P4 3GHz 1.5GB RAM, 200GB onboard HD with a single basic FAT32 partition (not my choice).
Hi...lots of strange things going on with my desktop.
The short version of the story is, I think I have reinfected my system after a clean install August 13. I wiped the entire drive, including rewriting the MBR and stripping all partitioning data from the drive.
I received help here previously with what I thought was the Win32k rootkit, but I don't think I ever learned what the exact malware was. That was several months ago.
Since the beginning of July, there have been lots of slowdowns and registry modification warnings from TeaTimer, as well as other things. For example, at one point, I received notice from Spybot S&D for something called fsonlinescanner.exe - I think that was the name. Apparently there was only one copy of it, in My Docs\Owner\Local Settings\Temp. There were some locked files in that folder, but I guess that could be just normal in-use tmp files.
I also had Avira installed for a while, but it kept giving lots of false positives for removal tools left over from the previous infection.
Last week, Teatimer notified me of an increasing number of registry changes, including some data in a bootexe key value that looked like: ||?|||||||? |||||||? |||?||||?|| P ||?|||||||||||||| || ||| etc., etc....
(The pipes represent the default character windows uses when you don't have the right character set to display the string. Hopefully you get the idea.)
On 13AUG, I decided I was tired of messing around with av scans, etc., and just wiped the entire hard drive, partition table, boot record, and all. I used boot and nuke to overwrite the entire disk with zeros just to be sure there was no recoverable data that a clever rootkit could use to regenerate...I don't even know if that's possible, but I hoped the effort would prevent me having to come here for help.
But here we are again. I had to install a very few applications in order to re-establish my web connection and provide for malware detection while downloading/installing windows updates.
I tether to my jailbroken iPhone 3G, firmware 3.1.2 (spoofed as 3.1.3, in case you see that in a scan somewhere), so I needed to install iTunes 8.21 at a minimum. I also installed a handful of software that I could use to verify md5 hashes, check for hidden processes, etc. I was pretty paranoid. Also a few pieces to help audit. About 8 or 10 apps altogether.
So my system is pretty spartan at the moment.
As for recent symptoms, on August 6, all of my restore points suddenly vanished. Just prior to my August 13 reinstall, Spybot and privatefirewall 7.0 both began terminating without my interaction. They would run for several hours, then quit within a few seconds of each other. There always seemed to be traffic on my internet connection, even though nothing was being logged by the firewall.
Since the August 13 reinstall, I was only able to reinstall the first 3 (of 77) Windows updates. The downloads go okay, but then the install dies. Before I wiped the hard drive, there were lots of errors with installs, too. One thing that was curious was that I never lost admin privileges, unlike the previous infection.
I think the current malware was something I reintroduced from my external drive. (The programs I had to install to get back on the net came from the external drive, which I assumed to be infected, but I had no way of getting back on line otherwise. I did multiple scans with various types of anti-malware, with up-to-date defs, but nothing ever showed up.)
What I would like, apart from help in cleaning my system, is advice and/or help with a method of setting up a dedicated system-only logical or primary drive and a separate restore partition (if you think it's necessary/desirable). I want to set up logical drives for programs, media, etc., so that I can hopefully keep everything segregated and minimize the pain of doing a restore.
When we're done, is there any way to clean my external drive without reinfecting my system drive or having to erase data from the EHD?
Update...I got my drive partitioned and resized the way I had planned. Now Windows is in a 13GB NTFS partition, there is a 5 GB partition where I plan to build my restore partition, and the rest of the 200 GB is either empty NTFS partitions or unformatted partitions.
I got XP3 installed and all the updates. So we're ready to rock and roll. I am guessing you will be wanting new logs, but it's bedtime so I will post tomorrow, or not, if you don't want them.
In other news, I have a name... AGOBOT-KU. Actually, I have seen this name once before and just forgot. Spybot mentions it when it picks up a "blank" entry in the registry somewhere. When you ask for more information to accept/deny, it tells you the name.
Also, there has been a registry change detected by Spybot that was to have added: Autocheck autochk *sprecovr \SystemRoot\sprecovr.txt
I denied it of course, so it's not there, but I thought it might give us a clue as to where to look. If this is a memory resident program, does it write a new copy of itself on reboot each time, and then delete it once it's loaded again? If so, isn't there some way we could "flash" the pagefile memory? I am sure it would send the system into a tailspin, but I have nothing critical on this drive _yet_ so it wouldn't matter to me if I corrupted something and had to repair...just an idea. I know very little about the system, and nearly nothing about the hardware, so lots of things that are bad would probably sound like a good idea to me. ;)
Oh yeah...one more thing...msmessenger showed up in my tray for the first time in several years. You can bet I didn't put it there. I normally uninstall it, but I haven't had time to look up how to do it again. I did have it disabled, though, so someone or something wanted it running, but it wasn't me.
EDIT: Posts merged ~BP
If anyone was waiting for more serious symptoms to appear before responding, we have them. I need my computer to work, so unfortunately I cannot avoid altering the state of the system until someone responds. Please let me know when they are needed, and I will post new logs.
EDIT: Posts merged again ~BP
Edited by Budapest, 17 August 2010 - 04:25 PM.
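For anyone triaging the "Autocheck autochk ..." change the poster mentions: that string is the shape of the BootExecute value, which Session Manager runs before the desktop comes up, so it is a common place for a boot-time loader to hide. The PowerShell below is an added check of my own, not code from the thread, from Spybot or from any vendor. It assumes the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the standard location) and that the stock content is the single entry "autocheck autochk *". It lists every entry that differs from that default, first on a constructed copy of the reported string and then on the live registry.

```powershell
# Added example: report BootExecute entries that are not the stock "autocheck autochk *".
# Assumptions: Windows XP or later, run from an elevated PowerShell prompt.
# Nothing here modifies the registry; it only reads and reports.

$SessionManagerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$DefaultBootExecute = 'autocheck autochk *'

function Get-NonDefaultBootExecute {
    param(
        [string[]]$Entries   # contents of the BootExecute REG_MULTI_SZ value, one string per line
    )
    foreach ($entry in $Entries) {
        $trimmed = $entry.Trim()
        if ($trimmed.Length -eq 0) { continue }
        # Only an exact (case-insensitive) match with the stock line is accepted as benign.
        if ($trimmed -ne $DefaultBootExecute) {
            [pscustomobject]@{ Entry = $trimmed; Status = 'NOT DEFAULT - review' }
        }
    }
}

function Test-BootExecute {
    $item = Get-ItemProperty -Path $SessionManagerKey -Name BootExecute -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "BootExecute value not present under $SessionManagerKey"
        return
    }
    $suspicious = @(Get-NonDefaultBootExecute -Entries $item.BootExecute)
    if ($suspicious.Count -eq 0) {
        Write-Output "BootExecute holds only the default entry: $DefaultBootExecute"
    } else {
        Write-Output 'BootExecute contains entries beyond the default:'
        $suspicious | Format-Table -AutoSize
        # Back the key up before anyone edits it, so the evidence survives the cleanup.
        Write-Output 'Before changing anything, export the key: reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" session-manager-backup.reg'
    }
}

# Demo on a constructed value (not read from any real machine) shaped like the line
# Spybot reported in the thread; the first entry is the default and is not reported.
$constructed = @(
    'autocheck autochk *',
    'Autocheck autochk *sprecovr \SystemRoot\sprecovr.txt'
)
Get-NonDefaultBootExecute -Entries $constructed

# Live check against the running system
Test-BootExecute
```

On the constructed input only the second entry is listed. On a clean machine Test-BootExecute prints the single default line; any extra entry is worth copying into the logs you post, together with whether the file it names actually exists, since a missing file can mean the loader has already deleted itself after running, as the poster suspected.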