Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible rootkit - tcmsetupa.exe?


  • This topic is locked This topic is locked
3 replies to this topic

#1 Balaan

Balaan

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:45 PM

Posted 07 September 2010 - 07:58 PM

Hello-

Our computer (running Windows XP) is showing some signs of having a rootkit, but the various detection programs are giving ambiguous signs.
1 - Last night I was gaming (offline) and was interrupted by a "send error report" pop-up. I clicked "Don't Send" quickly, but noted it had to do with svchost.exe.

2 - When the game (StarCraft II) stalled again, we pulled the ethernet cable out and ran MalWareBytes. It found 6 Rootkit.Dropper files in the C:\Windows\Temp\ directory. I checked Properties and they were each dated (date modified) as 9PM nightly for the last 6 nights. I told it to remove them.

3 - After keeping the ethernet cable out all day, I came home and ran Rootkit Buster, which found nothing.

4 - I checked the Norton Internet Security history for the last 6 days, looking specifically around 9PM each day. There was an entry on the 4th labeled as "High Severity," "tcmsetupa.exe detected by SONAR" and Norton tagged it as "quarantined."

5 - At 9PM on the 5th, Norton has (among other things) 2 "Low Severity" entries. One says "choicea.exe made 13 modifications to your computer" and the next one says "changeb.exe made 97 modifications to your computer." Both are then tagged as "Detected."

6 - At 8:30PM on the 6th, Norton has an entry marked "Info" that says "IP address has disappeared from adapter Realtek RTL8139/810x Family Fast Ethernet NIC-packet Scheduler Miniport and is no longer being protected (IP address..." (I have the IP address but am not sure I should post it here.)

7 - We Googled changeb.exe, choicea.exe, and tcmsetupa.exe and the first two found no results (except for change.exe and choice.exe hits that were benign.) For tcmsetupa.exe, however, I found a zonealarms forum entry that directed the poster here for help.

8 - I have a HiJackThis scan log, but will refrain from posting it here until someone says it's worthwhile.

Based on this, I assume we do have a rootkit that's allowing these Dropper files in. Is it worth using HiJackThis to try to find it, or will the PC still be suspect? Should we just reformat and take this "opportunity" to go to Windows 7?

Thanks for any guidance or help. I can post the log for HiJackThis, if that's worthwhile.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:45 PM

Posted 07 September 2010 - 08:54 PM

Hello, yes it looks like it is.
We need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Balaan

Balaan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:45 PM

Posted 08 September 2010 - 07:47 AM

Alright. I've posted a thread with the logs here.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:45 PM

Posted 08 September 2010 - 10:32 AM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users