Posted 07 September 2010 - 07:58 PM
Our computer (running Windows XP) is showing some signs of having a rootkit, but the various detection programs are giving ambiguous signs.
1 - Last night I was gaming (offline) and was interrupted by a "send error report" pop-up. I clicked "Don't Send" quickly, but noted it had to do with svchost.exe.
2 - When the game (StarCraft II) stalled again, we pulled the ethernet cable out and ran Malwarebytes. It found 6 Rootkit.Dropper files in the C:\Windows\Temp\ directory. I checked Properties and they were each dated (date modified) as 9PM nightly for the last 6 nights. I told it to remove them.
3 - After keeping the ethernet cable out all day, I came home and ran Rootkit Buster, which found nothing.
4 - I checked the Norton Internet Security history for the last 6 days, looking specifically around 9PM each day. There was an entry on the 4th labeled as "High Severity," "tcmsetupa.exe detected by SONAR" and Norton tagged it as "quarantined."
5 - At 9PM on the 5th, Norton has (among other things) 2 "Low Severity" entries. One says "choicea.exe made 13 modifications to your computer" and the next one says "changeb.exe made 97 modifications to your computer." Both are then tagged as "Detected."
6 - At 8:30PM on the 6th, Norton has an entry marked "Info" that says "IP address has disappeared from adapter Realtek RTL8139/810x Family Fast Ethernet NIC-packet Scheduler Miniport and is no longer being protected (IP address..." (I have the IP address but am not sure I should post it here.)
7 - We Googled changeb.exe, choicea.exe, and tcmsetupa.exe and the first two found no results (except for change.exe and choice.exe hits that were benign). For tcmsetupa.exe, however, I found a ZoneAlarm forum entry that directed the poster here for help.
8 - I have a HiJackThis scan log, but will refrain from posting it here until someone says it's worthwhile.
Based on this, I assume we do have a rootkit that's allowing these Dropper files in. Is it worth using HiJackThis to try to find it, or will the PC still be suspect? Should we just reformat and take this "opportunity" to go to Windows 7?
Thanks for any guidance or help. I can post the log for HiJackThis, if that's worthwhile.