
First visit / posting Looks like rootkit to me


#1 AfpMike
  • Members
  • 2 posts

Posted 19 September 2010 - 08:20 AM

Edit = Not getting any responses. Did I do something wrong? :|


Hi,

As indicated, this is my first time here on the forums, among so many who know more than I, even though I've done support and dealt with computers for more than 20 years. Thank you for the time spent helping those of us learning how to cope with more advanced viral afflictions.

Quiet but odd behaviors led me to run Malwarebytes and SUPERAntiSpyware first. Both initially found several tracks and lesser infections, but seeing a couple of droppers made me nervous. Slow P4, still struggling for reliable TCP, so I DL'd a copy of HJT and cleaned up the usuals. Still no better; it started to smell like a rootkit, so I DL'd a copy of RootRepeal and found several indications of things not happy: some hidden files, hooked processes and, most concerning, a tcpip.sys that's hidden and has no signature found.

One MS update fails to install for .NET 3.5, and at one point autoupdate had to be turned off as it was interfering with Avast updating. This is the point I decided to hold up and look for advice. I also blocked file sharing at Win Firewall, as another system on the LAN kept running a pipe and file open event on me. Most other ports that typically can be blocked to reduce exposure have been.

I'm running XP SP3 on a 2.7 GHz P4 eMachines T2742 model with 1 GB of RAM, connected on a 6M DSL, sitting behind a Linksys RV082 and an SMC 10/100 switch. I have 3 other systems which are running without issue and test clean with Malwarebytes so far, albeit I'm not convinced that a rootkit on the network might not own all the AV I've got to throw at it. The other 3 machines are two laptops running Vista and one server running Win7.

Hopefully I haven't trodden on the forum's rules getting started.

If anyone would be willing to offer some direction, I should be able to follow and would be most thankful for help on how to clear this mess up, if it's possible.

Thank you in advance,

Mike

Edited by AfpMike, 19 September 2010 - 11:15 AM.



#2 boopme (To Insanity and Beyond)
  • Global Moderator
  • 73,331 posts
  • Gender: Male
  • Location: NJ USA

Posted 19 September 2010 - 09:47 PM

Hello and welcome. We are just very busy here.
Having run HJT you may have only changed things. Just because you "fixed" something with HijackThis, that does not mean you have a clean system. There are specific files and folders which must be deleted afterwards. HijackThis does not delete them. Further, removing entries in HijackThis before the problem is properly identified can make the malware undetectable to other detection and removal tools. Full system scanning tools like SUPERAntiSpyware, Malwarebytes' Anti-Malware, Spybot S&D and SpySweeper will remove the registry entries as well as the related files, which results in a more complete removal process. HijackThis should only be used to clean up the entries left behind, after you have properly removed the malware.

Would you post the RootRepeal log for review?

Also run an online scan with ESET:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.