Suspect RK infection

Hi,

Recently I noticed that my internet connection would "die". I am connected to a wireless router, and afteer disconnecting from the wireless network, reconnecting and then refreshing the IP address, it was fine. I didn't suspect any problems. (Not sure if it is related, but this problem would occur when I was using IE. Firefox was OK)>

Further to that, every time I turned the computer on, after about 10 minutes, the Nero Indexer executable would throw an error, and shut down. I only suspected a corrupt executable file, and would look into it at a later stage.

Today I tried to synchronise my eWallet between my PC, my iPod, and a USB hard drive that is connected to the router. Everything failed. This is when little light bulbs started going off in my head. Also AVG kept warning about infected files in a .../Local Settings/Temp folder. (I could never find these), and referred also to a problem with the Nero Indexer. Maybe a bit overdone, but I deleted the Indexer executable that was reported.

Then I ran rootkit revealer, and it showed many "problems". One was to do with a strange HKU node. As well as issue with other keys in the registry.

I have had a problem with a rootkit in 2007, and still had some of the tools that I had used back then - IceSword - this reported many problems with inline code. So I ran GMER also.

And...to be honest, I am way out of my depth here. I din't want to screw things up, so I ask for help.

Can anyone help me determine whether I am actually infected or not?

Many Thanks

Hi all,

Realise that everyone is pretty busy, but would really like some help with this. I've run Ice Sword, and can see that at the moment uphcleanhlp.sys is apparently infected.

Using GMER, this is confirmed. Rootkit Revealer is also reporting strange keys in the registry. I have had a look at the registry, but not sure if the key/node referred to is legitimate.

That's the problem - I think I can see that there is a problem, but I don't know enough I really need an expert's advice. Also with getting rid of the rootkit.

Can anyone help?


Many thanks in advance.

If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you probably should not be using it. Some ARK tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.

Why? Not all hidden components detected by anti-rootkit (ARK) scanners are malicious. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

There are many free ARK tools but some of them require a certain level of expertise and investigative ability to use. These are a few of the easier ARKS for novice users:

• Sophos Anti-rootkit - Sophos Anti-Rookit User Manual <- 64-bit compatible
• Panda AntiRootkit - Introduction to Panda AntiRootkit
• Avira AntiRootkit <- requires an Avira product to be installed in order to use

Malwarebytes Anti-Malware uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well.

Edited by quietman7, 24 November 2010 - 08:55 PM.