
Rootkit?


  • This topic is locked This topic is locked
1 reply to this topic

#1 Giant44

Posted 25 August 2011 - 12:57 PM

Hi,

I'm running XP Pro, and there is a process that shows up that was never there before. It has a series of numbers, followed by a :, and then more numbers with a .exe extension. I know all the normal files that show up in the processes section when you do a ctrl-alt-del (I check it regularly). This is definitely an intruder.

I've tried using a program called TDSSKiller to get rid of it, but it reappears upon reboot.

What this is doing is bogging down my PC and is blocking my anti malware program from being able to run, as well as blocking the updating and runnability of my anti virus. My anti virus is basically disabled. When I try to run it, the scans stop short and abort. When I try to run my anti malware, it starts, and then aborts. If I try to run it again, it says that it cannot find the file specified or that I don't have access to it. I am the Administrator on this machine with full privileges. I have tried running these programs in safe mode, with networking and without networking, but to no avail.

This I have observed:

1) When I do a search of this .exe file, I see an association with it in the registry as something to do with system root.

2) I have tried doing a System Restore to a point prior to when this occurred (it just occurred yesterday; I went a month back). Did not work.

3) If I navigate to my malware folder in DOS and try to run the executable from there, it says access denied

4) With Firefox, my searches are redirected via some site called 5day(something). IE remains untouched.

5) If I try to search for this .exe file, it can't be found, even though TDSSKiller showed it in the C:\Windows directory. When I browse for it either via Windows Explorer or via DOS, I cannot find it. I have it set to show system and hidden files as well.

I don't know if this is malware, a virus, or a rootkit, so am posting it here, as I think it might be a rootkit, which I just researched and learned about yesterday.

I have current anti virus installed, with updates to the .DAT files occurring just about every day (until yesterday). I also do a complete scan of the hard drive once a week, and am behind a firewall with high security. I have no idea where this came from, or how to prevent this from happening again. All my incoming and outgoing emails are scanned and I do not open attachments from unknown sources and haven't had one from a known source in ages.

I would like to start with the simplest thing first, as opposed to reinstalling the OS, if that isn't necessarily what's needed.

Update: I just tried all the steps in the Super Antispyware removal and that did not help. I was able to execute a scan at the very last steps, but then the scan aborted after about 3 mins. Going to try this in safe mode as the administrator.

Update: Didn't work, plus when I tried to repair the Windows Installation, it blue screened upon each reboot. The "Super" Antispyware removal program only found cookies, did not find this rootkit thing, so worthless for that.

Nuking the system (deleting and recreating partition, formatting, and reinstalling OS). I sure would like to know how this rootkit got on there, despite my layers of protection and weekly scans, so if anyone has any idea on that, open to views.

Edited by Giant44, 26 August 2011 - 09:18 AM.



#2 Orange Blossom

Posted 28 August 2011 - 05:18 AM

Hello,

Nuking the system (deleting and recreating partition, formatting, and reinstalling OS).

Thank you for letting us know. I'm sorry we couldn't get to you sooner. Sometimes a reformat and reinstall is the quickest solution.

Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom