Is my laptop hacked or infected with a root kit!?
#1 SpyCatsher
Posted 11 January 2012 - 10:54 AM

Greetings everyone,

Summary: Sorry for the long story below, too many details can make a post unpopular; at the same time I didn't want to omit some details, keeping the last judgment to more experienced people on this great forum. I've not posted elsewhere either. I'll of course edit my post if it is required. It's a report of about 3 long weeks of troubleshooting, and my question is if you very kindly can help me sort out whether I have a hacker or a rootkit on my laptop, or not. I've some reasons to suspect that, as I tried to explain in the story below. I must also say that all security programs that I use are freeware. One last note: I've been reading the forum rules, but not all of them yet; if I erred in this first post please let me know so I can do better another time :tophat:

System: Microsoft Windows XP Home Edition, Version 2002, Service Pack 3, CPU Pentium 4, 2.80 GHz, RAM 768 MB, Microsoft Security Essentials, WinPatrol, Secunia, Firefox with different security add-ons, CCleaner, TweakNow PowerPack. Laptop functions well.

:mellow: On 5 December 2011 I did a routine scan with SuperAntiSpyware (Free Edition) which reported sfloppy.sys as a rootkit that must be deleted immediately, with a reboot. But after a couple of hours about 20 programs, mostly security or Microsoft, began to disappear according to the continuous messages from Secunia; then it didn't take too long until the desktop froze and I couldn't open any program with the mouse arrow, which was not locked. I navigated with success to Safe Mode where all options worked, but couldn't recover the system. It took not too long for a BSOD (0*000 00023a) Fatal_System_Error when I tried to boot to Normal Mode. According to answers.microsoft.com... (I didn't add the whole link, this goes for all other references):

"This error occurs when a user-mode subsystem, such as WinLogon or the Client Server Run-Time Subsystem (CSRSS), has been fatally compromised and security can no longer be guaranteed. In response, the operating system switches to kernel mode… Mismatched system files can also cause this error. This can occur if you have restored your hard disk from a backup. Some backup programs might skip restoring system files that they determine are in use."

I spent days on the web, where I learned among other things that sfloppy.sys was a false positive. After lots of troubleshooting I installed Service Pack 3 in Safe Mode with Networking, thinking it would get the messed up software in order. It did recover my laptop to Normal Mode, but it was very slow and there was a lot of noise from the processor, which ran almost all the time at 100%. The Task Manager had about 16 more processes than usual and the memory was almost all the time full; also more services were on than in the original settings, with one new and unknown. I checked also on the 20 disappeared programs, but they were there. I was puzzled. I couldn't do much. Avast was all the time disabled, and was difficult to remove also.

I managed to install AVG, which after a couple of days was not able to update. SuperAntiSpyware found two "Potential threats" and removed them with success (Psisetup_EXE.EXE, Cnet2_REVOSETUP_EXE.EXE). I saved the last log from AVG and I was worried why so many files or folders can't be opened for scanning and checking. I understand that some essentials from Windows are by default out of reach. But with the thought of a rootkit I became unsure. I've attached this log at the end of this story, sorry that it's becoming too long. I realize now that all other logs are deleted because of the checked Utilities entry in CCleaner and all other programs under it. I've them now unchecked.

It is still a riddle for me: did I get the BSOD because of the faulty deletion of sfloppy.sys, because of the failed recovery tries that I did, or, much more worrying, because of a stealthy intruder!? I must admit that a day earlier, 4 December, I couldn't log in with my very long password. After about 6 or 7 tries I gave it up and I made a new one by logging on in Safe Mode as Administrator. Now I ask myself sometimes if I was hacked; then my Administrator password, which I've had none of till then, would also have been blocked, but it wasn't. I also downloaded a codec for Media Player a couple of days earlier, but much later I checked the CLSID and it was genuine. So anyway, after about a week I gave it up… I was so tired. (I've made password disks for both accounts.)

I keep a logbook for my laptop, so on 26 December I gave it another try; to my great amazement I was, immediately after powering on the laptop, welcomed by another sort of BSOD:

Unmountable_Boot_Volume (0*000000ED). The desktop was full of information about wrong hardware and software configuration/installation and BIOS settings. I know how to clear the BIOS on a desktop but not on a laptop; then I thought about the probable cause being the new installation of SP3 and the possibility of a rootkit; so, being not able to search the web this time, I resorted to my computer books and my common sense at that moment. My only tool was the original OS CD, so I thought I had nothing to lose. I ran Fixboot in the Recovery Console, which wrote a new start-up sector after giving the message that the old one was damaged, and I refrained from running Fixmbr after what I thought was a very serious warning. Then I ran Chkdsk /p /r and exit; to my great amazement and relief it also booted in Normal Mode :guitar:

It is now about 2 weeks since then and my laptop is doing very well, but I've been working on it the whole time, and by doing so I came across some things, for example in the registry, services and different security programs; then I check them on the web, but I noticed a few things that I've questions about which are not much discussed with a convincing answer, like the following examples:

WinPatrol lists the following in Services, Recent and History, respectively:

HNM:
Service with these two sub-keys: Enum and Security. It has something to do with LEGACY and Local Machine. It's not from Microsoft and there is no mention of a company name, etc. Being suspicious of a rootkit I have disabled it; the HNM.exe can't be found in the Temp directory.
Path: HKLM\ System\ CurrentControlSet\ Services\ HNM
C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\HNM.exe

crypt32chain:

It's confusing what to make of it:

According to processlibrary.com

crypt32chain.dll is a module belonging to the Crpytnet trojan and should be removed immediately. Non-system processes like crypt32chain.dll originate from software you installed on your system.

But forums.spybot.info

finds the program and the whole group that goes with it good. Considering this is dated 2006, probably things have changed since then and Process Library is correct. I couldn't find other trusted sources to confirm either of the above, so I left it for the time being as it is until my laptop is scanned; hopefully you find the time to help me with it.

JGK: I couldn't find any reference on the web.

slrundell.exe
According to Prevx.com it is a malicious program, but other websites say it's OK.

Critical Windows Update
About a week ago I got 6 updates, similar to this, to protect against "vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)"… "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user." Having downloaded the codec earlier in December, as I stated earlier, I became very suspicious, because the problem with my laptop began days after that.

WinPatrol
I sometimes get a message from Scotty asking if I should allow a certain program to run, but I don't dare; even if I check on the web or the logo of Microsoft is on the message. Maybe I got paranoid, but if there is a rootkit and a hijacker/attacker behind it, I gather they can make all sorts of programs that might look genuine. This is the only example I've:
Command.com /c del C:\Windows\SchedLgU.Txt
Cmd.exe /c del C:\Windows\SchedLgU.Txt

sfloppy.sys: 10 files in different subfolders of Windows. I scanned them on location, they were OK. Some are copies. Could it be a rootkit, taking into consideration that the scan couldn't detect the behaviour and the alarming orange colour from Security Essentials, which shows only when malicious activity is taking place in the background? However, it has found nothing yet.

Autorun: Registry Entries with missing files:

Changer.sys: not found
lbrtfdc.sys: idem
iZomgmt.sys: no result
ir32_32.dll: idem

mscoree.dll: missing

HTTPS Everywhere add-on for Firefox was uninstalled, then after 3 or 4 days became installed again. I get the messages from Secunia.

Since a few days ago Microsoft Security Essentials turns orange all the time, even after updating and scanning.

Other items at random:
- Window Maximizer 2011 was detected and removed on 5 December
- MSConfig appeared once on 7 December, possibly more times, in the Task Manager. On the web I could not find a reference. I use msconfig, but what I've learned is that process names are case sensitive.
- I removed all System Restore Points and files (*.reg) to dispose of any malware.
- I disabled sensitive services to block any malicious software activity.
- I changed the Setting of DEP (Data Execution Prevention) to include all programs and services.
- 2 trojan.dropper.BCM:fsquirt.exe detected by Malwarebytes (false positive)
- I scanned also with VirusTotal and Jotti, nothing was found.
- I've read Hijack This 2.0 a couple of times and I've been checking registry entries and the Windows folder, but I've seen no irregularity yet.
- There are cookies in my profile that clone themselves and make a light sound like (uukchick) when I remove them; even when the mouse arrow goes over their *.txt files. The same sound can also be heard sometimes when the laptop is on, example:
UserData…overture.com/
ETJLC96O.txt eyeblaster…bs.serving-sys.com/
3853ZR00.txt…m.webtrends.com

Scans are regularly mostly clean, except the one below, very worrisome:
Malwarebytes: found PUM.Hijjack.Homepage.Controle 5 days ago, but it was difficult to remove (even on reboot); not sure if it comes back. This was detected after I enabled the P2P function in the program key in the registry, which was disabled. The thing is, I've never done P2P activity, so who else then? Also I'm the only person who uses the laptop, to my knowledge that is.

SuperAntiSpyWare: Clean scan, except cookies

Ad-Aware: Clean scan.

Microsoft Security Essentials: Clean scan.

Spybot Search & Destroy/ Advanced Mode/ Time critical: No immediate threats.

AVG Log 8 December 2011
Note: some words are in Dutch. I translate them to English at the end of the line (Vergrendeld bestand Niet gecontroleerd = Locked file not controlled).
AVG 2012 Anti-Virus opdrachtregelscanner
Copyright © 1992 - 2011 AVG Technologies
Programmaversie 2012.0.1873, engine 2012.0.2102
Virusdatabase: versie 2102/4667 2011-12-08

C:\Documents and Settings\Administrator.CREATIEF\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Vergrendeld bestand Niet gecontroleerd . Locked File not controled.
C:\Documents and Settings\Administrator.CREATIEF\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\Administrator.CREATIEF\Local Settings\Temp\mmc3C3DA6D8.xml Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\Documents and Settings\Administrator.CREATIEF\NTUSER.DAT Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\Documents and Settings\Administrator.CREATIEF\NTUSER.DAT.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\Documents and Settings\Eigenaar\ Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\Documents and Settings\NetworkService\ntuser.dat Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\pagefile.sys Vergrendeld bestand. Niet gecontroleerd.
C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.ilg Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\RECYCLER\S-1-5-21-1085031214-436374069-1060284298-1003\Dc1.doc Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\RECYCLER\S-1-5-21-1085031214-436374069-1060284298-1003\Dc2\ Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\System Volume Information\ Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\default Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\default.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\SAM Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\SAM.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\SECURITY Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\SECURITY.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\software Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\software.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\system Vergrendeld bestand. Niet gecontroleerd. Locked File not controled
C:\WINDOWS\system32\config\system.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controled

------------------------------------------------------------
Test gestart: 8.12.2011 18:47:59
Duur van de test: 1 uur (uren) 46 min. 38 seconde (n)
------------------------------------------------------------
Gescande objecten, scaned objects: 648350
Gevonden infecties, found infections: 0
Gevonden PUP's, Found PUP's: 0
Herstelde infecties: 0
Herstelde PUP's: 0
Waarschuwingen, Warnings: 0
------------------------------------------------------------
If you have managed to read through all the pages, I would like to thank you for your time; and if you see signs of a possible foul play, I would like to ask very kindly for your help :thumbsup:
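Added example (not code from the post, from AVG or from BleepingComputer): a small Python script that sorts the "Vergrendeld bestand. Niet gecontroleerd." (locked file, not checked) lines of an AVG log like the one above into files Windows XP always holds open, which a running scanner can never read, and everything else, which is worth re-checking with an offline or boot-time scan. The log lines inside it are a constructed sample modelled on the post's log.

```python
"""Triage 'locked file, not checked' entries from an AVG 2012 scan log."""
import re

# Constructed sample modelled on the AVG command-line scanner log in the post
# (Dutch: "Vergrendeld bestand. Niet gecontroleerd." = locked file, not checked).
SAMPLE_LOG = """\
C:\\Documents and Settings\\Eigenaar\\NTUSER.DAT Vergrendeld bestand. Niet gecontroleerd.
C:\\Documents and Settings\\Eigenaar\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat Vergrendeld bestand. Niet gecontroleerd.
C:\\Documents and Settings\\Eigenaar\\Local Settings\\Temp\\mmc3C3DA6D8.xml Vergrendeld bestand. Niet gecontroleerd.
C:\\pagefile.sys Vergrendeld bestand. Niet gecontroleerd.
C:\\RECYCLER\\S-1-5-21-1085031214-436374069-1060284298-1003\\Dc1.doc Vergrendeld bestand. Niet gecontroleerd.
C:\\System Volume Information\\ Vergrendeld bestand. Niet gecontroleerd.
C:\\WINDOWS\\system32\\config\\SAM Vergrendeld bestand. Niet gecontroleerd.
C:\\WINDOWS\\system32\\config\\software.LOG Vergrendeld bestand. Niet gecontroleerd.
Gescande objecten: 648350
"""

# A locked-file line is "<path> Vergrendeld bestand. Niet gecontroleerd." (with
# or without the dots); summary lines such as "Gescande objecten" do not match.
LOCKED_LINE = re.compile(r"^(?P<path>.+?)\s+Vergrendeld bestand\.?\s*Niet gecontroleerd", re.I)

# Files the running OS keeps open: registry hives, per-user hives, the
# pagefile and the System Volume Information folder. Seeing these as "locked"
# in an on-access scan is normal on Windows XP.
EXPECTED_LOCKED = [
    re.compile(r"^[a-z]:\\windows\\system32\\config\\(default|sam|security|software|system)(\.log)?$", re.I),
    re.compile(r"\\ntuser\.dat(\.log)?$", re.I),
    re.compile(r"\\usrclass\.dat(\.log)?$", re.I),
    re.compile(r"^[a-z]:\\pagefile\.sys$", re.I),
    re.compile(r"^[a-z]:\\system volume information\\?$", re.I),
]


def triage(log_text):
    """Split locked paths into {'expected': [...], 'review': [...]}."""
    result = {"expected": [], "review": []}
    for line in log_text.splitlines():
        m = LOCKED_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        bucket = "expected" if any(p.search(path) for p in EXPECTED_LOCKED) else "review"
        result[bucket].append(path)
    return result


if __name__ == "__main__":
    for path in triage(SAMPLE_LOG)["review"]:
        print("re-check offline:", path)
```

Anything in the "review" bucket (here a Temp .xml and a Recycle Bin item) is not something the OS needs to hold open, so it is a candidate for a scan from boot media rather than a sign of infection on its own.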
#2 SpyCatsher
Posted 13 January 2012 - 01:35 PM

I am not interested any more in your help. Please remove my post.