Possible Rootkit Infection

My computer was hit with a whole suite of nasty malware a couple days ago; the ones I actually know the names of are XP Antispyware 2009, AP Manager, and the Win32:Alureon trojan. I managed to get my computer back to a functional state by running a number of antimalware and antivirus programs as detailed below, but I’m still seeing red flags that my system’s not clean:

+Avast’s shields are disabled upon startup.

+Avast lists “winstart.bat” as being offline and can’t scan it. RKDetector lists this file as showing up at the same time the malware did.

+GMER has flagged some reg entries as suspicious; I’m not good at reading these, but I think RootkitRevealer has flagged the same entries. (In addition to a whole bunch of other stuff.)

Detailed Malware History:

  1. XP Antispyware 2009 downloaded and immediately disabled Task Manager, Control Panel, and Malaware. I rebooted into safe mode and logged in as admin.

  2. Re-installed Malaware from a flash drive; attempted installs of Avast and SuperAntiSpyware were blocked. Ran Malaware and removed some files.

  3. Was still unable to install most antivirus software; Hitman Pro did go through and deleted a very long list of rootkit files, trojans, and malware.

  4. Checked my normal user account; “copyright infringement” pop-ups started immediately upon Windows opening. Rebooted back into safe mode.

  5. Downloaded combofix and ran it. It killed AP Manager and restored admin functions to my normal user account. (I’ve since uninstalled it. No damage was done to my computer, but after reading the warnings more closely I realized I really should have taken them more seriously.)

  6. Installed Avast, which removed the Win32:Alureon trojan. Since then I’ve been trying different programs to figure out the above problems; not successful, obviously.

I haven’t posted OTL and HJK logs due to their size. I’m pretty sure the logs are not supposed to be as long as these are. Even HJK’s log won’t fit into one post, and it’s not nearly as long as OTL’s. I’m not sure what to do now. =\

see down left corner: additional Options > Attach

Thank you Pondus. = ) I’ve attached them here; OTL didn’t produce an Extras.txt when I ran it this morning, though.

Hi, could you attach the TDSSKiller and ComboFix logs please so that I can see the results. Also, could you attach the Extras log that you get when you first run OTL.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
[2010/04/29 13:37:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Barbara Massey\Application Data\.#
[2010/04/29 03:30:27 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/04/28 22:36:46 | 000,015,446 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\erTd
[2010/04/28 22:36:45 | 000,015,446 | -HS- | M] () -- C:\Documents and Settings\Barbara Massey\Local Settings\Application Data\erTd

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
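Added example (not code from this thread or from OTL's author): a small Python parser for the OTL file/folder entry lines listed in the fix script above, which flags entries that are hidden+system and stamped inside the infection window. The flag positions R/H/S/D are read as read-only, hidden, system, directory (assumed from the entries shown); the notepad.exe line in the sample is a constructed benign entry for contrast.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One OTL entry: [date time | size | attrs | C/M] (company) -- path
# The "(company)" part may be "()" or absent entirely.
OTL_ENTRY = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([RHSD-]{4}) \| ([CM])\]"
    r"(?: \([^)]*\))? -- (.+)$"
)
OTL_TIME = "%Y/%m/%d %H:%M:%S"

@dataclass
class OtlEntry:
    stamp: datetime
    size: int
    attrs: str   # assumed positions: R(eadonly) H(idden) S(ystem) D(irectory), '-' if unset
    kind: str    # 'C' = created timestamp, 'M' = modified timestamp
    path: str

    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs

def parse_otl_entries(text: str) -> list:
    """Parse every OTL file/folder entry in a log excerpt; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), OTL_TIME)
        size = int(m.group(2).replace(",", ""))
        out.append(OtlEntry(stamp, size, m.group(3), m.group(4), m.group(5)))
    return out

def flag_suspicious(entries: list, infection_start: str, window_hours: int) -> list:
    """Paths that are hidden+system AND stamped within window_hours of infection_start."""
    start = datetime.strptime(infection_start, OTL_TIME)
    end = start + timedelta(hours=window_hours)
    return [e.path for e in entries if e.hidden_system() and start <= e.stamp <= end]

# Constructed sample: the four entries from the fix script plus one benign line.
SAMPLE = r"""
[2010/04/29 13:37:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Barbara Massey\Application Data\.#
[2010/04/29 03:30:27 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/04/28 22:36:46 | 000,015,446 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\erTd
[2010/04/28 22:36:45 | 000,015,446 | -HS- | M] () -- C:\Documents and Settings\Barbara Massey\Local Settings\Application Data\erTd
[2010/03/01 09:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
"""

if __name__ == "__main__":
    for p in flag_suspicious(parse_otl_entries(SAMPLE), "2010/04/28 22:00:00", 24):
        print("review:", p)
```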

I’m not able to attach a combofix log; I think it was deleted when I uninstalled. I’m sorry. >_< The rest of the logs are attached. I had a hard time running OTL; my computer kept freezing when I tried to get to Firefox. Thank you for helping me.

OTS Results:
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Folder C:\Documents and Settings\Barbara Massey\Application Data.#\ not found.
File C:\WINDOWS\winstart.bat not found.
File C:\Documents and Settings\All Users\Application Data\erTd not found.
File C:\Documents and Settings\Barbara Massey\Local Settings\Application Data\erTd not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Barbara Massey
->Temp folder emptied: 855114 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3610630 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Barbara Massey
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.3.1 log created on 05012010_085242

Files\Folders moved on Reboot…

Registry entries deleted on Reboot…

No problem, I will take a new ComboFix log. Does IE work OK, or is it like Firefox?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Experimented with IE; it opened fine. I think it might be a resources issue; both Kaspersky and Avast were on startup. Used Kaspersky’s settings to take it off startup. Haven’t run any uninstallers to avoid messing up the logs. Combofix log attached. :slight_smile:

are you running avast and kaspersky at the same time … ???

:-X I meant to use Kaspersky just for scanning to see if it would pick up anything that Avast missed. I didn’t fix the settings to keep it from running on startup, though. I’ve since shut it off.

Two antivirus
http://www.bleepingcomputer.com/forums/index.php?s=&showtopic=260844&view=findpost&p=1441638

It was a bad idea; definitely not the first I’ve had. :-\ I’ll go ahead and uninstall.

It is a little more complex than shutting it off, as even when disabled, resident antivirus applications have low-level drivers running. These low-level drivers hook files so that they might be scanned before being allowed to run. It is these drivers that can conflict, so it isn’t advisable to have two resident AVs installed even if one is disabled.

There are some AVs that are designed to run as on-demand and that shouldn’t be an issue, or you can use on-line scanners as a backup scan or one of the cloud AVs (one that doesn’t try to replace your existing avast).

So your decision to uninstall it is best.

@Pondus and DavidR: Thank you guys for the information. I understand the problem with that better now. :slight_smile: I’ve uninstalled programs that might interfere with Avast. Is Hitman Pro okay to leave on? It was pretty effective at getting some stuff off my computer; I think I might actually buy that one.

You’re welcome.

Hitman Pro shouldn’t be a problem as it is an on-demand application, not a resident AV.

I see you also have Sophos and Greatis on there; all of these will be using resources and trying to scan files at the same time.

What problems are you experiencing after removing Kas ?

Kaspersky uninstall was successful; I’ve experienced no issues since then. The system does seem to be running smoother, not freezing as it was earlier. I’ve already taken Greatis off; will remove Sophos now.

It sounds like a classic AV turf war ;D All three fighting to scan the same files

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Then let it run for a day or so and let me know if you are having any further problems.

Combofix and OTL uninstalled without a hitch; however, upon reboot Avast’s shields are still disabled; winstart.bat is still listed as offline. I’ll post back in a day or two, then, and see if this changes. Thank you for helping me with this. :slight_smile:

Do the shields re-enable within a few seconds - or are they permanently off ?

They re-enable after a minute or the desktop starts up. (On a related note I was able to track down the Winstart.bat file; had VirusTotal look at it, it isn’t flagging anything. Haven’t attempted to do anything else with it.)

Edit: System lag is back, really bad. Windows Explorer froze up; after I restarted it, I saw Avast wasn’t on at all. Attempted to open it from my desktop; it ran in the processes but wouldn’t open. Had to do a hard shut down. Avast is back on.