Apparent rootkit problem on XP machine... Need help.

Discussion in 'malware problems & news' started by Gullible Jones, Sep 3, 2011.

Thread Status:
Not open for further replies.
  1. I'm trying to clean up the aftermath of several infections on a WinXP machine. The infections included the PCPowerSpeed adware, and other stuff that I've heard can include rootkits. Notably the PC had Norton Antivirus installed, and Norton had detected none of it. The Avira live CD and SAS removed some stuff, but suspiciously little; and the machine is still quite sluggish.

    I ran Rootrepeal in safe mode, and it found a hidden service - a driver named 92947031.sys. I figured I'd copy this and upload it to VirusTotal or Jotti, to see if it was recognized; but copying it in Rootrepeal failed ("Could not locate file on disk", or something to that effect). So I tried rebooting with SystemRescueCD (a live Linux distro that supports NTFS). When I looked in the directory where the driver had been found, it wasn't there.

    I did not at any point attempt to delete the driver. But on subsequent reboots into XP and scans with it (both in normal and safe mode), the driver did not appear in Rootrepeal scans for hidden services.

    Assuming this driver is something bad, how can I find it again?
     
  2. N/M, this was an artifact and I'm an idiot. TDSSKiller loads a randomly numbered driver that hangs around for a while. D'oh!
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Try CCleaner and Puran Defrag. Do not touch the registry cleaning part. Or Windows built-in tools. CleanMem and Process Lasso/Tamer may help.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Live and learn is what I say. :D Just love my TDSS killer...always comes up clean. :)
     

  5. Tried clearing the prefetch cache, which amazingly made it a little faster. All the temporary files and stuff have been removed. The Windows defragger says defrag is not needed, but I guess I shouldn't trust the Windows defragger.

    I think there are a few things going on here:

    - Norton Antivirus is a tremendous pig, it's showing something like 10-20% CPU use, and that's when it's NOT running its full background scan.

    - There's a bunch of utilities and support stuff from Dell installed. I'm kind of loath to remove them though, since it looks like the owner uses some of them frequently.

    - The owner apparently uses AOL, which seems to require special software. The software takes forever to load, but I don't want to remove it lest I break the Internet (and maybe the Windows network stack, based on some stuff I've heard).

    As far as I can tell this is all; there doesn't seem to be any more malware. But between all this and whatever else, the computer takes longer to boot from its own XP install than to boot from SystemRescueCD, and the SystemRescueCD environment is more responsive. If I didn't know better I'd think the hard drive was running in PIO mode.

    (And yes, I checked that. It's at UDMA/100, and the write cache is on.)

    Edit: BTW - how does the "temporary files slow down Windows" thing work? The only reason for that I can think of would be the indexing service, which was already turned off on this computer anyway. You can load up a Linux install with countless files and it won't slow down at all, why should Windows be any different?
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Interesting results. XP defragger isn't good.

    What version of Norton was it?

    Make a disk image next time, unless you like fixing computers.
     
  7. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    The recommendations written by Blue come to mind
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I would also use Hitman Pro :thumb:

    Also have you considered doing a System Restore ? If you do, run the tools afterwards too :thumb:

    I would add GMER to the list & RkU :) Even if you don't SR.
     
  9. System restore had been turned off. Presumably by some piece of malware.

    I already tried GMER, sorry I hadn't mentioned that. It showed nothing hidden. Security procedure so far was basically:

    - Run a complete scan from the Avira live CD
    - Run SAS from UBCD4win (failed, probably due to lack of memory)
    - Run SAS portable from within the Windows install
    - Run some hardware tests (all hardware came up okay)
    - Run TDSSKiller, because one of the pieces of malware found on the computer reportedly sometimes includes TDSS (machine came up clean)
    - Run Rootrepeal, Rootkit Revealer, and GMer (finding nothing, other than the TDSSKiller artifact)
    - Run HJT, find nothing seriously abnormal
    - Remove nonessential temp files, making sure I don't remove important cookies, etc. (Did not speed up the computer.)

    Right now I'm back to square one, scanning from the Kaspersky rescue disk. I doubt I'll find anything, but in my experience, no computer should ever boot from Windows XP more slowly than from a Linux live CD. So I very much suspect that something is wrong.

    Edit: yep, Kaspersky did not find anything.
     
    Last edited by a moderator: Sep 3, 2011
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Gullible Jones

    Just noticed the update, which i missed earlier 'cos you did an EDIT instead of a new post :p

    You didn't say if you've tried HitmanPro ?

    I wonder if you've used Autoruns & ProcessExplorer to see if Anything/s dodgy etc ?

    The slow start up is definitely a concern :(

    What about the MBR being infected ? Try some dedicated tools and see :thumb:
     
  11. Hmm. Hitman Pro found a malicious DLL in the application data folder. But when I looked for it in Explorer it didn't show up, even though I'd made it show hidden and system files. It was visible from a live CD though.
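    The situation in this post (a file that Explorer cannot see even with hidden/system files shown, but that a live CD lists) and in the first post (a scanner reporting a driver that is not on disk) are the two directions of the same cross-view check that rootkit detectors such as Rootrepeal perform. The script below is an added example, not code from the thread or from any tool named in it: it takes a listing made from inside the running Windows install and one made offline from a live CD, and reports what each view shows that the other does not. The sample listings, the `EXAMPLE_hidden.dll` name and all sizes are constructed; `92947031.sys` is the driver name from the first post, used here only to show how a scanner-created phantom entry is classified.

```python
"""Cross-view difference check for hidden or phantom files.

Added example (not from the thread or any tool it mentions).  Compare a
directory listing taken from inside the running Windows install against
the same directory listed from an offline boot (live CD):

  * present offline, missing inside  -> candidate for a hook or filter
                                        driver hiding it (post 11)
  * present inside, missing offline  -> phantom entry, e.g. a scanner's
                                        own temporary driver (post 2)
  * present in both, different size  -> worth a second look
"""
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CrossViewResult:
    hidden_offline_only: List[str]   # visible offline, not inside Windows
    phantom_inside_only: List[str]   # reported inside, not on disk
    mismatched: List[str]            # same path, different size


def snapshot(root: str) -> Dict[str, int]:
    """Walk a tree and return {path: size}.  Run once from inside Windows
    and once from the live CD (with the NTFS volume mounted) and feed
    both results to cross_view_diff()."""
    listing: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                listing[full] = os.path.getsize(full)
            except OSError:
                listing[full] = -1   # unreadable: keep it, size unknown
    return listing


def _normalise(listing: Dict[str, int]) -> Dict[str, int]:
    # NTFS is case-insensitive and the live CD may use '/' separators,
    # so normalise before comparing to avoid false differences.
    out: Dict[str, int] = {}
    for path, size in listing.items():
        key = path.replace("/", "\\").lower().rstrip("\\")
        out[key] = size
    return out


def cross_view_diff(inside: Dict[str, int],
                    offline: Dict[str, int]) -> CrossViewResult:
    a, b = _normalise(inside), _normalise(offline)
    hidden = sorted(set(b) - set(a))
    phantom = sorted(set(a) - set(b))
    mismatched = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return CrossViewResult(hidden, phantom, mismatched)


# Constructed sample listings (path -> size in bytes); not real data.
INSIDE_VIEW = {
    r"C:\Documents and Settings\owner\Application Data\legit.dll": 40960,
    r"C:\WINDOWS\system32\drivers\92947031.sys": 0,   # scanner artifact
    r"C:\WINDOWS\system32\kernel32.dll": 989696,
}
OFFLINE_VIEW = {
    r"C:\Documents and Settings\owner\Application Data\legit.dll": 40960,
    r"C:\Documents and Settings\owner\Application Data\EXAMPLE_hidden.dll": 120832,
    r"C:\WINDOWS\system32\kernel32.dll": 989696,
}


def demo() -> CrossViewResult:
    return cross_view_diff(INSIDE_VIEW, OFFLINE_VIEW)


if __name__ == "__main__":
    result = demo()
    print("hidden from Windows view:", result.hidden_offline_only)
    print("phantom (inside only):   ", result.phantom_inside_only)
    print("size mismatch:           ", result.mismatched)
```

    A file in the first list is exactly the kind of thing this post describes; a file in the second list is what the first post ran into, and is only suspicious if nothing you ran (TDSSKiller, an AV engine) could account for it. Submitting a file found this way to a multi-engine scanner, as the first post intended, should be done from the offline copy, since the inside view may hand you a different file or none at all.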
     
  12. guest

    guest Guest

    just reformat it
    be a lot easier and you will be sure that all the infections are taken care of
     
  13. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I would do the following:

    1. Recover any critical files.
    2. Wipe the hard drive (zero write to all hard drive sectors).
    3. Partition the hard drive.
    4. Format the hard drive (I would do a full format to make sure that any bad sectors are marked.).
    5. Install Windows XP, all Service Packs + any remaining critical updates and any optional updates.
    6. Install any required software, including Security Software.
    7. Install, configure and use Sandboxie.
    8. Image your Windows System Partition and establish a plan to routinely Image your Windows System Partition.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    99%, not some rootkits. Wiping the hard disk is 99.9% due to BIOS infections.
     
  15. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Recently someone who had a Rootkit infection gave me an Intel Motherboard + Intel Core2 Duo CPU + 2 X 2 GB RAM (~08/2006 Manufacture Date). I used these components to upgrade my ~01/2003 PC.

    The first thing I did was flash the BIOS to the latest BIOS version using the Intel bootable BIOS flash CD. I was worried about the possibility of a BIOS infection.

    I also did a wipe (zero write to all sectors) of my "New" Western Digital 500 GB RE4 SATA hard drive. This procedure is now a standard practice for me with all "New" hard drives.
     
    Last edited: Sep 6, 2011
  16. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
  17. Wait a minute, is there actually any evidence of current BIOS rootkits in the wild? I've heard of experimental stuff, but I'd thought there were usually too many BIOS differences from one machine to another for such things to be effective. Last time there was a major BIOS virus it only worked on a certain subset of x86 computers, which all basically used the same BIOS.

    (A bit of Googling on the subject turns up some threads about a TDSS variant that can supposedly infect the BIOS. Personally I'm quite skeptical. The first thing I'd suspect if a scan on a nuked & paved machine turned up TDSS would be an antivirus engine FP, not a BIOS rootkit.)

    Edit: Wikipedia does have some interesting stuff on it...

    In that case it is conceivable that BIOS rootkits could turn up ITW about now, but I've yet to see any reports of them from antivirus and security vendors; and as much as I dislike antivirus vendors, I'm not yet willing to consider them part of a massive conspiracy.

    Edit again: Wow, the situation actually looks pretty bad. I'm amazed at how little of this stuff is turning up ITW, but it makes me glad I have a PPC Mac with OpenFirmware - it might prove to be an invaluable resource at some point.

    Also, remind me to never, ever run Windows XP again, or any OS that uses a root account by default...
     
    Last edited by a moderator: Sep 8, 2011