
Fairly certain I have a rootkit infection



Thanks screen317,

Sorry for the delay in responding. Had some other stuff happening. Thank you for helping me clean up the malware. I deleted the two folders. I am not sure where you wanted me to download XP SP3 from. You mention 'here' but I did not see a link. I went to Microsoft downloads and got a copy so I should be all set with that.

Is it okay to run DeFogger Re-Enable now? I would like to be sure everything else is restored before continuing.

I may try to use Spotmau Powersuite Pro 2008 (have used it to recover my daughter's laptop from BSOD) or maybe a repair (friend has XP Pro SP2 disk) before I make the leap to SP3. Not against SP3, just not entirely for it either.

Thanks, await your word on DeFogger and will follow-up with how SP3 went if I ultimately do it! Will post either way.


  • Staff

Hi,

You mention 'here' but I did not see a link. I went to Microsoft downloads and got a copy so I should be all set with that.
The link was lost somehow. Seems you've found it regardless.

Unfortunately Microsoft has stopped releasing security updates for SP2, so your computer will remain incredibly vulnerable with SP2. Please upgrade to SP3 as soon as you can. Re-enable Defogger after the upgrade. See this for more information:

http://support.microsoft.com/gp/windowsxpsp2

Let me know how it goes.

-screen317


SP3 it is then! Will update you this weekend. Most likely on Sunday. Very busy today.

I really want to upgrade my hard drive from the 40gb it is to a 500gb drive. I think I want to partition the 500 so it has a matching 40gb boot partition that I can clone the old drive over to and boot from the new drive. Since I don't have the original software, not sure if it can be done. Could you point me to a source to learn more about what is involved? In the meantime, recovery via SP3 is what I am doing. Do understand this is not in the scope of this post so I am just fine if you have no feedback on this item ... I am ok googling for the info, just been hard for me to find a really good site for this.

Thank you, thank you, nnnnnnnnnnnn did I say thank you?!


  • Staff
I really want to upgrade my hard drive from the 40gb it is to a 500gb drive. I think I want to partition the 500 so it has a matching 40gb boot partition that I can clone the old drive over to and boot from the new drive. Since I don't have the original software, not sure if it can be done. Could you point me to a source to learn more about what is involved? In the meantime, recovery via SP3 is what I am doing. Do understand this is not in the scope of this post so I am just fine if you have no feedback on this item ... I am ok googling for the info, just been hard for me to find a really good site for this.
It might be worthwhile to consider starting from scratch with a new hard drive if possible.

Not really sure what you mean by "40GB boot partition." Perhaps you could explain in more detail?


Yeah, not too clear, huh? I thought I would partition the 500gb drive and assumed it would be necessary to create a partition that matches the size of the 40gb drive I would be replacing. Of course, this is also assuming the old 40gb drive is functioning properly and the old 40gb drive can be cloned to the new partition. The reason I wanted to do it this way is I do not own a copy of Win XP for that system to do a clean install.

Anyway, I tried to install SP3 and it hung during the 'finishing installation', 'performing cleanup' phase. I started by copying the standalone version of SP3 to the desktop and running it (I have a copy of the SP3 ISO boot version but Microsoft says to use the standalone version if only updating one computer). Not sure if it matters but prior to that I had hooked up a 1TB external drive (drive f:) and backed up my documents and files. What I forgot to do was dismount and disconnect the drive when I was done. As a result when I executed SP3, it extracted its files to that drive (it did not give me a choice).

Everything seemed to be going okay ... it backed up files and registry... installed files then just hung. I wasn't watching the screen so I do not know how far into finishing installation it ran before it hung. The blue progression bar for the whole process appears to be about 5/6 or 6/7's complete (best guess). The Back, Finish, Cancel buttons are greyed out. The Help button is the only one selectable. The light on the front of my external drive is on making it appear the drive is being accessed (it is not flashing showing normal activity). Also, once in a while the desktop will flicker but not show any other activity.

That is where the system sits until you advise .... :( loads of funs !


Yes! Some success. SP3 did install but the problem of no ip address, no network and no ability to connect to the internet did not change.

So, since the 'netsh winsock reset' back in post #12 did not resolve it back then, I chose to run a small utility 'WinsockxpFix' that resets winsock but also cleans up registry problems associated with the network. It worked .. my network places, ip address and internet connectivity were all restored.

Right now I haven't tried using the system much to see if anything else is going on. I still have the Device Manager issue from post #11 with the Network adapter entries having an exclamation point but that appears to be something to be managed for now.

So, let me know if we are ready for Defogger or if you want new scans first ..... Thanks so much for your enduring patience!


  • Staff

Hi perrymc,

Glad to hear you got things sorted out with the update and the connectivity issue.

Right now I haven't tried using the system much to see if anything else is going on. I still have the Device Manager issue from post #11 with the Network adapter entries having an exclamation point but that appears to be something to be managed for now.
Right-click all Network adapter entries and click Uninstall. When that completes, restart your computer and the devices will be detected again. See if they are functional now.

Do you have any disk image cloning software?


I will be using a 500gb Western Digital drive and WD is providing a free copy of Acronis True Image WD Edition. It will work to image any drive over to a WD drive. Been readin' the WD forums n think it should go ok. Will keep readin' to be sure I am ready for any troubles that may come up. Just not sure when I will go for it. Looks like it will be a little easier than I thought .... knock on wood!

Tried to uninstall the Network adapter entries... "Failed to uninstall the device. The device may be required to boot up the computer." I tried to uninstall in regular mode, safe mode and safe mode with networking. Same message in all three.

Will google this and await your thoughts too.


Hi, I don't think my Clipboard function is working right now ... I am unable to capture prt screen and paste here or to notepad (can I do that?) or wordpad (program is missing). Please bear with me ... my two primary network adapters are working just fine ... I am confident the affected network adapters are part of the malware and there are remnants of it in the registry and system32 folder that is blocking the removal of these adapters. I will work up some details and info about the entries for you and post tomorrow.

g'nite for now


Good morning!

Since I cannot do a screen capture, here is what I have found ...

My ethernet and wireless adapters are working okay ... I don't think we need to uninstall these drivers but still can if we decide to.

WORKING - these two have properties tabs 'advanced', 'resources' and 'power management' that the ones not working do not have. The working two are from Microsoft and Texas Instruments:

3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)

802.11g Wireless PCI Card

NOT WORKING:

! 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - WinpkFilter Miniport

! 802.11g Wireless PCI Card - WinpkFilter Miniport

! NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - WinpkFilter Miniport

! WAN Miniport (IP) - WinpkFilter Miniport

1) I can enable/disable them but cannot uninstall in any mode

2) I went into properties for all four. They are identical except for the Device Instance Id:

Properties General Tab: Manufacturer - NTKR

Properties Driver Tab: Driver Provider - NTKR

Driver Date - 10/20/2005

Driver Vsn - 3.0.0.1

Driver Details: C:\windows\system32\drivers\Ndisrd.sys

Provider: NT Kernel Resources

File Vsn: 3.0.4.1

Copyright: NT Kernel Resources 2000-2008

Not digitally signed

Details Tab: drop down menu has "Driver Instance Id" selected for all four.

The box below "Driver Instance Id" only varies by one digit

the portion in parens only identifies the adapter I am referring to

(3Com 3C920 ... winpkFilter ...) ROOT\NT_NDISRDMP\0003

(802.11g ...winpkFilter ...) ROOT\NT_NDISRDMP\0001

(NETGEAR FA3 ...winpkFilter ...) ROOT\NT_NDISRDMP\0000

(WAN Miniport... WinpkFilter ...) ROOT\NT_NDISRDMP\0002

3) C:\windows\system32\drivers\Ndisrd.sys does exist. I have not tried to delete or remove it. A search of the registry did not show a reference to Ndisrd.sys but did show entries for NDISRDMP as follows:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#Root#NT_NDISRDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\ NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware\Profiles\Current\System\CurrentControlSet\Enum\ROOT\ NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Ndisrd

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#Root#NT_NDISRDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\ NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Ndisrd

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#Root#NT_NDISRDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#NT_NDISRDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\ NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\ NT_NDISRDMP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisrd

HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\NT_NDISRDMP

4) I am pretty sure Ndisrd.sys and NDISRDMP are malware and should be removed. Some solutions point to deleting the registry entries that refer to "ROOT\NT_NDISRDMP\0000", ....\0001, ....\0002 and \0003, specifically those under the HKLM\system\CurrentControlSet\Enum location. Perhaps one or all .... It seems once the registry entry is gone, the lock on the entry in device manager will be removed and that device can be uninstalled ... I don't know on this one ... definitely need your guidance on this. I have not done anything beyond looking.
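As an added example that is not part of this thread, the PowerShell below automates the manual walk the post above does by hand (Device Instance Id under Enum\ROOT, to the Service it names, to the driver file, to its signature status) for every root-enumerated device, so a driver reported as "Not digitally signed", like the one behind the four WinpkFilter Miniport entries, surfaces alongside anything similar. It is read-only and changes nothing; the function name is my own, not a Windows or forum tool.

```powershell
# Added example, not from the thread: read-only triage of root-enumerated PnP devices.
# Device Manager's "Device Instance Id" values such as ROOT\NT_NDISRDMP\0003 are subkeys
# of HKLM\SYSTEM\CurrentControlSet\Enum\ROOT; each one names the kernel service that
# drives it, and that service's ImagePath points at the .sys file whose signature we check.
function Get-RootEnumeratedDriverReport {
    param(
        # Wildcard applied to the device-class key name, e.g. 'NT_*' to see only NT_NDISRDMP-style entries.
        [string]$ClassFilter = '*'
    )
    $enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\ROOT'
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($devClass in Get-ChildItem $enumRoot -ErrorAction SilentlyContinue) {
        if ($devClass.PSChildName -notlike $ClassFilter) { continue }
        foreach ($inst in Get-ChildItem $devClass.PSPath -ErrorAction SilentlyContinue) {
            $props      = Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue
            $svcName    = $props.Service
            $driverFile = $null
            $signature  = 'NoService'
            if ($svcName) {
                $svc = Get-ItemProperty (Join-Path $services $svcName) -ErrorAction SilentlyContinue
                $imagePath = $svc.ImagePath
                # Kernel drivers with an empty ImagePath default to system32\drivers\<service>.sys.
                if (-not $imagePath) { $imagePath = "system32\drivers\$svcName.sys" }
                # Normalise the forms seen in practice: \SystemRoot\..., \??\C:\..., system32\drivers\...
                $driverFile = $imagePath -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
                if ($driverFile -notmatch '^[A-Za-z]:\\') { $driverFile = Join-Path $env:SystemRoot $driverFile }
                if (Test-Path -LiteralPath $driverFile) {
                    $signature = (Get-AuthenticodeSignature -FilePath $driverFile).Status
                } else {
                    $signature = 'FileMissing'
                }
            }
            New-Object PSObject -Property @{
                InstanceId  = "ROOT\$($devClass.PSChildName)\$($inst.PSChildName)"
                Description = ($props.DeviceDesc -split ';')[-1]   # strip the @inf,%res%; prefix newer Windows adds
                Service     = $svcName
                DriverFile  = $driverFile
                Signature   = $signature
            }
        }
    }
}

# Every ROOT\ device whose driver is not validly signed (unsigned, file missing, or no service at all):
# the condition the four WinpkFilter Miniport entries above met ("Not digitally signed").
Get-RootEnumeratedDriverReport |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table InstanceId, Description, Service, DriverFile, Signature -AutoSize
```

Files signed only through a security catalog rather than an embedded signature may show as NotSigned depending on the PowerShell version, so treat the output as a review queue, not a verdict.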


  • Staff

Hi,

My apologies for the delay.

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

Please uninstall Azureus Vuze before continuing.

Next, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

File::
c:\documents and settings\NAU\Start Menu\Programs\Startup\monipu32.exe
c:\windows\pss\monipu32.exe
Killall::
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^NAU^Start Menu^Programs^Startup^monipu32.exe]

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.