I've had a virus on my PC for some time, acquired from a drive-by install at a particular, seemingly friendly, web site (name available on request). That was when I was using IE as the browser and windows firewall. (I believed I was protected !) The web site owner is a hacker who likes to remote control the PC, doing silly things to it, sometimes not-so-silly e.g. deleting files. In the past my email passwords have been logged and then changed by the hacker. (This is the short version.) I've rebuilt the PC a couple of times but never been certain that the virus was eliminated - it was never detectable by Avast or Avira. The virus was still present after the first rebuild. All things considered I suspect there's a rootkit on the PC as well.
Since the last rebuild I've been trying not to connect that PC to the internet as the virus cannot be remote-controlled unless there's an internet connection. I recently connected it, as a test, and downloaded some files. The next day the Downloads folder and the files had disappeared. Those files are not in the recycle bin and they're not visible when I run an undelete utility program. So I suspect more silly games but, until more weird things happen, it's going to be difficult to be certain that a virus is still present. However, I'd rather not wait until more data is deleted so I recently started running rootkit detection programs.
I ran Rootkit Unhooker LE v3.7.300.505 and requested a report/scan on all 6 tabs. At the end of the long log was the caution : '!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)'. I suspect that this derives from one of these tabs : SSDT State, Files, Hooks as those were the only ones that had specific comments in the log. None of the comments was highlighted in red.
Just for info, I ran a separate scan on Drivers and Stealth and got the response: 'Nothing detected :('.
I have also run TDSSkiller - about 180 objects were examined, of which 125 were unsigned and flagged as a medium risk. But there was no detection of a rootkit.
Using IceSword I scanned for rootkits and received this comment during step 2 :
HKEY_CLASSES_ROOT\htafile\shell\open\command : C:\WINDOWS\system32\mshta.exe "%1" %*
I'm not sure what to do with that comment, or with the warning from Rootkit Unhooker. I've attached an OTL log for you guys to look at.
As I say, it feels as though someone is giving the virus instructions whenever the PC is connected to the internet, so I try to limit this. The PC is currently loaded with XP SP3, which comes from a setup CD, but I haven't downloaded the latest MS updates as that would require a long internet connection.
trampas
OTL logfile created on: 4/02/2012 9:05:37 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\My Documents
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy
510.73 Mb Total Physical Memory | 152.12 Mb Available Physical Memory | 29.78% Memory free
1.22 Gb Paging File | 0.82 Gb Available in Paging File | 67.52% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 53.37 Gb Free Space | 71.62% Space Free | Partition Type: NTFS
Drive E: | 3.72 Gb Total Space | 3.72 Gb Free Space | 99.88% Space Free | Partition Type: FAT32
Computer Name: ZTT-VANILLA | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/02/04 08:53:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\OTL.exe
PRC - [2011/10/05 10:18:37 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/10/05 10:18:29 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/10/05 10:18:17 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011/10/05 10:18:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2011/03/18 01:24:50 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/04/04 13:38:52 | 000,774,144 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2003/02/12 19:55:52 | 001,334,784 | ---- | M] () -- C:\WINDOWS\system32\TCAUDIAG.EXE
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
========== Modules (No Company Name) ==========
MOD - [2011/10/05 10:18:31 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2003/02/12 19:55:52 | 001,334,784 | ---- | M] () -- C:\WINDOWS\system32\TCAUDIAG.EXE
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012/02/03 14:30:36 | 000,392,064 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Owner\Local Settings\Temp\AXHSXR.exe -- (AXHSXR)
SRV - [2011/10/05 10:18:29 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/05 10:18:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
========== Driver Services (SafeList) ==========
DRV - [2011/09/18 08:39:27 | 000,134,344 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/09/15 23:55:04 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/09/15 23:55:03 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2008/03/17 11:03:46 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2003/04/18 03:12:00 | 000,073,856 | R--- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaraid.sys -- (viaraid)
DRV - [2003/04/17 18:15:22 | 000,147,328 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EL2K_XP.sys -- (EL2000)
DRV - [2002/09/20 12:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
DRV - [2001/09/04 21:22:52 | 000,019,534 | ---- | M] (3Com Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\TCAITDI.SYS -- (TCAITDI)
DRV - [2000/06/07 04:08:04 | 000,021,233 | ---- | M] (3Com Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\TCAICCHG.SYS -- (tcaicchg)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2003/03/31 22:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NVCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TCASUTIEXE] C:\WINDOWS\System32\TCAUDIAG.EXE ()
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Mobile Partner] C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe ()
O4 - HKCU..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/01 18:55:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{e00f4602-04ea-11e1-ad50-000c6e64e9a1}\Shell - "" = AutoRun
O33 - MountPoints2\{e00f4602-04ea-11e1-ad50-000c6e64e9a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e00f4602-04ea-11e1-ad50-000c6e64e9a1}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{e00f4604-04ea-11e1-ad50-000c6e64e9a1}\Shell - "" = AutoRun
O33 - MountPoints2\{e00f4604-04ea-11e1-ad50-000c6e64e9a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e00f4604-04ea-11e1-ad50-000c6e64e9a1}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2012/02/04 09:05:19 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\OTL.exe
[2012/02/04 08:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\eSupport.com
[2012/02/04 08:21:13 | 000,000,000 | ---D | C] -- C:\Program Files\eSupport.com
[2012/02/03 19:34:51 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2012/02/03 19:01:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Rootkit Unhooker
[2012/02/03 19:01:19 | 000,000,000 | ---D | C] -- C:\Program Files\RkUnhooker
[2012/02/03 19:00:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RkU37300505
[2012/02/03 17:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\IceSword122en
[2012/02/03 14:29:38 | 000,334,720 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Owner\My Documents\RootesttkitRevealer.exe
[2012/02/02 06:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ThreatFire
[2012/02/02 06:24:00 | 000,059,664 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2012/02/02 06:24:00 | 000,051,984 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2012/02/02 06:24:00 | 000,033,552 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2012/02/02 06:23:58 | 000,000,000 | ---D | C] -- C:\Program Files\ThreatFire
[2012/02/02 06:23:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2012/01/13 11:17:52 | 000,000,000 | -HSD | C] -- C:\found.001
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/02/04 08:53:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\OTL.exe
[2012/02/04 08:21:15 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTFS Undelete.lnk
[2012/02/03 18:57:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/03 18:57:40 | 535,613,440 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/02 06:24:03 | 000,000,621 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2012/02/01 09:25:25 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/02/04 08:21:15 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTFS Undelete.lnk
[2012/02/03 14:29:34 | 000,102,160 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RootesttkitRevealer.chm
[2012/02/03 12:45:02 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\gtestmer.exe
[2012/02/02 06:24:03 | 000,000,621 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2012/02/02 06:08:20 | 535,613,440 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/22 07:53:02 | 000,000,693 | ---- | C] () -- C:\Program Files\Shortcut to CoolPDFReader.exe.lnk
[2011/11/04 07:20:19 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/11/02 08:56:40 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/11/02 04:43:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/11/02 04:42:06 | 000,254,272 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/11/01 19:22:27 | 000,025,853 | R--- | C] () -- C:\WINDOWS\System32\sk98nt4.ini
[2011/11/01 19:22:27 | 000,025,853 | R--- | C] () -- C:\WINDOWS\System32\InstInfo.ini
[2011/11/01 19:19:59 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2011/11/01 19:19:59 | 000,003,366 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2011/11/01 19:03:19 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\INFSETUP.exe
[2011/11/01 18:57:00 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/11/01 18:53:03 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/14 05:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/03/31 22:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/03/31 22:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/03/31 22:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/03/31 22:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/03/31 22:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/03/31 22:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/03/31 22:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/03/31 22:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/03/31 22:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/03/31 22:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/02/12 19:55:52 | 001,334,784 | ---- | C] () -- C:\WINDOWS\System32\TCAUDIAG.EXE
========== LOP Check ==========
[2011/11/22 11:19:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SumatraPDF
[2011/11/22 11:12:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\YcanPDF
========== Purity Check ==========
< End of report >