
Author Topic: Stubborn Rootkit - Need Advice


powlaz

    Topic Starter
    Stubborn Rootkit - Need Advice
    « on: June 19, 2008, 07:43:24 AM »
    I have a Dell Celeron 1.7 PC w/ 512MB, 40GB HDD, running XP SP2.  The PC is in pretty bad shape.  I usually use the standalone scanner from Kaspersky (available in devbuilds) and Super Antispyware to clean up pretty much every infection on a PC.  Not working this time.

    Kaspersky flagged a bunch of Hidden.Object.xxxx items that it couldn't delete, heal, or quarantine.  So I downloaded Rootkit Revealer, Blacklight, RootKitty, PAR, &  SAR.  Rootkit Revealer showed 20+ items.  Blacklight found 5 but didn't fix them.  Haven't run RootKitty or PAR yet and SAR found 37 items, 1/2 couldn't be deleted or fixed, the other half it recommended not to fix.

    So... I'm out of ideas.  In the meantime I have used CCleaner to clean all users' accounts, prefetch, etc.  Turned off system restore and hibernation (to eliminate their stores), added Ad-Aware 2008, Counterspy V2 (which won't update) and a couple of other things.

    Super AS needed manual updating, it was blocked.  Ad-Aware needed manual updating, it was blocked.  Counterspy can't be manually updated as far as I can tell because it, too, is blocked.  Hijack This won't even run.

    I've never seen anything so vicious.  These are my best tools.  For the record, the spyware programs are addressing a search engine hijack, and rooted out a mess of other spyware and trojans.  I suspect the rootkits are allowing the trojans in and the search engine hijack isn't the result of spyware.

    There's too much on this PC to reformat, so what I'm wondering is 1: any other ideas? and 2: will an XP repair installation overwrite the hooked files in the install directory and the registry?

    I have done a lot of work in Safe Mode and still more in Windows after using Code Stuff Starter to disable almost everything from starting with the PC (aside from essential Windows files).  I'm seeing progress but not what I expected (especially given that those files and keys identified as rootkits are still in place).

    Thanks for any light you can shed.

    Po
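The detectors named in this post (RootkitRevealer, BlackLight) work by cross-view comparison: list the file system or registry once through the normal Windows API and once from the raw volume or hive, then report every entry on which the two views disagree. An entry present in the raw view but absent from the API view is what a hooking rootkit looks like; an entry that appears or changes between the two passes is usually just a file the system rewrote in the meantime (logs, prefetch, temp). The Python below is an added example written for this thread, not code from the thread or from any of the tools it names. The snapshots, the hidden driver name `sample_hidden.sys`, and all sizes and timestamps are constructed; on a real machine the raw view would have to come from an offline MFT or hive parser.

```python
"""Cross-view discrepancy detection over two snapshots of the same namespace.

Added example, not the thread's or any tool's own code.  All sample data is
constructed.  Works the same for registry keys as for files: key the
snapshots by key path instead of file path.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    """Minimal metadata for one file (or registry value)."""
    size: int
    mtime: int  # seconds since epoch


Snapshot = Dict[str, Entry]
Finding = Tuple[str, str]


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise so that the API view and
    # the raw view agree on the key even if they differ in case.
    return path.lower()


def cross_view_diff(api_view: Snapshot, raw_view: Snapshot) -> List[Finding]:
    """Report every path on which the API view and the raw view disagree."""
    api = {_norm(p): e for p, e in api_view.items()}
    raw = {_norm(p): e for p, e in raw_view.items()}
    findings: List[Finding] = []
    for path in sorted(api.keys() | raw.keys()):
        if path in raw and path not in api:
            # On disk, but the enumeration API never returned it: the classic
            # signature of a hooked FindFirstFile/NtQueryDirectoryFile.
            findings.append((path, "hidden from Windows API"))
        elif path in api and path not in raw:
            # Returned by the API, gone from disk: deleted between passes, or
            # a hook fabricating entries.
            findings.append((path, "visible to API but not on disk"))
        elif api[path] != raw[path]:
            findings.append((path, "metadata mismatch between views"))
    return findings


def persistent_findings(run1: List[Finding], run2: List[Finding]) -> List[Finding]:
    """Keep only discrepancies that both runs reported.

    A file rewritten or deleted between the API pass and the raw pass shows up
    once and is gone on the next run; something a rootkit hides stays hidden
    every time, so intersecting two runs drops the noise and keeps the hide.
    """
    return sorted(set(run1) & set(run2))


# ---- constructed sample data (not from the machine in the thread) ----------
SYS32 = r"C:\WINDOWS\system32"
PREFETCH = r"C:\WINDOWS\Prefetch\NOTEPAD.EXE-1234ABCD.pf"
HIDDEN = SYS32 + r"\drivers\sample_hidden.sys"  # constructed name

_COMMON = {
    SYS32 + r"\drivers\etc\hosts": Entry(734, 1_213_000_000),
    SYS32 + r"\ntoskrnl.exe": Entry(2_181_760, 1_200_000_000),
}


def run1() -> List[Finding]:
    # Pass 1: prefetch file deleted between the API pass and the raw pass;
    # the hidden driver is only visible in the raw view.
    api = {**_COMMON, PREFETCH: Entry(9_000, 1_213_800_000)}
    raw = {**_COMMON, HIDDEN: Entry(40_960, 1_213_700_000)}
    return cross_view_diff(api, raw)


def run2() -> List[Finding]:
    # Pass 2: prefetch file rewritten between passes (size/mtime differ);
    # the hidden driver is still only in the raw view.
    api = {**_COMMON, PREFETCH: Entry(9_000, 1_213_800_100)}
    raw = {**_COMMON, PREFETCH: Entry(9_500, 1_213_800_200),
           HIDDEN: Entry(40_960, 1_213_700_000)}
    return cross_view_diff(api, raw)


def demo() -> List[Finding]:
    """Only the driver the API never shows survives the two-run intersection."""
    return persistent_findings(run1(), run2())


if __name__ == "__main__":
    for path, why in demo():
        print(f"{why}: {path}")
```

The single-run output is what RootkitRevealer-style tools print and why their lists run to "20+ items" on a busy machine; the two-run intersection is the manual step a practitioner applies before trusting any of them.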

    stevejohnson1958

    • Guest
    Re: Stubborn Rootkit - Need Advice
    « Reply #1 on: June 19, 2008, 07:58:16 AM »
    Not being a Malware Specialist...one should be along, hopefully soon...

    Have you tried any of the free online scans out there such as Trend Micro's HouseCall?  The online scan takes a while to update and scan...but it may help.  At least it could get you to a point where you'll be able to download, run and post a HijackThis log file.

    Trend Micro HouseCall

    powlaz

      Topic Starter
      Re: Stubborn Rootkit - Need Advice
      « Reply #2 on: June 19, 2008, 11:27:35 AM »
      Nope - online functionality is sketchy at best right now.  Housecall is on my list of tools to use but not in this case.  Thanks for the reply.

      Po

      Broni

      Re: Stubborn Rootkit - Need Advice
      « Reply #3 on: June 19, 2008, 11:34:47 AM »
      Restart in Safe Mode with Networking, and see if you can update/run Superantispyware from there.

      While there, try:
      Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

          * Double-click mbam-setup.exe and follow the prompts to install the program.
          * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
          * If an update is found, it will download and install the latest version.
          * Once the program has loaded, select Perform full scan, then click Scan.
          * When the scan is complete, click OK, then Show Results to view the results.
          * Be sure that everything is checked, and click Remove Selected.
          * When completed, a log will open in Notepad.
          * Post the log back here.

      The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
      Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

      Eventually, try to run HJT in Safe Mode.

      powlaz

        Topic Starter
        Re: Stubborn Rootkit - Need Advice
        « Reply #4 on: June 19, 2008, 01:24:29 PM »
        Internet activity in Safe Mode ain't great either.  I did most everything in Safe Mode before I had to run the rootkit programs (Blacklight first, and that prompts you to run in a standard Windows environment).

        Funny that you mentioned the Malwarebytes program.  I ran across it last night.  I'm interested in trying it.  Also going to try to hunt down the Ewido standalone scanner.  I had a jump drive with tons of stuff configured to run (portable) and lost it, so I've been scraping together what I can and installing it... what a waste of time.

        Anyway, all programs but Counterspy were updated manually.  I'll let you know what Malwarebytes does tonight.  Also I'll let you know what HJT finds, but I've been using it since the Merijn days so I don't need to post.

        I DO need to know if a repair install of Windows will overwrite the registry and system hooks that are currently victims of the rootkits.  Any ideas?

        Thanks for helping guys.

        Matt

        evilfantasy

        • Malware Removal Specialist
        • Moderator
        Re: Stubborn Rootkit - Need Advice
        « Reply #5 on: June 19, 2008, 01:31:41 PM »
        Run the F-Secure online scan for Viruses, Spyware and RootKits:

        This scanner works with Internet Explorer only

        • Go to the F-Secure Online Virus Scanner
        • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
        • Allow the Active X control to be installed on your computer, then click the Accept button
        • Click Full System Scan and allow the components to download and the scan to complete.
        • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
        • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
        • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
        If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan:
        • When the cleaning option is presented, Uncheck Submit samples to F-Secure
        • Click Automatic cleaning
        • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
        • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.
        Note:
        • This scan will only work with Internet Explorer
        • You must have administrator rights to run this scan
        • This scan can take over an hour so please be patient