View Full Version : All About Rootkits and Removers
PeteF
03-26-2006, 04:42 PM
Everyone,
Below is a link to the best article I've seen on Rootkits. It tells you
what they are, how they operate, and provides various links to the tools
you need to remove them. This is not for newbies. Long and detailed info
here. Some of this stuff offered will not be there months from now so
act quickly. ---pete---
Source:
http://www.pcsupportadvisor.com/rootkits.htm
Excerpt from full article above...
Rootkit Detection and Removal
Dealing with the threat of trojan rootkits
Rootkits are not themselves malware programs. Rather rootkits are programs that hide the presence of malware programs.
They do this using a variety of clever tricks to manipulate Windows itself, the effect of which is that you cannot see the malware product on your computer using normal Windows programs.
For example, you will not be able to see any of the malware files in Windows Explorer or any other common file viewer.
Nor will you be able to see any of the malware processes by using Task Manager or most other process viewers.
Similarly there will be no visible malware entries in the Windows Startup folder or other startup locations. Even a HijackThis log will show nothing.
---see link above for full article---
dbarrow
03-26-2006, 05:29 PM
Process Explorer for Windows 9x/NT/2000/XP/S2K3
Copyright (C) 1998-2004 Mark Russinovich
Sysinternals
www.sysinternals.com
free
Not exactly the easiest program to use, but something to have parked in your toolbox.
mylanta
03-26-2006, 11:10 PM
Well I tried all of the suggested scans and it appears a rootkit is what I have.
I cannot delete the registry entry so back I go to the 22nd and hope this didn't start with my new install, because if it did, I'll be reformatting again!
PeteF
03-27-2006, 03:26 AM
Well I tried all of the suggested scans and it appears a rootkit is what I have.
I cannot delete the registry entry so back I go to the 22nd and hope this didn't start with my new install, because if it did, I'll be reformatting again!
Rich, my ideas are changing regarding all these malware issues.
Seems to me that backups are top priority over everything. And
I mean multiple backups where you can go back days at a time
for data and weeks or months back for the entire system via
image file.
The fact that none of us who service many PCs seem to know of anyone
who actually had their identity stolen or accounts broken into tells
me the problem is over-hyped and not that big a risk factor. The bigger
risk is in having the computer performance degraded as a result of
all the malware using up the computer resources.
It looks to me that we do need various levels of protection, but
it's gotten to the point where it's so complex and time consuming
that the cure has become worse than the disease.
Bottom line... BACKUPS first & foremost. Multiple BACKUPS!
Daily data backups. Separate monthly & weekly image backups.
Then put up some barriers & protections against malware, but
don't go crazy with all that. Don't spend your grocery money
on program after program which only provides a false sense
of security. Do manual scans occasionally and just restore to
backups when the malware can't be automatically removed.
If MS built all that into the new Win Vista, people would
flock to it. Unfortunately, I'd be out of business or need
to focus my efforts in other areas.
But hey, I might like that. :D
---pete---
Interesting. I tried three programs, F-Secure, Rootkit Hook Analyzer and IceSword, which was too involved for me to mess with even if it was in English. F-Secure showed no hidden kits, but Rootkit Hook Analyzer showed several modules installed that hooked kernel system services. Interestingly enough, they were all part of Zone Alarm (that should make Rich happy :)). But this seems to be common in system tools dealing with monitoring or antivirus, according to the Help file, though it is considered an out-of-fashion programming technique. I've tried Rootkit Revealer before, but it always shows an error when scanning FAT32 partitions. But since my Windows files are on NTFS, I guess this isn't that important.
I agree with Pete that this whole controversy is a little suspicious. According to the Rootkit Hook Analyzer Help File:
"RootKit Hook Analyzer is a security tool which will check if there are any rootkits installed on your computer which hook the kernel system services. Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system make use of. If any of these system services is modified it means that there is a possibility that the safety of your system is at risk.
Are kernel hooks always bad ?
Kernel hooks are out of fashion these days and are not officially documented and considered deprecated by Microsoft. The pioneering heroes of the old days who discovered how to actually implement them have all adapted to the new fashion to advise against using kernel hooks as a programming practice. Often kernel hooks are unnecessary and there are documented ways which allow a programmer to achieve his goal instead. However in a lot of system tools such as monitoring and antivirus software, kernel hooks are the only available technique to get the trick done and thus are an unavoidable necessary evil. Important is that if your kernel system services are hooked that you can find out which is the responsible software that makes use of this technique. Inspired by all the discussions going on about the Sony CD protection rootkit, we have developed the RootKit Hook Analyzer."
As far as I know, Sony is the only documented case of someone being caught using this practice, besides the obligatory "malicious hackers". And they were only interested in whether we were stealing their crappy music! This appears to be a rather "Old School" technique. Are there gangs of disgruntled unemployed programmers out there trying to supplement their income (GEEKS GONE BAD!)? The only problem with identity theft I ever encountered was some Yahoos in Georgia swiping my Mobil cards before they even left the Post Office in Atlanta! Mobil never did explain how this happened, but they did make good on it.
mylanta
03-27-2006, 08:10 AM
Pete,
I think you are so right and that is why I have always made image files weekly and file data and backup either in background or every 2 hours by schedule.
It appears that my restore worked and I not only see no traces of the earlier problems, but I note the PC running much quicker, as it seemed to be a few days ago. Perhaps I overloaded it with all kinds of spyware prevention which did nothing anyway, in an attempt to find answers to preventing all of this.
My old motto was always "15 minutes to troubleshoot, then restore back" as that was all I would allow for problem solving. I hope this solved the problem because this has been the worst infestation I have ever faced.
In fact it is the only one of any magnitude in at least 6 years so I admit I was overconfident and "rusty" as well.
If I admit to my full past paranoias, I used both Ghost and Acronis alternating weeks, in case one or the other had a problem restoring, and when SATA came along with its MBR transference problems, Ghost was actually the superior product (relax, Ghost, that was Drive Image folks, not real "Ghost", the old Symantec joke) at restoring to a new drive because of early allowances to restore the MBR, which Acronis now finally has in the latest version.
PeteF
03-27-2006, 09:13 AM
My old motto was always "15 minutes to troubleshoot, then restore back" as that was all I would allow for problem solving. I hope this solved the problem because this has been the worst infestation I have ever faced.
Hey, I remember that motto from long ago.
I'm going to strive to keep my system backup strategy working
so I can use your motto. Hopefully I'll do the same for my customers.
---pete---
dbarrow
03-27-2006, 09:33 AM
Remember that these rootkit detection programs are not like an AV. They are not automatic and easy to use.
What they do is look far deeper into the system than anything else and tell you what is running under what service.
Identification of the items is up to you!
It's not all that easy.
The program points you to the files and then you have to figure them out.
Some software makers do not identity-tag all their files, so when you check the properties, it comes back blank.
Then it becomes a guessing game based more on where the file resides. If it sits in with known software, it probably belongs there.
If it is kind of random in a temp folder or system32, it may or may not be suspicious.
Rootkit files usually have oddball file names like 3X45by.exe and are most commonly found in System, System32, and various temp folders. It is common to find them in pairs.
Be careful what you delete.
Nod32 is fairly adept at rootkit detection and has many of the common known ones in the signature base. Full manual scanning with it is advised.
You can also submit it to them to have it checked.
They usually send back results on a file in 48 hrs or less.
My habit, which dates back to "fix or restore daily" WinME,
is to keep the OS isolated on E: drive. I install all programs on G:. Yes, installs do insert dll and the like into the OS so it will grow with additional files. I still subscribe to the theory that most malware is written to find the OS on default C: %Windows. It is often too poorly written to search for it elsewhere and if it can't find the OS on C:, aborts. Maybe wishful thinking, but it seems to work for me and all my machines have XP on 10g E:. Besides, it makes it easier for me to figure them out and compare one against the other if necessary.
My multiple scheduled backups do the OS partition bi-weekly and Acronis does daily incrementals with a fresh image weekly. I copy that off to the network in an archive that goes back two months. I keep archived images and NTBackups of each machine's E: OS both locally on the machine and on the network backup drive. Each machine is doing internal and network backups one night of the week. The G: PROGRAMS are weekly, D: Games monthly, and other data drives monthly.
If I can get the OS back to current, I can access and restore everything else which does not change that often.
The scheduler works. Everything is automated. I never see it run. Now and then I check the file dates and make sure everything has run as scheduled.
mylanta
03-27-2006, 10:44 AM
Yep, this is exactly what I had (this type) and in System32 temp and System temp.
Good point about full Nod32 scan and I will do that right now.
dbarrow
03-27-2006, 10:45 AM
http://news.com.com/Trojan+horses+steal+bank+details%2C+passwords/2100-7349_3-6053849.html?tag=cd.lede
...
Sana said the Trojan is well hidden by the kernel-level rootkit and that because of this, some antivirus programs may have difficulty detecting it. The company said that as of Monday, only five security applications--UNA, VBA32, Sophos, NOD32 version 2 and eTrust-Vet--were able to detect the threat.
...Nod32... scores again!
I do believe Nod32 is top notch for detecting root kits because of the heuristics. That one time a web link started to dl one, Nod32 IMON lit right up and stopped it cold.
mylanta
03-27-2006, 11:42 AM
Well I ran the full most complete scan with heavy heuristics and came up clean so I'm off the hook again!