I think I have a rootkit, please help.

So, does it look clean or what?

Unfortunately yes, for me it looks very clean. Maybe I missed something... Have you tried some rootkit scanners? What do they report?

Unfortunately yes, for me it looks very clean. Maybe I missed something... Have you tried some rootkit scanners? What do they report?

I have used a lot of rootkit scanners. Half of them have reported nothing and the other half have been too complexed for me to utilise. :sad:

I guess i'm out of luck then.

Also, I tried a different firewall for a while and it reported that when I saved and closed a document that wordpad would attemp to connect to the net, would this indicate a keylogger? :eek:

Also I have found some trojans recently which may or may not be related to the initial problem (I used programas I have laready scanned with) and am now having to constantly reset my router because of disconnections, so i'm going to post another log. Can anyone see anything wrong with this one? Please help me! Cheers.

Logfile of HijackThis v1.99.1
Scan saved at 17:52:00, on 15/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StuffIt Task Manager - Unknown owner - C:\PROGRA~1\Allume\StuffIt\MXTask.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

I have used a lot of rootkit scanners. Half of them have reported nothing and the other half have been too complexed for me to utilise.

I know exactly what you're talking about...:cheesy: But when Blacklight and RootkitRevealer didn't find any discrepancies, this must be one of the "smart" rootkits we are afraid of. But not smart or evil enough to cheat your awareness or the tool you used to check outgoing connections. (Did you use the firewall log? TCPview or alike?) What happened in first place to get your attention? How do you think you were infected?

I guess i'm out of luck then

No, you were out of luck in the moment that thing came in. Then you were lucky enough to be aware of the infection. If this happens to a normal user, it could remain undetected forever. But of course, if you thought you can get rid of that stuff - I wouldn't even try.

Also, I tried a different firewall for a while and it reported that when I saved and closed a document that wordpad would attemp to connect to the net, would this indicate a keylogger?

I'm not totally sure about Wordpad (not installed) - but I'd say that this is extremely fishy. And I wouldn't use a high quality rootkit to hide lame malware without all bells and whistles. BTW what are the IP addresses the connections go to? Did you "whois" them? If formerly harmless programs start phoning somebody, doesn't that mean this malware is a real virus, infecting files like in the old days? I read about something like "the return of the virus" in the past few weeks. Have you tried to upload some of the suspect files to http://virusscan.jotti.org/ or another online scanner?

(Checking your log soon, BRB)

Your log looks clean again, just as expected...

Sygate picked up the outbound connection attempts from my F@H core.

Strangely Azureus only ever gave 1 outbound connection attempt, which I find odd for a bittorrent client and when I noticed it had switched to the EVIL one, if I denied it the program would stall in it's "update procedure".

I guess sygate is just pretty smart, it works well even without advanced rules being set and still isn't intrusive. I also always block nt kernel and system, LSA shell, application layer gateway service and generic host process for win 32 services without any problems.

The IP is a multicast address, which I know bot's use to limit bandwidth consumption in the hopes of being harder to detect. It kind of backfired this time, although it still has me beat. :mad: 224.0.0.22 is always the address.

I have tried using several online virus scanners (including the one you mentioned and virus total) and several others in safe mode and before windows is booted. They all failed me unfortunately.

Looks like reformatting time! YAY:rolleyes:
Anyhow thanks for the replies, it's appreciated.
Bye.

Just wait a bit with reformatting...

I quote from this URL I found: http://forums.spywareinfo.com/lofiversion/index.php/t43918.html

There is nothing to be scared of about these "*.mcast.net" addresses. By doing a little research(googling), it turnes out to be something called "Multicast Addresses", and if I have understood any of the descriptions found, it's beeing used by the system internally on the LAN for discovering useable services on the LAN.

I'm confused... googling for 224.0.0.22, I can't find clear statements on that. Maybe you are not infected at all? I found some more guys that have various applications trying to connect this address. But I noticed that they all use the Sygate Firewall.

(from http://www.antionline.com/history/topic.php/264337-1.html)

PS: Recently I was at my friend. He is using the Sygate too. After his comp booted I saw the Sygate asked to allow PAINT.exe to connect to the 224.0.0.22.!!!!!!!!

Here's another statement:
http://www.techimo.com/forum/archive/index.php/t-5602.html

This is can be caused by your machine advertsing to the router on the segment that you are on that it wants to join a multicast group.
It's basically used by IP hosts to report their multicast group membership to an adjacent router.
laymans terms, your machine says "hey, I'm a member of this multicast group, even though I can also see another router"

It could be triggered by a topology change in the network upstream from you, or when the router closest to where you are connected updates it's routing tables and sends out a request to see who all can see it after the change. I don't think it's anything to worry about.

One guy reported that this started when he installed Google Talk and he stopped it by deinstalling GT. I have no idea how this gets together with the statements above. Unfortunately I'm a normal dumb user, unable to understand RFCs... but maybe there is actually no infection but a sort of configuration that causes your worries? Do you actually use a router?

Putting your HDD into another machine and scan it from there would be another way to detect malware, since a rootkit should be inactive. But this is basically what online scanners do, too. (Tomorrows rootkits won't be that dumb anymore - a new one has already been developed, which can't be detected from another system scanning.)

I wish I could help you better... I will do some more Google search, maybe I find something useful.

After some more Google search I'm pretty sure that connecting 224.0.0.22 is not a sign of an infection. It seems that the Sygate firewall confuses lots of users with a false alert. I found a lot of similar problems with programs that (allegedly) connect the internet, they all were using Sygate. Network pros made jokes on that (not very helpful). Maybe I'm wrong but all software capable of "serving" more than one user at a time could try to establish such a connection. That's why Wordpad and other programs trigger the alarm in the Sygate firewall. Other firewalls (exception: Outpost firewall) simply ignore this "internal" traffic. It seems that you don't have to use a router to have this IGMP stuff sent.

Strangely Azureus only ever gave 1 outbound connection attempt, which I find odd for a bittorrent client and when I noticed it had switched to the EVIL one, if I denied it the program would stall in it's "update procedure".

Many Azureus users report trouble with that function and a friend of mine never got that working. Whenever he allows Azureus to update, it won't work and Azureus needs to be reinstalled.

Well thanks for searching.
I don't get programs trying to connect to that address very much any more.
I forgot that I had disabled upnp on my system (because it's a vulnerability) Azureus needs this to function properly because I was too lazy to port forward. After reenabling it I don't get the messages very often.