Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Challenging Rootkit


  • Please log in to reply

#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Just download the file. There is no need to create floppies are do anything else on the MS site. When you drag the file over to Combofix (which should be on the desktop and not in a folder) and let go, Combofix will work some magic to install the Recovery Console.
  • 0

Advertisements


#32
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
OK, will do.

Say, a couple of interesting things just happened while I was waiting.

I was running the unhide, and I noticed that the shortcut icons were all back to the state they should be, showing the correct pictures. Not sure when that happened, but it was recent, maybe even the unhide itself.

After the unhide ran I looked and didn't see any mystery drives shown. (Just "C", and a documents folder.)

So I rebooted to see what would happen. It shut down very quickly, much more so than normal. (Which is good, I have felt for a while that it was taking a long time to shut down which makes me suspicious.) Then when it started up again, it took forever, as it has since I got this thing. I clicked on "my computer" and it just hung for a while. (That flashlight shining back and forth endlessly.) When the machine finally fully booted, there was no change, couldn't see any mystery drives. BUT...

The icons have reverted to non-pictures again. (Except the ones I had fixed by hand.)

Also, and more curiously, when it first started up it said the firewall was install when I clicked on the security thingy in the lower right. Then it changed to "off" all my itself, and the little nag balloon popped up and had changed to a warning about no AV- and no firewall. Hmmmm.

Anyways, I'll work on the restore console.
  • 0

#33
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
It wouldn't let me put Combofix on the desktop, because there is an older version already there- the one I "don;t have permission" to access. So....

I thought about it about it a bit- and then renamed Combofix to a random name, and it let me put that on the desktop. I dropped the Microsoft file you had me download into that, and it seems to be working. (Had me say "yes" to an end user agreement, seems to be installing ...

Now it says congratulations, recovery console installed. Let's see if I can reboot and get into it....
  • 0

#34
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
We are hosting a party today from about 1PM until 6 so may not get back to the computer much more today. Let me give you some other scans to do:

Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


We Need to check for Rootkits with RootRepeal

[*]Extract RootRepeal.exe from the archive.
Right click on rootrepeal.zip and Extract All. Then move to the folder it created and find rootrepeal.exe and run it.
[*]Open Posted Image on your desktop.
[*]Click the Posted Image tab.
[*]Click the Posted Image button.
[*]Check all seven boxes: Posted Image
[*]Push Ok
[*]Check the box for your main system drive (Usually C:), and press Ok.
[*]Allow RootRepeal to run a scan of your system. This may take some time.
[*]Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
[/list]
Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks





Fix :


Now for the fix. Close all windows and disconnect from the Internet. Run IceSword.exe. Do not restart your PC until the very end to ensure the fix works


Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

PLACE FILES HERE


Step 2 : Click the Win32 Services tab. Since the rooted processes are already terminated, the rootkit service will be stopped automatically. The service will not be hidden now and so it will not be displayed in red color. Since the service name was already noted down in Step 2, there will not be problem in finding it on the list. Now, right-click on this service and choose "Disabled" to permanently disable this service.

PLACE FILES HERE


Step 3 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them.

PLACE FILES HERE


Step 4 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.

PLACE FILES HERE



Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" functions, taking note of any red entries from them and from the SSDT tab.

Ron
  • 0

#35
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
I got into recovery console- and get this...!


It asked me *which* Windows installation I would like to log onto:

1: C\Windows
2: E\Windows


wow! "E:Windows". Invasion of the Bodysnatchers, or what? Now I think if I go look in the kitchen- there is a guy who looks just like me going through the fridge. Only he's not me- he's an impostor.
  • 0

#36
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
"We are hosting a party today from about 1PM until 6 so may not get back to the computer much more today. "


Dang. That's unfortunate, (not for you but for me), because...


"Let me give you some other scans to do:"

Running all these scans are all well and good and everything- but if there is a hidden drive- they won't know to do anything with it and it's all for nothing, right?
  • 0

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
E:\ is probably your USB drive. See if it still sees E:\ with the USB drive out.
  • 0

#38
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Oh.

Let me see. (I'll be embarrassed if it is. :-)
  • 0

#39
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Still does it! Even with the flash drive removed, restart, log into recovery console- it asks me WHICH Windows I want to log into.
  • 0

#40
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Sounds like map may not do all it promised. There is another command diskpart. If you just type that in Recovery Console it should show also you what partitions you have. If not, once you type diskpart and hit Enter you can then type:
list partition
and it should show you details.

Instructions: http://support.micro...kb/300415/en-us
  • 0

Advertisements


#41
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
No, no. I never typed "map". Just entering into recovery console, it asks me which windows installation I want.
  • 0

#42
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
"If you just type that in Recovery Console it should show also you what partitions you have. If not, once you type diskpart and hit Enter you can then type:
list partition
and it should show you details."


I'll give that a try.
  • 0

#43
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Aha!

I can't type anything- other than choose which Windows.

When I get into recovery console, it says which Windows installation to log onto, and the answer must be a single character. It wants me to chose "1" for "C\Windows", or "2" for "E\Windows".
  • 0

#44
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Here is a photo of my desktop when I log into recovery console, showing the choice it gives me- WHICH Windows do I want.

Posted Image


I think this illustrates the essence of this virus. If you Google this, you will find all these "help me" pages, where people are trying to get rid of the Zeroaccess virus, (aka "Max++ virus"), all looking in the wrong place.

How is someone going to get rid of a virus installed on a hidden partition, such as "Drive E", but running logs showing all the other drives except the hidden one?
  • 0

#45
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Well then tell it 1 and see if it lets you do map and diskpart.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP