Message boards : Number crunching : Removing a rootkit
Author | Message |
---|---|
Helsionium (Joined: 24 Dec 06, Posts: 156, Credit: 86,214,817, RAC: 43) | Hello, I've got an annoying problem: my computer apparently got infected with a rootkit/trojan, and it immediately took control over critical parts of the OS (in particular, it installed a virtual device/driver that obstinately blocks any attempts at removing it). My antivirus software, which I am generally very happy with, could not prevent this and got corrupted itself. I can't reinstall it either; installation always fails. Other antivirus software doesn't detect it, either. However, I eventually succeeded in disabling the main process manually by denying access to all its files, so it no longer is a real threat to my system. However, I'd like to be able to reinstall my antivirus software, but for this I'd have to fully remove the rootkit first... Does anyone have experience in dealing with these nasty things? Maybe some tools that may actually work? Your help is much appreciated. Thank you in advance, David |
zoom3+1=4 (Joined: 30 Nov 03, Posts: 65769, Credit: 55,293,173, RAC: 49) | Hello, Try this website and do some reading first before doing any posting asking for help there. There are some real experts there. Pay attention to what Calamity Jane says, of course. The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's |
Helsionium (Joined: 24 Dec 06, Posts: 156, Credit: 86,214,817, RAC: 43) | Thank you. This forum appears to be very competent on the subject. The rootkit/trojan prevents any of the proposed security software from working, but the users of that forum seem to still be able to help me. |
Keith T. (Joined: 23 Aug 99, Posts: 962, Credit: 537,293, RAC: 9) | I found this page, *Task Manager Has Been Disabled By Your Administrator*, very useful recently when I got infected by a trojan. Sir Arthur C Clarke 1917-2008 |
ML1 (Joined: 25 Nov 01, Posts: 20337, Credit: 7,508,002, RAC: 20) | *... However, I eventually succeeded in disabling the main process manually by denying access to all its files, so it no longer is a real threat to my system.* "rootkit"? Is that an "uber-virus" for MS-windows systems? *Does anyone have experience in dealing with these nasty things? Maybe some tools that may actually work?* Boot with a Linux LiveCD and directly delete the offending 'locked' files. Also copy into place the previous copies of the registry files. Then reboot into Windows "Safe Mode" to finish off tidying up the mess. Or use your Windows CD to reinstall or check the OS files? Take a backup before trying any 'fixes'. Or have you already got a backup copy? Compare what files have changed? *Your help is much appreciated. Thank you in advance,* But how did you get 'infected' in the first place? Good luck, Martin See new freedom: Mageia Linux Take a look for yourself: Linux Format The Future is what We all make IT (GPLv3) |
Jeffrey (Joined: 21 Nov 03, Posts: 4793, Credit: 26,029, RAC: 0) | *"rootkit"? Is that an "uber-virus" for MS-windows systems?* Actually, UNIX is more susceptible to 'rootkits' than Windows is... IMO... ;) (I second the Linux live CD approach.) It may not be 1984 but George Orwell sure did see the future . . . |
zoom3+1=4 (Joined: 30 Nov 03, Posts: 65769, Credit: 55,293,173, RAC: 49) | *"rootkit"? Is that an "uber-virus" for MS-windows systems?* Some Linux users may be in de river nile w/de crocodiles. ;) Yeah, the live CD does seem like a logical idea. What could be written to affect one OS couldn't affect a different OS. The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's |
Helsionium (Joined: 24 Dec 06, Posts: 156, Credit: 86,214,817, RAC: 43) | Well, I don't even know where those hidden files actually are. They are REALLY hidden. Besides, I don't think a Live CD would be of much use, since I use full-disk encryption on all my drives. |
ML1 (Joined: 25 Nov 01, Posts: 20337, Credit: 7,508,002, RAC: 20) | *"rootkit"? Is that an "uber-virus" for MS-windows systems?* I think that needs 'explaining', in that 'rootkit' usually describes someone/something breaking into a *nix root. Windows is not *nix :-p Just one of the latest never-ending 'giggles': last man standing ... so is that all down to 'obscurity' or real security? (Note that most of the Windows 'security' appears to rely on obfuscation and obscurity...) Happy crunchin', Martin See new freedom: Mageia Linux Take a look for yourself: Linux Format The Future is what We all make IT (GPLv3) |
ML1 (Joined: 25 Nov 01, Posts: 20337, Credit: 7,508,002, RAC: 20) | *Well, I don't even know where those hidden files actually are. They are REALLY hidden. Besides, I don't think a Live CD would be of much use, since I use full-disk encryption on all my drives.* I'd say that is fine for your personal data. Doing that for the OS itself is too dangerous for shooting yourself in-da-foot. This is where using a standard format would be 'helpful'. Errr... Can you get far enough to back up your data and try the other 'standard' of the Microsoft Reformat-Reinstall-Reboot? Or will the MS 'Rescue mode' from CD get you far enough to do something? Good luck, Martin See new freedom: Mageia Linux Take a look for yourself: Linux Format The Future is what We all make IT (GPLv3) |
Helsionium (Joined: 24 Dec 06, Posts: 156, Credit: 86,214,817, RAC: 43) | Real security can only be accomplished by encrypting ALL data, including the operating system. I even gave up my Windows/Linux dual boot environment to gain this level of security (currently, the software I use supports only MS operating systems). Unless the MBR itself is damaged, any damage to the operating system is not more severe than it would be without the encryption (the boot loader includes an option for decrypting the whole partition so I can use e.g. MS recovery tools). However, I was able to completely remove the rootkit/trojan without reinstalling Windows, thanks to bcastner, a very competent guy on the forums JokerCPoC guided me to, and some obscure-looking tools he told me to use. BTW, while rootkits and their name originate from Unix-like operating systems, that term has in the meantime come to mean any kind of software that tries to gain access to superuser rights (or even more, like in my case). |
Mumps [MM] (Joined: 11 Feb 08, Posts: 4454, Credit: 100,893,853, RAC: 30) | *However, I was able to completely remove the rootkit/trojan without reinstalling Windows, thanks to bcastner, a very competent guy on the forums JokerCPoC guided me to, and some obscure-looking tools he told me to use.* So I see your thread. That was one hellacious set of instructions to fix it. Did it require all the steps he listed? I see you haven't responded to him yet with what he requested. I'd actually like to see some of the output he requested as well. Just morbidly curious... :-) Glad to hear you got it fixed at least. |
Michael (Joined: 21 Aug 99, Posts: 4608, Credit: 7,427,891, RAC: 18) | *"rootkit"? Is that an "uber-virus" for MS-windows systems?* If you get rooted in *nix it's your own fault... because rooting in *nix is 100% preventable if you understand how to properly harden the OS. You cannot say the same for Windows. |
Michael (Joined: 21 Aug 99, Posts: 4608, Credit: 7,427,891, RAC: 18) | *Real security can only be accomplished by encrypting ALL data, including the operating system. I even gave up my Windows/Linux dual boot environment to gain this level of security (currently, the software I use supports only MS operating systems).* My personal opinion (which means nothing at the end of the day) is that if you get rooted on a box, it's done. Slick the drive and start over with a fresh install of the OS, because can you say with 100% certainty that you contained it 100%? What else is left lurking around that you haven't found yet? If your anti-virus software missed this one, what else has it missed that you are not aware of? There are other trojans/rootkits out there that hide themselves even from the task manager... |
ML1 (Joined: 25 Nov 01, Posts: 20337, Credit: 7,508,002, RAC: 20) | *... What else is left lurking around that you haven't found yet? If your anti-virus software missed this one, what else has it missed that you are not aware of? There are other trojans/rootkits out there that hide themselves even from the task manager...* Note that the Task Manager itself may have been replaced by another (mal)version of the Task Manager that then dutifully lists all processes except whatever malware... Or have you done a bit-for-bit comparison between what you think is installed and what is actually there? Aside: Encrypting the HDD may cause a thief that physically steals the disk to then give up. You still get no protection against online infiltration... Good luck, Martin See new freedom: Mageia Linux Take a look for yourself: Linux Format The Future is what We all make IT (GPLv3) |
Michael (Joined: 21 Aug 99, Posts: 4608, Credit: 7,427,891, RAC: 18) | Agree. |
zoom3+1=4 (Joined: 30 Nov 03, Posts: 65769, Credit: 55,293,173, RAC: 49) | And that's why I don't encrypt the HDD here, as it isn't worth doing. The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's |
Helsionium (Joined: 24 Dec 06, Posts: 156, Credit: 86,214,817, RAC: 43) | I am only worried about unauthorized hardware access. Encryption of the whole system - when it's reasonably safe - prevents any such access. But this thread's not about encryption, it's about that stupid trojan/rootkit that infected my computer. I finally got to uploading the logs and hopefully they will be analyzed soon. I don't feel comfortable giving away so much information about my computer (these logs contain VERY much and, after all, my computer is my primary production system and contains some confidential material as well), but it's for the security of my computer and network... Oh, and you're absolutely right that there is no way to tell if the rootkit has really been removed. But reinstalling Windows is absolutely no option now, and I really trust that competent guy and his tools. Even if I can't tell whether the rootkit is really gone, at least all negative side-effects are gone. |
zoom3+1=4 (Joined: 30 Nov 03, Posts: 65769, Credit: 55,293,173, RAC: 49) | *I am only worried about unauthorized hardware access. Encryption of the whole system - when it's reasonably safe - prevents any such access.* Possibly only time will tell if the deed is done. The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's |
Paul D Harris (Joined: 1 Dec 99, Posts: 1122, Credit: 33,600,005, RAC: 0) | Back up your data and reload Windows. I do it on a monthly basis; it keeps my system up and running and gets rid of all the trash that I picked up. And install only as needed at the moment. |
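
ML1 twice suggests comparing what is on disk with what should be there (boot a LiveCD and "compare what files have changed", and later "a bit-for-bit comparison between what you think is installed and what is actually there"). The Python script below is an added example, not code from the thread or from SETI@home: it hashes a tree taken from known-good media, hashes the live tree, and reports added, removed and modified files. The directory layout, file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large system binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Diff a trusted baseline manifest against the manifest of the live tree."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in common if baseline[n] != current[n]),
    }


def demo() -> dict:
    """Constructed sample: a clean tree, then a swapped binary and a new driver."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "taskmgr.exe").write_bytes(b"genuine task manager")
        (root / "system32" / "kernel32.dll").write_bytes(b"genuine library")
        baseline = build_manifest(root)  # what known-good media says should be there
        # Simulate the tampering the thread describes: a replaced Task Manager
        # and an extra driver file that the infected OS would not show.
        (root / "system32" / "taskmgr.exe").write_bytes(b"replaced task manager")
        (root / "system32" / "drivers").mkdir()
        (root / "system32" / "drivers" / "hidden.sys").write_bytes(b"unexpected driver")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Take both manifests from a clean boot environment against the mounted disk, as ML1's LiveCD suggestion implies; a manifest produced from inside the infected OS can be filtered by the very rootkit it is looking for.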
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.