Removing a rootkit

Helsionium (Volunteer tester, Austria) · Joined: 24 Dec 06 · Posts: 156 · Credit: 86,214,817 · RAC: 43
Message 757387 - Posted: 23 May 2008, 19:07:15 UTC

Hello,

I've got an annoying problem - my computer apparently got infected with a rootkit/trojan and it immediately took control over critical parts of the OS (in particular, it installed a virtual device/driver that obstinately blocks any attempts at removing it). My antivirus software, which I am generally very happy with, could not prevent this and got corrupted itself. I can't reinstall it either; installation always fails. Other antivirus software doesn't detect it, either.

However, I eventually succeeded in disabling the main process manually by denying access to all its files, so it is no longer a real threat to my system.
However, I'd like to be able to reinstall my antivirus software, but for this I'd have to fully remove the rootkit first...

Does anyone have experience in dealing with these nasty things? Maybe some tools that may actually work?

Your help is much appreciated. Thank you in advance,
David

ID: 757387

zoom3+1=4 (Volunteer tester, United States) · Joined: 30 Nov 03 · Posts: 65769 · Credit: 55,293,173 · RAC: 49
Message 757389 - Posted: 23 May 2008, 19:14:09 UTC - in response to Message 757387.

Hello,

I've got an annoying problem - my computer apparently got infected with a rootkit/trojan and it immediately took control over critical parts of the OS (in particular, it installed a virtual device/driver that obstinately blocks any attempts at removing it). My antivirus software, which I am generally very happy with, could not prevent this and got corrupted itself. I can't reinstall it either; installation always fails. Other antivirus software doesn't detect it, either.

However, I eventually succeeded in disabling the main process manually by denying access to all its files, so it is no longer a real threat to my system.
However, I'd like to be able to reinstall my antivirus software, but for this I'd have to fully remove the rootkit first...

Does anyone have experience in dealing with these nasty things? Maybe some tools that may actually work?

Your help is much appreciated. Thank you in advance,
David

Try this website and do some reading first before doing any posting asking for help there. There are some real experts there. Pay attention to what Calamity Jane says, of course.
The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's
ID: 757389

Helsionium (Volunteer tester, Austria) · Joined: 24 Dec 06 · Posts: 156 · Credit: 86,214,817 · RAC: 43
Message 757426 - Posted: 23 May 2008, 20:29:13 UTC

Thank you.
This forum appears to be very competent on the subject.

The rootkit/trojan prevents any of the proposed security software from working, but the users of that forum seem to still be able to help me.

ID: 757426

Keith T. (Volunteer tester, United Kingdom) · Joined: 23 Aug 99 · Posts: 962 · Credit: 537,293 · RAC: 9
Message 757427 - Posted: 23 May 2008, 20:29:31 UTC

I found this page, Task Manager Has Been Disabled By Your Administrator very useful recently when I got infected by a trojan.
Sir Arthur C Clarke 1917-2008
ID: 757427

ML1 (Volunteer moderator, Volunteer tester, United Kingdom) · Joined: 25 Nov 01 · Posts: 20337 · Credit: 7,508,002 · RAC: 20
Message 757464 - Posted: 23 May 2008, 21:37:53 UTC - in response to Message 757387.
Last modified: 23 May 2008, 21:40:04 UTC

... However, I eventually succeeded in disabling the main process manually by denying access to all its files, so it is no longer a real threat to my system.
However, I'd like to be able to reinstall my antivirus software, but for this I'd have to fully remove the rootkit first...

"rootkit"? Is that an "uber-virus" for MS-windows systems?

Does anyone have experience in dealing with these nasty things? Maybe some tools that may actually work?

Boot with a Linux LiveCD and directly delete the offending 'locked' files. Also copy the previous copies of the registry files back into place. Then reboot into Windows "Safe Mode" to finish off tidying up the mess.

Or use your Windows CD to reinstall or check the OS files?

Take a backup before trying any 'fixes'. Or have you already got a backup copy? Compare what files have changed?

Your help is much appreciated. Thank you in advance,

But how did you get 'infected' in the first place?

Good luck,
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 757464

Jeffrey · Joined: 21 Nov 03 · Posts: 4793 · Credit: 26,029 · RAC: 0
Message 757565 - Posted: 24 May 2008, 0:54:19 UTC - in response to Message 757464.

"rootkit"? Is that an "uber-virus" for MS-windows systems?

Actually, UNIX is more susceptible to 'rootkits' than Windows is... IMO... ;)

(I second the linux live cd approach.)
It may not be 1984 but George Orwell sure did see the future . . .
ID: 757565

zoom3+1=4 (Volunteer tester, United States) · Joined: 30 Nov 03 · Posts: 65769 · Credit: 55,293,173 · RAC: 49
Message 757625 - Posted: 24 May 2008, 3:50:28 UTC - in response to Message 757565.

"rootkit"? Is that an "uber-virus" for MS-windows systems?

Actually, UNIX is more susceptible to 'rootkits' than Windows is... IMO... ;)

(I second the linux live cd approach.)

Some linux users may be in de river nile w/de crocodiles. ;) Yeah, the live CD does seem like a logical idea. What could be written to affect one OS couldn't affect a different OS.
The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's
ID: 757625

Helsionium (Volunteer tester, Austria) · Joined: 24 Dec 06 · Posts: 156 · Credit: 86,214,817 · RAC: 43
Message 757638 - Posted: 24 May 2008, 4:31:01 UTC

Well, I don't even know where those hidden files actually are. They are REALLY hidden. Besides, I don't think a Live CD would be of much use, since I use full-disk encryption on all my drives.

ID: 757638

ML1 (Volunteer moderator, Volunteer tester, United Kingdom) · Joined: 25 Nov 01 · Posts: 20337 · Credit: 7,508,002 · RAC: 20
Message 757709 - Posted: 24 May 2008, 8:55:16 UTC - in response to Message 757565.

"rootkit"? Is that an "uber-virus" for MS-windows systems?

Actually, UNIX is more susceptible to 'rootkits' than Windows is... IMO... ;)

I think that needs 'explaining' in that 'rootkit' usually describes someone/something breaking into a *nix root. Windows is not *nix :-p

Just one of the latest never-ending 'giggles':

last man standing

... so is that all down to 'obscurity' or real security?

(Note that most of the Windows 'security' appears to rely on obfuscation and obscurity...)

Happy crunchin',
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 757709

ML1 (Volunteer moderator, Volunteer tester, United Kingdom) · Joined: 25 Nov 01 · Posts: 20337 · Credit: 7,508,002 · RAC: 20
Message 757711 - Posted: 24 May 2008, 9:00:17 UTC - in response to Message 757638.

Well, I don't even know where those hidden files actually are. They are REALLY hidden. Besides, I don't think a Live CD would be of much use, since I use full-disk encryption on all my drives.

I'd say that is fine for your personal data. Doing that for the OS itself is too dangerous for shooting yourself in-da-foot.

This is where using a standard format would be 'helpful'.

Errr... Can you get far enough to back up your data and try the other 'standard' of the Microsoft Reformat-Reinstall-Reboot?

Or will the MS 'Rescue mode' from CD get you far enough to do something?


Good luck,
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 757711

Helsionium (Volunteer tester, Austria) · Joined: 24 Dec 06 · Posts: 156 · Credit: 86,214,817 · RAC: 43
Message 757737 - Posted: 24 May 2008, 10:53:44 UTC

Real security can only be accomplished by encrypting ALL data, including the operating system. I even gave up my Windows/Linux dual boot environment to gain this level of security (currently, the software I use supports only MS operating systems).

Unless the MBR itself is damaged, any damage to the operating system is not more severe than it would be without the encryption (the boot loader includes an option for decrypting the whole partition so I can use e.g. MS recovery tools).

However, I was able to completely remove the rootkit/trojan without reinstalling Windows, thanks to bcastner, a very competent guy on the forums JokerCPoC guided me to, and some obscure-looking tools he told me to use.

BTW, while rootkits and their name originate from Unix-like operating systems, that term has in the meantime come to mean any kind of software that tries to gain access to superuser rights (or even more, like in my case).

ID: 757737

Mumps [MM] (Volunteer tester, United States) · Joined: 11 Feb 08 · Posts: 4454 · Credit: 100,893,853 · RAC: 30
Message 757772 - Posted: 24 May 2008, 12:55:02 UTC - in response to Message 757737.

However, I was able to completely remove the rootkit/trojan without reinstalling Windows, thanks to bcastner, a very competent guy on the forums JokerCPoC guided me to, and some obscure-looking tools he told me to use.

So I see your thread. That was one hellacious set of instructions to fix it. Did it require all the steps he listed? I see you haven't responded to him yet with what he requested. I'd actually like to see some of the output he requested as well. Just morbidly curious... :-)

Glad to hear you got it fixed at least.
ID: 757772

Michael (Volunteer tester, United States) · Joined: 21 Aug 99 · Posts: 4608 · Credit: 7,427,891 · RAC: 18
Message 757782 - Posted: 24 May 2008, 13:57:04 UTC - in response to Message 757625.

"rootkit"? Is that an "uber-virus" for MS-windows systems?

Actually, UNIX is more susceptible to 'rootkits' than Windows is... IMO... ;)

(I second the linux live cd approach.)

Some linux users may be in de river nile w/de crocodiles. ;) Yeah, the live CD does seem like a logical idea. What could be written to affect one OS couldn't affect a different OS.


If you get rooted in *nix it's your own fault... because rooting in *nix is 100% preventable if you understand how to properly harden the OS.

You cannot say the same for Windows.

ID: 757782

Michael (Volunteer tester, United States) · Joined: 21 Aug 99 · Posts: 4608 · Credit: 7,427,891 · RAC: 18
Message 757783 - Posted: 24 May 2008, 13:59:49 UTC - in response to Message 757737.

Real security can only be accomplished by encrypting ALL data, including the operating system. I even gave up my Windows/Linux dual boot environment to gain this level of security (currently, the software I use supports only MS operating systems).

Unless the MBR itself is damaged, any damage to the operating system is not more severe than it would be without the encryption (the boot loader includes an option for decrypting the whole partition so I can use e.g. MS recovery tools).

However, I was able to completely remove the rootkit/trojan without reinstalling Windows, thanks to bcastner, a very competent guy on the forums JokerCPoC guided me to, and some obscure-looking tools he told me to use.

BTW, while rootkits and their name originate from Unix-like operating systems, that term has in the meantime come to mean any kind of software that tries to gain access to superuser rights (or even more, like in my case).


My personal opinion (which means nothing at the end of the day) is that if you get rooted on a box, it's done. Slick the drive and start over with a fresh install of the OS, because can you say with 100% certainty that you contained it 100%? What else is left lurking around that you haven't found yet? If your anti-virus software missed this one, what else has it missed that you are not aware of? There are other trojans/rootkits out there that hide themselves even from the task manager...

ID: 757783

ML1 (Volunteer moderator, Volunteer tester, United Kingdom) · Joined: 25 Nov 01 · Posts: 20337 · Credit: 7,508,002 · RAC: 20
Message 757792 - Posted: 24 May 2008, 15:02:04 UTC - in response to Message 757783.

... What else is left lurking around that you haven't found yet? If your anti-virus software missed this one, what else has it missed that you are not aware of? There are other trojans/rootkits out there that hide themselves even from the task manager...

Note that the Task Manager itself may have been replaced by another (mal)version of the Task Manager that then dutifully lists all processes except whatever malware...

Or have you done a bit-for-bit comparison between what you think is installed and what is actually there?


Aside: Encrypting the HDD may cause a thief that physically steals the disk to then give up. You still get no protection against online infiltration...

Good luck,
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 757792
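Martin's "bit-for-bit comparison between what you think is installed and what is actually there", and his earlier suggestion to compare what files have changed against a backup, as an added example that is not from this thread: a small Python script that hashes a known-good tree and the live tree and reports what was modified, removed or added. It assumes both trees are mounted read-only from a clean boot environment such as the Live CD he mentions, because a hashing tool run on the infected OS itself can be shown a filtered view of the disk; the file names and contents in the sample are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline, current):
    """Report files whose hash changed, files gone from the live copy, and files that appeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed sample: a tiny 'system32' tree before and after tampering (not real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "backup"   # stands in for the pre-infection backup
        live = Path(tmp) / "live"      # stands in for the disk as it is now
        for root in (clean, live):
            (root / "system32").mkdir(parents=True)
            (root / "system32" / "taskmgr.exe").write_bytes(b"genuine task manager")
            (root / "system32" / "ntoskrnl.exe").write_bytes(b"kernel image, unchanged")
        (clean / "system32" / "config").mkdir()
        (clean / "system32" / "config" / "SYSTEM").write_bytes(b"registry hive, pre-infection")
        # Tampering in the live copy: swapped Task Manager, new driver, registry hive gone
        (live / "system32" / "taskmgr.exe").write_bytes(b"replaced task manager")
        (live / "system32" / "drivers").mkdir()
        (live / "system32" / "drivers" / "hidden.sys").write_bytes(b"unknown driver")
        return compare_manifests(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A file that hashes identically in both trees is left out of the report, which is what makes a swapped-in Task Manager stand out even when its size and name are unchanged.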
Michael (Volunteer tester, United States) · Joined: 21 Aug 99 · Posts: 4608 · Credit: 7,427,891 · RAC: 18
Message 757793 - Posted: 24 May 2008, 15:10:10 UTC - in response to Message 757792.

Aside: Encrypting the HDD may cause a thief that physically steals the disk to then give up. You still get no protection against online infiltration...

Good luck,
Martin


Agree.

ID: 757793

zoom3+1=4 (Volunteer tester, United States) · Joined: 30 Nov 03 · Posts: 65769 · Credit: 55,293,173 · RAC: 49
Message 757806 - Posted: 24 May 2008, 15:57:40 UTC - in response to Message 757793.
Last modified: 24 May 2008, 16:00:34 UTC

Aside: Encrypting the HDD may cause a thief that physically steals the disk to then give up. You still get no protection against online infiltration...

Good luck,
Martin


Agree.

And that's why I don't encrypt the HDD here, as it isn't worth doing.
The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's
ID: 757806

Helsionium (Volunteer tester, Austria) · Joined: 24 Dec 06 · Posts: 156 · Credit: 86,214,817 · RAC: 43
Message 757819 - Posted: 24 May 2008, 17:32:04 UTC
Last modified: 24 May 2008, 17:33:41 UTC

I am only worried about unauthorized hardware access. Encryption of the whole system - when it's reasonably safe - prevents any such access.

But this thread's not about encryption, it's about that stupid trojan/rootkit that infected my computer. I finally got to uploading the logs and hopefully they will be analyzed soon. I don't feel comfortable giving away so much information about my computer (these logs contain VERY much and, after all, my computer is my primary production system and contains some confidential material as well), but it's for the security of my computer and network...

Oh, and you're absolutely right that there is no way to tell if the rootkit has really been removed. But reinstalling Windows is absolutely no option now, and I really trust that competent guy and his tools.
Even if I can't tell whether the rootkit is really gone, at least all negative side-effects are gone.

ID: 757819

zoom3+1=4 (Volunteer tester, United States) · Joined: 30 Nov 03 · Posts: 65769 · Credit: 55,293,173 · RAC: 49
Message 757827 - Posted: 24 May 2008, 17:48:25 UTC - in response to Message 757819.

I am only worried about unauthorized hardware access. Encryption of the whole system - when it's reasonably safe - prevents any such access.

But this thread's not about encryption, it's about that stupid trojan/rootkit that infected my computer. I finally got to uploading the logs and hopefully they will be analyzed soon. I don't feel comfortable giving away so much information about my computer (these logs contain VERY much and, after all, my computer is my primary production system and contains some confidential material as well), but it's for the security of my computer and network...

Oh, and you're absolutely right that there is no way to tell if the rootkit has really been removed. But reinstalling Windows is absolutely no option now, and I really trust that competent guy and his tools.
Even if I can't tell whether the rootkit is really gone, at least all negative side-effects are gone.

Possibly only time will tell if the deed is done.
The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's
ID: 757827

Paul D Harris (Volunteer tester, United States) · Joined: 1 Dec 99 · Posts: 1122 · Credit: 33,600,005 · RAC: 0
Message 757907 - Posted: 24 May 2008, 20:03:41 UTC

Back up your data and reload Windows. I do this on a monthly basis; it keeps my system up and running and gets rid of all the trash that I picked up. And install only as needed at the moment.
ID: 757907