BleepingComputer.com: Help removing rootkit

Help removing rootkit: I have a rootkit that persisted after Windows reinstall

#1 zamolx3 (Group: Members; Posts: 3; Joined: 22-June 09)

Posted 22 June 2009 - 05:41 AM

Hi guys,

It's my first time on this forum, so I'm sorry if I'm posting in the wrong forum.
I'm a programmer, so I know a few things about computers, but recently I've encountered a problem that I've never seen before (and don't know how to solve).

My friend's laptop has been infected with a rootkit that is pretty hard to remove.
First, the symptoms:
- Registry editing and Task Manager are disabled (if I re-enable these functions with a .reg file they are overwritten automatically within seconds).
- USB drives are automatically infected with autorun.inf files (that will run a .pif file).
- I cannot boot into safe mode (the computer restarts automatically during boot)
- unhackme (http://greatis.com/unhackme/) finds a rootkit (a random name sys file). I cannot remove it with unhackme (it keeps coming back after reboot).
- gmer (http://www.gmer.net/) will BSOD during scan (so I cannot use it).

I didn't want to waste time on this and I formatted (NTFS quick) the C: drive. The laptop has two partitions (D: is used only for data).
So, I've formatted the C: drive and cleaned all the USB sticks (removed autorun.inf) on a Mac computer.

However, the rootkit reappeared instantly after C: format and Windows reinstallation. I have no idea how it persisted because C: was formatted.
Any ideas on what to try next?

Thanks in advance for help,
zmx
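The autorun.inf symptom above is worth a closer look, because it is also a reinfection path: on Windows XP, when a drive carrying an autorun.inf is opened in Explorer, the open, shellexecute and shell\<verb>\command entries run, so a freshly installed C: can be reinfected from an untouched data partition or a USB stick that is opened before the autorun file is gone. The Python below is an added example and not code from the thread or from any tool named in it. It parses an autorun.inf the way the XP-era AutoPlay logic read it (case-insensitive, ignoring NUL padding and junk outside the [autorun] section, both common in worm-written files) and reports which programs the file would launch. The two autorun.inf samples embedded in it are constructed for the example; the file name system.pif is made up and merely mirrors the .pif in the thread.

```python
"""Offline autorun.inf triage: parse the file the way Windows XP AutoPlay read it
and report which programs it would launch, so a drive can be checked from a
clean machine (as the poster did on a Mac) before it is ever opened on Windows."""
import os
import re

# Directives that run code when the drive is inserted or double-clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
# Extensions Windows executes directly; .pif is the one named in the thread.
EXEC_EXTENSIONS = (".pif", ".exe", ".com", ".scr", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


def parse_autorun(text):
    r"""Return the launch-relevant entries of the [autorun] section as {key: value}.

    Section and key names are matched case-insensitively.  NUL padding and junk
    lines outside the section (both used by autorun worms to confuse naive
    scanners) are skipped.  Collected keys: open, shellexecute, shell (selects
    the default verb) and shell\<verb>\command.
    """
    entries = {}
    in_autorun = False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or key == "shell" \
                or re.fullmatch(r"shell\\[^\\]+\\command", key):
            entries[key] = value.strip()
    return entries


def launched_programs(entries):
    r"""Map each directive to the program it runs (first token, quotes stripped).
    'shell=<verb>' is resolved through the matching shell\<verb>\command key."""
    programs = {}
    for key, value in entries.items():
        if key == "shell":
            value = entries.get("shell\\%s\\command" % value.strip().lower())
            if value is None:
                continue
        m = re.match(r'"([^"]+)"|(\S+)', value)
        if m:
            programs[key] = (m.group(1) or m.group(2)).lower()
    return programs


def is_suspicious(text):
    """True when the autorun.inf would execute a program from the drive itself."""
    programs = launched_programs(parse_autorun(text))
    return any(p.endswith(EXEC_EXTENSIONS) for p in programs.values())


def scan_drive_root(root):
    """Check <root>/autorun.inf on a mounted drive: (present, suspicious, programs)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return (False, False, {})
    with open(path, "rb") as fh:      # bytes: worm-written files are often not clean text
        text = fh.read().decode("latin-1")
    return (True, is_suspicious(text), launched_programs(parse_autorun(text)))


# Constructed samples (not files from the thread): a worm-style autorun.inf that
# disguises the drive as a plain folder, and a benign vendor one.
WORM_SAMPLE = (
    "\x00\x00;padding\n"
    "[AutoRun]\n"
    "open=system.pif\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "action=Open folder to view files\n"
    "shell\\open=Open\n"
    "shell\\open\\Command=system.pif\n"
    "shell\\explore\\command=system.pif\n"
    "shell=open\n"
)
CLEAN_SAMPLE = "[autorun]\nicon=vendor.ico\nlabel=Backup Disk\n"

if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, is_suspicious(sample), launched_programs(parse_autorun(sample)))
```

Call scan_drive_root on each mounted volume root from the clean machine. Deleting autorun.inf alone leaves the .pif it points to on the drive; the returned programs dict names that file so it can be removed as well, and the same check can be run against the data partition before it is reattached to a reinstalled system.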

#2 harrythook (Group: Malware Response Team; Posts: 4,151; Joined: 16-May 07; Gender: Male; Location: Philadelphia)

Posted 22 June 2009 - 08:31 AM

Couple of questions.
How did you reinstall? From an OS disk or from an image.
Did you scan the D partition? Could it be hiding in there?

There is a good possibility that this will be moved over to another forum on the site, where it can be looked at more in depth.
Veni Vidi Vici
THE FIGHT AGAINST MALWARE

#3 zamolx3 (Group: Members; Posts: 3; Joined: 22-June 09)

Posted 22 June 2009 - 11:08 AM

I reinstalled from the Windows OS disk. The install is not compromised.
I've used the same CD for reinstalling 3 other machines (the whole network was compromised) and I get this behavior only on this machine. The other machines are fine.

I've scanned the D partition and didn't find anything on there, but this could be irrelevant if the rootkit is running (because it could be hiding its files). Maybe D: had autorun enabled and when I reinstalled Windows and accessed the D: drive, the rootkit came back.

I have the idea to boot from a bootable CD and scan from there (like Winternals ERD Commander).

Since I posted this help message, I've been reading a lot of threads from here and testing some of the tools mentioned here (like mbam) and I think I'm getting close to removing this rootkit.

Will try a reinstall later today and post here if the rootkit still persists. Unfortunately, I didn't save a copy of the rootkit, so if I remove it, I will never know what it does. I scanned it on VirusTotal but it was only detected by 4 AVs and only using heuristics (so it's a new one).

p.s. found a log from unhackme

Partizan 1.4 started.
Day: 21. Month:6.2009 Time (GMT +0):19:6:33
Windows Version:5.1 Build:2600
Partizan driver is active.

Opening command file: SUCCESS.

Safe deleting file:

\??\C:\WINDOWS\SYSTEM32\DRIVERS\QHRLJ.SYS


so, the rootkit was placed in SYSTEM32\DRIVERS.

This post has been edited by zamolx3: 22 June 2009 - 11:16 AM


#4 harrythook (Group: Malware Response Team; Posts: 4,151; Joined: 16-May 07; Gender: Male; Location: Philadelphia)

Posted 22 June 2009 - 11:52 AM

If it's still on the machine you can upload it here so I can take a peek at it. You can submit the file by following this link:
http://www.bleepingcomputer.com/submit-malware.php
In the comments mention that I asked for the file to be uploaded.

Let me know how you make out.
Harry

#5 zamolx3 (Group: Members; Posts: 3; Joined: 22-June 09)

Posted 22 June 2009 - 01:03 PM

Hi Harry,

I've just finished the second reinstall and now the rootkit is completely gone. Unfortunately, I didn't save a sample.
Sorry about that. I just wanted to get rid of the damn thing as soon as possible :flowers: Thanks for your replies.
You can close this thread, my problem is solved.

p.s. Just wanted to say that you guys are doing a great job, helping people for free. Keep up the good work! :thumbsup:

This post has been edited by zamolx3: 22 June 2009 - 01:13 PM


#6 harrythook (Group: Malware Response Team; Posts: 4,151; Joined: 16-May 07; Gender: Male; Location: Philadelphia)

Posted 23 June 2009 - 06:01 AM

Thanks :thumbsup:
