Bleeping Computer forums
Post #1, Jun 22 2009, 05:41 AM. New Member; Group: Members; Posts: 3; Joined: 22-June 09; Member No.: 344,340
It's my first time on this forum, so I'm sorry if I'm posting on the wrong forum. I'm a programmer, so I know a few things about computers, but recently I've encountered a problem that I've never seen before (and don't know how to solve). My friend's laptop has been infected with a rootkit that is pretty hard to remove. First, the symptoms:

- Registry editing and Task Manager are disabled (if I re-enable these functions with a .reg file, they are overwritten automatically within seconds).
- USB drives are automatically infected with autorun.inf files (that will run a .pif file).
- I cannot boot into safe mode (the computer restarts automatically during boot).
- UnHackMe (http://greatis.com/unhackme/) finds a rootkit (a randomly named .sys file). I cannot remove it with UnHackMe (it keeps coming back after reboot).
- GMER (http://www.gmer.net/) BSODs during the scan (so I cannot use it).

I didn't want to waste time on this, so I formatted (NTFS quick) the C: drive. The laptop has two partitions (D: is used only for data). So, I've formatted the C: drive and cleaned all the USB sticks (removed autorun.inf) on a Mac. However, the rootkit reappeared instantly after the C: format and Windows reinstallation. I have no idea how it persisted, because C: was formatted. Any ideas on what to try next?

Thanks in advance for the help,
zmx
Post #2, Jun 22 2009, 08:31 AM. Group: HJT Team; Posts: 4,147; Joined: 16-May 07; From: Philadelphia; Member No.: 131,269
A couple of questions.

How did you reinstall? From an OS disk or from an image? Did you scan the D: partition? Could it be hiding in there?

There is a good possibility that this will be moved over to another forum on the site, where it can be looked at more in depth.
Post #3, Jun 22 2009, 11:08 AM. New Member; Group: Members; Posts: 3; Joined: 22-June 09; Member No.: 344,340
I reinstalled from the Windows OS disk. The install is not compromised.

I've used the same CD for reinstalling 3 other machines (the whole network was compromised) and I get this behaviour only on this machine. The other machines are fine. I've scanned the D: partition and didn't find anything there, but this could be irrelevant if the rootkit is running (because it could be hiding its files). Maybe D: had autorun enabled, and when I reinstalled Windows and accessed the D: drive, the rootkit came back. I have the idea to boot from a bootable CD and scan from there (like Winternals ERD Commander).

Since I posted this help message, I've been reading a lot of threads here and testing some of the tools mentioned here (like MBAM), and I think I'm getting close to removing this rootkit. I will try a reinstall later today and post here if the rootkit still persists. Unfortunately, I didn't save a copy of the rootkit, so if I remove it, I will never know what it does. I scanned it on VirusTotal, but it was only detected by 4 AVs and only using heuristics (so it's a new one).

p.s. I found a log from UnHackMe:

    Partizan 1.4 started.
    Day: 21. Month:6.2009 Time (GMT +0):19:6:33
    Windows Version:5.1 Build:2600
    Partizan driver is active.
    Opening command file: SUCCESS.
    Safe deleting file: \??\C:\WINDOWS\SYSTEM32\DRIVERS\QHRLJ.SYS

So the rootkit was placed in SYSTEM32\DRIVERS.

This post has been edited by zamolx3: Jun 22 2009, 11:16 AM
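Posts #1 and #3 describe the same mechanism from two sides: a worm that drops an autorun.inf launching a .pif on every volume it can write to, and a data partition (D:) that was never wiped and so could re-deliver the dropper the moment the freshly installed Windows opened it. The check a practitioner would want before touching such a disk is to read every volume's autorun.inf and see what it would launch. The script below is an added example for this thread, not code from the posts or from any tool named in them: it parses the [autorun] section by hand (configparser chokes on the junk lines worms pad these files with), flags launch entries that point at executables or that hijack an Explorer verb, and can be pointed at every mounted drive letter. The embedded autorun.inf is constructed for the example, and sample.pif is a placeholder name. Run it from a clean boot medium, as post #3 proposes, so the rootkit's driver is not active and cannot hide the file.

```python
"""Triage autorun.inf files at the root of mounted volumes.

Added example for this thread, not code from the original posts. It reads
each volume's autorun.inf, parses the [autorun] section and reports every
entry that would launch a program, which is how an infected data partition
or USB stick re-delivers the dropper after the system partition is rebuilt.
"""
import os
import re
import string
from pathlib import Path

# Extensions Windows will execute; a .pif target is what the thread describes.
RISKY_EXT = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".wsf"}

# Plain keys that launch a program, plus shell\<verb>\command=... which
# replaces what Explorer runs for a context-menu verb such as open/explore.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\([^\\=]+)\\command$")


def parse_autorun(text):
    """Return {lower-case key: value} for the [autorun] section.

    Hand-rolled rather than configparser: worms pad these files with junk
    and mixed-case or duplicated keys that configparser rejects. The first
    occurrence of a key is kept (assumption: that matches the INI reader
    the shell uses).
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def target_program(command):
    """First token of a command line: 'a b.exe' from '"a b.exe" /q'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious(entries):
    """List (key, program, reasons) for every launch entry worth a look."""
    findings = []
    for key, command in entries.items():
        verb = VERB_COMMAND.match(key)
        if key not in LAUNCH_KEYS and not verb:
            continue
        prog = target_program(command)
        reasons = []
        if Path(prog).suffix.lower() in RISKY_EXT:
            reasons.append("executable target")
        if prog.lower().lstrip("\\").startswith(("recycler", "$recycle.bin", "system volume information")):
            reasons.append("target inside a hidden system folder")
        if verb:
            reasons.append("hijacks Explorer verb '%s'" % verb.group(1))
        if reasons:
            findings.append((key, prog, reasons))
    return findings


def scan_volumes(roots):
    """Map each autorun.inf found at a volume root to its findings."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            text = inf.read_text(encoding="latin-1", errors="replace")
            report[str(inf)] = suspicious(parse_autorun(text))
    return report


# Constructed sample in the style the thread describes (not a real capture);
# 'sample.pif' is a placeholder name.
SAMPLE_INF = """\
[AutoRun]
;jhGFDSqwerT
open=sample.pif
shell\\open\\Command="sample.pif" /s
shell\\explore\\command=sample.pif
shellexecute=sample.pif
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def windows_volume_roots():
    """Every drive letter that is currently mounted (empty on non-Windows)."""
    return [c + ":\\" for c in string.ascii_uppercase if os.path.isdir(c + ":\\")]


if __name__ == "__main__":
    for item in suspicious(parse_autorun(SAMPLE_INF)):
        print("sample:", item)
    for path, findings in scan_volumes(windows_volume_roots()).items():
        print(path, findings or "no launch entries")
```

On the constructed sample every launch entry resolves to the same .pif, and the two shell\<verb>\command lines mean that both double-clicking the drive and choosing Explore would run it, so wiping C: alone leaves the re-infection path intact. An autorun.inf whose only entries are icon= and label= is reported with no findings, which is what a benign vendor file looks like.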
Post #4, Jun 22 2009, 11:52 AM. Group: HJT Team; Posts: 4,147; Joined: 16-May 07; From: Philadelphia; Member No.: 131,269
If it's still on the machine, you can upload it here so I can take a peek at it. You can submit the file by following this link:

http://www.bleepingcomputer.com/submit-malware.php

In the comments, mention that I asked for the file to be uploaded. Let me know how you make out.

Harry
Post #5, Jun 22 2009, 01:03 PM. New Member; Group: Members; Posts: 3; Joined: 22-June 09; Member No.: 344,340
Hi Harry,

I've just finished the second reinstall and now the rootkit is completely gone. Unfortunately, I didn't save a sample. Sorry about that. I just wanted to get rid of the damn thing as soon as possible. You can close this thread; my problem is solved.

p.s. Just wanted to say that you guys are doing a great job, helping people for free. Keep up the good work!

This post has been edited by zamolx3: Jun 22 2009, 01:13 PM
Post #6, Jun 23 2009, 06:01 AM. Group: HJT Team; Posts: 4,147; Joined: 16-May 07; From: Philadelphia; Member No.: 131,269
Thanks