
regedit & taskmanager disabled by admin/cannot run Spybot


14 replies to this topic

#1 konnector

konnector

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 27 April 2009 - 12:54 PM

Hi guys, I'm a newbie here. I have been having this problem for a while and have searched Google exhaustively for solutions. I've tried numerous things Google has produced, such as running gpedit.msc and then running this ---> REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f, which seemed to work for 3-5 seconds, then reverts again to the message "task manager has been disabled by your administrator". This one's a tough one for me, probably a piece of cake for you guys :thumbsup: . Any help will greatly be appreciated. Thanks.


#2 konnector

konnector
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 27 April 2009 - 01:11 PM

I also have a HijackThis logfile if necessary.

Edited by konnector, 27 April 2009 - 01:12 PM.


#3 Synetech

Synetech

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:05:42 PM

Posted 27 April 2009 - 04:10 PM

The fact that you can get it to work, but then it reverts after a short while, means that something is repeatedly setting it to be disabled. That could either be a piece of security software like the kind that offices may use to enforce policies on company computers, or malware trying to prevent you from controlling your system (i.e., killing the malware).

An easy way to get started with this problem is to run Sysinternals RegMon. Once you run it, set the filters to include *DisableTaskMgr*, and exclude *reg.exe* (include the asterisks). Also make sure that Log Writes is checked.

Now run that command to allow TaskManager. Then wait a while to see what resets the registry entry. RegMon should detect when that value is modified by something other than REG, and you can find out what process is doing it, thus giving you a narrow field of where to start looking.

-- Synetech

#4 konnector

konnector
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 28 April 2009 - 01:44 PM

hi synetech, thanks for helping me out. I downloaded and ran RegMon and set the filters like you mentioned. I also ran the command and this is what I get:


4902 3.72442317 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
6703 8.72429657 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
7950 13.72432423 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
10136 18.72431183 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
11140 23.72448540 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
12126 28.72451019 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
13402 33.72459412 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
14785 38.72472000 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
15870 43.72468185 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
18082 48.72475433 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
19400 53.72479630 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
20486 58.72488785 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
21458 63.72494507 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
22749 68.72502136 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
24033 73.72504425 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
26519 78.72510529 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
27517 83.72518158 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
28561 88.72527313 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
29910 93.72534180 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
31384 98.72537231 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
32486 103.72543335 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
34858 108.72589111 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
36138 113.72555542 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
37368 118.72558594 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
45613 123.72565460 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
46910 128.72575378 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
48060 133.72581482 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50326 138.72584534 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50327 143.72584534 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50328 148.72596741 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50329 153.72604370 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50330 158.72613525 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50331 159.40242004 taskmgr.exe:4028 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr SUCCESS 0x1
50332 163.72625732 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50333 168.72622681 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50334 172.70256042 explorer.exe:1452 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d SUCCESS "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f\1"
50335 172.73251343 explorer.exe:1452 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d SUCCESS "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f\1"
50336 173.72628784 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50337 176.89746094 taskmgr.exe:3744 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr SUCCESS 0x0
50338 178.72640991 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50339 183.72640991 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50340 185.33851624 explorer.exe:1452 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d SUCCESS "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f\1"
50341 186.46075439 taskmgr.exe:2424 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr SUCCESS 0x0
50342 188.72656250 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50343 194.48587036 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50344 199.48646545 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50345 204.48651123 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
50346 291.75006104 explorer.exe:1452 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d SUCCESS "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f\1"
50347 293.00949097 taskmgr.exe:532 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr SUCCESS 0x0
50348 294.48843384 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1

#5 Synetech

Synetech

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:05:42 PM

Posted 28 April 2009 - 02:14 PM

Well there’s your answer. The process Brightness.exe is resetting that to be disabled every five seconds. If you change the include filter to be *brightness* instead, then you will see what else it is doing. I would not be surprised if it is changing other policy settings to disable features as well.

Are you using a Mac? Are you using any Apple software like BootCamp? Other than a control panel item that controls the brightness of the screen (which should not be disabling the TaskManager every five seconds!), the only references I could find to that filename are for malware. You should run either MSCONFIG (built into Windows), or better yet, Sysinternals’ Autoruns and take a look at what is set to run on your system. Don’t change anything else yet, but see if you can find the Brightness entry and disable that by unchecking it; then reboot.

Also, find the executable file Brightness.exe (it doesn’t indicate the path, but I’d bet that it’s in \Windows\System32) and upload that to VirusTotal to see what a bunch of antivirus apps think of it.

-- Synetech
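The RegMon workflow Synetech lays out in #3 (include *DisableTaskMgr*, exclude your own reg.exe, then watch who writes the value) and the reading of the log in #5 (one process re-arming it every five seconds) can be automated over an exported log. The following Python script is an added example written for this page; it is not code from the thread, from Sysinternals, or from either poster. The embedded log lines are constructed to mirror the format konnector pasted (a few Brightness.exe rows, one taskmgr.exe read, and one reg.exe write standing in for the user's own re-enable command); the `ignore` tuple plays the role of RegMon's exclude filter, and the value path suffix is matched case-insensitively because the log itself mixes `Policies\System` and `policies\system`.

```python
"""Find which process keeps re-arming a registry policy value in a RegMon log.

Added example (not from the thread). Parses RegMon-style text lines,
groups SetValue writes to the DisableTaskMgr policy value by image:pid,
and reports how many writes set it to 1 and how regularly they recur.
"""
import re
from collections import defaultdict
from statistics import median

# RegMon text export: seq, seconds, image:pid, operation, path, result, data
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<t>[\d.]+)\s+(?P<image>\S+?):(?P<pid>\d+)\s+"
    r"(?P<op>\w+)\s+(?P<path>\S+)\s+(?P<result>\S+)(?:\s+(?P<data>.*))?$"
)

# Policy value of interest, compared case-insensitively against the path tail.
POLICY_VALUE = r"\policies\system\disabletaskmgr"

# Constructed sample modelled on the posted log (not the real export).
SAMPLE_LOG = r"""4902 3.72442317 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
6703 8.72429657 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
7950 13.72432423 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
8100 15.10000000 reg.exe:2000 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr SUCCESS 0x0
10136 18.72431183 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
10200 19.40242004 taskmgr.exe:4028 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr SUCCESS 0x1
11140 23.72448540 Brightness.exe:1556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr SUCCESS 0x1
"""


def parse_regmon(text):
    """Turn RegMon text lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "seq": int(d["seq"]), "t": float(d["t"]), "image": d["image"],
            "pid": int(d["pid"]), "op": d["op"], "path": d["path"],
            "result": d["result"], "data": d["data"] or "",
        })
    return events


def policy_writers(events, value_suffix=POLICY_VALUE, ignore=("reg.exe",)):
    """Group SetValue writes to the policy value by (image, pid).

    `ignore` lists tools the operator ran deliberately, the equivalent of
    the *reg.exe* exclude filter Synetech suggests in RegMon.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e["op"] != "SetValue":
            continue
        if not e["path"].lower().endswith(value_suffix):
            continue
        if e["image"].lower() in ignore:
            continue
        by_proc[(e["image"], e["pid"])].append((e["t"], e["data"]))
    return by_proc


def summarize(by_proc):
    """Per writer: total writes, writes that disabled the tool (0x1), and
    the median gap between writes, which exposes a fixed-interval loop."""
    out = []
    for (image, pid), writes in by_proc.items():
        times = [t for t, _ in writes]
        gaps = [b - a for a, b in zip(times, times[1:])]
        disabling = sum(1 for _, data in writes if data.strip() == "0x1")
        out.append({
            "image": image, "pid": pid, "writes": len(writes),
            "disabling_writes": disabling,
            "median_interval_s": round(median(gaps), 2) if gaps else None,
        })
    out.sort(key=lambda r: -r["disabling_writes"])
    return out


if __name__ == "__main__":
    for row in summarize(policy_writers(parse_regmon(SAMPLE_LOG))):
        print(row)
```

On the constructed sample this reports Brightness.exe (PID 1556) with five disabling writes at a median interval of 5.0 seconds, the same pattern Synetech reads off the real log; reg.exe is dropped by the ignore list and taskmgr.exe never appears because it only reads the value.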

#6 konnector

konnector
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 28 April 2009 - 02:59 PM

I ran MSCONFIG and unchecked Brightness.exe, then rebooted. After reboot I ran RegMon and again filtered *DisableTaskMgr*, and now rundll32.exe is disabling it. Did the MSCONFIG again, unchecked rundll32.exe, rebooted, ran RegMon, and now atiptaxx.exe is disabling it, then arc.exe, then KbdMgr.exe, then explorer.exe, and then msconfig.exe. After that I stopped. It seems to be jumping from one app to another. RegMon did also tell me that it was disabling RegistryTools and Hidden folders. Those were the 3 common problems I was noticing over and over again, so I think we're getting somewhere.

I am on a Mac running BootCamp btw.

#7 Synetech

Synetech

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:05:42 PM

Posted 28 April 2009 - 04:07 PM

Okay, so Brightness is a legitimate process, it was just the host to whatever is causing the problem. Re-enable the items you disabled, reboot and check it again. Is it Brightness.exe that’s doing it again? (Chances are it’s something else.)

Hmm, this case is getting interesting. Rundll32 is a host process that runs DLL files as applications, so it is not the item itself, but something loaded with it. ATIPTAXX is part of the ATI video card’s drivers that shows the icon in the notification area. ARC is part of Mac as well (Apple Right Mouse Click), and KbdMgr is the keyboard manager from BootCamp. ATI, Explorer and msconfig are not part of the Apple software, so I doubt that BootCamp is somehow trying to prevent you from seeing the processes (therefore it’s not technically an Apple issue).

My guess is that you are infected with something. Malware is pretty much the only kind of software that does this sort of behavior (continuously disabling security and/or administrative tools in a loop every few seconds—well, malware and software that uses crappy copy-protection). You will want to run some kind of malware scanners to test your system. There are plenty listed in these forums, including MalwareBytes, SuperAntivirus which seem to get a lot of word-of-mouth around these boards.

It looks a lot like something (probably a DLL) is dynamically loading and injecting into your programs, which is why the behavior jumps from process to process. In this case, I would suggest a quick and easy way to check is to use Sysinternals' Autoruns. Run that and examine the AppInit tab. Is there anything in there? If there is, then great. Since there are few legitimate applications of that entry, then it is likely your problem, and we can stop that fairly easily (fixing any damage it may have done will require finding out exactly what it is). If AppInit is empty, then it means that either the malware is hiding elsewhere, or something else is afoot. So take a look at that tab and let me know what's in it.

-- Synetech

#8 konnector

konnector
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 29 April 2009 - 11:13 AM

I re-enabled the items I had checked off and rebooted. Brightness.exe is still the culprit unfortunately. I did also download and run Autoruns and the tab is empty under AppInit; there's nothing in there.

I heard good things about MalwareBytes and SuperAntivirus so I downloaded both, did a quick scan and it found some things. I had the baddies quarantined but the problems still continued. I even also ran ComboFix and it seemed like it was working but it would try to get rid of something and that something wouldn't let it.

I think this malware doesn't like being touched and also doesn't let you open certain programs (eg: SpyBot) or certain websites. I tried going into VirusTotal yesterday and it just kept loading without showing me a page. It couldn't be the website because I was able to load the page on another computer.

#9 Synetech

Synetech

  • Members
  • 149 posts
  •  
  • Gender:Male
  • Location:Canada
  • Local time:05:42 PM

Posted 29 April 2009 - 11:37 AM

Yup, then it sounds like you’ve got one of those malwares that tries to protect itself. Fortunately few malware apps are truly invulnerable.

Let’s start by finding out what exactly is running on your system. If it is a process, then it will be much easier to prevent it from running again. If it is a DLL, it will take a little more work to pinpoint it, but still simply (re)moving the file will block it. If it is a full-on rootkit, then we’ll have to do the most work to find it.

Open a command prompt (Run->cmd.exe) and run the TaskList command (TaskManager and Regedit may be blocked, but there are plenty of alternatives to those apps). Run tasklist /svc > c:\procs.txt. You should now have a file named c:\procs.txt which has a list of the processes and services currently running on your system. We’ll use that to see if there is anything bad (and while we’re at it, anything unnecessary).

-- Synetech

#10 konnector

konnector
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 30 April 2009 - 01:53 PM

Ok here's what it gave me:


Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 716 N/A
csrss.exe 772 N/A
winlogon.exe 888 N/A
services.exe 932 Eventlog, PlugPlay
lsass.exe 968 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe 1104 Ati HotKey Poller
svchost.exe 1124 DcomLaunch, TermService
svchost.exe 1180 RpcSs
svchost.exe 1228 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                 dmserver, ERSvc, EventSystem,
                 FastUserSwitchingCompatibility, helpsvc,
                 HidServ, lanmanserver, lanmanworkstation,
                 Netman, Nla, RasMan, Schedule, seclogon,
                 SENS, SharedAccess, ShellHWDetection,
                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                 winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe 1348 Dnscache
svchost.exe 1380 LmHosts, RemoteRegistry, SSDPSRV, WebClient
ati2evxx.exe 1500 N/A
spoolsv.exe 1692 Spooler
explorer.exe 256 N/A
Brightness.exe 356 N/A
rundll32.exe 364 N/A
atiptaxx.exe 372 N/A
arc.exe 400 N/A
KbdMgr.exe 408 N/A
AppleMobileDeviceService. 908 Apple Mobile Device
mDNSResponder.exe 1256 Bonjour Service
svchost.exe 1328 BthServ
GridcastSvc.exe 1600 Gridcast
libusbd-nt.exe 1636 libusbd
NBService.exe 1796 Nero BackItUp Scheduler 3
stacsv.exe 1944 STacSV
svchost.exe 2116 stisvc
wscntfy.exe 2824 N/A
svchost.exe 3448 HTTPFilter
kmmap.exe 580 N/A
winnuccm.exe 3992 N/A
winmfde.exe 3528 N/A
usnsvc.exe 3188 usnjsvc
sndvol32.exe 3780 N/A
uTorrent.exe 3548 N/A
Ares.exe 4556 N/A
iPodService.exe 3092 iPod Service
msnmsgr.exe 4108 N/A
firefox.exe 268 N/A
cmd.exe 5980 N/A
tasklist.exe 4216 N/A
wmiprvse.exe 6032 N/A

#11 Synetech

Synetech

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:05:42 PM

Posted 30 April 2009 - 07:35 PM

Most of that seems okay, however there are a few that may not be on the up-and-up.

I cannot find any references to winmfde, winnuccm, or kmmap. Find out where on the drive those files are located; the path(s) may give a hint to what they are. When you find them, bring up the Properties dialogs for the files and see what information (if any) is present in the Version tabs. You can also send them to VirusTotal to see what a bunch of virus-scanners think of them.

Assuming that you didn’t sort or alter the order of the list, it is also of note that those three happen to be grouped together, indicating that they were launched near each other. The surrounding processes could also be suspect unless you use MSN Messenger.

-- Synetech
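Synetech's two steps, capturing `tasklist /svc` to a file (#9) and then reading the list for image names with no known origin that sit next to each other (#11), can be turned into a small triage script. The Python below is an added example for this page, not code from the thread or from either poster. It parses the tasklist table, including the wrapped service lists that tasklist prints for busy svchost instances (which arrive both indented and, as in konnector's paste, flattened), and reports runs of consecutive image names missing from a baseline. The embedded dump is a constructed excerpt modelled on the posted one, and `BASELINE` is a constructed allowlist for that excerpt, not an authoritative list of legitimate Windows binaries; a real triage would compare against a baseline taken from a known-clean machine of the same build.

```python
"""Triage a `tasklist /svc` dump: find unknown image names and whether they
are grouped together in launch order.

Added example (not from the thread). The baseline below is constructed for
the embedded excerpt only.
"""
import re

# Constructed excerpt modelled on the posted dump. The svchost row shows the
# wrapped service list tasklist emits; one continuation is left flattened
# (no leading spaces) to mirror how it came through the forum.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
svchost.exe                   1228 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc
explorer.exe                   256 N/A
Brightness.exe                 356 N/A
kmmap.exe                      580 N/A
winnuccm.exe                  3992 N/A
winmfde.exe                   3528 N/A
usnsvc.exe                    3188 usnjsvc
msnmsgr.exe                   4108 N/A
"""

# Constructed allowlist for the excerpt above (lower-cased image names).
BASELINE = {
    "system idle process", "svchost.exe", "explorer.exe",
    "brightness.exe", "usnsvc.exe", "msnmsgr.exe",
}

# A data row is "<image> <pid> <services>"; image names may contain spaces.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def _split_services(text):
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_tasklist(text):
    """Return rows in the order tasklist printed them (launch order, roughly).

    A line that starts at column 0 and has a standalone PID begins a row;
    anything else is a continuation of the previous row's service list.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue
        m = ROW_RE.match(line.strip())
        if m and not line[:1].isspace():
            services = m["services"].strip()
            rows.append({
                "image": m["image"].strip(),
                "pid": int(m["pid"]),
                "services": [] if services == "N/A" else _split_services(services),
            })
        elif rows:
            rows[-1]["services"].extend(_split_services(line))
    return rows


def unknown_runs(rows, baseline):
    """Group consecutive rows whose image is not in the baseline.

    A run of several unknowns launched back-to-back is the grouping
    Synetech points at; a lone unknown is less telling on its own.
    """
    runs, current = [], []
    for r in rows:
        if r["image"].lower() in baseline:
            if current:
                runs.append(current)
            current = []
        else:
            current.append(r["image"])
    if current:
        runs.append(current)
    return runs


def hosted_services(rows):
    """Map each service name to the image:pid hosting it, so a service with
    an unexpected host stands out during review."""
    return {svc: f"{r['image']}:{r['pid']}" for r in rows for svc in r["services"]}


if __name__ == "__main__":
    parsed = parse_tasklist(SAMPLE_TASKLIST)
    for run in unknown_runs(parsed, BASELINE):
        print("unknown run:", ", ".join(run))
    print("BITS hosted by", hosted_services(parsed).get("BITS"))
```

On the excerpt this yields a single run of three unknowns, kmmap.exe, winnuccm.exe and winmfde.exe, which is exactly the adjacency Synetech calls out; the next step in the thread, locating the files on disk and submitting them for scanning, is done outside this script.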

#12 konnector

konnector
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 04 May 2009 - 07:16 PM

Sorry for late reply, had a busy weekend.

I searched for those entries using the windows search feature but nothing came up. Also I tried loading the VirusTotal website but nothing comes up. And I do use MSN Messenger which is Windows Live Messenger now.

#13 Synetech

Synetech

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:05:42 PM

Posted 04 May 2009 - 10:51 PM

Hmm, I guess that the files are either hidden normally and you don’t have show-hidden-files active, or you do indeed have a rootkit that is using special means to hide them.

Try finding them from the command line: Start->Run->cmd.exe, then type: dir c:\*winmfde* /s /a. Repeat with the other filenames. If they still aren’t found, then they are probably specially hidden and we’ll have to dig them out—there are several apps and methods to detect rootkits.

If you cannot load the VirusTotal website, then either you have a legitimate program incorrectly blocking it (some security apps can block too much), or the malware—at this point it looks like some form of rootkit—is blocking it. Try going to their website via their IP.

Sorry, I just noticed I had slipped a 't' into the url. :thumbsup: It should have been VirusTotal.com.

Edited by Synetech, 04 May 2009 - 10:56 PM.


-- Synetech

#14 konnector

konnector
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 06 May 2009 - 12:25 AM

Ok, I tried looking for each one of those using cmd.exe, but none came up. I did notice the extra 't' in the VirusTotal link, but it still doesn't load while trying to access the website. I tried the IP link and it doesn't load; I get this message on the page:


ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://74.53.201.162/

The following error was encountered:

* Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster@hispasec.com.
Generated Wed, 06 May 2009 05:20:56 GMT by viruskill2.hispasec.com (squid/2.6.STABLE18)


I think you're right about something in the background blocking it because this page loads correctly on another computer that I tried it on.

#15 Synetech

Synetech

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:05:42 PM

Posted 06 May 2009 - 10:24 AM

(Hmm, the page doesn’t load for me via IP either. I guess their server is configured strangely.)

Okay, so let’s make a list of what we’ve found so far:
  • Regedit and TaskManager (aka admin tools) are prevented from loading
  • Something is disabling access to those continuously every five seconds
  • Whatever is blocking admin tools is not a process, but loaded into other processes
  • The files are not visible on the drive
  • Security websites are blocked from loading
Yup; congratulations, it sure sounds like you have a rootkit on your system. What you’ll need to do now is try to root it out (pun half intended).

There are plenty of rootkit detection programs available, none of which is foolproof. There is a technique that I created a while back that can find most real-world rootkits, but it requires a few tools (small programs), so it won't work for public use at the moment, and it isn't exactly a point-and-click affair. (I promise to work on it.)

In the meantime, you can run some of the common ones to see what they may find: RootKitRevealer is from Sysinternals, and Mark certainly enjoys working on it. RootRepeal (formerly DriverDetect) is by a_d_13 over at the Sysinternals forums, where we have been testing and helping to improve it for over a year and a half. Some of the anti-virus vendors have also started making their own rk detection apps such as F-Secure's BlackLight, and Sophos' imaginatively named Anti-Rootkit. McAfee has been updating its Stinger for the latest threats for years and now has RootKit Stinger. There are also some indie ARK developers like GMER. And of course there's the grand-daddy of ARKs, IceSword (http://www.antirootkit.com/software/IceSword.htm), which is available in English.

Like I said, there are a lot available now, but none are 100% due to the very nature of rootkits. There are more available (just Google for “rootkit detection” or “anti-rootkit” or some such). However the ones above are some of the more known ones.

(I don’t recall ever hearing about Hoglund working on a rootkit detector yet. What’s Greg doing? :thumbsup:)

Edited by Synetech, 06 May 2009 - 10:27 AM.


-- Synetech
