Help removing rootkit


This topic is locked. 5 replies to this topic.

#1 zamolx3

  • Members
  • 3 posts

Posted 22 June 2009 - 05:41 AM

Hi guys,

It's my first time on this forum so I'm sorry if I'm posting on the wrong forum.
I'm a programmer so I know a few things about computers but recently I've encountered a problem that I've never seen before (and don't know how to solve).

My friend's laptop has been infected with a rootkit that is pretty hard to remove.
First, the symptoms:
- Registry editing and Task Manager are disabled (if I re-enable these functions with a .reg file they are overwritten automatically within seconds).
- USB drives are automatically infected with autorun.inf files (that will run a .pif file)
- I cannot boot into safe mode (the computer restarts automatically during boot)
- unhackme (http://greatis.com/unhackme/) finds a rootkit (a random name sys file). I cannot remove it with unhackme (it keeps coming back after reboot).
- gmer (http://www.gmer.net/) will BSOD during scan (so I cannot use it).

I didn't want to waste time on this and I formatted (NTFS quick) the C: drive. The laptop has two partitions (D: is used only for data).
So, I've formatted the C: drive and cleaned all the USB sticks (removed autorun.inf) on a Mac computer.

However, the rootkit reappeared instantly after C: format and Windows reinstallation. I have no idea how it persisted because C: was formatted.
Any ideas on what to try next?

Thanks in advance for help,
zmx

#2 harrythook

  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 22 June 2009 - 08:31 AM

Couple of questions.
How did you reinstall? From an OS disk or from an image?
Did you scan the D partition? Could it be hiding in there?

There is a good possibility that this will be moved over to another forum on the site, where it can be looked at more in depth.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#3 zamolx3

  • Topic Starter

  • Members
  • 3 posts

Posted 22 June 2009 - 11:08 AM

I reinstalled from the Windows OS disk. The install is not compromised.
I've used the same CD for reinstalling 3 other machines (the whole network was compromised) and I get this behavior only on this machine. The other machines are fine.

I've scanned the D partition and didn't find anything there, but this could be irrelevant if the rootkit is running (because it could be hiding its files). Maybe D: had autorun enabled and when I reinstalled Windows and accessed the D: drive, the rootkit came back.

I have the idea to boot from a bootable CD and scan from there (like WinInternals ERD commander).

Since I posted this help message, I've been reading a lot of threads from here and testing some of the tools mentioned here (like mbam) and I think I'm getting close to removing this rootkit.

Will try a reinstall later today and post here if the rootkit still persists. Unfortunately, I didn't save a copy of the rootkit, so if I remove it, I will never know what it does. I scanned it on VirusTotal but it was only detected by 4 AVs and only using heuristics (so it's a new one).

p.s. found a log from unhackme

Partizan 1.4 started.
Day: 21. Month:6.2009 Time (GMT +0):19:6:33
Windows Version:5.1 Build:2600
Partizan driver is active.

Opening command file: SUCCESS.

Safe deleting file:

\??\C:\WINDOWS\SYSTEM32\DRIVERS\QHRLJ.SYS


so, the rootkit was placed in SYSTEM32\DRIVERS.

Edited by zamolx3, 22 June 2009 - 11:16 AM.
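A defender-side check for the USB symptom listed in the first post (autorun.inf launching a .pif) and for the D: autorun hypothesis above. This is an added example, not code from the thread or from any tool mentioned in it: a tolerant autorun.inf parser that reports which entries would execute a program when the volume is mounted. The sample autorun.inf, the file names inside it and the drive root argument are constructed.

```python
import re
from pathlib import Path

# Constructed sample: an autorun.inf of the kind the thread describes,
# pointing the shell at a .pif dropped on the stick (names are made up).
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\S-1-5-21\\update.pif
shell\\open\\Command=RECYCLER\\S-1-5-21\\update.pif
shell\\explore\\command=RECYCLER\\S-1-5-21\\update.pif
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
useautoplay=1
"""

# Keys whose value is a program the shell launches on AutoRun/AutoPlay.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\.*\\command)$", re.I)
RISKY_EXT = {".pif", ".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js"}

def parse_autorun(text):
    """Keep key=value lines under [AutoRun]; ignore junk lines malware pads in."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launched_programs(text):
    """Return (key, target) pairs that would run an executable on insertion."""
    hits = []
    for key, value in parse_autorun(text).items():
        parts = value.split()
        target = parts[0].strip('"') if parts else ""
        if LAUNCH_KEY.match(key) and Path(target).suffix.lower() in RISKY_EXT:
            hits.append((key, target))
    return hits

def scan_removable_root(root):
    """Check a mounted volume root (e.g. 'E:\\\\' or '/Volumes/USB') for autorun.inf."""
    inf = Path(root) / "autorun.inf"
    return launched_programs(inf.read_text(errors="replace")) if inf.exists() else []

if __name__ == "__main__":
    for key, target in launched_programs(SAMPLE_AUTORUN):
        print(f"autorun.inf would launch {target!r} via {key}")
```

Run it against each USB stick and the data partition before reusing them; an entry in the output is the file to quarantine along with autorun.inf itself.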


#4 harrythook

  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 22 June 2009 - 11:52 AM

If it's still on the machine you can upload it here so I can take a peek at it. You can submit the file by following this link:
http://www.bleepingcomputer.com/submit-malware.php
In the comments mention that I asked for the file to be uploaded.

Let me know how you make out.
Harry


#5 zamolx3

  • Topic Starter

  • Members
  • 3 posts

Posted 22 June 2009 - 01:03 PM

Hi Harry,

I've just finished the second reinstall and now the rootkit is completely gone. Unfortunately, I didn't save a sample.
Sorry about that. I just wanted to get rid of the damn thing as soon as possible :flowers: Thanks for your replies.
You can close this thread, my problem is solved.

p.s. Just wanted to say that you guys are doing a great job, helping people for free. Keep up the good work! :thumbsup:

Edited by zamolx3, 22 June 2009 - 01:13 PM.


#6 harrythook

  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 23 June 2009 - 06:01 AM

Thanks :thumbsup:




