Using Saved Data after rootkit removal

1 reply to this topic

#1 Lt Kije

  • Members
  • 3 posts

Posted 04 July 2009 - 07:33 PM

I had a nasty rootkit infection which was a first for me (hope it's the last). When I realized what I was dealing with, I saved very important data to a DVD disc. Then, I reformatted my C:\ drive and reinstalled everything. I bought a terabyte USB drive and have saved images (Acronis Home) throughout the entire restoration process (three weeks). I also upgraded my Zone Alarm Security Suite to Zone Alarm Extreme Security with ForceField.

This rootkit was residing in *.exe and *.dll files in Windows XP Pro SP2 (now updated to the latest). It seemed that it required *.exe or *.dll for its survival. As far as I know, this rootkit only made one jump to a non-system file, ImgBurn.exe. It ultimately stayed away from files that I could identify and "kill" within Zone Alarm. During the restoration process, I was able to use the infected computer for research on the rootkit issue. The last residence of the rootkit was WinLogon.exe, which required reloading the browser (Firefox) when the rootkit acted up. (I couldn't kill this or I would lose access to the internet.)

Now what are my percentages?
I have read differing opinions about rescuing data on a system that has been infected with a rootkit. Some have indicated that any data on such a system should be immediately saved and put in a secure location presumably to use after the new system is available. Others have said that once infected, nothing on the computer should be reused.

Given the importance of the data on the DVD disc, I am naturally concerned about the possibility of the rootkit having attached itself to the saved data (DVD). I am looking for (a) knowledgeable opinion(s) regarding the statistical probability that this could occur. I am 99.9% sure I have clean images of the restored system on the USB drive. I am willing to take some risk because of the importance of the saved data.

Other tools available?
Are there any procedures that could "help" ensure the cleanliness of the data on the DVD? (There are no *.exe, *.sys or *.dll files on the DVD.)

Thank you,
Lt Kije


#2 Zllio


  • Members
  • 1,107 posts

Posted 09 July 2009 - 03:12 AM

Hi Lt Kije,

You could do a search for those specific files on your DVD by inserting it and running normal searches for *.exe and *.sys and *.dll.
Those are wild-card searches that would pull up any of those files that might be on the DVD.

You can also scan it with an online scanner which will scan a single drive. I'll give you the instructions for that in a moment. It would also be a good idea for you to be sure that your autoruns/autoplay are disabled. This means whenever you put in a cd, you'll have to open it yourself (for instance using Windows Explorer) rather than it opening itself. Additionally, it's a good practice to run a cleaner regularly (as often as every time you leave the internet), as many forms of malware hide out in the temp files and temporary internet files.

Here are some instructions you can do after you do the above searches of your dvd. If the searches turn up anything, post the results here so we can tell you if anything is bad. Then continue as follows:

Step 1: ATF Cleaner

If you're running XP, please run ATF cleaner according to the following instructions. If you're using Vista, right-click on the icon and select "run as Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Step 2: Next I would like for you to run an online scan called BitDefender

Note: You can only run this scan with Internet Explorer with ActiveX enabled.

Please run a BitDefender Online Scan

  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • In the window that opens up you'll see two options:
    • Folders to Scan
    • Cleaning Options
  • Click on Folders to Scan
  • Locate the drive you wish to scan (or scan your whole computer)
  • Click Start scan to begin the scan.
  • BitDefender will install updates of its Virus Signatures.
  • Once the virus signatures have been completed, the scan will begin.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Click on the Detected Problems tab. Then select Click here to export the scan report
  • Give the file the name bdscan with the date

Let me know if you turn up anything either with the searches or with the online scan.

edit: modified log instructions for BitDefender scan

Edited by Zllio, 09 July 2009 - 03:31 AM.
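The wildcard searches and the AutoPlay point in the reply above, as an added example that is not part of the thread and not either poster's own procedure: a Python script that walks a mounted disc (a constructed temporary directory stands in for the DVD here) and flags files by executable extension, by the presence of an autorun.inf, and by the PE "MZ" header, so that an executable renamed to look like a document is not missed by a name-only search. The extension list beyond .exe/.dll/.sys, the sample file names and their contents are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Extensions Windows will run or load as code. The reply's wildcard searches
# cover the first three; the rest are assumed additions a practitioner would include.
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx", ".drv"}

# Every PE image (EXE, DLL, SYS, SCR, ...) starts with the DOS "MZ" header,
# whatever the file is called, so the content check catches renamed executables.
PE_MAGIC = b"MZ"


def classify_file(path):
    """Return the reasons this file deserves a look (empty list if none)."""
    reasons = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension " + ext)
    if name.lower() == "autorun.inf":
        reasons.append("autorun.inf present (acted on when AutoPlay/AutoRun is enabled)")
    try:
        with open(path, "rb") as f:
            head = f.read(len(PE_MAGIC))
    except OSError:
        return reasons + ["unreadable"]
    if head == PE_MAGIC and ext not in EXEC_EXTENSIONS:
        reasons.append("PE (MZ) header behind a non-executable extension: renamed executable")
    return reasons


def sha256_of(path):
    """Hash a file so a suspect can be looked up or submitted without copying it around."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root and map each suspicious file (forward-slash relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_disc():
    """Constructed stand-in for the DVD: a temp directory with a few made-up files."""
    root = tempfile.mkdtemp(prefix="dvd_")
    samples = {
        "letters/notes.txt": b"Just text.\n",                        # clean data file
        "photos/cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,        # JPEG magic, clean
        "tools/ImgBurn.exe": b"MZ" + b"\x00" * 62,                   # caught by name
        "docs/report.doc": b"MZ" + b"\x00" * 62,                     # caught by header only
        "autorun.inf": b"[autorun]\r\nopen=tools\\ImgBurn.exe\r\n",  # caught by name
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    disc = build_sample_disc()
    for rel, reasons in sorted(scan_tree(disc).items()):
        print(f"{rel}: {'; '.join(reasons)}  sha256={sha256_of(os.path.join(disc, rel))}")
```

Against a real disc, call scan_tree with the drive root (for example scan_tree("E:/")) after disabling AutoPlay as the reply advises, so that nothing on the disc is executed while it is being listed. A clean result from this check only means the disc carries no executable containers or autorun entry; it does not examine the contents of document or image files, so the online scan in Step 2 still applies.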
