Rootkit from hell

1 reply to this topic

#1 WOPing

  • Members
  • 1 posts

Posted 19 July 2010 - 05:23 AM

Ok...

I have a unique situation. I have an aging laptop that I cannot wipe clean, as it has some expensive development tools on it, the CD is inoperable, AND has no USB boot support.

The thing is, I have contracted a HORRIBLY RESILIENT root kit (bad site maybe, but I rarely stray out of my known site list). It infected my entire home network (5 Windows XP Pro boxes and this old laptop). A few boxes showed TSS.ROOTKIT under Malwarebytes (among several other trojans, etc.), but some showed nothing, yet had the same symptoms... which were:

1). IE page redirects on each search.

2). VERY slow performance (CPU usage of 20-40%, though Task Manager showed System Idle at 97-99%) that would randomly start when connected to the I-Net and last for maybe 15-20 minutes, then disappear.

3). Shuts off most anti-virus/malware scanners or randomly disallows installation.

4). COMPLETELY disabled Windows Firewall (even the setupapi trick wouldn't work), though it runs in Safe Mode.

5). Blue screened when I ran CMC; GMER detects no hidden ANYTHING, deletes all desktop icons for SysProt (which shows many hooks and hiddens, but cannot clean) and TDL3 Razor (which shows no infection when run), and RootKitty blue screens.

6). MBRWiz detects hidden partitions ONLY when booted from a Win XP boot CD (Ultimate Win Boot CD)... and NOT on the root drives (only secondaries).

7). Does NOT seem to infect or hinder any USB stick drives (thank God).

8). Shows a bunch of additional malware and such which comes back after cleaning as soon as I connect to the internet.

I wiped all my drives clean and reinstalled and restored backups from last month... EXCEPT this laptop, as the VS 2005 tools I use on this laptop cannot be restored from backup, but MUST be installed via their web install (yes I have tried before with their tech support). I use it ONLY to compile apps that use these tools.

The problem is, I have a current contract using these tools and they are MAD expensive and integrated throughout the 160+ screen app, so I cannot lose the ability to compile it right now.

I managed to disable the main functionality of the root kit by disabling various Windows services and killing explorer (the whole shell), yet every time I attempt to connect to the internet, open Services or several other Windows cpl's I get a Windows Installer pop-up. The few times I was unable to click the cancel button quickly enough, I was immediately reinfected with the redirects and such.

I have been pulling my hair out for a solid WEEK with this damn laptop. I was able to block the outgoing by creative NAT-ing and inserting a local software proxy server in between IE and the outside connection, but it only works on my PCMCIA Sprint card (3G dial-up connection).

I am assuming it is a TDL3 variant (as some detect it as TDL3 or TSS), but damned if I can clear it off. I can't even unhide the partition, because I cannot SEE it with anything I have.

I am fairly certain it has infected the ATAPI driver in conjunction with a hidden driver or two, but am still uncertain, and the only hidden registry entries are DUMP_ATAPI.sys and DUMP_WMILIB.sys, which is normal... SO WHAT THE HELL!?

Lots of hooks... too smart to fall for renaming tools... WELL protected.
This is OBVIOUSLY a root kit... but I can't get the damn thing off. Hell, I can't even see it completely!

If you think it will help, I'll get myself a 2.5" USB drive enclosure and try detecting/cleaning from a throw-away workstation.

If ANYONE can assist in this, I will forever sing your praises and be in your debt! Hell, I might be inclined to fly to your city and treat you to dinner at a five-star of your choice!

I am new to this forum and have a SLEW of logs from different SW, so let me know what you want and I'll send it along.


#2 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 19 July 2010 - 05:34 AM

With the information you provided, follow the following:

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.



