Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Rootkit Activity Since January - Only just now are tools starting to detect

  • Please log in to reply
No replies to this topic

#1 Zen Seeker

Zen Seeker

  • Members
  • 695 posts
  • Gender:Not Telling
  • Local time:03:26 PM

Posted 09 May 2011 - 12:16 AM

Rootkit Activity Since January - Only just now are tools starting to detect

I bought a new laptop in January. It failed to make the recovery disks repeatidly. I removed the drive to backup an image instead. Found out shortly after that the new system came with a virus/rootkit. Now my other systems have the same bug and I have been unable to remove/clean it and only in the last week have the tools here been able to detect it but not name it or clean it.(GMER notes 3 hidden services when a HDD or USB are installed, all USB related such as USBHUB.SYS, that are rootkit activities.)

Seems to be hidden in either the BIOS/MSBIOS/Video/Chipset. Even after using the newest DaRT from a MS Rep, burned with bad system as I have no trusted clean machine, it still doesn't find anything wrong when I use the scanner and the disk wipe DoD 4x cleaning still leaves things behind when viewed with a hex editor or fdisk on a linux live disk. RAWDATA partition view shows, hex, all "0" except for; "0x1B0: 00 00 00 00 00 00 00 00 xx xx xx xx 00 00 00 00" & "0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA" ("XX"= any hex value...keeps changing whenever I load fdisk to view.) In a hex editor usually the first 20+ lines still have hex values other than 00 and end at 55 AA. I can replace them in the editor with 00 or FF and it will stay but in fdisk the RAW DATA is always there in the same place.

If I load a windows OS, usually Windows 7 or Vista, it looks like things are replaced or changed during the reboots using the tools that come with the OS. On theannew laptop if I load my old MS XP SP2 DVD it goes to BSOD saying to try again or I have a possible virus. With my MS Vista Ultimate x64 if I run MRT.exe it pops up in Sanskrit? (MS tech said that wasn't right but could be bug.) Also noted the exact same certificates in my clean Vista and Win 7 x64 installs. Same goes for the aproximately 25 NON-Plug and Play drivers like VGASave.

Under Win 7 or Vista x64 or x86 when I lock down/harden the system will usually turn services back on or run when disabled. Installing in safe mode usually fails even when I change the registry to allow it. Svchost, Rundll, Rundll32, and Dllhost all get abused if I try to load/lock system down even with KIS 2011. (The box to disable "trust digital signatures" is greyed out in th echecked possition.) At best I can lock down the virus with KIS and see popup warning how a hidden service/process is using other services/process to try and enable ones I marked untrusted.

After using the latest tools from here and MS I was able to find that by making a few changes to the registry, either in safe mode or with the new DaRT, I can take ownership and remove/fix a few keys and then rename some SysWOW files like rundll32, svchost, or in system32 ctmon and then reboot to an almost normal system. (Not much use or good but at least I can scan and check things with out it rebooting and/or BSOD.) Also noted with a linux live dvd that the system reserved partition has a memtest.exe that is an archive with unknow files, to me. Not sure if that's normal or not but worth noting.

I currenlty have the HDD nuked...not fully wiped again as it's still a long process but 1/3 done at least. Can load any OS you need to review/test. Once connected to teh internet it updates and becomes even more infected, for lack of a better term, but I can use live disks as I am now to leave the OS as clean as possible.

Flashing BIOS seems to work when I tried to apply a lower version that includes a chipset flash and video, Intel, it didn't seem to apply...

So, other than seeing others starting to post things that seem to have the same issue and the latest tools confirming that I have "a" bug I'm no further ahead at naming it or removing it. I know it's on the dives, USB and HDD, and after format take about 30MB but no idea where else it's hiding for sure other than one or two old system scanners telling me that some video rom/nvram locations are in the wrong format or unreadable.

Anyone able to help? I'll start where ever you want and provide what you ask ASAP and don't care about starting over or losing data. Everythings gone and ready to start fresh.


Forgot to mention that fdisk, linux version, notes that the 4th partition has wrong information at 0x0000 but will be corrected when the new changes are saved. (This is for any HDD or USB that has been wiped or totally deleted.)

Edited by memine, 09 May 2011 - 12:29 AM.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users