Rootkit Removal


7 replies to this topic

#1 jfirestorm44
  • Members
  • 49 posts

Posted 11 June 2006 - 11:14 PM

OS: WinXp Home sp2

I'm about 100% positive I have a rootkit installed. I've run almost every program out there for finding the pieces to it, but still I can't get rid of it. I have also run a hook analyzer and realized that it is hooked into many of my spyware/adware programs, except Spybot. I have disabled the programs from starting that it has hooked into and ran my rootkit revealer, and they were still there. Then I ran the hook analyzer again and I saw that it was hooked into the rootkit revealer also.

I've also run RKdetector and it has two hidden files it finds:

HIDDEN: c:\System Volume Information\MountPointManagerRemoteDatabase

HIDDEN: c:\System Volume Information\tracking.log

It also does a registry scan and finds hidden registry keys which to me look very suspicious:

HIDDEN: SOFTWARE\Webroot\SpySweepe\IEH\||||||||||--------------------------------

THERE IS ACTUALLY NO -'S AFTER THE HORIZONTAL LINES. Substitute them for a string of funky letters with quotes and commas everywhere; it's like another language or something.

There are 9 of these registry keys. By the way, they're in HKLM\SOFTWARE.

I have a lot more registry keys than these also in HKLM\SYSTEM.

Please Help Me
jfirestorm44


#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,111 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 June 2006 - 08:25 AM

Hello jfirestorm44

Let's try something else. Please perform this online scan: F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then click Install ActiveX component.
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.

This scan only works with IE on Win XP/2000 systems. It scans for viruses, spyware and rootkits using the BlackLight engine.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 jfirestorm44
  • Topic Starter
  • Members
  • 49 posts

Posted 12 June 2006 - 11:32 PM

Okay, I ran the F-Secure scan. Here it is:

Statistics
Scanned:
Files: 24981
System: 5485
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\PROCGUARD.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\HSPERFDATA_COMPAQ_OWNER\220
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{318EC2B9-24ED-473F-9034-32384BD5C6FD}
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-06-12
F-Secure Libra: 2.4.1, 2006-06-10
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Orion: 1.2.37, 2006-06-12
F-Secure Pegasus: 1.19.0, 2006-00-19
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics


Looks like I'm okay, but I'm not sure why it skipped those 8 files. If you could let me know, I'd appreciate it. Thank you.

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,111 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 June 2006 - 06:38 AM

dtscsi.sys is part of the Daemon Tools software.
sptd.sys is part of Daemon Tools.
procguard.sys is part of DiamondCS Process Guard.
hiberfil.sys is used by Windows Hibernate.
pagefile.sys is part of the Virtual Memory Manager on Windows platforms.

This is still in beta but it appears to be normal for the scan to skip these files. If you were infected with anything the log would show something like this:

Scanning Report
Tuesday, June 06, 2006 20:59:30 - 23:45:41
Computer name: A1WJDU
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

Result: 27 malware found
ABetterInternet.Nail (spyware)
System (Disinfected)
Adware.Look2Me (spyware)
System (Disinfected)
Adware.Yazzle (spyware)
System (Disinfected)
Alexa (spyware)
WebHancer (spyware)
System (Disinfected)
Win32.Trojan.Downloader (spyware)
System (Disinfected)

The main thing to keep in mind with rootkit scanning tools is that not all the hidden files they detect are malware.

#5 jfirestorm44
  • Topic Starter
  • Members
  • 49 posts

Posted 13 June 2006 - 05:20 PM

Well then, I'll assume that everything is okay. I appreciate all your help, and thanks for the online scan reference. I'll just keep up to date on all the definitions and try to keep my computer clean.

Thank You

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,111 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 June 2006 - 05:28 PM

You're welcome. Here is some more reading:

Windows rootkits in 2005, Part 1 of 3 [2005-11-04]
http://www.securityfocus.com/infocus/1850

Windows rootkits of 2005, Part 2 of 3 [2005-11-17]
http://www.securityfocus.com/infocus/1851

Windows rootkits of 2005, Part 3 of 3 [2006-01-05]
http://www.securityfocus.com/infocus/1854

IceSword, F-Secure BlackLight, GMER and UnHackMe are some other tools which can detect and/or remove Rootkits. The latest versions of Webroot SpySweeper and PC Tools Spyware Doctor are also able to handle some Rootkits.

To protect yourself against malware, you may want to read "Simple and easy ways to keep your computer safe"

#7 jfirestorm44
  • Topic Starter
  • Members
  • 49 posts

Posted 13 June 2006 - 06:25 PM

I checked out your simple and easy ways. There's some good information there. I also downloaded SpywareBlaster, so thanks again.

Another thing I was wondering about was that hook program and why every time I run it, it says my programs are hooked. What does this mean? They all seem to have the same line of code also.

#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,111 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 June 2006 - 07:40 PM

Hooking is one of the techniques used by a rootkit to alter the normal execution path of the operating system. Rootkit hooks are basically installed modules which intercept the principal system services that all programs and the OS rely on. By using a hook, a rootkit can alter the information that the original OS function would have returned. There are many tables in an OS that can be hooked by a rootkit, and those hooks are undetectable unless you know exactly what you're looking for.

Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on your system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer.

For more info on this, see Windows Rootkit Overview.

The newer algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of detecting the presence of the rootkit's hooks.
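The two detection strategies quietman7 contrasts in post #8 (enumerating hooks versus finding what is being hidden), together with the caveat from post #4 that a hidden object is not automatically malware, as an added example in Python. This is not code from the thread, from F-Secure BlackLight or from any other tool mentioned here. The service table, the module names rk_driver.sys and rk_svc.dll, the hide rule and the directory listing are all constructed, and treating procguard.sys as a legitimate hooking tool and System Volume Information as access-controlled are assumptions made for the example.

```python
"""Two rootkit-detection approaches from the discussion, simulated.

Added example: this is not code from the thread, from BlackLight, or from
any other tool named in it. Every table, listing and module name below is
constructed for illustration.
"""

# ----- Approach 1: look for the hooks themselves ------------------------
# A system service table maps each service to the module owning its handler.
# With no hooks active every entry resolves into ntoskrnl.exe, as the post
# describes. Constructed table; service and module names are illustrative.
KERNEL_IMAGE = "ntoskrnl.exe"
SERVICE_TABLE = {
    "NtQueryDirectoryFile": KERNEL_IMAGE,
    "NtOpenKey": KERNEL_IMAGE,
    "NtCreateFile": "procguard.sys",              # assumed: a security tool's hook
    "NtQuerySystemInformation": "rk_driver.sys",  # constructed rootkit driver name
}

# Modules the operator knows to hook deliberately (the thread's caveat that
# kernel hooks are not always bad). Assumption: procguard.sys is one of them.
KNOWN_HOOKING_TOOLS = {"procguard.sys"}


def find_hooks(table, kernel=KERNEL_IMAGE):
    """Service names whose handler lives outside the kernel image."""
    return sorted(svc for svc, module in table.items() if module != kernel)


def triage_hooks(table, allowlist=KNOWN_HOOKING_TOOLS):
    """Split hooked services into those owned by known tools and the rest."""
    hooked = find_hooks(table)
    known = [s for s in hooked if table[s] in allowlist]
    unknown = [s for s in hooked if table[s] not in allowlist]
    return known, unknown


# ----- Approach 2: find what is being hidden (cross-view difference) ----
# The raw view is what a detector gets by a path no hook covers, e.g. by
# parsing the volume directly. Constructed listing; the rk_* names are made up.
RAW_VIEW = [
    r"C:\WINDOWS\system32\ntoskrnl.exe",
    r"C:\WINDOWS\system32\drivers\sptd.sys",
    r"C:\System Volume Information\tracking.log",
    r"C:\System Volume Information\MountPointManagerRemoteDatabase",
    r"C:\WINDOWS\system32\drivers\rk_driver.sys",
    r"C:\WINDOWS\system32\rk_svc.dll",
]
HIDE_PREFIX = "rk_"  # constructed filter rule for the simulated hook

# Objects Windows itself keeps out of ordinary directory listings; a raw
# scanner reports them as hidden, but they are expected (post #4's point).
KNOWN_BENIGN_HIDDEN = {
    r"C:\System Volume Information\tracking.log",
    r"C:\System Volume Information\MountPointManagerRemoteDatabase",
}


def os_access_filter(listing):
    """Assumption: System Volume Information is access-controlled, so normal
    enumeration does not return its contents."""
    return [p for p in listing if "\\System Volume Information\\" not in p]


def rootkit_hook(listing, prefix=HIDE_PREFIX):
    """Simulated directory-enumeration hook dropping names with the prefix."""
    return [p for p in listing if not p.rsplit("\\", 1)[-1].startswith(prefix)]


def api_view(listing):
    """What a user-mode program sees: OS filtering, then the hook's filtering."""
    return rootkit_hook(os_access_filter(listing))


def cross_view_diff(api, raw):
    """Objects present in the raw view but missing from the API view."""
    return sorted(set(raw) - set(api))


def classify_hidden(hidden, benign=KNOWN_BENIGN_HIDDEN):
    """Separate expected hidden objects from the ones that need a look."""
    expected = [p for p in hidden if p in benign]
    suspicious = [p for p in hidden if p not in benign]
    return expected, suspicious


def run():
    """Apply both approaches to the constructed data and summarise."""
    known_hooks, unknown_hooks = triage_hooks(SERVICE_TABLE)
    hidden = cross_view_diff(api_view(RAW_VIEW), RAW_VIEW)
    expected, suspicious = classify_hidden(hidden)
    return {
        "hooks_from_known_tools": known_hooks,
        "hooks_unexplained": unknown_hooks,
        "hidden_expected": expected,
        "hidden_suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, items in run().items():
        print(f"{label}:")
        for item in items:
            print(f"  {item}")
```

The cross-view difference needs no knowledge of which table the rootkit hooked; it only needs a second view that the hook does not filter, which is the shift in approach the post attributes to BlackLight. Both approaches still produce hits that are not malware (a security tool's hook, a directory Windows protects), so each ends with a triage step against what the operator already knows to be legitimate.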
