
Hijackthis And Similar - Does Little For Rootkit Infections: Help!


This topic is locked
3 replies to this topic

#1 crablover

  • Members
  • 1 posts

Posted 20 June 2006 - 05:58 AM

I am really discouraged because what I thought would be an isolated incident, ignited by a nasty chat worm, ended up becoming a series of infestations. I have tried using helpful tools that are usually pretty good at detecting garbage lurking in the background, like Hijackthis. I have used McAfee, Norton Systemworks, tools such as Ghostsurf/Spycatcher, Spybot Search and Destroy, Trojan Hunter, Registry Mechanics, etc. Nothing detects this for sure as a lot of the files that infect the pc are compressed and their names resemble or are the same as vital system files.

If anyone has dealt with a horrible rootkit contamination, please send me some feedback as I am having a real migraine with this. The only tool that picked up on certain rootkit entries, when I first downloaded the tool, was Spybot. Now, it doesn't even notice those entries any longer - as if the rootkit has modified the settings in the background or something. Norton was even to the point where it was crashing and giving me internal application errors - much like a coder sees when he/she first starts debugging a test application. It was ridiculous. Firewall settings are killed, as well as antiviral settings.

If you go to start -> run -> regedit -> HKEY_LOCAL_MACHINE... -> SOFTWARE -> MICROSOFT -> SECURITY CENTER: you will notice that on the right-hand side, there are 4 to 5 new entries other than the default. These malicious entries override your security features - to the point that even if you delete them, they will eventually reinstall themselves even without reboot. (For sure with a reboot, even if you spend an hour deleting all of the crap from the registry - you have it all back again when you start up anew.) SECURITY CENTER expands and under that you will notice MONITORING. Select the folder that corresponds to your antiviral tool and firewall - both folders will have an extra entry which will disable the monitoring. Then, if you go to HKEY_CURRENT_CONFIG... -> SOFTWARE -> MICROSOFT -> WINDOWS -> CURRENT SETTINGS -> INTERNET SETTINGS, you will notice that there is a proxy enable entry on the right-hand side, i.e. a nice backdoor.

I have noticed that upon deleting these entries, running antispyware, Spybot, antivirus and Hijackthis afterwards, with a tight internet security setting, I can still access the web, like I am doing tonight, without having Windows reboot itself (which is sometimes the case). Yes, those lovely blue Windows errors.

I have reformatted from Microsoft Win XP Professional SP2 boot-up disks, then used the OS installation CD. Once the installation was completed, I went to the registry to verify if the garbage entries were in there. They were. So, I reformatted the hard drive again, only this time I repartitioned it (new/raw). Yet, after the Win XP Professional installation, the malicious settings are still in the registry every time upon boot-up.

I don't want to have to buy another computer. Any suggestions?

I originally had the crazy idea that this rootkit found a way to embed itself in my RAM or lodge itself in an interrupt. A buddy of mine told me that I was nuts as the RAM clears every time it is removed. It would be the only logical assumption that I have, unless there is garbage in the 8 MB/index, which Windows seems to hold (the small portion of our hard drives that we cannot partition/reformat).

I've never dealt with a rootkit before. It seems that a lot of people don't know much about them and the software out there for rootkits is just starting to come out more. I would prefer to clear the disk totally and reinstall from zero. I just need a little help to get what I am forgetting/missing here. How can I completely clear out that registry and really reformat this hard drive from scratch? I have the Microsoft XP Pro boot-up (the download is clean) that I downloaded and a valid installation CD (the CD is clean).

Thanks for emailing me if you think it will get to me faster as I try to limit my internet connecting time with this crap on the pc.
:thumbsup:

Mod Edit~ e-mail removed to protect the member from evil spam bots.

Edited by Pandy, 20 June 2006 - 08:46 AM.



#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 20 June 2006 - 09:23 AM

Hi there crablover and welcome to BleepingComputer.

Well, I've read through the details of this rootkit about 3 times, but I'm not convinced you have anything wrong with your computer. I looked into my own registry from HKEY_LOCAL_MACHINE... -> SOFTWARE -> MICROSOFT -> SECURITY CENTER, and I did find these entries you are talking about - but they are not malicious. It is part of the Security Centre to protect your computer. If you try and delete them the OS will simply rewrite them back in. It's similar to normal files in the OS - if you try to delete an important, legitimate Windows file, the system will simply replace it with a copy. Changing the DWORDs will affect whether the various attributes of the Security Centre function.

I need you to explain if there are any symptoms of this "rootkit". What is the rootkit doing to your computer? The ProxyEnable value allows you to configure the proxy server settings for all programs that use the standard Windows Internet API, including Internet Explorer. You might be confusing SP2 extensions for rootkits, but I'm not sure. I respect your knowledge and the detail in which you have researched this, but I want to get the facts down before we use special tools to uncover rootkits. These "malicious entries" I think are confusing you - when you reformatted, the OS discs just recreated the Security Centre, writing the values above back into the Security Centre - they are legitimate. As I said above, as SP2 has an inbuilt Security Centre, the keys will be replaced if you try to delete them.

I'm sure others will have their opinions and in no way am I guaranteed to be correct, but I think you might be running around in circles trying to find a rootkit that doesn't actually exist. Let's start by posting a Hijackthis log, which I think you already know how to do and have the program installed. Sorry if I've sounded a bit mean here, but I don't want you to get worked up on something that might be nothing. The reason I say this is because Spybot can't even detect rootkits, and it's virtually impossible to remain infected by a rootkit after a reformat. I'll add in a smilie --> :thumbsup:

David

Edited by D-Trojanator, 20 June 2006 - 09:33 AM.


#3 miekiemoes

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 June 2006 - 09:39 AM

Then, if you go to HKEY_CURRENT_CONFIG... -> SOFTWARE -> MICROSOFT -> WINDOWS -> CURRENT SETTINGS -> INTERNET SETTINGS, you will notice that there is a proxy enable entry on the righthand side, ie a nice backdoor.

A backdoor? I really don't see why you think this is a backdoor or rootkit or whatever. Rootkits won't even show in the registry either.

If you go to start -> run-> regedit -> HKEY_LOCAL_MACHINE... -> SOFTWARE -> MICROSOFT -> SECURITY CENTER: you will notice that on the righthand side, there are 4 to 5 new entries other than the default.

You mean:
FirstRunDisabled
AntiVirusDisableNotify
FirewallDisableNotify
UpdatesDisableNotify
AntiVirusOverride
FirewallOverride
?

These malicious entries over ride your security features

Malicious entries? Why do you think those are malicious?
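A defender-side triage check for the keys argued over in posts #1 to #3, added here as an example and not taken from the thread: it reads the Security Center values miekiemoes lists plus the ProxyEnable flag and reports only the ones that are not at their default, so a helper can tell a stock SP2 Security Center from one that has actually been silenced. It assumes a Windows box with PowerShell 3.0 or later, run elevated, and that the per-user copy of ProxyEnable under HKCU (an assumption; post #1 quotes the HKEY_CURRENT_CONFIG path) is the one to check.

```powershell
# Added triage script (not from the thread). Reads the Security Center values
# named in post #3 and the WinINet ProxyEnable flag, then flags non-defaults.
# Assumptions: PowerShell 3.0+, elevated; for the listed Security Center values
# 0 (or absent) is the XP SP2 default and 1 suppresses that alert or marks the
# product as self-monitored; ProxyEnable 1 means WinINet routes via ProxyServer.

$scPath    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$proxyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Value names from post #3; FirstRunDisabled is reported but not judged.
$scValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify',
            'UpdatesDisableNotify', 'AntiVirusOverride', 'FirewallOverride'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return $item.$Name
}

function New-Row($Key, $Name, $Data, $Flag) {
    if ($null -eq $Data) { $Data = '<absent>' }
    $status = 'OK'
    if ($Flag) { $status = 'REVIEW' }
    [pscustomobject]@{ Key = $Key; Value = $Name; Data = $Data; Status = $status }
}

$report = @()
foreach ($name in $scValues) {
    $data = Get-RegValue -Path $scPath -Name $name
    # Absent or 0 is the default; anything else silences a Security Center alert.
    $report += New-Row 'Security Center' $name $data ($null -ne $data -and $data -ne 0)
}
$first = Get-RegValue -Path $scPath -Name 'FirstRunDisabled'
$report += New-Row 'Security Center' 'FirstRunDisabled' $first $false

$proxyOn = Get-RegValue -Path $proxyPath -Name 'ProxyEnable'
$server  = Get-RegValue -Path $proxyPath -Name 'ProxyServer'
$report += New-Row 'Internet Settings' 'ProxyEnable' $proxyOn ($proxyOn -eq 1)
$report += New-Row 'Internet Settings' 'ProxyServer' $server ($proxyOn -eq 1 -and $server)

# Each subkey under Monitoring is one registered AV/firewall product (post #1's
# "folders"); listing them shows what the Security Center thinks is installed.
$vendors = Get-ChildItem "$scPath\Monitoring" -ErrorAction SilentlyContinue |
           ForEach-Object { $_.PSChildName }

$report | Format-Table -AutoSize
'Monitoring subkeys: ' + $(if ($vendors) { $vendors -join ', ' } else { '<none>' })
```

A row marked REVIEW is a lead, not a verdict: an AntiVirusDisableNotify of 1 is also what a user gets after clicking "don't notify me" in the Security Center, so confirm who set it before treating it as tampering.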

#4 miekiemoes

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 June 2006 - 05:19 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.