Advice please: Repair or Reformat after rootkit virus attack?

Discussion in 'malware problems & news' started by bahjan, Nov 26, 2010.

Thread Status:
Not open for further replies.
  1. bahjan

    bahjan Registered Member

    Joined:
    May 18, 2007
    Posts:
    63
    Location:
    U.K.
    Hi

    A few days ago I was hit by a rootkit. Avast 5 identified it as apridfix.exe, but I believe it is also called other names, e.g. Symantec's W32.Virut.W. I have no idea how I was infected, as I run
    AV - Avast Free 5.0
    Kerio Firewall
    Winpatrol Plus
    Spywareblaster
    FF 3.6 with various security add-ons No Script, Flashblocker.
    I also run on-demand scanners - but clearly it still got through.
    I run Windows XP3 and my updates were all current.

    Nevertheless, I got a blue screen (which happens), but then Windows wouldn't load, instead of booting into safe mode and running my AV as I should have (durn it!), I persisted and bingo - loads of files scrolled up the screen - Big OOPS!

    I read about this virus from the Symantec website

    W32.Virut.W is a virus that infects .exe and .scr files on the compromised computer. It also opens a back door and may download potentially malicious files on to the compromised computer.


    My question is - if I do a repair rather than reformat the disk and reinstall, can I be reinfected by exe files in my programmes which will remain unchanged by the repair?


    These are the files Avast found and eradicated.

    Hidden files on C: Windows: (9 in all)
    $hf_migsS\KB901017/up....../arpidfix.exe
    C:/Windows / $ Nt uninstall Kb902400 $/comprepl.dll
    Kb902400 / ole32.dll
    Kb902400 / olecli32.dll 000
    " / olecli32
    " / olecli32.dll. 000
    " /olecnv32.dll
    " / rpcss.dll
    " / rpcss.dll. 000

    The system will boot (but very slowly) and light seems to be flashing on and off indicating disk activity. It will also boot into Safe Mode. I haven't had it connected to my network router, nor will I until it's safe.

    Can anyone tell me a good resident shield for rootkits? Does AVG have one, or is that just a rootkit scanner?

    Any advice appreciated.
     
    Last edited: Nov 26, 2010
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    In case you got more than shown/detected, like an MBR-resident or hidden-volume or driver-patched rootkit - like this poster - you risk getting the machine infested every time it boots after the repair.

    Have you also tried Hitman Pro on demand? Even any 'good' resident shield can be beaten by the other side. Some other forum posters swear by anti-executable protection... some by policy lockdowns - there are various threads about it in the forums at Wilders, discussing various strategies.
     
    Last edited: Nov 26, 2010
  3. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Question : Do you have an image backup of whole hard drive system prior to infection?

    Response = yes: then restore the clean image and upgrade your security tools, which clearly failed you! :'(

    If your response is no, then my friend I suggest you disconnect from the WWW NOW. Copy all your data files (Word, Excel, JPGs etc.) off onto a DVD, CD or USB, and record your licenced software codes and your psw's for banking etc.

    THEN wipe your drive by reinstalling and updating Windows, then your applications, then your data. It will take a few days I suspect; do it slowly.

    Add

    a 2 way FW, (OP or OA)
    a new AV with strong RT protection, (MSE, Nod32 or Avira)
    and an image backup system (Paragon)
    switch to FF as a browser and immediately add no script.

    Watch where you surf, practice safe HEX.

    Good luck!
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Last edited: Nov 26, 2010
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    seems the OP got that (not so iron clad) combo already
     
  7. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    For me, I would wipe and reinstall. I could never feel secure running an OS that had been successfully attacked.
    There is no way you can be sure that you've been able to completely remove all of the malware, because you don't know the totality of what was installed by the virus.

    Hopefully, you've been periodically imaging your hard drive.
    If not, start asap, sandbox your browser, and add virtualization/rollback.
    Those steps will provide the best chance to avoid future events.
    Also consider using a limited user account and (if your OS is XP Professional), SRP.
    For no additional cost, they can provide additional security, especially if you share use of your computer.

    One last thing:
    Undoubtedly, you will also be advised by someone to ditch XP for Windows 7.
    That is your decision, but keep in mind that computers running Windows 7 also get infected.
    Windows 7 is no panacea; it also requires security patches and hotfixes and still, users running Windows 7 have their computers get infected too.

    If you like XP, just take steps to harden it.
    LUA, SRP, sandboxing/virtualization, regular image backups, and the security software that works best for you.

    And good luck!
     
  8. Fiat_Lux

    Fiat_Lux Registered Member

    Joined:
    Nov 1, 2010
    Posts:
    180
    If you really have got problems, and you don't want to spend a very long time trying to rescue the installation, and you want to be 100% sure that you annihilated the thing, then the easiest way is to "nuke" it by totally removing everything on the hard drive, including the rootkit if possible... And then re-partition and re-install.

    If you want to try to salvage the installation you could be lucky and get rid of the thing, but you could also risk that it will be very difficult or even impossible to get rid of the thing, depending on the infection and your skill level...

    If you are indeed infected with "W32.Virut.W" there are some strategies to try like :
    W32_Virut_W Removal - Removing Help Symantec
    W32-Virut_W
    W32_Virut_W
    AntiVirus Solution and Removal - W32_Virut_W

    There is also a very nice "generic" explanation here : How To Clean An Infected Computer (includes information on rootkits!)

    Please remember that when you attempt advanced techniques to get rid of an infection you risk ending up with an installation that won't even boot...
     
    Last edited: Nov 26, 2010
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    You are right, he has said that! BUT I wonder what his settings were like on load images, external cookies etc.

    We just don't know.

    A rootkit is a nightmare and NONE of the tools I have / you have / he has are 100%.

    I favour a wipe and reinstall. But if the image route were possible then great, it is faster!
     
  10. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    I will recommend reinstallation of the OS after backup of important data. After a rootkit attack, the OS becomes unreliable. Moreover, the virus was infecting exe files too, so you have to download your programs fresh from a genuine source. Next time do not forget to pack/zip your executables to protect them against file infectors.
     
  11. bahjan

    bahjan Registered Member

    Joined:
    May 18, 2007
    Posts:
    63
    Location:
    U.K.
    Thanks so much for all the swift responses.

    Yes I was running FF3 with No Script and QuikJava, Better Privacy.

    I am kicking myself that when I made a Paragon Backup of my XP Pro Desktop, I didn't do the same for my laptop (dumb or what? o_O). Can I use that backup on my laptop (it's an old DELL 1100), or would that be against the rules?

    I clearly need a better AV and stronger FW - Sorry, what does OP and OA stand for?

    Yes, I had already resolved to Sandbox my surfing in future, and make backups. No I've not tried Hitman Pro.

    I'm a bit confused by the false positive possibility - I don't think it was, as after the bluescreen, Windows refused to boot. Foolishly, instead of hearing alarm bells, I persisted and pressed F2 setup and suddenly a whole bunch of files scrolled up the screen, which seems like virus activity to me. It was then I booted into Safe Mode and ran a full AV scan, after which it found the hits I mention. I also ran an updated portable version of SAS (which I downloaded from elsewhere) and up-to-date Cureit 6, which both came back negative. Another possible proof of AV attack is that while Avast worked initially, services have been switched off and I can't switch them on again even in Safe Mode. It might activate again if I connected to the web, but I daren't do that at the moment.

    How can I check if it was a false positive? I have read elsewhere of ComboFix, but also the warnings about running it without advice. I did run a HijackThis, as I also have A-Squared/Emsisoft anti-malware scanner and tools, but I understand I can't post it here.

    One last question: I can't recall if my USB drive was connected at the time of the attack, but if it was and it contains exe files, can I trust them to be clean? Is there any scan I can use to check the USB drive and the computer, to double-check whether I really have been infected?

    Also, if I have to reformat/reinstall can anyone point me in the direction of a good set of instructions - never had to do it before.

    Thanks for the tip on zipping files - handy to know.

    Thanks again folks
     
  12. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    It remains unclear when the BSOD happened, prior to the AV detecting and deleting/quarantining or after, but it sounds prior. Still, the BSOD could be benign in the sense of being caused by some legit software on the system, or even by an update of the AV software, for that matter. The scrolling of files on the screen when booting into safe mode is standard, if I am not mistaken here, hence not sure whether your perception of malicious activity turns out true.

    If those files in question were quarantined instead of deleted then you may restore them to a USB stick and upload from there via another machine to VirusTotal for assessment. Just make sure the other machine has auto-run for USB devices disabled.
     
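The two questions just above (post 11: can the .exe files on the USB drive be trusted, and is there a scan that double-checks it; post 12: get the quarantined files assessed by hash or upload) can both be served by a baseline-and-compare manifest. The following is an added example written for this thread, not code from any poster or from Avast, Symantec or VirusTotal. It assumes you have (or can build from a known-clean source such as the Paragon image or the original install media) a manifest of SHA-256 hashes of the .exe and .scr files on the drive taken before the incident; the Virut-style behaviour it models is the one the quoted Symantec text describes, namely existing .exe/.scr files being modified. All file names, contents and the "dropped.exe" name in the demo are constructed, not real samples.

```python
"""
Baseline-and-compare check for file infectors (added example, not from the thread).

A file infector modifies existing .exe/.scr host files in place, so an executable
that is listed in a manifest taken before the incident but whose SHA-256 no longer
matches is a strong indicator of tampering. The same SHA-256 can be looked up on
VirusTotal's hash search without uploading the file at all.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# File types the quoted Symantec description says W32.Virut.W infects.
TARGET_SUFFIXES = {".exe", ".scr"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large executables don't fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each executable (path relative to root, POSIX separators) to its hash and size."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TARGET_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_of(path),
                "size": path.stat().st_size,
            }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify executables as changed (hash differs), added (not in baseline) or missing."""
    changed = sorted(p for p in baseline
                     if p in current and baseline[p]["sha256"] != current[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "missing": missing}


def save_manifest(manifest: dict, out_file: Path) -> None:
    out_file.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def demo() -> dict:
    """Constructed scenario: a throwaway 'USB drive', baseline taken, then one host file altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        # Constructed placeholder executables: an 'MZ' header plus padding, not real programs.
        (root / "tools" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "saver.scr").write_bytes(b"MZ" + b"\x00" * 32)
        (root / "notes.txt").write_bytes(b"not an executable, ignored by the manifest")
        baseline = build_manifest(root)

        # Model what an infector does to a host file: its bytes change and it grows.
        with (root / "tools" / "editor.exe").open("ab") as fh:
            fh.write(b"CONSTRUCTED-EXTRA-BYTES")
        # An executable that appeared after the baseline also deserves a look.
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 16)

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        # python check_exes.py baseline <drive-root>   -> writes exe_manifest.json
        save_manifest(build_manifest(Path(sys.argv[2])), Path("exe_manifest.json"))
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        # python check_exes.py compare <drive-root> <manifest.json>
        result = compare_manifests(load_manifest(Path(sys.argv[3])),
                                   build_manifest(Path(sys.argv[2])))
        print(json.dumps(result, indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it from a machine that is not the suspect one, with the USB drive mounted and auto-run disabled as vtol says. A "changed" entry means the bytes differ from the clean copy, which is the check the thread is asking for; a per-file hash lookup alone is weaker for a file infector, because every infected host file gets a unique hash that no scanner database will list. Without a pre-incident baseline the script cannot prove a file clean, only compare it against a fresh download from the vendor, which is the route Boyfriend recommends above.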
  13. bahjan

    bahjan Registered Member

    Joined:
    May 18, 2007
    Posts:
    63
    Location:
    U.K.
    Hi,

    Thanks 'vtol' - Here's my recollection of what happened - I had three windows open, all declared 'safe' by Firefox 3 LinkExtend (I know it's not fool-proof). I walked away for a moment and returned to a bluescreen warning that Windows had 'shut itself down to protect itself etc'. I tried a normal shutdown/restart but it wouldn't work, so I pressed the 'reset' button on the Dell. Windows refused to load twice; the third time I pressed F2 Set Up and the file scrolling occurred. I knew this to be possible malicious behaviour and once in Windows shut down again, this time pressing F8 to boot into Safe Mode where I did the AV scan - producing the result I posted.

    I thought the same about submitting the files for analysis, but at present the files are in the AV chest of Avast 5 - unfortunately I can't access them at the moment as I have 'AV processes have been deactivated' and the 'Fix Now' option doesn't work. If I can discover it's safe to reconnect to the internet, it might reactivate - but I need to be as sure as I can that it's okay to do so.

    I've been given a couple of on demand scan suggestions which I think I'll try before I resort to reconnection -
    Sophos Free Emergency Command Line Scan, available from their website links -
    http://www.sophos.com/support/disinfection/pedis.html
    and HitMan Pro.
    I'll report back.
     
  14. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Reckon the chest folder is located somewhere in C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\chest. It might be encrypted though and not accessible via Explorer.

    By the way - do you make use of restore points? Perhaps there is one close to before the BSOD happened that you can roll back to?

    The BSOD could still be benign, e.g. caused by an overheating HDD, CPU or GPU (such can be caused by excessive video rendering and/or hard drive usage). The shutdown could also have corrupted some files which in turn Avast caught as suspicious.

    F2 is probably for entering the BIOS and should happen prior to the OS start. Can you still get into the BIOS?
     
    Last edited: Nov 28, 2010