AFX Rootkit

Discussion in 'malware problems & news' started by jeffczyz, Mar 27, 2005.

Thread Status:
Not open for further replies.
  1. jeffczyz

    jeffczyz Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    2
    I keep finding the AFX rootkit installed on my PC. I clean it off, then a day or so later it shows up again. I have the XP firewall running, a Cable DSL router with a firewall, yet I still get this.

    What do I need to disable/fix to prevent this?
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi jeffczyz,

    One option is to download and install the trial version of UnHackMe. The latest version supports removal of the AFX rootkit.

    Another option is to follow these removal instructions (from the rootkit's readme):

    Method 1
    1. Run the root.exe with the "/u" parameter
    2. Delete all the files associated with it
    3. Reboot

    Method 2
    1. Boot into safe mode
    2. Locate the service with the root folder name
    3. Remove the service and delete all the files associated with it
    4. Reboot


    You would first have to scan with RootkitRevealer in order to locate the hidden executable and its folder.

    Nick
     
  3. jeffczyz

    jeffczyz Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    2
    Nick,

    Thanks for the reply. I'm running unHackme now and that's what keeps finding it. My real question is, how is it getting installed? Do I have an open port, running something I shouldn't be? I can't seem to find the connection to where it is coming from.

    Thanks
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    More than likely it is another autostarting process. A scan with RootkitRevealer might give you more information.

    Nick
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi jeffczyz,

    I was pressed for time and not able to add some suggestions to my last post.

    Regarding open ports, you should be able to get a basic view of any unauthorized network traffic by looking at XP's firewall log (C:\WINDOWS\pfirewall.log). Your router logs are also worth looking at.

    Regarding the repeating rootkit installation, the AFX rootkit is installed (by some process/executable) as a service via registry modification. The safest way to pinpoint the installing process without becoming reinfected is to use the trial version of RegDefend to monitor processes that attempt to modify the registry. It's safe because you are alerted and given the option to allow or deny the change. If you deny, the rootkit fails to install correctly. Once UnHackMe removes the rootkit, install RegDefend. If you use the setting below, any attempt to create the rootkit service will be blocked and logged.

    If you want to clean your system (and bypass the detective work), I recommend following Blackspear's General Virus and Trojan removal Instructions.

    Nick
     

    Attached Files:

  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    You had not mentioned the version of this aphex rootkit (AFXRootkit2003/2004/2005?) but they are only variants of the original one.
    UnHackMe detects it and can remove it easily.

    RootkitRevealer is a good tool to search a sign of a rootkit's presence, but it's almost intented to advanced users.
    You can also try RKDetector professional which is easy to use (run rkdetector.exe): this tool will search hidden process, service and regkeys likerun/runonce (see image) : http://bagpuss.swan.ac.uk/comms/


    If you want to be sure that the rootkit was TOTALLY removed, take a look at its files (dll...) on this page:
    http://www.uk.sophos.com/virusinfo/analyses/trojafxroote.html

    And use a registry tool to find traces of the rootkit.

    For a rootkit prevention, ProcessGuard and UnhackMe are an efficient (and easy to use) solution.
    I can just recomend to disable the Windows Firewall and install another one

    -Free ones: ZoneAlarm, Kerio, Sygate and Jetico,
    -Paid ones: just take a look at the firewall area on this forum.

    A router is not enough.

    Regards
     

    Attached Files:

  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Nick,

    I did not find the entry that you are referring to in RegDefend's standard entries nor in the RegRun entries dataset. Are you recommending that this entry be added to the Special Registry Items in all cases, or just in the case where there is a suspected rootkit? Thanks for the info.

    Rich
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Rich,

    I believe it should be there by default in the "Auto Starts" group. If it is not there, I would absolutely include and protect it in all cases.

    Nick
     
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Here's a brief overview of Control Set and related keys: What are Control Sets? What is CurrentControlSet?.

    In addition to HKEY_LOCAL_MACHINE\CurrentControlSet\Services, I would also protect these:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00*\Services
    HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery
    HKEY_LOCAL_MACHINE\SYSTEM\Select


    Nick
     
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Nick. I found the CurrentControlSet in Autostarts as you indicated and added the other registry keys as you suggested. After reading the link you provided, it seems like they are important keys to register under RegDefend. Hopefully Jason is following these threads and is making note of these suggestions.

    Rich
     
Loading...
Thread Status:
Not open for further replies.