Can't remove Rootkit

Discussion in 'malware problems & news' started by davidleu, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. davidleu

    davidleu Registered Member

    Joined:
    Sep 27, 2006
    Posts:
    19
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Hidden registry key does not mean instant infection. It could be a false positive. You need more checks to verify if that is indeed an infection.
    Did you notice any symptoms that would justify an infection?
    Best way to look for rootkits is to boot off a live CD like Ultimate Boot CD for Windows or Knoppix (Linux) and then look for files and folders that do not show normally.
    If you wish to pursue this avenue, I'll provide links and instructions.
    Mrk
     
  3. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    From that evidence, you do not have a rootkit.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi David,

    From the looks of it that registry key stems from another user-account on your computer.
    Copy the part below into notepad and save it as sidusracc.vbs
    Code:
    ' Resolve a SID to an account name through WMI on the local machine.
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    
    ' Win32_SID is keyed on the SID string; AccountName comes back blank
    ' if no account on this machine maps to it (e.g. the account was deleted).
    Set objAccount = objWMIService.Get _
      ("Win32_SID.SID='S-1-5-21-1417001333-688789844-839522115-1000'")
    Wscript.Echo objAccount.AccountName
    Double-click the file and you will get a prompt with the user account name that belongs to the user with the SID:
    S-1-5-21-1417001333-688789844-839522115-1000

    You should run the Sophos scan again under that user account.

    Regards,

    Pieter
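    An added example, not part of Pieter's post or the thread: a Python script that decodes the SID string from the key (the S-1-5-21 machine prefix, and the RID 1000 that Windows assigns to the first account created after installation), packs and unpacks the binary layout in which registry values and security descriptors store SIDs, and, on Windows only, resolves the account through advapi32's ConvertStringSidToSid/LookupAccountSid, the same lookup the Win32_SID script above performs. The well-known RID and SID_NAME_USE tables are standard Windows constants; the sample SID is the one from the thread.

```python
"""Decode a Windows SID such as the one in the hidden registry key above.

S-1-5-21-<m1>-<m2>-<m3>-<RID>: identifier authority 5 is NT AUTHORITY,
sub-authority 21 marks a machine- or domain-issued SID, the next three
values identify the issuing machine/domain, and the relative identifier
(RID) names the account within it.  RIDs below 1000 are reserved for
built-in principals; accounts created after installation count up from
1000, so ...-1000 is the first account created on that box.
"""
import struct
import sys

NT_AUTHORITY = 5
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
SID_NAME_USE = {1: "User", 2: "Group", 3: "Domain", 4: "Alias", 5: "WellKnownGroup",
                6: "DeletedAccount", 7: "Invalid", 8: "Unknown", 9: "Computer"}


def parse_sid(text):
    """Split 'S-R-A-s1-...-sn' into revision, identifier authority, sub-authorities."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("malformed SID: %r" % text)
    return {"revision": revision, "authority": authority, "sub_authorities": subs}


def describe(text):
    """Read a SID the way an analyst does: which scope issued it, which RID."""
    sid = parse_sid(text)
    subs = sid["sub_authorities"]
    if sid["authority"] == NT_AUTHORITY and len(subs) == 5 and subs[0] == 21:
        rid = subs[4]
        kind = WELL_KNOWN_RIDS.get(rid) or (
            "account created after installation" if rid >= 1000 else "reserved RID")
        return {"scope": "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), "rid": rid, "kind": kind}
    if sid["authority"] == NT_AUTHORITY and len(subs) == 2 and subs[0] == 32:
        return {"scope": "BUILTIN", "rid": subs[1], "kind": "built-in local group/alias"}
    return {"scope": None, "rid": subs[-1] if subs else None, "kind": "other well-known SID"}


def to_binary(text):
    """Pack into the layout stored in registry values and security descriptors:
    revision, sub-authority count, 6-byte big-endian authority, LE 32-bit subs."""
    sid = parse_sid(text)
    subs = sid["sub_authorities"]
    return (bytes([sid["revision"], len(subs)]) + sid["authority"].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def from_binary(data):
    """Inverse of to_binary; refuses a buffer shorter than its declared count."""
    if len(data) < 8 or len(data) < 8 + 4 * data[1]:
        raise ValueError("truncated SID")
    count = data[1]
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d" % (data[0], int.from_bytes(data[2:8], "big")) + "".join("-%d" % s for s in subs)


def resolve_on_windows(text):
    """Windows only: ask LSA for the account behind the SID (the lookup the
    posted Win32_SID script performs).  Returns (domain, name, type)."""
    import ctypes
    from ctypes import wintypes
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psid = ctypes.c_void_p()
    if not advapi32.ConvertStringSidToSidW(ctypes.c_wchar_p(text), ctypes.byref(psid)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        name, domain = ctypes.create_unicode_buffer(256), ctypes.create_unicode_buffer(256)
        nlen, dlen, use = wintypes.DWORD(256), wintypes.DWORD(256), wintypes.DWORD(0)
        if not advapi32.LookupAccountSidW(None, psid, name, ctypes.byref(nlen),
                                         domain, ctypes.byref(dlen), ctypes.byref(use)):
            raise ctypes.WinError(ctypes.get_last_error())
        return domain.value, name.value, SID_NAME_USE.get(use.value, str(use.value))
    finally:
        kernel32.LocalFree(psid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "S-1-5-21-1417001333-688789844-839522115-1000"
    print(describe(target))
    print(to_binary(target).hex(), "->", from_binary(to_binary(target)))
    if sys.platform == "win32":
        print(resolve_on_windows(target))
```

    Run it with the SID as its only argument. describe() tells you whether the RID is a built-in principal or a created account before you resolve names; a lookup failure with ERROR_NONE_MAPPED means no account on this machine maps to the SID (a deleted account, or a profile copied from another install), which is a separate finding rather than a rootkit symptom.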
     
  5. davidleu

    davidleu Registered Member

    Joined:
    Sep 27, 2006
    Posts:
    19
    Thanks for the help, Mrkvonic and John!

    I don't know. It's just strange because this key contains a mysterious German phrase: "Ich hoffe du sendest das zur FCck..." (English: I hope you send this to FCck...). I can't remember writing any email or letter with such a sentence.

    Everything works fine, but IE is a little bit slower than normal.

    Umm, this sounds elaborate. Doesn't booting with safe mode amount to the same thing?

    Thanks Pieter, I'm going to try this now...
     
  6. davidleu

    davidleu Registered Member

    Joined:
    Sep 27, 2006
    Posts:
    19
    Unfortunately, the key is still present after this procedure.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    When I run RootkitRevealer on some XP machines I get things in Spanish. Nothing to worry about. Just the oddities of the operating system. The best indication of an infection is how the system feels.

    But if you want to be completely sure, you must run a check from CD. No other way. The OS must be dormant. Boot from live CD - you can download Knoppix or UBCD4WIN or any other - Damn Small Linux is only 50MB download. Boot from CD and examine your Windows system drive (would be C:). Look for files and folders that look strange and unfamiliar.

    Even better, you can save a tree of all files on C: when booted in Windows, boot off CD, make a tree of all files on C: when the system is still, then compare them.

    Not the most elegant but works.

    Mrk
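    The snapshot-and-compare procedure from this post and from Mrkvonic's earlier reply, as an added example (not code from the thread): a Python script that inventories a directory tree, writes it to JSON, and diffs the inventory taken inside the running Windows install against one taken from the live CD. Paths are stored relative to the root with forward slashes so a tree read as C:\ and the same tree mounted as /mnt/c line up. The file names and contents in demo() are constructed for illustration and are not from the thread.

```python
"""Cross-view file inventory for the live-CD procedure described above:
snapshot the system drive from inside running Windows (a view the rootkit
can filter), snapshot it again from a live CD with the OS dormant, diff.
Paths present only in the offline view were hidden from the running system.
"""
import hashlib
import json
import os
import sys
import tempfile


def snapshot(root, hash_files=False):
    """Return {relative_posix_path: {type, size, mtime[, sha256]}} for root.
    Paths are relative to root with '/' so C:\\ and /mnt/c compare equal;
    mtime is kept for triage but not diffed."""
    inventory = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            inventory[rel] = {"type": "dir"}
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                st = os.stat(full)
                entry = {"type": "file", "size": st.st_size, "mtime": int(st.st_mtime)}
                if hash_files:
                    entry["sha256"] = _sha256(full)
            except OSError as exc:  # locked or vanished files are listed with the error
                entry = {"type": "file", "error": str(exc)}
            inventory[rel] = entry
    return inventory


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _differs(a, b):
    """True when two entries for the same path disagree on type or content."""
    if a.get("type") != b.get("type"):
        return True
    if a.get("type") != "file":
        return False
    if "sha256" in a and "sha256" in b:
        return a["sha256"] != b["sha256"]
    return a.get("size") != b.get("size")


def compare(online, offline):
    """Diff two inventories; only_offline is the list worth investigating."""
    on, off = set(online), set(offline)
    return {
        "only_offline": sorted(off - on),
        "only_online": sorted(on - off),
        "changed": sorted(p for p in on & off if _differs(online[p], offline[p])),
    }


def demo():
    """Constructed sample: the same tree as the running OS reports it and as the
    live CD sees it, with one hidden driver, one altered DLL and the pagefile."""
    with tempfile.TemporaryDirectory() as tmp:
        online_root, offline_root = os.path.join(tmp, "online"), os.path.join(tmp, "offline")
        for root in (online_root, offline_root):
            os.makedirs(os.path.join(root, "Windows", "system32"))
            _write(os.path.join(root, "Windows", "system32", "example.dll"), b"original")
        _write(os.path.join(online_root, "pagefile.sys"), b"\0" * 16)
        _write(os.path.join(offline_root, "Windows", "system32", "example.dll"), b"original+patch")
        os.makedirs(os.path.join(offline_root, "Windows", "system32", "drivers"))
        _write(os.path.join(offline_root, "Windows", "system32", "drivers", "hidden.sys"), b"!")
        return compare(snapshot(online_root, True), snapshot(offline_root, True))


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    # save <root> <out.json> [--hash]   |   compare <online.json> <offline.json>
    if sys.argv[1:2] == ["save"]:
        with open(sys.argv[3], "w", encoding="utf-8") as f:
            json.dump(snapshot(sys.argv[2], "--hash" in sys.argv), f, indent=1, sort_keys=True)
    elif sys.argv[1:2] == ["compare"]:
        with open(sys.argv[2], encoding="utf-8") as a, open(sys.argv[3], encoding="utf-8") as b:
            print(json.dumps(compare(json.load(a), json.load(b)), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

    Inside Windows: `python snap.py save C:\ online.json` (add `--hash` if you can wait for every file to be read); from the live CD with the NTFS volume mounted: `python snap.py save /mnt/c offline.json`; then `python snap.py compare online.json offline.json`. only_offline is where a file-hiding rootkit shows up; only_online is normal churn (pagefile, temp files, logs written at shutdown); changed catches a file whose bytes on disk differ from what the running OS served. An empty diff does not clear the machine: a rootkit can hide processes, drivers or registry keys without hiding a single file, so a suspicious registry key still needs its own check.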
     
  8. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
  9. davidleu

    davidleu Registered Member

    Joined:
    Sep 27, 2006
    Posts:
    19
    Thanks again for help.

    Someone knows a good forum for hjt log analysis? I tried techsupportforum.com but it seems like those guys are kinda overwhelmed with work.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Most of those forums are. Posting your question on another forum will only add to the workload.
    The people working those logs are the same on most forums. Give or take a few.

    Regards,

    Pieter
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here are 3 free rootkit scanner/remover tools:

    1) http://www.f-secure.com/blacklight/
    2) IceSword (do search on PC Worlds site and link will appear)
    3) You can also use the Spysweeper site to do an online scan to hunt, BUT to remove you have to buy the product.

    Good Luck, don't assume you don't have a Rootkit, best to check/remove before doing financial transactions.
     
  12. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    If you are prepared to jump through all their hoops before posting an HJT log, this help forum is always underwhelmed with problems.

    http://www.dslreports.com/forum/cleanup
     
  13. poppy4

    poppy4 Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    5
    Location:
    OH USA
  14. Texcritter

    Texcritter Registered Member

    Joined:
    May 6, 2005
    Posts:
    1,985
    Location:
    Teesside, North East England

    You can get a free computer file analysis of a HijackThis log here

    http://www.hijackthis.de/en#anl
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I wonder, can HJT detect rootkits?
     
  16. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
  17. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Not sure if it can. When I had the Trojan problem earlier, I think that HJT was able to provide enough information to indicate the presence of a rootkit, but not in every case.
     
  18. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    It certainly cannot detect kernel mode rootkits. It cannot detect user mode rootkits directly, but can only give an indication as to what is not there (that should be). The reason being that HJT runs at ring 3.
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    LOL
    you cheeky devil :blink:
     