Help with rootkits

Discussion in 'Prevx Releases' started by Triple Helix, Aug 4, 2009.

Thread Status:
Not open for further replies.
  1. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Hi Joe or Marco,

    I have a problem with getting these 2 Rootkits gone, can I get some instructions to completely remove them? I have tried 3 times to let Prevx 3.0 deal with them with no luck! At this point I have not tried anything else to remove them! And also not a peep from NOD32 :blink:

    c:\windows\system32\netcard.sys [PX5: C613BD9C00453DA0094C00870EEA7900B79BCD14] Malware Group: Medium Risk Malware

    c:\windows\system32\fastuv32.dll [PX5: 1C585F1A0044E9FBF0510011C6954200DA0E8B11] Malware Group: Medium Risk Malware

    TIA,

    TH
     

    Last edited: Aug 4, 2009
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I have tried MBAM, A-Squared, Avira, GMER and none of them see them, so it goes to say that they are still there :mad:

    I did another scan and the lines are as follow now:

    [B<00310020>] c:\windows\system32\netcard.sys [PX5: C613BD9C00453DA0094C00870EEA7900B79BCD14] Malware Group: Medium Risk Malware

    [B<00310020>] c:\windows\system32\fastuv32.dll [PX5: 1C585F1A0044E9FBF0510011C6954200DA0E8B11] Malware Group: Medium Risk Malware

    TH
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi, as it's some hours now since you asked for help and you need to get rid of these nasties fast, i'm posting this until Prevx arrive.

    netcard.sys - http://www.superantispyware.com/malwaredailyfiles/2009-07-31.html so SAS should clean up that one.

    fastuv32.dll - seems a bit more tricky from what i've read so far

    Have you tried deleting them in Safe Mode ? Also i would try RootRepeal.

    How did you get them anyway?
     
  4. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    You could also try FileASSASSIN that is in MBAM -- click on tools.

    EDIT: You should be able to manually type in the file name and grab it.
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Sorry for the delayed response - the files are not false positives (confirmed by checking them here) but we may be missing some part of the infection which is causing these to be re-dropped. Could you email a scan log to report@prevxresearch.com? If we don't find anything from there, I'll forward you onto our research team for remote removal if we still can't automatically clean it up.
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Hi Joe,

    I have sent the log with the link to this thread!

    TH
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Thanks for the suggestions StevieO, Toby75 and Habakuck but I want Prevx to get rid of them for me :D

    And I was playing with some new nasties, that's all! It's all on my test machine anyways! It seems to me that they are highly cloaked or the files are not there, because I cannot locate them but Prevx still detects them?

    TH
     
    Last edited: Aug 5, 2009
  9. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    My friend by my own experience what I could suggest you is to create a boot CD. You could find out how to create one at:

    http://www.ubcd4win.com/

    Now I would like to tell you also that most of these boot CDs do not work quite well on a 64-bit computer. The only one that I have found thus far that works on a 64-bit computer is the F-Secure rescue CD. You could download it at:

    http://www.f-secure.com/linux-weblog/2008/11/25/rescuecd-301-released/

    You have to be careful since F-Secure will rename your infected files instead of deleting them. If your Windows files are infected, F-Secure will rename them as well. Thus your computer will not boot up anymore.

    If you need more help let me know.

    Good luck.
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Once again I'm clean! I had Joe and another fellow named Cretemonster help me out via Remote help! We could not find the files, so they told me to run Check Disk to recover the files, and then they had me run Prevx 3.0 and cleaning was done! I used many scanners and they could not detect this problem, but even though the files had to be recovered, Prevx was the only one detecting these 2 files! What a great experience I have to say. Kudos

    Great work Joe and thank your buddy for me also!

    Thanks,

    TH
     
    Last edited: Aug 9, 2009
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Thanks for providing the good follow up details. The support you received was excellent and the software did a commendable job. :cool:
     
  12. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Yes I would have to say so :thumb::thumb::thumb: And to be Honest it was the best support I have ever received for any product!!
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Glad we could help! :)
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    bet you are glad that you are running it in your pc:D :) ;)
     
  15. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Good to hear another happy customer - in a long line of many. ;)
     
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Presumptively these rk's now in the PX db ??
    Some interesting coding no doubt ??
    Always interesting to see some new hooks.

    @PXHelp: a little extra info ?? ( w/o revealing trade secrets 'natch)
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We actually detected everything fine - it was more an issue of cleanup. We bypass the operating system entirely when scanning the disk so we're able to see rootkits very accurately. However, our removal routines do not use all of the same low-level cleanup features just because it is a bit of a risk to the integrity of the OS.

    In this case, Windows had managed to lose track of the files somehow and he had to run a Check Disk on the drive, which brought the files back. Our scan engine is built in the same way that an undelete program is so we were still able to see the files even though the sectors/tables were corrupted because of a mismatch between the rootkit and Windows. After the Check Disk, our removal routine worked properly and everything was clean :)

    One note which has probably not been mentioned before: TH ran into this screen when trying to cleanup:

    http://img16.imageshack.us/img16/4276/capture0508200920327am.jpg

    This gets triggered whenever we detect we aren't working properly so that users can come into tech support (as he did) so that we can clean them up remotely or by making database changes.

    In the end, this was definitely an interesting case :)
     
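    The scan-log lines quoted earlier in this thread and the point just made (the scanner reads the disk directly, so it can report a file the OS itself can no longer find) can be put together in a small triage script. This is an added example, not Prevx code; the `[B<...>]` tag, PX5 hash and "Malware Group" layout are taken from the lines posted above, the sample log is constructed from them, and `exists` is injectable so the logic runs offline.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Regex for the Prevx 3.0 scan-log line format quoted in this thread, e.g.
#   [B<00310020>] c:\windows\system32\netcard.sys [PX5: <40 hex>] Malware Group: Medium Risk Malware
# The leading "[B<...>]" tag is optional (the first post's lines lack it).
LINE_RE = re.compile(
    r"^(?:\[(?P<tag>B<[0-9A-Fa-f]+>)\]\s*)?"     # optional bracketed tag
    r"(?P<path>[A-Za-z]:\\[^\[]+?)\s*"            # Windows path, up to the next '['
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]\s*"      # PX5 file identifier, 40 hex chars
    r"Malware Group:\s*(?P<group>.+?)\s*$"         # risk-group text
)

def parse_line(line: str) -> Optional[dict]:
    """Return {'tag','path','px5','group'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["px5"] = d["px5"].upper()
    return d

def triage(lines: List[str], exists: Callable[[str], bool] = os.path.exists) -> Dict[str, list]:
    """Bucket detections by whether the OS can see the reported path.
    A path the scanner reports (it reads the disk directly) but the OS cannot
    find is exactly this thread's situation: hidden, or orphaned until Check
    Disk repairs the file-system tables. `exists` is injectable for offline use."""
    out: Dict[str, list] = {"visible": [], "not_visible_to_os": [], "unparsed": []}
    for line in lines:
        d = parse_line(line)
        if d is None:
            out["unparsed"].append(line)
        elif exists(d["path"]):
            out["visible"].append(d)
        else:
            out["not_visible_to_os"].append(d)
    return out

# Constructed sample: the three shapes of line that appear in this thread
# (the third is the mangled copy with its opening '[' missing).
SAMPLE_LOG = [
    r"c:\windows\system32\netcard.sys [PX5: C613BD9C00453DA0094C00870EEA7900B79BCD14] Malware Group: Medium Risk Malware",
    r"[B<00310020>] c:\windows\system32\fastuv32.dll [PX5: 1C585F1A0044E9FBF0510011C6954200DA0E8B11] Malware Group: Medium Risk Malware",
    r"B<00310020>] c:\windows\system32\fastuv32.dll [PX5: 1C585F1A0044E9FBF0510011C6954200DA0E8B11] Malware Group: Medium Risk Malware",
]
if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, items)
```

    Anything landing in `not_visible_to_os` is the cue this thread ends on: do not keep re-running the same user-mode cleaners, check the file system (Check Disk) and escalate to the vendor.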
  18. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  19. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
    I just felt love again :D :D
    Really nice job Prevx ;)
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    me too i am becoming a prevx freak:D :)
     
  21. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    The part that I like was the Remote Help and watching them do the searches for themselves on my computer :D they send you an email with a link to download a program and install it and let it through the firewall and we were hooked up! Very Cool :cool:

    And during that time you can communicate with them :D

    TH
     
  22. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'm much more than sure that they're soooo much better than the support techs. of Symantec. o_O
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    for sure man norton takes for ever to help you:D
     
  24. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    That's what you get for having call centers. You get scripted responses that you've probably seen a 1000 times before.
     
  25. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    The size of the organisation seems to make a difference. Prevx is only small in comparison so are, in effect, able to offer a more personalised service.
     