I have a nasty rootkit.

Discussion in 'malware problems & news' started by sjvinc, Feb 12, 2010.

Thread Status:
Not open for further replies.
  1. sjvinc

    sjvinc Registered Member

    Joined:
    May 3, 2008
    Posts:
    2
    I have been trying to detect this thing for ages, then I decided to take the advice of someone here (sorry forgot the name) I put rootkit revealer and a few other anti rootkit tools on a memory stick, made sure it was fully protected and put it into my computer...

    I used 5 different tools and suddenly I have punched a big hole in this rootkit. Rootkit revealer pointed to a seed in my registry file along with a few other Null embedded registry.

    I tried to make a regular registry file to fix these, then found I was being forced to actually look at the registry. I found that my administrative rights for both my user and the administrator were gone for the main system, and had full access for a Virtual system! I changed this and suddenly upon reboot, the little mcafee antivirus in my memory stick wiped out the rootkit!

    I have to say a very big thank you to who ever it was that pointed me into that direction. I didn't even realize that I had a virtual machine rootkit until another tool did something else and made errors pop up telling me that I was getting tossed into the guest OS of the virtual machine because I was not allowed in the Main OS.

    Now the work begins! Since I got a good look at that hidden section of the registry, I am wondering if I am going to have to clear most of that out or at least make sure nothing is stopping me from doing a low level clean reformat of my computer as it had in the past.

    I could also use a bit of help with the registry, It appears that these changes within the registry were not all done by the rootkit, but had some help from someone else.

    I was hacked some years back and thought that I got rid of it when I tossed out that computer, seems it was stopped but kept coming back. It was more of a dare than an actual hack at the time... I bragged about something I should have not said about never getting hit with bad malware.... well, I have since learned my lesson and I still see this guys original notes about leaving two traps for me to remove. That was several computers ago and I am wondering how they keep coming back to my computers!

    this is what I have so far...

    I have something in the registry under hklm...\secrets\...administrator which is set with a regnone key. also my user is set with regnone... but under the virtual machine, the administrator and my user account have full access. should I just copy and move the keys to the main section in secrets or what?

    Another thing, since this was mostly removed but changes made by unknown still remain. my computer starts fine, just does not let me into the main section and still tries to dump me into the virtual guest OS. I seem to have gotten rid of the infection completely with a quarantine through Mcafee and the other tools I used. It just flew by so fast that I was not able to get a name of the infection and now I have to reinstall the os to get back in again. unless I can find other tools that can clean up from the point I have my computer at presently.

    Is there a tool out there that can force a low level reformat even if the system is set for away mode script installs (the malware did this, not me)

    The guest OS on the virtual machine is mostly in script, although I do have actual administrative rights over most of the computer and thanks to these tools and this handy memory stick, I have gained much more access.

    The best thing about breaking this malware.... It happened on my B-day!

    a few other things about this malware, it was actually hidden in the recycle bin of the main OS. One of my other computers actually caught it and tried to quarantine it. got most of it while parts were still active. when I tried to move it from the recycle bin to a zipped, password protected folder on the desktop... my entire account got quarantined along with those items in the recycle bin. Then I got this memory stick and the tools that I have been using with a good bit of success so far.

    The malware may have parts of it hiding in raw registry. there is the null embedded in the registry (I will get the tool from sys internals for that) I just need some good info on how to repair my registry to fix the administrator and my user account and to then allow a clean low level format and install.

    Please do not ask me for a copy of this malware... I am just happy getting it off my system as far as I have.

    Thanks in advance...

    Sjvinc
     
Loading...
Thread Status:
Not open for further replies.