#1
05-24-2012, 03:42 PM
coffee

Do we have a new rootkit in the field?

I received a laptop from a customer of mine and ran Avast and a Kaspersky boot disk (antivirus) and found nothing. I also booted normally and ran tdsskiller (sp?) and it didn't find anything. But I couldn't run anything in Control Panel and the laptop would soon lock up with a spinning Windows cursor. I ruled out hardware as a problem and also ran a chkdsk and sfc and they came back clean.

boot partition - 100 MB
2nd partition - restore (Dell)
3rd partition - Windows (only about 30 gigs ???)
4th partition - virtual - D: 4xx gigs.

Looking at the boot partition I was able to determine there was basically a rootkit installed. A lot of Chinese-type characters for folders/files. Not corruption as I first thought. I wiped the boot partition and recreated it. Then it would boot/login with no desktop, just a cursor. Couldn't do anything. I ended up N/P.

Nothing I ran on it discovered the rootkit. Here is a close-up pic from my cell phone, for curiosity's sake, of the boot partition readout:


Later yesterday I took in an older Dell desktop and it is experiencing the same type of symptoms.

Partitions on the desktop show up as:

boot partition - 39 MB
2nd par. - C: 52 gigs NTFS
3rd par. - D: 17 gigs - backup
4th par. - 4 gigs unallocated.

Admin has no rights to do stuff on the box. I don't know if this is important, but there is a startup program called Driver Detective that I cannot get rid of. Removed it in Add/Remove Programs and also did it with Revo Uninstaller, but it comes back every boot. So, there is a clue hopefully.

Just don't know what I'm dealing with here. This desktop computer is running XP.

Just finding this very interesting as I have not run into this before yesterday. Now I have 2 with it??

Your thoughts are welcome,

Best Regards,

coffee

UPDATE: Running a program called RogueKiller on it right now. Found 3 things right off the bat. I guess it's probably not a new rootkit, but nothing else picked it up. I'll post more when it's done scanning.
__________________

www.renuecomputers.com

Last edited by coffee; 05-24-2012 at 03:53 PM. Reason: RogueKiller running now
#2
05-24-2012, 04:13 PM
iisjman07

I think I've heard Galdorf mention something like this, you may want to shoot him a PM. What's the feasibility of a nuke and pave?
__________________
put that in your pipe and grep it
#3
05-24-2012, 04:38 PM
coffee

Quote:
Originally Posted by iisjman07
I think I've heard Galdorf mention something like this, you may want to shoot him a PM. What's the feasibility of a nuke and pave?
Well, I can nuke and pave it. But I would like to investigate it. Oh, I made a mistake on this rogue program. Its name is DriverFinder.

I'm going to collect a bunch of info on it. It's just gonna make things easier in the future. I think I'll start seeing more of these.

I'll PM Galdorf. Thanks!

Best Regards,

coffee
__________________

www.renuecomputers.com
#4
05-24-2012, 05:07 PM
NYJimbo

Quote:
Not corruption as I first thought.
That cell phone pic looks like master file table corruption to me. Do you know if the customer tried to "fix" it themselves before you got it?
#5
05-24-2012, 05:15 PM
coffee

Quote:
Originally Posted by NYJimbo
That cell phone pic looks like master file table corruption to me. Do you know if the customer tried to "fix" it themselves before you got it?
They didn't. Seems that chkdsk would have found the corruption if it were, wouldn't it??? Perhaps a different language set instead?

So I ran this RogueKiller app and it quarantined some stuff in a folder on the desktop. These appear to be registry entries (??)

NewStartPanel_{20D04FE0-3AEA-1069-A2D8-08002B30309D}0.reg
PhysicalDrive0_User.dat
PhysicalDrive1_User.dat
Security Center_UpdatesDisableNotify0.reg
System_EnableLUA0.reg

5 files in all. Properties shows: Windows registry extract.

NewStartPanel_{20D04FE0-3AEA-1069-A2D8-08002B30309D}0.reg:

Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001

The two dat files are unreadable machine code.

System_EnableLUA0.reg:

Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

Security Center_UpdatesDisableNotify0.reg:

Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

Got rid of the DriverFinder program. Edited the registry and removed the DriverFinder.exe entry. Then cleaned out the app directory/shortcuts/menu items.
__________________

www.renuecomputers.com

Last edited by coffee; 05-24-2012 at 05:31 PM. Reason: Additional info inserted
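A defender-side check for the three registry values RogueKiller quarantined in the post above, written as an added example for this thread (it is not the poster's code and not part of RogueKiller). It assumes PowerShell 2.0 or later on the affected machine; the registry paths, value names and the tampered values are taken from the .reg dumps in the post, and the "good" values are the Windows defaults.

```powershell
# Audit the registry values from the quarantined .reg files and report which
# ones are still in the tampered state. Without -Fix it only reports; with -Fix
# it writes the Windows default back. Run from an elevated prompt.
param([switch]$Fix)

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Bad = 0; Good = 1
       Why  = 'UAC disabled (value only has an effect on Vista and later)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'UpdatesDisableNotify'; Bad = 1; Good = 0
       Why  = 'Security Center warnings about disabled updates suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
       Name = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'; Bad = 1; Good = 0
       Why  = 'Computer (My Computer) desktop icon hidden for every user' }
)

foreach ($c in $checks) {
    # Read only the one value; a missing key or value is the untampered default
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("OK       {0}\{1} not set (default)" -f $c.Path, $c.Name)
        continue
    }
    $value = $item.($c.Name)
    if ($value -eq $c.Bad) {
        Write-Output ("TAMPERED {0}\{1} = {2} : {3}" -f $c.Path, $c.Name, $value, $c.Why)
        if ($Fix) {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Good -Type DWord
            Write-Output ("FIXED    {0}\{1} set to {2}" -f $c.Path, $c.Name, $c.Good)
        }
    } else {
        Write-Output ("OK       {0}\{1} = {2}" -f $c.Path, $c.Name, $value)
    }
}
```

A value that flips back to TAMPERED after a reboot points at a persistence mechanism still on the box, which matches the "comes back every boot" behaviour described earlier in the thread.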
#6
05-24-2012, 11:02 PM
glricht

Not sure if it's the same as what you're working on, but I've had two instances in the last few weeks where the PC had a rootkit which resided in a small partition at the end of the drive. Most of the scanners missed the bootkit; those that found it supposedly fixed it, but it was back on the next reboot.

I used Acronis Disk Director stand-alone to find the partition. Deleted it, rebuilt the boot partition, and then was able to do a successful boot and then proceeded with normal cleaning procedures.
__________________
Gary Richtmeyer
C&G Web Enterprises