Do we have a new rootkit in the field?

[coffee]

I recieved in a laptop from a customer of mine and ran Avast, Kaperskey boot disk (antivirus) and found nothing. I also booted normally and ran tdsskiller (sp?) and it didnt find anything. But I couldnt run anything in control panel and the laptop soon would lockup with spinning windows curser. I ruled out hardware as a problem and also ran a chckdisk and sfc and they came back clean.

bootpartition - 100 mg
2nd partition - restore (dell)
3rd partition - windows (only about 30 gigs ???)
4th partition - virtual - D: 4xx gigs.

Looking at the boot partition I was able to determine there was a rootkit basically installed. Alot of chinease type characters for folders/files. Not curruption as I first thought. I wiped the boot partition and recreated it. Then it would boot/login/no desktop just a curser. Couldnt do anything. I ended up N/P.

Nothing I ran on it discovered the rootkit. Here is a close up pick from my cell phone for curiosity sake of the boot partition readout:


Later yesterday I took in an older dell desktop and it is experiencing the same type of symptoms.

Partitions on the deskop showup as:

boot partition - 39 megs
2nd par. - c: 52 gigs NTFS
3rd par. - d: 17 gigs - backup
4th par. - 4 gigs unallocated.

Admin has no rights to do stuff on the box. I dont know if this is important but there is a startup program called driver detective that I cannot get rid of. Was in the add/remove programs and also did it with revo uninstaller. But comes back every boot. So, There is a clue hopefully.

Just dont know what Im dealing with here. This desktop computer is running XP.

Just finding this very interesting as I have not ran into this before yesterday. Now I have 2 with it??

Your thoughts are welcome,

Best Regards,

coffee

UPDATE: Running a program called Roguekiller on it right now. Found 3 things right off the bat. I guess its probably not new rootkit but nothing else picked it up. Ill post more when its done scanning.

[iisjman07]

I think I've heard Galdorf mention something like this, you may want to shoot him a PM. What's the feasibility of a nuke and pave?

[coffee]

Quote:

Originally Posted by iisjman07

I think I've heard Galdorf mention something like this, you may want to shoot him a PM. What's the feasibility of a nuke and pave?

Well, I can nuke and pave it. But I would like to investigate it. Oh, Made a mistake on this rogue program. Its name is driverfinder.

Im going to collect a bunch of info on it. Its just gonna make things easier in the future. I think Ill start seeing more of these.

Ill PM Galdorf. Thanks!

Best Regards,

coffee

[NYJimbo]

Quote:

Not curruption as I first thought.

That cell phone pick looks like a master file table corruption to me. Do you know if the customer tried to "fix" it themselves before you got it ?

[coffee]

Quote:

Originally Posted by NYJimbo

That cell phone pick looks like a master file table corruption to me. Do you know if the customer tried to "fix" it themselves before you got it ?

They didnt. Seems that chkdsk would have found the curruption if it were wouldnt it??? Perhaps different language set instead?

So I ran this RogueKiller app and it quarantined some stuff on a folder on the desktop. These appear to be registry entries (??)

NewStartPanel_{20D04FE0-3AEA-1069-A2D8-08002B30309D}0.reg
PhysicalDrive0_User.dat
PhysicalDrive1_User.dat
Security Center_UpdatesDisableNotify0.reg
System_EnableLUA0.reg

5 files in all. Properties shows: Windows registry extract.



NewStartPanel_{20D04FE0-3AEA-1069-A2D8-08002B30309D}0.reg:

Quote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001

The two dat files are unreadable machine code.

System_EnableLUA0.reg:

Quote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System]
"EnableLUA"=dword:00000000

Security Center_UpdatesDisableNotify0.reg:

Quote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

Got rid of the driverfinder program. Edited the registry and removed DriverFinder.exe entry. Then cleaned out the app directory/shortcuts/menu items.

[glricht]

Not sure if it's the same as what you're working on, but I've two instances in the last few weeks where the PC had a rootkit which resided in a small partition at the end of the drive. Most of the scanners missed the boot kit, those that found it supposedly fixed it, but it was back on the next reboot.

I used Acronis Disk Director stand-alone to find the partition. Deleted it, rebuilt the boot partition, and then was able to to do a successful boot and then proceeded with normal cleaning procedures.