Help Please RootKit Craziness

Update: I just finished a chkdsk /r for the L:\ drive and it completed successfully. Again, I'm in D-7 and then I tried to run sfc /scannow and received the message: "Windows Resource Protection could not start the repair service". Guessing the rootkit is responsible for this.

I'm also learning that the rootkit may be "hiding" the OS directory from Windows. I am trying to find the NTFS Junction to delete it and run the IFEO modifier in D7.

Stay tuned.
 
Have you taken ownership of the drive?

I just now went into L:\ -->Properties-->Security-->Advanced-->Owner and changed/replaced ownership with Administrators and the Windows Security window popped up and is changing ownership. I also checked "Replace owner on sub-containers and objects" as well. Now it's changed over. The drive shows no volume after the ownership change yet but I have been able to access it through D7 and found the NTFS Junctions that look like they correspond to what I believe is a false/infected $NtUinstallKB45721$ file. Interestingly, it is a file type called "Symbolic Link". There is one other SL, L:\Users\All Users directory, as well. Not sure what to do with these. I should ask FoolishIT about it.

Now that theoretically I've taken ownership, I should be able to run ComboFix or Kaspersky within the drive. I'll report back.

Thanks again.

UPDATE: Right-clicking to Open L:\ --> "Access Denied."
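The two things this post does by hand (take ownership of the slaved volume, then hunt for junctions and symbolic links that may be hiding or redirecting directories) can be done from an elevated PowerShell prompt with built-in tools. The script below is an added example, not code from the thread, from D7 or from any tool named here; the L:\ drive letter, the `Get-ReparsePoint` helper and the list of known-good Vista/7 junction names are assumptions. It walks the volume without descending into reparse points, which avoids the endless "Application Data" junction loop, and flags any link that is not one of the stock ones.

```powershell
# Added example (not from the thread): take ownership of a slaved/infected
# volume and list every junction / symbolic link on it with its target.
# Assumes the volume is mounted as L:\ (as in the thread) and an elevated prompt.
param([string]$Volume = 'L:\')

# 1. Take ownership as the Administrators group and grant it full control,
#    recursively, so AV and repair tools stop hitting "Access Denied".
#    This is the command-line equivalent of Properties > Security > Advanced > Owner.
& takeown.exe /F $Volume /A /R /D Y | Out-Null
& icacls.exe $Volume /grant 'Administrators:F' /T /C | Out-Null

# 2. Walk the tree ourselves: report each reparse point but never descend into
#    it, so the stock self-referencing junctions cannot send us into a loop.
function Get-ReparsePoint {
    param([string]$Path)
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $item                                    # report, do not recurse into it
        } elseif ($item.PSIsContainer) {
            Get-ReparsePoint -Path $item.FullName    # plain directory: keep walking
        }
    }
}

# 3. Vista/7 ship a set of compatibility junctions with these names (assumed,
#    partial list). A reparse point with any other name, especially one sitting
#    inside \Windows or pointing outside the volume, deserves a close look.
$expectedNames = 'Documents and Settings', 'All Users', 'Application Data',
                 'Default User', 'Local Settings', 'My Documents', 'Start Menu',
                 'Templates', 'Cookies', 'History', 'Temporary Internet Files',
                 'SendTo', 'NetHood', 'PrintHood', 'Recent'

$links = Get-ReparsePoint -Path $Volume |
    Select-Object FullName, LinkType,
                  @{ n = 'Target';   e = { ($_.Target | Select-Object -First 1) } },
                  @{ n = 'Expected'; e = { $expectedNames -contains $_.Name } }

# Unexpected links sort to the top; a CSV copy goes to the desktop for the case notes.
$links | Sort-Object Expected, FullName | Format-Table -AutoSize
$links | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\reparse-points.csv') -NoTypeInformation
```

Run it against the slaved drive from a clean machine, not from the infected OS: a rootkit that filters directory listings on the live system cannot interfere with a walk done from another Windows install, which is the same reasoning behind the live-CD advice later in the thread.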
 
I cannot stress the need for techs to at least learn basic Linux so that you can take the faulty O/S that allows nasty infections like this to occur in the first place out of the equation. There are numerous Linux based rescue and scanning disks available so that the malware is not active while scanning. Download and burn a live CD or USB of Ubuntu or better yet Linux Mint. When you boot into the live o/s you can browse the infected drive without worrying about file permissions. The file browser is a GUI similar to Windows Explorer so no need to know command line stuff.
 

Well, I guess the next thing to do is try out your suggestion and get some Linux experience. We all have to start somewhere and I happen to be at a point where I need to take the next step. Thank you kwisher.
 
Linux is becoming more and more common and easier to use nowadays; just about anyone can throw in a live CD of, say, Puppy and start using it with very little instruction.

Having different live CDs like UBCD, UBCD4Win, AV Rescue Discs, Knoppix, etc. is invaluable. In this thread live CDs have been used and the hard drive has also been slaved in another computer; these should have given full access to the drive's content, so the OP should have been able to do anything from editing the offline registry, to running an AV on the offline OS, to running AutoRuns on the offline system, to whatever.
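Working on the offline registry from a slaved drive, as this post suggests, needs nothing beyond `reg.exe` and PowerShell. The script below is an added example, not from the thread or from any of the tools mentioned; the L:\Windows path and the `HKLM\OfflineSoftware` mount name are assumptions. It loads the offline SOFTWARE hive, lists the Run/RunOnce autostarts, and then checks the Image File Execution Options keys the original poster was trying to deal with via D7's IFEO modifier: a `Debugger` value there silently redirects the named executable to another program, which is how such entries disable tools like Task Manager or security software.

```powershell
# Added example (not from the thread): inspect autostarts and IFEO entries in
# the SOFTWARE hive of an offline Windows install without booting it.
# Assumes the slaved drive is L:\ (as in the thread) and an elevated prompt.
param([string]$OfflineWindows = 'L:\Windows')

$hive  = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
$mount = 'HKLM\OfflineSoftware'          # temporary key name; any unused name works

# reg.exe load/unload is the documented way to attach a hive file to the registry.
& reg.exe load $mount $hive | Out-Null
try {
    $base = "Registry::$mount"

    # Run / RunOnce autostarts, i.e. what Autoruns would show for this hive.
    foreach ($k in 'Microsoft\Windows\CurrentVersion\Run',
                   'Microsoft\Windows\CurrentVersion\RunOnce') {
        $path = "$base\$k"
        if (Test-Path -Path $path) {
            Write-Host "== $k =="
            Get-ItemProperty -Path $path |
                Select-Object -Property * -ExcludeProperty PS* |
                Format-List
        }
    }

    # Image File Execution Options: a "Debugger" value under <exe>.exe makes
    # Windows launch that debugger instead of the program. Legitimate on a dev
    # box; on a client machine every entry here should be explained or removed.
    $ifeo = "$base\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    Write-Host '== IFEO Debugger entries =='
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { [pscustomobject]@{ Executable = $_.PSChildName; Debugger = $dbg } }
        } | Format-Table -AutoSize
}
finally {
    # Drop PowerShell's handles to the mounted keys, then detach the hive so the
    # file on the slaved drive is not left locked or half-written.
    [gc]::Collect()
    & reg.exe unload $mount | Out-Null
}
```

Because the hive is opened from the slaved drive, a rootkit living in that installation is not running and cannot hide the keys; removing a bad `Debugger` value is then an ordinary `Remove-ItemProperty` against the same mounted path before the `unload`.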
 


Exactly! But so far, it still eludes efforts to do all that. If this is not a new rootkit, these approaches should have dealt with the issue. Perhaps this is a new, more vicious rootkit. Even my efforts at using D7 have, in a few attempts, only let me, pardon the expression, nibble at it. On the other hand, using a live CD of any flavor of Linux still requires that you have a lot of experience recognizing the target areas and specific files that need to be removed. I'm still learning that.

Again, I'm using this as a learning experience. I am not here to simply walk away; I'm doing this to gain experience. If I were to just N&P and tell the client "sorry :eek:" I would be cheating myself as well. No disrespect to those who earlier on said to N&P. It's just not how I roll.
 
IMHO, if I determine a system has any type of rootkit, I would save their data and N&P for my peace of mind. I know there are ways to manually remove bad stuff, but what happens if you miss something and it comes back?

For the OP: How much time have you invested in removing this infection so far? Could you have N&P'd the system in a shorter time?
 


He has already stated he is getting as much experience out of this as he can, N & P is on the way I think :D Agreed though at the end of the day it's a business and time is money.
 


Take a look again at post #48. I thought I explained the time issue pretty clearly. To take the time to truly know and understand what is going on with complex malware issues, I don't see any way around investing time to learn. It's called the trenches. :cool:

A rush to N&P to save time/money sometimes doesn't pay dividends like a lesson well-learned to gain good experience. No offense at all meant to you or anyone else, but it's the fly-by-night Pizza-Techs who reach for the N&P solution first to make an easy buck IMO. That's NOT how I roll.

Out.
 
No offense taken. It's your business and I admire your efforts. Just trying to offer some help. N&P would be my last resort if my normal tools of choice cannot quickly get rid of the infection.
 

And your help is greatly appreciated. BTW, I'm closer than ever to a N&P but want to see if I can at least rescue some photos and documents from the drive (or the image I made) for the client before I do that.
 
"Success" with 2nd Best Solution

Well the upshot of this learning curve resulted in this:

I ran Get Data Back on the original drive and had the result placed in a folder on my desktop. I then re-ran SAS & MBAM on the folder. Cleaned up two different trojans detected and 137 infected files.

Documents, Pictures, and other data the client really wanted/needed were cleaned and as a result salvaged!

Now I can N&P her drive, reinstall Vista, and return her important files to her.

It's worth it to not give up - sometimes. :D

A huge thank you to all the great techs that responded to this thread. It helped me get this result. Thanks also to FoolishTech and Martyn for understanding that I just had to do this to learn!

Cheers!
 
No no, it's more like after ALL that trouble the client is having you put Microsoft's worst back on...? UGH! (Yes, I'm a total Vista hater).

I'm the same really; I will struggle long and hard with stuff like this before giving up. Being persistent in this business is an asset. So kudos to you sir...we do NOT let the machines win.
 