rootkit problem

AtYourService

I feel I'm very confident in successfully removing viruses/spyware and even rootkits, until I met my match today. I've tried a variety of tools to figure this out, and I'm quite certain there is something still left on this machine; the only signs are that
1. Internet Explorer will not open
2. Firefox will not let me download Internet Explorer and tries to kick me to one of those fake virus pages

I've run ComboFix, Malwarebytes, Kaspersky, Avira and all have cleaned something, but the problem still persists after the scans come up clean once the files are removed. I have even run bootable virus scan CDs to scan without Windows being loaded, and still nada.

I know normally we would at this point admit defeat and reformat, but I refuse to be defeated :) Anyone have a similar situation before?
 
I can't preach it enough. Boot from another windows environment and run your scans from there. Either boot from UBCD* or take the hard drive out and hook it up to a clean running system.

EDIT: Just read you already tried that. My bad. I would manually go through the Windows and Windows\System32 folders on the drive and rename anything you suspect to be a virus.

I would also mount the infected computer's registry files and look there for anything suspect.
 
I've run into systems like that before.
I reload. The way I see it, yes, I could probably figure out every problem and make it run correctly... but I wouldn't completely trust the machine to be clean or not develop problems soon after.
If you're sticking to your guns and want to fight with it, go for it, but sometimes reloading does make sense.
 
Another thing. Try copying autoruns, Process Monitor, and Process Explorer over to the computer. You really should get an idea of what files to kill by looking through those.
 
What's telling you that it's a rootkit and not just a new virus not in those scanner definitions? And I would think that they would still be helpful figuring out the names of the virus files themselves.
 
I had a system over the weekend that was kind of similar. If you did a search in Firefox and clicked a link you'd be redirected to another site. However there was nothing running on this system. Upon manual inspection (HijackThis, Autoruns, etc.) everything was pristine. I scanned with a few different programs, and none of them found anything. Ran ComboFix, Dial-a-Fix, SmitFraudFix, etc. and none of them fixed it. I even tried manually looking through all the Firefox settings, going as far as reviewing every line in 'about:config'. I tried a couple of rootkit scanners and they didn't find anything either. Then I had the idea of trying IE, and oddly enough it was not affected.

It really piqued my interest, so I was determined to find out what was causing it. Unfortunately the customer called asking for a status, so I decided just to wipe and reinstall. I'm thinking it had to be a hidden setting in Firefox.
 
What's telling you that it's a rootkit and not just a new virus not in those scanner definitions? And I would think that they would still be helpful figuring out the names of the virus files themselves.
Good point, and that's why you should not rely upon scanning software to do your job. Learn to identify how and where viruses and rootkits operate and also keep up-to-date with the latest security news to see how the black hats are constantly changing the game.
 
I know of the most common places for startup methods used by viruses,
and because all of the places I've checked don't have anything to be seen, nor do I see any running process using normal tools, I'm gonna chalk it up as a rootkit.

I tend not to rely on scanners until I've done my own initial sweep, checking the registry, services and startup folders etc.
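Both the advice above to mount the infected computer's registry files from a clean system and the OP's own sweep of the registry, services and startup locations come down to the same check. The script below is an added example, not code posted in the thread: it loads the slaved drive's SOFTWARE, SYSTEM and NTUSER.DAT hives under temporary key names and lists the usual autostart points (Run/RunOnce, Winlogon Shell/Userinit, Winlogon\Notify packages, AppInit_DLLs, Browser Helper Objects resolved to their DLLs, and services whose ImagePath is outside the Windows directory) while the rootkit is not running and so cannot filter what you see. The drive letter E:, the profile path and the OFF_* key names are assumptions; run it elevated on the clean machine.

```powershell
# Added example, not code from the thread. Enumerate common autostart locations
# in the registry hives of a slaved, non-booted Windows drive.
# Assumptions: the infected drive is attached to a clean machine as E:, the
# user profile lives under the path below, and this runs in an elevated shell.
param(
    [string]$OfflineWindows = 'E:\Windows',                        # assumed slaved drive
    [string]$OfflineUser    = 'E:\Documents and Settings\Owner'    # assumed profile
)

# Hive files -> temporary mount names under HKLM (names are ours)
$hives = @{
    'HKLM\OFF_SOFTWARE' = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
    'HKLM\OFF_SYSTEM'   = Join-Path $OfflineWindows 'System32\config\SYSTEM'
    'HKLM\OFF_USER'     = Join-Path $OfflineUser    'NTUSER.DAT'
}
foreach ($name in $hives.Keys) {
    if (Test-Path $hives[$name]) { & reg.exe load $name $hives[$name] | Out-Null }
}

# An offline SYSTEM hive has no CurrentControlSet link; Select\Current tells us
# which ControlSetNNN the machine last booted from.
$cur = (Get-ItemProperty 'HKLM:\OFF_SYSTEM\Select').Current
$cs  = 'HKLM:\OFF_SYSTEM\ControlSet{0:D3}' -f $cur

# Value-based autostarts. In Winlogon, Shell should be Explorer.exe and Userinit
# should be <windir>\system32\userinit.exe, ; AppInit_DLLs is normally empty.
$locations = @(
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($loc in $locations) {
    if (-not (Test-Path $loc)) { continue }
    Write-Host "== $loc"
    Get-ItemProperty $loc | Select-Object * -ExcludeProperty PS* | Format-List
}

# Winlogon notification packages: each subkey names a DLL winlogon.exe loads.
Write-Host '== Winlogon\Notify'
Get-ChildItem 'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue |
    ForEach-Object { "  $($_.PSChildName) -> $((Get-ItemProperty $_.PSPath).DllName)" }

# Browser Helper Objects: subkeys are CLSIDs; resolve each to its InprocServer32 DLL.
Write-Host '== Browser Helper Objects'
Get-ChildItem 'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty "HKLM:\OFF_SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        "  $clsid -> $dll"
    }

# Services and drivers whose ImagePath is not under the Windows directory.
# Legitimate third-party software appears here too; treat it as a review list.
Write-Host "== $cs\Services (ImagePath outside the Windows dir)"
Get-ChildItem "$cs\Services" | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -notmatch '^("?%SystemRoot%|\\SystemRoot|system32|\\\?\?\\[A-Za-z]:\\Windows|"?[A-Za-z]:\\Windows)') {
        New-Object PSObject -Property @{ Service = $_.PSChildName; ImagePath = $img }
    }
} | Format-Table Service, ImagePath -AutoSize

# Unload the hives. The registry provider caches handles, so force a GC first
# or "reg unload" reports the key as in use.
[gc]::Collect()
foreach ($name in $hives.Keys) { & reg.exe unload $name | Out-Null }
```

Anything listed here that you cannot account for is a candidate to rename on the slaved drive, as suggested above; rename rather than delete so a wrong guess is reversible.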
 
It may not be a rootkit. It could be that IE was damaged by other viruses, and the Firefox page thing could be a setting in Firefox; try removing FF with all its settings and reinstalling it.

Most of my wasted time is wasted because I rule out ideas too quickly. Just don't be so sure it's a rootkit.

Abe
 
There are some nasty rootkits out atm. I scanned with UBCD4Win fully updated:

Spybot - found nothing.
SUPERAntiSpyware - found nothing.
Malwarebytes - found nothing.

Antivir (updated) - found nothing.

HouseCall - found nothing.

Kaspersky - found nothing.

Rootkitty scan - nothing.

3 more rootkit scans online - nothing found.

Yet you cannot run or install any antivirus or spyware software; it prevents execution.

Other apps I installed that had nothing to do with the above worked fine.

It does not allow you to go to websites with antivirus or spyware cleaners.

And yes, I checked the hosts file; it was clean.

 
I had a system over the weekend that was kind of similar. If you did a search in Firefox and clicked a link you'd be redirected to another site.

I saw something similar myself. Links for Malwarebytes and all other virus/malware sites would just show "Page Cannot be displayed", while other sites like Google and Yahoo worked fine.

I checked the hosts file and nothing was out of the ordinary, but this machine was using DHCP and something had set the DNS servers manually to addresses other than what they were supposed to be.
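The two places this post looked, the hosts file and the DNS servers, can be checked in one pass. The script below is an added example, not something posted in the thread. It reads the TCP/IP interface keys directly, because the registry keeps the DHCP-supplied servers (DhcpNameServer) separate from a hand-typed list (NameServer): an adapter with EnableDHCP set and a non-empty NameServer is exactly the "DHCP client whose DNS was set manually" described above, whereas ipconfig alone just shows whichever list is in effect. It then prints every active hosts-file line that does not map to localhost, plus the file's size and attributes. It is written for the live system; to run it against a slaved drive, load that drive's SYSTEM hive and point $ifaces at its ControlSetNNN instead of CurrentControlSet.

```powershell
# Added example, not code from the thread. Flag DHCP adapters with statically
# set DNS servers, then show non-localhost entries in the hosts file.
# Runs against the live registry of the machine it is started on.
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

Get-ChildItem $ifaces | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    # NameServer is the statically typed list; DhcpNameServer is what the DHCP
    # server handed out. On a DHCP client NameServer should be empty.
    if ($p.EnableDHCP -eq 1 -and $p.NameServer) {
        New-Object PSObject -Property @{
            Interface        = $_.PSChildName
            DhcpNameServer   = $p.DhcpNameServer
            StaticNameServer = $p.NameServer    # suspicious on a DHCP client
        }
    }
} | Format-Table Interface, DhcpNameServer, StaticNameServer -AutoSize

# Hosts file: size and attributes first (malware pads it or marks it hidden),
# then every active line that does not point at localhost.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$file  = Get-Item $hosts -Force
"hosts: $($file.Length) bytes, attributes: $($file.Attributes)"
Get-Content $hosts | Where-Object {
    $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s'
}
```

A legitimately static machine will also show up in the first table, so read the output against how the adapter is supposed to be configured; the point is that on a DHCP client a populated NameServer value was typed by somebody or something.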
 
I saw something similiar myself. Links for malwarebytes and all other virus/malware sites would just show "Page Cannot be displayed", other sites like google and yahoo worked fine.

I checked the hosts file and nothing was out of the ordinary, but this machine was using DHCP and something had set the DNS servers manually to addresses other than what they were supposed to be.

Good point! I haven't seen a DNS change in a while, but you're right. That could be causing the issue as well. I was thinking that it's a BHO, but the OP said he didn't find anything in Autoruns.
 
Hrrm, rescanned with the Kaspersky live CD before I left last night, downloaded the latest updates, and after hours of scanning it found an .exe and .dll in the system32 folder. I'm hoping removing these does the trick after the scan finishes.
 
I finally threw in the towel. The customer needed it back, so I went for the restore. No matter what I removed there was always something left that wouldn't let go, probably another Virut-type virus that injects into EXEs.
 
I saw something similiar myself. Links for malwarebytes and all other virus/malware sites would just show "Page Cannot be displayed", other sites like google and yahoo worked fine.

I checked the hosts file and nothing was out of the ordinary, but this machine was using DHCP and something had set the DNS servers manually to addresses other than what they were supposed to be.

Yeah, I checked the HOSTS file and their DNS settings. Both were clean. It's really mind-boggling when I think about it. That's why I'm assuming it was a hidden setting in Firefox. It's either that, or the most sophisticated rootkit I've ever run across.
 
I have done a lot of research; all the rootkit detectors out there cannot pick up new rootkits such as Blue Pill, Vitriol, Rustock.C, MaosBoot.

There is a rootkit detector that can pick them up http://northsecuritylabs.com/

Hypersight Rootkit Detector

There might be a few new ones that can, but all the ones I have seen don't.

More info on Microsoft's GhostBuster project:

http://research.microsoft.com/en-us/um/redmond/projects/strider/rootkit/

Good but out-of-date info on rootkits:

http://www.data-recovery-reviews.com/howto-defeat-a-rootkit.htm

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201080
http://www.wilderssecurity.com/showthread.php?t=209327
 
I'm actually working on a script that will use the rootkits' methods against them. The basic premise is to get a full list of all files on the infected drive, then remove the drive and connect it to a clean system and get a 2nd list while the rootkit is not active, and then finally compare the two lists.

Any files that show up on the second list but do not show up on the first list should be considered suspect.

That's the premise anyway. Though it won't find rootkits in the MBR, this method should be able to spot the files that the rootkits are hiding.
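The cross-view comparison described above, written out as an added example (this is not arrow's script, which the thread does not show). Snapshot one is taken from inside the infected OS, where a rootkit's filesystem hooks can filter the listing; snapshot two is taken of the same directory from a clean OS with the drive slaved. Paths are stored relative to the root so the drive letters can differ, and a short noise filter drops directories that change between boots anyway. The drive letters, output filenames and noise list are assumptions.

```powershell
# Added example, not the script described in the thread. Cross-view file listing:
# files present in the offline snapshot but absent from the live one were hidden
# from the running system.
# Assumptions: live Windows dir is C:\Windows, the slaved drive exposes it as
# E:\Windows, and snapshot files go to a USB stick at F:.

function Get-FileSnapshot {
    param([string]$Root, [string]$OutFile)
    # -Force includes hidden/system files. Store paths relative to $Root, lower-cased,
    # so the two snapshots compare even though the drive letters differ.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($Root.Length).TrimStart('\').ToLower() } |
        Sort-Object -Unique |
        Set-Content -Path $OutFile
}

function Compare-FileSnapshot {
    param([string]$LiveList, [string]$OfflineList)
    # Directories that legitimately change between two boots; drop them to cut noise.
    $noise = '^(temp\\|prefetch\\|system32\\config\\|system32\\wbem\\repository\\|softwaredistribution\\)'
    $live    = Get-Content $LiveList
    $offline = Get-Content $OfflineList
    # SideIndicator '=>' means present only in the difference set (the offline view).
    Compare-Object -ReferenceObject $live -DifferenceObject $offline |
        Where-Object { $_.SideIndicator -eq '=>' -and $_.InputObject -notmatch $noise } |
        ForEach-Object { $_.InputObject }
}

# Step 1, on the infected machine (run from the USB stick, like the Sysinternals tools):
#   Get-FileSnapshot -Root 'C:\Windows' -OutFile 'F:\live.txt'
# Step 2, with the drive slaved into a clean machine as E:
#   Get-FileSnapshot -Root 'E:\Windows' -OutFile 'F:\offline.txt'
# Step 3, list what the live system could not see:
#   Compare-FileSnapshot -LiveList 'F:\live.txt' -OfflineList 'F:\offline.txt'
```

Take the live snapshot last thing before shutting down, so as little as possible is written to the disk between the two listings; anything that still shows up is either a file written during shutdown or one the live view was not allowed to see. As the post says, this finds hidden files, not an MBR-resident loader, so an empty result is not a clean bill of health.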
 
arrow, that sounds like a good idea.

What programs do some of you use to detect rootkits? I have been using GMER and I just added Hypersight to my toolkit based on Galdorf's suggestion. Looking for more options to have on-site.
 