Rootkit?! Any advice?
Hi all. I know there are many smart and helpful people on these forums and I could really do with some advice.
Windows Media Player recently prompted me to download a program in order to view a 'protected' avi file. This program appeared to be an installation file for some kind of program called GammaPlay, which I have searched for on Google but could not find any information about. However, due to the fact that it was a legitimate program that prompted me to download it, and Trend Micro Internet Security and its firewall detected no security threats, I figured it was safe to run... Guess not.
Once the installation of GammaPlay was complete, Trend Micro informed me of three suspicious changes to the OS/registry, all of which I blocked. I then uninstalled this GammaPlay and deleted the avi file. I then ran a full virus/spyware scan and, because nothing was detected, I thought I was in the clear.
However, the next time I ran my internet browser I noticed several minor changes. The preferences link on Google would take me to the correct URL, but would display an exact copy of: Google. After having bypassed this (by simply using the preferences link from Google's image search), I would change my Google preferences as desired, but they would not stick. Searches also opened up in a new window (they never used to), and I was being redirected to various websites (such as Yahoo, YouTube, and various advertising websites). I tried deleting cookies and resetting my browser, to no avail.
I figured this could be the work of a browser hijacker so I downloaded a variety of malware scanners, including Spybot - Search and Destroy and Malware Bytes. However many of these programs wouldn't install because they couldn't connect to update servers. (My antivirus and Windows Defender also could not connect to update servers.) I managed to install Spybot successfully by updating the program manually, but when I try to open the main window from the taskbar, nothing seems to happen.
By now, I was starting to get very concerned. I installed Trend Micro's system cleaner, which is the only scanner I managed to run successfully. (With the exception of my virus scanner which detects nothing.) This looked promising when it detected 3 potential threats, but they just turned out to be cookies. I have tried Housecall and another online threat scanner, but neither could connect. (Housecall said Java needs to be enabled on my system, but I had updated Java only a day before.)
I have checked for any unwanted processes running on my machine via the task manager. The only one I thought to be suspicious was '175369943.tmp' which I ended. However, this made no difference to my current situation. I have also checked my startup programs via msconfig and my registry keys via regedit, found nothing suspicious. (However, I am no computer expert so I may have overlooked something.) I have also performed netstat from the command line to see if it would detect any backdoors. Once again, I found nothing suspicious.
After researching rootkits on the internet, I realize that this may very well be the work of one of them. What do you guys think? Is a rootkit hiding all suspicious activity from me? I am also at a loss as to how to remove rootkits considering all antimalware seems to be blocked.
Thanks for reading, and any suggestions would be greatly appreciated.
P.S. I am using Windows Vista, Trend Micro Internet Security and IE7 (stupid I know :rolleyes:). I upgraded to IE8 and installed Firefox yesterday to see if this made a difference. As you guessed, it didn't. I have downloaded HijackThis and run it, but this produces a log which is meaningless to me. However, if seeing this log might assist anyone who tries to help me, I will gladly post it.
I am sorry for such a long post.
Good day to you all :)
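The original poster checked Task Manager and netstat by hand. The script below is an added example (not from any poster in this thread) of doing that comparison systematically: it parses the output of `netstat -ano` and `tasklist` and reports any socket whose owning PID does not appear in the process list, which is the classic "cross-view" sign of a process that something is hiding. The netstat and tasklist output embedded here is constructed for the example, not captured from the poster's machine.

```python
"""Cross-view check: sockets owned by PIDs that the process list does not show.

Both samples below are constructed for this example. On a real machine you
would feed the script the saved output of `netstat -ano` and `tasklist`.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49201     203.0.113.7:80         ESTABLISHED     3132
  TCP    192.168.1.20:49202     198.51.100.9:443       ESTABLISHED     5520
  UDP    0.0.0.0:123            *:*                                    1228
"""

# Constructed sample of `tasklist` output. Note that PID 5520 is absent.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0        428 K
svchost.exe                    884 Services                   0      7,104 K
svchost.exe                   1228 Services                   0      5,992 K
firefox.exe                   3132 Console                    1    120,444 K
"""


class Socket(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no state column
    pid: int


# TCP rows have a State column; UDP rows do not, so the state group is optional.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image name may contain spaces, so it is matched lazily up to the PID column.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Return one Socket per data row of `netstat -ano` output."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            sockets.append(Socket(proto, local, remote, state or "", int(pid)))
    return sockets


def parse_tasklist(text: str) -> Dict[int, str]:
    """Return {pid: image name} from `tasklist` output, skipping the header."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def find_hidden_owners(sockets: List[Socket], procs: Dict[int, str]) -> List[Socket]:
    """Sockets whose owning PID is missing from the process list."""
    return [s for s in sockets if s.pid not in procs]


if __name__ == "__main__":
    hidden = find_hidden_owners(parse_netstat(NETSTAT_SAMPLE),
                                parse_tasklist(TASKLIST_SAMPLE))
    for s in hidden:
        print(f"{s.proto} {s.local} -> {s.remote} {s.state} owned by unlisted PID {s.pid}")
```

On the constructed input this flags the connection to 198.51.100.9:443 owned by PID 5520, which tasklist never reports. The caveat is that netstat and tasklist both ask the same operating system for their data; a kernel-level rootkit that hooks the process and socket enumeration consistently will hide from both views at once, so a clean result here rules out only the less thorough malware. Comparing against a view taken from outside the running system (a boot from clean media, or a scan tool that reads kernel structures directly) is what closes that gap.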
What you're describing sounds like the rootkit managed to override parts of your low-level networking code. If it got privileges to do that, it can pretty much do whatever it wants, including evade detection and block anti-virus software. Unless someone here has a more informed suggestion, I would think your only safe solution is to back up all your data (extremely carefully) and reinstall everything.
If reinstalling is a problem right now, try ComboFix. It usually does a good job at removing rootkits. After it finishes (which will force you to reboot at least once), I suggest you also get regdelnull. ComboFix apparently doesn't delete all null registry keys (which is a common rootkit strategy for residing on the registry) and this tool will eliminate any remains.
These two alone were able to remove a nasty rootkit from my wife's computer some time ago. I too was stumped since I don't have much experience with the buggers. I was pleasantly surprised at the efficiency of ComboFix and at the fact I didn't need a fancy malware removal tool... of which the many I tried didn't do a thing, btw.
EDIT: Do not think this will save you a reinstall though. As far as I know, many rootkits will compromise your computer for good. Because they were able to bypass all and any security measures, as long as they were active they had full control over your system. This means they could have downloaded corrupt system files, made changes to your registry, etc. Removal tools will not solve these hidden problems. ComboFix is only useful to bring your computer up to a satisfactory condition if you are having problems using it. Make your backups afterwards and reinstall. That's the only protection against rootkits. That and... avoiding getting another.
Re: avoiding rootkits:
If you would merely download and install ffdshow (and Haali Media Splitter), you should be able to play all (or 99% of the most common) video and audio formats. That would allow you to not download any type of suspicious codec files.
Of course, a great precaution is never to download anything you don't know what it is and download it from a secure location. If there are any comments regarding the download (such as torrent sites), read them and make sure it's safe to download before you do it.
Dump Windows. :D
Actually, have you tried ZoneAlarm? It has a good "OS firewall" which prevents local software from doing sensitive things without getting permission from the user. It even has safeguards in place to prevent software from manipulating itself (other AVs are not so well equipped), I've tried. ;) Once it takes over, a rootkit can't install without tripping an alert somewhere in the course of infection.
I've had good experiences with Outpost Firewall. Not free, but damn good security suite (excluding AV, but there's Outpost Security Suite for that). It can protect against a lot of things, but it isn't free. Still not that expensive, though.
The only effective way to get rid of a rootkit that is behaving this way is to reformat and reinstall windows. This is one of the reasons Sony got sued.
All I can say is someone at the FBI is getting a huge paycheck for turning a blind eye and not enforcing the computer crimes laws against malicious software. Granted it may not be as malicious as a virus that steals your CC numbers, but it is taking steps to avoid being uninstalled or deactivated and affecting your productivity. There is no legitimate reason for any software to EVER do this.
From my experience, it's much faster and cleaner to just reinstall everything. I got so much practice that reinstalling everything would only take me about 2 hours (including configuration). It got very annoying (I was reinstalling about twice a month), but is probably still faster than trying to hunt a virus/malware down. I was using a downloaded and cracked copy of XP at that time, even though I had a legitimate version, just so I wouldn't have to call M$ every time to activate. I have switched to Linux since then, so that's not a problem anymore. That said, modern Windows is not THAT bad. Just don't run anything suspicious (at least don't run it with admin priv) that does not have source available. If you are using Firefox or a more secure browser, going to pr0n sites is probably okay, as long as you don't download and install anything (almost guaranteed infection if you do, though).
Just wanted to say thanks everyone for all your helpful replies. Rootkits are without a doubt the nastiest piece of malicious software I've ever come across so thanks for the advice on detecting, destroying and avoiding them. ComboFix and Regdelnull were the way to go - thanks for the links Mario :) Just gotta reinstall now then I'm good to go.
I could suggest you also get some image backup software. Reinstall Windows, install apps, configure everything as you like it, then make a backup.
Every time you need to reinstall, restore from the backup. 30 minutes later, everything is done and you can use the system as normal again. That's the idea anyway.
I suggest you use a free online scanner... which belongs to BitDefender. I've been using it and it has proved to be very efficient: Free Online Virus Scan - BitDefender Online Scanner