Rootkit?! Any advice?

This is a discussion on Rootkit?! Any advice? within the General Discussions forums, part of the Community Boards category; Hi all. I know there are many smart and helpful people on these forums and I could really do with ...

  1. #1
    Registered User
    Join Date
    Jan 2005
    Posts
    183

    Rootkit?! Any advice?

    Hi all. I know there are many smart and helpful people on these forums and I could really do with some advice.

    Windows Media Player recently prompted me to download a program in order to view a 'protected' avi file. This program appeared to be an installation file for some kind of program called GammaPlay, which I have searched for on google but could not find any information about it. However, due to the fact it was a legitament program that prompted me to download it, and Trend Micro Internet Security and it's firewall detected no security threats, I figured it was safe to run... Guess not.

    Once the installation of GammaPlay was complete, Trend Micro informed me of three suspicious changes to the OS/registry, all of which I blocked. I then uninstalled this GammaPlay and deleted the avi file. I then ran a full virus/spyware scan and, because nothing was detected, I thought I was in the clear.

    However, next time I ran my internet browser I noticed several minor changes. The preferences link on google would take me to the correct URL, but would display an exact copy of: Google. After having bypassed this, (by simply using the preferences link from google's image search,) I would change my google preferences as desired, but they would not stick. Searches also opened up in a new window (they never use to,) and I was being redirected to various websites (such as yahoo, youtube, and various advertising websites.) I tried deleting cookies and resetting my browser, to no avail.

    I figured this could be the work of a browser hijacker so I downloaded a variety of malware scanners, including Spybot - Search and Destroy and Malware Bytes. However many of these programs wouldn't install because they couldn't connect to update servers. (My antivirus and Windows Defender also could not connect to update servers.) I managed to install Spybot successfully by updating the program manually, but when I try to open the main window from the taskbar, nothing seems to happen.

    By now, I was starting to get very concerned. I installed Trend Micro's system cleaner, which is the only scanner I managed to run successfully. (With the exception of my virus scanner which detects nothing.) This looked promising when it detected 3 potential threats, but they just turned out to be cookies. I have tried Housecall and another online threat scanner, but neither could connect. (Housecall said Java needs to be enabled on my system, but I had updated Java only a day before.)

    I have checked for any unwanted processes running on my machine via the task manager. The only one I thought to be suspicious was '175369943.tmp' which I ended. However, this made no difference to my current situation. I have also checked my startup programs via msconfig and my registry keys via regedit, found nothing suspicious. (However, I am no computer expert so I may have overlooked something.) I have also performed netstat from the command line to see if it would detect any backdoors. Once again, I found nothing suspicious.

    After researching rootkits on the internet, I realize that this may very well be the work of one of them. What do you guys think? Is a rootkit hiding all suspicious activity from me? I am also at a loss as to how to remove rootkits considering all anitmalware seems to be blocked.

    Thanks for reading, and any suggestions would be greatly appreciated.

    P.S. I am using Windows Vista, Trend Micro Internet Security and IE7 (stupid I know ). I upgraded to IE8 and installed Firefox yesterday to see if this made a difference. As you guessed, it didn't. I have downloaded Hijack This and ran it but this produces a log which is meaningless to me. However, if seeing this log might assist anyone who tries to help me, I will gladly post it.

    I am sorry for such a long post.
    Good day to you all

  2. #2
    Super Moderator
    Join Date
    Sep 2001
    Posts
    4,913
    What you're describing sounds like the rootkit managed to override parts of your low-level networking code. If it got privileges to do that, it can pretty much do what ever it wants, including evade detecting and block anti-virus software. Unless someone here has a more informed suggestion, I would think your only safe solution is to back up all your data (extremely carefully) and reinstall every thing.

  3. #3
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Portugal
    Posts
    7,439
    If reinstalling is a problem right now, try ComboFix. It usually does a good job at removing rootkits. After it finishes (which will force you to reboot at least once), I suggest you also get regdelnull. ComboFix apparently doesn't delete all null registry keys (which is a common rootkit strategy for residing on the registry) and this tool will eliminate any remains.

    This two alone were able to remove a nasty rootkit from my wife's computer some time ago. I too was stumped since I don't have much experience with the buggers. I was pleasantly surprised at the efficiency of ComboFix and at the fact I didn't need to fancy Malware removal tool... of which the many I tried didn't do a thing, btw.

    EDIT: Do not think this will save you a reinstall though. As far as I know, many rootkits will compromise your computer for good. Because they were able to bypass all and any security measures, as long as they were active they had full control over your system. This means they could have downloaded corrupt system files, made changes to your registry, etc. Removal tools will not solve these hidden problems. Combo fix is only useful to bring your computer up to a satisfactory condition if you are having problems using it. Make your backups afterwards and reinstall. That's the only protection against rootkits. That and... avoiding getting another.
    Last edited by Mario F.; 08-15-2009 at 11:55 AM.
    The programmer’s wife tells him: “Run to the store and pick up a loaf of bread. If they have eggs, get a dozen.”
    The programmer comes home with 12 loaves of bread.


    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  4. #4
    C++まいる!Cをこわせ! Elysia's Avatar
    Join Date
    Oct 2007
    Posts
    22,554
    Re: avoiding rootkits:
    If you would merely download and install ffdshow (and Haali Media Splitter), you should be able to play all (or 99% of the most common) video and audio formats. That would allow you to not download any type of suspicious codec files.

    Of course, a great precaution is never to download anything you don't know what it is and download it from a secure location. If there are any comments regarding the download (such as torrent sites), read them and make sure it's safe to download before you do it.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  5. #5
    Unregistered User Yarin's Avatar
    Join Date
    Jul 2007
    Posts
    1,610
    Dump Windows.

    Actually, have you tried ZoneAlarm? it has a good "OS firewall" which prevents local software from doing sensitive things without getting permission from the user. It even has safe-guards in place to prevent software from manipulating itself (other AVs are not so well eqipped), I've tried. Once it takes over, a rootkit can't install without tripping an alert somewhere in the course of infection.
    A class that doesn't overload all operators just isn't finished yet. -- SmugCeePlusPlusWeenie
    A year spent in artificial intelligence is enough to make one believe in God. -- Alan J. Perlis

  6. #6
    C++まいる!Cをこわせ! Elysia's Avatar
    Join Date
    Oct 2007
    Posts
    22,554
    I've had good experiences with Outpost Firewall. Not free, but damn good security suite (excluding AV, but there's Outpost Security Suite for that). It can protect against a lot of things, but it isn't free. Still not that expensive, though.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  7. #7
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,189
    The only effective way to get rid of a rootkit that is behaving this way is to reformat and reinstall windows. This is one of the reasons Sony got sued.

    All i can say is someone at the FBI is getting a huge paycheck for turning a blind eye and not enforcing the computer crimes laws against malicious software. Granted it may not be as malicious as a virus that steals your CC numbers, but it is taking steps to avoid being uninstalled or deactivated and effecting your productivity. There is no legitimate reason for any software to EVER do this.
    Last edited by abachler; 08-15-2009 at 02:21 PM.
    Until you can build a working general purpose reprogrammable computer out of basic components from radio shack, you are not fit to call yourself a programmer in my presence. This is cwhizard, signing off.

  8. #8
    Registered User
    Join Date
    Dec 2006
    Location
    Canada
    Posts
    3,183
    From my experience, it's much faster and cleaner to just reinstall everything. I got so much practice that reinstalling everything would only take me about 2 hours (including configuration). It got very annoying (I was reinstalling about twice a month), but is probably still faster than trying to hunt a virus/malware down. I was using a downloaded and cracked copy of XP at that time, even though I had a legitimate version, just so I won't have to call M$ everytime to activate. I have switched to Linux since then, so that's not a problem anymore. That said, modern Windows is not THAT bad. Just don't run anything suspicious (at least don't run it with admin priv), and does not have source available. If you are using Firefox or a more secure browser, going to pr0n sites is probably okay, as long as you don't download and install anything (almost guaranteed infection if you do, though).

  9. #9
    Registered User
    Join Date
    Jan 2005
    Posts
    183

    Thanks

    Just wanted to say thanks everyone for all your helpful replies. Rootkits are without a doubt the nastiest piece of malicious software I've ever come across so thanks for the advice on detecting, destroying and avoiding them. ComboFix and Regdelnull were the way to go - thanks for the links Mario Just gotta reinstall now then I'm good to go.
    Thanks again!

  10. #10
    C++まいる!Cをこわせ! Elysia's Avatar
    Join Date
    Oct 2007
    Posts
    22,554
    I could suggest you also get some image backup software. Reinstall Windows, install apps, configure everything as you like it, then make a backup.
    Everytime you need to reinstall, restore from the backup. 30 minutes later, everything is done and you can use the system as normal again. That's the idea anyway.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  11. #11
    Registered User
    Join Date
    Aug 2009
    Posts
    1

    Hello

    Hi,
    I suggest you to use an online scanner for free...which belongs to bitdefender. I've being use it and it prove to be very efficient: Free Online Virus Scan - BitDefender Online Scanner

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Advice on C Programming with MSVC++ 2008
    By IT_Guy in forum Windows Programming
    Replies: 1
    Last Post: 03-06-2009, 03:23 AM
  2. game engine advice?
    By stien in forum Game Programming
    Replies: 0
    Last Post: 01-23-2007, 02:46 PM
  3. girl friend advice (prob. the wrong place)
    By B0bDole in forum A Brief History of Cprogramming.com
    Replies: 15
    Last Post: 10-22-2004, 06:38 PM
  4. looking for advice on selling golf balls
    By lambs4 in forum A Brief History of Cprogramming.com
    Replies: 10
    Last Post: 05-30-2004, 04:03 PM
  5. Who's telling the truth??? Career Advice Needed Badly
    By Ican'tCjax,fl in forum C Programming
    Replies: 1
    Last Post: 11-06-2002, 05:16 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21