Thread: Rootkits

  1. #1
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    London
    Posts
    703
    Thanks
    256
    Thanked 4 Times in 4 Posts
    Rootkits, or presumed rootkits, are driving me crazy, and I could use some help.

    4 or 5 weeks ago, whilst doing the weekly scans, defrag, etc, Avira Rootkit Detector gave an ambiguous message which I took to indicate the presence of a rootkit. There being no guidance on how to remove it, I did nothing.

    Some time during the following week RU Botted warned that bots had been found. After a lengthy scan 7 vulnerabilities were recommended for deletion. After their removal Firefox was malfunctioning badly and IE was unusable for several days, but by using FF immediately after a reboot it was possible to install Chrome.

    ZoneAlarm was misbehaving also, continually changing the time of scans on a random basis – very inconvenient if using the PC only to find it had slowed down or stopped to perform a scan. Also the hourly updates could take 10 minutes or more to complete, during which time it was almost impossible to do anything else, and if updating Sharescope or Digiguide at the time – both of which use a lot of resources – gridlock tended to ensue. Several times I had to disconnect the PC from the mains to sort it out. At least I've found out how to change to 12 hourly updates, supplemented by times when I'm not using the PC.

    There was no way of knowing whether these problems were caused by a rootkit, or just that some essential files were deleted along with the bots, but the proximity in time between the two events suggests that the bots were installed by the rootkit. Perhaps I should mention that the lengthy hold-ups while ZA updates had been going on for several months, and I had already decided to change security suites when the licence runs out, but the arbitrary full scans only occurred after removing the bots.

    With the help of several lounge members I was able to wipe and (hopefully) overwrite the hard-drive with dban and reinstall XP Home Edition, only for most of the problems to recur. There were no more problems with IE, so Chrome is not needed, and FF is slightly more stable, in that although it still will not close completely, it is now sometimes possible to open another copy without rebooting.

    Using fixmbr to install a new Master Boot Record made no difference, so I downloaded and scanned with RootkitRevealer, which produced two entries:

    HKLM\SECURITY\Policy\Secrets\SAC* 16/06/10 0 bytes Key name contains embedded nulls (*)

    HKLM\SECURITY\Policy\Secrets\SAI* 16/06/10 0 bytes Key name contains embedded nulls (*)

    Security, secrets, embedded nulls – it looked as though the trouble had been located, until I checked Google and found they are legitimate files where Windows stores passwords.

    Next I tried Sophos Anti-Rootkit, which found 25 unknown hidden files:

    C:\Docs & Settings\Owner\Local Settings\Temp Internet Files\Content.IE5\followed by a number such as
    563BAH3N\6301, 6303, 6389, 64 (remainder is off my screen)

    Sophos marked the files as unknown and recommended not removing them. Nevertheless, I deleted one file and used IE for the rest of the evening, with no problems.

    The next day, intending to delete some more, I did another scan, but in error used RootkitRevealer. The two HKLM files listed above appeared, followed by another 358 entries all reading

    C:\System Volume Information\_restore {8FF5B3D followed by a long string of numbers and letters, only the last 2 or 3 of which differed, and ending with .RDB

    326 of these files were 1.65 MB in size and marked “Hidden from Windows API”

    The remaining 32 files, which appeared at the end varied in size and marked “Visible in Windows API, but not in directory index”

    25 rootkits (now 44) in IE5 is difficult to explain, but another 358 in System Information is just ridiculous. Where did they come from, and why are they multiplying?

    Then there is the question of why I still have a problem after wiping the hard-drive and supposedly removing everything. Is once insufficient, will repeating another two or three times make a difference, or is there a better tool to use?

    Or could the infection be reintroduced from my restored documents? Most are Word or Excel docs that I produced myself, but there must be a few hundred emails – should I remove the lot? Most of the applications downloaded after the reinstall were scanned by ZoneAlarm and Malwarebytes prior to installation, but I may have forgotten to do so on a few occasions. I consider this an unlikely source of infection, though; with the symptoms being the same as previously, it must have still been on the hard-drive after wiping, or in the docs restored later.

    Another mystery! At this point I decided to delve deeper into Google before posting to the lounge, and chose the second link listed. This advocated shutting down System Restore, rebooting and scanning again. It worked, all the entries for System Volume Information had gone.

    HOWEVER, there are now 110 new discrepancies, predominantly relating to Prefetch and a few to system32/zonealarm. What is going on? This is crazy!

    Firefox is still playing up, perhaps worse than before, as everything seized up when I tried to log in to my bank just now, necessitating a reboot. Perhaps the problem is FF rather than all the entries produced by scans, but it has been removed and reinstalled several times without improvement.

    I have now spent so much time on this issue that I’m reluctant to just give up and buy a new PC, especially as cash is tight at the moment, but unless someone can provide an answer there seems no alternative.

    One last question if I may. When reinstalling XP there was no option to set a password for the PC, and I’m unable to find a way to set one now, but it must be possible. At least it is with Vista.

    Any advice gratefully received.
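    As an added triage helper (not code from the thread or from any of the scanners named in it), the Python script below sorts RootkitRevealer-style discrepancy lines into the known-noise categories the post itself ran into (the SECURITY\Policy\Secrets keys with embedded nulls, System Restore's _restore data, and Prefetch files that change while the scan runs), so that whatever is left over is the short list worth showing a malware-removal specialist. The tab-separated line format and every sample path are constructed assumptions, not real scanner output.

```python
from collections import defaultdict

# Constructed sample in the shape of the entries quoted above (tab-separated:
# path, date, size, description). Every value here is made up for illustration.
SAMPLE_LINES = (
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t16/06/10\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI*\t16/06/10\t0 bytes\tKey name contains embedded nulls (*)\n"
    "C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP3\\A0000041.RDB\t16/06/10\t1.65 MB\tHidden from Windows API.\n"
    "C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP3\\A0000042.RDB\t16/06/10\t1.65 MB\tHidden from Windows API.\n"
    "C:\\WINDOWS\\Prefetch\\EXAMPLE.EXE-01234567.pf\t16/06/10\t24.00 KB\tVisible in Windows API, but not in directory index.\n"
    "C:\\WINDOWS\\system32\\drivers\\example.sys\t16/06/10\t24.00 KB\tHidden from Windows API.\n"
)

# Known-noise rules, checked in order: (category, path predicate, description predicate).
# The first two categories are the ones the post found explanations for.
RULES = [
    ("lsa_secrets_nulls",            # LSA secrets keys that Windows itself names with embedded nulls
     lambda p: p.upper().startswith("HKLM\\SECURITY\\POLICY\\SECRETS\\"),
     lambda d: "embedded nulls" in d.lower()),
    ("system_restore_point",         # restore-point data; disappears when System Restore is off
     lambda p: p.upper().startswith("C:\\SYSTEM VOLUME INFORMATION\\_RESTORE"),
     lambda d: True),
    ("prefetch_churn",               # prefetch files are rewritten as programs run, so they drift mid-scan
     lambda p: "\\PREFETCH\\" in p.upper(),
     lambda d: True),
]

def parse_line(line):
    """Split one discrepancy line into (path, date, size, description)."""
    parts = line.split("\t")
    if len(parts) != 4:
        raise ValueError(f"unexpected line shape: {line!r}")
    return tuple(parts)

def classify(path, description):
    """Return the first matching noise category, or 'needs_review' if none fits."""
    for name, path_ok, desc_ok in RULES:
        if path_ok(path) and desc_ok(description):
            return name
    return "needs_review"

def triage(text):
    """Group discrepancy paths by category so the unexplained ones stand out."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            path, _date, _size, desc = parse_line(line)
            groups[classify(path, desc)].append(path)
    return dict(groups)

if __name__ == "__main__":
    for category, paths in triage(SAMPLE_LINES).items():
        print(f"{category}: {len(paths)} entries")
```

    The "needs_review" bucket is the only one that calls for expert eyes; the rest explains the hundreds of entries the post describes without treating them as proof of a rootkit.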

  2. #2
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,199
    Thanks
    48
    Thanked 987 Times in 917 Posts
    It is possible that you have a hardware problem which is showing up as data inconsistencies - assuming you re-loaded from good virus free media. I would test the hard disk with the manufacturer's test software.

    cheers, Paul

  3. #3
    Plutonium Lounger Medico's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    12,631
    Thanks
    161
    Thanked 936 Times in 856 Posts
    You say you wiped the hard drive. Does this mean you formatted the hard drive? If so, then you reinstalled the hard drive and problems started again. This indeed does sound like a hardware failure. I would check the power supply voltages as well using CPU ID HW Monitor. Power Supply problems often cause very strange symptoms. These strange symptoms can also be caused by CPU, HD, cabling, and others.

    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

  4. #4
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Calif
    Posts
    182
    Thanks
    0
    Thanked 14 Times in 13 Posts
    Hi George:

    Regarding possible Rootkits: Nowadays, experienced, trained, certified, Volunteer "Malware Removal Specialists" use primarily, if not only, One or Two Rootkit "Detectors", namely GMER Rootkit Scanner and/or RootRepeal. However, the scan Results from those 2 programs are Best analyzed by those "Malware Removal Specialists", such as "Corrine", who recently joined these Forums to help because they might produce "False-Positives".
    For the BEST in what counts in Life :

    http://www.ctftoronto.com

  5. #5
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    London
    Posts
    703
    Thanks
    256
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by Ted Myers View Post
    You say you wiped the hard drive. Does this mean you formatted the hard drive? If so, then you reinstalled the hard drive and problems started again. This indeed does sound like a hardware failure. I would check the power supply voltages as well using CPU ID HW Monitor. Power Supply problems often cause very strange symptoms. These strange symptoms can also be caused by CPU, HD, cabling, and others.
    Yes Ted, I reformatted the hard drive.

    Unfortunately, running CPU ID HW Monitor didn't produce a result anything like that shown on their website, no mention of voltages. It just said:

    George
    ST 3120026A (presumably the hard drive)
    Temperatures
    Assembly Value 36° C Min. 2° C Max. 36° C

    I assumed the second and third figures referred to recommended minimum and maximum operating temperatures, as my study is nowhere near freezing during this heat wave. As this interpretation meant that the PC was operating at the maximum safe level, I ran it again a few minutes later and the result was 36 36 36. Later the result was 37 36 36, and I noticed that if one leaves the monitor open the figures change. A few minutes ago it read 39 13 39.

    There is no guidance on the web site or in the application as to how one interprets these figures, but the minimum figure does seem extremely variable. In any case, they do not refer to what you suggested as a possible cause of my problem.

    Thanks anyway.

  6. #6
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    London
    Posts
    703
    Thanks
    256
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by P T View Post
    It is possible that you have a hardware problem which is showing up as data inconsistencies - assuming you re-loaded from good virus free media. I would test the hard disk with the manufacturer's test software.

    cheers, Paul
    Hi Paul,

    Thanks for the prompt reply – my response is somewhat delayed, as I was unaware that replies had been received, and I have spent quite a lot of time on your suggestion.

    Dell offer two forms of hardware diagnostics, basic and advanced. The former only involved logging in to Dell, choosing Hardware Support, Dell detect the tag number with details of my PC, and I select IDE drives and wait a couple of minutes for the result.

    The only complication is that to my mind IDE drives mean CD/DVD writers, I have no idea whether the term also includes hard drives. The results were as follows:

    Secondary IDE Drive
    Drive 0 Diagnostics not supported. This is my DVD writer, I recognise the model No.
    Drive 1 No IDE present.

    Primary IDE Drive
    Drive 0 Pass. Probably the hard drive, as the same number quoted by Ted’s application, although it could be the old DVD writer which I was unable to remove, and may still be connected.
    Drive 1 No IDE present.

    The advanced diagnostic was a bundle of frustration. The simple way would be to boot to F12 and choose the Utility Partition, but this must have been the small partition of about 9MB which was removed when I reformatted the drive. It still appeared on the menu, but selecting it only gave two options F1 to try again and F2 to boot up as normal.

    The next option was to use the Resource CD supplied with the PC. There was no CD with that name, but one containing ‘diagnostics and utilities’, which only contains files relating to the modem and dial-up telephony. There was also Eurotools 1 and 2, but again they would not boot from F12 and don’t seem to contain anything about diagnostics.

    The last option was to download the diagnostic tool from Dell. During the download a pop-up stated that .Net Framework 1 was needed for this to work, so I downloaded that, until an error message stated that .Net Framework 3.5 had failed to install. There having been no mention of this previously, I later had a look in Control Panel and saw that .Net Framework 1, 2, CRA, CA and other files had been installed. I can dump all of them today. Anyway, the diagnostic tool being on the desktop, I unzipped it only to find 50 – 60 useless files – no readme file and nothing referring to diagnostics.

    The upshot of all this is that the hardware is probably OK, and being unable to test the voltage, I am unlikely to discover what is wrong with the PC. This raises several questions. Judging from the number of your posts, you may well be able to answer some of them for me.

    If the most likely causes are hardware or voltage problems, does this mean that the hundreds of IE5, System Volume Info_restore and Prefetch files listed by Sophos and RootkitRevealer do not exist, or at least are harmless?

    I ask because I’ve had a lot of expenses this year and can’t afford a new PC at present, so it’s a case of making do with the laptop, with its small screen and small keys, for at least six months, or persevering with the desktop and the current irritations. It is debatable which is the more annoying. Someone suggested in reply to my previous thread on reformatting that buying a new hard drive was a cheaper alternative, but is it worthwhile with a system 6.75 years old, and the front panel will not close properly, allowing more dust to enter the case.

    The thing that has been worrying me most in all this has been security. IE8 is working well, but is it as secure as Firefox? Having to click twice on every site that requires Flash is annoying, but I suppose it serves the same purpose as NoScript in FF, but IE will always be the main target of hackers.

    If a rootkit IS present, there is probably a keylogger also. This really worries me. So much so that I created a word document with all my user names and passwords for sensitive sites, never entering more than two characters at a time to any entry and moving from one to another, not always in sequence. Pasting a user name from here to a web site, then repeating the process for the password may be inconvenient, but makes me feel a little safer.

    But only a little. I don’t know whether a keylogger can only read key strokes, as suggested by the name, or whether it can also read what one is pasting from elsewhere. Also, could it read all the tabs entered while I was compiling my password doc over several days, and thus reconstruct the doc? Maybe I am being paranoid and assuming technology can do more than is currently possible, but it would be nice to know what it can do. At least no money has been taken from my bank account so far, and no unexpected credit card bills.

    When investigating the System Volume Info_restore issue I was taken to another forum where someone had asked the same question. One answer described Restore Points as the last hiding place of viruses. I followed the advice of switching off System Restore, rebooting and scanning again, and the entries had disappeared, only to be replaced with others. Does this mean it is best to keep System Restore switched off permanently? It has helped me several times in the past, and was the first place I looked when the FF troubles began, only to find there were no restore points.

    Finally, do you know a method to create a password for the PC, as the option was missing when reinstalling XP.

    George

  7. #7
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    George,

    While there are a lot of great minds on the Lounge, I would recommend that you head over to a forum that specializes in virus cleanup. I would go with the following http://www.bleepingcomputer.com/forums/topic34773.html

    These folks are very helpful and will stay with you through the long process of cleaning up your machine.

    I also would not rule out hardware failure, however, I have never seen hardware failure exhibit these exact symptoms. The programs they use and their experience in reading the logs will tell you fairly quickly if you are dealing with malware or not.

    If you decide to go this route, you will need to work with them and them alone until their process is complete as trying multiple suggestions from multiple sources at once may destroy items that need to be saved or result in incomplete removal.

  8. #8
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by George Lee View Post
    Finally, do you know a method to create a password for the PC, as the option was missing when reinstalling XP.
    For future reference, you may have two password options:

    (1) Windows XP password for the owner account (default account). This can be set in the Control Panel: Windows XP: Create and customize user accounts.

    (2) BIOS password to start the system or access the hard drive: This will depend on the BIOS installed on your system.

    Neither of these passwords is foolproof, but if you are concerned about physical access to your PC, they are useful.

  9. #9
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    London
    Posts
    703
    Thanks
    256
    Thanked 4 Times in 4 Posts
    Many thanks for that. It is reassuring to know that if I am burgled again and the PC stolen my personal documents may not be available to the thief, unless he has the equipment to crack complex passwords.

    It may also make it somewhat more difficult for hackers to gain access - I don't know if this is the case.
