Page 1 of 2 (results 1 to 15 of 20)
  1. #1  2 Star Lounger | Joined Feb 2009 | Tucson, AZ, USA | Posts: 185

    Do I have a rootkit?

    My computer has been behaving churlishly of late, including refusal to install software because it violates group policy. My Win 7 Pro, my wife's Home Premium, and a Win Hate point one portable are the only machines on my home network. I have never set any kind of group policy or even thought about it. Investigating how to get control of my group policy, I ran into some very troubling posts about a four-year-old Chinese rootkit that seems to be the worst thing in the world:
    Google GPU Para-Virtualization Root-Kit
    Google Rakshasha Malware
    Google Mebromi

    Does anybody have any experience with these or with why I should have group policy problems when I am the (clueless) admin?
    Dan Lynch
    The stonecherub

  2. #2  5 Star Lounger | Joined Dec 2009 | S.F. Bay Area, California, USA | Posts: 735
    Dan,

    ??Do you have Cryptoprevent installed??

    Zig

  3. #3  2 Star Lounger | Joined Feb 2009 | Tucson, AZ, USA | Posts: 185
    I had it installed but it gave me so much trouble (I just remember the trouble, not what it was, specifically) that I removed it. How will that prevent a rootkit from loading?
    Dan Lynch
    The stonecherub

  4. #4  5 Star Lounger | Joined Dec 2009 | S.F. Bay Area, California, USA | Posts: 735
    Dan,

    It will prevent any programs that look like they might be rootkits from installing, unless you've "whitelisted" them. You probably haven't really removed Cryptoprevent's modifications, as those are settings in your computer. Suggest you reinstall it, then remove the restrictions previously set.

    Zig
    Last edited by Zig; 2015-08-07 at 21:23.

  5. #5  Super Moderator satrow | Joined Dec 2009 | Cardiff, UK | Posts: 4,486
    Topic moved to Security & Scams.

  6. #6  2 Star Lounger | Joined Feb 2009 | Tucson, AZ, USA | Posts: 185
    Every so often, usually in the evenings, my computer becomes conditionally useless.

    Intel Core i5 CPU K655 @3.2 GHz x64, P7P55LX mobo, Windows 7 Pro SP1 64 bit patched.

    PaleMoon browser, a Firefox variant, is always running and commonly set to the weather radar page which runs a Flash player plugin so that I can watch local thunderstorms. It is set to auto-update every so often (important because a normal 2-second update can drag out over 10 minutes or more).

    Mark Russinovich’s Process Explorer (v14.11, newer versions won’t install) is up, showing the System Information CPU usage graph. This graph usually shows < 20% usage and DOES NOT CHANGE even though the machine is locked up and appears to have no clock cycles.

    If Winword (2007) is running, I can continue writing in the document but not save it.

    Programs can neither be launched nor closed.

    I have NetWorx but have not been paying attention to it.

    Cryptoprevent went on this morning.
    Dan Lynch
    The stonecherub

  7. #7  Super Moderator | Joined Aug 2012 | Durham, UK | Posts: 6,610
    I used to have CryptoPrevent installed but found it was blocking Control Panel cmds and used IOBit Uninstaller to remove it.

    Did your suspected rootkit problems start after the removal of C/P?

    The free version of MBAM has a Rootkit scan option and ESET Online Free Scanner is pretty good at finding what shouldn't be there as well as Norton Power Eraser, but that can take out legit programs.

    Checking to see if you have the same problems when booted up into Safe Mode with Networking could tell you if it's any 3rd party that's causing problems, but if in doubt then it would be advisable to register on a forum that has specialist disinfection experts.

    Satrow recommended one for a member who appeared to have a fake BSOD infection, but I can't remember what it was.

  8. #8  5 Star Lounger | Joined Dec 2009 | S.F. Bay Area, California, USA | Posts: 735
    Sudo,

    Control Panel commands (.cpl) can be unblocked in Cryptoprevent, if you wish.

    The OP should reinstall Cryptoprevent, then set the protection to "None" on the Selected Protection Level screen, then reboot.

    Zig
    Last edited by Zig; 2015-08-08 at 16:51.

  9. #9  Super Moderator | Joined Aug 2012 | Durham, UK | Posts: 6,610
    I didn't like it anyway as it seemed a bit intrusive for me and seemed to want to take over the laptop, but I didn't go into it to see what could be excluded.

    I use HitmanPro.Alert2 which has Crypto Guard and watches your browser.

    Did try HitmanPro.Alert3 but it was causing problems.
    Last edited by Sudo15; 2015-08-08 at 17:00.

  10. #10  2 Star Lounger | Joined Feb 2009 | Tucson, AZ, USA | Posts: 185
    I tried free CryptoPrevent last year and removed it last year; the slow-down is from a couple of months ago. I have both Vipre and Malwarebytes (I'm a paranoid SOB) on my machine. Nobody finds nothin'.

    Next time I experience a slowdown, I'm going to start looking at bandwidth usage with NetWorx. I am most bothered by having Process Explorer completely unaware that the CPU is running at 100%.

    I'm a geologist and I understand my computer only dimly. The more I read and experience, the more convinced I am that the criminals are completely in charge; the systems are so irreducibly complex. The thread that described the GPU Para-Virtualization Root-Kit suggested that the disks with my images are corrupt, and I'm worried that getting these images onto a clean machine may be impossible.
    Dan Lynch
    The stonecherub

  11. #11  Super Moderator | Joined Jun 2011 | New England | Posts: 4,746
    Ironically, it's probably Vipre's rootkit detection during a scheduled scan which causes your 100% CPU usage:

    Quick Fix: SBAMsvc.exe causing 100% CPU utilization

    And Vipre has caused similar problems for WS Lounge members in the past:

    alert: 100 percent CPU with VIPRE for some
    Last edited by BruceR; 2015-08-08 at 20:21.

  12. #12  2 Star Lounger | Joined Feb 2009 | Tucson, AZ, USA | Posts: 185
    Brother, here we go again.

    At 17:00, in accordance with the schedule, Vipre ran a scan. With the Process Explorer System Information graph on the screen, I watched SBAMSvc use all four of the CPU cores. It was done in about 15 minutes.

    Close to 18:00, the computer dragged to a near halt. The weather bureau Flash updates dragged out over many minutes; no programs could be started or closed. NetWorx did not show any unusual communications activity.

    Interestingly enough, cores 1 and 3 dropped to very low activity while 0 and 2 were 10 to 20%.

    I don't know where to go from here. I can read while the computer goes walkabout but I really would like to know why.
    Dan Lynch
    The stonecherub

  13. #13  WS Lounge VIP | Joined Dec 2009 | Earth | Posts: 8,179
    It could be very high disk activity due to lack of RAM. Check those figures in Task Manager.

    cheers, Paul
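    As an added example (not from the thread or any of its posters), here is a PowerShell sampler for the figures Paul suggests checking: it logs available RAM, paging rate, disk queue length and CPU every few seconds, so a freeze like the ones described can be compared with a quiet period instead of relying on a live Task Manager view. The log path and the verdict thresholds are assumptions, not values from the thread.

```powershell
# Added example, not from the thread: log RAM, paging, disk-queue and CPU
# counters so a freeze can be compared with normal operation afterwards.
# Uses only Get-Counter, which the PowerShell 2.0 shipped with Windows 7 has.
# Assumed: run from an elevated console; the log path and the thresholds in
# the verdict logic are rule-of-thumb placeholders, not figures from the thread.
$counters = @(
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\Processor(_Total)\% Processor Time'
)
$log = 'C:\Temp\perf-sample.log'   # placeholder path

# One sample every 5 seconds for 10 minutes (120 samples); adjust to taste.
Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 120 | ForEach-Object {
    $v = @{}
    foreach ($s in $_.CounterSamples) {
        # The last path segment ("Available MBytes", "Pages/sec", ...) is unique here
        $v[$s.Path.Split('\')[-1]] = $s.CookedValue
    }

    # Rough reading of the combination Paul asks about (assumed thresholds)
    $verdict = 'ok'
    if ($v['Pages/sec'] -gt 1000 -and $v['Available MBytes'] -lt 512) {
        $verdict = 'RAM pressure: heavy paging with little free memory'
    } elseif ($v['Avg. Disk Queue Length'] -gt 2 -and $v['% Processor Time'] -lt 30) {
        $verdict = 'disk-bound: queued I/O while the CPU is mostly idle'
    }

    $vals = @(
        $_.Timestamp.ToString('HH:mm:ss'),
        $v['Available MBytes'],
        $v['Pages/sec'],
        $v['Avg. Disk Queue Length'],
        $v['% Disk Time'],
        $v['% Processor Time'],
        $verdict
    )
    $line = '{0} availMB={1:N0} pages/s={2:N0} diskQ={3:N1} disk%={4:N0} cpu%={5:N0}  {6}' -f $vals
    Write-Host $line
    Add-Content -Path $log -Value $line
}
```

    A run that stays at "ok" through a freeze points away from memory and disk and toward something Task Manager's counters do not show, such as a hung driver or a blocked UI thread.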

  14. #14  2 Star Lounger | Joined Feb 2009 | Tucson, AZ, USA | Posts: 185
    This machine has 16 GB of RAM and I have never seen more than half reported in use by Process Explorer. This with Lightroom and IMatch5 running. The old saw, "You can't have too much memory," seems not to be true (I am running 64 bit). I wonder if there is something wrong with memory management.

    I am also wondering if there is something wrong with Process Explorer. I am using an older version because, like many people, I am unable to install more recent versions on my Win 7 machine. "Unable to extract 64-bit image. Run Process explorer from a writeable directory." No directory I try is "writeable."

    The machine crawls to a near halt; my attempts to use some running programs get the little spinning circle, others work. The four graphs in System Information, meanwhile, show normal activity with physical memory < 5 GB in use and > 80% CPU System Idle. I do not hear disks thrashing (but I'm old). NetWorx shows no abnormal I/O.

    This is very strange.
    Dan Lynch
    The stonecherub

  15. #15  5 Star Lounger | Joined Dec 2009 | S.F. Bay Area, California, USA | Posts: 735
    > I am unable to install more recent versions on my Win 7 machine. "Unable to extract 64-bit image. Run Process explorer from a writeable directory." No directory I try is "writeable."

    Still sounds suspiciously like Cryptoprevent. ??Have you tried reinstalling Cryptoprevent, setting the protection to "None," rebooting, THEN uninstalling it??

    Zig (who's nothing if not persistent)
