1. Of note - we are in the process of upgrading the site to use HTTPS / SSL. In that time, you may be logged in/out depending on what area of the site you are looking at. If you want to be logged into the forums, please log in via https://www.tfw2005.com/boards/login/. If you do that, you will not be logged in while looking at the front page. We hope to have this fixed within the next 24 hours or so.
    Dismiss Notice

Rootkit PSA

Discussion in 'Video Games and Technology' started by process, Mar 29, 2009.

  1. process

    process Hanlon's razor Veteran TFW2005 Supporter

    Joined:
    Dec 1, 2008
    Posts:
    8,033
    News Credits:
    35
    Trophy Points:
    327
    Likes:
    +1,034
    Ebay:
    I just finished cleaning this nasty little infection off my dad's computer. I thought I'd post a little summary of what happened, and how to remove it. I wouldn't normally post something like this, but I was surprised by the apparent ease at which someone (like my dad, who is not computer-illiterate) could be infected, the severity of the symptons and the significant difficulty of removal. Here is how this situation progressed:

    1. I turned on the computer and booted into Windows XP, instantly hitting a BSOD about a Windows session error. Subsequent reboots resulted in the same thing. Booting into safe mode only yielded a cursor on a black screen, which zero functionality. Clearing the BIOS and resetting the CMOS did nothing. My first instinct was that I was dealing with a failed hard drive. Scenarios of dealing with Dell customer support began playing out in my head.

    2. By sheer luck, I managed to boot into Windows using the "last known good settings". Everything appeared to be normal. Not having ruled out the possibility of a virus, I attempted to download Malwarebytes Anti-Malware. First problem-- Internet Explorer had been hijacked. All search results for anti-virus software (Malwarebytes, AVG, Kaspersky, etc.), when clicked, would foward me to phony antivirus sites and pop-ups. A manual scan of the registry and services yielded nothing.

    3. No problem-- I whipped out my USB stick, downloaded and transferred Malwarebytes Anti-Malware, along with AVG for good measure, from my computer to the infected computer. I double-clicked on the Malwarebytes install executable-- nothing. Double-clicked again, same thing. Checking the task manager, I found that the Malwarebytes processes were stacking up without any activity. Curious. Somehow, AVG installed fine, and soon enough I had a full system scan complete, with about 50 infections, all in critical system files (explorer, winlogon,etc.) and labelled "win32/cryptor". I ran a purge, predictably with most of the infected files being left in quarantine instead of being deleted. After rebooting, I re-scanned to find that all the so-called clean files had been re-infected.

    4. If AVG had not been able to identify what was infecting the computer, I probably would have been boned at this point. However, knowing its name allowed me to quickly find this page. This revealed to me (as I had suspected at this point) that the rootkit infecting the computer (CLB Rootkit infection aka TDSS, Seneka,GAOPDX and UAC Rootkit) not only prevents web browsers from reaching anti-virus sites, but it blocks the installation of certain anti-virus programs and will cripple others that have already been installed. Using the nifty tool that the website above links to, I removed the source infection. This essentially un-crippled the computer, allowing me to run Malwarebytes to remove the rest of the infection.

    5. Perhaps the most startling revelation was that at this point I realized that Norton Antivirus software had been running on the computer this entire time. After a restart, Norton cheerfully decided to start working again. The boot problems I had initially encountered disappeared. Everything was back to normal.

    6. After a brief conversation with my dad, it sounds like the infection was spread through one of those fake anti-virus popups, not unlike the ones that had hijacked the flash advertisements on Photobucket, which are far less servere.

    In conclusion, I was surprised at the extent to which this rootkit was able to disable any and all attempts to remove it. Internet browsers, hijacked. Antivirus install *.exes, sabotaged. Antivirus software, supressed. And the sneaky nature of the rootkit made it impossible to manually find certain infected files. If I didn't have the name of the infection, or an additional computer to use, I think my only option would have been to reformat the hard drive, something that I've never had to do to disinfect a computer.

    Anyway, I just thought I'd share. :wink: