    Gah !! Rootkit showing up on a work PC

    Just ran into this little nasty here at work that is resisting all efforts to remove it. The file is located in the Windows/System 32 folder and goes by the name dgockd.dll.

    I first tried to boot to a live CD, namely Ultimate Boot CD 4, and delete the little bugger. Access denied !!??!!??? Whaaa ... ???

    OK, so that's a first. Any live CD is able to remove ANY file from the boot drive, so now I'm stuck. I tried changing the file attributes from a CMD window, but it's locked on a system level, not a file permission level, so it's hooked into something, either winlogon.exe or explorer.exe at this point.

    I then booted into Windows Safe Mode to take a look at the file using ProcessExplorer, and it appears to be polymorphic, as the file by that name above is now gone from the PC.

    Running MalwareBytes in Safe Mode right now, but if that doesn't fix it, we nuke it from orbit and wipe it out. Rootkits are the worst of the worst, and it's debatable whether you can even 100% guarantee that a PC will be clean after you have dealt with the rootkit.

    I have only dealt with a handful of rootkits myself, but I'm curious to see what you guys have run into in your PC repair travels.
    Oh if a man tried to take his time on Earth and prove before he died what one man's life could be worth, well I wonder what would happen to this world ? - Harry Chapin

    #2
    Can't say I've run into one, but if you're booting off a live CD did you make sure you powered off the computer and waited over 1 minute to ensure all memory is lost? I have heard of some nasty little bugs that will install an MBR infection that revives the memory portion that is left. These are some very sophisticated bugs and not normal. If the system is clean-booted there should be no way it can prevent you from doing anything you want with the drive.
    Have you tried BitDefender Rescue CD or the Linux System Rescue CD?
    How to create a BitDefender Rescue CD

    Download - SystemRescueCd


      #3
      Maybe try a Linux LiveCD? I can't see UBCD4WIN tying in to Windows in any way, but since it's based off of it not sure.

      Other than that with a Rootkit unless you can find something specific to kill it, I'd just nuke the entire thing. Especially as it's a work PC and I'm guessing you guys have a standard image you put on them all.


        #4
        Originally posted by Trooper110:
        Maybe try a Linux LiveCD? I can't see UBCD4WIN tying in to Windows in any way, but since it's based off of it not sure.

        Other than that with a Rootkit unless you can find something specific to kill it, I'd just nuke the entire thing. Especially as it's a work PC and I'm guessing you guys have a standard image you put on them all.
        Very good advice. Especially since it is work. The only real benefit from trying to repair it is to see if you can, for data recovery. The only real protection is a low-level format and an NSA-approved wipe.


          #5
          Originally posted by DougBob:
          Very good advice. Especially since it is work. The only real benefit from trying to repair it is to see if you can, for data recovery. The only real protection is a low-level format and an NSA-approved wipe.
          Yep, no tools that I could dig up that would make me feel safe, so I wiped it. I am a bit worried about my USB thumb drive, since I copied over the user's docs to that. I've seen some crapware that copied to thumb drives, so I am not sure if a rootkit would perform in the same manner.

          Only problem is, I have ANOTHER one to deal with today, and both of the two users are notorious for going to a LOT of questionable websites and clicking on anything. Some people just don't learn.


            #6
            Time to lock down access


              #7
              ComboFix is the only thing I know that will wipe that away .......



                #8
                Troop, we have limited their access with them being set up as power users, not admins. It's not great, but it's a start. We also have a group policy in place, but again it's rudimentary and much more stringent on student PCs, not teacher PCs.

                Cain, I actually ran ComboFix on the PC after remembering your affection for it. Hehe ... well, it did detect the rootkit .DLL file and promised to eradicate it, but there was just no way I would trust any one app to tell me whether a true rootkit was effectively dealt with.

                End result - to remove it, nuke it from orbit and wipe it clean. After seeing my Live CD denied access to remove the .DLL, I was in a real pickle, and was stunned that it couldn't remove it.


                  #9
                  Originally posted by WalkinTarget:
                  ... I was in a real pickle, and was stunned that it couldn't remove it.
                  I have seen live CDs that will by default mount some hard drives (usually NTFS drives) as read-only. You might have been able to mount the drive manually as read-write?

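The read-only mount that #9 describes is easy to confirm from the rescue shell before blaming the malware. The script below is an added example and is not part of the thread or of any tool mentioned in it; it assumes a Linux rescue environment (SystemRescueCd or similar) with awk, umount and ntfs-3g installed, and the mount table it demonstrates on is constructed, while the functions default to the real /proc/mounts.

```shell
# Added example, not from the thread. Assumes a Linux rescue shell with awk,
# umount and ntfs-3g; the sample mount table at the bottom is constructed.

# mount_is_ro MOUNTPOINT [MOUNTS_FILE]
# exit 0 = mounted read-only, 1 = mounted read-write, 2 = not mounted at all.
# Field 2 of /proc/mounts is the mount point, field 4 the option list.
mount_is_ro() {
    mp=$1
    table=${2:-/proc/mounts}
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$table" | tail -n 1)
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# remove_from_windows_volume DEVICE MOUNTPOINT RELATIVE_PATH
# If the live CD mounted the NTFS volume read-only, unmount it and mount it
# again read-write with ntfs-3g, then delete the file. ntfs-3g refuses a
# read-write mount while Windows is hibernated (active hiberfil.sys); on a box
# that is going to be wiped anyway, add -o remove_hiberfile, otherwise shut
# Windows down fully first. Deleting the file does not remove whatever loads
# it (service, registry entry, boot sector), so treat this as evidence
# collection, not as a cleanup.
remove_from_windows_volume() {
    dev=$1; mp=$2; rel=$3
    rc=0
    mount_is_ro "$mp" || rc=$?
    case $rc in
        0) umount "$mp" || return 1
           mount -t ntfs-3g -o rw "$dev" "$mp" || return 1 ;;
        2) mount -t ntfs-3g -o rw "$dev" "$mp" || return 1 ;;
    esac
    rm -v -- "$mp/$rel"
}
# Real usage (device and path are assumptions for the example):
#   remove_from_windows_volume /dev/sda1 /mnt/win Windows/System32/dgockd.dll

# Demonstration on a constructed mount table: one ro NTFS mount, one rw ext4.
sample=$(mktemp)
printf '%s\n' \
  '/dev/sda1 /mnt/win fuseblk ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0' \
  '/dev/sdb1 /mnt/data ext4 rw,relatime 0 0' > "$sample"
for mp in /mnt/win /mnt/data /mnt/none; do
    rc=0; mount_is_ro "$mp" "$sample" || rc=$?
    echo "$mp -> $rc"
done
rm -f "$sample"
```

Two practical notes: ntfs-3g is case-sensitive by default, so give the path exactly as `ls /mnt/win/Windows/System32` shows it, and the "access denied" from a read-only mount is a mount problem, not a sign that the malware is fighting back from a clean boot.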


                    #10
                    I had rootkit issues a few weeks ago, see my "avast still good" thread. I also used a program called mbr.exe. It solved a lot of the problems that ComboFix noted. ComboFix even said to use the program, so research it; the website I got it from had a bizarre name, but the file was good and did its trick.

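Posts #2 and #10 both point at the MBR as a place a rootkit can hide. When the machine is already booted from a rescue CD, the first sector can be checked directly rather than trusting any one cleaner's verdict. The script below is an added example, not code from the thread or from mbr.exe/ComboFix; it assumes a Linux rescue shell with dd, od and sha256sum (falling back to cksum), and the sectors it demonstrates on are constructed in the script. A real check dumps the suspect sector with dump_mbr and compares it against a sector dumped from a known-clean machine built from the same image.

```shell
# Added example, not from the thread. Assumes a Linux rescue shell with dd, od
# and sha256sum (or cksum). DEVICE may be a block device or a raw image file.

# dump_mbr DEVICE OUT: copy the first 512-byte sector to OUT.
dump_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# mbr_signature_ok SECTOR: 0 if bytes 510-511 are the 0x55 0xAA boot marker.
mbr_signature_ok() {
    sig=$(od -An -tx1 -j510 -N2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# mbr_bootcode_hash SECTOR: digest of bytes 0-439 only. The 4-byte disk
# signature (440-443) and the partition table (446-509) legitimately differ
# from machine to machine, so they are left out of the comparison.
mbr_bootcode_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        dd if="$1" bs=1 count=440 2>/dev/null | sha256sum | cut -d' ' -f1
    else
        dd if="$1" bs=1 count=440 2>/dev/null | cksum | cut -d' ' -f1
    fi
}

# mbr_bootcode_matches SUSPECT GOOD: 0 when the boot code is identical to a
# reference sector dumped from a known-clean machine with the same image.
mbr_bootcode_matches() {
    [ "$(mbr_bootcode_hash "$1")" = "$(mbr_bootcode_hash "$2")" ]
}

# mbr_partition_types SECTOR: status byte and type byte of the four entries,
# one per line. "80 07" = bootable NTFS/HPFS, "00 00" = empty slot. An extra
# or altered entry is another thing a bootkit can leave behind.
mbr_partition_types() {
    i=0
    while [ "$i" -lt 4 ]; do
        off=$((446 + i * 16))
        status=$(od -An -tx1 -j"$off" -N1 "$1" | tr -d ' \n')
        ptype=$(od -An -tx1 -j"$((off + 4))" -N1 "$1" | tr -d ' \n')
        echo "$status $ptype"
        i=$((i + 1))
    done
}

# make_sample_sector OUT BOOTCODE_OCTAL: constructed 512-byte sector for the
# demonstration only: given leading boot-code bytes, one bootable NTFS entry,
# valid 0x55AA marker. Real sectors come from dump_mbr.
make_sample_sector() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '%b' "$2" | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf '\200' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\007' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Demonstration: a reference sector and a copy with one patched boot-code byte.
good=$(mktemp); bad=$(mktemp)
make_sample_sector "$good" '\353\143\220'
make_sample_sector "$bad"  '\353\143\220'
printf '\220' | dd of="$bad" bs=1 seek=100 conv=notrunc 2>/dev/null
mbr_signature_ok "$good" && echo "reference: boot signature ok"
mbr_partition_types "$good"
mbr_bootcode_matches "$bad" "$good" || echo "suspect: boot code differs from reference"
rm -f "$good" "$bad"
```

A match against the reference does not prove the disk is clean (the first sector is only one hiding place), but a mismatch on a fleet of identically imaged machines is a strong reason to wipe rather than clean, which is where the thread ended up anyway.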