Gah !! Rootkit showing up on a work PC

#1

Just ran into this little nasty here at work that is resisting all efforts to remove it. The file is located in the Windows\System32 folder and goes by the name dgockd.dll.

I first tried to boot to a live CD, namely Ultimate Boot CD 4, and delete the little bugger. Access denied !!??!!??? Whaaa ... ???

OK, so that's a first. Any live CD is able to remove ANY file from the boot drive, so now I'm stuck. I tried changing the file attributes from a CMD window, but it's locked on a system level, not a file permission level, so it's hooked into something, either winlogon.exe or explorer.exe at this point.

I then booted into Windows Safe Mode to take a look at the file using Process Explorer, and it appears to be polymorphic, as the file by that name above is now gone from the PC.

Running Malwarebytes in Safe Mode right now, but if that doesn't fix it, we nuke it from orbit and wipe it out. Rootkits are the worst of the worst, and it's debatable whether you can even 100% guarantee that a PC will be clean after you have dealt with the rootkit.

I have only dealt with a handful of rootkits myself, but I'm curious to see what you guys have run into in your PC repair travels.

#2
Can't say I've run into one, but if you're booting off a live CD, did you make sure you powered off the computer and waited over 1 minute to ensure all memory is lost? I have heard of some nasty little bugs that will install an MBR infection that revives the memory portion that is left. These are some very sophisticated bugs and not normal. If the system is clean booted there should be no way it can prevent you from doing anything you want with the drive.
Have you tried BitDefender Rescue CD or the Linux System Rescue CD?
How to create a BitDefender Rescue CD

Download - SystemRescueCd


#3
Maybe try a Linux LiveCD? I can't see UBCD4WIN tying into Windows in any way, but since it's based off of it, not sure.

Other than that, with a rootkit, unless you can find something specific to kill it, I'd just nuke the entire thing. Especially as it's a work PC and I'm guessing you guys have a standard image you put on them all.


#4
Originally posted by Trooper110:
    Maybe try a Linux LiveCD? I can't see UBCD4WIN tying into Windows in any way, but since it's based off of it, not sure.

    Other than that, with a rootkit, unless you can find something specific to kill it, I'd just nuke the entire thing. Especially as it's a work PC and I'm guessing you guys have a standard image you put on them all.
Very good advice. Especially since it is work. The only real benefit from trying to repair it is to see if you can, for data recovery. The only real protection is a low-level format and NSA-approved wipe.


#5
Originally posted by DougBob:
    Very good advice. Especially since it is work. The only real benefit from trying to repair it is to see if you can, for data recovery. The only real protection is a low-level format and NSA-approved wipe.
Yep, no tools that I could dig up that would make me feel safe, so I wiped it. I am a bit worried about my USB thumb drive, since I copied over the user's docs to that. I've seen some crapware that copied to thumb drives, so I am not sure if a rootkit would perform in the same manner.

Only problem is, I have ANOTHER one to deal with today, and both of the two users are notorious for going to a LOT of questionable websites and clicking on anything. Some people just don't learn.
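The thumb-drive worry in the post above is a reasonable one: malware of that era that spread by removable media typically dropped an autorun.inf plus an executable, often named to look like a document. The script below is an added example (editor's code, not from the original thread) for checking such a drive from a clean live-CD boot. It assumes the drive is already mounted, read-only, at the directory passed as its first argument; the sample directory tree it builds is constructed for offline demonstration.

```sh
#!/bin/sh
# Added example, not code from the original thread: inspect a thumb drive that
# was used to rescue documents off an infected PC. Run it from a clean live-CD
# boot with the drive mounted read-only, and it lists the things file-copying
# malware leaves among the documents: an autorun.inf, executables, and
# "document" names that hide a second extension such as report.doc.exe.
# Assumptions: the drive is already mounted at the directory passed as $1
# (e.g. /mnt/usb); SAMPLE_DIR below is a constructed tree for offline use.

# Print one line per suspicious file under $1, as "<reason><TAB><path>".
# Matching is done on the lower-cased file name; the double-extension
# patterns are listed first so they win over the plain executable patterns.
scan_usb() {
    find "$1" -type f | while IFS= read -r path; do
        name=${path##*/}
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$lower" in
            autorun.inf)
                printf 'autorun\t%s\n' "$path" ;;
            *.doc.exe|*.xls.exe|*.pdf.exe|*.jpg.exe|*.txt.exe|*.doc.scr|*.pdf.scr|*.jpg.scr)
                printf 'double-ext\t%s\n' "$path" ;;
            *.exe|*.scr|*.com|*.pif|*.bat|*.cmd|*.vbs|*.js|*.dll)
                printf 'executable\t%s\n' "$path" ;;
        esac
    done
}

# Number of suspicious files under $1 (0 means nothing matched).
scan_usb_count() {
    scan_usb "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: two genuine documents plus three planted items.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/Lesson Plans" "$SAMPLE_DIR/RECYCLER"
: > "$SAMPLE_DIR/Lesson Plans/week12.doc"
: > "$SAMPLE_DIR/grades.xls"
: > "$SAMPLE_DIR/AUTORUN.INF"
: > "$SAMPLE_DIR/Lesson Plans/field trip.jpg.exe"
: > "$SAMPLE_DIR/RECYCLER/desktop.dll"

# Scan the mounted drive given on the command line, or the sample tree.
target=${1:-$SAMPLE_DIR}
echo "Scanning $target"
scan_usb "$target"
echo "suspicious files: $(scan_usb_count "$target")"
rm -rf "$SAMPLE_DIR"
```

Usage on the live CD: `mount -o ro /dev/sdb1 /mnt/usb && sh scan_usb.sh /mnt/usb`. Any hit among a folder that should contain only documents is reason enough to copy the documents off again, file by file, onto fresh media; the list of extensions is deliberately broad, since nothing executable belongs on that stick at all.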


#6
Time to lock down access.


#7
ComboFix is the only thing I know that will wipe that away .......



#8
Troop, we have limited their access with them being set up as power users, not admins. It's not great, but it's a start. We also have a group policy in place, but again it's rudimentary and much more stringent on student PCs, not teacher PCs.

Cain, I actually ran ComboFix on the PC after remembering your affection for it. Hehe ... well, it did detect the rootkit .DLL file and promised to eradicate it, but there was just no way I would trust any one app to tell me whether a true rootkit was effectively dealt with.

End result - to remove it, nuke it from orbit and wipe it clean. After seeing my live CD denied access to remove the .DLL, I was in a real pickle, and was stunned that it couldn't remove it.


#9
Originally posted by WalkinTarget:
    ... I was in a real pickle, and was stunned that it couldn't remove it.
I have seen live CDs that will by default mount some hard drives (usually NTFS drives) as read-only. You might have been able to mount the drive manually as read-write?

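The explanation in #9 is the likely answer to the "access denied" in the first post: with Windows not running, no process can hold the file, so a failed delete from a live CD almost always means the NTFS volume was mounted read-only. The following is an added example (editor's code, not from the thread or from any of the rescue CDs named) that finds such mounts and prints the commands to remount them read-write. It assumes ntfs-3g is present on the live CD, as it is on SystemRescueCd; the mount table embedded in it is a constructed /proc/mounts excerpt so the script runs offline.

```sh
#!/bin/sh
# Added example, not code from the original thread: a live-CD helper that finds
# NTFS volumes the rescue environment mounted read-only, which is the usual
# reason deleting a file from a live CD fails with "access denied" even though
# Windows is not running, and prints the commands to remount them read-write.
# Assumptions: ntfs-3g is installed on the live CD (SystemRescueCd ships it);
# SAMPLE_MOUNTS is a constructed /proc/mounts excerpt for offline demonstration.

# Read a mount table in /proc/mounts format on stdin and print
# "<device> <mountpoint>" for every NTFS-family mount carrying the ro option.
# ntfs-3g mounts show up with fstype "fuseblk"; the kernel drivers as ntfs/ntfs3.
find_ro_ntfs() {
    while read -r dev mnt fstype opts _rest; do
        case "$fstype" in
            ntfs|ntfs3|ntfs-3g|fuseblk) ;;
            *) continue ;;
        esac
        case ",$opts," in
            *,ro,*) printf '%s %s\n' "$dev" "$mnt" ;;
        esac
    done
}

# Print the commands that remount one volume ($1 device, $2 mountpoint)
# read-write. Unmounting and mounting again is more dependable for a FUSE
# filesystem than "mount -o remount,rw"; the commands are printed rather
# than executed so the operator can review them before touching the disk.
remount_rw_commands() {
    printf 'umount %s\n' "$2"
    printf 'ntfs-3g -o rw %s %s\n' "$1" "$2"
}

# Constructed sample: the Windows volume auto-mounted read-only,
# a second NTFS volume mounted normally, and two non-NTFS mounts.
SAMPLE_MOUNTS='/dev/sda1 /mnt/sysres fuseblk rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0
/dev/sda2 /mnt/windows fuseblk ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0
/dev/sdb1 /mnt/usb vfat rw,relatime,fmask=0022,dmask=0022 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# With --live (run as root on the live CD) use the real mount table;
# otherwise the constructed sample.
if [ "${1:-}" = "--live" ] && [ -r /proc/mounts ]; then
    table=$(cat /proc/mounts)
else
    table=$SAMPLE_MOUNTS
fi

printf '%s\n' "$table" | find_ro_ntfs | while read -r dev mnt; do
    echo "# $mnt ($dev) is mounted read-only; to make it writable run:"
    remount_rw_commands "$dev" "$mnt"
done
```

Once the volume is read-write, `rm /mnt/windows/Windows/System32/dgockd.dll` will succeed if the file is still there. If ntfs-3g refuses the read-write mount, it says why on stderr: the common causes are a Windows hibernation image or a volume marked dirty, and then Windows has to be booted and shut down cleanly first (or, if the machine is being reimaged anyway, the hibernation image discarded with ntfs-3g's remove_hiberfile option, which loses any unsaved Windows state).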


#10
I had rootkit issues a few weeks ago, see my "avast still good" thread. I also used a program called mbr.exe. It solved a lot of the problems that ComboFix noted. ComboFix even said to use the program, so research it. The website I got it from had a bizarre name, but the file was good and did its trick.

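Both #2 (an MBR infection that survives a reboot) and #10 (mbr.exe) are about the same hiding place: the first sector of the disk, which loads before Windows and so before any antivirus. The script below is an added example (editor's code, not mbr.exe and not from the thread) of the simplest check a scanner of that kind makes, done from a clean live-CD boot so the infected system cannot lie about what the sector contains. It assumes only dd, od and cksum; the "baseline" is an MBR saved earlier from a clean machine of the same build, and the sample sectors it builds are constructed, not real infected ones.

```sh
#!/bin/sh
# Added example, not code from the original thread and not mbr.exe itself: the
# simplest check an MBR rootkit scanner makes, done from a clean live-CD boot
# so that nothing on the infected disk can hide the sector from us. It reads
# the first 512-byte sector, verifies the 0x55AA boot signature, and compares
# the boot-code area (bytes 0-439) against a known-good copy. The partition
# table (bytes 446-509) is left out because it legitimately differs per disk.
# Assumptions: dd, od and cksum are available (all POSIX); the baseline is an
# MBR saved from a clean machine of the same build; the sample sectors below
# are constructed for offline demonstration, not real infected sectors.

# Save the first sector of disk $1 to file $2,
# e.g. mbr_backup /dev/sda /mnt/usb/pc17.mbr on a known-clean machine.
mbr_backup() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Succeed only if bytes 510-511 of $1 are 55 AA.
mbr_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# CRC of the boot-code area of $1 (bytes 0-439).
mbr_bootcode_sum() {
    dd if="$1" bs=1 count=440 2>/dev/null | cksum | cut -d' ' -f1
}

# Compare disk (or saved sector) $1 against baseline sector $2.
# Prints a verdict and returns 0 for OK, 1 for anything suspicious.
mbr_check() {
    if ! mbr_signature_ok "$1"; then
        echo "FAIL: $1 has no 55AA boot signature; not a valid MBR"
        return 1
    fi
    if [ "$(mbr_bootcode_sum "$1")" != "$(mbr_bootcode_sum "$2")" ]; then
        echo "FAIL: $1 boot code differs from baseline $2"
        return 1
    fi
    echo "OK: $1 boot code matches baseline $2"
}

# Build a 512-byte stand-in sector in file $1: string $2 as fake boot code,
# zero padding up to byte 510, then the 55 AA signature.
make_sample_mbr() {
    {
        printf '%s' "$2"
        dd if=/dev/zero bs=1 count=$((510 - ${#2})) 2>/dev/null
        printf '\125\252'
    } > "$1"
}

# Constructed demonstration: a clean sector, one with altered boot code,
# and one whose signature has been zeroed.
tmp=$(mktemp -d)
make_sample_mbr "$tmp/clean.mbr"  "STANDARD-BOOT-CODE"
make_sample_mbr "$tmp/hooked.mbr" "ROOTKIT-LOADER-CODE"
{ dd if="$tmp/clean.mbr" bs=1 count=510 2>/dev/null
  dd if=/dev/zero bs=1 count=2 2>/dev/null; } > "$tmp/nosig.mbr"

for sector in "$tmp/clean.mbr" "$tmp/hooked.mbr" "$tmp/nosig.mbr"; do
    mbr_check "$sector" "$tmp/clean.mbr" || :
done
rm -rf "$tmp"
```

On the live CD the real use is `mbr_check /dev/sda /mnt/usb/pc17.mbr`, with the baseline taken by `mbr_backup` from a machine imaged the same way (a different boot manager means a different, legitimate boot code, so the baseline must come from the same setup). A matching boot code rules out this one hiding place and nothing more; a rootkit that lives only in System32, as the one in the first post appeared to, leaves the MBR untouched, which is why the thread's conclusion of wiping and reimaging still stands.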