    Let's chat about .... ROOTKITS !!

    Got a customer PC over the weekend that they simply wanted iTunes installed on. Wow, an easy one I'm thinking. I start the install and it locks up the PC.

    Skip forward to several scans using everything I've got, and I finally get around to scanning for a rootkit. OOPS ... well, there it is, hiding in the Windows/Temp folder with several $dgb3 or similar filenames in there, along with some perflibxx.dat files that appear to be prefetch data for the bad stuff stored elsewhere.

    ComboFix found it and said it deleted it, but it was right back when I restarted. MalwareBytes the same thing. I tried a product from McAfee and Sophos with the same results.

    My S.O.P. for these is nuke it from orbit, but the customer doesn't want to do that, so is there ANYTHING that you guys have used that can effectively deal with a rootkit ?? I doubt there is, but I have few options. I'm going to try and talk them into wiping it and I'll use the Easy Transfer wizard to back up what I can.
    Oh if a man tried to take his time on Earth and prove before he died what one man's life could be worth, well I wonder what would happen to this world ? - Harry Chapin

    #2
    Wow, that sounds nasty. You've already tried malwarebytes so I don't have anything to recommend.
    "Now more than ever the people are responsible for the character of their Congress. If that body be ignorant, reckless, and corrupt, it is because the people tolerate ignorance, recklessness, and corruption." ~President James Garfield
      #3
      One option, always, NUKE IT.

        #4
        Ya, there is no option to safely guarantee its removal at this point. Gonna call the customer and convince him we NEED to nuke it.

        I don't like even working on rootkitted PCs on my home network ... makes me very paranoid, but at least I'm smart enough to password any file shares or access, so it won't be spreading around.

        Thumb drives tho .... that's another story altogether.
          #5
          What about hijackthis and removing everything?

            #6
            Originally posted by mapes:
                What about hijackthis and removing everything?
            If MalwareBytes or ComboFix can't remove it permanently, HJT is not gonna do the trick. The thing has several hooks and hidden system calls to replace the .DLL files that I remove after a reboot, and in my experience this is wasted effort when I can run the Win7 Easy Transfer Wizard to back up their data, then blow away all partitions and format that b*tch.
              #7
              Honestly, you've done the appropriate level of effort.
              I don't know who the customer is, but you're the knowledgeable one.
              Explain to the customer the proper way to store important data they don't wish to lose (on removable/external media) due to such instances. Also elaborate on why it's so important in this day in technology due to how volatile computer data has become with the infection risk with today's computers.
              Then create an image of the machine, ghost, etc.
              Finally NUKE IT!!!!!!!!!!!!!!!!!!!
                #8
                Take notes boys. There are inherent risks at downloading pron.
                Not everything that counts on the battlefield is countable.

                  #9
                  If he will not let you "Nuke It", give him back his computer and let someone else fight with him. Especially since you were only going to install iTunes.
                  Apache

                  Where do you put the Bayonet?
                  Chesty Puller (upon seeing a flamethrower for the first time)
                  I am all in favor of keeping dangerous weapons out of the hands of fools. Lets start with typewriters.
                  Frank Lloyd Wright

                    #10
                    OOPSIE, I did an oopsie ... is that redundant ?? I backed up the PC using Easy Transfer wizard and when I go to plug in the external drive and run it on the 'new' PC, it only lists it as the OLD PC.

                    I swear I have done this in the past ... back up an XP PC using this utility, then reload the profiles using the freshly loaded OS as the 'new' PC.

                    So now I hafta either set up a Vista box or Win7 box, load the savedata.mig file containing their 22+gb of data and then copy that (manually ?) onto the old WIN XP box ... this is turning into a total clusterf ....
                      #11
                      Originally posted by WalkinTarget:
                      If MalwareBytes or ComboFix can't remove it permanently, HJT is not gonna do the trick. The thing has several hooks and hidden system calls to replace the .DLL files that I remove after a reboot, and in my experience this is wasted effort when I can run the Win7 Easy Transfer Wizard to back up their data, then blow away all partitions and format that b*tch.


                      I ran into something like this. I timed the creation of the file and registry keys. I deleted the file and registry keys and pulled the plug on the system. Worked for me.
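A defender-side way to do the timing check this reply describes, as an added example that is not from the original thread: it snapshots the files in Windows\Temp (where the thread's rootkit dropped its files) and the common Run/RunOnce autostart keys, waits, re-snapshots, and lists what was created or re-created in between. The key list, the wait interval and the Temp path are assumptions; run it from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): snapshot Windows\Temp and autostart
# Run keys, wait, re-snapshot, and report anything created or re-created.
# Assumptions: elevated PowerShell on the affected box; the key list below
# is a common starting set, not an exhaustive one.
param([int]$WaitSeconds = 60)

$tempDir = Join-Path $env:windir 'Temp'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-Snapshot {
    # Files are keyed by path + creation time, so a file you deleted that a
    # hidden component writes back under the same name still shows as new.
    $files = Get-ChildItem -Path $tempDir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "FILE|$($_.FullName)|$($_.CreationTimeUtc.ToString('o'))" }
    $regs = foreach ($k in $runKeys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "REG|$k\$($_.Name)|$($_.Value)" }
        }
    }
    return @($files) + @($regs)
}

$before = Get-Snapshot
Write-Host ("Baseline: {0} entries. Watching for {1} s..." -f $before.Count, $WaitSeconds)
Start-Sleep -Seconds $WaitSeconds
$after = Get-Snapshot

# Anything in the second snapshot that was not in the first
$seen = New-Object 'System.Collections.Generic.HashSet[string]'
$before | ForEach-Object { [void]$seen.Add($_) }
$new = @($after | Where-Object { -not $seen.Contains($_) })

if ($new.Count -eq 0) {
    Write-Host 'Nothing new appeared in the watched locations.'
} else {
    Write-Host ("{0} new entries (an item that comes back after deletion points at a hidden component):" -f $new.Count)
    $new | ForEach-Object { Write-Host "  $_" }
}
```

Delete the dropped files and keys, then run this once more: if they reappear during the wait, the component that writes them is still active and a wipe is the safer course, which is the conclusion the thread reaches.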

                        #12
                        Skipped the tedious migration onto a Vista/Win7 box and found a handy tool named MigrationRecovery from MS that extracts the .MIG file into its original directory structure.

                        Then it's just a matter of adding accounts to the customer PC to match what was there and copying the relevant files/folders into each account on the PC once the migrecover.exe finishes its task.

                        So many other things I could be doing with my free time !!
                          #13
                          Your time should not be free.
                            #14
                            Originally posted by Apache Warrior:
                                Your time should not be free.
                            Ohh, trust me, I am getting paid for the work, but my rates are too low. Standard flat rate for malware removal is $40, and for an OS reload it's $50. I should raise both at least $10 and it'd make it somewhat more worthwhile.
                            Cain's Lair Forums