Help with F-Secure and Rootkit

Thread starter: Guest
I definitely have a rootkit. Not only is it obvious, but RootkitRevealer
identified it. Unfortunately, the log was compromised and I can't remember
the name. You name it, I've got it. My computer has Asian keyboards on it,
ntuser.dat in system32 as well as repair. Fake updates, dialers, my telephone
modem was running yesterday and this PC has never been hooked up to a phone
line. I am paranoid typing this, because the other day, I saved a file of
notes in regard to things I'd done and needed to do to get rid of this thing,
poof it was gone. I know this sounds weird, but I have spent almost every
waking hour for the past 3 days trying to get this squared away.

Nothing is detected by any virus scanners, because they are all, including
F-Secure, compromised before finished. The F-Secure errors were access denied
and couldn't read.

I have reformatted and repartitioned without successfully ridding the system
of this mess. I just slowed it down a little. During my reading, I ran across
some info on Nyxem, I think. The m.o. seems the same. Anyway, I have 3
computers with this problem. Yes, they were all reformatted, yes they were
taken off the shared internet connection. Yes, Yes, Yes. Yes, I am sick of
this....

If anyone, anywhere has any advice or guidance, I'd be especially
grateful....But please, if anyone posts the link to tips for asking smart
questions, I will scream. I don't think I'm even capable at this point of
asking a coherent question.
 
missyevans said:
I definitely have a rootkit. Not only is it obvious, but RootkitRevealer
identified it. Unfortunately, the log was compromised and I can't
remember the name. You name it, I've got it. My computer has Asian
keyboards on it, ntuser.dat in system32 as well as repair. Fake
updates, dialers, my telephone modem was running yesterday and this
PC has never been hooked up to a phone line. I am paranoid typing
this, because the other day, I saved a file of notes in regard to
things I'd done and needed to do to get rid of this thing, poof it
was gone. I know this sounds weird, but I have spent almost every
waking hour for the past 3 days trying to get this squared away.

Nothing is detected by any virus scanners, because they are all,
including F-Secure, compromised before finished. The F-Secure errors
were access denied and couldn't read.

I have reformatted and repartitioned without successfully ridding the
system of this mess. I just slowed it down a little. During my
reading, I ran across some info on Nyxem, I think. The m.o. seems the
same. Anyway, I have 3 computers with this problem. Yes, they were
all reformatted, yes they were taken off the shared internet
connection. Yes, Yes, Yes. Yes, I am sick of this....

If anyone, anywhere has any advice or guidance, I'd be especially
grateful....But please, if anyone posts the link to tips for asking
smart questions, I will scream. I don't think I'm even capable at
this point of asking a coherent question.


Reformat and immediately install the full version of Process Guard.
http://www.diamondcs.com.au/processguard/index.php?page=download
I have reformatted and repartitioned without successfully ridding the
system of this mess.
Bull!
 
missyevans said:
I definitely have a rootkit. Not only is it obvious, but RootkitRevealer
identified it. Unfortunately, the log was compromised and I can't remember
the name. You name it, I've got it. My computer has Asian keyboards on it,
ntuser.dat in system32 as well as repair. Fake updates, dialers, my
telephone modem was running yesterday and this PC has never been hooked up
to a phone line. I am paranoid typing this, because the other day, I saved
a file of notes in regard to things I'd done and needed to do to get rid of
this thing, poof it was gone. I know this sounds weird, but I have spent
almost every waking hour for the past 3 days trying to get this squared
away.

Nothing is detected by any virus scanners, because they are all, including
F-Secure, compromised before finished. The F-Secure errors were access
denied and couldn't read.

I have reformatted and repartitioned without successfully ridding the
system of this mess.

Either because it is a bootstrap virus (it is in the MBR's boot program
area) and you did not use "FIXMBR" (from the bootable install CD in Recovery
Mode) or "FDISK /MBR" from a bootable floppy (you can get images of them at
bootdisk.com), or more probably is that you reinstalled the infected
software.

Save your data, overwrite the MBR boot program, boot using the install CD,
and have it format all partitions before installing a fresh copy of Windows,
and restore your data (which must be ONLY data and *not* any executable
files). All of this should be done while NOT connected to the Internet
(unless you have a NAT router with its firewall to protect you). Install
your software firewall (or use the one in Windows) and install your
anti-virus software before connecting to the Internet. Then the risk is
installing the software to add to your system, so start with the
commercialware from known vendors, and preferably which comes on read-only
media, like CDs. Leave out all the fluff until you can start saving
disk/partition images so you have a means of restoring to a snapshot (System
Restore does NOT restore a snapshot of the system and is only a *partial*
restore).

It sounds like you clean the system and then reinfect it immediately with
some fluff software. The 446 bytes for the bootstrap program in the MBR is
pretty small for a virus so it would rely on the remainder of its infected
files on your drive. It is possible that it repositions the partition table
in the MBR so the standard bootstrap program (from FIXMBR or FDISK /MBR)
can't find the partition table. So you may want to use FDISK to delete all
partitions, replace the MBR bootstrap program, and then use the install CD
to create new partitions AND format them.
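The reply above reasons about the MBR layout: a 446-byte bootstrap program followed by the partition table and the boot signature in the first 512-byte sector. The following Python script is an added example (not code from the thread's participants) that parses a sector laid out that way, decodes the four 16-byte partition entries at offset 0x1BE, checks the 0x55AA signature at offset 0x1FE, and compares a SHA-256 of the bootstrap area against a baseline hash. The sample sectors, the stand-in boot bytes and the baseline hash are all constructed inline; on a real machine the baseline would come from a known-clean installation or from the same MBR recorded right after running FIXMBR, and reading the physical sector requires administrator rights and a disk-imaging tool, neither of which this example performs.

```python
"""Parse a 512-byte MBR and compare its bootstrap code against a baseline.

Added example for the thread above; the sectors below are constructed, not
captured from any real disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # offset 0x000..0x1BD: boot code
PARTITION_TABLE_OFFSET = 446  # offset 0x1BE: four 16-byte entries
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510        # offset 0x1FE: 0x55 0xAA
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA, length."""
    status, type_id, lba_start, sector_count = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": type_id,          # e.g. 0x07 for NTFS
        "lba_start": lba_start,
        "sectors": sector_count,
    }


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature and return bootstrap hash plus non-empty partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    if sector[SIGNATURE_OFFSET:] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    bootstrap = sector[:BOOTSTRAP_SIZE]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        raw = sector[off:off + PARTITION_ENTRY_SIZE]
        if raw == b"\x00" * PARTITION_ENTRY_SIZE:
            continue  # empty slot
        partitions.append(parse_partition_entry(raw))
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": partitions,
    }


def bootstrap_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """True when the 446-byte boot code is byte-identical to the recorded baseline."""
    return parse_mbr(sector)["bootstrap_sha256"] == baseline_sha256


def build_sample_mbr(bootstrap: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR: boot code, partition table, signature."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    table = b"".join(
        struct.pack("<B3sB3sII",
                    0x80 if p["bootable"] else 0x00, b"\x00\x00\x00",
                    p["type"], b"\x00\x00\x00",
                    p["lba_start"], p["sectors"])
        for p in partitions
    ).ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + MBR_SIGNATURE


# Constructed stand-in for boot code; these bytes are not real bootstrap code.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
SAMPLE_PARTITIONS = [
    {"bootable": True, "type": 0x07, "lba_start": 63, "sectors": 2097152},
]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTSTRAP, SAMPLE_PARTITIONS)
# Baseline recorded from the clean sector (constructed here).
CLEAN_BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_SIZE]).hexdigest()
# Same partition table, altered boot code: the case the reply describes.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOTSTRAP, SAMPLE_PARTITIONS)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sector)
        print(name, "bootstrap matches baseline:",
              bootstrap_matches_baseline(sector, CLEAN_BASELINE))
        for p in info["partitions"]:
            print("  partition:", p)
```

The point the example makes: an altered bootstrap changes the hash while the partition table parses identically, so a partition listing alone would not reveal it, and only a byte-level comparison of the 446-byte area against a baseline does. Writing a known-good bootstrap back (FIXMBR or FDISK /MBR, as the reply says) resets that area and leaves the partition table in place.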
 
You may want to format your hard drive which you find suspicious.
As soon as you reformat the hard drive, make sure you have the firewall ON.

Windows XP (both SP1 and SP2) incorporates a firewall.

Then, install a *reputable* antivirus and antispyware software, update them,
configure them and install the drivers for the machine.

Update your Windows using Windows Update site:
http://windowsupdate.microsoft.com

Be very careful which i-net pages you visit and extremely careful what you
install.
:-)

Do not hesitate to contact the Community again ! ;-)

Panda_man
 