PaulLukitsch
FINALLY I found other people who have experienced this problem!!
Posted in this Group and others. I posted this as a reply in another
group, but thought for expediency, I would start a new thread in this
post.
OK.....
I have been dealing with a persistent malware problem since early this
year. I have had not only problems with the malware affecting my
laptop, but also from the numerous boards and forums where I would try
to seek help, and after following instructions (although I am fairly
computer savvy), they typically would believe I was lying or not
following their instructions. I am using (currently) Vista Home Prem.
x64 on an HP Pavilion dv4 1225dx.
I noticed this string of registry key changes as the previous posters
noted. And I have seen this happen on my PC : (a) after re-
installation of my OS, (b) after performing a dd if=/dev/urandom of=/
dev/sda bs=10M conv=notrunc from a LIVE linux CD--thereby wiping my
drive with random characters, and THEN reinstalling my OS, and (c)
after I decided to get mad, and I went out and bought a new HDD for my
laptop.... then reinstalled my OS.
But none of those things changed anything. This is a rootkit, and I
believe it is a PCI rootkit. I do not know how it got on my machine
initially, but the sad thing is, it occurred back in February, and
then I bought a new laptop in April and accidentally stuck a USB pen
drive (Doh!) into it, and I saw my screen flicker, and I knew what I
had done (I had not even been out of Best Buy where I bought it for
more than 20 minutes). I should have just made up some excuse to
return the laptop then, but I figured "How hard can it be to remove a
virus/rootkit? If I have to reinstall my OS, I will"
But this rootkit does not care if you reinstall your OS. I have even
re-installed my OS, and halfway through the reinstallation, I
unplugged the machine abruptly, took out the battery, and the 4GB of
DIMMS in the laptop, and let the whole thing sit for 4 hours. I then
continued my reinstallation. It didn't matter.
It is some form of ROM rootkit, because after installation, if I set
my firewall to advanced, and make sure I check all outbound and
inbound traffic FIRST, I notice several things....
1. LSASS.exe tries to access the net (to an IP in China or other
exotic places, all of which are probably proxies), but there is no
LSASS.EXE other than the one in windows/system32 -- right where it is
supposed to be.
2. Services.exe accesses the net (I thought that this might be normal,
but I read it is only under certain circumstances related to PnP....
which, by the way, the PnP service cannot be disabled, as the whole
dialog box on that service is grayed out).
3. I do not have administrative rights... I have invoked the super
"Administrator", set an NSA-style passphrase for it (I even wrote a
random character gen script in Perl, then copied a 20 char string
from it and pasted it into the Password Box; then I printed the Perl
output so I would never forget this random character string). And I
will try to use several network monitoring applications which I
download for trial use, and even as THE ADMINISTRATOR (I delete all
other users), it states I do not have administrative rights to run
the application!
I have installed windows, then installed a debian/ubuntu based Linux
(backtrack 4 or Linux Mint), as a dual-boot, and ultimately, both of
these OSs will get corrupted too!!! I NEVER set up smb/samba in Linux,
and make sure any daemons are not using Samba, but somehow, whatever
access has been made through my windows partition, migrates to my new
Linux partition, and infects it.
This probably sounds crazy, and I know it has lowered my quality of
life. But I have already bought a second laptop, I cannot imagine
there is not a way around this to eradicate it.
Lastly, during Thanksgiving 2 days ago, I was at friends and I noticed
he had an old Netgear router/firewall. He let me have it and I am
running it now. I shut off UPnP on the router, and turned up the
built-in firewall to a rather strict level. It seems to be doing OK,
but that may be because whatever rootkit I am infected with cannot get
unfettered access to the net because of the hardware firewall (it
always walked right through any software firewall in a matter of
days), and therefore cannot grow and take over my system.
But I have been hoping to meet a Windows expert with an open mind...
maybe there is someone here who fits this description. Far too often I
will seek help, and the Windows expert who is assisting me, will spend
1/3 of the time spewing platitudes like "you shouldn't use the
Administrator user" or asking me if my Windows update has been turned
on.
Just as an FYI, since this started I read Stanek's Windows Command
Line probably 3x, and the SAMS Windows Vista: Management and
Administration perhaps 2x. This additional information has sometimes
allowed me to slow this malware down, but never have I been able to
stop it. It seems to change/morph so rapidly to whatever obstacles I
try to put in its place that I sometimes feel as if someone was
specifically interested in hacking my PC as opposed to some mindless
Bot-agent that gets orders from some central server. Otherwise,
whoever coded this beast is brilliant and must have a database
somewhere updating this code for a myriad of situations.
So.... I hope someone can respond to this. I have stacks of
screenshots using Sysinternals applications which show things I believe
to be evidence of this RAT, and overall more knowledge than I care to
have about it too.
But that registry update the other poster mentions... (there are 569
registry changes that take place upon bootup that are part of this
rootkit's expansion into the system -- it happens on maybe the 3rd or
4th boot after I enable network/internet access) -- but the last one is
in fact a change to "SDTable" and it stays on the screen for about 3
seconds before it continues the boot into windows. This is why
everyone remembers it.
I also think I am in some active domain and therefore my "local
administrator's rights" have been made subject to the domain
controller.
I work at home.... as far as I know, no one has ever had physical
access to my PC.
Paul