WARNING: New Rootkit?

animedreamer

I was troubleshooting a client's computer and came across a strange
problem. The shares I had set up on their server were randomly
dropping. To say the least, I was quite confused. I rebooted the
server and a Security Warning appeared asking whether I wanted to run
svchos32.exe. At this point, I suspected some sort of virus infection.
According to the security warning, this file was located in the
C:\Windows\System32 folder. I made sure hidden files were being shown,
inspected the directory in question and could not find anything. At
this point, I began thinking perhaps this could be a rootkit. I went
to the Sysinternals website and downloaded both Autoruns and Rootkit
Revealer. After performing a search from the Autoruns program, I
determined that the file in question was trying to start from an entry
in the registry. The entry had a description of "Microsoft Box."
After disabling this file from starting, I have not experienced any
more problems. I am currently running Rootkit Revealer and will post
my results if anything of interest appears.
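The symptom above (a Run entry pointing at a file in System32 that no directory listing shows) can be checked without Autoruns by reading the autostart keys yourself and asking two independent callers whether the target exists. The script below is an added example, not the poster's procedure or a Sysinternals tool: it walks the common Run/RunOnce keys (an assumed, deliberately short list), reduces each value to a file path, and reports whether the Win32 API (Test-Path), a raw cmd.exe "dir /a" listing, and the Authenticode check agree on the file. An entry whose target is missing in both views is either stale or hidden; an entry that claims a Microsoft origin but has no valid signature is the "Microsoft Box" pattern. Run it from an elevated PowerShell prompt on the suspect machine.

```powershell
# Added example (not from the original thread): cross-check autostart Run
# entries against two views of the file system plus the code signature.
# The key list is an assumption; Autoruns covers many more locations.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath {
    # Reduce a Run value ("C:\x\y.exe" /arg, or %SystemRoot%\y.exe /arg)
    # to the path of the launched file. Limitation: for rundll32-style
    # entries this returns rundll32.exe itself rather than the DLL it loads.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.(exe|dll|cmd|bat|vbs|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds provider metadata next to the real values; skip it.
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }

        $target = Get-CommandPath -CommandLine ([string]$p.Value)
        $parent = Split-Path -Path $target -Parent
        $leaf   = Split-Path -Path $target -Leaf

        # View 1: the file API as PowerShell sees it.
        $apiSees = Test-Path -LiteralPath $target -PathType Leaf

        # View 2: a raw "dir /a /b" from cmd.exe. A hook or filter that lies to
        # one caller does not always lie to the other, so disagreement between
        # the two columns is worth a closer look. The listing is attempted even
        # when the parent looks absent, since the parent itself may be hidden.
        $dirSees = $false
        if ($parent) {
            $listing = & cmd.exe /c "dir /a /b `"$parent`"" 2>$null
            $dirSees = @($listing) -contains $leaf
        }

        # View 3: is the binary signed, and by whom? An entry that advertises a
        # Microsoft name or description but carries no valid signature is suspect.
        $sigStatus = 'n/a'; $signer = ''
        if ($apiSees) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Key = $key; Name = $p.Name; Target = $target
            ApiSees = $apiSees; DirSees = $dirSees
            Signature = $sigStatus; Signer = $signer
        }
    }
}

# Full inventory first, then only the entries that need attention.
$results | Format-Table -AutoSize
$results |
    Where-Object { -not $_.ApiSees -or -not $_.DirSees -or $_.Signature -ne 'Valid' } |
    Format-Table Key, Name, Target, ApiSees, DirSees, Signature -AutoSize
```

A flagged entry is only a lead: disable it (as the poster did in Autoruns) and go looking for why the file is invisible. Both views live on the suspect machine, so a kernel-mode rootkit that filters the file system can lie to both; the stronger check is the one Rootkit Revealer approximates, comparing the live view against one taken from a trusted environment, such as the disk mounted from clean boot media. The five keys above are also a small fraction of what Autoruns inspects (services, drivers, Winlogon notifications, shell extensions and so on), so treat this as a first pass, not a replacement.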
 
Gabriela Salvisberg

(e-mail address removed) wrote:

> [snip]
> After disabling this file from starting, I have not experienced any
> more problems. I am currently running Rootkit Revealer and will post
> my results if anything of interest appears.

You could additionally try F-Secure's Blacklight, which not only scans
for rootkits but also should be able to remove them:
http://www.f-secure.com/blacklight/try.shtml

Gabriela
 
Todd H.

Gabriela Salvisberg said:

> (e-mail address removed) wrote:
>
> > [snip]
> > After disabling this file from starting, I have not experienced any
> > more problems. I am currently running Rootkit Revealer and will post
> > my results if anything of interest appears.
>
> You could additionally try F-Secure's Blacklight, which not only scans
> for rootkits but also should be able to remove them:
> http://www.f-secure.com/blacklight/try.shtml

But if you've been owned enough to have a full rootkit installed on a
given machine, you'd be completely nuts to trust any tool to remove a
rootkit. :)

You'd want to reformat and reinstall from original media.

Good info on blacklight's capabilities though!
 
Gabriela Salvisberg

> But if you've been owned enough to have a full rootkit installed on a
> given machine, you'd be completely nuts to trust any tool to remove a
> rootkit. :)

I agree. Because you never know what someone might already have
(remotely) done with it.

> You'd want to reformat and reinstall from original media.

You're right. If it was my machine, I wouldn't trust it anymore,
unless it got formatted and reinstalled.

But in my opinion: Between "don't do anything about the malware" and
"format and reinstall" there's the "remove malware" option, which is
still a bit (only a *little* bit!) better than doing nothing.

Gabriela
 
edgewalker

Todd H. said:

> But if you've been owned enough to have a full rootkit installed on a
> given machine, you'd be completely nuts to trust any tool to remove a
> rootkit. :)

In this instance, a rootkit could be a single program, and easily removed.

> You'd want to reformat and reinstall from original media.

Rootkits ain't what they used to be. It could be as simple as a filter driver
that hides the presence of one directory from the system's utilities by filtering
data returned from the file system before the utility gets it.

...it used to mean you were completely hosed by the presence of multiple
trojaned executable files.
 
edgewalker

Gabriela Salvisberg said:

> I agree. Because you never know what someone might already have
> (remotely) done with it.

But that is ancillary to the removal of the rootkit, just as removing a backdoor
may be simple, but you don't know what else was done while it was active.

> You're right. If it was my machine, I wouldn't trust it anymore,
> unless it got formatted and reinstalled.

If I had reason to believe that it wasn't actually used maliciously, I would
just remove it. Otherwise, that's what a good backup strategy is for.

> But in my opinion: Between "don't do anything about the malware" and
> "format and reinstall" there's the "remove malware" option, which is
> still a bit (only a *little* bit!) better than doing nothing.

:))
 