Rootkit?

Joined Dec 23, 2007 | Messages 2,494 | Points 0
I have a laptop I got from someone at work that they want me to look at, and I'm pretty sure there is a rootkit of some sort on this machine. They say that some random antivirus popped up and started scanning, which I think would be a virus antivirus thing that is becoming so common. Running any other real antivirus program locks the computer up to the point that Ctrl+Alt+Delete won't even bring up taskmgr.

I've used Rootkit Revealer, and I get 4 hits before the machine locks. I can't see the whole text of the registry entries it finds because the thing locks and I can't see all of the file info, but they are something like this...

HKU\S-1-5-21... 0 bytes key name contains embedded nulls
HKLM\SECURIT... 0 bytes Key name contains embedded nulls
HKLM\SECURIT... 0 bytes key name contains embedded nulls
HKLM\SOFTWA.. 13 bytes Data mismatch between Windows API...

Can anyone confirm that this is something that is best fixed by a complete reformat and reinstall?

mfo | Joined Jul 3, 2009 | Messages 3,394 | Points 0
Did you try scanning in safe mode?

Joined Dec 23, 2007 | Messages 2,494 | Points 0
It might make me sound retarded, but I haven't tried that. I just turned off everything in msconfig.

I'll try safe mode, thanks for the tip!

mfo | Joined Jul 3, 2009 | Messages 3,394 | Points 0
Better to sound retarded than be retarded? :p

Joined Nov 22, 2008 | Messages 1,506 | Points 48
The line "Data mismatch between Windows API..." is very suspicious indeed - it is very likely a sign of a virus which wants to stay as hidden as possible.
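For readers wondering what the two RootkitRevealer findings quoted above actually mean, here is an added example; it is not code from this thread or from Sysinternals. RootkitRevealer compares what the Windows registry API reports against what it reads from the raw hive file: a key whose name carries an embedded null is invisible to the NUL-terminated-string Win32 API but present in the hive, and an API hooked by a rootkit can hand back different value data than the hive holds. The script below runs that cross-view comparison over two constructed snapshots; every key name and value in it is made up.

```python
# Added example: a minimal cross-view registry diff in the spirit of
# RootkitRevealer, run over two constructed snapshots of the same hive.
# Win32 registry calls treat key names as NUL-terminated strings, so a
# key whose name holds an embedded null never shows up in the API view;
# a hooked API can also return value data that differs from the hive.

API_VIEW = {  # constructed: what a Win32 enumeration returned
    r"HKLM\SOFTWARE\Classes\CLSID": {"": b"Default"},
    r"HKLM\SOFTWARE\Vendor\Driver": {"ImagePath": b"C:\\clean.sys"},
}

RAW_VIEW = {  # constructed: what parsing the hive file on disk returned
    r"HKLM\SOFTWARE\Classes\CLSID": {"": b"Default"},
    r"HKLM\SOFTWARE\Vendor\Driver": {"ImagePath": b"C:\\rootkit.sys"},
    "HKLM\\SECURITY\\hidden\x00svc": {"Start": b"\x02"},  # embedded NUL
    r"HKLM\SOFTWARE\Vendor\Stealth": {"Run": b"1"},       # hidden from API
}


def cross_view_diff(api_view, raw_view):
    """Return (path, size_in_bytes, description) for every discrepancy
    between the API view and the raw hive view, in hive order."""
    findings = []
    for key, raw_values in raw_view.items():
        if "\x00" in key:
            # The API cannot even name this key; report 0 bytes like RKR.
            findings.append((key.replace("\x00", "\\0"), 0,
                             "Key name contains embedded nulls"))
            continue
        api_values = api_view.get(key)
        if api_values is None:
            findings.append((key, 0, "Hidden from Windows API"))
            continue
        for name, raw_data in raw_values.items():
            api_data = api_values.get(name)
            path = f"{key}\\{name}"
            if api_data is None:
                findings.append((path, len(raw_data), "Hidden from Windows API"))
            elif api_data != raw_data:
                findings.append((path, len(raw_data),
                                 "Data mismatch between Windows API and raw hive data"))
    # A key the API shows but the hive lacks is just as suspicious.
    for key in api_view:
        if key not in raw_view:
            findings.append((key, 0, "Visible in Windows API but not in raw hive"))
    return findings


if __name__ == "__main__":
    for path, size, why in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{path}\t{size} bytes\t{why}")
```

Identical snapshots produce no findings, so any line of output is something worth explaining before trusting the machine.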

c0ldshadow | LPF Founder / Admin | Staff member | LPF Site Supporter | Joined Mar 17, 2006 | Messages 2,864 | Points 113
Did you try out Malwarebytes Anti-Malware? Post a HijackThis log so people can see all processes running at startup, etc.

If you suspect it might be the Zeus trojan, check out my software: http://deeptide.com/software.htm

Maybe try ComboFix; that has helped a lot of people I know.

Joined Dec 23, 2007 | Messages 2,494 | Points 0
I ran SUPERAntiSpyware from Mini XP on Hiren's Boot CD, and it found

Rootkit.unclassified/USBHubB

I'm going to let it keep running and see if I can find anything else. Thanks for all the tips everyone!

mfo | Joined Jul 3, 2009 | Messages 3,394 | Points 0
Updates plz.

Joined Dec 23, 2007 | Messages 2,494 | Points 0
Well, scanning in safe mode I found...

Microsoft.Windows.SecurityCenter.Firewallbypass (link: MajorGeeks Support Forums)

and two things called

Virtumonde.atr (link: Manual Removal Guide for Virtumonde.atr - Safer-Networking Forums)
Virtumonde.sdn (link: WikiAnswers - What is Virtumonde.SDN)

I removed both of those and I can now start taskmgr, so that's progress.

But I also found a bunch of other crap, something to do with Sony games in a folder called rootdirectory. The files are locked and I can't remove them, but I think they are just from that Sony DRM episode a while back. I don't think this is causing the weird behavior.

There is a lot of random stuff installed on this thing which might be making it slow, but I still can't run any antivirus software when Windows is not in safe mode...

Joined Nov 22, 2008 | Messages 1,506 | Points 48
Sounds like you want to get your data off and reinstall that machine, just to be sure you've wiped all traces of that virus.

Joined Dec 23, 2007 | Messages 2,494 | Points 0
That's what I'll probably do; I need to check with the owner and find out what all she wants me to keep. I hate working on other people's computers :D

Joined Dec 21, 2009 | Messages 543 | Points 28
You could try FileASSASSIN; it deletes locked folders. I think it's a part of Malwarebytes!