Welcome to Laser Pointer Forums - discuss green laser pointers, blue laser pointers, and all types of lasers

Rootkit?

I have a laptop I got from someone at work that they want me to look at, and I'm pretty sure there is a rootkit of some sort on this machine. They say that some random antivirus popped up and started scanning, which I think would be a virus antivirus thing that is becoming so common. Running any other real antivirus program locks the computer up to the point that Ctrl+Alt+Delete won't even bring up taskmgr.

I've used RootkitRevealer, and I get 4 hits before the machine locks. I can't see the whole text of the registry entries it finds because the thing locks and I can't see all of the file info, but they are something like this...

HKU\S-1-5-21... 0 bytes key name contains embedded nulls
HKLM\SECURIT... 0 bytes Key name contains embedded nulls
HKLM\SECURIT... 0 bytes key name contains embedded nulls
HKLM\SOFTWA.. 13 bytes Data mismatch between Windows API...

Can anyone confirm that this is something that is best fixed by a complete reformat and reinstall?
 






Did you try scanning in safe mode?
 
It might make me sound retarded, but I haven't tried that. I just turned off everything in msconfig.

I'll try safe mode, thanks for the tip!
 

Better to sound retarded than be retarded? :P
 
The line "Data mismatch between Windows API..." is very suspicious indeed; it is very likely a sign of a virus that wants to stay as hidden as possible.
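The discrepancy messages in the RootkitRevealer output quoted in the first post come from a cross-view comparison: the tool asks the Windows registry API for keys and values, reads the same hives directly from disk, and reports every place the two views disagree. The following is an added example, not code from this thread or from RootkitRevealer, that implements that comparison over constructed sample data. The two dictionaries, their paths and values, and the `compare_views`, `api_name` and `printable` helpers are assumptions made up for the illustration; the three description strings mirror the ones shown in the original output.

```python
from dataclasses import dataclass
from typing import Dict, List

# Key path -> {value name: data}. The API view uses str names because the
# Win32 registry functions hand back C strings; the raw view uses bytes
# because a hive key name can legitimately contain any byte, NUL included.
ApiView = Dict[str, Dict[str, bytes]]
RawView = Dict[bytes, Dict[bytes, bytes]]

# Description strings as they appear in the RootkitRevealer output in the thread.
EMBEDDED_NULLS = "Key name contains embedded nulls"
HIDDEN = "Hidden from Windows API."
MISMATCH = "Data mismatch between Windows API and raw hive data."


@dataclass(frozen=True)
class Finding:
    path: str         # registry path as reported
    size: int         # on-disk data length for value findings, 0 for key findings
    description: str


def api_name(raw: bytes) -> str:
    """The name a Win32 string API shows for a hive name: everything up to the first NUL."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def printable(raw: bytes) -> str:
    """Render a raw name for display, making an embedded NUL visible as a backslash-zero."""
    return raw.decode("latin-1").replace("\x00", "\\0")


def compare_views(api_view: ApiView, raw_view: RawView) -> List[Finding]:
    """Report every key or value where the raw hive disagrees with the Windows API view."""
    findings: List[Finding] = []
    for raw_path, raw_values in raw_view.items():
        components = raw_path.split(b"\\")
        if any(b"\x00" in c for c in components):
            # RegEnumKeyEx lists such a key, but RegOpenKeyEx truncates the name
            # at the NUL and can never open it: the classic registry hiding trick.
            findings.append(Finding(printable(raw_path), 0, EMBEDDED_NULLS))
            continue
        api_path = "\\".join(api_name(c) for c in components)
        if api_path not in api_view:
            # A clean name that the API still does not return points at hooked enumeration.
            findings.append(Finding(api_path, 0, HIDDEN))
            continue
        api_values = api_view[api_path]
        for raw_name, raw_data in raw_values.items():
            value_path = api_path + "\\" + printable(raw_name)
            name = api_name(raw_name)
            if name not in api_values:
                findings.append(Finding(value_path, len(raw_data), HIDDEN))
            elif api_values[name] != raw_data:
                findings.append(Finding(value_path, len(raw_data), MISMATCH))
    return findings


# Constructed sample data (hypothetical paths and values, not a real hive).
API_VIEW: ApiView = {
    "HKLM\\SOFTWARE\\Example": {"Config": b"legit data"},                  # API sees 10 bytes
    "HKLM\\SOFTWARE\\Example\\Plugins": {"Count": b"\x02\x00\x00\x00"},
}
RAW_VIEW: RawView = {
    b"HKLM\\SOFTWARE\\Example": {b"Config": b"legit data!!!"},             # hive holds 13 bytes
    b"HKLM\\SOFTWARE\\Example\\Plugins": {b"Count": b"\x02\x00\x00\x00"},  # both views agree
    b"HKLM\\SOFTWARE\\Example\\Hidden\x00Loader": {b"ImagePath": b"loader.sys"},
    b"HKLM\\SOFTWARE\\Example\\Stealth": {b"ImagePath": b"driver.sys"},
}


if __name__ == "__main__":
    for f in compare_views(API_VIEW, RAW_VIEW):
        print(f"{f.path}\t{f.size} bytes\t{f.description}")
```

Run as-is it prints three findings: the `Config` value with the on-disk length of 13 bytes, the key with the embedded NUL, and the key whose clean name the API nevertheless does not return. The ordering in `compare_views` matters: a NUL in the name is checked first because the API can never open such a key, so asking it about values would only produce noise; a data mismatch is reported with the raw length, the way the size column in the original output reads.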
 
Did you try Malwarebytes Anti-Malware? Post a HijackThis log so people can see all processes running at startup, etc.

If you suspect it might be the Zeus trojan, check out my software: http://deeptide.com/software.htm

Maybe try ComboFix; that has helped a lot of people I know.
 
I ran SUPERAntiSpyware from Mini XP on Hiren's BootCD, and it found

Rootkit.unclassified/USBHubB

I'm going to let it keep running and see if I can find anything else. Thanks for all the tips everyone!
 

Updates, please.
 
Well, scanning in safe mode I found...

Microsoft.Windows.SecurityCenter.Firewallbypass (MajorGeeks Support Forums)

and two things called

Virtumonde.atr (Manual Removal Guide for Virtumonde.atr, Safer-Networking Forums)
Virtumonde.sdn (WikiAnswers: What is Virtumonde.SDN)

I removed both of those and I can now start taskmgr, so that's progress.

But I also found a bunch of other crap, something to do with Sony games in a folder called rootdirectory. The files are locked and I can't remove them, but I think they are just from that Sony DRM episode a while back. I don't think this is causing the weird behavior.

There is a lot of random stuff installed on this thing which might be making it slow, but I still can't run any antivirus software when Windows is not in safe mode...
 
Sounds like you want to get your data off and reinstall that machine, just to be sure you've wiped all traces of that virus..
 
That's what I'll probably do; I need to check with the owner and find out what all she wants me to keep. I hate working on other people's computers :D
 
You could try FileASSASSIN; it deletes locked folders. I think it's a part of Malwarebytes!
 




