Rootkit Removal big problem

Discussion in 'Hardware - PCs, Consoles, Gadgets' started by hairyhandbag, Apr 4, 2012.

Welcome to the Army Rumour Service, ARRSE

The UK's largest and busiest UNofficial military website.

The heart of the site is the forum area, including:

  1. Good afternoon all, need some good advice with this one as i am completely stuck

    A computer i am working on had a rootkit so tried to remove with usual anti virus (avg) then superant.ispyware remover and malware bytes.
    Did not work so tried malware in safe mode but no joy.

    Reformatted the hard drive and started a fresh install with win xp.
    Install went fine and installed avast anti virus and microsoft malware remover tool and up dated all software (internet explorer to ie 8 for example)

    Problem is that the rootkit is still on the machine. Any top tips would be most welcome

    HH
     
  2. It must be residing in the MBR, use a Windows DVD to get into the Recovery Console and type fixmbr, that will write a new boot sector and erase the little ******.
     
  3. Cheers matey will give that a go now, have just reformatted and installed again

    hh
     
  4. All depends on the level of rootkit that has infected your machine. What tool is alerting you to the presence of a rootkit and what symptoms are you experiencing?

    Some rootkits bury themselves in at the hardware level where they place code inside the actual chips in your machine. They can burrow into graphic / audio cards, hard drive controllers, chips and memory on your mboard etc...No matter how many times you reformat you are fucked as the rootkit is not sitting in your operating system.

    As for the likes of avg, avast etc....some are good, others are crap. I prefer avast myself but i also have this little nugget that i highly recommend. Its called avz and is pretty powerful as an av toolkit. Its takes some getting used to and i had a lot of false positives to begin with - read the manual and check out the forums. I think it was designed by some russian hacker who has now been poached by kaspersky labs. I have had to use google translate on the link as the site is in russian.

    AVZ main page

    Another link direct from kaspersky:

    kaspersky labs
     
  5. CDT and SNLR thanks for the extra advice it is much appreciated.

    I got rid of it in the end by the following methods

    (At first used microsoft xp pro disc to format hard drive before installing but damm thing kept returning)
    Acting on snlr advice decided to see if it was MBR resident so re-installed and lo and behold it appeared again, so.............

    Did a bit of digging and got an independant drive wiper to do cleaning of hard drive from cnet then re-installed again using only genuine products
    Once OS installed put on AVAST and did scan (nothing showing)
    Loaded Superantispyware and did scan (nowt)
    Re-boot scan with avast and it picked up a "rootkit" hiding in windows\system32 as a hidden file

    Have had the desktop restarting periodically since last post and visiting websites (safe ones) and it seems to be fine now.

    I tried the Kapersky TDSS Killer at first but the rootkit had that null and void straight away.
    Got to admit that was the most difficult one i have come across for a long time.
    Anyway cheers for help

    HH
     
  6. Really? Do you have a reference to these rootkits?
     
  7. CDT is right, Dogmeat. Google for Chernobyl/CIH rootkit. We had a bit of a mare with it back in 98. It reflashed the ******* BIOS. An added pain in the arse was that the preformatted Sony floppy disks were using to boot from had the Stoned_Angelina virus on them. A bad couple of days!

    For wider reading, Google "firmware rootkits"
     
  8. Pretty much as I thought. Largely theoretical and highly impractical. The ones in the wild targeted only the Award BIOS in PCs - not gfx or sound cards, nor hard disks. I'm fine with a bit of paranoia over security, but the sort of misguided shrieking hysteria posted by CTD_Dodger is as dangerous as it is counter-productive.
     
  9. msr

    msr LE


  10. Dog, how the hell am I causing hysteria, I was merely offering advice and some input into the thread. The only person getting irate seems to be you.

    Anyway, what is your point exactly? Are you stating that rootkits can only infect the OS and BIOS. You seem to imply that I am talking bullshit about the graphics/audio cards. As for the hard drive, I said ‘Controller’, not the physical disk – pay attention to the post dear and read with more care.

    Back on topic, I take it you have never heard of PCI rootkits – no, thought not. Any PCI device which has flashable firmware is open to this type of rootkit.


    Black Hat Presentation 2007:

    Implementing and detecting a PCI rootkit


    Scroll to the section ‘Firmware Rootkits 3.4:

    Firmware Rootkits


    Now dog, go wipe that egg off your face.
     
  11. So your example is some old proof of concept exercise from 2007? Well, I'm almost ready to apologise - perhaps if you could just post some examples of actual firmware rootkits currently in the wild in 2012, it might just tip the balance.
     
  12. Just off the top of my head, Mebromi/A (and some variants) is a BIOS flasher in the wild in 2012.
     
  13. msr

    msr LE