Gnutella Forums (https://www.gnutellaforums.com/)
Tips & Tricks (https://www.gnutellaforums.com/tips-tricks/)
Rootkits *** WARNING *** (https://www.gnutellaforums.com/tips-tricks/35803-rootkits-warning.html)

RaaF March 30th, 2005 04:06 AM

Rootkit

Rootkit?

Ever heard of that?

Until recently I didn't.
The story begins at my girlfriend's computer, where one of her kids received a mail from a friend with an attachment.
Avast antivirus immediately sounded the alarm bell and removed it, but the virus is present again at every startup.
It's called msdirectx.sys and is being placed in the username folder.

It spreads through mail, sending itself to every address in the address book.

Apparently it is a keylogger that phones home.

So far I found it prevents you from opening:
- Regedit
- Task Manager
- HijackThis

It had shut down ZoneAlarm and prevents it from a manual start; it prevents an antivirus update.

There seem to be a few variations.
Some manual cleaning was described here, but the variation I found had none of the described registry entries.

Further Googling brought me here (there are some interesting links on that page).

Perhaps for the paranoid ( ;) peers) it is good to run:
RootkitRevealer
and
F-Secure BlackLight
I certainly have these programs in my PC good health list from now on ;)

So far I haven't been able to kill the virus, but I'll have another go at it this coming weekend. I'll keep you updated.

RaaF April 5th, 2005 11:31 PM

**Update**

As it is such a well designed virus, and the rootkit element being stealthy, all my known methods of deleting it failed.
It does not load when booting in safe mode, so there was nothing to go at that way.
There was only one option left:
I formatted and reinstalled WinXP.

ursula April 20th, 2005 08:21 AM

http://search.symantec.com/custom/us/query.html

A Norton page for more info...

and

RaaF...

Two questions...

Why does there seem to be a .nl link here with this problem?

and

what more have you learned?

(Or, what more does anyone reading this thread have to share?
This thread is NOT locked!!!

Please contribute!)

giddyup June 6th, 2005 10:06 PM

Have you...

Quote:

Originally posted by RaaF
**Update**

As it is such a well designed virus, and the rootkit element being stealthy, all my known methods of deleting it failed.
It does not load when booting in safe mode, so there was nothing to go at that way.
There was only one option left:
I formatted and reinstalled WinXP.


Have you tried getting the CA antivirus program? This program really works for me. I had a similar problem, where a keylogger wanted to dial out from the PC; well, I downloaded the trial version of CA with all the extras, and I couldn't believe my eyes. This program kicked butt. It also allows you to monitor all programs being started and what program wants to dial out to the internet, and you have the option to click "Yes" to allow the program to connect or "No" to not allow the program to connect.

A window appears in the lower right corner of your PC, and btw this small window does not annoy you at all, because it allows you to have CONTROL of your PC. It is pretty cool. Try it. It also has a lot of features; even for a trial version it REALLY ROCKS!

It is always picking up viruses left and right. Also, I would password protect your CA antivirus program so no virus can turn it off, if you know what I mean. Also get the trial version of the Firewall; it didn't screw up the other firewall I have in my PC. Hope this helps. Sorry for the essay.

;)

Furrion July 2nd, 2005 10:45 AM

Nothing can do anything to my computer, even if it's some new virus. My great secret.

notarootkit August 19th, 2005 11:27 PM

She got hit with a virus. Don't confuse the kids on here. They don't know the difference between an anti-virus scanner and a spyware scanner. They think the spyware scanner gets viruses and the anti-virus scanner gets spyware. Some AV applications catch spyware; however, in my experience, I left that to Giant AntiSpyware, now MS AntiSpyware.


Read this. It explains everything.

Quoted from Wikipedia

The key distinction between a computer virus and a root kit relates to propagation. Like a root kit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus).

In the case of the root kit the payload may attempt to maintain the integrity of the root kit (the compromise to the system) --- for example every time one runs the root kit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, "re-infecting" them as necessary. The rest of the payload is there to ensure that the cracker (attacker) can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some root kits may add port knocking checks to existing network daemons (services) such as inetd or the sshd.

A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general a root kit limits itself to maintaining control of one system.

A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the cracker/attacker through some sort of covert channel).

Of course there are hybrids. A worm can install a root kit, and a root kit might include copies of one or more worms, packet sniffers or port scanners. Also many of the e-mail worms to which MS Windows platforms are uniquely vulnerable are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated.

cathodraytube October 10th, 2005 03:42 PM

Did you try turning off System Restore? Sometimes they will stay in the restore file and keep coming back.

ukbobboy01 November 4th, 2005 08:35 AM

Guys

Rootkits are the nastiest of online dangers that are around today; if caught, they are difficult to get rid of and, as RaaF found out, will necessitate a full HD reformat and reinstallation.

RaaF, if you are reading this you should, if possible, reformat your GF's drive at least seven times; that way you will be sure that it is gone. In the past, I have come across viruses that survive a normal (one-time) reformat and, as rootkits are more dangerous, it is possible that they can survive several reformattings, but it is highly unlikely to survive (the MOD-recommended) seven.

As I am paranoid about PC security, I intend to install F-Secure BlackLight (beta) over the weekend and see if I have any stealthed malware on my system.



UK Bob

cathodraytube November 4th, 2005 11:23 AM

UK, I've never run into any virus that has survived a reformat.
Yes, it's true that when you reformat all the files are still there, but they're "dead" and the OS just sees them as blank space, and they can only be recovered with special file recovery programs.

And that is only if they haven't been overwritten... if something new (e.g. Windows) has been written over the deleted files, then the files that were there before are history.

I don't know how much you know about computers, UK, but please correct me if I'm wrong... but if you ran into a virus that "survives" a "reformat" you may not have actually reformatted the drive... you may have just done a reinstall of Windows or a "repair install", in which case the virus would still be there because you didn't completely erase the drive.

But if I'm wrong on this and you do know what you're talking about and you did run into a virus that survives a complete reformat, even then, 7 times?? If the virus does somehow resurrect itself, then a zero-fill and 1 reformat should completely destroy any data/virus on the drive.

ukbobboy01 November 4th, 2005 12:53 PM

CRT

I would agree with that: one reformat destroys most things, programs, data and everything else.

However, I have, in my time working on PCs, come across a virus that survived a reformat. Now whether that virus was still active or not I do not know, but it was there on the hard drive waiting for my colleagues and me to re-install Windows.

So, rather than take the chance of the virus being active, I got NAV and deleted it.

Now, I will admit that I know very little about rootkits, other than that they are worse than viruses or worms and are very difficult to eradicate and, from what I read this afternoon, even harder to spot.

The Ministry of Defence (MOD) recommends that a PC's HD should be reformatted seven times before being disposed of. Therefore, reformatting seven times will get rid of everything and make anything that was ever on the HD unrecoverable and totally useless, i.e. nothing can survive.

I would also agree that zero-filling a drive then reformatting it could be the same as reformatting it seven times, but either way we are still talking about getting rid of something that is notoriously difficult to eliminate, namely being infected by a rootkit.

However, I will confess that I have never personally reformatted a HD seven times, but I would if I had to.



UK Bob

cathodraytube November 4th, 2005 01:34 PM

I don't know much about rootkits either... this thread is the first I ever heard about them.

But I read the article that Kath put in; one huge headache later I figured out that they are basically bad programs that somehow hide themselves from the user... and can be used as an attempt at overkill DRM...

And after reading that, I downloaded that "Rootkit Revealer" program and ran it... and it came up with a whole bunch of stuff... which I have no idea what it was... but all the stuff was either in the "Temporary Internet Files" or in with my one game "Far Cry" folders and a couple of registry entries, but the PC isn't acting any worse than normal, so I'm assuming (hoping) all the stuff it found is harmless...

Now my brain really hurts...

cathodraytube November 5th, 2005 09:27 AM

I have never put a CD like that in my computer, nor do I own any like that... nor will I buy any...

But I do a lot of CD ripping myself from friends' collections etc. and I don't want to expose my computer to it...

Is there a way to simply not install or ignore it? Like holding the Shift key to stop it from auto-running when a CD of this nature is inserted?? And will ripping programs just ignore the data track and rip the DA as normal???

u2btrfly November 27th, 2005 08:52 PM

Watch out for Sony's uninstaller!

Hello you wonderful people!

I ranted about Sony's rootkit elsewhere on this forum and pointed out a link in there that was an interesting read. That was this one: http://p2pnet.net/story/7025.

Now I see there is a lot of talk here about this rootkit uninstaller put out by Sony to "fix" the matter. The following read should prove interesting. I don't know if anyone here was aware of this particular situation, but if you aren't, this is a good read:

http://p2pnet.net/story/6984

Mmm I want a LINUX OS so bad I can taste it. I've got the PCLinuxOS disk, but not the resources to use it right now, hrrmph.

Peace.

cathodraytube November 27th, 2005 10:49 PM

I'm not 100%... but I think you can completely get around all this Sony/DRM BS by clicking NO to the EULA thing when you put one of these discs in your computer.

By doing that you don't install any software. And if it DOES install something without your "consent", even if you clicked no and don't agree to Sony's licence crap... YOU can sue the pants off SONY.

(I think)

u2btrfly November 28th, 2005 09:25 AM

Thanks

I'm not really worried about it. I don't burn CDs to my computer or save them to the computer. I do share what I've downloaded though, so that could be of concern if someone has the rootkit on their system.

Thanks for the advice.

btman December 20th, 2005 05:39 PM

Well, there are some rootkit killers under my "perfectly safe from viruses blah blah etc., all free things", but 1 word really gets rid of my rootkit problems..... EWIDO (PS: infinite scans; the 14-day trial is the only limitation, but that just stops updates and on-access protection). Get it at www.ewido.com :D Get her or yourself to download it.

btman December 21st, 2005 09:14 PM

Nvm about the "perfectly safe from all viruses"... an immature guy, "self-proclaimed spyware expert", started nagging at me for his own fault... he tattled on me for minor vulgarity and now my post is gone.... tell him thanks if you know him.. it's Lord of the Rings haha that's him ... XD

verdyp January 16th, 2006 01:28 PM

Quote:

Originally posted by cathodraytube
I'm not 100%... but I think you can completely get around all this Sony/DRM BS by clicking NO to the EULA thing when you put one of these discs in your computer.

By doing that you don't install any software. And if it DOES install something without your "consent", even if you clicked no and don't agree to Sony's licence crap... YOU can sue the pants off SONY.

(I think)

Actually, this HAPPENED, and that's why Sony/BMG are being sued!

They installed their rootkit even if you rejected their EULA. Not only could you not play the CD, but the rootkit was installed, and then opened a listening port that HAS been exploited by remote viruses and PC hijackers.

Then Sony released a "fix" that was even worse and less secure than the rootkit initially present on the CD. By installing the "fix", you not only removed the rootkit, but you agreed to its EULA, which states that you use the fix at your own risk. Sony wants to convince you that it is not responsible, but it forgets to say that the fix it proposes actually installs new software that will wait for instructions from ANY source on the Internet.

This "fix" (actually an ActiveX component) was ALSO used by viruses and PC hijackers.

The Sony/BMG event is the worst thing that has happened in the media industry. It demonstrates that the DRM technology it defends is not safe, not developed according to basic security standards, and that these media companies actually lie in their licences, lie to their legitimate customers, and spy on them illegally.

The effect of this is that now many organizations have banned ALL music CDs in work places (or have removed CD/DVD players from their workstations, and now also remove floppies, disconnect the USB and FireWire ports, disable PCMCIA ports on notebooks, and password protect the BIOS to apply these restrictions).

The only way to save your work is now via the private LAN (when it works, and the system admin is effectively doing his work to change the storage tapes). You can't save multiple times during the day, and everyone now depends on a single system admin (whose work and competence is supposed to be always better, safer and faster than yours).

cathodraytube January 17th, 2006 02:30 PM

GOOD, Sony had it coming...
I heard that a few months ago the RIAA got sued for racketeering and conspiracy or something... is that true?


But?... I can see why a ban on all music CDs on business/school computers would be a good idea now, or maybe more reasonably all recent Sony CDs and/or all the CDA-CDROM combo discs, but why would they disable everybody's CD burners/floppies and USB/FireWire ports and not let anybody save any of their work? What does that have to do with Sony's BS?

And isn't there a patch out now that makes your computer immune to Sony's rootkit? ... patching seems more reasonable than ripping out everybody's CD drive...

verdyp January 17th, 2006 05:34 PM

Quote:

And isn't there a patch out now that makes your computer immune to Sony's rootkit? ... patching seems more reasonable than ripping out everybody's CD drive...
This just means that media producers have now become untrustworthy for computing. CDA until now was considered harmless because it was assumed that mass producers of these CDs would not violate the confidence of their customers using unfair practices. But now they are considered as untrustworthy as any rogue software maker. And companies do not have the tools to control the legality of licences for media.

What is worse is that these rootkits are really software installed without being visible in software licensing control systems. The whole computing system becomes untrustworthy because it becomes impossible to know exactly what is running on it and whether it's legal or not. So companies are placed at risk of false alarms for alleged copyright violations, without the most basic tools to verify the claims. This is where Sony/BMG may be sued for racketeering (due to unverifiable claims). But I don't know if such action has occurred anywhere.

Zarabaath August 18th, 2007 12:57 PM

No words, one URL

AVG Free Advisor - Free antivirus and anti-spyware downloads: download AVG Anti-Rootkit - it's great

u2btrfly August 18th, 2007 07:14 PM

I already have the AVG Anti-Rootkit and AVG AV - the AV has gotten a lot better than the old editions, and the anti-rootkit updates and runs tests on your schedule. It works in the background and you don't even know it's testing. I recommend it.

u2

Zarabaath August 19th, 2007 03:21 AM

Quote:

Originally Posted by u2btrfly (Post 283924)
I already have the AVG Anti-Rootkit and AVG AV - the AV has gotten a lot better than the old editions, and the anti-rootkit updates and runs tests on your schedule. It works in the background and you don't even know it's testing. I recommend it.

u2

Another happy person. I myself use AVG.

Funeral_ForMyValentine.x September 29th, 2007 08:00 AM

Quote:

Originally Posted by Zarabaath (Post 283992)
Another happy person. I myself use AVG.

I too now use AVG :D

IVORBIGGUN November 16th, 2007 01:28 AM

Wow, it seems pretty weird to me that the majority of rootkits and virus infections stem from peer-to-peer file sharing networks, but yet still people carry on using them. Don't get me wrong, I myself cannot live without LIMEWIRE lol, and so far I have had the good fortune of avoiding infection.

AaronWalkhouse November 16th, 2007 04:31 AM

I've been using gnutella since the day Justin invented the thing and haven't regretted it, but then I hunt down and capture hundreds of the critters every day on purpose. ;]

I find P2P to be no more dangerous than the newsgroups. The real dangerous places are still email spam and rogue web sites. You can get infected just by reading a message or by going to a web site.

newbee2 October 10th, 2009 04:28 AM

Rootkit update

Just a quick update on rootkits, detection and removal, and a heads-up for those using Rootkit Revealer and its weaknesses, which are fairly recent.
All the best to one and all!
Long time no see!!
N2

Rootkit - Wikipedia, the free encyclopedia
:idea: :) :D

Cooprocks123e December 26th, 2009 06:18 AM

I don't recommend AVG due to the fact that its services make my dad's laptop run slow. It runs fine without it. If you can bear this, use it, it's great (I used it for 3 years). I now use Avast.

My opinion on how to remove a rootkit:
1) Get a Linux Live CD or USB (Ubuntu)
2) Start Linux
3) Open Terminal
4) $ ls /dev/sd* #One of them will be your hard drive
5) $ sudo mkdir /mnt/hd #For mounting your hard drive
6) $ sudo mount /dev/sd?? /mnt/hd #To mount your hard drive
7a) Find the rootkit and delete it
--OR--
7b) $ sudo dd if=/dev/urandom of=/mnt/hd/[Wherever your rootkit may be] bs=4096 count=1 conv=notrunc #Linux is case sensitive, and spaces are done like this: Documents\ and\ Settings. This command writes random data over the start of the rootkit file in place (header included), thus killing it. sudo is needed because the drive was mounted as root; /dev/urandom does not block the way /dev/random does; conv=notrunc makes dd overwrite in place instead of truncating the file first; and without count= dd would keep writing until the disk is full. Delete it once you reboot.
8) Restart into Windows.

I hope this works. I didn't test it. Using dd is dangerous; make sure you know what you are doing.

Cooper
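The overwrite-in-place step (7b above) and the zero-fill-then-reformat advice earlier in the thread, demonstrated on throwaway temporary files so it can be run anywhere. This is an added example, not code from the thread or from any of the posters; it assumes a POSIX shell with dd (supporting conv=notrunc), wc, tr and mktemp, and the fake driver file and its contents are constructed here. On a real machine the targets would be the mounted file and the device node, as the posts describe.

```shell
#!/bin/sh
# Added example, not from the thread. Overwrites a file's bytes in place
# (random data or zeros) without changing its size, then verifies the result.
# Demonstrated on temporary files; nothing here touches /mnt/hd or /dev/sd*.
set -eu

# Write exactly FILE's current size from SRC over FILE, in place.
# conv=notrunc stops dd from truncating the file first, so the blocks
# already allocated to the file are the ones rewritten. The explicit
# count= matters: with none, dd keeps copying from /dev/urandom until
# the filesystem is full.
fill_from() {
    src=$1
    file=$2
    size=$(wc -c < "$file" | tr -d ' ')
    full=$((size / 4096))
    rest=$((size % 4096))
    if [ "$full" -gt 0 ]; then
        dd if="$src" of="$file" bs=4096 count="$full" conv=notrunc 2>/dev/null
    fi
    if [ "$rest" -gt 0 ]; then
        # tail of the file that does not make up a whole 4 KiB block
        dd if="$src" of="$file" bs=1 count="$rest" seek=$((full * 4096)) conv=notrunc 2>/dev/null
    fi
}

# Step 7b of the post: destroy the malicious file's contents (the PE
# header goes with the first bytes, so Windows can no longer load it).
wipe_file() {
    fill_from /dev/urandom "$1"
}

# The zero-fill discussed in the thread, on a file standing in for a disk
# image. On a real drive the argument would be the device node instead.
zero_fill() {
    fill_from /dev/zero "$1"
}

# Succeed only if FILE contains nothing but zero bytes.
is_all_zero() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# File size in bytes, used to show the size is unchanged after a wipe.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Stand-alone demo on a constructed stand-in for msdirectx.sys.
demo() {
    sample=$(mktemp)
    printf 'MZ fake driver bytes, a constructed stand-in for msdirectx.sys' > "$sample"
    before=$(size_of "$sample")
    wipe_file "$sample"
    after=$(size_of "$sample")
    echo "size before wipe: $before, after: $after"
    if grep -q 'fake driver' "$sample"; then
        echo "original bytes still present (unexpected)"
    else
        echo "original bytes gone"
    fi
    zero_fill "$sample"
    if is_all_zero "$sample"; then
        echo "zero-fill verified: every byte is 0x00"
    fi
    rm -f "$sample"
}

demo
```

The size check is the point of conv=notrunc: the file keeps its length and its allocated blocks, so the overwrite lands on the bytes the rootkit actually occupied rather than on freshly allocated space. Zero-filling a file-backed image only shows the verification step; on a physical disk the same dd runs against the device node and there is no filesystem to truncate, which is why the posts pair the zero-fill with a reformat afterwards.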

Krazee_Oracle March 25th, 2024 03:09 PM

Are there similar threats for Linux OS's?

