Shroomery Message Board
5HTSynaptrip
Dopamine Enthusiast
Registered: 09/14/08
Posts: 4,360
Loc: USA
Last seen: 5 years, 10 months
Rootkit... what. the. fuck.
    #14429045 - 05/10/11 09:49 AM (12 years, 9 months ago)

Can rootkits infect computers on homegroups? 

I hadn't used my desktop for quite some time, and I run Avast Internet Security 6.0 on all my machines.  When setting up the connection to the VPN I have on my desktop it kept disconnecting.  I fucking wasted hours trying to figure it out and thinking that it was a firewall/router issue, and instead of being a dumbass I should have just run netstat -a in the fucking admin console.  When I did that I see all these damn connections.  The use of my desktop was so infrequent that I couldn't remember physical memory usage, and it's a brand new rig so the shit installed doesn't affect performance anyways.  Pretty sure it is a malware rootkit because when I found the hidden files they're for a bunch of redirects to ads and only work in Internet Explorer.  Now, I have no clue what else it may be doing since I ran virtually every scan I could find, including those for 64-bit rootkits.  That showed me what was being hijacked, as well as Hijackthis, and looking through the folders and analyzing the scripts it all seemed to be shit pertaining to ads.  The earliest file was from Feb and the most recent from March, which makes me think using Chrome didn't really work with it... idk.  I can't even think what would have caused it to have been installed except for my wife/mom using IE once in a while. 

My laptop ended up getting it as well so I don't know how that happened either as I usually have it with me.  I formatted my HDD and reinstalled Winblows on my laptop, and my main question is this:

Do complex anti-virus programs mimic rootkits in how they hook into shit to protect you? 

Due to the amount of data I have for my classes I don't want this shit happening again, so when I installed Win 7 last night I first installed my drivers (which came from the mfg.'s site), and then immediately installed Avast IS 6.0.  When I ran the rootkit scanner aswMBR.exe it shows these results...


aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 11:44:52
-----------------------------
11:44:52.651    OS Version: Windows x64 6.1.7600
11:44:52.651    Number of processors: 4 586 0x2502
11:44:52.652    ComputerName: XIRRI  UserName:
11:44:54.535    Initialize success
11:44:58.586    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:44:58.589    Disk 0 Vendor: WDC_WD5000BEKT-00KA9T0 01.01A01 Size: 476940MB BusType: 11
11:45:00.652    Disk 0 MBR read successfully
11:45:00.653    Disk 0 MBR scan
11:45:00.656    Disk 0 Windows 7 default MBR code
11:45:00.659    Service scanning
11:45:02.296    Disk 0 trace - called modules:
11:45:02.358    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
11:45:02.362    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007a60060]
11:45:02.366    3 CLASSPNP.SYS[fffff880018df43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007769060]
11:45:02.369    Scan finished successfully
11:45:42.587    Disk 0 MBR has been saved successfully to "C:\Users\Divide_By_Z3r0\Documents\MBR.dat"
11:45:42.588    The log file has been saved successfully to "C:\Users\Divide_By_Z3r0\Documents\aswMBR.txt"

I may not have looked correctly, but I'm guessing these results are from Avast (Hijackthis also shows results that would implicate the antivirus).  I had the firewall cranked to not allow anything I didn't approve, and I didn't approve much except to update Avast and download the rootkit scanner.  My thread hasn't been replied to at bleepingcomputers yet.  Thanks for any advice! *the infected computer is not connected to my network*


--------------------


Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.


koraks
Registered: 06/02/03
Posts: 26,691
Re: Rootkit... what. the. fuck. [Re: 5HTSynaptrip]
    #14429067 - 05/10/11 09:55 AM (12 years, 9 months ago)

Quote:
5HTSynaptrip said:
I formatted my HDD and reinstalled Winblows on my laptop

Did you re-generate the MBR? Formatting doesn't clear the MBR. If the rootkit has infected the MBR, and you didn't create a clean MBR before reinstalling Windows, you might not have gotten rid of the rootkit.

5HTSynaptrip
Dopamine Enthusiast
Registered: 09/14/08
Posts: 4,360
Loc: USA
Last seen: 5 years, 10 months
Re: Rootkit... what. the. fuck. [Re: koraks]
    #14429710 - 05/10/11 12:50 PM (12 years, 9 months ago)

Yea I did, that's why it's weird that shit is still showing up.


--------------------


Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.


at0m
Hawhaw-a-phone
Registered: 04/30/11
Posts: 28
Loc: South Australia
Last seen: 9 years, 9 months
Re: Rootkit... what. the. fuck. [Re: 5HTSynaptrip]
    #14430953 - 05/10/11 05:37 PM (12 years, 9 months ago)

Rootkits are generally what are used to hide the malware.

Could you show us the printout of Hijack This? Use a pastebin service like securepastebin.com.

An answer to the question: rootkits don't infect, they hide. Anti-viruses can (if you're running multiple) pick up each other, but they usually don't pick up themselves. So you've either got false positives (i.e., other anti-viral software) or a more hidden problem.

Do you keep your copies of Windows up to date?

Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 23 days, 23 hours
Re: Rootkit... what. the. fuck. [Re: 5HTSynaptrip]
    #14430973 - 05/10/11 05:42 PM (12 years, 9 months ago)

> Did you re-generate the MBR?
>> Yea I did

I'm curious what you did to reload the MBR?  When dealing with MBR related malware, I usually use a Linux Live-CD to drop a Unix boot loader onto the disk (grub, lilo, etc) and then install windows forcing it to reload a Microshit MBR.  If the Unix loader comes up, I know the MS install failed to clean out the MBR.

The above is a pain, but I've yet to see malware that can operate under both windows and linux, and I've come across some insidious MBR infectors...


--------------------
Just another spore in the wind.

5HTSynaptrip
Dopamine Enthusiast
Registered: 09/14/08
Posts: 4,360
Loc: USA
Last seen: 5 years, 10 months
Re: Rootkit... what. the. fuck. [Re: Seuss]
    #14432130 - 05/10/11 09:41 PM (12 years, 9 months ago)

The cd recovery console didn't do it for some reason. I just finished running a drive wipeout that did a bunch of passes with some DoD mechanism. So the entire drive was truly cleaned of readable data. I'm installing Win 7 now.

I posted all the logs from hjt, aswMBR, and OTS. Tomorrow I can link them.

Since I had all my backup data readily available this was a certain method of ensuring no data remained. I prefer the clean slate. It's so shitty what these things do. My desktop is infected as well but prior to the rootkit I installed a take-ownership script for the registry and was able to claim all the files it created and browse through them. It was some advertising garbage with a ton of scripts. I just renamed them all and it isn't doing anything atm. I believe it was some type of TDS but TDSKiller and a lot of other programs didn't identify it.


--------------------


Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.


Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 23 days, 23 hours
Re: Rootkit... what. the. fuck. [Re: 5HTSynaptrip]
    #14433367 - 05/11/11 04:22 AM (12 years, 9 months ago)

> The cd recovery console didn't do it [wipe the MBR] for some reason.

Don't feel bad; I've seen this more often than not with Microsoft, which is why I go to the trouble outlined above.  My next guess was an infected device driver from a vendor, which I have seen before, but it is pretty rare.  Glad to hear you got the problem resolved.


--------------------
Just another spore in the wind.

5HTSynaptrip
Dopamine Enthusiast
Registered: 09/14/08
Posts: 4,360
Loc: USA
Last seen: 5 years, 10 months
Re: Rootkit... what. the. fuck. [Re: Seuss]
    #14439851 - 05/12/11 11:58 AM (12 years, 9 months ago)

Do you guys know if rootkits affect all drives on a computer?  My desktop has 1 SSD and 3 HDDs.  I'm uploading essential stuff to my SkyDrive/MobileMe, but my iTunes library is humongous so if I can avoid using BCWipe on one drive that would be great.

Also, do they somehow get into a USB memory stick?  I know some reside in memory, how do you flush the memory before a boot?  Is there a program you can run from CD that is capable of this?


--------------------


Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.


1983
Stranger
Registered: 04/14/11
Posts: 130
Re: Rootkit... what. the. fuck. [Re: Seuss]
    #14440272 - 05/12/11 01:42 PM (12 years, 9 months ago)

Quote:
Seuss said:
> Did you re-generate the MBR?
>> Yea I did

I'm curious what you did to reload the MBR?  When dealing with MBR related malware, I usually use a Linux Live-CD to drop a Unix boot loader onto the disk (grub, lilo, etc) and then install windows forcing it to reload a Microshit MBR.  If the Unix loader comes up, I know the MS install failed to clean out the MBR.

The above is a pain, but I've yet to see malware that can operate under both windows and linux, and I've come across some insidious MBR infectors...

Will "diskpart clean" do this?

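Added example (not code posted by anyone in this thread): a small Python checker that parses a 512-byte MBR image such as the MBR.dat that aswMBR saved in the first post, compares it against a known-good copy, and reports whether sector 0 has been zeroed. It ties together three points raised above: koraks's point that formatting a partition leaves sector 0 untouched (the bootstrap code sits outside any filesystem, so only the code hash tells you whether it changed), Seuss's verification step (whether the Windows install actually rewrote the boot code is exactly what a hash comparison against a reference shows), and 1983's question about DiskPart: `clean` zeroes the MBR partitioning information on the disk with focus, and `clean all` zeroes every sector, so sector 0 read back after `clean` should pass the `is_zeroed` check. The sample images are constructed inside the script; the "tampered" one is just the reference with its first boot-code bytes changed, not a real infector. Reading sector 0 from a live disk is deliberately left out; feed the functions a saved image.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440           # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"       # bytes 510..511: boot signature


def parse_mbr(image: bytes) -> dict:
    """Decode a 512-byte MBR image (for example the MBR.dat that aswMBR saves)."""
    if len(image) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(image)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", image[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", image[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
        "valid_signature": image[510:512] == BOOT_SIG,
    }


def is_zeroed(image: bytes) -> bool:
    """True when sector 0 holds nothing but zeros: no boot code and no partition table."""
    return len(image) == SECTOR and not any(image)


def compare_mbrs(reference: bytes, candidate: bytes) -> list:
    """Report differences between a known-good MBR and one read back from the disk."""
    ref, cand = parse_mbr(reference), parse_mbr(candidate)
    findings = []
    if not cand["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if ref["code_sha256"] != cand["code_sha256"]:
        findings.append("bootstrap code differs from reference")
    if ref["partitions"] != cand["partitions"]:
        findings.append("partition table differs from reference")
    if ref["disk_signature"] != cand["disk_signature"]:
        findings.append("disk signature differs from reference")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a constructed MBR image for demonstration (not a real boot sector)."""
    img = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    img[:len(code)] = code
    img[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", disk_sig)
    for i, (active, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        img[off:off + 16] = struct.pack("<B3xB3xII", 0x80 if active else 0, ptype, lba, count)
    img[510:512] = BOOT_SIG
    return bytes(img)


# Constructed sample images (placeholders, not captured from any real disk).
REFERENCE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435, 0x1234ABCD,
                          [(True, 0x07, 2048, 1_000_000)])   # one active NTFS partition
_tampered = bytearray(REFERENCE_MBR)
_tampered[0:5] = b"\xeb\x3c\x90\x90\x90"   # first boot-code bytes overwritten (simulated change)
TAMPERED_MBR = bytes(_tampered)
ZEROED_MBR = bytes(SECTOR)                 # what sector 0 looks like after it has been zeroed


if __name__ == "__main__":
    print("reference vs itself:", compare_mbrs(REFERENCE_MBR, REFERENCE_MBR))
    print("reference vs tampered:", compare_mbrs(REFERENCE_MBR, TAMPERED_MBR))
    print("zeroed sector 0:", is_zeroed(ZEROED_MBR))
```

Use a saved MBR.dat from a known-clean install as the reference and a fresh dump as the candidate; an empty findings list means nothing in sector 0 changed. This only covers sector 0, so the hidden-sector payloads mentioned later in the thread, which live elsewhere on the disk, are outside what this check can see.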
5HTSynaptrip
Dopamine Enthusiast
Registered: 09/14/08
Posts: 4,360
Loc: USA
Last seen: 5 years, 10 months
Re: Rootkit... what. the. fuck. [Re: 1983]
    #14479121 - 05/19/11 03:02 PM (12 years, 9 months ago)

In the end I did this:

http://neosmart.net/wiki/display/EBCD/Recovering+the+Vista+Bootloader+from+the+DVD

For Win 7 obviously... I ran into a problem (I used the holocaust method) and found a command line solution for it in the Microsoft DB.  I also use EasyBCD to bypass my shitty custom BIOS that doesn't allow for USB boot.  I first redid everything with EasyBCD but then figured it couldn't hurt to follow the command line method. 

From what the guys at the avast! forums said my laptop seems fine.  BCWipe TotalWipeout wouldn't do the ATA Erase function because of a BIOS lock, but I guess you can use the hotswap method to make it work as BCWipe is a Linux LiveCD.  When I get to my desktop I'm doing the hotswap method for wiping all of the drives. 

Personally, I'm just about certain I got rid of it all because the laptop doesn't have a fuckin zillion processes running and my load screen doesn't take forever anymore.  What a fucking pain in the ass.


--------------------


Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.


BothHands
Dog Coffee
Registered: 10/28/09
Posts: 13,177
Last seen: 4 years, 11 months
Re: Rootkit... what. the. fuck. [Re: 5HTSynaptrip]
    #14479510 - 05/19/11 04:13 PM (12 years, 9 months ago)

I had a rootkit called Aleuron.A last week and it took me 20+ hours to get rid of.  Nasty fucking things, those.  Finally got it off with TDSKiller, but the virus put up one hell of a fight.  It wouldn't let me on the TDSKiller website.  Had to download it from another computer and move it to mine on a jump drive. And when I downloaded the file, it wouldn't let me open it because it recognized it.  I had to rename it, but it had already been detected, so the rename didn't work.  The virus also disabled my computer's ability to start up in safe mode, which was a bitch.  Eventually I got it off by restoring the computer to the settings of a few months ago.  It didn't get rid of the virus, but it got rid of the changes the virus had made to my computer.  This allowed me to quickly open the renamed TDSKiller, and finally it was gone. 

I think I got mine on animefreak.tv

5HTSynaptrip
Dopamine Enthusiast
Registered: 09/14/08
Posts: 4,360
Loc: USA
Last seen: 5 years, 10 months
Re: Rootkit... what. the. fuck. [Re: BothHands]
    #14483857 - 05/20/11 11:08 AM (12 years, 9 months ago)

I think I got mine from my mother-in-law's homegroup.  From the time my laptop was connected to it I had a ton of attempts at her computer connecting to mine.  The same date my NTUSER.DAT became fucked compared to the normal Win 7. 

For some reason I think the version of whatever rootkit I had was older because it didn't affect Chrome.  To bypass Win 7 ownership crap I have a registry script that puts a take ownership control in the right-click menu for any directory/file/folder.  Once I knew I was infected I took ownership of C: and saw the folders in users\appdata that it put and there were all sorts of Mozilla/IE Java scripts that were URL redirectors and shit.  aswMBR.exe found the rootkit but didn't identify it.  So after doing research on where they put themselves on the HDD I saw some were in the first sector and then in a hidden sector further in the disk.  Once I reinstalled Win 7 after running BCWipe (Linux LiveCD) I noticed my bootmgr was still from February when I was infected so the BIOS blocking ATA Erase didn't delete that sector on the HDD.  That was very fucking annoying.  Now I know you can bypass that from booting to a Linux LiveCD by plugging in the power after the BIOS post, but keeping the SATA cable connected to the controller. 

My desktop still hasn't been completely cleaned.  aswMBR fixed the MBR and now the rootkit isn't detected but if it's the same thing my laptop has then it somehow resides elsewhere and reinstalling Win 7 probably repairs it from the hidden sector... idk.  My desktop has an SSD though, and from what I've read it's annoying to get rid of rootkits on them as sector placement is irrelevant compared to HDDs.  The OCZ forums had a neat post on how to do it, and it involves plugging the power in after BIOS post.  :facepalm: 

I have a blank, shitty laptop drive that is getting Ubuntu installed on it and I'm wiping these fuckers from my old desktop that hasn't been turned on in a couple years.  Two days ago I also ordered an avast! rescue CD, which is supposed to be really good at fixing this shit.  Out of all of this, the BIOS locking ATA Erase was the biggest fucking annoyance I encountered.  EasyBCD is a great program though if you have to deal with these things.  I really like it, and am using it now to control dual-booting. 

64-bit operating systems make rootkits hard to detect and fix as well, since so many of the really awesome programs meant to deal with them are for 32-bit OSes.  :frown:


--------------------


Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.

