Fight Club Forum Index » Technical Support
Rootkits...
Carter
BR (Barrel Rank) 6


Joined: 06 Mar 2004
Posts: 5174
Location: Get orf moy Laaaaaaaand!

Did a scan with Spybot recently and it identified an invisible folder called "Roott! s".

The thing seems to be a bitch to get rid of; anyone have any experience of this? Any way to get rid of it without losing the whole bootlock etc.?

I've been meaning to buy an SSD / hybrid... this may now be that time; if so, recommendations please.

_________________
"OH NO! A BOURGEOIS BIG-BOLLOCKED BOILER!!!!! THATS ALL I NEED", Conker The Squirrel, 2001
www.raspberrypi.org
Oi may be from the West Coutry but i'm not a hobbit, a pirate or a farmer me old shagger
Wed Dec 18, 2013 9:18 am
Morbeth
BR (Barrel Rank) 5


Joined: 22 Nov 2003
Posts: 3066
Location: Pushing The button.

Download this on a known clean system, burn it to a CD and boot your infected system off it to verify:

https://www.avira.com/en/download/product/avira-rescue-system

If it does confirm the infection, then hit your system with DBAN (again, download it from a known clean system) and reinstall from clean media:

http://www.dban.org/

If you need to copy files off, use a sacrificial system to copy the files you need off the infected disk and scan them (I recommend the Avira boot CD for that as well) before copying them onto your newly clean system. Avoid copying anything that's likely to carry the infection with it (no executables); stick to your documents and pictures. For reinstalling any applications, re-download them from a trusted source or use verified original media.

I did malware response as part of one of my old jobs and this was pretty much the procedure we followed for any reported infection. Scan the system using a custom scanning CD to verify whether or not it was a false positive; if it's infected, the system gets nuked from orbit.

_________________
Morbeth
"I don't flirt with death, she runs up and sticks her tongue in my ear."
Ita Devexus Quando Hic Adveni - "It was sinking when I got there..."

Thu Dec 19, 2013 1:16 am
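The salvage step Morbeth describes (copy only documents and pictures off the infected disk, never executables) as an added example, not code from anyone in this thread. It refuses files both by extension and by header bytes, so an executable renamed to .jpg is not carried across; the sample tree, file names and contents are constructed, and a real run would point src_root at the mounted infected disk.

```python
import shutil
import tempfile
from pathlib import Path

# Allow-list of document/picture extensions and the header bytes each should start with.
SAFE_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".txt": None,  # no fixed header; only the executable check applies
}
EXEC_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE and Linux ELF headers: never copied

def classify(path):
    # Returns 'copy', 'skip-extension', 'skip-executable' or 'skip-mismatch'.
    ext = path.suffix.lower()
    if ext not in SAFE_TYPES:
        return "skip-extension"
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(EXEC_MAGIC):
        return "skip-executable"      # e.g. an .exe renamed to .jpg
    expected = SAFE_TYPES[ext]
    if expected is not None and not head.startswith(expected):
        return "skip-mismatch"        # extension says one thing, content another
    return "copy"

def salvage(src_root, dst_root):
    # Copy only files that classify() approves; return {relative path: verdict}.
    decisions = {}
    for src in (p for p in Path(src_root).rglob("*") if p.is_file()):
        rel = src.relative_to(src_root)
        verdict = decisions[rel.as_posix()] = classify(src)
        if verdict == "copy":
            (Path(dst_root) / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, Path(dst_root) / rel)
    return decisions

def demo():
    # Run salvage() over a constructed sample tree (not a real infected disk).
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "infected", Path(tmp) / "clean"
        samples = {"docs/notes.txt": b"shopping list\n",
                   "pics/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
                   "pics/fake.jpg": b"MZ\x90\x00" + b"\x00" * 20,   # PE renamed .jpg
                   "downloads/setup.exe": b"MZ\x90\x00" + b"\x00" * 20,
                   "docs/report.pdf": b"<html>not a pdf</html>"}
        for rel, data in samples.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        decisions = salvage(src, dst)
        copied = sorted(p.relative_to(dst).as_posix() for p in dst.rglob("*") if p.is_file())
        return decisions, copied
```

Anything that reaches the clean side should still be scanned with the rescue CD, as the post says; the header check only stops the obvious disguises.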
Carter
BR (Barrel Rank) 6


Joined: 06 Mar 2004
Posts: 5174
Location: Get orf moy Laaaaaaaand!

HD a total Joe loss then?

And thanks for the tips also.

Thu Dec 19, 2013 7:59 am
Azrae1
BR (Barrel Rank) 2


Joined: 25 Feb 2013
Posts: 107

It's not necessarily a write-off, but it's probably not a great idea to try to disinfect unless you're used to pissing about with rootkits. There are rootkit recovery discs you can get (effectively a Linux AV on a disc) but again, not for the faint-hearted.

Oh, and it's probably me stating the obvious, but make sure you use an up-to-date endpoint protection product.
Bitdefender is decent, but like all antivirus solutions, it's only as good as the latest signature.

On the plus side, once you've DBAN'd your PC, all the accumulated crap you never use will be gone.

Thu Dec 19, 2013 8:22 am
Carter
BR (Barrel Rank) 6


Joined: 06 Mar 2004
Posts: 5174
Location: Get orf moy Laaaaaaaand!

I have no experience of these things at all... are we talking a virus-like ability to spread, or just a convenient back door in my machine?

In other words can I copy my stuff across without the rootkit?

Thu Dec 19, 2013 12:04 pm
Azrae1
BR (Barrel Rank) 2


Joined: 25 Feb 2013
Posts: 107

So a rootkit is typically installed by a piece of malware. It often hides naughty stuff like keyloggers and password sniffers.

I would strongly recommend you don't do any sensitive stuff, such as internet banking, until your PC is cleaned up.

Consider downloading Trusteer Rapport from here:
Www.trusteer.com/products/trusteer-rapport
It is effective at preventing man-in-the-browser attacks.

Technically, you should be OK moving stuff to another drive, although you may end up moving the malware that dropped the rootkit in the first place.

Plenty of the big AV companies have a rootkit removal tool for free; some are better than others.

Oh and be careful where you browse. Filesharing and torrent sites are notorious dumping grounds for nasties.

Good luck

Thu Dec 19, 2013 1:38 pm
Morbeth
BR (Barrel Rank) 5


Joined: 22 Nov 2003
Posts: 3066
Location: Pushing The button.

The drive isn't a write off, but you should wipe it before reusing it.

But still, download the Avira offline scanning CD to verify that you do indeed have an infection in the first place.

Sat Dec 21, 2013 1:46 am
Carter
BR (Barrel Rank) 6


Joined: 06 Mar 2004
Posts: 5174
Location: Get orf moy Laaaaaaaand!

Thanks chaps... I'll let you know how I get on.

Sat Dec 21, 2013 7:29 am
Carter
BR (Barrel Rank) 6


Joined: 06 Mar 2004
Posts: 5174
Location: Get orf moy Laaaaaaaand!

32 mins in and it's found 2 "detections" so far.

It's shit like this that makes me want to go back to Linux...

Mon Dec 23, 2013 12:14 pm
Carter
BR (Barrel Rank) 6


Joined: 06 Mar 2004
Posts: 5174
Location: Get orf moy Laaaaaaaand!

Tappety tap... note to self: delete some shit and this wouldn't take so long! Ah, finished!

Quote:

Detection: /target/C:/users/main/appdata/locallow/sun/java/deployment/cache/6.0/57/603387b9-207aab6d
Virus name: EXP/CVE-2012-1723.A.3115 file renamed
Virus Type: exploit

Detection: /target/C:/users/main/downloads/setup.exe
Virus name: TR/Clicker.6654789 file renamed
Virus Type: trojan


This is what it found and sorted... are we good to go, or do I need to do the complete reinstall thing???

Thanks in advance.

Mon Dec 23, 2013 1:10 pm
Azrae1
BR (Barrel Rank) 2


Joined: 25 Feb 2013
Posts: 107

Reboot, run it again. If it's clean, move stuff you need to keep to another drive and then decide if you want to blitz your drive.

It really is up to you. I don't necessarily think you do need to DBAN the drive, but it will ensure you have a fresh install and less legacy shite to deal with.

Mon Dec 23, 2013 2:14 pm
Carter
BR (Barrel Rank) 6


Joined: 06 Mar 2004
Posts: 5174
Location: Get orf moy Laaaaaaaand!

I've deleted the renamed files and cleared all of the Java stuff from the C: drive.

I've reinstalled the latest version from Oracle and will give it another scan tomorrow.

Thanks, and yes, I do want to start again! Want some tips on that too... but I'll wait until after Christmas.

Mon Dec 23, 2013 2:19 pm
Morbeth
BR (Barrel Rank) 5


Joined: 22 Nov 2003
Posts: 3066
Location: Pushing The button.

You might have gotten lucky and it didn't pull much else down. The problem with AV is that it's signature-based; it can't detect what it doesn't know about.

That's why I mentioned the policy of: if it detects anything, the computer gets wiped. You just don't know what else it could have pulled down and installed that the AV companies don't know about yet.

If you choose not to wipe your system, don't ever do any banking on it again, or any other serious financial transactions on it.

Linux has its own different set of problems. But as long as you generally stick to your distro's choice of repos and avoid things like Flash, you're 90-95% protected from most of the run-of-the-mill stuff out there. You've got to be more careful if you're running a Linux server that's publicly accessible, but that's a different story altogether.

Tue Dec 24, 2013 2:36 am
DodgeIt
BR (Barrel Rank) 6


Joined: 03 May 2004
Posts: 6827
Location: Standing proud with KingA at my feet polishing my helmet.

I always find it easier to wipe PCs when they get a virus.

You can spend ages cleaning it up and a week later you're back in the same boat because it missed something and that's downloaded more shit.

Quickest and safest method is a wipe. You won't have any doubts of "did I get everything?..."

Fri Dec 27, 2013 8:33 am