Root kits from Hell
- Published: Wednesday, 17 August 2011 16:09
Just had one of those days today. I have a pretty good grasp of Windows and spotting the odd trojan or virus; however, rootkits are harder to spot.
I generally run good old ComboFix on a PC when I get a call from a user saying there is an issue, but what happens when that won't run?
Most antivirus vendors have their own rootkit scanner to discover the problem, but not always to fix it.
A few good ones are:
My favourite free antivirus/trojan products at the moment (this will probably change next week) are:
The rootkit that got me working late again was called Watermark.exe. Avira detected it initially, as did Microsoft Security Essentials, but as two different issues; both were unable to remove it. The client had a total of 2370 infected DLL/EXE files. This was probably the highest number of infections I'd seen in years. Considering the client had had a new hard drive installed 2-3 days prior to my visit, it was pretty alarming.
Starting up in Safe Mode and clearing the files worked; however, I noticed my trusty USB flash drive had some unexpected and unwanted files (autorun.inf, 4 shortcuts and copy to shortcuts.lnk) added every few seconds. The A: drive light also kept coming on every few seconds.
However, none of the applications touched the watermark.exe file. I tried XP recovery mode but got an access denied message. So to remove this I had two options: boot to DOS via a trusted NTFS boot disk and locate the file C:\Program Files\Microsoft\watermark.exe, or connect the disk as a slave in another PC. I luckily had a Hiren's recovery CD in my collection and was able to get into DOS and remove the file.
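The indicators above (the locked file under C:\Program Files\Microsoft, autorun.inf plus .lnk files reappearing in the root of a removable drive every few seconds) are easy to check for before reaching for a boot CD. The script below is an added triage example, not part of the original post or any tool it mentions. The file path and file names come from the post; the function names, the removable-drive enumeration and the 60-second watch window are my own assumptions, and it assumes PowerShell 4 or later run as an administrator on the suspect machine.

```powershell
# Added example: triage checks for the indicators described in the post.
# Assumptions: PowerShell 4+ (Get-FileHash, Get-CimInstance), run elevated.

# Indicator 1: the dropped file the AV tools could not remove (path from the post).
$SuspectPath = 'C:\Program Files\Microsoft\watermark.exe'

function Test-WatermarkFile {
    # -Force so a hidden/system-attributed file is still returned.
    $item = Get-Item -LiteralPath $SuspectPath -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    # Hashing may fail with access denied on a locked file; that is itself a finding.
    $hash = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if (-not $hash) { $hash = '<unreadable>' }
    Write-Warning "Found $SuspectPath  attrs=$($item.Attributes)  sha256=$hash"
    return $true
}

# Indicator 2: autorun.inf and .lnk files in the root of removable drives.
function Get-RemovableDriveIndicators {
    $hits = @()
    # DriveType 2 = removable disk (USB flash, floppy).
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $files = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        foreach ($f in $files) {
            if ($f.Name -ieq 'autorun.inf' -or $f.Extension -ieq '.lnk') {
                $hits += [pscustomobject]@{
                    Drive   = $d.DeviceID
                    File    = $f.Name
                    Written = $f.LastWriteTime
                }
            }
        }
    }
    return $hits
}

# Indicator 3: the files come back every few seconds, so something is still
# running. Watch one drive root and log every re-creation for $Seconds seconds.
function Watch-DriveRoot {
    param([string]$Root, [int]$Seconds = 60)
    $watcher = New-Object System.IO.FileSystemWatcher $Root
    $watcher.IncludeSubdirectories = $false
    $watcher.EnableRaisingEvents = $true
    $null = Register-ObjectEvent $watcher Created -SourceIdentifier 'RootCreated'
    try {
        $end = (Get-Date).AddSeconds($Seconds)
        while ((Get-Date) -lt $end) {
            $ev = Wait-Event -SourceIdentifier 'RootCreated' -Timeout 5
            if ($ev) {
                Write-Warning "$(Get-Date -Format T) re-created: $($ev.SourceEventArgs.FullPath)"
                Remove-Event -EventIdentifier $ev.EventIdentifier
            }
        }
    } finally {
        Unregister-Event -SourceIdentifier 'RootCreated'
        $watcher.Dispose()
    }
}

# --- usage ---
$found = Test-WatermarkFile
$ioc   = Get-RemovableDriveIndicators
$ioc | Format-Table -AutoSize
# If a removable drive already carries the dropped files, watch it to confirm
# the dropper is still active (re-creation within the window).
if ($ioc) { Watch-DriveRoot -Root ($ioc[0].Drive + '\') -Seconds 60 }
if (-not $found -and -not $ioc) { Write-Host 'No indicators seen from inside this OS.' }
```

Two caveats. A rootkit running in the live system can hide its own file from Get-Item, so a negative result from this script is not conclusive; the reliable check is the one the post ends up doing, looking at the disk from a clean boot environment or from another machine. And the reappearing autorun.inf is the spreading mechanism: until the dropper is gone, every removable drive plugged into the box should be treated as infected, and AutoPlay should stay disabled on any machine those drives visit.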
Hope this helps someone spot the same issue and resolve it quickly.
Follow up: having returned the PC to the client, we agreed it was safer to wipe the entire PC, thus ensuring there was little or no chance of the trojan resurfacing.