
rootkit and virusey stuff

The Cat Registered User, ClubPA regular
edited December 2007 in Help / Advice Forum
Hmmm. This is convoluted, so bear with me. A week or so ago I had to get some documents scanned, and so I went up to the local internet cafe with my USB stick and they did it for me. Yay, papers in order. Next day I plug the same USB into my work computer and the network there claims to have spotted a trojan on the USB and deleted it. Yay? S'pose... but the USB had also been plugged into my home laptop before that and AVG's free scanner didn't detect anything.

Next: I got a new laptop yesterday, because the old one is...old (also for sale, brisbanites :P). I had them linked by a wireless ad-hoc network created on the new laptop using Vista's networking capability, and transferred most of my files across to the new HD. While it was doing that, there were some weird shenanigans at first - the screen resolution switched around a couple of times, and twice while that was happening a screen full of little low-res... teddy-bear faces, I guess, popped up for a split second. Which, you know, is kind of suspicious, and that's when I started to worry about the incident with the USB.

So I ran AVG on the new machine (first thing I'd installed prior to doing the file transfer), and I ran Windows Defender, and neither of them found anything. Still suss, I DL'd AVG's free anti-Rootkit thingy as well, and lo and behold it found a suspicious file - a disguised driver of some sort. I googled its name, but got no hits at all (the file is called alugujrf.sys, FYI). So I had the program remove it. Scanned the old machine (which runs XP Home rather than Vista) as well, but found nothing there. Is this actually the end of the problem? Am I even tracing it back correctly?

I ran the scanner and Defender again after removing it, and nothing new was revealed. Could the programs be missing anything the rootkit might have been hiding? Is there another scanner I should try? I know TrendMicro have a web-based one, and it's good but slow as hell. I'm kind of looking for alternatives, or a way to avoid using it.

The Cat on

Posts

  • devoir Registered User regular
    edited December 2007
    What manufacturer is your new laptop from?

    Did it come with any kind of anti-theft measures?

    If I understand your situation correctly, it's unlikely that the USB 'trojan' is related to what happened on your new laptop. I've recently noticed a number of false positives related to USB devices that were marked as trojans with some of the clients I work with.

    I'd run Stinger and then the TrendMicro online scanner on the new laptop, overnight. Stinger just to be on the safe side, because AVG should pick up anything that Stinger does, and the TrendMicro one for the reasons you figure. Running it overnight won't hurt.

    devoir on
  • The Cat Registered User, ClubPA regular
    edited December 2007
    It's an Acer (both laptops are). The USB is a Creative mp3 player, a Stone Plus. That's interesting about the false positive. Those weird resolution changes still bothered me though. Fair enough, TrendMicro it is.

    The Cat on
  • Derrick Registered User regular
    edited December 2007
    That file is indicative of a trojan. Where was it located? In the Windows System32 folder?

    What generally happens is that the trojan process is embedded in the explorer.exe process and that it will create files with random names (such as the gobbledygook above) in order to work its mischievous magic.

    If you get another file of that random type, you certainly have a trojan. Let us know if you get any other symptoms and we should be able to help you out.

    Derrick on
    Steam and CFN: Enexemander
  • The Cat Registered User, ClubPA regular
    edited December 2007
    yup *sigh*

    found another file like that just now. Now what?

    The Cat on
  • Derrick Registered User regular
    edited December 2007
    The Cat wrote: »
    yup *sigh*

    found another file like that just now. Now what?

    Honestly the very best solution is probably to wipe your hard drive and start fresh.

    Barring that, you need to figure out just what you've got. Download and run hijackthis and look for suspicious items and google them all to check to see if they're legit. Also, download process explorer. You're probably going to have to fix your registry also. Unless you get lucky and it's a trojan that's well known and old, you're probably in for a fight.

    Derrick on
    Steam and CFN: Enexemander
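Derrick's two posts above boil down to one triage procedure: list the kernel drivers, pick out the ones with meaningless random names that nothing legitimate accounts for, and see which registry service entry loads them. The PowerShell below is an added example that does that inventory on a Windows machine; it is not code from the thread or from any tool named in it. It assumes Windows PowerShell run as Administrator, the standard System32\drivers directory and the HKLM\SYSTEM\CurrentControlSet\Services hive, and it treats the pattern from The Cat's file (alugujrf.sys: a run of lowercase letters with no structure) as the name heuristic.

```powershell
# Added example, not from the thread. Assumptions: run as Administrator on the
# suspect machine; drivers live in System32\drivers; driver services live under
# HKLM\SYSTEM\CurrentControlSet\Services. A rootkit that hooks directory listing
# can still hide its .sys from this, which is why an offline scan remains the real
# check; this script only produces a triage list.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Map lower-cased driver file name -> service key whose ImagePath loads it.
# This is the registry entry Derrick says you will have to fix afterwards.
$loadedBy = @{}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.ImagePath) {
            # Strip quotes and any trailing arguments, keep just the file name.
            $path = (($props.ImagePath -replace '"', '').Trim() -split '\s+')[0]
            $leaf = Split-Path -Path $path -Leaf
            if ($leaf) { $loadedBy[$leaf.ToLower()] = $_.PSChildName }
        }
    }

$report = foreach ($file in (Get-ChildItem -Path $driverDir -Filter '*.sys' |
                             Where-Object { -not $_.PSIsContainer })) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # Name heuristic: 7-10 lowercase letters and nothing else (alugujrf.sys fits).
    # Plenty of real drivers also look like this, so the name alone is only a hint
    # and counts as suspicious together with a signature that is not valid.
    $randomLooking = $file.BaseName -cmatch '^[a-z]{7,10}$'
    $unsigned      = $sig.Status -ne 'Valid'

    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Name       = $file.Name
        Signature  = $sig.Status
        Signer     = $signer
        Service    = $loadedBy[$file.Name.ToLower()]
        Created    = $file.CreationTime
        Suspicious = ($randomLooking -and $unsigned)
    }
}

# Triage list: random-looking, not validly signed, newest first. A hit with no
# Service entry at all is worth a closer look too, since nothing legitimate
# registered it.
$report | Where-Object { $_.Suspicious } | Sort-Object Created -Descending |
    Format-Table Name, Signature, Service, Created -AutoSize
```

Two caveats on reading the output. On Vista-era Windows, Get-AuthenticodeSignature does not consult the catalog files that Microsoft uses to sign most of its own drivers, so many legitimate drivers report NotSigned; that is why the script requires the random-name pattern as well and why every hit should be checked against a second source (the driver's properties, a vendor lookup) before anything is deleted. And, as The Cat's own question notes, a kernel-level rootkit can filter what this listing sees; if the hidden file only shows up in an anti-rootkit tool, that discrepancy is itself the finding.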
  • Pheezer Registered User, ClubPA regular
    edited December 2007
    You can never trust a computer with a rootkit on it. You're really best off backing up your documents and formatting. If you were talking about a server which probably had the rootkit introduced by someone with physical access, I'd suggest that you might want to re-flash the BIOS, or replace the motherboard as well, after having wiped the drive using a different PC to do so. But that's extreme and not necessary here.

    If you format the hard drive and re-install windows, you should be really safe. Then you can virus scan all of your documents before copying them back to your PC. It's going to be far less time consuming this way. There is no way to properly clean your computer of a rootkit or a decent trojan situation that will take less time than starting over.

    Pheezer on
    IT'S GOT ME REACHING IN MY POCKET IT'S GOT ME FORKING OVER CASH
    CUZ THERE'S SOMETHING IN THE MIDDLE AND IT'S GIVING ME A RASH
  • Thanatos Registered User regular
    edited December 2007
    Try the trial version of Kaspersky. Naporeon recommended it to me, and it seemed to work very well.

    Thanatos on
  • The Cat Registered User, ClubPA regular
    edited December 2007
    Can't reformat, it's a laptop. Doesn't come with a Vista disk, just the install plus Acer's firmware. And I realised this morning that Vista had suppressed Acer's eRecovery software from firing up the first time I booted this machine, which is a pity, because it therefore means I don't have a clean system restore disk and no way to make one that's less than 20GB in size - hell, even if I did make the image now, it'd only preserve the problem :x In my defense, I'd never used Vista before and had no idea it could block stuff without telling you, but I should have remembered to use the utility first anyway.

    Googling around, it looks like I've got a trojan called Pardot-A, judging by the behaviour. It's a system backdoor, so it could be worse I suppose. I'm running Windows' Malicious Software Removal Tool right now, and if that doesn't catch it (likely), Sophos' free trial antivirus is supposed to be able to handle it. We'll see what happens.

    The Cat on
  • Pheezer Registered User, ClubPA regular
    edited December 2007
    Are you sure that Acer install disk isn't an OEM branded Vista install disc? That's how my XP disc that came with a Compaq laptop ages ago was.

    Pheezer on
    IT'S GOT ME REACHING IN MY POCKET IT'S GOT ME FORKING OVER CASH
    CUZ THERE'S SOMETHING IN THE MIDDLE AND IT'S GIVING ME A RASH
  • The Cat Registered User, ClubPA regular
    edited December 2007
    No disks came with the hardware. It's a factory install.

    The Cat on
  • ecco the dolphin Registered User regular
    edited December 2007
    Might I also recommend trying Avira? It's the AV I run and it claims to also protect against root-kits.

    ecco the dolphin on
    Penny Arcade Developers at PADev.net.
  • devoir Registered User regular
    edited December 2007
    If there's no disk, there'll be a recovery partition or a way to burn yourself a set of disks.

    devoir on
  • The Cat Registered User, ClubPA regular
    edited December 2007
    Yeah, there's Acer's backup thing. And the image it wants to create is estimated to be roughly 20GB. Hell with that, I don't have enough blank DVDs, it would take forever, and I'm not sure it wouldn't preserve the problem on the disc(s).

    Pardot-A is apparently just part of a mass-mailing system, and while it's present it's actually blocked from doing anything by AVG (just a pity their anti-rootkit can't seem to actually remove it properly). I've run something like 6 different virus scanners today and found no problems at all, so my options at this point are

    1) Wait for SP1 of Vista and see if that catches it
    2) Go to an Acer shop or whatever and get them to give me the hard copy of Vista I'm entitled to as a system owner so that I can reformat
    3) Wait for Sophos to upgrade their anti-rootkit thing so that it's compatible with Vista. Thanks for giving no sign of that until after I installed it, Sophos!
    4) Ignore it and go play Lego Star Wars

    I think I'm going with 4 for now.

    I just want to say though, that this 'lolreformat' business so many of you have going is not a helpful response even for people with the ability to. A little time spent on research and learning how these things work is far more likely to be an effective solution. The damn thing would be gone already if not for Sophos' compatibility issues, I think.

    The Cat on
  • Pheezer Registered User, ClubPA regular
    edited December 2007
    If you had the software you were supposed to receive with the laptop, reformatting would have been faster and easier than any alternative. It's hardly an unreasonable assumption that your laptop should have come with a Vista disc of some nature.

    Pheezer on
    IT'S GOT ME REACHING IN MY POCKET IT'S GOT ME FORKING OVER CASH
    CUZ THERE'S SOMETHING IN THE MIDDLE AND IT'S GIVING ME A RASH
  • devoir Registered User regular
    edited December 2007
    That's incorrect. She'd already moved a whole bunch of data across and had started to configure up programs. If there had been a piece of rootkit removal software or even a website that gave information on removing them, it's less pain to follow those steps/run the software than to reformat.

    The whole lolreformat thing is fine when you're in a corporate environment where your data is automatically bound to network shares, etc but despite the fact that I'll nuke a workstation without hesitation for any of my clients, I don't do it for personal machines nor do I advise friends/family to do so.

    Edit: I would take the time (and disks) to burn off the system restore. A few clients have taken to buying Sony Vaios which are much in the same boat as what you describe. Even if you do get a Vista DVD from Acer, it will likely be one of two options.

    A) Vanilla Vista, no drivers and thus makes your laptop near worthless as you hunt for drivers should you ever need to use it.
    B) They'll just advise you to burn it, and if you push the issue they'll probably boot up your laptop and burn from that.

    Hell, a client took their HP laptop into a registered HP repair agent against my advisement and they got charged $80 for basically option B.

    devoir on
  • The Cat Registered User, ClubPA regular
    edited December 2007
    Yes, but with regard to the system restore, given that the rootkit is a hidden .sys file, won't it be preserved with all the other stuff on the disks? Using the restore disks after that would only reinfect the machine along with fixing whatever amount of damage prompted their use...isn't that how it works? Acer's software doesn't explain what it does in much detail beyond 'it takes an image'. I'm assuming that image would include any infections etc.

    The Cat on
  • devoir Registered User regular
    edited December 2007
    Restore disks generally return the device back to its factory-shipped state. I have never seen or heard of a system backup like you're describing, mind you I have low experience with recent Acer laptops/desktops because of issues in the past and my subsequent avoidance of the brand.

    I'd walk through the process up until the point where it actually asks you for the disks. If it burns them in Windows, then it's highly likely it's a factory-state restore as opposed to a system backup. It should make it explicitly clear during the process what the disks are meant to be used for. Sony, for example, tells you to put the disks in a safe place and that these disks are the only way of restoring your operating system to factory-shipped state and you will lose all data and changes made to the laptop.

    devoir on
  • The Cat Registered User, ClubPA regular
    edited December 2007
    Ah, ok. I'll give it a go then.

    The Cat on
  • SeñorAmor !!! Registered User regular
    edited December 2007
    DrDizaster wrote: »
    If you had the software you were supposed to receive with the laptop, reformatting would have been faster and easier than any alternative. It's hardly an unreasonable assumption that your laptop should have come with a Vista disc of some nature.

    Untrue. Have you purchased a pre-built computer from a name-brand source lately? They never come with a copy of Windows on a CD, and rarely come with a CD containing the myriad of software that's already installed. Most times there's a separate partition with an install image and a custom BIOS that will let you boot off it in case of a situation like this where reinstalling Windows is necessary.

    In this scenario, I would suggest purchasing a new hard drive and installing it in your laptop, then finding someone with a Vista disc and installing from that. You have a valid CD-key stuck to your laptop somewhere, so any old Vista disc of the same type as your current install should work fine. Finally, you can purchase an adapter that will let you plug your old hard drive into a USB port so you can access the files when and if you need them.

    It's far from the cheapest alternative, but it's the best, imo.

    SeñorAmor on
  • Pheezer Registered User, ClubPA regular
    edited December 2007
    DrDizaster wrote: »
    If you had the software you were supposed to receive with the laptop, reformatting would have been faster and easier than any alternative. It's hardly an unreasonable assumption that your laptop should have come with a Vista disc of some nature.

    Untrue. Have you purchased a pre-built computer from a name-brand source lately? They never come with a copy of Windows on a CD, and rarely come with a CD containing the myriad of software that's already installed. Most times there's a separate partition with an install image and a custom BIOS that will let you boot off it in case of a situation like this where reinstalling Windows is necessary.

    Okay, you've got me there. The last time I bought a pre-built machine was probably seven years ago.

    Pheezer on
    IT'S GOT ME REACHING IN MY POCKET IT'S GOT ME FORKING OVER CASH
    CUZ THERE'S SOMETHING IN THE MIDDLE AND IT'S GIVING ME A RASH