Glock Talk
Welcome To The Glock Talk Forums.
Old 04-05-2010, 14:18   #1
jpa
CLM Number 268
Charter Lifetime Member
 
Join Date: May 2001
Location: Las Vegas NV
Posts: 10,368
F-ing rootkits....

I got a good one (well, one of the computers from work does anyway). WinXP Pro SP3, laptop boots straight into a fake virus scan and starts "finding" viruses on it. It hides the start menu, no right-clicking on anything, the task manager is greyed out when you ctrl-alt-del. Even booting in safe mode w/ command prompt, you can't run regedit. I think this one got me.

Anyone ever successfully beat one of these suckers without having to reinstall the OS?
__________________
Big Dawg #1408, TT #1408
Moto Club #1408, GSSF Member, NRA RSO
NRA Benefactor Member
jpa is offline   Reply With Quote
Old 04-05-2010, 14:23   #2
IndyGunFreak
KO Windows
Join Date: Jan 2001
Location: Indiana
Posts: 30,507
Quote:
Originally Posted by jpa View Post
I got a good one (well, one of the computers from work does anyway). WinXP Pro SP3, laptop boots straight into a fake virus scan and starts "finding" viruses on it. It hides the start menu, no right-clicking on anything, the task manager is greyed out when you ctrl-alt-del. Even booting in safe mode w/ command prompt, you can't run regedit. I think this one got me.

Anyone ever successfully beat one of these suckers without having to reinstall the OS?
Boy that sounds wicked..lol.

Rootkits (good ones) are particularly nasty. I won't waste more than a few minutes trying to clear them. It's too easy to reinstall.
__________________
Quote:
Ronald Reagan
"If we ever forget that we are One Nation Under God, then we will be a nation gone under."
"Man is not free unless Government is limited"
IndyGunFreak is offline   Reply With Quote
Old 04-05-2010, 15:39   #3
jpa
CLM Number 268
Charter Lifetime Member
 
Join Date: May 2001
Location: Las Vegas NV
Posts: 10,368
Yeah, tell me about it. If the laptop had a floppy I'd try using a rescue disk, but no luck. That and our antivirus is installed from the media copied to a shared drive, so the original disc is locked in an office in Carson City. Everything I try to get around this stupid screen or to keep it from loading on boot is blocked. No task manager, no ctrl-alt-del, no loading Windows w/ confirmation, none of it. We'll just reload it tomorrow I think.
__________________
Big Dawg #1408, TT #1408
Moto Club #1408, GSSF Member, NRA RSO
NRA Benefactor Member
jpa is offline   Reply With Quote
Old 04-05-2010, 15:42   #4
ChristopherBurg
Senior Member
 
Join Date: Dec 2009
Location: Minnesota
Posts: 181
Anytime a machine is compromised you just need to bite the bullet and reformat the drive.

Even the best malware removal tools can not guarantee they removed all the malicious software. Remember those malicious guys are making money off of keeping your machine infected and in their botnet, therefore they are going to put as many back doors and access methods in your system as they can. This ensures that if their tool is found and removed, their automated scripts can reinfect the machine quick, fast, and in a hurry.

Anytime you get any malware just reformat the drive and reinstall your operating system.
ChristopherBurg is offline   Reply With Quote
Old 04-05-2010, 18:39   #5
Pierre!
NRA Life Member
Join Date: Jun 2003
Location: Lovin Sparks Nv!
Posts: 4,209
Get ahold of Sysinternals. They have tools that will let you whack at will, and see the process start so you can block future runs...

They had some videos talking about how to stop virus attacks a while ago. Don't know that they are still relevant to tell the truth.

Might as well nuke it while you are at it. I have had 3 now that would install aaaallllmmmmoooosssstttt all the way before puking and refusing to finish the XP install. Yah, they were THAT deeply rooted.

I believe it was Darik's Boot N Nuke that I used... run it overnight, install in the AM.

Worked every time for me! Also taught the user that "fun and games" will cost you some time...

Good Luck, and let us know what works for the "Brain Trust"...
Pierre! is online now   Reply With Quote
Old 04-05-2010, 18:39   #6
Linux3
Senior Member
Join Date: Dec 2008
Posts: 1,399
Quote:
Originally Posted by jpa View Post
Anyone ever successfully beat one of these suckers without having to reinstall the OS?
Nope, and if they think they did they are not living where the buses run.
Reformat and reinstall.
Or consider a new choice in operating systems.
__________________
It it's not on fire,
It's a software problem.
Linux3 is offline   Reply With Quote
Old 04-07-2010, 08:53   #7
jpa
CLM Number 268
Charter Lifetime Member
 
Join Date: May 2001
Location: Las Vegas NV
Posts: 10,368
Quote:
Originally Posted by Linux3 View Post
Nope, and if they think they did they are not living where the buses run.
Reformat and reinstall.
Or consider a new choice in operating systems.
Good point. Good thing all our laptops at work are the same model Dell and we have a stack of recovery CDs. XP is reinstalled with the apps and all is good again.

Not my pc or I'd consider changing the OS. Good thing there was no important data on it.
__________________
Big Dawg #1408, TT #1408
Moto Club #1408, GSSF Member, NRA RSO
NRA Benefactor Member
jpa is offline   Reply With Quote
Old 04-07-2010, 19:53   #8
mcole
Senior Member
 
Join Date: Jan 2001
Posts: 333
Try shutting the laptop down. Unplug from power. Take out the battery. Let it sit for 24 hours. Put the battery back in and plug into power. Start it up. SOMETIMES this will work (about half the time). Worth the shot. mcole
__________________
"I would rather have a German division in front of me than have a French division behind me."
George S. Patton
mcole is offline   Reply With Quote
Old 04-07-2010, 21:06   #9
area727
G23
Join Date: Oct 2009
Location: Florida
Posts: 437
I recently had something similar happen to a machine at work, no idea how it got infected... needless to say, it's now running Ubuntu.
area727 is offline   Reply With Quote
Old 04-07-2010, 21:53   #10
ChristopherBurg
Senior Member
 
Join Date: Dec 2009
Location: Minnesota
Posts: 181
Quote:
Originally Posted by mcole View Post
Try shutting the laptop down. Unplug from power. Take out the battery. Let it sit for 24 hours. Put the battery back in and plug into power. Start it up. SOMETIMES this will work (about half the time). Worth the shot. mcole
This will not change the data saved on the hard drive and thus will not fix any issues involving malware installed on the machine.
ChristopherBurg is offline   Reply With Quote
Old 04-08-2010, 13:17   #11
HKUSP45Css
Senior Member
 
Join Date: Apr 2007
Location: Houston, by God, Texas
Posts: 3,969
I boot to WinPE on a thumb drive and go into the registry from there. It's not rocket surgery if you have the tools; root kits are not the end-all, be-all of malware.

Quote:
Originally Posted by Linux3
Nope, and if they think they did they are not living where the buses run.
Reformat and reinstall.
Or, as my pappy used to say, "the less a man makes declarative statements, the less apt he is to look foolish in hindsight."

I've cleaned root kits manually when I didn't have anything better to do just to learn their behavior. I've also used software to clean them after I was able to get the machines back to a useable state manually.

It takes longer than a re-install in most cases but, sometimes, a re-install isn't an option.
HKUSP45Css is offline   Reply With Quote
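Post #11's approach, booting WinPE and working on the registry offline, as an added example that is not part of the thread: a PowerShell script that loads the locked-out user's NTUSER.DAT, reports the per-user policy values that produce the symptoms in post #1 (Task Manager greyed out, regedit blocked, desktop hidden, no right-click), lists the user's autostart entries, and clears the policy values when run with -Fix. The drive letter D:, the profile name jdoe, the mount name OfflineUser and a WinPE image that includes PowerShell are assumptions.

```powershell
# Added example (not from the thread): audit an offline Windows XP user hive from WinPE
# for the lockout policies described in post #1, and optionally clear them.
# Assumptions: the infected volume is mounted at D:, the affected profile is 'jdoe',
# and the WinPE image has PowerShell; the offline hive name 'OfflineUser' is arbitrary.
param(
    [string]$ProfileDir = 'D:\Documents and Settings\jdoe',
    [switch]$Fix
)
$mount = 'OfflineUser'
$hive  = Join-Path $ProfileDir 'NTUSER.DAT'
& reg.exe load "HKLM\$mount" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not load $hive (is the system volume mounted?)" }
try {
    $cv = "HKLM:\$mount\Software\Microsoft\Windows\CurrentVersion"
    # Each lockout symptom maps to a per-user policy value; absent or 0 is the normal state.
    $policies = @(
        @{ Key = "$cv\Policies\System";   Name = 'DisableTaskMgr';       Symptom = 'Task Manager greyed out' },
        @{ Key = "$cv\Policies\System";   Name = 'DisableRegistryTools'; Symptom = 'regedit blocked' },
        @{ Key = "$cv\Policies\Explorer"; Name = 'NoDesktop';            Symptom = 'desktop icons hidden' },
        @{ Key = "$cv\Policies\Explorer"; Name = 'NoViewContextMenu';    Symptom = 'right-click disabled' }
    )
    foreach ($p in $policies) {
        $val = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($val) {
            "{0}\{1} = {2}  ({3})" -f $p.Key, $p.Name, $val, $p.Symptom
            if ($Fix) { Remove-ItemProperty -Path $p.Key -Name $p.Name; "  cleared" }
        }
    }
    # Per-user autostart entries: list them so the fake scanner's loader can be identified.
    # Values pointing into %TEMP%, Application Data or the profile root deserve a close look.
    foreach ($run in 'Run', 'RunOnce') {
        $key = "$cv\$run"
        if (Test-Path $key) {
            foreach ($name in (Get-Item $key).Property) {
                "{0}: {1} = {2}" -f $run, $name, (Get-ItemProperty -Path $key -Name $name).$name
            }
        }
    }
    # A per-user Shell override replaces explorer.exe at logon; it is normally absent.
    $wl = "HKLM:\$mount\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) { "Winlogon\Shell override: $shell" }
}
finally {
    # Release provider handles before unloading, or reg.exe reports the hive as in use.
    [gc]::Collect()
    & reg.exe unload "HKLM\$mount" | Out-Null
}
```

The machine-wide SOFTWARE hive (D:\WINDOWS\system32\config\software) can be loaded the same way to check HKLM Run keys and the Winlogon Shell and Userinit values; clearing the policies restores the tools but does not remove the malware, which is the point the later posts make.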
Old 04-08-2010, 15:03   #12
ChristopherBurg
Senior Member
 
Join Date: Dec 2009
Location: Minnesota
Posts: 181
The problem with going the route of removal is the fact you can't guarantee you removed everything.

For instance let's say a machine is infected with a root kit. This root kit allows remote access to the machine which the malicious hacker who compromised the machine uses. The malicious hacker, while accessing the machine, installs several other back doors on the system in case the root kit is ever removed. This doesn't just apply to root kits but to any malware.

This sounds like a lot of work but most script kiddies these days do exactly that. It's rare for a machine to be infected by only a single piece of malware; usually, after one gets on, it installs others.

This game changed completely once malware stopped being about bragging rights and started being about money. There is a financial interest in keeping machines infected (adding them as part of a botnet which is rented out to people wanting to perform DDoS attacks, for instance). Due to this, malicious hackers go to great lengths to ensure they can reinfect a machine if their initial compromise is discovered and removed.

There is no way of knowing if something new was installed after the initial malware was installed. Sure, a scanning and removal tool might know about the initial malware. The same tool very well may not know about the brand new tools that were also installed afterward.

The only way to clean a machine and know for sure it's safe is to completely reinstall the operating system.
ChristopherBurg is offline   Reply With Quote