kidgrok
2009-10-02, 03:18
My WinXP SP3 testbed system was afflicted for 28 hours by a rootkit whose effect was just as described in this thread. http://forums.spybot.info/showthread.php?t=52101 During the process of troubleshooting I was able to gain easy access to clean, updated test copies of the Spybot S&D folder, utilizing a backup copy I'd stored in another folder. Each time I attempted a Spybot scan using the main or sleuth executable files provided in the program's folder, the associated file was disabled by the rootkit. When all available executable copies of the Spybot program were used up, I renamed the Spybot S&D folder and moved it into a quarantine folder for later deletion. Then I copied the clean backup folder back into Program Files. I did this many times and got very efficient at it.
The steps that finally restored spyware scanner functionality to my system, and, presumably, removed the rootkit, were:
1) In normal Windows mode, downloaded, installed, ran Sophos Anti-Rootkit free scanner; removed the detected anomalies:
Hidden: registry item \HKEY_USERS\S-1-5-21-1960408961-789336058-682003330-500
Hidden: file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Hidden: file C:\Program Files\Spybot\SpybotSD.exe
Hidden: file C:\WINDOWS\system32\eventlog.dll
Hidden: file C:\Documents and Settings\InfoPro Customer\Local Settings\Temporary Internet Files\Content.IE5\06XV8PCP\z=728x90;tile=1;!c=Companion;!c=LS;!c=LSV;!c=LSL;!c=LSSL;!c=LH;!c=LHL;!c=LB;!c=LBHL;!c=LBTN;!c=SV;!c=S2L2;!c=BL;!c=HL;uri=realestateandhomes-search[1].htm
2) Rebooted into safe mode, manually loaded TeaTimer (1.6.6.32 version), and set for “Paranoid mode;” Refused several detected registry changes, opened Spybot S&D, and "Checked for Problems" (this was the first time Spybot successfully scanned in over 24 hours!); removed detected problems:
[HKEY_USERS\S-1-5-21-1960408961-789336058-682003330-1006\Software\NordBull]
[HKEY_USERS\S-1-5-21-1960408961-789336058-682003330-1006\Software\PopRock]
3) Rebooted into normal mode and verified proper antispyware / antivirus functionality.
Of primary importance in this procedure is the use of a functional rootkit scanner, since nothing I tried--including scanning the hard drive from a clean system--was successful in stopping the action of the hack. I used Sophos but I imagine any capable rootkit scanner would have done the trick.
FYI, the hack was caused by running a file downloaded from the website megauploaddownloads. BEWARE OF ANYTHING DOWNLOADED FROM THAT SITE AS I AM NOW SURE IT WILL BE BOGUS AND HARMFUL. The file I downloaded supposedly provided instructions for revealing the installation key for Microsoft Office 2007 installations (for the purpose, say, of transferring a downloaded installation from an old to an upgrade system). It was reported virus- and malware-free by several scanners and was very small, so I thought it would be a reasonably safe risk. It wasn't.
The steps that finally restored spyware scanner functionality to my system, and, presumably, removed the rootkit, were:
1) In normal Windows mode, downloaded, installed, ran Sophos Anti-Rootkit free scanner; removed the detected anomalies:
Hidden: registry item \HKEY_USERS\S-1-5-21-1960408961-789336058-682003330-500
Hidden: file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Hidden: file C:\Program Files\Spybot\SpybotSD.exe
Hidden: file C:\WINDOWS\system32\eventlog.dll
Hidden: file C:\Documents and Settings\InfoPro Customer\Local Settings\Temporary Internet Files\Content.IE5\06XV8PCP\z=728x90;tile=1;!c=Companion;!c=LS;!c=LSV;!c=LSL;!c=LSSL;!c=LH;!c=LHL;!c=LB;!c=LBHL;!c=LBTN;!c=SV;!c=S2L2;!c=BL;!c=HL;uri=realestateandhomes-search[1].htm
2) Rebooted into safe mode, manually loaded TeaTimer (1.6.6.32 version), and set for “Paranoid mode;” Refused several detected registry changes, opened Spybot S&D, and "Checked for Problems" (this was the first time Spybot successfully scanned in over 24 hours!); removed detected problems:
[HKEY_USERS\S-1-5-21-1960408961-789336058-682003330-1006\Software\NordBull]
[HKEY_USERS\S-1-5-21-1960408961-789336058-682003330-1006\Software\PopRock]
3) Rebooted into normal mode and verified proper antispyware / antivirus functionality.
Of primary importance in this procedure is the use of a functional rootkit scanner, since nothing I tried--including scanning the hard drive from a clean system--was successful in stopping the action of the hack. I used Sophos but I imagine any capable rootkit scanner would have done the trick.
FYI, the hack was caused by running a file downloaded from the website megauploaddownloads. BEWARE OF ANYTHING DOWNLOADED FROM THAT SITE AS I AM NOW SURE IT WILL BE BOGUS AND HARMFUL. The file I downloaded supposedly provided instructions for revealing the installation key for Microsoft Office 2007 installations (for the purpose, say, of transferring a downloaded installation from an old to an upgrade system). It was reported virus- and malware-free by several scanners and was very small, so I thought it would be a reasonably safe risk. It wasn't.