I Think I Have a Rootkit

[DJanda]

I believe that I have picked up a Rootkit. I apparently acquired it while I was online via Wi-Fi on my XP laptop. It now has migrated to my Win7 desktop. I can find nothing with VIPRE Rescue, Spybot, HijackThis, or Gmer. Malwarebytes and VIPRE are apparently compromised. VIPRE suddenly became unable to update itself -- the udate is always "canceled." I am "apparently" able to manually update VIPRE, but the update takes at least 4 minutes to download (used to be about 30 seconds) while the "installation" is almost instantaneous. Meanwhile Malwarebytes downloads the update, but after it does the install, the date and version number of the database doesn't change. Both Malwarebytes and VIPRE of course don't find any problems either.

What do you folks think?

[couttsj]

It certainly sounds like malware. I suspect that the Task Manager also will not activate. If you can go to the Command Prompt, try the "tasklist" command. If you can't get to the Command Prompt, then boot up in safe mode and try it. You need to find out what new service or executable is running.

J.A. Coutts

[DJanda]

Task Manager does start. I don't see anything out of the ordinary there. All processes are identified. But if I understand correctly, that is one of the hallmarks of a rootkit --the rootkit takes over an actual process and operates under said processes name. That's what makes them so hard to find.

The Win7 installation isn't very old, and I don't have a lot of stuff installed, so I'm going to do a clean install (see my question about "clean re-install" in the Windows 7 Installation forum).

I can't do the same with the laptop as I didn't get a Repair disc with it. XP was installed and there were no discs included. I also have tons of stuff installed on it. This will probably be a tougher nut to crack.

[couttsj]

Task Manager does start. I don't see anything out of the ordinary there. All processes are identified. But if I understand correctly, that is one of the hallmarks of a rootkit --the rootkit takes over an actual process and operates under said processes name. That's what makes them so hard to find.

It's not that they necessarily take over a process, but they might rename the original file and install a new one under the same name. Or what they will do is use a name that looks legitimate. For example, one machine that I cleaned up had a service called "tracert" installed. That is a legitimate command line executable, but it doesn't operate as a service. The Task Manager is also not to be completely trusted, as it can be modified to hide a particular process. The "tasklist" command is more reliable.

If you know approximately when the malware was acquired, you can search for files downloaded on that date and time. The windows directory and the windows system32 directory are favorite places to install the trojan downloader file. The downloader will then acquire and install the actual backdoor. From your description, this malware spreads over the Local Area Network (LAN). Therefore, it is important that you disconnect machines that you are going to clean up from the network, and not reconnect them until you are sure that all machines have been disinfected.

The Microsoft search engine is not particularly good at finding files because it tends to hide files that Microsoft figures you don't need to know about. But you can configure it to find most files (executables in particular). I use Agent Ransack, but at this point you may not be able to reliably install anything.

J.A. Coutts