I've so been rooted!

BD2003

Lifer
Oct 9, 1999
On my XP server, it appears that somehow a rootkit has slipped in. How and when I'm not sure, but I should know better than to install my AV protection after updating everything else.

NOD32 comes up with Win32/Rootkit.Agent. I'm completely unable to clean it out using NOD32 - it will detect an infected exe, I'll delete it, and it'll be back within a day. There are no visible running processes that I don't recognize.

Clearly I need to reformat, but to what extent? Do I really need to wipe every single drive on it to be sure?

I'm not sure if it's one of the really mean viruses that spread throughout the network, but if it is, every other PC on the network is running Vista and appears to be immune. Still, I've got the AV scanners jacked up on super high settings on every other PC, and it's not finding anything. Is it possible there's still a risk that it slipped onto the other PCs, and while it can't do anything to those PCs, that it can slip back in?

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: BD2003
but I should know better than to install my AV protection after updating everything else.

Don't assume your AV protection would recognize every piece of malware, either. I would be enabling the UAC on your Vista systems if it were me, btw. Just sayin'... ;)

If your WinXP system is running any publicly-reachable services (a P2P client or whatever), make Windows run those services under a Limited account's credentials, and restrict that account to as little of your filesystem as will work, so that if the service gets exploited, it's on a short leash, rather than having extensive/complete power over your system.

Other than that, don't install anything on the XP system that isn't from ironclad 100%-beyond-question safe sources, and use a non-Administrator account, Software Restriction Policy, and full hardware DEP. Check it with the Secunia Personal Software Inspector for known vulnerabilities in your third-party stuff. Good luck :)
 

Medea

Golden Member
Dec 5, 2000
The other thing is that the infection you have has 'rootkit-like' characteristics, but is not that hard to remove. I'm guessing that you probably feel safer in formatting and reinstalling, but you can easily get rid of the infection you have.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: BD2003
On my XP server, it appears that somehow a rootkit has slipped in. How and when I'm not sure, but I should know better than to install my AV protection after updating everything else.

NOD32 comes up with Win32/Rootkit.Agent. I'm completely unable to clean it out using NOD32 - it will detect an infected exe, I'll delete it, and it'll be back within a day. There are no visible running processes that I don't recognize.

Clearly I need to reformat, but to what extent? Do I really need to wipe every single drive on it to be sure?

I'm not sure if it's one of the really mean viruses that spread throughout the network, but if it is, every other PC on the network is running Vista and appears to be immune. Still, I've got the AV scanners jacked up on super high settings on every other PC, and it's not finding anything. Is it possible there's still a risk that it slipped onto the other PCs, and while it can't do anything to those PCs, that it can slip back in?

After your posts in the OS thread about my products, it's hard to feel too bad about this ;) That said, nuke the OS volume; you can scan the data drives (the rootkit won't magically load from those areas unless you reinvoke its installer). Most important to you is to determine how it got in (missed a patch, ran something from email, etc.). Reinstall and set up a limited user account, and use that from now on.
 

gsellis

Diamond Member
Dec 4, 2003
Look in the Print Spoolers. They start automatically and are normally below the radar. 180Solutions did that with Aurora and it kicked my butt for awhile.
 

blinkstar

Member
Aug 28, 2007
Originally posted by: mechBgon
If your WinXP system is running any publicly-reachable services (a P2P client or whatever), make Windows run those services under a Limited account's credentials, and restrict that account to as little of your filesystem as will work, so that if the service gets exploited, it's on a short leash, rather than having extensive/complete power over your system.

Hey, can you tell me how to do this? Or point me to a link on how to do it?

Thanks!

 

Medea

Golden Member
Dec 5, 2000
Originally posted by: blinkstar
Originally posted by: mechBgon
If your WinXP system is running any publicly-reachable services (a P2P client or whatever), make Windows run those services under a Limited account's credentials, and restrict that account to as little of your filesystem as will work, so that if the service gets exploited, it's on a short leash, rather than having extensive/complete power over your system.

Hey, can you tell me how to do this? Or point me to a link on how to do it?

mech gives instructions how to set up a limited user's account on his website:
http://www.mechbgon.com/build/Limited.html
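The "short leash" mechBgon describes above (a network-facing service running as a Limited account with a fenced-in filesystem, plus his non-admin/DEP advice), written out as an added example. This is not code from the thread or from mechbgon.com. It assumes PowerShell 2.0 installed on the XP box and an Administrator prompt; the service name `MyP2PService`, the account `svc_p2p`, the directory under Program Files and the data-drive list `D:\`, `E:\` are placeholders, and the `bootcfg` line assumes the boot entry previously carried only `/fastdetect`.

```powershell
# Added example (not the thread's or mechbgon.com's code): run one public-facing
# Windows XP service under a dedicated Limited account and fence it in with NTFS
# ACLs. Replace the placeholder names before running.
$svcName    = 'MyP2PService'            # assumed: name as listed by `sc.exe query`
$svcAccount = 'svc_p2p'                 # dedicated account, never used to log on
$svcDir     = 'C:\Program Files\MyP2P'  # assumed: the only tree the service may write
$offLimits  = @('D:\', 'E:\')           # assumed: data drives the service never needs

# 1. Create the account as an ordinary (Limited) user. `net user` puts a new
#    local account in the Users group only; the /delete is belt and braces.
$password = Read-Host 'Password for the service account'
net user $svcAccount $password /add /passwordchg:no /expires:never
net localgroup Administrators $svcAccount /delete 2>$null

# 2. Make the service log on with that account. sc.exe needs the space after
#    each '='. Unlike services.msc, sc.exe does not grant the account the
#    "Log on as a service" right; add it in secpol.msc > Local Policies >
#    User Rights Assignment before the first start.
sc.exe config $svcName obj= ".\$svcAccount" password= $password

# 3. NTFS fences: Change (C) on the service's own directory only, and an
#    explicit Deny on the data drives so an exploited service can neither
#    read nor trash them. /E edits the existing ACL, /T recurses.
cacls $svcDir /E /T /G "${svcAccount}:C"
foreach ($root in $offLimits) {
    if (Test-Path $root) { cacls $root /E /T /D $svcAccount }
}

# 4. Verify and restart: SERVICE_START_NAME should now read .\svc_p2p, and each
#    data drive should show a deny ACE for the account.
sc.exe qc $svcName
foreach ($root in $offLimits) { if (Test-Path $root) { cacls $root } }
sc.exe stop  $svcName
sc.exe start $svcName

# 5. Full hardware DEP (mechBgon's "AlwaysOn" advice). /raw REPLACES the load
#    options of boot entry 1, so check `bootcfg /query` first and carry over
#    anything else that was there (assumed here: only /fastdetect).
bootcfg /query
bootcfg /raw "/fastdetect /noexecute=AlwaysOn" /id 1
```

After the restart, check with Process Explorer or `tasklist /v` that the service's process really shows the new account, and that the service still works with only Change on its own directory; if it needs more, widen the grant one directory at a time rather than handing it back the whole drive.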


 

programmer

Senior member
Mar 12, 2003
Was just going to mention that -- try RootkitRevealer and let us know what it says. Useful to clear your IE7 cache before you run RR, otherwise everything in the Local Settings cache will show up as "hidden" files.

Also just heard about GMER. It showed different results for me than RR, specifically the McAfee drivers loaded to intercept IP traffic and detect rootkits :) It's also harder to use, but it appears to be OK (not a virus itself or something). Please someone tell us if GMER is a "bad thing."
http://www.gmer.net/index.php
 

ncage

Golden Member
Jan 14, 2001
Originally posted by: BD2003
On my XP server, it appears that somehow a rootkit has slipped in. How and when I'm not sure, but I should know better than to install my AV protection after updating everything else.

NOD32 comes up with Win32/Rootkit.Agent. I'm completely unable to clean it out using NOD32 - it will detect an infected exe, I'll delete it, and it'll be back within a day. There are no visible running processes that I don't recognize.

Clearly I need to reformat, but to what extent? Do I really need to wipe every single drive on it to be sure?

I'm not sure if it's one of the really mean viruses that spread throughout the network, but if it is, every other PC on the network is running Vista and appears to be immune. Still, I've got the AV scanners jacked up on super high settings on every other PC, and it's not finding anything. Is it possible there's still a risk that it slipped onto the other PCs, and while it can't do anything to those PCs, that it can slip back in?

Sounds like it's getting into the System Restore area and that's why it keeps reappearing. What I would do is turn System Restore off and then reboot. Then scan and see if you have anything; if you do, delete it. Then you should be able to turn System Restore back on.
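Several replies above point at the same question from different angles: bsobel says the real job is finding out how it got in, gsellis points at the print spooler as a low-profile autostart, and ncage and the OP describe a file that is re-dropped within a day, which means something that starts automatically is reinstalling it. The following is an added example, not code from the thread, that dumps the classic XP autostart locations (Run keys, Winlogon Shell/Userinit/Notify, AppInit_DLLs, print monitors, auto-start services and drivers) and flags anything whose file is missing, lives outside the Windows or Program Files trees, or was written recently. It assumes PowerShell 2.0 on the XP box; the 14-day window is an arbitrary assumption, and the flags are heuristics, not verdicts.

```powershell
# Added example (not the thread's code): autostart audit for an XP box where a
# deleted file keeps coming back. Lists what starts automatically and flags
# entries worth a second look. Run from an Administrator PowerShell 2.0 prompt.
$cutoff  = (Get-Date).AddDays(-14)                         # assumed window
$trusted = @($env:SystemRoot, $env:ProgramFiles) | ForEach-Object { $_.ToLower() }
$entries = New-Object System.Collections.ArrayList

function Add-Entry($source, $name, $raw) {
    [void]$entries.Add((New-Object PSObject -Property @{ Source=$source; Name=$name; Raw=$raw }))
}

function Resolve-ImagePath([string]$raw) {
    # Turn a Run/ImagePath/ServiceDll value into a file path: expand %vars%,
    # drop the \??\ prefix drivers use, strip quotes, rundll32 wrappers and
    # trailing switches, then resolve bare names against system32 / SystemRoot.
    if (-not $raw) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($raw.Trim()).TrimEnd(',')
    $s = $s -replace '^\\\?\?\\', ''
    if ($s.StartsWith('"')) { $s = $s.Split('"')[1] }
    elseif ($s -match '^(?i)rundll32(\.exe)?\s+([^,]+)') { $s = $matches[2] }
    else { $s = ($s -split '\s+(?=[/-])')[0] }
    if (-not [IO.Path]::IsPathRooted($s)) {
        foreach ($base in @("$env:SystemRoot\system32", $env:SystemRoot)) {
            $cand = Join-Path $base $s
            if (Test-Path $cand) { return $cand }
        }
        return Join-Path "$env:SystemRoot\system32" $s     # reported as missing below
    }
    return $s
}

# Run / RunOnce for the machine and the current user.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $k)) { continue }
    foreach ($v in (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        Add-Entry $k $v.Name $v.Value
    }
}

# Winlogon: Shell, Userinit and Notify DLLs load before any AV user-mode scan.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wp = Get-ItemProperty $wl
Add-Entry $wl 'Shell'    $wp.Shell
Add-Entry $wl 'Userinit' $wp.Userinit
Get-ChildItem "$wl\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Entry "$wl\Notify" $_.PSChildName (Get-ItemProperty $_.PSPath).DLLName
}

# AppInit_DLLs: injected into every process that loads user32.dll.
$ai = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($ai) { foreach ($d in ($ai -split '[,\s]+')) { if ($d) { Add-Entry 'AppInit_DLLs' $d $d } } }

# Print monitors: DLLs the spooler loads at start (gsellis's hint).
$pm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
Get-ChildItem $pm | ForEach-Object {
    $d = (Get-ItemProperty $_.PSPath).Driver
    if ($d) { Add-Entry $pm $_.PSChildName $d }
}

# Services and drivers with Start 0/1/2 (boot, system, automatic). For
# svchost-hosted services the ServiceDll is what actually runs.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $svc | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.Start -ne $null -and $p.Start -le 2 -and $p.ImagePath) {
        $img = $p.ImagePath
        $dll = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $img = $dll }
        Add-Entry $svc $_.PSChildName $img
    }
}

# Flag: file missing, outside Windows/Program Files, or written inside the window.
$report = foreach ($e in $entries) {
    $path  = Resolve-ImagePath $e.Raw
    $flags = @()
    if (-not $path -or -not (Test-Path $path)) { $flags += 'file missing' }
    else {
        $f = Get-Item $path
        $inTrusted = $false
        foreach ($t in $trusted) { if ($f.FullName.ToLower().StartsWith($t)) { $inTrusted = $true } }
        if (-not $inTrusted)              { $flags += 'outside Windows/Program Files' }
        if ($f.LastWriteTime -gt $cutoff) { $flags += "written $($f.LastWriteTime.ToString('yyyy-MM-dd'))" }
    }
    if ($flags.Count) {
        New-Object PSObject -Property @{ Source=$e.Source; Name=$e.Name; Path=$path; Flags=($flags -join '; ') }
    }
}
$report | Sort-Object Source, Name | Format-Table Source, Name, Path, Flags -AutoSize -Wrap
schtasks /query /fo LIST /v      # scheduled tasks are the other usual re-dropper
```

Two caveats. A kernel rootkit that hooks the registry or file APIs can hide its own service key or driver from a script like this, which is exactly the gap RootkitRevealer and GMER close by comparing the API view with a raw one; if this audit finds nothing but the file keeps returning, run it again from a boot CD against the offline SYSTEM and SOFTWARE hives, or against the disk mounted in a clean machine. And a flagged entry is a lead, not a conviction: a legitimately updated driver will also show a recent write date, so check what the file is before deleting it.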