1527 Rootkits Found

I already think I know the answer, but Rootkit Revealer found 1500-plus rootkits, most with dates beyond 4/9/06 when I downloaded Tenebril's Spycatcher Express. That is when the trouble began. I've gone over some of the previous posts on this subject and am going to try some things, but is Reformat and Reinstall the only solution?  That is the conclusion I have sort of come to.

Thanks Donnie
Donnie616Asked:

zephyr_hex (Megan)DeveloperCommented:
Are the rootkits bad?  I ran Rootkit Revealer and it came up with many OK things... like Norton and other valid applications.  Rootkit Revealer is like HijackThis in that it cannot determine what is OK and what is not.  Some of the items RR showed on my system were temp internet files... easily removed by clearing the temp internet files.

it is hard to believe you have 1527 bad rootkit items.
0
David-HowardCommented:
My personal opinion... If this were my system and I had that many instances of a rootkit, I would save my data and reinstall my OS. This is something that I wouldn't take chances with.
0
David-HowardCommented:
Note: I'm not sure which anti-malware suite you are running but you might try either Ewido:
http://www.ewido.net/en/
Or SpyBot: http://www.safer-networking.org/en/download/
Both have options for real time protection during setup. I've used both. I like Ewido quite a bit but it does seem to be somewhat resource hungry at times.
:-)
0
pjedmondCommented:
If you've got a root kit, then you can't really trust anything running on your system - backup all data that you need, and re-install from scratch. Sorry, but that is the safest thing to do.

Obviously with your nice new clean system, you need to treat it a little more carefully - regular backups/patches etc

HTH:)
0
Donnie616Author Commented:
Running Ewido right now.  So far it has found about 300 medium-risk tracking cookies, most of which were generated by Iolo's System Mechanic.  HijackThis shows me nothing out of the ordinary that I don't recognize.  Ewido is only about 1/3 of the way finished.

I have backups of my system somewhere, but embarrassingly I do not know what to do with them.

In the event I must reinstall, how do I save my data?  I have most of it on a 40 gig partition on a 250G hard drive broken into 3 partitions.  I just noticed that the 3 parts only equal 140 gigs of the 250.  Whatever did I do there?

I also have a really clean 400G (2 x 200G) in sata raid 0 with only 12 G's taken up.
How do I transfer my Important folders and files to the good HD?  Can I transfer files that I need to save from Partition C (the bad one) to clean and empty partitions on the same 250G HD? or should I go to the Sata drive? and how do I do whatever it is I must do.  What did I do to lose 100Gigs on the ATA 250 gig?  Could I have just forgotten to format and partition it?  

I know I have a lot of stuff going on here, but hopefully you experts will find a simple way for me.  I still am working on the rootkit issue, but I would like your assistance in getting ready for the reinstall, because with 1500 items, how will I ever clean all that up?
Thanks,
Donnie

0
Donnie616Author Commented:
Ewido gets about 1/3 of the way through the scan and error message says it must shut down, which it has done twice. I think when it gets to the point of finding a given piece of malware, the malware stops the scan.

Donnie
0
Donnie616Author Commented:
What happened? Did you guys give up on me? Please offer some help. I am not crazy. I have just made a huge mess of my PC and I really need assistance.

thanks
Donnie
0
rpggamergirlCommented:
Entries in Rootkit Revealer's log don't mean that they are rootkits. Can we look at the log?
Rootkit Revealer needs to be run when the computer is idle, that means no other activity like surfing the internet etc., otherwise the log will be full of legit entries.
Entries that are hidden from APIs don't mean they are hidden either.
If you had that many rootkits, your PC would surely be crippled and couldn't do anything at all.

Could we see the log?
Just upload the log file created: go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
0
rpggamergirlCommented:
Oops, I mean the Rootkit Revealer's log, you can post your HijackThis log too, :)
0
Donnie616Author Commented:
I have saved the file and can copy it, but I cannot seem to paste it onto rafb.  Am having trouble pasting. Please advise.  I am getting too tired to try anymore today. Been on this PC for 10 hours today.  I need help to get this done.

Thanks
0
rpggamergirlCommented:
You copy the log and then paste it inside the blank square, then click on "paste" so it will be saved, (with its own url)

I understand if you are tired now, can you send it to me? I'm just curious about the RKR contents.
Is there a chance for us to see your HijackThis log too? Anytime when you're up to it.
0
yuriskCommented:
Whatever betides, you just can't have 1500 rootkits, for the simple reason that there aren't 1500 rootkits in existence on the whole planet! There are about 30000 viruses, of which only a few thousand are in active use, there are a few hundred spyware programs, but rootkits hardly count a few dozen.

Long ago I used it, and by no means will I try to belittle Mark Russinovich's work (he is the Guru in the Windows world), but I found this software of little/null use as it gave a long list of 100% false positives on a clean machine.

Backup.
Haven't done it with RAID though (but don't think there could be a problem as long as the PC recognizes it), but with a regular hard disk I'd turn off the machine, then
connect the second hard disk to this machine as the slave (the accompanying manual should tell how), turn it on, and finally would just copy folder-by-folder to the 2nd hard disk what has to be saved from the 1st hard disk into one folder, later to be checked by anti-virus. Then turn it off, disconnect the 2nd hard disk and that's all: all you need is on this disk.

PS: Of course it's possible to do the reverse: take out the original hard disk and plug it into another working machine if available.
0
rpggamergirlCommented:
A log from Rootkit Revealer shows everything that is happening during the time it took to create the log. Not all entries are bad. What the entries mean and do is all up to the line.
The way Rootkit Revealer works is by checking what Windows reports against what is actually on the disk. If Windows does not report that the file is on disk and a subsequent search on the disk shows it is there... that means it is hidden from the Operating System. This still doesn't mean that it is bad.

When Rootkit Revealer starts, it asks Windows what is there and records it; then when you do other things while Rootkit Revealer is scanning, like surfing for example,
Rootkit Revealer looks at the Internet cache and sees some files that Windows didn't tell it about!
- - Report!!!!!!!!!! Hidden from Windows API.

If the user does not stop doing what he was doing, opening programs etc., the log is hugely polluted with legit data. Rootkit Revealer should be run on an idle PC.
0
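A small model of the cross-view comparison rpggamergirl describes, added here as an example and not RootkitRevealer's own code: the "API view" and "raw view" are constructed in-memory sets of paths rather than real Windows API calls and NTFS reads, and the confirmation pass that filters out files created during the scan is an assumed mitigation for the idle-PC problem, not a feature of the tool.

```python
from dataclasses import dataclass, field


@dataclass
class Volume:
    """Constructed stand-in for a disk: every path that physically exists,
    plus the paths a simulated rootkit-style hook filters out of API listings."""
    on_disk: set
    filtered_by_hook: set = field(default_factory=set)

    def api_view(self):
        """What programs see through the Windows API (the hooked, 'high' view)."""
        return self.on_disk - self.filtered_by_hook

    def raw_view(self):
        """What a raw read of the volume structures sees (bypasses the hook)."""
        return set(self.on_disk)


def cross_view_diff(api_snapshot, raw_snapshot):
    """Every raw-view path absent from the API view: 'Hidden from Windows API'."""
    return sorted(raw_snapshot - api_snapshot)


def scan(volume, activity_during_scan=()):
    """One pass: snapshot the API view first, then the raw view.
    Paths created between the two snapshots (browser cache, temp files) exist
    only in the raw snapshot, so they are reported although nothing hides them."""
    api_snapshot = volume.api_view()
    for path in activity_during_scan:  # the user keeps surfing during the scan
        volume.on_disk.add(path)
    return cross_view_diff(api_snapshot, volume.raw_view())


def scan_with_confirmation(volume, activity_during_scan=()):
    """Assumed mitigation for that noise: re-query the API for each reported path
    after the raw pass. A path the API now answers for was merely new; one the
    API still omits is genuinely hidden and stays on the list."""
    reported = scan(volume, activity_during_scan)
    api_after = volume.api_view()
    return [p for p in reported if p not in api_after]


def sample_volume():
    """Constructed sample: one legitimate program and one self-hiding program
    (the way Spycatcher hid its own folder, as described in the thread)."""
    hidden = {r"C:\Program Files\Hider\hider.exe", r"C:\Program Files\Hider\hider.sys"}
    return Volume(on_disk=hidden | {r"C:\Program Files\Legit\legit.exe"},
                  filtered_by_hook=set(hidden))


# Constructed cache files written while the user browses during the scan.
CACHE_NOISE = (r"C:\Temp\Internet Files\ad1.gif", r"C:\Temp\Internet Files\page.htm")


def demo():
    """Return (noisy report, confirmed report) for the same user activity."""
    noisy = scan(sample_volume(), CACHE_NOISE)  # 4 entries, 2 of them noise
    confirmed = scan_with_confirmation(sample_volume(), CACHE_NOISE)  # the 2 hidden
    return noisy, confirmed


if __name__ == "__main__":
    noisy, confirmed = demo()
    print(f"{len(noisy)} discrepancies reported, {len(confirmed)} still hidden after confirmation")
```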
Donnie616Author Commented:
I have put the two logs in RAFB at about 11:11 and 11:14 PM on 4/12/06.  (1. Rootkit Revealer and 2. HijackThis)  I did Rootkit Revealer while it supposedly was idle and walked away from the machine.
0
rpggamergirlCommented:
>>I have put the two logs in RAFB at about 11:11 and 11:14 PM on 4/12/06.  (1. Rootkit Revealer and 2. HijackThis)<<

You need to post the rafb's url/link of the pasted log here, in order for us to view the log.
0
Donnie616Author Commented:
http://www.rafb.net/paste/

OOPS! only have a few more hours now.

Thanks
0
rpggamergirlCommented:
Donnie616,

All I saw was a blank page.
Did you click on "paste"?
You need to click on paste for the log to be saved and given its own url, or was I too late?
0
Donnie616Author Commented:
Not too late. DO NOT KNOW HOW to paste url or WHAT url to put WHERE. Getting fatal error, taking too long to paste to RAFB.
0
rpggamergirlCommented:
When your Rootkit Revealer's log is open, copy the entire contents (ctrl+c),
then paste it into the empty square on the page (ctrl+v) --> http://www.rafb.net/paste/
then at the bottom left corner click "paste",
then highlight and copy the top address/url and post it here.

Maybe you can just send both logs to me (not recommended because other experts might complain), and if anyone objects I'll then paste the logs for you.

0
yuriskCommented:
Given the slowness of progress, may I suggest a different course?
- While you're able to connect to the Internet, run an on-line virus scan.
I can't recall the URL now, but rpggamergirl will undoubtedly be able to help you.
If it finds too much malware, do a backup and reformat; it will take all in all <2 hours. On the other hand, if the online check finds nothing, and this is highly probable, forget about Rootkit Revealer and everything said here.
0
GinEricCommented:
Backups will only continue to backup the rootkit files.  Copying files to a writeable CD or DVD is a lot better than "backup" which always needs some decrypt or other running restore software to bring back to life.  "Backup" is not all it's cracked up to be.

Windows is trying to misdefine rootkit, which is a Linux term meaning that some hacker software got in and is trying to run as root.  The proper Windows term would be hijackware, since, under Windows, there is no root account.

You can stop these things dead in their tracks with http://www.sysinternals.com/ Process Explorer by suspending suspected processes, even Internet Explorer, while you inspect all these .exe's that are not supposed to be under \Windows\system32

BHO's, or Bar Helper Objects should all be removed, be careful about deleting in the registry.

But if a suspected worm or virus, which is what hijackers actually are, are suspended by Process Explorer, then you can kill them by deleting them at the source.

Usually the source is your temporary folder where they are executing from; temp folders should not be executable to begin with, which is why so many IIS and other programs get infected so easily; Windows does not have the permissions sets that Linux does, there is no "chrooted jail," for example.  su is a very bad idea, under either Windows or Linux.

There are hardware operators now that can prevent any injected code from executing.  You can spend a lot of time in HijackThis, or you can hunt down the rootkits yourself in a much shorter time without million-page logs that hardly show anything that is actually a worm or virus, and remember, they are all viruses, including spyware, adware, and anything that takes advantage of your computer.

Downloading free software with names like "Spycatcher" is just asking to be hijacked.  Freebies in Windows are usually written by the hijackers.  Open Source as in SourceForge.net, however, will kill off any program that does this and effectively excommunicate its authors.

When it comes to free software, there is only one source, the Free Software Foundation, and not Windows shareware participants.  Microsoft is a sponsor, supporter, and participant of SourceForge.net and the Open Source software of the Free Software Foundation.

In short, if it isn't on SourceForge.net, then it is suspect before it is tested or used.

Also, you can't trust programs like Realplayer, Flash, and the plethora of others who appear to offer free software; most of them are gathering data on your browsing habits and your purchases.  Even SoundBlaster and Sony have been found guilty of this sort of hijackware.

In the end, software is not a solution to hijacking and viruses, only your own intelligence and effort is.
0
r-kCommented:
The most important results of RootkitRevealer are usually in the first 100 lines or so. If you're having trouble with rest, just post the first 100 lines of your RootkitRevealer log here. Do not post the entire log here since it is very long.
0
Donnie616Author Commented:
Thank you all for being so persistent, especially "rpggamergirl".  I am working slowly because the Easter Holiday requires my attendance at other functions.  I am making some progress, but please do not abandon me if I do not respond right away.   The latest I have is that Tenebril's Spycatcher Express and all of its subs were completely hidden.  Since my troubles began with the install of this program, I searched file after file until I found it where it most certainly was NOT supposed to be.  It was not in the Control Panel or the Start menu or All Programs or under C:\Program Files, plus files that are supposed to be under My Computer>C:\ were missing. Nowhere could I find Application Data, etc., or anywhere to uninstall this program.  The search, run, processes, etc. had no knowledge of it.  It was really hidden well. Long story short, I found the uninstall totally hidden in a remote corner and, with difficulty, uninstalled it.  It would not go easily, so I believe that I brought a piece of real garbage in when I installed Spycatcher with only a desktop icon and not one sub-folder that I could open.  The computer is running much better since immediately after I did the uninstall, but I think it still needs a lot of work to get it right.  I am fighting as hard as I can to avoid reformatting.

Got to do some specialty food shopping for Easter. Be back in an hour and 1/2.  Thank you all so much and beware of what I thought was a good program, but turned out to be the evil one.  Still need you all's help undoing the damage the evil one (Spycatcher) did.

Thank you from a grateful guy.

Donnie
0
yuriskCommented:
I guess I have the answer to your problem Donnie616. Why didn't I use Google, as usual, in the first place?
Below there's a link to the forum where people were talking about the same problem with Spycatcher you have, and finally a representative of Tenebril joined (scroll all posts) and explained that to prevent spyware activity they, in their product, use basically the very same techniques the spyware use (hiding processes, files etc.) and this will of course trigger any anti-malware applications (like Rootkit Revealer). This means that if you downloaded this Spycatcher from their site and it's not a real spyware masking itself as Spycatcher, then no actual damage was caused to your machine and you don't need to reformat anything. Just uninstall it (which you've already done.)

http://www.dslreports.com/forum/remark,14863451
0
GinEricCommented:
There was a link on similar software, which, I have warned most people, is not what it seems to be.  You can get infected by merely going to a web page:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.trunlow.html

The only real way to stop any software is to stop it.  Process Explorer is written by the same guy that does all of the security for Microsoft!  You can't get any better than that.

While a rootkit hunter will find viruses, and make no mistake spyware is a virus, it will not be able to deal with it.  It may get close, but in the end you will have to use your own skills; after all, the people that write these are doing just that to get around all of your software, how hard can it be for them to get around other people's software?  Yet they cannot get around human perseverance and persistence.

Simply uninstalling something is usually not enough because most programs leave droppings behind, especially in the Registry.

The goal: stop a virus from executing

That is pretty simple.  Viruses adapted long ago to evasive tactics, moving, making clones of themselves, etc., all to avoid removal and uninstallation, they are way beyond that now.  But stopping them from executing?  That can be done to any program.  Once your target is immobilized, its dispensation is at your command.  Nothing can hit a moving target every time, nothing, not even the most sophisticated computer or expert.

But a still target can be hit every time, even by the novice.  So, stopping it from executing is the primary objective.

Process Explorer does exactly that.  Once immobilized, the target can be deactivated, or permanently comatosed where it can take no further action and can be disabled.

A very simple method, after identifying and immobilizing any target, is to change its name, its identity, so that if it tries to execute it gets a file not found and dies with a complete error report.

A second is to change its ending; similarly this also changes its name, it cannot find itself, nor can it execute, and it dies with a complete error report.

Te Smith is wrong about hiding his file; if you have to stoop to the enemy's tactics, eventually you become the enemy.  There is no reason why any file of any program should be hidden, not really.  But if one must hide some private files, then there must be an exception to the rule for the root user, always, at the local console or, if he so opts, at a well and predefined strictly static remote IP Address.

As I have said, many times, there are special operators in all microprocessors now that are built into the hardware, Supervisory Mode and Control Mode Operators, that will not allow anything to execute unless specified by the base error handlers, supervisory mode handlers, and control mode handlers.  These include prevention of any and all calls outside of the stack, as in stack overflow and stack underflow, the famous buffer exploits, as well as superhard supervision by core kernel operating systems based in the hardware level.  That, and the fact that most programmers do not even know of the existence of such operators, let alone how they are to be used.

The root user, the computer owner sitting at his computer, should and must have absolute full control over everything on that computer even if it means he can destroy it.

If you simply stop an executing program, then you can deal with it, and not before if it can outmanoeuvre you.

We use this technique and can automate it.  We produce what we call Antibodies™ that work the same way human antivirus antibodies do, by attacking the invader and immobilizing it, at which point it, if the antibody key fits and it is found to be infectious and malicious, the body's [computer's] reaction will be to destroy at the request of the infected body [your conscious decision, and a lab copy can be preserved just in case it was not what we thought it was].

Antibody Software™ is a concept freely shared with the computer security industry and they can develop as they please.  I only ask that they credit the original creator of Antibodies™.

You might want to follow along this track and restore your computer.
0
Donnie616Author Commented:
I've taken in all that you guys have said and am SLOWLY going thru the loads of info ONE STEP (or one day) at a time. Eventually you will solve this for me.

Thank you all so much.  When I get something solid to report to you, I will be back.
0
Donnie616Author Commented:
Not feeling well for 5 days. Will get back to this when I feel better to 1. Fix my PC and 2. award the points.  Right now I am too ill.

Thanks  Donnie
0
rpggamergirlCommented:
Donnie,
Sorry to hear that you're not feeling well. 5 days? a visit to your doctor might be in order.

Your thread might be closed before I get back, I'm off tomorrow for a week-long holiday with no internet access.

Good luck with fixing the pc and I hope you'll be better really soon!
Take care.
0
Donnie616Author Commented:
Thanks to all. rpggamergirl did not have the solution but the effort she put into trying to help me deserves something.  I still have some minor problems but "SPYCATCHER" was the main culprit, with its ability to hide files & folders.  Trying to learn about "Process Explorer" now.  I was in hospital for 6 days with a rare pneumonia.  Still too weak to work on the PC with any efficiency.

Again, thank you for your patience.

Donnie V.
0
GinEricCommented:
Get yourself better!
0