Security Help needed

[lickablepig]

Hi BetaONE... It would be a treat if OOoops i could get some feedback on a lil security threat, not so lil actually think i'm seeing rootkit...

wrote this earlier today
been trying unsuccessfully for a few days now cleaning a suspected
rootkit trojan. The Key, is calling itself "PScc8xx"

Unhackme says source = system\controlset\services...
value = bDw0H4R8 blah, blah, blah, system32\drivers\cdflmnt5.sys

Not much success w/ version 3 of UnHackMe removing it.
Tried a host of proggies from da toolbox sh*t like hijackthis, hjttools area. Spybot S&D, Ewido, all kinds of utils.

The computer originally was brought to me for repair symtoms were a
brand new flatscreen monitor continually going black & was really
unstable, generally unresponsive u know the drill!
Eradicated about 33 trojans, 6 viruses, 1100 tracking cookies, & a
gang of ad, spy, mal, scumbag ware so far... I'm down to this last
frackin HackerDefender Class rootkit trojan thingy.

She's squatting on an XP Home SP1 box... a Sony Vaio RS420 P4 512
DDR yada,yada, yada. It's offline here now.

You should have seen how the bitch reacted after 1st boot when i got
her home... Hoe had been online in a chiropractors front office with
dsl on 24/7 for the last 2 years. hehe.

When the bandwidth was severed was like a herion-speedball junkie
spitting and throwing up bluescreens when you moved the mouse just
a wee bit.

Me says she cuz i can't figga her out. Now bringing her to y'all for a
lil gangbang. Interested? Where's war
Just playin kinda frustrated & been up for a few...

Any advice at all would be welcome from anyone @this point
If not cya on da flip side, lates, jiz.

[cableguy]

Sounds NASTY.

Have you tried both ms malware removal tool and the new defender antispyware? Both are good at removing root kits.

F-Secure also seems to identify and remove root kits.

[User Needs]

Can you post your Hijackthis log?
And have you tried spy sweeper?

[JacKDynne]

Not sure which kit you got but try this:

http://www.rootkitdetector.com/

Running it now on my laptop to test and giggles

/JD

[lickablepig]

Thank you all for the suggestions, I really appreciate it. Yes spy sweeper is in my arsenal user needs, btw the hijackthis log is clean i've gotten everything except the one RootKit which of course doesn't show cuz it's cloaked imo.

The guy Mark Russinovich over @sysinternals has some good reading & i've used /using RootKit Revealer2 to identify it, the damn thing started changing names it threw me for a loop plus I had been up for a while and wasn't thinking str8. He (Mark) also had some beta's floating around i think then these scumbag authors started using his command line version in such a way that now he's sending only to Security professionals blah, blah, blah when. JacKDynne thanks for the link, RKDetector didn't work for me for one reason or another. Just kept reappearing.

Quote:

Have you tried both ms malware removal tool and the new defender antispyware? Both are good at removing root kits.

Yes was no help at all one of the first group of stuff I tried cableguy.

BUT when you mentioned F-Secure it struck a chord or rang a bell ya might say About 4 or 6 months ago remember reading bout an early beta called blklite.exe

So i searched their webpage & read that the stand_alone version of BlackLight's expiration had been extended until 1st of May 2006. Just what the doctor ordered hehe.

Didn't want to use the F-Secure suite (which has rootkit technology) cause imho it embeds itself too much into ur system & just wanted to avoid if i could. (IT alone hosed one of my boxes when i tried it when it first came out) a while back.

Thanks again cableguy for ringin da bell That's the puppy that worked for me. Had the Rootkit Defender Trojan flavor btw, but Blacklight eradicated it by renaming it in such a way that it didn't return after shutting off the computer.

UnhacKmE also tried to rename & stop the process but it returned after shutting down.

With a hard reboot & then going into safe mode then returning to regular mode and running Blacklight multiple times was how it finally stayed gone.

I would've tried voodoo, walking around my chair 3 times then reboot into safe mode while walking & chewing gum at once if i thought it would rid the rootkit from the system, also that box (did i mention it was a Sony Vaio ) haha, bad Sony bad First 4 Internet!

[war59312]

Hey,

Damn you beat me too. Sorry been busy with class.

BTW it might not be gone for good. Rootkits are smart. It might just be hiding itself again. In fact many I have ran into will go away, say for 1 month, before re-activiting itself again. That is when it detects that someone or something is trying to get rid of it. This makes it a lot harder to figure out what is going on. It's exspically true when you have not installed or download any software and yet things go crazy all on their own.

The ownly real way to be 100% certian is to do a low level format and reinstall windows. I really would if I were you. If you have files you need to keep, then copy them over to a virtual pc, for example, and scan them like crazy until your pretty darn certain they are safe. That, or try to get an orginal copy back, if you can, from a trusted source.

In fact rootkits are not the only ones doing it. Many virus and even trogens have started too. Then it makes it really hard to discover how you got the virus or trogen on your computer in the first place.

I'm sure you have heard about a lot of the virus lately that start on a certain day. Matter of fact I believe not that far back there was a really bad one that started on a certain day, but luckly before anyone felt the damage microsoft had already released a patch. So really until that day if you were infected you would not know until then since it stays hidden. Some times you could have a virus or trogen for months before it becomes activated. Normally hackers to do this again because it makes it harder to figure out the root cause and besides normally they become active on historical days like christmas. Its a game to many of them.

A few times Mark and Steve Gibson have stated the same thing. I would take their advise if possiable. In fact I even remember ready a microsoft and norton blog stating something similar. Anyways its always recommand if your machine becomes infected if possiable to do a reintall or if your like me then a simply ghost restore. Thats why you should always keep up-to-date backups. Though I understand in your case thats how you got it. So I would not trust the box for a sec. Exsipically if you need secureity. Like if your into baking and everything. Its not worth the risk.

Well, take care,

Will