BetaONE will rise again!


Reply
  #1  
Old 21st Feb 06, 02:41 AM
lickablepig lickablepig is offline
BetaONE Supporter
 
Join Date: Oct 2001
Location: PST -08:00
Posts: 261
lickablepig is an unknown quantity at this point
Security Help needed
Hi BetaONE... It would be a treat if OOoops i could get some feedback on a lil security threat, not so lil actually think i'm seeing rootkit...

wrote this earlier today
been trying unsuccessfully for a few days now cleaning a suspected
rootkit trojan. The Key, is calling itself "PScc8xx"

Unhackme says source = system\controlset\services...
value = bDw0H4R8 blah, blah, blah, system32\drivers\cdflmnt5.sys

Not much success w/ version 3 of UnHackMe removing it.
Tried a host of proggies from da toolbox sh*t like hijackthis, hjttools area. Spybot S&D, Ewido, all kinds of utils.

The computer originally was brought to me for repair symtoms were a
brand new flatscreen monitor continually going black & was really
unstable, generally unresponsive u know the drill!
Eradicated about 33 trojans, 6 viruses, 1100 tracking cookies, & a
gang of ad, spy, mal, scumbag ware so far... I'm down to this last
frackin HackerDefender Class rootkit trojan thingy.

She's squatting on an XP Home SP1 box... a Sony Vaio RS420 P4 512
DDR yada,yada, yada. It's offline here now.

You should have seen how the bitch reacted after 1st boot when i got
her home... Hoe had been online in a chiropractors front office with
dsl on 24/7 for the last 2 years. hehe.

When the bandwidth was severed was like a herion-speedball junkie
spitting and throwing up bluescreens when you moved the mouse just
a wee bit.

Me says she cuz i can't figga her out. Now bringing her to y'all for a
lil gangbang. Interested? Where's war
Just playin kinda frustrated & been up for a few...

Any advice at all would be welcome from anyone @this point
If not cya on da flip side, lates, jiz.
__________________
jizac_aka_lickablepig
(Y) (jizac)
(':') |/
("(")_)0


Reply With Quote
  #2  
Old 21st Feb 06, 02:59 AM
cableguy cableguy is offline
Junior Member
 
Join Date: Sep 2005
Posts: 11
cableguy is an unknown quantity at this point
Sounds NASTY.

Have you tried both ms malware removal tool and the new defender antispyware? Both are good at removing root kits.

F-Secure also seems to identify and remove root kits.
Reply With Quote
  #3  
Old 21st Feb 06, 04:40 AM
User Needs User Needs is offline
Administrator
 
Join Date: Aug 2001
Posts: 950
User Needs has disabled reputation
Can you post your Hijackthis log?
And have you tried spy sweeper?
Reply With Quote
  #4  
Old 21st Feb 06, 01:33 PM
JacKDynne's Avatar
JacKDynne JacKDynne is offline
Administrator
 
Join Date: Oct 2001
Location: The Past Through Tomorrow
Posts: 1,591
JacKDynne will become famous soon enoughJacKDynne will become famous soon enough
Send a message via MSN to JacKDynne
Not sure which kit you got but try this:

http://www.rootkitdetector.com/

Running it now on my laptop to test and giggles

/JD
__________________


Reply With Quote
  #5  
Old 23rd Feb 06, 05:03 AM
lickablepig lickablepig is offline
BetaONE Supporter
 
Join Date: Oct 2001
Location: PST -08:00
Posts: 261
lickablepig is an unknown quantity at this point
Thank you all for the suggestions, I really appreciate it. Yes spy sweeper is in my arsenal user needs, btw the hijackthis log is clean i've gotten everything except the one RootKit which of course doesn't show cuz it's cloaked imo.

The guy Mark Russinovich over @sysinternals has some good reading & i've used /using RootKit Revealer2 to identify it, the damn thing started changing names it threw me for a loop plus I had been up for a while and wasn't thinking str8. He (Mark) also had some beta's floating around i think then these scumbag authors started using his command line version in such a way that now he's sending only to Security professionals blah, blah, blah when. JacKDynne thanks for the link, RKDetector didn't work for me for one reason or another. Just kept reappearing.
Quote:
Have you tried both ms malware removal tool and the new defender antispyware? Both are good at removing root kits.
Yes was no help at all one of the first group of stuff I tried cableguy.

BUT when you mentioned F-Secure it struck a chord or rang a bell ya might say About 4 or 6 months ago remember reading bout an early beta called blklite.exe

So i searched their webpage & read that the stand_alone version of BlackLight's expiration had been extended until 1st of May 2006. Just what the doctor ordered hehe.

Didn't want to use the F-Secure suite (which has rootkit technology) cause imho it embeds itself too much into ur system & just wanted to avoid if i could. (IT alone hosed one of my boxes when i tried it when it first came out) a while back.

Thanks again cableguy for ringin da bell That's the puppy that worked for me. Had the Rootkit Defender Trojan flavor btw, but Blacklight eradicated it by renaming it in such a way that it didn't return after shutting off the computer.

UnhacKmE also tried to rename & stop the process but it returned after shutting down.

With a hard reboot & then going into safe mode then returning to regular mode and running Blacklight multiple times was how it finally stayed gone.

I would've tried voodoo, walking around my chair 3 times then reboot into safe mode while walking & chewing gum at once if i thought it would rid the rootkit from the system, also that box (did i mention it was a Sony Vaio ) haha, bad Sony bad First 4 Internet!
Attached Files
File Type: rar blbeta.rar (217.5 KB, 0 views)
__________________
jizac_aka_lickablepig
(Y) (jizac)
(':') |/
("(")_)0


Reply With Quote
  #6  
Old 25th Feb 06, 12:36 AM
war59312 war59312 is offline
BetaONE Supporter
 
Join Date: Jul 2001
Location: U.S.A
Posts: 2,220
war59312 has disabled reputation
Send a message via ICQ to war59312 Send a message via AIM to war59312 Send a message via MSN to war59312 Send a message via Yahoo to war59312
Hey,

Damn you beat me too. Sorry been busy with class.

BTW it might not be gone for good. Rootkits are smart. It might just be hiding itself again. In fact many I have ran into will go away, say for 1 month, before re-activiting itself again. That is when it detects that someone or something is trying to get rid of it. This makes it a lot harder to figure out what is going on. It's exspically true when you have not installed or download any software and yet things go crazy all on their own.

The ownly real way to be 100% certian is to do a low level format and reinstall windows. I really would if I were you. If you have files you need to keep, then copy them over to a virtual pc, for example, and scan them like crazy until your pretty darn certain they are safe. That, or try to get an orginal copy back, if you can, from a trusted source.

In fact rootkits are not the only ones doing it. Many virus and even trogens have started too. Then it makes it really hard to discover how you got the virus or trogen on your computer in the first place.

I'm sure you have heard about a lot of the virus lately that start on a certain day. Matter of fact I believe not that far back there was a really bad one that started on a certain day, but luckly before anyone felt the damage microsoft had already released a patch. So really until that day if you were infected you would not know until then since it stays hidden. Some times you could have a virus or trogen for months before it becomes activated. Normally hackers to do this again because it makes it harder to figure out the root cause and besides normally they become active on historical days like christmas. Its a game to many of them.

A few times Mark and Steve Gibson have stated the same thing. I would take their advise if possiable. In fact I even remember ready a microsoft and norton blog stating something similar. Anyways its always recommand if your machine becomes infected if possiable to do a reintall or if your like me then a simply ghost restore. Thats why you should always keep up-to-date backups. Though I understand in your case thats how you got it. So I would not trust the box for a sec. Exsipically if you need secureity. Like if your into baking and everything. Its not worth the risk.

Well, take care,

Will
__________________
Ad Muncher Usage Statistics for v4.7 Build 27105/1624
Adverts removed by Ad Muncher: 1,601,933
Approximate bandwidth saved: 12,515 MB
Counter started: April 2, 2003

Download: http://war59312.admuncher.com/download.shtml

Last edited by war59312 : 25th Feb 06 at 12:44 AM.
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Microsoft's April Security Updates NewsBot NeoWin News 0 12th Apr 05 09:30 PM
Microsoft Security Bulletin Advance Notification NewsBot NeoWin News 0 8th Apr 05 07:00 PM
Neowin Talks Security with Microsoft NewsBot NeoWin News 0 7th Feb 05 02:00 AM
Microsoft Commits to Security NewsBot BetaONE News 0 4th Nov 04 03:00 PM


All times are GMT +1. The time now is 08:50 AM.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.