I installed a rootkit on my Vista machine. It was interesting to note that I have no virus software which would detect this rootkit either in its zip file or in its executable. You can read about that dangerous file here.
My usual fall-back for rooting out deep clinging nasties is ComboFix. You can read about ComboFix here, but keep in mind it’s a last-line extraction utility and should be used with care (and maybe should be used by people who know what they are doing). However, ComboFix was not able to locate this particular nasty.
Not only was ComboFix unable to find this rootkit but Spybot, Avast!, Security Essentials, Sophos Anti-Rootkit, and some random others were all unable to rid my system of this annoyance (or even find it for that matter).
Finally I heard about a utility Kaspersky is making called TDSSKiller. (Thanks, Harry.) It’s specifically a rootkit extractor so don’t expect more than that, but as far as rootkit extractors go this one’s rockin the misty bog. I think it took less than two minutes to scan my system and offer to cure the file. And it did find a bad file and cure it. As far as I can tell it’s all better now. Well, it’s still Vista; it’s not better in that respect.
Previously I would reboot the machine (usually because it was required by updates) and Avast! would snap the nasty when it poked its head up trying to take action. I’ve rebooted several times now over a couple of days, and nothing seems to be out of the ordinary. Excellent thus far.
Hope that helps you on your adventures.
I was working to root out some nasties on a laptop and I ran into a rather persistent little bugger. Even though I had removed everything suspicious I could locate using Revo Uninstaller (another of my favorites), I was not able to run updates or download any spyware or virus protection because calls to those URLs were being redirected to localhost (127.0.0.1). The redirect in the browser would then, of course, take me to some site where I was told of the dozens of problems with my computer and how I should download their software.
I was able to download both of these applications from another machine, but the redirect simply made it impossible for Spybot and AVG to gather their updates from their respective servers. I was even able to download an installer which was Spybot’s update; however, neither of these applications would actually show their GUIs (they appeared in the Task Manager but neither made an appearance on-screen).
After a bit of searching I found an article which talked about an application called ComboFix. Turns out it’s a great little utility.
Just to recap: I wasn’t able to run any viral/spyware updates or visit any site (like avg.com or safer-networking.org) because of the re-route to localhost (127.0.0.1); the machine was seriously hijacked; and I couldn’t find anything that would be doing it.
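The redirect to 127.0.0.1 described above is the symptom to look for, and one of the most common ways malware produces it is by planting entries in the Windows hosts file that point security-vendor domains at the loopback address. The script below is an added example of checking for that (it is mine, not part of the original post or any of the tools mentioned). It assumes the hosts file is the mechanism, takes the two domains named in the post (avg.com and safer-networking.org) plus one assumed extra vendor domain as the watch list, and runs over a constructed sample hosts file rather than the real one at C:\Windows\System32\drivers\etc\hosts.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains.

Added example for this post (not the original author's code). The watch list
is an assumption: avg.com and safer-networking.org come from the post, the
Microsoft update host is an illustrative addition.
"""

import ipaddress

SECURITY_DOMAINS = {
    "avg.com",                # named in the post
    "safer-networking.org",   # named in the post (Spybot)
    "update.microsoft.com",   # assumed extra entry for illustration
}


def is_sinkhole(ip_text):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) addresses,
    the two values malware typically uses to blackhole a hostname."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text,
    ignoring blank lines and trailing '#' comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield ip, name.lower(), line_no


def matches_security_domain(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacks(text):
    """Return [(line_no, ip, hostname)] for every watched domain sent to a sinkhole."""
    return [
        (line_no, ip, name)
        for ip, name, line_no in parse_hosts(text)
        if matches_security_domain(name) and is_sinkhole(ip)
    ]


# Constructed sample hosts file mimicking the redirect described in the post.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avg.com
127.0.0.1       free.avg.com
127.0.0.1       www.safer-networking.org # blocks Spybot updates
0.0.0.0         update.microsoft.com
192.168.1.10    printer.local
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

To use it on a live machine, read the real hosts file into `find_hijacks` instead of `SAMPLE_HOSTS`; the legitimate `localhost` lines are left alone because only the watched vendor domains are reported. Note that a clean hosts file does not rule out the redirect, since a tampered DNS setting or a filter driver can produce the same symptom, which is why the post still needed ComboFix to find the underlying rootkit.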
This utility does a pretty brutal scan, reboots the machine automatically, and starts itself up before anything else—and keeps doing that until it’s found nothing at all. It found a rootkit problem and rebooted maybe 3 times before it gave its final report. Only then was I able to run Spybot and AVG, run their updates, and run their respective scans.
You’ll want to pay special attention to the section where the article discusses the recovery console (XP) and recovery environment (Vista), but the whole thing worked great. (I used the XP SP2 recovery console because I could not find one for SP3.)