Author Topic: Is this actually a root kit.  (Read 4978 times)


Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« on: Sun, 29 March 2009, 10:16:10 »
Only AVG sees this and none of the other scanners I have tried.
However it does not seem able to remove it.
I'm not sure if it's false or real. Can anyone offer advice?

"C:\Windows\System32\Drivers\ay4s3b7u.SYS";"Hidden driver";"Object is hidden"

Oh, and it has a different name every time I reboot the PC.

Thanks.
Keyboards. Happy Hacking Pro 2 x2. One white, one black. IBM Model M US layout. SGI Silicon Graphics with rubber-dampened ALPS. IBM Model F. ALPS Apple board, I forget what it is. And some more I forget what I have.

Typewriters. Olivetti Valentine. Imperial Good Companion Model T. Olympia SM3

Offline bhtooefr

  • Posts: 1624
  • Location: Newark, OH, USA
  • this switch can tick sound of music
    • bhtooefr.org
Is this actually a root kit.
« Reply #1 on: Sun, 29 March 2009, 11:51:00 »
Try RootkitRevealer, just for fun.

It likely is something along the lines of a rootkit, though.

Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #2 on: Sun, 29 March 2009, 12:07:50 »
I tried it but it won't launch. I click the exe and it says the application quit.
I'm on Vista 64, could that be the problem?

Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #3 on: Sun, 29 March 2009, 12:10:38 »
BlackLight rootkit detection cannot find it.

Oh and 1k posts wooo etc.

Just trying some other rootkit tools and BlackLight is the only one that will install and boot.
All the others say they are missing a component or just won't install at all.
Not sure what to do now :(

Offline pex

  • Posts: 145
Is this actually a root kit.
« Reply #4 on: Sun, 29 March 2009, 12:34:31 »
Sometimes you have to get down on your knees and do manual forensics work when one-hit wonders won't save you.

As a background, I, like most people, do not observe "least privileged access" and other such best computing practices.  Because people, in general, do not observe these practices, it is why we have a communicable-virus culture.  While I do not observe best computing practices, I do have a level of smart computing practices that has apparently allowed me to go without any known-detrimental viruses through my whole history of computing, even when I do occasionally get a virus (and am always able to locate and expel it).  This is even in light of significant periods without anti-virus or a maintenance discovery strategy.

That said, I think it is not too much trouble to be able to realize you have a virus, ascertain how it works on a basic level, and rid yourself of it.  You have many tools at your disposal that aren't even categorized under 'virus/spyware scanner'.  For the things that always want to rename themselves, there is probably a process running that looks valid but is not, which runs the show, or otherwise DLLs or other system files are being hooked into otherwise legitimate EXEs.  It's certainly annoying.  You need a piece of software that allows you to track what files your executable uses and accesses to realize if these issues are occurring.

It helps if you have a knowledge of what your computer SHOULD be running at any given time so that you can, with the aid of such a program, ignore any false positives or negatives (for software that flags 'strange things' hooking into your EXEs, for example).

I will have to look up the name of a software I used most recently for this very reason.  In the meanwhile, you want to use MSCONFIG to check for services added by unknown providers and that shouldn't be running, as well as stopping things from running on startup (also done through MSCONFIG and checking your Startup folder in shortcuts folder).  If you do things like this and the processes/startup references come back, you'll know that there is a third party running the show, and that's when you have to do more investigative work.

----------------EDIT:--------------

I am having incredible trouble finding the software I use, bah
Ж®Cherry G80-8113 (someday I hope to have one that reads magstripes, rfid cards, and smartcards), broken '98 42H1292 Model M, some other Model M from a decade before that, 30 more keyboards in a box, 4 more lying here or there
Destroying Sanctity: my Model M project. Status: Dead.

Offline iMav

  • geekhack creator/founder
  • Location: Valley City, ND
  • "Τα εργαλεία σας είναι σημαντικά."
Is this actually a root kit.
« Reply #5 on: Sun, 29 March 2009, 12:44:17 »
According to TrustedSource, it is highly likely you've been infected with some sort of malware.


Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #6 on: Sun, 29 March 2009, 12:53:30 »
Oh god, what's the best thing to do?
I have tried blacklight, spybot, malwarebytes and none of them can see it.
Should I do a re install?
I have tried msconfig and there were no unknown services running.

Offline pex

  • Posts: 145
Is this actually a root kit.
« Reply #7 on: Sun, 29 March 2009, 13:05:24 »
When I format and partition hard drives, I always like to leave a few 5-10 GB partitions to install OSes on for times when the current OS is too crippled to let someone use tools inside of it.  Better than that is probably a separate hard drive for such purposes.

I found the software I was referencing...which is called ESET SysInspector.  http://www.eset.com/download/sysinspector.php  ESET makes the NOD32 antivirus software, which I hadn't heard of when I first came upon it, but after some review it apparently actually finds more viruses than your mainstream Norton/McAfee/Kaspersky/whatever.  ESET offers limited-time trial evals of their software, so it's a great tool to put on a new OS you're just going to discard after you fix the virus/malware issue.  Unfortunately, I don't actually remember how I killed the last obnoxious malware/virus I had, so I can only suggest that these two tools were two of many I tried.  I imagine I downloaded several AV softwares, AS software, and analysis tools.  GFI LanGuard might be another tool you could use, although it is more useful for determining what might be getting out of your system through the interwebs due to malware/errant programs.

Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #8 on: Sun, 29 March 2009, 13:16:56 »
Thanks for all the great advice pex. I will give it a go. LanGuard I could not get to run for some reason.
I will let you know how I get on.
Thanks again.

Laurie.

Offline bhtooefr

  • Posts: 1624
  • Location: Newark, OH, USA
  • this switch can tick sound of music
    • bhtooefr.org
Is this actually a root kit.
« Reply #9 on: Sun, 29 March 2009, 13:19:12 »
On my own systems, I nuke from orbit.

Offline pex

  • Posts: 145
Is this actually a root kit.
« Reply #10 on: Sun, 29 March 2009, 13:21:39 »
Maybe I should explain why you want to use SysInspector or something similar: When you're given a list of processes and files connected to them, and you know what is supposed to be running and what is supposed to be connected, you'll then have a starting point to deduce the actual (known and named) cause of your issues, and you can seek the appropriate treatment, even when an automation program won't provide or realize it.  Also, sometimes you get the opportunity to take on such a simple task as closing a bunch of processes through Windows Task Manager that your virus has hooked into, at which time, since the virus is no longer active, you can extract it from your hard drive and remove references to it from the registry/ini/whatever.  

Mileage varies.

Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #11 on: Sun, 29 March 2009, 13:21:50 »
OK, ESET finds it in the drivers section.
"a45559iq" = "" Manual ; Stopped ; ( 5: Unknown ) ;
However it will not let me do anything with it.
If I highlight it it says no item selected with file association.
What would be my next step?

Offline pex

  • Posts: 145
Is this actually a root kit.
« Reply #12 on: Sun, 29 March 2009, 13:28:51 »
You need to be reviewing the processes section, checking each running process, and determining if that process 1) should be running for any good reason, and 2) has only acceptable 'modules' seen in use with it.  The most probable anomalies would be found here.  A file does not do anything by itself unless it runs or is run by something.

In the course of troubleshooting, you might want to close anything that is not needed to maintain the OS for troubleshooting.  If you want to take that a step further, run through services.msc and stop/disable all unneeded services (which will reduce the number of ambiguous svchost.exe instances amongst other SYSTEM, LOCAL SERVICE, and NETWORK SERVICE processes), if you know that they are unneeded over the course of troubleshooting.  Remember to restore them to the previous configuration so you don't have to wonder why other things randomly stopped working.
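
The triage pex lays out across the replies above (know what should be running, enumerate what is registered to run, cross-check it against what the OS reports and what is on disk, then chase whatever does not line up) can be scripted for the driver case this thread is about. The script below is an added example written for this page; it is not from the thread and not part of AVG, ESET SysInspector, BlackLight or any other tool named here. It assumes PowerShell 3.0 or later (for Get-CimInstance) in an elevated prompt, and its "random-looking name" pattern (eight lowercase alphanumerics with at least two digits, modelled on the ay4s3b7u and a45559iq entries quoted above) is a heuristic of this example, not a published indicator; the snapshot folder under the user profile is likewise this example's choice.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Cross-checks kernel drivers three ways from inside the running OS:
#   1. what is registered to load (HKLM\SYSTEM\CurrentControlSet\Services, Type = 1),
#   2. what the Service Control Manager reports (Win32_SystemDriver),
#   3. what is actually visible under System32\drivers,
# and flags entries that are registered but unseen elsewhere, unsigned, or carry a
# machine-generated-looking name. Assumes PowerShell 3.0+, run elevated.
$ErrorActionPreference = 'SilentlyContinue'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
# Heuristic (assumption of this example): eight lowercase alphanumerics containing at
# least two digits. Legitimate drivers can match, so treat it as a hint only.
$randomName = '^(?=.*\d.*\d)[a-z0-9]{8}$'

function Resolve-DriverPath([string]$imagePath) {
    # ImagePath comes in several shapes: "system32\drivers\x.sys",
    # "\SystemRoot\system32\drivers\x.sys" or "\??\C:\...\x.sys".
    if (-not $imagePath) { return $null }
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Drivers registered with the kernel loader (Type 1 = kernel-mode driver).
$registered = foreach ($key in Get-ChildItem -Path $svcRoot) {
    $props = Get-ItemProperty -Path $key.PSPath
    if ($props.Type -eq 1) {
        [pscustomobject]@{
            Name      = $key.PSChildName
            ImagePath = [string]$props.ImagePath
            Start     = $props.Start    # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        }
    }
}

# 2. Drivers the SCM is willing to report.
$scmNames = @{}
foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) { $scmNames[$d.Name.ToLower()] = $d }

# 3. Driver files that show up in a directory listing (a separate code path from
#    opening a file by name, so a rootkit may hide from one and not the other).
$onDisk = @{}
foreach ($f in Get-ChildItem -Path $driverDir -Filter *.sys) { $onDisk[$f.Name.ToLower()] = $f }

$findings = foreach ($r in $registered) {
    $path    = Resolve-DriverPath $r.ImagePath
    $reasons = @()
    if ($r.Name -match $randomName)                    { $reasons += 'random-looking name' }
    if (-not $scmNames.ContainsKey($r.Name.ToLower())) { $reasons += 'registered but not reported by SCM' }
    if (-not $path) {
        $reasons += 'no ImagePath'
    } elseif (-not (Test-Path -LiteralPath $path)) {
        $reasons += "file not found by path: $path"
    } else {
        $leaf = (Split-Path -Leaf $path).ToLower()
        if ($path -like "$driverDir\*" -and -not $onDisk.ContainsKey($leaf)) {
            $reasons += 'opens by path but missing from directory listing'
        }
        # Catalog-signed inbox drivers can report NotSigned on older PowerShell; treat
        # signature status as a triage hint, not proof either way.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Driver  = $r.Name
            Start   = $r.Start
            Path    = $path
            Reasons = $reasons -join '; '
        }
    }
}

$findings | Sort-Object Driver | Format-Table -AutoSize -Wrap

# The driver in the thread took a new name each boot, so keep a per-boot snapshot of
# registered driver names and diff it against the previous one: a name present only
# in the current snapshot is the next thing to look at.
$snapshotDir = Join-Path $env:USERPROFILE 'driver-snapshots'   # example's choice
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null
$current = Join-Path $snapshotDir ('drivers-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
$registered.Name | Sort-Object | Set-Content -Path $current
$previous = Get-ChildItem -Path $snapshotDir -Filter 'drivers-*.txt' |
            Sort-Object Name | Select-Object -Last 2 | Select-Object -First 1
if ($previous -and $previous.FullName -ne $current) {
    Compare-Object (Get-Content $previous.FullName) (Get-Content $current) |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { "new since last snapshot: $($_.InputObject)" }
}
```

Everything this script reads comes from the OS that may be compromised, which is the weakness pex's spare 5-10 GB partition is meant to get around: a kernel rootkit that hides its file and service entry from the live system will hide them from this script as well. Booted into a clean OS, the registry half still works offline: load the suspect hive with `reg load HKLM\Offline D:\Windows\System32\config\SYSTEM` (adjust the drive letter), point `$svcRoot` at `HKLM:\Offline\ControlSet001\Services` (there is no CurrentControlSet link in an offline hive), and check `Test-Path` against the mounted drive; the SCM cross-check does not apply offline. A driver that is registered, signed by a known vendor and matches installed software is the false-positive case raised later in the thread; one that is registered, unsigned, absent from the listing and renamed every boot is the case that justifies nuking from orbit.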

Offline bigpook

  • Posts: 1723
Is this actually a root kit.
« Reply #13 on: Sun, 29 March 2009, 13:44:36 »
Quote from: bhtooefr;26033
On my own systems, I nuke from orbit.


I have a bunch of penguins providing cover for me. They have yet to fail me.
HHKB Pro 2 : Unicomp Spacesaver : IBM Model M : DasIII    

Offline bhtooefr

  • Posts: 1624
  • Location: Newark, OH, USA
  • this switch can tick sound of music
    • bhtooefr.org
Is this actually a root kit.
« Reply #14 on: Sun, 29 March 2009, 13:45:42 »
I do have a couple penguins, one on the perimeter of my network, and another inside peeking out. :)

Offline D-EJ915

  • Posts: 489
  • Location: USA
Is this actually a root kit.
« Reply #15 on: Sun, 29 March 2009, 17:10:25 »
Quote from: iMav;26024
According to TrustedSource, it is highly likely you've been infected with some sort of malware.


Says that's for email, dunno WTF it means aside from being some ad or something like that, considering on both of ours there is no email traffic.

me:http://www.trustedsource.org/query/68.10.200.39
my neighbor: http://www.trustedsource.org/query/68.10.200.237
this is our router from cox: http://www.trustedsource.org/query/68.10.200.1

Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #16 on: Sun, 29 March 2009, 18:02:02 »
Quote from: D-EJ915;26067
Says that's for email, dunno WTF It means aside from being some ad or something like that considering on both of ours there is no email traffic.

me:http://www.trustedsource.org/query/68.10.200.39
my neighbor: http://www.trustedsource.org/query/68.10.200.237
this is our router from cox: http://www.trustedsource.org/query/68.10.200.1


Hmm. So does this not mean anything?
I have been trying to get rid of the rootkit using the methods mentioned here but don't seem to be able to.
It does not seem to be hooked to anything I have running. Unless it is part of the system itself, which I cannot shut down and still scan.
I'm thinking about just giving up and installing the Windows 7 beta to have a go of.
It's drastic but I am worried what this could be doing to my personal data.
Do I need to be so concerned?

Thanks.

Offline MellonCollie

  • Posts: 6
Is this actually a root kit.
« Reply #17 on: Sun, 29 March 2009, 21:03:00 »
Quote from: lam47;26001
Only avg sees this and none of the other scanners I have tried.


Have you tried Kaspersky?

Cherry G80-3000LSCGB-2
Cherry G84-4100

Offline lal

  • Posts: 360
Is this actually a root kit.
« Reply #18 on: Mon, 30 March 2009, 09:33:36 »
Once your system is infected the only really safe thing is to reinstall from a known clean medium.  The purpose of a virus scanner is to prevent the first time execution of malware.  Once it runs it's too late because it can do anything, including manipulation of anti-virus software.
BS: Customizer, Model Ms; Alps: CSK-2101, FK-2002, AT-101 (SGI & Dell), MCK-860, FKBN87Z/EB; Cherry: Poker X, FKBN87MC/EB, WY60, G80-3000, G84-4100, TDV 5010

Offline MellonCollie

  • Posts: 6
Is this actually a root kit.
« Reply #19 on: Mon, 30 March 2009, 10:52:40 »
Long shot: lam47, do you have Daemon Tools installed (or similar drive emulation software)? A quick spot of googling throws up a few forum posts about AVG (falsely) fingering Daemon Tools as a rootkit.


Quote from: lal;26114
Once your system is infected the only really safe thing is to reinstall from a known clean medium.


I agree with you. If it was me I'd reinstall just for the peace of mind. Having said that, I'd be interested to see if a good AV (such as Avira, or Kaspersky) can find anything, as it could well be an AVG false positive.


Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #20 on: Mon, 30 March 2009, 10:55:58 »
Kaspersky could not see it and I did have Daemon Tools, yes!
Could it be the driver for the virtual drives that is upsetting it?
I have Windows 7 installed for the moment.
It kept all my files and installed nicely.
Only 2 apps that won't run in it are Skype and Daemon Tools, funnily enough.

I like it a lot so far but I do keep losing network connection at random intervals.
Also what am I going to do when the beta expires?
I didn't think of that.
Doh!

Offline MellonCollie

  • Posts: 6
Is this actually a root kit.
« Reply #21 on: Mon, 30 March 2009, 11:04:48 »
Quote from: lam47;26121
Kaspersky could not see it and I did have Daemon Tools, yes!
Could it be the driver for the virtual drives that is upsetting it?


Possibly, yes!


Quote from: lam47;26121

Also what am I going to do when the beta expires?
I didn't think of that.
Doh!


The beta expires on the 1st of August, but the Release Candidate will be out well before then (May I believe). So you can download the RC and run that for a good while.  :)


Offline lam47

  • Thread Starter
  • Posts: 688
Is this actually a root kit.
« Reply #22 on: Mon, 30 March 2009, 11:23:19 »
Thanks man good to know :)