Rootkit - Hidden Driver, How to delete it?
Muris Varajic
post Feb 6 2009, 10:57 PM
Post #1


Instructor
Group Icon

Group: GMC Instructor
Posts: 15.459
Joined: 22-June 07
From: Sarajevo,Bosnia
Member No.: 2.159



This is not so much about entertainment
but has something to do with electronics and PC.
I found some rootkit as a hidden driver in the Windows folder, drivers subfolder.
I found it using AVG but I can't delete it,
it always appears again and again but with a different name.
I also noticed something weird with the Mozilla browser,
fonts are changing just like that and
even some colors are applied to certain text,
could all that be done by this rootkit?
And how to delete it?

Thanks


--------------------
Youtube
MySpace
Website



Album "Let It Out" on
iTunes
and CD Baby

Check out my video lessons and instructor board!

The Pianist
tune is progress,check it out!

"ok.. it is great.. :P

have you myspace? Can i to personalize this for you guy?"
jer
post Feb 6 2009, 11:00 PM
Post #2


GMC:er
*

Group: Passive
Posts: 1.889
Joined: 3-September 08
From: Des Moines IA USA
Member No.: 5.836



What's the name of the driver?

Are you using Windows XP?


--------------------
My Gear

Jackson SL-1 USA Soloist
Jackson DK2M
ESP LTD MH-400
ESP LTD EC-1000
Ibanez Custom S-Series
Martin 001 Acoustic

Handmade Marshall JCM800 50watt head (with mods)
Carvin 50x2 Stereo Tube Amp
Boss GT-10 Preamp/Effects Processor
Digitech GSP-1101 Preamp/Effects Processor
Behringer FCB1010 Midi Controlled Floorboard
Behringer Dualfex EX2200
Behinger Stereo EQ
Line 6 POD with 2.3 upgrade
Line 6 Floor Board
Line 6 Spider III Practice Amp
Nady UHF Wireless


"Who will eat the decay, when the worms have lost their sight?"
Muris Varajic
post Feb 6 2009, 11:08 PM
Post #3





Yeah, I'm on XP and its current name is ad8z38ts.SYS
but it changes into aglwl2zo.SYS or something like that.
Any ideas?

Update, newest name is ai8I4wcc.SYS

This post has been edited by Muris Varajic: Feb 6 2009, 11:09 PM


jer
post Feb 6 2009, 11:19 PM
Post #4





thought I'd google it....

Nothing.




Muris Varajic
post Feb 6 2009, 11:20 PM
Post #5





QUOTE (jer @ Feb 6 2009, 11:19 PM) *
thought I'd google it....

Nothing.


I did some googling but nothing as well;
it changes name all the time, dunno what to google anymore.


Ivan Milenkovic
post Feb 6 2009, 11:51 PM
Post #6


Instructor
Group Icon

Group: GMC Instructor
Posts: 25.396
Joined: 20-November 07
From: Belgrade, Serbia
Member No.: 3.341



I recommend Spybot as well, Muris; it has the ability to restart the computer and search for viruses before starting the processes.

PS Good luck man

This post has been edited by Ivan Milenkovic: Feb 6 2009, 11:51 PM


--------------------
- Ivan's Video Chat Lesson Notes HERE
- Check out my GMC Profile and Lessons
- (Please subscribe to my) YouTube Official Channel
- Let's be connected through ! Facebook! :)
Muris Varajic
post Feb 7 2009, 12:19 AM
Post #7





Thanks guys, gonna try those right now!


29a
post Feb 7 2009, 12:22 AM
Post #8


GMC:er
*

Group: Members
Posts: 356
Joined: 28-December 08
Member No.: 6.464



Seriously? Wipe the system. And reinstall it from scratch. That's the only secure way to handle this. And if it's really a proper rootkit, Spybot won't be able to do anything. I hope you didn't have a credit card number or online banking credentials stored (or even just used) on this machine. In any case check the transactions. I hope that helps and nothing bad happened to your personal data.

- Jonas


--------------------
My Website | My Gear | Elixir Nanoweb Strings Review | Installing Schaller Security Locks
"If privacy is outlawed, only outlaws will have privacy." - Phil Zimmermann
Dejan Farkas
post Feb 7 2009, 12:28 AM
Post #9


Instructor
Group Icon

Group: GMC Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
Member No.: 3.387



You can also try an online virus scanner, such as this one

http://www.bitdefender.com/

there is a SCAN ONLINE link at the bottom left

Start the computer in Safe Mode with Networking, use Internet Explorer and follow the instructions.

Just to warn you, if you have a large disk it may take some time

edit: back up your important data before, because if some system file is infected and unable to be cleaned it will be automatically deleted, which means it can happen that you won't be able to start Windows again

This post has been edited by Dejan Farkas: Feb 7 2009, 12:32 AM


Muris Varajic
post Feb 7 2009, 12:41 AM
Post #10





QUOTE (29a @ Feb 7 2009, 12:22 AM) *
Seriously? Wipe the system. And reinstall it from scratch. That's the only secure way to handle this. And if it's really a proper rootkit, Spybot won't be able to do anything. I hope you didn't have a credit card number or online banking credentials stored (or even just used) on this machine. In any case check the transactions. I hope that helps and nothing bad happened to your personal data.

- Jonas


Is it really that serious?
I used PayPal a few times


UncleSkillet
post Feb 7 2009, 12:56 AM
Post #11


Learning Tone Seeker
*

Group: Members
Posts: 1.525
Joined: 21-January 08
From: Cincinnati, Ohio
Member No.: 3.915



Not sure what time it is there. I have some free time and would be happy to walk you through the removal process. This is my job and I have been doing it for 10+ years. Removed it off a system the other day at work, if the name of the virus you gave is correct.

Of course if you have all your data backed up and want to do a fresh format and install, that would work as well.

PM me if you want help, Muris.


--------------------
"Think of a guitar solo as a paragraph. You need a clear beginning, a middle, and an end. Look at musical phrases like sentences, and make sure you break them up using punctuation—or space. You pause naturally when conversing, right? If you don't, you'll bore the listener. The same thing will happen with your audience if your solo is one dimensional. You'll wear them out and lose their attention." —Tom Principato
Muris Varajic
post Feb 7 2009, 01:02 AM
Post #12





Found it!

And 29a, you owe me like 10 years of my life,
you scared me to death man!!!!!!!!

Anyhow, I did some googling and found a few forums with similar questions,
it was DaemonTools and it uses some rootkit as well,
I did another scan after I uninstalled it and nothing was there.


UncleSkillet
post Feb 7 2009, 01:14 AM
Post #13





That's good to hear man!
If you run into a problem and need some help just ask. We can count it as extra credit for the homework you will soon be giving me.

Just kidding of course. I know it is scary when you get one of these things on your system.


29a
post Feb 7 2009, 01:46 AM
Post #14





QUOTE (VictorUK @ Feb 7 2009, 12:55 AM) *
Sorry, I cannot believe that a rootkit can be that serious, the reason is because rootkits don't have a payload, they only allow viruses etc to go undetected; there will always be some sort of method to get rid of them. If you can find the specifics of the rootkit, i.e. the name/type, you should be able to find some fix either on a forum (one about virus diagnosis) or Google ofc.

but yes, if there's not much to lose, reinstalling Windows might actually take less time than diagnosing the problem/problems.


A rootkit is the most serious/low-level type of backdoor you can have on your computer. Rootkits are used to hide a payload. A rootkit can modify/control every bit of an operating system and hide itself in very obscure places. It can hide files. But it can also show you files which don't exist. It can hide processes. It can modify the behavior of existing processes/applications including virus scanners. Unless you analyzed what exactly that rootkit does (by studying its entire code) it's very hard to tell if you've removed everything or not.

And Muris, sorry I didn't want to scare you and I'm glad it was nothing serious. But you've got to be careful with malware. Nowadays it's not just kids having fun but organized crime.

- Jonas


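One defender-side check that follows from what 29a describes above: a driver a file-hiding rootkit conceals still shows up in the kernel's own list of loaded modules, so comparing two independently collected views of the drivers folder exposes the gap, and the thread's own symptom (an eight-character random-looking .SYS name) can be flagged alongside. This is an added example, not code from the thread or any participant; it assumes you have already gathered the two name lists by separate means (kernel-reported loaded drivers and a plain directory listing), and it treats a hit as a triage signal only, since, as the thread found, a legitimate product (DaemonTools) produced exactly this pattern.

```python
import re
from dataclasses import dataclass, field

# Name shape seen in the thread (ad8z38ts.SYS, aglwl2zo.SYS, ai8I4wcc.SYS):
# eight alphanumerics with at least one digit, .SYS extension, any case.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{8}\.sys$", re.IGNORECASE)


@dataclass
class Findings:
    loaded_not_on_disk: list = field(default_factory=list)  # possible file hiding
    on_disk_not_loaded: list = field(default_factory=list)  # informational only
    random_looking: list = field(default_factory=list)      # thread's naming pattern


def cross_view(loaded_modules, directory_listing, allowlist=()):
    """Compare two views of the drivers folder and report discrepancies.

    loaded_modules:    driver file names the kernel reports as loaded
    directory_listing: file names a normal directory listing shows
    allowlist:         names the operator has already confirmed as benign
    Comparison is case-insensitive, as Windows file names are.
    """
    loaded = {n.lower() for n in loaded_modules}
    on_disk = {n.lower() for n in directory_listing}
    allow = {n.lower() for n in allowlist}
    f = Findings()
    # A driver the kernel runs but the file-system view does not show is the
    # classic cross-view gap a file-hiding rootkit leaves behind.
    f.loaded_not_on_disk = sorted(loaded - on_disk - allow)
    f.on_disk_not_loaded = sorted(on_disk - loaded - allow)
    f.random_looking = sorted(n for n in (loaded | on_disk) - allow
                              if RANDOM_NAME.match(n))
    return f


# Constructed sample views, not real system output. The random-looking names
# are the ones reported in the thread; ai8I4wcc.SYS is present only in the
# kernel's view to stand in for a hidden file.
SAMPLE_LOADED = ["ntfs.sys", "tcpip.sys", "ai8I4wcc.SYS"]
SAMPLE_DIR = ["ntfs.sys", "tcpip.sys", "afd.sys", "aglwl2zo.SYS"]

if __name__ == "__main__":
    r = cross_view(SAMPLE_LOADED, SAMPLE_DIR)
    print("loaded but not visible on disk:", r.loaded_not_on_disk)
    print("random-looking driver names:   ", r.random_looking)
```

Once a name is explained (here, by uninstalling DaemonTools and rescanning as Muris did), add it to the allowlist so the check stays quiet on the next run.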
fatb0t
post Feb 7 2009, 02:02 AM
Post #15


GMC:er
*

Group: Members
Posts: 1.202
Joined: 25-November 07
Member No.: 3.373



I do this for a living, I completely agree with 29a.
Mandos
post Feb 7 2009, 07:20 AM
Post #16


GMC:er
*

Group: Members
Posts: 509
Joined: 12-November 08
From: Stockholm, Sweden
Member No.: 6.234



A warning to everyone. DaemonTools comes with malware and has done so for well over a year. Some claim that it is only adware, but I have a friend who's gotten trojans and other crap from their installers. I recommend removing it and that you use other software for your needs.

I can recommend MagicDisc. I've read that Microsoft has a program that mounts images as well, but I've never used it.


--------------------
Guitars: Epiphone Les Paul Gothic with EMG 81 and 85, Crafter Acoustic, ESP LTD F-205
Muris Varajic
post Feb 7 2009, 12:30 PM
Post #17





QUOTE (29a @ Feb 7 2009, 01:46 AM) *
And Muris, sorry I didn't want to scare you and I'm glad it was nothing serious. But you've got to be careful with malware. Nowadays it's not just kids having fun but organized crime.

- Jonas


No problem and I agree 100% as well,
we must be REALLY careful with those things!!

