Getting rid of rootkits
My computer was running super slow lately so I did a scan with AVG 2012. Come to find out I have 41 rootkits!!! AVG was only able to remove/heal 6 and I still have 35 hanging around. It's odd that AVG will find them, but then be unable to do anything about them. Any experts have ideas on how to get rid of these things?
Re: Getting rid of rootkits
Re-installing the operating system is a last resort but maybe your best bet.
That or upgrading to a new operating system.
From there on, avoid file sharing, chat rooms, etc. which are well known sources of infection.
Re: Getting rid of rootkits
Google "rootkit removal".
Good luck.
Chaz
"Money is better than poverty, if only for financial reasons." Woody Allen
http://www.bogleheads.org/wiki/index.php/Main_Page
Re: Getting rid of rootkits
Try TDSSKiller by Kaspersky Labs. It is free and got the job done when I had to disinfect a handful of computers at my uncle's small business.
Re: Getting rid of rootkits
PacNorWest wrote:
Re-installing the operating system is a last resort but maybe your best bet.
That or upgrading to a new operating system.
From there on, avoid file sharing, chat rooms, etc., which are well known sources of infection.
That is what I would do. I keep a reasonably current image of the last known stable system on a USB drive. An alternative would be to go into Windows and look for a restore point that you know was before you started having problems and do a restore to that point.
Make sure you back up all your data before you do anything.
When you discover that you are riding a dead horse, the best strategy is to dismount.
Re: Getting rid of rootkits
You can download the tdss.exe rootkit here from Kaspersky. I have used it on more than one occasion on my computer and others.
It has worked well for me
Good Luck
http://support.kaspersky.com/faq/?qid=208280684
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
Re: Getting rid of rootkits
I agree about TDSSKiller. While you're at it, get MalwareBytes. Also look to install a good firewall if you don't have one.
Brian
Re: Getting rid of rootkits
Just ran TDSS from Kaspersky. It ran fine and found nothing...strange?
I am also running Sophos and will report back with results.
Re: Getting rid of rootkits
PacNorWest wrote:
Re-installing the operating system is a last resort but maybe your best bet.
That or upgrading to a new operating system.
IMHO, when you are THAT infected, reinstalling should be the first resort. It's hard to clean that much up. It's much better to wipe the slate clean. I personally keep around the latest service packs and security software on CD/DVD/USB drive as well, so that I can patch up the new system as much as possible before letting it go online to download the rest of the patches. Some versions of Windows are pretty vulnerable after the base install.
It's also possible that AVG is calling things "rootkits" when they are really just adware or web bugs used by advertisers to track what websites you visit. As much as I hate adware because they can slow things down and they can violate your privacy, they aren't usually malicious, just intrusive and annoying. Rootkits in my mind should be reserved for things intending to be malicious, like the C&C code for botnets.
Re: Getting rid of rootkits
Mudpuppy wrote:
PacNorWest wrote:
Re-installing the operating system is a last resort but maybe your best bet.
That or upgrading to a new operating system.
IMHO, when you are THAT infected, reinstalling should be the first resort.
I agree - reinstall O/S is the safest way to go once you get to this point, followed by MS Security Essentials. Then change all online passwords, and freeze your credit reports. Optionally - get new credit and debit card numbers if you buy things online.
Re: Getting rid of rootkits
herp derp
Last edited by johnny72 on Thu Sep 27, 2012 8:40 pm, edited 1 time in total.
Re: Getting rid of rootkits
I'm thinking AVG 2012 is reporting false positives (not really there). Do you have any other anti-virus tools installed with AVG? These things work best alone, as they will fight each other and cause problems. For example, I found this thread: AVG forum: Rootkits found by scan, the problem was caused by a 2nd anti-virus tool on the same PC.
The way to do this is to download the software you need. Then, take the PC offline - which means either 1) physically disconnecting the ethernet cable, or 2) turning off the wireless router. The PC can't get to the internet no matter how hard it tries.
Once it's offline, uninstall AVG. Then, try something else (MS Security Essentials and Malwarebytes is a good combo). Run the anti-rootkit utilities. If you're clean, it's probably OK. Reinstall the antivirus (your pick, but I like MS Security Essentials) and go back online.
A complete reinstall will work, also. If you continue to get antivirus / rootkit hits when it's offline, the suggestions to reinstall from scratch are often the best ones. I assume your firewall is working.
Re: Getting rid of rootkits
I don't have a specific suggestion for your problem. But if I can offer a comment...
Keeping Windows free of security problems is a lot of work -- more than most people are prepared for without professional help. Only you can decide whether it is worth your time and/or money. There are some alternatives available if you prefer not to worry about these things.
Re: Getting rid of rootkits
Gemini wrote:
My computer was running super slow lately so I did a scan with AVG 2012. Come to find out I have 41 rootkits!!! AVG was only able to remove/heal 6 and I still have 35 hanging around. It's odd that AVG will find them, but then be unable to do anything about them. Any experts have ideas on how to get rid of these things?
If there are actually that many rootkits on a PC, something is wrong --
Is your PC behind a hardware firewall? If not, that could be why.
A hardware firewall is part of a wireless or wired router. We have cable; it would be possible to plug a PC directly into the cable modem and it would work great, except there would be no firewall and the PC would be open to the world, with the exception of the Windows firewall, which is not intended for that level of protection.
If you are plugged into a router or use a wireless router, you are probably OK in that respect.
Re: Getting rid of rootkits
multivoiced wrote:
Only you can decide whether it is worth your time and/or money. There are some alternatives available if you prefer not to worry about these things.
It's an interesting concept, but it's not something you use to upgrade your machine. You would need to buy a whole new one, specially designed for the operating system. There is a parallel open-source OS project, but it doesn't have all the features described in that article.
Brian
Re: Getting rid of rootkits
Sounds like you have Fake AVG: https://www.google.com/search?q=fake+avg
Highly likely that nothing is wrong with your computer except for Fake AVG. This is a good start if you are the DIY type: http://www.dslreports.com/faq/13616
Nothing is free, someone pays...You can't spend your way to financial freedom.
Re: Getting rid of rootkits
I still never even knew what a rootkit was, so I had to google it:
http://en.wikipedia.org/wiki/Rootkit
Re: Getting rid of rootkits
Download Malwarebytes and boot into safe mode (restart the computer and press F8, choose safe mode).
Run Malwarebytes and do a full scan. Also create a new profile in Windows and log into the new profile.
Re: Getting rid of rootkits
Apparently they are real and I will need to do a reformat and reinstall.
I am a noob at this and was wondering if someone can guide step by step.
1 - Backup all data -
does this mean basically transferring all my files/pics/home vids to an external drive? I have a 1 TB drive that is practically empty. What about my Outlook emails? I have like 10K+ emails on this computer. Is there a way to move them over? I also have bookmarks on Firefox - can I save them?
2 - KeePass - that is the main thing I am worried about. I had it on this comp and was wondering if it is compromised. What steps should I take to make sure all the accounts are safe and then backup this critical data to be moved over to external?
3 - Reformat? How?
4 - Reinstall - this is an IBM T60 laptop. I am guessing start the computer in the Microsoft recovery console and say restore to factory settings?
Thanks all.

Re: Getting rid of rootkits
Gemini wrote:
Apparently they are real and I will need to do a reformat and reinstall.
I am a noob at this and was wondering if someone can guide step by step.
1 - Backup all data -
does this mean basically transferring all my files/pics/home vids to an external drive? I have a 1 TB drive that is practically empty. What about my Outlook emails? I have like 10K+ emails on this computer. Is there a way to move them over? I also have bookmarks on Firefox - can I save them?
2 - KeePass - that is the main thing I am worried about. I had it on this comp and was wondering if it is compromised. What steps should I take to make sure all the accounts are safe and then backup this critical data to be moved over to external?
3 - Reformat? How?
4 - Reinstall - this is an IBM T60 laptop. I am guessing start the computer in the Microsoft recovery console and say restore to factory settings?
Thanks all.
1) Transfer all your data files to an external drive. Outlook data is stored in OST and PST files. Google "moving outlook data to a new computer". Also google "back up restore firefox".
2) Change all account passwords everywhere. Assume your passwords have been compromised.
3) Buy a new internal HD. Remove and save the old infected HD for later data recovery if needed. Don't reformat.
4) Follow the manufacturer's / Microsoft's instructions for reinstall.
Re: Getting rid of rootkits
New hd? I am not sure I would know how to install and do all the techie stuff. Furthermore, I don't have recovery discs - I was just planning to use the partition that was initially made by IBM to recover the console. Good idea or no?
- Epsilon Delta
Re: Getting rid of rootkits
I'd revise your list:
- Assess what is on your hard drive and decide how much you will regret losing it.
- Backup your data. Do a full disk backup. Since you have another hard drive, it can go there.
- Backup your data. Copy things you care about like photos, tax returns or email directories to some other media. DVD-R is often a good choice; it will keep the data for the next few years, long enough to make sure you have the computer up and running again.
- Back up your data. Copy things you are actually working on or might need in the next few weeks to, say, a flash drive.
- Back up your data. Some things you really don't want to lose. Email copies of your really irreplaceable data, such as photos, to friends and family, or copy these things to the cloud. You probably have a few gigabytes of free storage with your ISP etc.
- Consider if you have enough backups and that everything you care about is backed up at least twice. Verify your backups.
- Reformat the disk.
- ...
Re: Getting rid of rootkits
Even a reformat and full re-install may not get everything; there are viruses that infect the Master Boot Record, and the reformat/reinstall does not work on these.
You have a 6 year old computer that is severely compromised.
If it were newer, I would suggest replacing the hard drive and installing a fresh copy of Windows (or Linux).
Since it is 6 years old, I would junk it and get a netbook, or some other relatively cheap computer. Almost any new computer is going to be faster than a 6 year old computer, and if you use a wireless connection, new computers have wireless 802.11 N rather than the 802.11 G. N is less susceptible to interference, so you should get better network performance.
New computers usually have a 30-day Anti-virus on them. Once you have the new computer, immediately install the free Microsoft Security Essentials over the network before the 30 day window expires, and then you can turn off or uninstall the 30-day Anti-virus.
I have a Gateway netbook that was about $200 on sale (1GB of RAM, Intel Atom processor, 160GB hard drive, Windows 7, wireless N, webcam, and very light). The only downside is that the screen is small, 10.1 in., and it's nearly impossible to upgrade the memory or disk.
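The point made above, that a Master Boot Record infection sits outside any partition and so survives a reformat and reinstall, as an added example that is not from the thread: a Python script that parses sector 0, baselines the boot code hash and partition table while the machine is known good, and shows that a simulated partition format leaves a tampered MBR in place. The sample MBR bytes are constructed placeholders rather than real boot code, and `read_mbr` is a hypothetical helper for reading a device or raw image.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code a bootkit overwrites
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than 446 bytes")
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for bootable, ptype, lba_start, sectors in partitions:
        sector += struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector += b"\x00" * (16 * (4 - len(partitions)))  # unused slots stay zeroed
    sector += BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Return a SHA-256 of the boot code plus the decoded partition table."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline recorded while the machine was known good."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Hypothetical helper: read sector 0 of a block device or raw disk image (a real device needs root)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


def build_disk_image(mbr: bytes, total_sectors: int) -> bytearray:
    """Constructed toy disk image: the MBR at sector 0, all other sectors zero."""
    img = bytearray(total_sectors * SECTOR)
    img[:SECTOR] = mbr
    return img


def simulate_reformat(img: bytearray, partition: dict) -> None:
    """Model a format of one partition: its own sectors are rewritten, sector 0 is never touched."""
    start = partition["lba_start"] * SECTOR
    end = min(start + partition["sectors"] * SECTOR, len(img))
    img[start:end] = b"\x00" * (end - start)


# Constructed sample data: a placeholder, not real x86 boot code, and one NTFS partition (type 0x07).
CLEAN_BOOT_CODE = b"CLEAN-BOOT-CODE-PLACEHOLDER".ljust(BOOT_CODE_LEN, b"\x90")
NTFS_PARTITION = (True, 0x07, 64, 1024)


def sample_clean_mbr() -> bytes:
    return build_mbr(CLEAN_BOOT_CODE, [NTFS_PARTITION])


def sample_infected_mbr() -> bytes:
    """Same partition table, but the start of the boot code has been replaced (a constructed change)."""
    return build_mbr(b"TAMPERED" + CLEAN_BOOT_CODE[8:], [NTFS_PARTITION])


if __name__ == "__main__":
    baseline = parse_mbr(sample_clean_mbr())          # taken while the system was known good
    print("clean MBR:", check_mbr(sample_clean_mbr(), baseline) or "no change")
    img = build_disk_image(sample_infected_mbr(), total_sectors=2048)
    simulate_reformat(img, baseline["partitions"][0])  # the "reformat and reinstall" step
    print("after reformat:", check_mbr(bytes(img[:SECTOR]), baseline))
```

On a real machine the baseline would be taken from `read_mbr` on a fresh install and stored off the box, so a later comparison is made from a clean boot medium rather than from the possibly compromised OS.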
Re: Getting rid of rootkits
Gemini wrote:
New hd? I am not sure I would know how to install and do all the techie stuff. Furthermore, I don't have recovery discs - I was just planning to use the partition that was initially made by IBM to recover the console. Good idea or no?
Not a good idea. Depending on how pervasive the rootkits are, they could have corrupted the recovery partition as well. If this all seems beyond you, you should ask friends, family, and co-workers for recommendations of a good computer shop in your town and have them do it. Better to pay to have it done right than to make a mistake and have to do it all over again in 3 months.
Re: Getting rid of rootkits
Along Mudpuppy's thoughts, do you have a good friend or relative who's technically knowledgeable? IOW, get their guidance, or perhaps let them take a crack at it. It's up to you, depending on your level of trust to view personal info.
Re: Getting rid of rootkits
I inherited a computer like that.
Formatting the hard drive did not help.
Upgrading the OS did the trick.
The particularly nasty virus makes ten copies of itself and sets up a handshake with each copy.
If any copy, or the original virus, is destroyed and the remaining viruses do not find the handshake, it makes another copy of itself.
You need an expert or an OS install.
At six years, a computer, while still functioning, is antiquated.
Re: Getting rid of rootkits
Thanks for all the help. I had an IBM and just ended up doing a system restore. It was a pain to move everything over and then re-install win xp, but so far it is good. Keeping my fingers crossed!
Re: Getting rid of rootkits
My partner was using AVG and Malware Bytes. He got a rootkit. MS Security Essentials could not find the rootkit. He knew he had a rootkit because he's a former IT professional and he was unable to download any software or file or run any security software on his computer. He started working with a professional at Malware Bytes and the rootkit defeated all the common recommended stuff including TDSS Killer, Combo Fix, the Malware Bytes rootkit killer etc. It even went so far as erasing TDSS Killer from the DVD he was using to try and remove the rootkit. (He has no idea how he got the rootkit, does not visit porn sites, pirate stuff, use bit torrent, etc.) Apparently there are some rootkits like this in PDFs but he's been working on it for more than a week and has just given up since the longer he tries the harder it gets and now he cannot run any software. Looks like it is Rootkit Zero.
He's wiping and over-writing his hard drive according to Dept of Defense specs-- 3 passes- and starting from scratch. Is there anyone who doesn't think this is sufficient? (based on the fact that others have said to get a new hard drive).
Nonnie
This post may be monitored for quality assurance purposes.
Re: Getting rid of rootkits
I had Rootkit Zero on one of our laptops. As soon as my son clicked a link in Skype, he knew he was sunk. Shortly thereafter, his friend told him "don't click that link"! Too late. It would randomly send out Skype messages attempting to spread the Rootkit to others in his address book.
MS Security Essentials did not detect it and the Rootkit blocked scans. MalwareBytes found it and said it successfully removed it but it came right back after a reboot. I did not try TDSSK, deciding instead just to reinstall the OS from the recovery partition. That did the trick in this case. Nastiest virus I have ever encountered.
Re: Getting rid of rootkits
He doesn't Skype either and has no idea how he got it. We're networked, but so far I'm safe, but I'm scared. It appears to be Zero Access but since he doesn't know how he got it, I'm scared when he re-installs all his files from Dropbox he's somehow going to get reinfected again. He had the same experience w/ something Malware Bytes advised him to do-- it came right back. He was unable to do anything about it because it prevented him from running any exe files and the longer he had it, the nastier it got and that's why he gave up. Even though I don't know that much about computer software, it's quite fascinating to me to read exactly how the virus works. This is just one of the many sources of info:
http://nakedsecurity.sophos.com/zeroaccess/
This post may be monitored for quality assurance purposes.
Re: Getting rid of rootkits
nonnie wrote:
He's wiping and over-writing his hard drive according to Dept of Defense specs-- 3 passes- and starting from scratch. Is there anyone who doesn't think this is sufficient? (based on the fact that others have said to get a new hard drive). Nonnie
Hi Nonnie, you posted this question in another thread. Here's my answer:
I think your partner will be OK.
Although I haven't used this in a while, here's a good utility that does the Dept of Defense spec data wipe: Darik's Boot And Nuke. Perhaps your partner is using this already? Increasing the number of passes might help, but you probably don't need more than 10 times.
Re: Getting rid of rootkits
LadyGeek wrote:
Hi Nonnie, you posted this question in another thread. Here's my answer:
I think your partner will be OK.
Thanks, I could have sworn I edited my post in the other thread when I posted in this one -- I did just do it now. Maybe I didn't get Zero Access 'cause that's me these days-- Zero Access (to my memory)-- put in a new hip, take out an old brain, sigh..... I'm not sure I want to suggest 10 times--he's been working on this for more than 10 days and just finally gave up.
Sure would be nice to be able to figure out how he got it.
Nonnie
This post may be monitored for quality assurance purposes.
Re: Getting rid of rootkits
LadyGeek wrote:
Although I haven't used this in a while, here's a good utility that does the Dept of Defense spec data wipe: Darik's Boot And Nuke.
+1. DBAN is the gold standard because you burn it to a CD or DVD and boot from it instead of booting from your infected hard drive. As long as you don't execute any code from the infected drive, the virus can't cause any problems (assuming your bios isn't compromised, which is very rare).
Once you boot into DBAN, you can wipe the disk, which will erase everything including the partition table. These viruses can be persistent, but they don't have superhuman power. Their code needs to run to get control. As long as you don't run any code from the infected drive and boot from a DBAN CD or DVD, you will completely eliminate any traces of the virus and can rebuild the partition table, reformat, and start anew.
Jim
Last edited by magellan on Wed Jan 09, 2013 7:00 am, edited 3 times in total.
Re: Getting rid of rootkits
For god's sake don't re-install your OS. Re-imaging computers has really killed people's approach to fixing computer problems over the last 15 years.
Several people have pointed out tools that will help. There are lots of ways to go about this, including
http://www.maximumpc.com/article/howtos ... junk_files
and
http://www.maximumpc.com/article/featur ... easy_steps
and
Re: Getting rid of rootkits
Not to be smart, but if someone tells you this:
It even went so far as erasing TDSS Killer from the DVD
Find another source for information.
Re: Getting rid of rootkits
sdrone wrote:
Not to be smart, but if someone tells you this:
It even went so far as erasing TDSS Killer from the DVD
Find another source for information.
Likely the DVD was being read from within the affected OS, so I would suspect it didn't "erase" as much as "block access so completely the OS doesn't realize it exists". In other words, it was likely blocked from appearing on File Explorer and related tools, which to a novice eye makes it seem like the DVD has been "erased". That's why you should never attempt cleaning a rootkit from within the compromised OS. The rootkit controls too much. It has to be destroyed from outside the OS by booting off a CD, DVD, USB stick, etc.
Re: Getting rid of rootkits
One way to help keep your PCs clean is to set up a non-administrative user that you log on with most of the time, and only log in as administrator when updating and installing software. By doing this, these rootkits don't have the authority needed to get into your PC.
Even educators need education. And some can be hard headed to the point of needing time out.
Re: Getting rid of rootkits
I would assume your PC may still be monitored.
First I would change passwords from an uninfected computer.
Perhaps set up a phone password, so no one can call pretending to be you.
As stated earlier, you may be compromised, especially on your financial sites.
Re: Getting rid of rootkits
sdrone wrote:
Not to be smart, but if someone tells you this:
It even went so far as erasing TDSS Killer from the DVD
Find another source for information.
1) DVD was set up as a USB flash drive (this is after a gazillion times trying to run TDSS killer in other ways and on the advice of Malware Bytes)
2) It was not closed
3) TDSS Killer was copied to the DVD drive and renamed FOO.bin
4) Zero Access found the file and did erase it from the DVD
Are you a security professional and familiar with the Zero Access rootkit?
Please read this:
http://nakedsecurity.sophos.com/zeroaccess/
Nonnie
Last edited by nonnie on Wed Jan 09, 2013 11:07 pm, edited 1 time in total.
This post may be monitored for quality assurance purposes.
Re: Getting rid of rootkits
Mudpuppy wrote:
sdrone wrote:
Not to be smart, but if someone tells you this:
It even went so far as erasing TDSS Killer from the DVD
Find another source for information.
Likely the DVD was being read from within the affected OS, so I would suspect it didn't "erase" as much as "block access so completely the OS doesn't realize it exists". In other words, it was likely blocked from appearing on File Explorer and related tools, which to a novice eye makes it seem like the DVD has been "erased". That's why you should never attempt cleaning a rootkit from within the compromised OS. The rootkit controls too much. It has to be destroyed from outside the OS by booting off a CD, DVD, USB stick, etc.
This was from another uninfected computer and I wrote the procedure above.
How Zero Access works ---
http://nakedsecurity.sophos.com/zeroaccess/
Last edited by nonnie on Wed Jan 09, 2013 11:08 pm, edited 1 time in total.
This post may be monitored for quality assurance purposes.
Re: Getting rid of rootkits
sdrone wrote:
For god's sake don't re-install your OS. Re-imaging computers has really killed people's approach to fixing computer problems over the last 15 years.
Several people have pointed out tools that will help. There are lots of ways to go about this, including
http://www.maximumpc.com/article/howtos ... junk_files
and
http://www.maximumpc.com/article/featur ... easy_steps
and
SUPERAntiSpyware
Free, http://www.superantispyware.com
Malwarebytes Anti-Malware
Free, http://www.download.com
Combofix
Free, http://www.combofix.org/
Panda Activescan 2.0
Free, http://www.pandasecurity.com
Pocket Killbox
Free, http://www.bleepingcomputer.com
CCleaner
Free, http://www.ccleaner.com/
Comodo Registry Cleaner
Free, http://registry-cleaner.comodo.com
It defeated every one of those. Do you know how Zero Access works?
This post may be monitored for quality assurance purposes.
Re: Getting rid of rootkits
nonnie wrote:
Mudpuppy wrote:
sdrone wrote:
Not to be smart, but if someone tells you this:
It even went so far as erasing TDSS Killer from the DVD
Find another source for information.
Likely the DVD was being read from within the affected OS, so I would suspect it didn't "erase" as much as "block access so completely the OS doesn't realize it exists". In other words, it was likely blocked from appearing on File Explorer and related tools, which to a novice eye makes it seem like the DVD has been "erased". That's why you should never attempt cleaning a rootkit from within the compromised OS. The rootkit controls too much. It has to be destroyed from outside the OS by booting off a CD, DVD, USB stick, etc.
This was from another uninfected computer and I wrote the procedure above.
How Zero Access works ---
http://nakedsecurity.sophos.com/zeroaccess/
sdrone's point, and a very valid one at that, is that only a DVD+-RW disk can be erased. A commercial DVD or a DVD+-R cannot be erased because that type of media can only be written to once. This is called write-once, read-many (WORM) media. It doesn't matter if you mount the DVD as a USB stick. The fundamental nature of the media cannot be changed. If it is WORM media, it cannot be erased. But the rootkit can block you from accessing anything on the disk and make it seem like it has been "erased", when really the data is still on the disk but the rootkit will not allow you to access it. Even an entry-level IT tech should know this sort of information about how DVD media works. And if they do not, sdrone is correct in saying that one should probably question the rest of their advice.
And yes, I am a security professional. I even have a fancy Ph.D. on my wall to prove it. The ZeroAccess rootkit is only "nasty" because it does many of the things a rootkit could do to cover its tracks and block cleaning the OS. Theoretically, any rootkit could be that complex, just few opt to do so. There is nothing magical going on here from a security perspective. Once one knows they have a rootkit of this level, the standard course of action is to do a fresh reinstall, as attempts at cleaning will typically be futile.
Re: Getting rid of rootkits
Mudpuppy wrote:
Once one knows they have a rootkit of this level, the standard course of action is to do a fresh reinstall, as attempts at cleaning will typically be futile.
I've read lots of your posts over the years including computer advice, and even without knowing your credentials I do respect you. It appears this rootkit got on his computer in late December when my partner had a serious case of food poisoning which lasted more than 10 days and he wasn't particularly. As I understand it, the longer this rootkit is on the computer, the more it replicates and the more sophisticated it gets.
I have a different approach to problem solving-- I cast wide nets. I implored him to post here-- and not depend on one or two techs but since he was working with Malwarebytes and another security professional, he declined to do so and I didn't know much, if any, of the technical details. Most of the suggestions he used were from them and it was only at the end it was identified as Zero Access and he was trying anything and everything resigned to having to do a reinstall. (he's been retired for nearly a decade) (thanks sdrone for raising the CD RW issue-- I do understand that but I didn't understand using it as a USB drive, it was one of the dozen ways he tried to defeat the virus, certainly not the only one--he used 8-10 different pieces of software) He now regrets he waited so long to throw in the towel. (AND DOESN'T WANT TO DISCUSS IT ANY LONGER SINCE IT'S IMMATERIAL-- slight domestic tension here

1) Could you repost-- or PM-- what you do (I can't locate the post) when you have to do a reinstall-- what you keep and how you keep it?
2) Suggestions for security software and methods on my computer, and any comments on how that will affect me being on a network with his computer. He says he's going to install a stronger firewall, but I do note that in the end you say attempts at cleaning it would be futile. How can one avoid it in the first place? I've read it piggybacks on a Java install.
Thanks much to you and everyone,
Nonnie
This post may be monitored for quality assurance purposes.
Re: Getting rid of rootkits
I'm sort of surprised nobody has suggested simply ditching MS Windows. The news stories rarely mention it, but the vast majority of these PC viruses and root kits are written for MS Windows. Simply switching to another operating system can reduce your risk 95+%. Switching to either one of the Ubuntu[1] Linux flavors or Mac OSX will most likely provide that same functionality, at least for most home users, that you had with Windows XP without needing to run anti-virus bloatware[2].
As to the Ubuntu Linux option, it is free in cost and is so similar to Windows that most people - my 78 year old technophobic mother included - don't have much of a learning curve to get up to speed. It comes with most things you might need out-of-the-box - word processor, spreadsheets, WWW browser, e-mail client, etc. - and gets auto-updated on-the-fly. And yes, you'll still be able to open and work on common MS Office documents like .doc and .xls files as long as they don't have a bunch of specialized macros attached. If you do decide to try Ubuntu, I'd suggest the latest "Long-Term Support" (LTS; 12.4 is latest) release as Canonical Ltd. currently provides them with 5 years of support. The LTS releases are targeted at business users who generally don't want to do OS upgrades every 6 months.
One last note: if you do opt to stay with Windows I'd opt for a clean install to ensure you're really eliminating any infected system files.
Good luck,
Jeff (no connection to Canonical Ltd./Ubuntu)
[1] http://en.wikipedia.org/wiki/Ubuntu_(operating_system)
[2] http://en.wikipedia.org/wiki/Bloatware
Re: Getting rid of rootkits
Ditch MS Windows and install Linux on a new disk. (Some viruses are able to withstand a disk format and re-install.) Linux comes with firewall software, iptables, but I'm not sure it will help because you are probably behind a NAT anyway.
If you stay with MS Windows, install on a new disk, and install/run MS Security Essentials and Windows Defender.
- Epsilon Delta
Re: Getting rid of rootkits
Meta4 wrote:
    I'm sort of surprised nobody has suggested simply ditching MS Windows.

Wait a minute, are we talking about a root kit other than Windows?
Re: Getting rid of rootkits
I recommend avoiding starting an OS war (pick "Apple vs. Windows vs. Linux" is better than "Apple vs. Windows vs. Linux").
Re: Getting rid of rootkits
LadyGeek wrote:
    I recommend avoiding starting an OS war (pick "Apple vs. Windows vs. Linux" is better than "Apple vs. Windows vs. Linux").

How about an Android war?
I'm not up for Linux me-self since I've let a lot of my computer skills lapse but if I had the energy I'd prolly do it but since I'm spending less and less time on a Windows machine and more time on an Android tablet...
Says the infected one, "I DO NOT WANT TO DEAL w/LINUX and I DON'T want to keep going over and over this thing." I'm glad for the support here; guess I'll just stop reading it to him.
Nonnie
Well, I just found out how truly clueless and outdated I am-- Android is Linux.
This post may be monitored for quality assurance purposes.