I think if you google around, you’ll find a lot of information about unhackme.
How good is unhackme (free trial)? It was specially designed to find rootkits like the FU rootkit etc., wasn’t it? Link: http://www.greatis.com/unhackme/ Please comment?
polonus
I wish somebody would:
http://forum.avast.com/index.php?topic=14816.0
I tested it on my computer, but I can only say it didn’t find anything. A google search brings up a lot of download sites but no tests or reviews.
And back again!
Has nobody found an answer to FU yet?
Is the only solution to flatten and reinstall?
Is it possible to disable the rootkit driver somehow?
I have some great technical advice: STAY OFF PORN SITES! ;D
I mean my God, where else on earth could you possibly pick up such a malicious virus? ??? Oh, and one more thing, always surf the net with Firefox or Opera and never IE. Now tell me that ain’t great technical advice?
Porn sites are not the only source of infection.
They often seem to be the source because once any spyware gets its foot in your door, it tends to invite in all its friends, and sooner or later you end up with porn links on your desktop.
There’s a lot of money in advertising: an adware program may be intended to show you adverts for decent products, but then the creators of that program can bundle more spyware along with it and make money by doing so, and then these programs make money bundling other products, and all the time the spyware and adverts get more evil and sleazy.
Porn links and pop-ups are sometimes the symptom of a venal enterprise, the lowest common denominator, the last link in a chain of infection that may start with something entirely innocent.
where else could you pick up such an infection?
- opening email attachments
- clicking on links in spam emails
- instant messaging file transfers
- downloading from peer-to-peer networks
- downloading program cracks
- downloading phoney anti-spyware or internet cleanup products
- even connecting to the net without a firewall or up-to-date OS and browser
Actually even malicious web sites are not particularly dangerous if your OS and browser are up-to-date: most rely on ancient exploits like the MS Virtual Machine ByteVerify, which was patched years ago, or security weaknesses in older versions of IE. Just don’t fall for the social engineering of notices which say ‘you have spyware, download this program’ or ‘download this program to clean your internet tracks’, or ‘you need this plug-in to proceed’.
The really big dangers today are:
- having no firewall
- not updating your OS
- no virus and spam filtering by ISPs
Anybody with no firewall and an OS which is out of date is going to get infected even connecting to the internet.
Anybody who doesn’t have good spam and virus filtering provided by their ISP is going to have to be very careful about attachments arriving in their inbox, because these are likely to contain a new worm or virus, and if it’s one that uses a rootkit, you’re very likely to not even see it, and if you see it, it may be impossible to remove like for so many people who’ve had a FU rootkit infection.
And don’t rely on an anti-virus program to catch viruses in email attachments, because even the best will not catch a new one for a few hours or even days.
A good rule is, only open email attachments if you know what it is, who sent it, and you have confirmation from them that they really did send it.
Don’t be one of the people starting a thread here saying ‘I have a virus and it keeps coming back’ because you have been warned. If you get a FU rootkit infection then you are FU**ED. Avoid it in the first place!
Hi FreewheelinFrank,
Interesting background information can be found here:
http://www.f-secure.com/weblog/archives/archive-052005.html#00000559. The FU rootkit can be prevented though; using a program like ProcessGuard prevents it.
greets,
polonus
I don’t know whether this is of any help to you Freewheeling Frank, ( and welcome back friend!) but these FU rootkits are being discussed at DSL reports or Broadband reports.
From their search I found 4 pages of hits. Here’s the link to the search:
http://www.dslreports.com/nsearch?q=FU+rootkit+&cat=remark
Hope this might help. Good luck…
Hi FreewheelinFrank,
Hope I didn’t offend you. I was joking about the porn site thing but if all else fails in removing the rootkit, will a fresh install of Windows help? This usually wipes out the C: Drive and a fresh install starts you off new again. Perhaps you have already thought of this and I assume you don’t want to do this or maybe this might not work but I can’t see how. ???
No, I’m not offended. I just wanted to make clear that porn links and pop-ups appearing on a computer may actually arrive via an innocent looking site or download.
Ben Edelman has an interesting video on his site showing how they can arrive after downloading a music video clip, something your kids might do innocently.
So it may seem that porn sites are the source of all infection, if every infected computer is infested with porn pop-ups and links, but it’s important to point out what the real dangers are.
I’m happy to say I don’t have a problem with this rootkit myself. Following the advice in my previous posting, I have never had a virus, worm or Trojan infection.
I started this thread to comment on all the people who were coming to the forum saying ‘I have a virus and it keeps coming back.’ In many cases this seems to be because they have a rootkit on their system which anti-virus programs will detect but not clean.
Yes, a reinstall will remove it, but it’s far better to prevent infection in the first place, especially as other more sophisticated rootkit infections may not be detected at all. Anybody not aware of the risks and preventative measures may end up with a malware infection which anti-virus programs cannot even detect, let alone remove.
Malware writers seem to be one step ahead in the arms race with anti-virus developers at the moment, and this thread is intended as a warning.
Have a look at the problems people have had with a rootkit infection and follow the advice in this thread and others in the forum to avoid infection in the first place.
PS, thanks for the interesting link, Kakapo!
Good news! Microsoft are tackling this problem!
Rootkit Detection Coming to Windows AntiSpyware
Maybe avast should develop some sort of rootkit detector.
Rootkit shield
Hi DukeNukem,
A very interesting read can be found here:
http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt Read it; you will find function hooking for logon password sniffing, e.g. redirecting msgina.dll!WlxLoggedOutSAS() to a hidden rootkit function, which logs the passwords to be sent to the intruder (using CC). The goals of these rootkits are: to hide the intruder’s processes, to hide the registry keys that enable start-up of the intruder’s tools after a system reboot, and to hide some files of the intruding tools. It can be helpful to debug the MS kernel with the MS Kernel Debugger, to be downloaded from www.microsoft.com, so one can debug user-mode processes by starting the system in debug mode (this requires a reboot), or to use the livekd tool from sysinternals.com (does not need a reboot).
Classic API hooking with rootkit code is hooking NtReadVirtualMem to cheat the debugger when it reads process memory; some of this happens with the pmdump.exe tool too. Kernel memory in read-only mode seems a safe choice. Source of info: P. Rutkowska, Warszawa. From these lines one thing can be observed: rootkits versus AV detection is ongoing warfare, and we are out in the trenches. Adding debugging functionality to AV start-up scanning and memory signature scans is to be advised imho. Only now are AV products slowly showing signs of reacting.
greets,
polonus
msdirectx.sys has been tackled with a manual fix. Signs of infection in a HJT log are below; they may or may not be present, as may detection of msdirectx.sys by AV.
F2 - REG:system.ini: Shell=Explorer.exe randomnamed.exe
The fix:
*Click here to download Killbox by Option^Explicit.
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\System32\randomnamed.exe << get the filename from the HJT log
C:\WINDOWS\System32\msdirectx.sys
*Return to Killbox, go to the File menu, and choose “Paste from Clipboard”.
*Click the red-and-white “Delete File” button. Click “Yes” at the Delete on Reboot prompt. Click “No” at the Pending Operations prompt.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:
F2 - REG:system.ini: Shell=Explorer.exe random.exe
Boot back to normal and copy the following lines into Notepad. Save it as unlegacy.reg (set filetype to “All Files”)
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]
Double-click the file you made and confirm you want to merge it with the registry.
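The fix above is manual: read the HijackThis F2 line, note the extra executable next to Explorer.exe, and hand-write a .reg file that deletes the LEGACY_MSDIRECTX and msdirectx keys. The following Python script is an added example (not the poster's tool, and not part of HijackThis or Killbox) that automates the checking side of that: it flags any extra executable in a system.ini Shell= line of an HJT-style log, finds the indicator keys in a registry export, and builds the same REGEDIT4 removal file from a service name. The sample log and registry export are constructed for the example; the helper names are the example's own.

```python
"""Defender-side helpers for the msdirectx.sys indicators described in the thread.

Added example, not code from the thread or from any of the tools it names.
The sample inputs below are constructed, not real captures."""
import re

# Constructed HijackThis-style log lines.  Only the second Shell= line is suspicious.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe randomnamed.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe
"""

# Constructed excerpt of a registry export (what `reg export HKLM\SYSTEM` writes).
SAMPLE_REG_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_MSDIRECTX]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\msdirectx]
"Type"=dword:00000001
"Start"=dword:00000001
"""

SHELL_LINE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$", re.IGNORECASE)


def extra_shell_executables(hjt_log: str) -> list:
    """Return every executable launched from the Shell= value other than Explorer.exe.

    A clean machine has exactly 'Explorer.exe'; anything after it is a persistence hook."""
    found = []
    for line in hjt_log.splitlines():
        m = SHELL_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group("value").split()
        found.extend(p for p in parts if p.lower() != "explorer.exe")
    return found


# Key suffixes from the thread's unlegacy.reg, compared case-insensitively.
SUSPECT_KEY_SUFFIXES = ("\\enum\\root\\legacy_msdirectx", "\\services\\msdirectx")


def msdirectx_keys(reg_export: str) -> list:
    """Return the key paths in a .reg export that match the thread's indicators."""
    hits = []
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if any(key.lower().endswith(s) for s in SUSPECT_KEY_SUFFIXES):
                hits.append(key)
    return hits


def removal_reg_file(service_name: str,
                     control_sets=("CurrentControlSet", "ControlSet001")) -> str:
    """Build a REGEDIT4 file deleting Enum\\Root\\LEGACY_<NAME> in each control set
    and Services\\<name> in the last one, mirroring the unlegacy.reg template above.
    In .reg syntax a leading hyphen inside the brackets deletes the key."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", service_name):
        raise ValueError("service name must be a plain identifier")
    lines = ["REGEDIT4", ""]
    for cs in control_sets:
        lines.append(f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Enum\\Root\\LEGACY_{service_name.upper()}]")
    lines.append(f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\{control_sets[-1]}\\Services\\{service_name}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("Extra Shell= executables:", extra_shell_executables(SAMPLE_HJT_LOG))
    print("Indicator keys present:", msdirectx_keys(SAMPLE_REG_EXPORT))
    print(removal_reg_file("msdirectx"))
```

Run it as-is to see the constructed samples flagged; on a real machine you would feed it a saved HijackThis log and the output of `reg export HKLM\SYSTEM` instead. The generated file is only as good as the service name you pass, so confirm the name against the registry before merging anything.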
Back again:
Back again!
Back again:
If Killbox can delete this fellow at reboot, why can’t avast? ??? :-\
http://forum.avast.com/index.php?topic=14618.msg142666#msg142666
Back again!
http://forum.avast.com/index.php?topic=17747.from1133389209;topicseen#msg151226
These so-called pseudo-rootkits don’t seem impossible to deal with by cleaning out the registry entries that run them:
http://forum.avast.com/index.php?topic=16788.msg142663#msg142663
Why can’t avast! scan the registry for rootkit entries before a boot time scan?
Hello FwF,
I have asked for info about such a tool in the general forum. A tool that alerts to every change in files and application attributes, and all changes in the registry. A bit like ISpy etc., but this tool I did not trust, because you could create an application like User to All Users etc., kill threads, but also double program start-ups, and when that can be done remotely, you have the same double-edged sword situation. What do you have in mind? The truth is that monitoring programs like SSM etc. can keep you out of a lot of trouble here. For the moment prevention is the best policy IMO. We have seen for instance recently a lot of installations of ad- & spyware via Firefox pop-ups, that users misinterpret as genuine MS ones. I think the precaution of not having the possibility to contact the malware sources, through block list programs, is good. The recent Israeli thought about an AV-immunization network is as yet impracticable and vulnerable, but we will see other solutions than running behind the facts in the foreseeable future.
greets,
polonus
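Polonus asks above for a tool that alerts on every change to files. The simplest form of that is a file-integrity baseline: hash everything once, hash again later, and report what appeared, disappeared or changed. The Python below is an added example of that idea, not a tool from the thread or from any product it mentions; the directory it builds in demo() is constructed in a temporary folder to imitate a System32 where a new driver file shows up and an existing binary is altered.

```python
"""File-integrity baseline and diff.

Added example for the 'alert on every file change' idea; not a thread poster's tool.
demo() builds a constructed directory tree in a temp folder so it runs anywhere."""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), _sha256(full))
    return snap


def diff_snapshots(old: dict, new: dict) -> dict:
    """Return added, removed and modified paths between two snapshots, each sorted."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then drop in a driver file and
    append bytes to an existing binary, and report the difference."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "System32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "explorer.exe"), "wb") as f:
            f.write(b"MZ constructed stand-in for explorer.exe")
        with open(os.path.join(sysdir, "kernel32.dll"), "wb") as f:
            f.write(b"MZ constructed stand-in for kernel32.dll")
        before = snapshot(root)

        # Simulated changes: a new driver file (named after the one in the thread)
        # and a patched existing binary.  Both contents are constructed.
        with open(os.path.join(sysdir, "msdirectx.sys"), "wb") as f:
            f.write(b"MZ constructed driver image")
        with open(os.path.join(sysdir, "explorer.exe"), "ab") as f:
            f.write(b" + appended bytes")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A baseline like this only helps if it is taken on a known-clean system and stored somewhere the machine being watched cannot rewrite (removable media, another host). It also only sees what the file system reports, which is exactly what a kernel rootkit tampers with; that is why the thread's advice to scan from Safe Mode or a boot-time scan, where the hooks are not loaded, still applies.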