Re: Rootkit???? Have tried everything...literally...

From: Phil Weldon (notdiscosed_at_example.com)
Date: 09/19/05


Date: Mon, 19 Sep 2005 20:20:52 GMT


'Chana C' wrote, in part:
| My machine has been compromised for three months now. This is what I have
| done to try and deal with it. (most of these actions were taken several
| times.....)
_____

If your time is worth anything:

    put in a known clean hard drive, making it the boot drive (put the
original drive on another channel and make sure the BIOS is set so that the
original drive cannot be the boot drive)

    install whatever operating system necessary to copy over data you wish
to save

    remove the original hard drive and apply a hammer.

Certainly there are ways to reclaim the original hard drive, but is it really
worth it, considering what you have already done to no apparent effect?
With 7200 rpm, 8 MByte buffer 80 GByte hard drives available for as little
as $40 US, the hammer track seems a small price to pay.

Now think back very carefully; in what environment have you been doing all
this wheel spinning? Secure physical access? Recordable, removable media
lying around? Wireless connections? Did you keep a methodical record of
your attempts at disinfection?
What you describe is more indicative of reinfection than persistent
infection. And your methods are more indicative of flailing around than a
systematic approach, especially irrelevant procedures like BIOS flashing.

Phil Weldon

"Chana C" <Chana C@discussions.microsoft.com> wrote in message
news:54FFA482-5993-4587-B606-1E360F188601@microsoft.com...
> My machine has been compromised for three months now. This is what I have
> done to try and deal with it. (most of these actions were taken several
> times.....)
>
> Flashed the BIOS and the embedded controller, overwritten the MBR with an
> Assembly program, zero-filled the hard drive, repartitioned and re-formatted
> the drive with multiple OSs (the compromise still exists). Norton is disabled
> by it - and Rootkit Revealer tells me the System credentials have embedded
> nulls. Norton is not running - although the icon still exists in the sys tray.
> Fresh installs from OEM disks are of no use - 5 GB of the hard drive is
> inaccessible and I strongly suspect that it contains files which are
> intercepting any fresh install and overwriting the files before I have a
> chance to access the machine. The compromise consists of consistently
> escalating privileges that eventually render me unable to use the machine.
> None of the Windows dlls are acknowledged as signed even after a "fresh
> install". It is acting heuristically and adapts regardless of the OS I use -
> including Linux...(it creates another "root" account and lets me think I'm
> root for a while..and then...). It also has retro virus behavior in that it
> is "fighting back" - it will leave me alone for a while, but as soon as I
> start making attempts to limit its behavior - it starts cutting me off from
> privileges....soon, I cannot even open a window. The WinObj space says that
> no one has the right to execute any security related programs....although
> they can be queried...A WinHex analysis of the hard drive says that I have up
> to 42 partition table headers (FAT, NTFS, GPT and EXT2) and 19 logical
> drives...all but four of them hidden...
>
> I will never put this machine back on the Net because it is completely
> untrustworthy...but, does anyone have any ideas before this becomes my
> research machine/paperweight. I think I've tried everything, including a
> clean WinPE environment install...but no luck...Ideas anybody?