Coffeehouse Post

View Thread: I've got a rootkit...
    blowdart wrote:

    Didn't you use to say you didn't run antivirus? *grin*

    So for a windows solution there's a connect beta right now of System Sweeper -

    Webplains doesn't seem to be using root kits though, from what I can see. Did you remove the system TDSSserve.sys hidden device first? And checked proxy settings once rebooted and scanned?

    Yes, I am put to shame. To make things even worse I had UAC disabled at the time.

    cbae wrote:

    This came up on Bing search. Wink

    BTW, how did you discover you had this malware?

    I started noticing Google search links were being hijacked. I ran my Live HTTP Headers extension for Firefox and it showed that HTTP 301 redirects were being inserted. At first I thought Wikipedia was hacked (as it only affected links to WP to begin with). Then it started happening to other links and in other browsers; I ruled out anything at my ISP and realised something was amiss locally.

    Process Explorer revealed that the Task Scheduler was launching rundll.exe with a program argument to a DLL called "dswaved.dll" under SysWow64. I quickly terminated it and extracted the file. The question remains how Task Scheduler was manipulated.

    evildictaitor wrote:

    That's very foolish of you.

    You should probably download something like AVG to do a scan of your system. If that doesn't work, you might want to consider formatting your machine and starting over.

    I'm running a Trend Micro house call right now, but I'm sceptical - rootkits usually can't be detected by AV software by their very nature.

    ManipUni wrote:

    Why waste time attempting to remove it? The Windows installation is suspect, it is beyond repair. 

    Buy a 2.5" HDD caddy, copy off all of the files you need, format it including destroying the MBR (if it has one) then use a USB Key to reinstall Windows and copy your files back across. 

    Even if you were able to remove the rootkit, you likely won't get all of the components or be able to determine if it added a reinfection vector (e.g. added malware CA, HOSTS corruption, new trusted sites, et al).    

    The more I learn the less willing I am to ever attempt to remove infections. "Reinstall Windows" is the call of both the guru and low-hanging technical fruit alike.

    You missed the part where I said the HDD was inaccessible.

    Nonetheless, Sony was meant to collect my laptop for repairs last week (hint: they didn't) so there's not much on it anyway.

    Kryptos wrote:

    I would agree with ManipUni's approach. You could run this: RootkitRevealer v1.71

    RootkitRevealer only works on 32-bit systems.

    ZippyV wrote:

    *snip* Doesn't work anymore because the rootkit writers would keep finding ways to circumvent it.

    What I'd like to know, W3bbo, is how you got it. You are probably up-to-date with your patches on Microsoft Update and don't run executable stuff from e-mail attachments, nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your PC to get infected? Are they up-to-date?

    The Date Created field on the DLL file I recovered was at 2011-11-05 01:22.

    I checked my browser history, I was browsing two websites at the time,, and a thread on - I'm going to assume Jeff Atwood's website is secure, but runs vBadvanced 3.1.0 which is an old version. A cursory Google search suggests that version of vBadvanced has a number of security vulnerabilities that may have been broken.

    Assuming that's the case, the vector was that broken website, and something in my browser, possibly Flash or Acrobat (though I am running the latest version of both of these programs). But the odd thing is that I run Flashblock in Firefox, so I'm stuck for ideas.

    davewill wrote:

    @W3bbo: A simple Google toolbar infection combined with some entries in the HOSTS file could exhibit the behavior as well. It may not be a rootkit. Then again, if it is a rootkit you need to blow that partition away and recreate it. If you don't take the approach to just reinstall Windows, then you will spend more time analyzing and trying to clean, and then more time still wondering and watching if it was actually clean.

    Even if the infection is not a rootkit, what is to say that the infection has not put in enough hooks to always have a backdoor in place no matter how many different virus cleaners you run on it? Whack-a-mole style.

    Save your data files and blow that partition away.

    I presume you have other machines with which you can download the Win7 ISO and use the Windows 7 USB/DVD Download Tool ( ) to reinstall.

    There is also the option to do an in-place upgrade of Windows 7 to see if that might work. Although I don't know how it would distinguish a viral hook from any other legitimate hook.

    In conclusion ... Blow it away and reinstall!

    Looks like I'll be taking that path.
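    An added triage example, not code from the thread or from any poster, covering the two indicators discussed above: the Task Scheduler task that W3bbo saw in Process Explorer launching rundll32 with a DLL under SysWow64, and the HOSTS-file corruption that ManipUni and davewill name as a reinfection/hijack vector. Both inputs are constructed samples; the `schtasks /query /fo CSV /v` column subset and the task/DLL names are assumptions for illustration.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output
# (column subset assumed; not an export from anyone's machine).
SCHTASKS_CSV = """\
"HostName","TaskName","Status","Author","Task To Run"
"LAPTOP","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c"
"LAPTOP","\\SysUpdate","Ready","LAPTOP\\user","rundll32.exe C:\\Windows\\SysWOW64\\dswaved.dll,Start"
"""
# Constructed sample HOSTS file with two hijack-style entries.
HOSTS_TEXT = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
192.0.2.10      update.microsoft.com   # 192.0.2.0/24 is documentation space
"""
# Matches "rundll32[.exe] <path>.dll" (optionally quoted) and captures the DLL path.
RUNDLL = re.compile(r'rundll(?:32)?(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Search/update domains that a normal workstation never pins in HOSTS.
WATCH_DOMAINS = ("google.", "bing.", "microsoft.com", "windowsupdate.com")

def rundll32_tasks(csv_text):
    """Return (task name, author, DLL path) for every scheduled task whose action
    is rundll32 loading a DLL; each DLL is then a candidate to hash and sign-check."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = RUNDLL.search(row["Task To Run"])
        if m:
            hits.append((row["TaskName"], row["Author"], m.group("dll")))
    return hits

def pinned_watch_domains(hosts_text):
    """Return (ip, hostname) HOSTS entries that pin a watched domain to an address,
    the 'HOSTS corruption' reinfection vector mentioned in the thread."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        hits += [(ip, n) for n in names if any(w in n.lower() for w in WATCH_DOMAINS)]
    return hits

if __name__ == "__main__":
    for hit in rundll32_tasks(SCHTASKS_CSV):
        print("rundll32 task:", hit)
    for hit in pinned_watch_domains(HOSTS_TEXT):
        print("HOSTS pin:", hit)
```

On a live system, feed the functions the real `schtasks` CSV export and `%SystemRoot%\System32\drivers\etc\hosts`; a task or HOSTS entry being reported is a lead to verify (signature, hash, author), not proof of infection on its own.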

    evildictaitor wrote:

    The #1 way of getting infected is not being exploited, but running an exe written directly by the malware author. These tend to be either:
    a) Quick download my smileys!
    b) Run this program to get rid of malware!
    c) Run me because I am *popular game* / crack for a *popular game*! 
    d) Click me to install codecs to watch *popular movie* / porn
    e) Install this toolbar to use *popular application*
    f) Install this toolbar to use *seemingly popular website*
    g) Friend sends "Run this program it's amazing" which then installs malware and sends "Run this program it's amazing" to all of your friends. 

    Only after all of these do drive-by infections kick in as methods of infecting computers, and again malware authors are lazy and tend to use easy-to-exploit bugs or bugs whose PoCs are easy to turn around, which in practice means you need to be quite out of date for drive-by downloads to work.

    I can assure you, I haven't been running any programs like that. This appears to be an example of the worst kind of drive-by download you can get: unauthorised remote code execution.

    ManipUni wrote:

    Don't forget the secret option:

    h) Someone breaks into a trusted software vendor and injects it into your favourite desktop application. 

    In theory if they signed their releases it wouldn't be an issue, but very few Open Source Windows application installers do (e.g. Filezilla, GAIM, [The] GIMP, et al).   

    Now you've got me scared. I recently downloaded and installed the ffmpeg binaries from, but that was hours before any problems started appearing.

    RoyalSchrubber wrote:

    Format the Windows partition and delete all executables on all other partitions on internal and external storage devices that had write access.

    Last time a roommate of mine reported his computer behaving oddly and, after checking and finding malware, I recommended reinstalling Windows. I forgot to mention he shouldn't reinstall his applications from backed-up installer executables, and so he promptly reinfected his fresh Windows again. Bah. He gave up and ran his computer infected; obviously I avoided any software that he tried to give me on USB keys like the plague.

    Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties is safe; there are enough scary stories on the internet about compromised upstreams. This paragraph will self-destruct in a few hours.

    Good point: why would any potential customer or client of mine want to trust someone who lets his own laptop get infected?

    Fortunately "W3bbo" isn't associated with my "real-life" business identity Smiley

    Bass wrote:

    How did you discover this? From your router?

    See above: after I noticed search results being hijacked.

    Oddly enough, searching for "" in Google gave me an immediate 301 redirect to - the evidence suggests that that redirect was caused by the malware - perhaps the author was under duress when he wrote it? (In any event, that Microsoft support article didn't help.)