Author Topic: [Resolved] Rootkit: System & Browser Crash and Phishing Calls to Contact List  (Read 10743 times)


Offline Brewer

  • Bronze Member
  • Posts: 30
Hi again.

Thanks for continuing to dig into this.  I just want to let you know that, given the unavailability of 64-bit removal tools yet,  I'm up for a clean re-install if that seems to be the best method of guaranteeing a clean system.  I use this machine for financial transactions and it's very important that I can feel sure that it's not compromised.  I have the system restore discs that I made first thing when the system was bought new in 10/09.  I also have good backups of my personal data.  If another set of eyes doesn't spot anything (and if the antimalware programs keep crashing and failing a full system scan), what do you think about going this route?

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 8037
Hi,

It is Fathers' Day and my family has kidnapped me, leaving me no time for today to work on malware.  I'll be back tomorrow.  Sorry.
Don't Read?  Can't learn!

Offline Brewer

  • Bronze Member
  • Posts: 30
Hey, no problem.  After all, you are volunteering your free time to do this.

Happy Father's Day (and thanks for the reminder to call my Dad!).


Offline Brewer

  • Bronze Member
  • Posts: 30
Just want to let you know that I'm being sent out of town for the rest of the week.  I think I'm going to do a re-install when I come back.   What you and the others do on this site is simply great, using your skills to help those of us who can't get tech support or can't afford it.   Unfortunately I can't wait too much longer as I need this machine.  If you have come up with something before the end of the week, please post, as I will look at it on Saturday before I do anything else.

Thanks!

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 8037
Hi,

This has been an interesting week, and I will not be able to respond to you until tomorrow.  Sorry.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25696
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Brewer, PCB has had life run over him. Until he gets it back under control, I can continue helping you if you still need it.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline Brewer

  • Bronze Member
  • Posts: 30
Hoov,  Thanks for offering to step in.  I'm sorry to hear about PCB.  I figured something like that had happened.  Best wishes to him.  And, thanks again to him for his time and help.  It was a great comfort to me as I thought my bank accounts were in jeopardy and I've got no other tech support available.

As for this issue, it seemed to me like what we were running up against was a lack of 64-bit versions of the tools you rely on for removing malware (this is a 64-bit system).  Given that, and the time constraints I was under, I decided to do a clean "re-install", for my own peace of mind. 

For the benefit of others out there, I'll summarize my experience.  I used the Win 7 system restore function to restore to the "out of box" state that the machine came with.  Luckily I had a good backup of my data.  Realize that if you go this route you will lose ALL DATA on your machine that is not backed up elsewhere.  Also make a list of all third-party software that you would like to re-install.

It went smoothly and takes several hours just for Windows to reinstall itself.  Note that the system reboots itself about 12 times.  I would have panicked if I hadn't been told to expect this because it looks like it's caught in an endless loop.  Re-installing and setting up your downloaded programs takes a long time too, another three or four hours in my case.  In the end, it went well and I am confident I have a clean machine again (for now anyway).

I decided to partition my drive and separate my personal data on its own partition (there's lots of help on how to do this on the web).  If you go this route, decide the space you'll need before you re-install so the partitions can be set up when re-installing.  There is some extra fiddling with this to get your programs to point to your new data partition.  All in all it went well, but I wouldn't want to have to do this again soon.

Thanks again to all of you guys for using your talents to help people victimized by "lifeforms of lower consciousness" (scumballs).   It's a great thing you're doing!

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25696
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Apologies. I am using a wireless internet connection for my access, and the main tower my connection is thru took a lightning strike. I just got back online at 11AM EST on 7-19-2010. I am in the process of catching up. I should have something for you in no more than 6 hours, unless my connection drops off again.

It sounds as if all is well. Do you need any help with your system or setting up security for it?

Repartitioning the hard drive into 2 sections is a good thing. I have been doing it since I lost everything when Windows 95 crashed once and I had no backups. The real trick in doing this is to make sure all your programs point to the second partition for the data. I have moved all my e-mail folders to the second drive, and the profile files for all the browsers that I use to the second partition. Then about once a month I get a good image of my C: drive, if I have installed any software or major updates. If not, then I don't worry about it. I also have my D: drive set to incrementally back up.


Offline Brewer

  • Bronze Member
  • Posts: 30
The re-install and set-up of a partitioned drive was a success.  The only questions I have are:  If circumstances had permitted you guys to keep working on this, could you have completely removed the rootkit on this 64-bit system?  Is it still true that the 64-bit versions of the removal tools are not yet available?  Also, it would be good to know how it got infected in the first place, as I had anti-spy and anti-virus protection in place.  I am hoping it was through now patched vulnerabilities in Adobe Flash or Reader, or Windows.  It would be good to know.  Any clues?

Other than these questions, you can mark this thread as not needing further technical support.  Thanks again.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25696
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
As to could we have removed it, honestly I have no idea. It would have depended on how far the thing had dug itself in. It is true that the 64 bit tools are limited, but removal is still possible.

As for how you got it, you know better than I would; you just have to think back. Did you open an e-mail that you should have deleted? Open a website that you should have known not to? Download a program that you knew had been hacked or cracked? If you think back, chances are there is something that you did about the time the problem started that would make you embarrassed to admit in hindsight. It could have been something as innocent as turning off your firewall so that you could send an IM, or allowing some connection that you should not have.  Do you still have UAC turned on?

Below is the standard speech I give to users when we get their systems cleaned.  I think everything is applicable to both 32- and 64-bit systems.  Also, if you go to this thread, http://spywarehammer.com/simplemachinesforum/index.php?topic=2333.0 , we have a list of software that you can use, and I believe that there is an indication on most of it whether it will run on a 64-bit OS.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go thru the Internet Options in the Windows Control Panel. There are several programs that also do the job better than Windows does it, in my opinion. There is System Security Suite, EasyCleaner, CCleaner. Also, sometimes other programs do it as well as the one you originally got it for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall). There are some good basic instructions for that here.

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox.
It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program. Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, AdAware, and Malwarebytes' Anti-Malware.

Always use a firewall. Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.

Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.

Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.

MOST IMPORTANT: Windows and IE, and whatever other software that you have that connects to the net, needs to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with the Rogue/Suspect Spyware List and Rogue Applications List. That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior.

We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

Let us know if you have any more problems, either new or old.
Have a good time surfing the net, but stay safe.
If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.
