
rootkit removal never certain?

CArceneau (Technical User, US) - Feb 13, 2010
I'm infected with rootkit.gen (specifically: swerftx.sys, unique code IQ1LCWD7) at LBA sector 0 of my MBR. It's a "highly severe" Trojan which can enable a remote computer to take over my computer, among other things. Webroot Security Essentials (incorporating Spy Sweeper) is unable to remove this Trojan, so I assume that most other such programs are also unable to do so. I don't want to pay a Webroot consultant $100 to remove it for me, so I'd like to remove it myself.

However, I'm now reading the following online at the University of Minnesota's Safe Computing website (see
Rootkits are a special kind of malware that are specifically designed to hide the activities of other viruses and worms, and compromise the operating system so that it may not be repaired. If your machine is infected with a rootkit, you will very likely not be able to regain complete control of the system. Reinstallation is highly recommended.

However, there are exceptional cases when you absolutely need to attempt to repair the system. Although no tool can guarantee results for rootkit identification and removal, there is at least one program which has shown limited success from time to time in this area. It's called UnHackMe.

It goes on to say:

Remember that in computer security there's no such thing as a silver bullet, and that you can't be certain which files were compromised by the viruses, worms and trojans on your machine. If you've been infected, you could still have "backdoors" riddled throughout your computer's operating system, and you should think very hard about reinstalling your operating system, and starting over from scratch.

Does anyone know if you can never really be certain if you've succeeded in completely removing a rootkit? I'll reinstall the system and all my software if I really have to.
 
I suppose it would be possible to make really sure. But it sure wouldn't be easy. I'd imagine, at the least, it would require you to take the hard drive out of the infected system, connect to a known clean system, and browse through every single file, including the MBR partition. You might have to use a Linux distro or something other than Windows to properly view the MBR.

Long story short - if it's POSSIBLE to redo your system in a situation like this, then by all means, don't even think about it - just wipe the system, and start again.

To be absolutely certain (especially if something has infected the MBR) that you get rid of the infection, I'd highly suggest first formatting the hard drive with one of the following:
1. DBAN - Darik's Boot 'n' Nuke
or
2. Active Killdisk

If the hard drive is a SATA hard drive, you might want to just go straight to Active KillDisk. If it's an IDE drive, then you'll be safe with DBAN. Even if you do go with DBAN on the SATA drives, the worst thing that'll happen is it won't be able to find your hard drive - and this isn't always the case, just sometimes. Before I had this occur, myself, the only thing I used at all was DBAN.

You basically run one of those applications from a bootable ISO, or from another OS/bootable ISO that has those included. For instance, UltimateBootCD has both programs, as well as others, included in their ISO file.

Then once you reinstall, make sure you've got as much protection as possible. If this is a business, I'm assuming you already know what that is - or at least a large business.

If it's a small business or home computer, then these are my bottom-line suggestions:
1. Firewalled Router - any router on the market today basically has this. Just make sure it says "router" on the box.
2. Good Antivirus App - I personally prefer Avira Antivir currently. Or a good alternative, if you want to spend the money, is Nod32. I've not used Nod, but read great things about it.
3. Good firewall - Tall Emu Online Armor (32 bit only - currently) or Comodo Internet Security
4. At least one malware scanner and/or protection program. A few are: Malwarebytes Antimalware, SuperAntispyware, Windows Defender (installed by default on Vista and 7), SpywareBlaster.

And of course, it wouldn't hurt to run some sort of cleanup program. I personally like these 3: Advanced System Care, Glary Utilities, and CCleaner. I've not had a serious problem out of any of the 3. I've only seen a minor issue on one computer on one rare occasion with CCleaner, but I'm fairly confident (based on the situation), that it was the way the affected application was installed - old game, default options - seems I remember it stored important app running files in a temp folder, which makes absolutely no sense - during install, sure? But for day-to-day running of an app, no.

--

"If to err is human, then I must be some kind of human!" -Me
 
If you want to run MalwareByte's Anti-Malware, GMER, RootRepeal and maybe ComboFix and they all come back clean - I wouldn't fret.

Wiping is an extreme step unless you have a super simple installation and/or time on your hands.
 
attention, kjv1611:

I've got a firewalled router (NetGear WGR614v6). Webroot Security Essentials is my anti-virus app, personal firewall, malware scanner / protection program and cleanup program.

As far as your suggestion concerning DBAN and/or Active Killdisk:

I understand that you need to wipe a disk many times to be sure to leave no trace of what was on it. But it was my understanding that NOTHING could live through a reformat. Is this incorrect? Do I really need to reformat as you suggest?
 
Well, both DBAN and KillDisk flat out destroy everything on the disk. Technically, with the way those work, you probably would be fine after 1 full pass, maybe even just say 1/3 or 1/2 of a full pass. Windows Format may not cover it, b/c it does not fully destroy the MBR typically, as the other tools do. So, if you're in a hurry, you'd probably be fine running one of the aforementioned, letting it run for at least 1/3 of the time, reboot, let Windows install format, and go from there.

As far as the rest, NetGear sounds good, I don't really have a lot of experience personally with Webroot products. It seems though from what I've seen that they used to be much better than they currently are. But if you want to be sure, try checking some valid online reviews. One good one to look at is
--

"If to err is human, then I must be some kind of human!" -Me
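The point made above, that a Windows format rewrites the volume but typically leaves sector 0 alone while DBAN and KillDisk overwrite the whole disk, is easiest to see by looking at sector 0 directly. The following is an added example and not code from anyone in this thread: a small Python checker that parses a 512-byte MBR image, lists its partition entries, and compares the bootstrap code area (the first 440 bytes, which is where a sector-0 infection like the one described by the original poster has to live) against a SHA-256 baseline recorded when the machine was known clean. The disk images, the baseline hash and the "patched" variant are all constructed inside the script; on a real machine the sector would be read from a known-clean boot environment such as a Linux live CD, as suggested earlier in the thread, never from the suspect OS itself.

```python
"""MBR sector integrity check (added example, not from the Tek-Tips thread).

Reads one 512-byte sector, parses the four primary partition entries and
compares the bootstrap code area against a known-good SHA-256 baseline.
All sector contents below are constructed in-line; nothing touches a real disk.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # bytes 0..439: boot code (before disk signature/table)
PART_TABLE_OFFSET = 446       # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
# Entry layout: status, CHS start (3, skipped), type, CHS end (3, skipped), LBA start, count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(sector: bytes) -> List[Dict]:
    """Return the non-empty primary partition entries of an MBR sector."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:  # type 0x00 marks an unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the boot code area only (partition table changes legitimately)."""
    return hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: Optional[str]) -> Dict:
    """Classify sector 0 as wiped, no-signature, unknown-baseline, clean or bootstrap-modified."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector == b"\x00" * SECTOR_SIZE:
        # What a zero pass from a whole-disk wipe tool leaves behind.
        return {"verdict": "wiped", "partitions": []}
    if sector[510:512] != BOOT_SIGNATURE:
        return {"verdict": "no-signature", "partitions": []}
    digest = bootstrap_hash(sector)
    if baseline_hash is None:
        verdict = "unknown-baseline"
    elif digest == baseline_hash:
        verdict = "clean"
    else:
        verdict = "bootstrap-modified"
    return {"verdict": verdict, "bootstrap_sha256": digest,
            "partitions": parse_partition_table(sector)}


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    # Entry 0: bootable (0x80), type 0x07 (NTFS), LBA 2048, 204800 sectors (constructed values)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for real boot code: a short jump followed by NOP padding.
CLEAN_BOOTSTRAP = b"\xEB\x3C\x90" + b"\x90" * (BOOTSTRAP_LEN - 3)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTSTRAP)
BASELINE = bootstrap_hash(CLEAN_MBR)  # recorded while the machine was known clean

# Constructed "infected" variant: the first jump is redirected, partition table untouched.
# A filesystem format rewrites the volume, not this sector, so it would still look like this.
PATCHED_MBR = build_sample_mbr(b"\xE9\x00\x01" + CLEAN_BOOTSTRAP[3:])
# Sector 0 after a whole-disk wipe tool's zero pass.
WIPED_MBR = b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR), ("wiped", WIPED_MBR)):
        result = check_mbr(sec, BASELINE)
        print(f"{name:8s} -> {result['verdict']}  partitions={result['partitions']}")
```

To use it on a real drive, boot a Linux live CD, copy sector 0 with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` (adjust the device name), and call `check_mbr(open("mbr.bin", "rb").read(), baseline)` with a baseline you stored before the machine was suspect. Without a baseline the checker can only tell you whether a boot signature and partition table are present, which is why the script hashes only the 440-byte code area: the partition table changes legitimately when disks are repartitioned, the boot code should not.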
 
If you need guaranteed results -- "wipe and reload" is the only acceptable guaranteed answer. Anything else entails a greater amount of risk.

I have yet to find a tool that will allow me to verifiably repair an MBR infection -- and I want one very badly.

Frankly, I'm a little skeptical that a Webroot tech can fix this by remote -- but if anyone can, it would be a tech with the kind of specialized ("expensive") tools and resources that us independents do not have access to.

In order to have a high degree in confidence regarding cleaning of something as deep-level as a rootkit, you need a high degree of confidence in your expertise. If you lack that expertise, you have a greater risk than someone who cleans these infections on a regular basis.

For a tech with lots of experience, this risk is acceptable -- but we have more than just "methods" at our disposal -- we have an intuition and "radar" to sense when something is not right (again).

Your question actually sounds more practical than technical... Does Webroot guarantee the cleaning? Is it worth $100 to not have to "wipe and reload"? If you use the recommendations here to DIY, will you *really* feel confident that you are safe?



 
P.S. Nothing *functional* could live through a format. Hypothetically. What lives in the bootsector is another matter entirely.

 
Some good points, ronin77. I have definitely found that through the last several years, when I've done increasingly more side computer work, that my "radar" has definitely increased. Sounds silly to me in a way, seeing as how all PC stuff is technical stuff, being 0s and 1s at its lowest common denominator. I tend to be able to better answer a person's problems based on what they tell me than they can determine hands on (those around me, that ask me questions). And I definitely can tell most of the time what is making a system tick or not tick. [wink] Then again, I guess it's the same with a good auto mechanic - yeah, it's all pretty straightforward, but at the same time, an experienced mechanic has "been there done that", so he can more easily find the car problem than the average joe.

--

"If to err is human, then I must be some kind of human!" -Me
 
^^^^ Everybody sounds way too paranoid in the preceding posts. Unless you have some super rootkit that you can identify using the tools I mentioned (and it can't be killed), I wouldn't even think about a reload or wiping or DBAN.

I don't think anything can hide from GMER in terms of KNOWING that something has modified a driver file or injected itself into the windows kernel. Now removing it is another issue, but I think you would at least KNOW whether you have something.
 
There is no one program that can guarantee success against all malware/rootkits/viruses - that's a well known fact. They all have success and failure rates.

That is why we have all stated that a clean slate is the ONLY sure way. Can a system be cleaned without a wipe and clean install? Sure. Can it be guaranteed clean that way? I wouldn't bet on it. I'd not place my name by that recommendation - ever.

--

"If to err is human, then I must be some kind of human!" -Me
 
"Can it be guaranteed clean that way? I wouldn't bet on it."

I would - very rare is the malware that will escape DETECTION (I didn't say removal) by a variety of tools.

So at least you would know that you had something and then you could make a decision on reloading if you decided to give up the fight.

I leave people every day after removing malware. I have about a 2% rate of it coming back by only running MalwareByte's. Then, at that point, I have them run ComboFix and that snuffs it out.
 
"Everybody sounds way too paranoid in the preceding posts. Unless you have some super rootkit that you can identify using the tools I mentioned (and it can't be killed), I wouldn't even think about a reload or wiping or DBAN."

Being the paranoid type, I have run across some legitimate rootkits that took some extreme measures to remove. For example, I previewed Embarcadero's All-Access tool. It didn't fit our needs so I removed it. Later I tested a rootkit finder. It IDed several directories named Embarcadero as rootkits. I knew what they were but when I tried to remove them, Windows denied me access. I tried safe mode and even a rescue disk with the same result. Since these were legitimate folders, AV and AS programs wouldn't delete them. I finally ran a Linux-based CD program. It allowed me to delete them manually.

James P. Cottingham
I'm number 1,229!
 