
On the other 3 computers in my family, I believe that we have a kernel-mode rootkit for windows.

It appears that the same rootkit is on all of them. We think.

We changed all the important passwords from my computer, running linux right now.

On all of the infected computers is Symantec Endpoint Protection, because it's free from the university where my mom and dad work. In my opinion Symantec is a piece of crap, seeing as it didn't even manage to delete the tracking cookies it found when I tried it on my own computer.

The Computers and their set-ups:

Computer A: Vista Business; Symantec antivirus; runs it as admin, no password; IE8; no other security software other than what comes with Windows; IE8 security settings the default

Computer B: XP Home Premium; Symantec antivirus; runs as normal user, no password; admin account with weak password; Spybot; uses IE8 with default settings, sometimes Firefox

Computer C: XP Home Premium; Symantec antivirus; runs as normal user, no password; admin account with weak password; uses IE8 with default settings; no other security programs except what came with Windows

This is what's happening. Cut and pasted from my dad's forum post.

--

When I scanned my laptop (Dell XPS M1330 with Windows Vista Small Business), Symantec Endpoint Protection hangs for a while, perhaps 10 seconds or so, on some of the following files: 9129837.exe, hide_evr2.sys, VirusRemoval.vbs, NewVirusRemoval.vbs, dll.dll, alsmt.ext, and _epnt.sys. It does this if I run a scan that I set up to run on a new thumb drive, and it does this even if the thumb drive is not plugged in. It doesn't seem to do this if I scan only the C: drive. I've checked for problems with Symantec Endpoint Protection and also with Microsoft Security Essentials and Malwarebytes Anti-Malware. They found nothing and I can't find anything by searching for hidden files. Next I tried Microsoft's RootkitRevealer. It (RootkitRevealer) finds 279660 (or so) discrepancies and the interface is so glitchy after that I can't really figure out what is going on. The screen is squirrely. RootkitRevealer pulls up many files in the folder \programdata\applicationdata and there are numerous appended \applicationdata on the end of that as well.

--

As you can see, what we did was install MSE and MBAM and scan with both of them. Nothing but a tracking cookie. Then I took over and ran rootkitrevealer.exe from Microsoft from a flash drive. It found a bunch of discrepancies, but only about 20 or so were security related, the rest being files that you just couldn't see from Windows Explorer. I couldn't see whether or not the files listed above, the ones that the scan was hanging on, were in the list. The other thing is, I have no idea what to do about the things the scan comes up with.

Then we checked the other computers and they do the same thing when you scan with Symantec.

The people at the university seem to think that dad might not have a virus, but 2 of the computers slowed down noticeably AND IE8 started acting all funny.

None of my family is very computer oriented, and 2 of the possible causes for the rootkit are:

- My dad bought a new flash drive, which shipped with a data security executable on it
- My dad has to download lots of articles for his work

Those are the only things that stand out, but it could have been anything.

What should I do with USBs and camera memory cards I stuck in those computers?

We are currently backing up our data, and I'll post again after trying IceSword 1.22. I just looked at my dad's forum topic, and someone recommended GMER. I'll try that too.

We just figured out what's going on. Symantec is acting normal and the slow computers are due to some new services/software. At least I've got my parents using an Ubuntu LiveCD for bank stuff now.

4 Answers


If you did indeed get a rootkit, the only way to be entirely sure it's gone is to completely format and reinstall windows. Rootkits can hide themselves from any method of scanning, depending on how thoroughly they were coded.

Your system certainly is acting funny, and if rootkit revealer is turning up discrepancies I'd fear the worst.

  • Yeah. If it were me, I'd just back up my data and kiss Windows goodbye, but it's hard to do that to 3 neophytes. Until we get it sorted out, we're going to use an Ubuntu LiveCD to do online banking.
    – D'Arvit
    Commented Jun 9, 2010 at 14:02

First remark is that all major antivirus products nowadays also check for rootkits as a matter of course.

Second remark is that virus infections normally happen because of carelessness or lack of knowledge of the user. Windows is really not to blame.

That said, I would throw as many antiviruses as possible at the infected computers, in the hope that one of them will at least detect the virus, so that you can maybe search for removal instruction on the web.

Google for "antivirus online scan" and use a couple of the best-known antiviruses to scan the computer (each takes some hours to complete). Be careful with all those fake antiviruses currently floating around.
Some that I like are Trend Micro HouseCall and Kaspersky Labs Free Virus Scan. ESET gets excellent reviews. Please note that they might require you to use Internet Explorer as your browser.

If this fails, use a rescue live-CD virus scanner which could work without interference from the virus. I like best Avira AntiVir Rescue System because it gets updated several times a day and so the download CD is up-to-date. As a boot CD it doesn't use Windows, so your virus can't block it.

In the future, better educate your family to use Firefox rather than IE, together with some add-ons such as NoScript.

Note: I'm not a fan of Symantec.


You can also try RootRepeal. I've heard good things about it.


If you don't want to frag and reinstall, then pull the drive out and take it to a known good system (or a bootable CD with AV software on it) and scan the drive.

  • Tried that with the Ubuntu LiveCD. Installed ClamAV (Linux version) and scanned. Zilch.
    – D'Arvit
    Commented Jun 9, 2010 at 14:15
  • I'd try another AV package; if you can get two different packages to come up blank, then most likely there is no virus/rootkit.
    – user33788
    Commented Jun 9, 2010 at 14:51
  • Bitdefender too
    – D'Arvit
    Commented Jun 12, 2010 at 12:44
  • I'd get rid of Symantec, go with MSE.
    – user33788
    Commented Jun 14, 2010 at 15:06
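To go with the offline-scan approach in this answer: when the drive is mounted (read-only) under a Linux LiveCD, a short script can at least locate the filenames the Symantec scan hung on (the list from the question) and hash them so each one can be looked up before anything is deleted. This is an added example, not code from the thread or from any of the tools mentioned; the mount point /media/windows is an assumption.

```python
import hashlib
import os

# Filenames the Symantec scan hung on, as listed in the question above
SUSPECT_NAMES = {
    "9129837.exe", "hide_evr2.sys", "virusremoval.vbs", "newvirusremoval.vbs",
    "dll.dll", "alsmt.ext", "_epnt.sys",
}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large file never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_suspect_files(root, names=SUSPECT_NAMES):
    """Walk an offline (mounted, ideally read-only) Windows volume and return
    sorted (path, size, sha256) tuples for every file whose name is in `names`.
    Matching is case-insensitive because NTFS and FAT are case-insensitive;
    symlinks/junctions are not followed so a loop cannot trap the walk.
    A file that cannot be read is still reported, with size -1 and the error."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for fn in files:
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                try:
                    hits.append((full, os.path.getsize(full), sha256_of(full)))
                except OSError as e:
                    hits.append((full, -1, f"unreadable: {e}"))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Assumed mount point of the suspect drive under the LiveCD
    mount = sys.argv[1] if len(sys.argv) > 1 else "/media/windows"
    for path, size, digest in find_suspect_files(mount):
        print(f"{digest}  {size:>10}  {path}")
```

Run it as `python3 offline_triage.py /media/windows`; a hit only means the name matched, so each hash still needs to be checked against a reputable source before the file is treated as malicious.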
