Root_Kit virus on a 2k box. Can't get rid of it

Deezus (Gawd, joined Jan 16, 2001, 859 messages)
Need some advice please.

Have a customer's box that I am working on. Issues were spyware related at first and his Norton Corp. AV not being able to update. So I install the normal AS software and get rid of 834 pieces of junk on it. Then I start to troubleshoot the Norton issues, find out it's a hacked copy from a previous job by someone else. The program won't uninstall, so I manually rip it out. Customer supplies me with a new Trend Micro all-in-one solution to install, no problems there. Upon a new virus scan it comes up with a few, some get removed and one doesn't. Says it's a root_kit virus located "c:/win98/system32/hpdriver."
So I boot it into safe mode to remove it, it goes, reboot and now it's back... I haven't run into an HP file being rewritten with a virus, but figure WTH, the printer software can be reinstalled later if I cook it. So I remove the hard drive and scan/clean it with a clean PC. Solved? Nope, after I put it back in the original comp, it's still F'n there. And every time I click on the "hpdriver" file, Trend Micro throws up a warning.

So for now, I have killed access to the system32 file, which is a crutch as far as I'm concerned, and I'm sure since this looks to be an upgraded OS from 98, the printer will not work.

I have "ideas" as to why this is all happening or not happening, but can't prove any of it. I want to recommend a format and clean install of everything, but if there is another way, I'm open to suggestions. As it is, I've put too much time into this thing and just want it to be done.

Thanks for any suggestions.
 
No sense in waiting for someone else to say the same thing. Recommended it to the customer and he was fine with it.


Thanks for the reply. :)
 
Rootkit= "Dust off and nuke the site from orbit. It's the only way to be sure." There are ways to remove them, but why bother. It's a MAJOR PIA.
 
Yeah, that's what I've been gathering from it all. First one I've had to deal with over the 5 years I've been fixing PCs.
 
raw full

This guy's computer I was working on last night has no "root" something file; every time I try to install AV it comes up with a message saying to go to www.microsoft.com and get these files, but he doesn't even have internet. He refuses to reformat.
 
If he refuses to reformat, then you've exhausted all of your options and you cannot help him.
 
z-lite said:
If he refuses to reformat, then you've exhausted all of your options and you cannot help him.

Pretty much it.

You need to lay out the case for reformatting.
Explain that the tools on the machine cannot be trusted; a good root kit has the ability to intercept just about anything you do on the machine. The only option is to reinstall from known good media after backing up all critical data.

Explain that any data on the machine is at risk with the root kit on it, any transactions that take place on the machine put your customer at risk.
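The point made above, that nothing running on the infected box can be trusted and that known good media is the reference, is the same reason an offline comparison is the only check worth doing. As an added example (not from anyone in this thread), the script below builds a file manifest from a known good tree, such as a mounted install-media copy or a fresh install, then compares a suspect tree mounted from the pulled drive and reports added, missing and modified files. The directory names and file contents are constructed sample data; the hypothetical helper names `build_manifest`, `compare` and `demo` are mine.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root.

    Paths are lowercased because the Windows file systems the thread is about
    are case-insensitive; a rootkit file named HPDRIVER and hpdriver is the
    same entry.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix().lower()] = sha256_of(p)
    return manifest


def compare(known_good: dict, suspect: dict) -> dict:
    """Diff two manifests: files only in suspect, only in known good, or changed."""
    common = known_good.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(known_good)),
        "missing": sorted(set(known_good) - set(suspect)),
        "modified": sorted(k for k in common if known_good[k] != suspect[k]),
    }


def demo() -> dict:
    """Build constructed sample trees and run the offline comparison on them."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good" / "system32"
        bad = Path(tmp) / "pulled_drive" / "system32"
        good.mkdir(parents=True)
        bad.mkdir(parents=True)

        # Constructed sample: two "system" files on the clean reference tree.
        (good / "kernel32.dll").write_bytes(b"clean kernel32 contents")
        (good / "user32.dll").write_bytes(b"clean user32 contents")

        # Constructed sample: the pulled drive has one file altered and one
        # extra file that does not exist on the known good media at all.
        (bad / "kernel32.dll").write_bytes(b"clean kernel32 contents")
        (bad / "user32.dll").write_bytes(b"patched user32 contents")
        (bad / "hpdriver").write_bytes(b"unexpected extra file")

        return compare(build_manifest(good.parent), build_manifest(bad.parent))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against a real drive by pointing `build_manifest` at the mount point of the pulled disk and at a clean reference tree, from a machine the customer's disk has never booted on. Anything in the "added" or "modified" lists that is not explained by known updates or installed software is what the on-host scanner could not show you.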
 
I agree with all of this, however rootkits can be removed. You cannot know unless you really understand your machine that someone didn't put another one behind your back, but they can be removed.

For the customer, if a format is fine, format the disk. If not, what rootkit does the AV software identify it as?
SdBot?
RdBot?
IsPro?
Hacty?

This posting is provided "AS IS" with no warranties, and confers no rights.
 
The root_kit specifics are back at home, but I believe it was the Rdbot.

After thinking about it more, I am going to stick with the format. I'm pricing out a new rig for him and will format the old one with a new install of XP Home. I don't trust the 2K install anyway. When he came to pick up his box he talked about the last repair he had done on it. It went from being a 98 box to a 2K box without him even asking. That's when the Corp edition of Norton went on too, even though he didn't ask for that either. Whole thing sounds shady. If someone wants to do shady things to their own box, fine. But when a "tech" goes above and beyond and just "does" this, ehh... something isn't right. I got a good clue when he said he spent 100 bucks and got the machine fixed plus 2K installed and that Norton install... and no disks. :rolleyes:
 
Tell him to buy a Mac. How one gets a root kit installed without internet makes me laugh :D
 