Rootkit Removal (Part 3: Rootkit Returns)

A couple of days after disabling the rootkit on my wife's computer, she complained that it was back. My first thought was "must be user error ... I wasted that thing!". My second thought was, I should have known better ... when somebody pwns your machine, it is impossible to ever make sure they can't get in again. The closest you can get to being sure is to reinstall the OS. I told my wife "Sorry, honey, you're out of luck -- you're going to need to reinstall. Do you have anything you need on there that isn't backed up?" I turned out that most of what wasn't backed up was my stuff -- files that were rescued from a dying laptop a couple of years ago that were way too important to lose but not so important that I would need them in the last two years.

Paranoid thought of the day -- if you have a rootkit on your computer, and you want to back up your files to external media (usb stick, cd, etc), how do you know you're not going to transmit the virus via that media? I suppose I could copy files to my mac, since a windows virus would be unlikely to affect a mac (not tha mac's don't have their own security problems). But there is still a problem if we want to put those files on my wife's computer again after we reinstall. It would absolutely suck if the infection was via a malicious pdf and we wiped the computer clean only to have it come back when she opened the pdf again.



We soon realized that the installation media for her computer and her legitimately purchased software that she used for work were going to be difficult to find -- she'd had her computer since before we moved, and neither of us remembered where the installation disks were. The whole reinstall thing sounded less and less fun.

I decided that I'd have another go at the rootkit. My old buddy, the rundll entry in the registry was back, but this time pointing to a different dll.  I was able to neutralize it again the same way I had done before, and to verify that after a hard reboot the rootkit wasn't active.

The next question was how it reinstalled itself. I checked the usual places ... startup menu, replaced system files, image execution options, etc. Then I had a thought -- what if it was a scheduled task? Sure enough, the virus had an hourly scheduled task that caused the registry hook to reinstall itself. This one I could just delete, and I deleted the dll it wanted to run as well.

I knew better than to declare victory again without being certain. I thought I would take advantage of the lull in pwnd-edness and make sure windows was up to date. This way if the infection was via an unpatched vulnerability, it could hopefully be prevented in the future.

I noticed that automatic updates were turned off. No wonder the infection happenned, I thought, maybe my wife had turned autoupdate off, and had therefore been vulnerable to a virus. So I turned it on and went to the windows update site to force an immediate update. The site complained that the windows update service was not on. "That's strange," I thought -- I just turned it on. I opened services.msc, and the windows update service was disabled. Hmm... I set it to auto-start and started it. Five seconds later I hit refresh ... it was stopped and disabled again.

Here was yet another component of the rootkit  ... its job seemed to be to prevent windows from being able to patch itself.  This was actually heartening -- because if the virus was afraid of windows update, then chances are it was a well-known (and patched!) vulnerability. If only I could get the patches to install...