0access Rootkit: Questions Before Re-installation

Discussion in 'Troubleshooting Help' started by baumaxx1, Jul 3, 2012.

  1. baumaxx1

    baumaxx1 Member

    Jan 28, 2011
    Adelaide, SA
    Hi All,

    Mum was using the computer yesterday when a Trojan Downloader got in through a Java exploit when she was using Internet Explorer. Malwarebytes was able to detect Rootkit.0Access and Trojan.Sirefet on the computer. At first, this disabled Microsoft Security Essentials and was persistent until I did a system restore. Now things seem normal.

    There have been no recent system changes, new applications or downloads; it looks like it came in from a hacked site or something like that, and I forgot to keep IE up to date because I generally use proper browsers.

    Basically, what I want to ask is how much you guys might know about this threat?

    - I've wound back a week using system restore and the system is coming back clean. I even did manual checks. However, I am still planning on wiping the drive and re-installing and reverting to a clean snapshot.

    - Malwarebytes and Microsoft Security Essentials were used to check, but I will be getting an anti-rootkit scan going after I wipe the HDD to make sure it's not lurking anywhere.

    The plan of attack is:

    - I have 4 HDDs, 2 document mirrors and one per OS. I will be disconnecting all but the infected system drive. The infected drive will be formatted.

    - From what I have read, this is a kernel-level rootkit. I have not seen an indication that it is a bootkit or infects BIOS. If it's just OS files, that makes life easier. Is anyone able to confirm this?

    - I dual-boot Win 7 x64 with XP x32. Am I correct to assume that that system is clean, being on a separate disk?

    - Will wiping the Win 7 drive completely (the boot sector too) cause issues accessing XP? I will not touch the existing XP install, and it would be as if I'm doing a clean install with XP pre-existing, but I might use a more robust formatting tool than what is used during the Windows install. Otherwise, I can look into other methods of ensuring the disk is clean.

    I'm finding some of the information on-line a bit vague on this topic, and the fastest and easiest solution is best because I need the comp back and healthy to run some simulations for uni.

    Basically, the plan is to:

    1) Backup documents.
    2) Run a rootkit scanner. I'll look into a good one that can look into boot sectors and hardware hopefully.
    3) Disconnect "clean" drives (XP, 2x Doc duplicates).
    4) Wipe the W7 drive.
    5) Bring the XP drive back and install W7.
    6) Use True Image to restore 7 with the drivers and core/trusted programs I had from a clean install earlier in the year.
    7) Re-scan for rootkits.

    Hopefully this will do the trick, especially considering things seem pretty normal at the moment. If anyone knows any more on the topic, your help would be much appreciated.

    Thanks in advance.
  2. digamma

    digamma Member

    Mar 12, 2002
    The Sticks, Toowoomba
    TBH, this sounds like a teensy weensy bit of massive carpet bombing overkill. Chances are if the scans of multiple programs are telling you it's clean, then it will be. If you want to check more, download a couple more scanners, do a couple of online scanners. Wiping seems a bit of an overreaction when all the indications are good otherwise.
  3. OldMX

    OldMX Member

    Aug 29, 2001
    I never trust an infected computer, even when 10 applications tell me it's clean. Wipe it clean with DBAN and reinstall, or wipe and restore an image backup if you have one.
  4. rusiakid

    rusiakid (Banned or Deleted)

    Apr 15, 2011
    In my honest opinion and experience,

    I would format the Win 7 drive as a precautionary measure, as the malware sometimes disguises itself as something important and won't be deleted, or it has made a registry entry to re-download itself from the hacked site and may have deleted DLLs, which can cause havoc.

    My advice is to do the install to be on the safe side.
