Serious virus/rootkit problem


Well, I just spent several hours trying to get rid of something that's on one of my computers. I rarely get viruses and when I do, I'm pretty quick at getting them removed, but this one really got me. It started when I installed some new Windows updates that came through the automatic updater. It asked me to reboot my computer, so I did. I noticed a very long delay between the BIOS post and the Windows XP boot screen coming up. I thought maybe it had something to do with the updates I just installed. Either way, Windows eventually booted without any problems.

Then I went to play a game (MMORPG) which uses GameGuard. GameGuard is an advanced hacking/cheating prevention system some online games use. I got an error saying GameGuard failed to properly initialize. This is bad news, and usually means one of two things: you're trying to hack/cheat and it detected it, or something has hijacked certain system functions/calls that GameGuard is trying to hook. It suggested that I reboot, which I did. I noticed the long delay between the BIOS post and Windows boot screen again. This time even the text-based progress bar came up for a couple of seconds. It's the one rarely seen that comes up before the graphical progress bar shows up (under the Windows logo). Anyway, by this time I suspected something was seriously wrong. My guess is I have some kind of boot sector virus or some advanced rootkit.

After my reboot I tried my game again and got the same error from GameGuard. Then I tried to install a few different virus scanners. First I tried F-Prot, which installed, but with an error. After rebooting, F-Prot failed to start. It said some files were missing. I uninstalled F-Prot and tried Kaspersky, which also failed. Then I tried Avast, which gave an error right away and would not even install. By now I was fairly annoyed and frustrated.

I decided to fire up IceSword. IceSword is a very good tool against rootkits and virus-type programs that can evade detection by ordinary antivirus products. It also failed to start. Now I was getting worried. IceSword has never failed before in a situation like this. Next I tried using a boot CD. I booted from the latest version of UBCD4Win (Ultimate Boot CD for Windows) and ran all the malware and virus detection programs that come with it. None of them found anything wrong. I wasn't too surprised at this point. The fact that there is a ~20 second delay after the BIOS post, while the hard disk access LED is solid red, tells me that it's either a rootkit or a boot sector virus. Whatever it is doing, it's doing it even before Windows starts to boot. This delay does not happen when booting from a CD, obviously.

As a last resort, I tried scanning the infected drive from across my LAN, using Avast on another machine. It scanned the entire hard disk and found nothing. I don't know what else to try. I doubt even re-formatting and re-installing Windows would solve the problem. I hope I described the situation well enough, and any suggestions on what to do would be greatly appreciated. I suppose I could low-level format the hard disk, but I'd rather not go that far if there's an easier solution.

Edited by Kashim
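The post above suspects a boot sector infection because something runs before Windows starts and file-level scanners (including one run across the LAN) see nothing. The following is an added example, not code from the thread or from any of the tools mentioned: it parses a classic 512-byte MBR (the layout is the standard one: 440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries, and the 0x55AA signature at offset 510) and compares the bootstrap code against a known-good hash. The sample sector, its disk signature value and the baseline hash are all constructed for the demonstration; `read_sector0` assumes you have a raw image of the drive (for example one taken with dd from a boot CD) at a path you supply.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code occupies bytes 0..439 of a classic MBR
DISK_SIG_OFF = 440            # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partition_entry(raw: bytes) -> Dict[str, int]:
    """Decode one 16-byte MBR partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {"status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code area only (the part a bootkit would patch)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw sector 0 into boot code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(sector[off:off + PART_ENTRY_LEN]))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": boot_code_hash(sector),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": entries,
    }


def check_mbr(sector: bytes, known_good_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature at offset 510")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0x00 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {i}: empty type but non-zero extent")
    return findings


def build_sample_mbr(boot_code: bytes, active_status: int = 0x80) -> bytes:
    """Constructed sample MBR (not from any real disk): one NTFS partition at LBA 63."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0x1234ABCD)  # made-up value
    entry = struct.pack("<B3sB3sII", active_status, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 1_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw disk image (hypothetical path supplied by the caller)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Constructed "clean" sector, and a copy whose bootstrap code has been patched.
    clean = build_sample_mbr(b"\xEB\x3C\x90" + b"CLEANBOOT")
    baseline = boot_code_hash(clean)
    tampered = b"\xE9\x00\x01" + clean[3:]
    print("clean   :", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

The baseline hash has to come from a trustworthy source (the same machine before the problem, or a sector written by a known installer) for the comparison to mean anything; with no baseline the partition table sanity checks still run, and the bootstrap hash can be compared between the suspect drive and a freshly installed reference system.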


Well, I can think of one easy thing to try - 1-800-PCSAFETY. I know it's corny, but virus/malware cases are free at Microsoft for Windows users, and they've got some tools you can't get on the public internet that might fix this for you. Otherwise, you're going to need a null-modem cable, a free COM port, and some knowledge of the Windows debuggers to catch this. I can help you with the latter, but it isn't easy. The former is though, and it'll probably save you from having to rebuild (although once you DO clean your box, I'd suggest strongly that you do back up your data and rebuild - you can't ever trust a box to be clean once it's compromised until you do a very clean reinstall).


2 weeks later...
Then I went to play a game (MMORPG) which uses GameGuard. GameGuard is an advanced hacking/cheating prevention system some online games use. I got an error saying GameGuard failed to properly initialize.

That error sounds like a Windows error, likely because of missing DLLs.

Did Windows give an error such as "The application failed to initialize properly. (0x00000135) Click 'OK' to close the application."?


Well, I can think of one easy thing to try - 1-800-PCSAFETY. I know it's corny, but virus/malware cases are free at Microsoft for Windows users, and they've got some tools you can't get on the public internet that might fix this for you.

I didn't know that was the case... that just blew me away. Is that valid only to people within the OS support life cycle?


It's very unlikely that it's a virus/rootkit. Can you start the PC in Safe Mode without any errors? The best option would be to do a System Restore.

Run a chkdsk (CHKDSK C: /F /V /X) followed by an SFC (SFC /SCANNOW). If that doesn't fix it, then boot from the XP Setup CD and perform a 'Repair' installation.


I didn't know that was the case... that just blew me away. Is that valid only to people within the OS support life cycle?

I'm not sure about products in extended support, but mainstream support products are fine. If you're out of extended support, I know that the answer is "upgrade", but if you're in extended or mainstream support, you should at least call and see if you can get assistance.


I'm not sure about products in extended support, but mainstream support products are fine. If you're out of extended support, I know that the answer is "upgrade", but if you're in extended or mainstream support, you should at least call and see if you can get assistance.

Considering mainstream support for XP ends next year (14/04/2009), that's not going to be for long.


Edit: Darn - I hit edit instead of quote - sorry about that jcarle. I've lost your post, but what you mentioned about mainstream support ending years after the next product, rather than after its release date, is probably a widely-held belief, and I can't fault you on it. But, extended support goes to 2014 for XP Professional, so that's not anytime soon.


Hello :hello:

Probably not what you want to hear, but ever since Windows 3.1 in '93, just 2 years after the public internet was introduced, it became good practice that if you use a Microsoft operating system, about every 3 months you zero out the drive and reinstall the OS. At about the 8th-10th week you start backing up the stuff you've acquired over the past weeks, and there ya go. Seems like a big deal but in reality, with a good backup, in about 2 hours you can have a fresh OS that is virus, spyware, and anything else free. IMHO that's the best practice, if you're not running IT. Especially with all the effort the people here at these forums have devoted to silent, unattended install, you can load up a CD with a boatload of software and cut your reinstall time in half, with some preparation.


Hello :hello:

Probably not what you want to hear, but ever since Windows 3.1 in '93, just 2 years after the public internet was introduced, it became good practice that if you use a Microsoft operating system, about every 3 months you zero out the drive and reinstall the OS. At about the 8th-10th week you start backing up the stuff you've acquired over the past weeks, and there ya go. Seems like a big deal but in reality, with a good backup, in about 2 hours you can have a fresh OS that is virus, spyware, and anything else free. IMHO that's the best practice, if you're not running IT. Especially with all the effort the people here at these forums have devoted to silent, unattended install, you can load up a CD with a boatload of software and cut your reinstall time in half, with some preparation.

I haven't had to do anything even remotely like that since Win95 - what the heck do you do with your PC to have to reinstall every 8-10 weeks?


Hello :hello:

Probably not what you want to hear, but ever since Windows 3.1 in '93, just 2 years after the public internet was introduced, it became good practice that if you use a Microsoft operating system, about every 3 months you zero out the drive and reinstall the OS. At about the 8th-10th week you start backing up the stuff you've acquired over the past weeks, and there ya go. Seems like a big deal but in reality, with a good backup, in about 2 hours you can have a fresh OS that is virus, spyware, and anything else free. IMHO that's the best practice, if you're not running IT. Especially with all the effort the people here at these forums have devoted to silent, unattended install, you can load up a CD with a boatload of software and cut your reinstall time in half, with some preparation.

HUH? :blink:

Now just where did you get that info from?
