The Max++ Headroom Saga

Well, somehow my ex-wife's office computer has been infected by the Max++ rootkit. Nasty, nasty, nasty. I'm going to do my best to help her get it cleaned off, but it's going to take a few days. How this thing slipped past AVG I'll never know - thus far it's been able to keep my own system squeaky clean for years with no problem.

All I know is that Spybot won't touch it, AVG won't detect it, other virus wipers don't even know it's there, and it's buried so deep I'm going to have to use one of the g33k h4xx0rz forums to help me get it "rooted" out.

Unless one of my l337 friends knows a program that will handle this. I'm trying to avoid a clean install like the plague.

I'll keep tabs of what all I do, in case it's useful for someone else.

Yarg!


Comments

alaskawolf
Dec. 29th, 2009 08:11 am (UTC)
I'm not leet :( damn spammers x(

Could you go in through safe mode and use Malwarebytes?
ccdesan
Dec. 29th, 2009 09:22 am (UTC)
Excellent suggestion, of course. I have it loaded on the system, and I'll let it run - but I suspect Malwarebytes won't touch it. But that will be the first step. I've got to get the system up and running in my home and that has to wait until tomorrow - the only keyboard I have for it needs a USB adaptor.
fearciuil
Dec. 30th, 2009 01:36 am (UTC)
O/T: you owe me a new keyboard for using that icon. XD
stevenroy
Dec. 31st, 2009 05:14 am (UTC)
Chances are, if it's a rootkit, it'll still be running even if you boot in safe mode. The only way to avoid that is to boot from a different OS; either a second OS installed on the same computer, the same OS nuked and reinstalled (this does not require a reformat, by the way), or my favorite option, a bootable CD, preferably a Windows one that'll give you full access to both your file system and the Windows registries et cetera.

Am I going to have to come over there?
hendikins
Dec. 29th, 2009 09:17 am (UTC)
Just fdisk it. Seriously. Once it has been compromised you can never be completely sure it is clean any other way.
ccdesan
Dec. 29th, 2009 09:23 am (UTC)
That will be my bastion of last resort, of course.
hendikins
Dec. 29th, 2009 09:25 am (UTC)
In this instance I'd just skip straight to it. You'll waste even more time by trying to work around it first.
ccdesan
Dec. 29th, 2009 09:41 am (UTC)
Medical computer. Full of patient records and all sorts of protected data. Yes, it's been backed up. Yes, I could fdisk it and do a clean install. Protocol requires that I attempt to clean it first, before going that drastic.
makovette
Dec. 29th, 2009 09:48 am (UTC)
Patient records on a rooted system and you're going to try to rescue it???

I cannot ethically recommend any solution other than pulling it off the 'net and wiping ASAP. Sorry Old Wolf, but it's GOT to go to the bit bucket for New Year's, and be bloody careful of the backup drive as well...

Bonne Chance!
Mako
ffcj
Dec. 29th, 2009 11:14 am (UTC)
Thirded. Any computer that has been seriously infected should have its HDD removed, a new one (or a purged and formatted old one) built in and reinstalled. There is no way on earth you can be absolutely sure that every byte of malware is gone. Both backup and the original HDD (for more current versions) should be taken, preferably, to a Linux system, everything that is not data should be deleted and the rest thoroughly scanned.

Good luck!
ccdesan
Dec. 29th, 2009 08:02 pm (UTC)
Woe unto the congregation: The god of the servers hath come down in a cloud before the congregation and behold, his anger is kindled against that which is polluted - it must be cast out.

Argh. So let it be written, so let it be done.

james_b
Dec. 29th, 2009 03:59 pm (UTC)
The problem with rootkits is that unless you are running your virus removal from a non-rootkitted bootable disk, then the rootkit still has control of the system when you try to remove it.

If you really want to "try" to remove the problem manually, then you really need to boot from elsewhere. I'd try building a Live Windows CD (go here for details) or adding the infected hard drive to another computer so that you don't boot from the infected drive, before you even "attempt" to begin any removal.

But before you do that, have you looked here? It may not work, but what do you have to lose?
james_b
Dec. 29th, 2009 04:06 pm (UTC)
The RegRun Reanimator link on that page is dead. You'll find it here.
