Join 3,424 readers in helping fund MetaFilter (Hide)

Persistant Vista rootkit infection - virus scanners aren't all they're cracked up to be.
July 2, 2011 9:15 PM   Subscribe

Tracking down and killing a virus - my virus scanner (Avast) is telling me scvhost.exe keeps trying to open malicious URLs. It also tells me I have a rootkit in the MBR. It doesn't seem capable of fixing either of these problems. What can I do? Windows Vista.

I understand scvhost.exe basically executes DLLs, and I'm assuming the scvhost.exe file itself isn't compromised (maybe it is...) - how do I find out which DLL it's running that is trying to open malicious URLs?

In terms of the cause of the problem, the rootkit in the MBR, Avast tells me it's going to restart my computer and fix the problem, but when I let it do that, the virus is still there, and Avast alerts me to the same MBR problem. I would be inclined to fdisk /MBR but I run Ubuntu on another partition, and don't want to nuke it, because it's actually the main OS I run. How do I fix my MBR without losing my dual-boot system? I assume it's something I can do from within Ubuntu (10.04), possibly by reinstalling GRUB, but I'm always tentative about messing around with that stuff - I've been burnt in the past.
posted by Jimbob to Computers & Internet (9 answers total) 3 users marked this as a favorite
Deezil's profile has a step-by-step guide to deinfesting your windows system.
posted by Chocolate Pickle at 9:55 PM on July 2, 2011 [2 favorites]

Woah. You'd think someone would have put together a product that just does all that stuff. I'll try all that once my son has finished watching Diego on my Ubuntu system...
posted by Jimbob at 10:08 PM on July 2, 2011

Did you use Rkill and then Combofix? Checkout Bleeping Computer forums!
posted by psiwave at 11:36 PM on July 2, 2011

I tried MalwareBytes and Hijackthis and they both did nothing. I tried DrWeb, which is a custom Ubuntu distro which found nothing.
posted by Jimbob at 11:50 PM on July 2, 2011

It also tells me I have a rootkit in the MBR.

If true, this is an automatic Nuke It From Orbit situation in my book - you can't trust the system for anything more important than minesweeper after this. There is a chance it's a false positive though - are you sure your antivirus is not detecting your grub installation as a rootkit?

I assume it's something I can do from within Ubuntu (10.04), possibly by reinstalling GRUB, but I'm always tentative about messing around with that stuff - I've been burnt in the past.

Standard caveats apply (backup everything, make sure you know what you are doing etc), but reinstalling GRUB should not be too hard: your configuration should already be saved in a config gile in the Ubuntu system, you just need to run the appropriate command to tell GRUB to recreate the MBR. Windows tends to hose Win/Linux dual boot setups at the slightest provocation, so the net is crawling with repair instructions for this situation.
posted by Dr Dracator at 12:18 AM on July 3, 2011

First thing: don't panic. It's entirely possible that Avast is misidentifying the Grub first-stage boot code as malicious, simply because it's not the same as a Windows MBR boot loader.

Simplest thing to try is booting into Linux and reinstalling Grub. There's a good chance that any nastiness lurking within your present possibly-infected MBR won't know how to do anything sneaky to a Linux kernel as opposed to a Windows one, and will therefore not be able to protect itself from that reinstallation, so you'll end up with an MBR containing only a clean copy of the Grub first-stage boot loader.

Before you do that, though, grab a copy of what's already in the MBR. You can do this from an Ubuntu terminal window with

sudo dd if=/dev/sda of=old-mbr bs=512 count=1

Then, after the Grub reinstallation, grab another copy of the MBR and compare them:

sudo dd if=/dev/sda of=new-mbr bs=512 count=1
cmp old-mbr new-mbr

If cmp says that the two MBR images differ, then you probably did have something nasty in there which is now fixed, and you should be good to go with a Deezil cleanup.

If cmp produces no output, then the two MBR images are identical, which leaves two possibilities: Avast was misdetecting Grub as malware, or there was and possibly still is a rootkit in the MBR capable of protecting itself from Linux as well as from Windows. So while you're Deezilizing your infected machine, use a clean one to download and burn a copy of Rescatux that you can use between Windows reboots to put your Grub world back into guaranteed-clean order (MBR rootkits can only do what they do if they get run, which booting from a live CD like Rescatux will bypass).

Would be interested to find out how you get on.
posted by flabdablet at 4:05 AM on July 3, 2011 [2 favorites]

If you do end up believing you have a cross-platform MBR-based rootkit, you'd be better off using Rescatux to clean that up before starting on Deezil's stuff, just so the rootkit can't hide the rest of your malware from your scanners (which it may well be fully capable of doing, even in Safe Mode, if allowed an initial foothold).

Also, be aware that limited Windows user accounts don't have the right to install services, or to write directly to disk devices; the fact that you're seeing malware that needed both of those capabilities is a good argument for not using a Computer Administrator account for day-to-day Windows computing.
posted by flabdablet at 4:16 AM on July 3, 2011

Throwing in a shout for Kaspersky's TDSS rootkit remover.
posted by bhance at 8:20 PM on July 3, 2011

I've been in Information Security for over 10 years. My recommended course of action for workstations is to format the drive reinstall the OS. Ideally, you'll install the OS on a new disk and then mount the original drive to move your critical data to the new machine. Sure, it will take a half day, but it's the only way to be 100% sure that you've removed the threat.

After reinstalling, take some precautions to make sure that you aren't reinfected. Drive-by-download is the number one way to get popped. Installing software that you've pulled from file-sharing networks is another way. Here are a few basic things that will help prevent infection in the future:

1. Use firefox with the noscript plugin to prevent bad javascript and from running. Adblock can help guard against malicious flash when it's delivered via a naughty banner ad.
2. Autoupdate flash and acrobat. These are the number one targets for bad guys. Disable acrobat's browser plugin.
3. Turn off any browser feature that automatically opens files after downloading.
4. Don't install java unless you really need it. If you need it, set it to autoupdate and disable the browser plugin.
5. Windows autoupdate.
6. Use virus protection.

Personally, I use Macs at home. They aren't any more secure than Windows 7, but Apple's small market share means they aren't a priority for the bad guys. This will change in the near future.
posted by Jambi at 11:22 PM on July 3, 2011

« Older Does anyone know a good video ...   |  My computer keeps making a cli... Newer »
This thread is closed to new comments.