MSFN Forum: Out of the blue (Rootkits Infestation)

#1 Jeremy

Posted 12 March 2010 - 12:17 PM

Last night took me completely by surprise. I am using Windows 7 x86 but I might as well have been using any previous version of Windows.
I downloaded a torrent for DriverCleaner.NET. I wanted the latest version without having to provide my e-mail and other info just for a download link.
Anyway, so I installed it and was told I had to reboot.
When I rebooted, oh boy.
You know on Windows XP when you first logon after a format or do Windows Updates, you get the "Applying personal settings"?
I had that but it was referencing "C:\WINDOWS\svchost\svchost.exe"
I actually had that the night before last so it might not have been the torrent download.
It did not go away after 5 minutes and it was 2:30AM so I went to bed. In the morning I was at my desktop and nothing out of the norm.
The following night was different.
I had the following:
- Porn desktop icons. Lesbians, girls giving BJs, etc. That wasn't too bad. ;-)
- Dr. Guard program installed.
- Pop-ups galore
- Task Manager, Folder Options, Registry Editing, all disabled.
- All of the executables that I have loaded at startup were copied and had the shortcuts redirected to this bogus file with a truck icon.

What did I do?

- Disconnected my Ethernet cable.
- Ran CCleaner to check startup entries.
They were in C:\Users\Administrator\Local Settings\Temp\
- Used Unlocker 1.8.8 to mass delete the whole Temp folder.
- Used 'Remove Restrictions Tool' (RRT) to get my access back.
- I even deleted C:\WINDOWS\SVCHOST\SVCHOST.exe but it kept coming back.
- I installed MBAM and Kaspersky but these were both disabled from running. I figured hidden rootkits.
- I used a Rootkit remover by Sophos and found dozens all over the place. Removed as many as it would allow.

MBAM and Kaspersky worked again but neither would update. There were still lots of things left that I could visibly notice.
I said screw it. I backed up everything and formatted, did a fresh install.

I have always considered myself very good at fighting malware but when it comes to these rootkits there's no turning back unless you have a backup or are using virtualization software.

Anyway, I have a D-Link router and use SandBoxie and PeerBlock. I will be taking my security to a new level from now on.

Has anyone here had similar devastating experiences?


Cheers,
Jeremy
PS: The two hours I spent fighting rootkits could have been spent playing Mass Effect 2. :(


#2 submix8c

Posted 12 March 2010 - 01:46 PM

Yes, (brother's PC).

You'll need to get rid of it via Clean Install on another HDD then "MBAM" the offender before it can be used again. Lots of cleanup afterward even after being MBAM'ed.

The culprit was undoubtedly that file. Other files are just floating all over under weird names and run again from the Registry ("runonce", part of the "cleanup").

BTW, you need LSPFIX because that's what's preventing the updates (I believe).

Since you already reloaded....

#3 Tripredacus

Posted 13 March 2010 - 06:36 PM

The "Dr. Guard" program was the key. This is from the new strain of fake antivirus/antimalware programs. Some are smart, some are stupid. Most work extremely well (what they were designed to do, that is) on XP, but not so much on Vista or 7. #1 thing, these programs use registry settings to block your programs. The first variation would only use the Image Execution Options lists. Renaming the installer and EXE bypassed this. The second wave would terminate programs that tried to open/modify/delete the files it used/needed. This even included Notepad or in some cases even explorer.exe. In these cases, if renaming does not work, only WinPE or NTFSDOS are your saviours. Then, after you remove "part" of the problem, you can run Gmer or MBAM (still renamed to be safe) to remove some more.

Yet you described something on 7, which so far I have not encountered a problem removing. Rest assured, these programs are a lot easier to remove from Vista or 7 than XP. Also, never forget about using cacls (or xcacls) to change the ACLs on files you need, or files you don't want running. Denying SYSTEM access to files is often a great way to disable these programs.
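A read-only audit in PowerShell, added here as an example and not part of the thread or of any tool it names, covering the three spots the posts describe: Image File Execution Options "Debugger" values that redirect a program's launch, Run/RunOnce entries whose command points into a Temp folder, and svchost.exe copies outside System32. The cacls lines it prints for flagged files follow Tripredacus's deny-SYSTEM suggestion and are echoed for review, not executed; the function name and the WinSxS exclusion are assumptions.

```powershell
# Added example, not from the thread. Read-only audit; nothing here modifies the system.
function Get-FakeAvPersistenceReport {
    $report = @()

    # 1. IFEO: a "Debugger" value under an executable's subkey makes Windows start that
    #    path instead of the program, which is how the first wave blocked security tools.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $report += [pscustomobject]@{ Check = 'IFEO Debugger'; Item = $sub.PSChildName; Value = $dbg }
        }
    }

    # 2. Run/RunOnce values whose command line points into a Temp folder
    #    (the startup entries in the first post lived in the user's Temp).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip provider metadata
            if ("$($p.Value)" -match '\\Temp\\') {
                $report += [pscustomobject]@{ Check = 'Run entry in Temp'; Item = $p.Name; Value = $p.Value }
            }
        }
    }

    # 3. svchost.exe outside System32/SysWOW64 (WinSxS holds legitimate copies, so skip it).
    $legit = @("$env:windir\System32", "$env:windir\SysWOW64")
    $hits = Get-ChildItem $env:windir -Recurse -Filter svchost.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '\\WinSxS\\' -and $legit -notcontains $_.DirectoryName }
    foreach ($h in $hits) {
        $report += [pscustomobject]@{ Check = 'svchost outside System32'; Item = $h.FullName; Value = $h.Length }
    }
    return $report
}

$findings = Get-FakeAvPersistenceReport
$findings | Format-Table -AutoSize

# Follow-up suggested in the thread: deny SYSTEM on a rogue file so a service cannot start
# it. Printed for the operator to review, not run by this script.
foreach ($f in $findings | Where-Object Check -eq 'svchost outside System32') {
    Write-Output ("cacls `"{0}`" /E /D SYSTEM" -f $f.Item)
}
```

Run it from an elevated PowerShell so HKLM and the Windows directory are readable; an empty table means none of the three indicators was found, not that the machine is clean.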

Copyright © 2001 - 2013 msfn.org