FU_RootKit.B – need removal

Current threats
human factors
I believe that a user at my company has gotten a RootKit installed on her laptop. Research on the Internet particularly at http://sandbox.norman.no/live_2.html?logfile=810935 leads me to think that the malware is an updated version of the FU_RootKit. I say updated because the registry keys and files names don't quite match. This appears to be a three step chain where the step one executable looks for (and creates, if needed) a file called winstk32.exe, then runs it. Winstk32 then tries to create msdirectx.sys and SMonitor.sys. It also tries to create a tftp connection to somewhere. The AV on the laptop sees and kills the two files in the last step and the Firewall software is blocking the tftp. I managed to prevent winstk32.exe from being recreated and run on every boot by creating an empty Notepad doc with the same name in the System32 directory. Have exported and deleted various relevant registry entries per the URL above. The user will have to e-mail those to me, if they are desired. User has XP SP2 with all current MS updates. MS updates were not current when she got the problem. She also has McAfee VirusScan Enterprise 8.0i with all current patches and virus definitions, McAfee Desktop Firewall 8.5 Patch 4, Ad-Aware 1.06 SE, Spybot S&D 1.4, Windows Defender. Will post again when I have more but will welcome any suggestions, in the meantime, such as how best to clean off the offending malware and what the executable in step one might be. It isn't MSNMEssenger.exe as in the Norman URL.

Answer Wiki

Thanks. We'll let you know when a new response is added.

It sounds as if you have a juicy technical problem you want to solve, but the user really needs to have a safe laptop she can use without a rootkit on board.

Your simplest and very best solution is to reformat and reinstall the OS and other apps on her laptop, update her AV and send her back to work. There really is NO reliable way to remove a rootkit, and you can never really trust that machine on your network again. So bite the bullet and clean the hard drive.

Now I can also see that as a true geek, you want to know the why and how of it. So clone a copy of her hard drive, before you reformat and drop it into a VMWare or other virtual sandbox so that you can take it apart without risking further infection or loss of her data to some unknown party. Have fun!

Or if you used Applicaiton Whitelisting from day one. you would have never gotten this rootkit or any other malware. www.coretrace.com

Discuss This Question:  

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: