Dark Knight
October 23rd, 2011, 06:52 PM
You know, I consider myself computer and internet savy, I know things but am I some sort of IT person? no but my experience with computers since Windows 3.1 has taught me alot.
I also consider myself a pretty safe surfer, I stay away from the "seedier" areas of the web and use common sense when it comes to opening and downloading things.
I say all that above because up until last thursday evening I thought I had seen most of what the web can throw at anyone, out of the blue my system started throwing up messages asking me if I wanted to run the file "winupd4572", thinking it was just another web popup and I know it was not a Windows update file I "X-ed" out of the box and the boxes just kep on coming ( at least five or six more ) all with the winupd message but with different numbers. By now I figured I'd better take this a little bit more seriously.
First I made sure all my antivirus and malware program definitions were up to date and they were, I disconnected from the internet and ran a malware scan ....... nothing, I then ran an antivirus scan which gave me a message telling me that I was infected with Rootkit.MBR.Pihar.B on both my C and D (restore) drives in the MBR (Master boot records) of my computer but my antivirus software was unable to disinfect.
I get on my laptop and start doing some research on this trojan and I came to find out it is a backdoor trojan that allows remote control by another of your system, well now I am glad I disconnected completely from the internet!
I then start looking for ways to disinfect and eradicate this bugger, well let me tell you straight up, there are alot of antivirus companies that offer special tools to eradicate this trojan and claim they work ...... THEY DON'T. I tried for six hours using every possible tool I could find. The ones that did claim they had worked after scanning and told me to reboot to complete the removal process were crapola too because the popups started all over again after reboot. Even the mac daddies of all rootkit removal tools, gmer did not even work.
I began feeling accosted ...... taken from behind by force if you will, without even the courtesy of a reach around!
After further research I found an IT site ( don't ask where because I was working fast and furious by now ) and it pretty much said that upon getting infected with anything in your MBR, you are pretty much screwed, there may be tools to remove the infection but the chances of it being removed completely are next to none. The best thing for one to do upon being infected in the MBR is to reformat and reinstall the OS completely to it's out of the box state.
With that being said, if your thinking by doing a system restore will work, think again, it will not. Only doing a complete reformat and reinstall FROM THE RESTORE DISK will work.
That is what I did, two days later, I am here warning you all of this.
I do not know where or how it happened, I was not doing anything out of the norm, I DO know one needs to be extra special carefull because the internet is becoming nastier by the day, you no longer have to download or open something to get infected with something and THIS made me feel like a victim of a drive by shooting!
A word to the wise, antivirus software does not pick up rootkits very well, IF at all, malware scanners pick up very few ( I use malwarebytes along with Emsisoft anti malware scanner). Come to find out also that MOST rootkit scanners / revealers are not even worth the download because if they reveal the rootkit they will not disinfect either because they can't or the software designer wants you to pay before it will, and it will not even fix the problem completely. The best of all revealers / disinfectors was shown to be Gmer, but I guess I just got something new that it was not yet updated on.
Anyway, I am back up and running to where I was last thursday evening and without any loss of data, just more of a pain in the ass than anything else!
Be careful out there folks, it just keeps getting worse.
I also consider myself a pretty safe surfer, I stay away from the "seedier" areas of the web and use common sense when it comes to opening and downloading things.
I say all that above because up until last thursday evening I thought I had seen most of what the web can throw at anyone, out of the blue my system started throwing up messages asking me if I wanted to run the file "winupd4572", thinking it was just another web popup and I know it was not a Windows update file I "X-ed" out of the box and the boxes just kep on coming ( at least five or six more ) all with the winupd message but with different numbers. By now I figured I'd better take this a little bit more seriously.
First I made sure all my antivirus and malware program definitions were up to date and they were, I disconnected from the internet and ran a malware scan ....... nothing, I then ran an antivirus scan which gave me a message telling me that I was infected with Rootkit.MBR.Pihar.B on both my C and D (restore) drives in the MBR (Master boot records) of my computer but my antivirus software was unable to disinfect.
I get on my laptop and start doing some research on this trojan and I came to find out it is a backdoor trojan that allows remote control by another of your system, well now I am glad I disconnected completely from the internet!
I then start looking for ways to disinfect and eradicate this bugger, well let me tell you straight up, there are alot of antivirus companies that offer special tools to eradicate this trojan and claim they work ...... THEY DON'T. I tried for six hours using every possible tool I could find. The ones that did claim they had worked after scanning and told me to reboot to complete the removal process were crapola too because the popups started all over again after reboot. Even the mac daddies of all rootkit removal tools, gmer did not even work.
I began feeling accosted ...... taken from behind by force if you will, without even the courtesy of a reach around!
After further research I found an IT site ( don't ask where because I was working fast and furious by now ) and it pretty much said that upon getting infected with anything in your MBR, you are pretty much screwed, there may be tools to remove the infection but the chances of it being removed completely are next to none. The best thing for one to do upon being infected in the MBR is to reformat and reinstall the OS completely to it's out of the box state.
With that being said, if your thinking by doing a system restore will work, think again, it will not. Only doing a complete reformat and reinstall FROM THE RESTORE DISK will work.
That is what I did, two days later, I am here warning you all of this.
I do not know where or how it happened, I was not doing anything out of the norm, I DO know one needs to be extra special carefull because the internet is becoming nastier by the day, you no longer have to download or open something to get infected with something and THIS made me feel like a victim of a drive by shooting!
A word to the wise, antivirus software does not pick up rootkits very well, IF at all, malware scanners pick up very few ( I use malwarebytes along with Emsisoft anti malware scanner). Come to find out also that MOST rootkit scanners / revealers are not even worth the download because if they reveal the rootkit they will not disinfect either because they can't or the software designer wants you to pay before it will, and it will not even fix the problem completely. The best of all revealers / disinfectors was shown to be Gmer, but I guess I just got something new that it was not yet updated on.
Anyway, I am back up and running to where I was last thursday evening and without any loss of data, just more of a pain in the ass than anything else!
Be careful out there folks, it just keeps getting worse.