Virus keeps coming back...

[polonus]

Here is a way of finding the thing up see:

http://forum.avast.com/index.php?topic=14363.0

MD5 With the use of MD5 we can easily create a 128-bit "fingerptint" (or "mesage digest" of a string or a file.
By comparing this computed value with a "known good" MD5 value hash, we can be sure for 99.9% the compared file is a legit file.


polonus

[FreewheelinFrank]

Back again:

http://forum.avast.com/index.php?topic=14907.0

[polonus]

Hi FreewheelinFrank,

I think you should post here something substantial about this FU
rootkit vermin, because we are going to see more and more of this nastiness. Will you? Anxious to read it?

polonus

[FreewheelinFrank]

I'm not really an expert, Polonus, but I have noticed that this rootkit seems to be responsible for a number of postings which say 'I have a virus and it keeps coming back'. In fact avast! is identifying the FU rootkit but is unable to remove it. More information here:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453093441

http://www.eweek.com/article2/0,1759,1816972,00.asp

http://www.pcworld.com/news/article/0,aid,120067,00.asp

http://chaseandsam.com/virusalert.htm

[polonus]

Hi FreewheelinFrank,

You are not an expert per se, but with some more of these postings I would not know for sure.
How good is unhackme (free trial)? It was specially designed the find up rootkits like the FU rootkit etc, was n't it. Link: http://www.greatis.com/unhackme/
Please comment?

polonus

[MFB]

I think if you google around, you'll find alot of information about unhackme.   

[FreewheelinFrank]

How good is unhackme (free trial)? It was specially designed the find up rootkits like the FU rootkit etc, was n't it. Link: http://www.greatis.com/unhackme/
Please comment?

polonus

I wish somebody would: :'(

http://forum.avast.com/index.php?topic=14816.0

I tested it on my computer, but I can only say it didn't find anything. A google search brings up a lot of download sites but no tests or reviews.

[FreewheelinFrank]

And back again!

Has nobody found and answer to FU yet?

Is the only solution to flatten and reinstall?

Is it possible to disable the rootkit driver somehow?

http://forum.avast.com/index.php?topic=16356.0

[internetworld7]

I have some great technical advise: STAY OFF PORN SITES! 
I mean my God, where else on earth could you possibly pick up such a malicious virus? Oh, and one more thing, always surf the net with Firefox or Opera and never IE. Now tell me that ain't great technical advise?

[FreewheelinFrank]

Porn sites are not the only source of infection.

They often seem to be the source because once any spyware gets its foot in your door, it tends to invite in all its friends, and sooner or later you end up with porn links on your desktop.

There's a lot of money in advertising: an adware program may be intended to show you adverts for decent products, but then the creators of that program can bundle more spyware along with it and make money by doing so, and then these programs make money bundling other products, and all the time the spyware and adverts get more evil and sleazy.

Porn links and pop-ups are sometimes the symptom of a venal enterprise, the lowest common denominator, the last link in a chain of infection that may start with something entirely innocent.

where else could you pick up such an infection?

1) opening email attachments
2) clicking on links in spam emails
3) instant messaging file transfers
4) downloading from peer-to-peer networks
5) downloading program cracks
6) downloading phoney anti-spyware or internet cleanup products
7) even connecting to the net without a firewall or up-to-date OS and browser

Actually even malicious web sites are not particularly dangerous if your OS and browser are up-to-date: most really on ancient exploits like the MS Virtual Machine ByteVerfiy, which was patched years ago or security weaknesses in older versions of IE. Just don't fall for the social engineering of notices which say 'you have spyware, download this program' or 'download this program to clean your internet tracks', or 'you need this plug in to proceed'.

The really big dangers today are:

1) having no firewall
2) not updating your OS
3) no virus and spam filtering by ISP's

Anybody with no firewall and a OS which is out of date is going to get infected even connecting to the internet.

Anybody who doesn't have good spam and virus filtering provided by their ISP is going to have to be very careful about attachments arriving in their inbox, because these are likely to contain a new worm or virus, and if it's one that uses a rootkit, you're very likely to not even see it, and if you see it, it may be impossible to remove like for so many people who've had a FU rootkit infection.

And don't rely on an anti-virus program to catch viruses in email attachments, because even the best will not catch a new one for a few hours or even days.

A good rule is, only open email attachments if you know what it is, who sent it, and you have confirmation from them that they really did send it.

Don't be one of the people starting a thread here saying 'I have a virus and it keeps coming back' because you have been warned. If you get a FU rootkit infection then you are FU**ED. Avoid it in the first place!

[polonus]

Hi FreewheelinFrank,

Interesting background information can be found here:
http://www.f-secure.com/weblog/archives/archive-052005.html#00000559. Fu rootkit can be prevented though, using a program like ProcessGuard prevents it.

greets,

polonus

[kakapo]

I don't know whether this is of any help to you Freewheeling Frank, ( and welcome back friend!) but these FU rootkits are being discussed at DSL reports or Broadband reports.

From their search I found 4 pages of hits. Here's the link to the search:

http://www.dslreports.com/nsearch?q=FU+rootkit+&cat=remark

Hope this might help. Good luck..................

[internetworld7]

Hi FreewheelinFrank,

Hope I didn't offend you. I was joking about the porn site thing but if all else fails in removing the rootkit, will a fresh install of Windows help? This usually wipes out the C: Drive and a fresh install starts you off new again. Perhaps you have already thought of this and I assume you don't want to do this or maybe this might not work but I can't see how.

[FreewheelinFrank]

No, I'm not offended. I just wanted to make clear that porn links and pop-ups appearing on a computer may actually arrive via an innocent looking site or download.

Ben Edelman has an interesting video on his site showing how they can arrive after downloading a music video clip- something your kids might do innocently.

So it may seem that porn sites are the source of all infection, if every infected computer is infested with porn pop-ups and links, but it's important to point out what the real dangers are.

I'm happy to say I don't have a problem with this rootkit myself. Following the advice in my previous posting, I have never had a virus, worm or Trojan infection.

I started this thread to comment on all the people who were coming to the forum saying 'I have a virus and it keeps coming back.' In many cases this seems to be because they have a rootkit on their system which anti-virus programs will detect but not clean.

Yes, a reinstall will remove it, but it's far better to prevent infection in the first place , especially as other more sophisticated  rootkit infections may not be detected at all. Anybody not aware of the risks and preventative measures may end up with a malware infection which anti-virus programs can not even detect let alone remove.

Malware writers seem to be one step ahead in the arms race with anti-virus developers at the moment, and this thread is intended as a warning.

Have a look at the problems people have had with a rootkit infection and follow the advice in this thread and others in the forum to avoid infection in the first place.

PS, thanks for the interesting link, Kakapo!

[FreewheelinFrank]

Good news! Microsoft are tackling this problem!

Rootkit Detection Coming to Windows AntiSpyware

http://www.eweek.com/article2/0,1895,1838294,00.asp