Sean’s Sicily


Archive for May 23rd, 2008

HLDRRR Infection


Erika got infected with HLDRRR the other day – fortunately she had just bought a brand new Asus M50SA which she has been able to use, because getting rid of this rootkit is a freaking nightmare.

Reading the internet, I see that a lot of people don’t understand exactly what a rootkit is, and are surprised when Task Manager etc. can’t find it or can’t stop it.

Folks, when you have a rootkit, you cannot TRUST your system anymore! Anything the infected system tells you (Task Manager, Explorer, the registry editor) may have been filtered by the rootkit before you see it. The only solution is to boot from an external read-only source (such as a live CD or a read-only USB key) and track down where the rootkit has installed itself. The good news is that the rootkit has to persist somewhere to survive a reboot, almost always through a registry entry (a driver or service entry, or a Run key) pointing at its files on disk, and usually you can find out where by checking on the internet.

First let’s describe some symptoms:

  • Anti-Virus gets turned off and/or deleted and/or uninstalled
  • Firewall meets the same fate
  • You may get the blue screen of death if the rootkit crashes a vital Windows process while injecting itself into it.

Got that? Now you’re infected. Here’s how to tell:

  • Internet or network connection crashes or slows right down
    • That’s because you are now the proud host of a rooted box, and it’s using all your bandwidth to download malware and porn…
  • Computer seems really busy but there are no obvious processes in Task Manager eating up all your CPU
    • That’s because the rootkit hides its own processes from Task Manager while it’s busy hiding all that malware and porn, or cracking your password files…
  • Can’t boot into Safe Mode
    • That’s because if you could boot into Safe Mode, you could stop the rootkit from running and uninstall it…

Here’s what NOT TO DO:

  • Ignore the issue… because it WON’T go away.
  • Start using internet banking… because you can kiss your money goodbye.

Here’s what to do if you have gotten HLDRRR:

  • Delete the Megadrv3 device (follow the instructions from Alireza Peyman).
  • Log out straight away.
  • On another computer, research, research, research. These things change all the time.
  • Get someone else to download BartPE and create a Live CD.
  • Reboot your computer with the CD in the drive.
  • Delete everything in [windows]\system32\drivers\down.
  • Browse your system and delete everything in every Temp directory, which includes Temporary Internet Files.
  • No, really, find every Temp/Temporary/Temporary Internet Files directory, and delete everything.
  • Delete [windows]\system32\hldrrr.exe.
  • Create a new empty, read-only file called hldrrr.exe in its place (it occupies the path so the dropper cannot simply write itself back, and it lets you tell after the reboot whether anything tried).
  • Delete [windows]\system32\hidr.exe.
  • Create a new empty, read-only file called hidr.exe.
  • Delete [windows]\system32\srosa.sys.
  • Create a new empty, read-only file called srosa.sys.
  • Delete [windows]\system32… etc. etc.
  • Create a new… etc. etc.
  • Delete anything else that the internet suggests, if you can find it (mdelk.exe, wintems.exe, but the names change frequently!).
  • Load the offline registry hives from [windows]\system32\config (at least SYSTEM and SOFTWARE) into the Live CD’s registry editor (follow the instructions). Make sure you are editing the hives from the hard disk, not the Live CD’s own registry.
  • Find all references to hldrrr and delete them.
  • Find all references to hidr and delete them.
  • Find all references to srosa.sys and delete them, including any service or driver entry that loads it.
  • Find all references to… (get the picture yet?)
  • Unload the hives.
  • Remove the disk and reboot.
  • Check that the device you deleted in the first step is still gone.
  • Check that the empty, read-only files you created above are still visible, still read-only and still 0 KB. If one has grown or become writable again, something survived and re-dropped it.
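The offline principle above (never trust, or run anything from, the infected system; fix it from read-only media) and the file and registry steps of the list, as one script. This is an added example, not code from the original post, and it assumes a PowerShell-capable WinPE or live boot rather than the XP-era BartPE the post uses. Every name in it is an assumption you adjust: the infected Windows installation is mounted read-write at D:\Windows, and the component names are the ones the post lists (they change between variants, so extend $Names from current research first). Registry hits are only reported unless you pass -RemoveRegistryHits, so you can review them before deleting.

```powershell
<#
  Added example (not from the original post). Run from a PowerShell-capable
  WinPE / live boot against the OFFLINE Windows installation, never from inside
  the infected OS. Assumptions: infected volume mounted read-write at D:, and
  the component names are the ones the post lists; extend them before running.
#>
param(
    [string]   $OfflineWindows = 'D:\Windows',
    [string[]] $Names = @('hldrrr.exe', 'hidr.exe', 'srosa.sys', 'mdelk.exe', 'wintems.exe'),
    [switch]   $RemoveRegistryHits,   # default is report-only: review the hits, then re-run with this
    [switch]   $VerifyOnly            # the post-reboot check of the placeholders, nothing else
)
$ErrorActionPreference = 'Stop'
$sys32  = Join-Path $OfflineWindows 'System32'
$volume = (Split-Path -Qualifier $OfflineWindows) + '\'

function Clear-Directory([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# The check the post does after rebooting: each placeholder must still exist,
# still be 0 bytes and still be read-only. Anything else means a surviving
# component re-dropped its file. Returns $true only if every placeholder is intact.
function Test-Placeholders([string]$System32, [string[]]$Names) {
    $clean = $true
    foreach ($n in $Names) {
        $f = Get-Item -LiteralPath (Join-Path $System32 $n) -ErrorAction SilentlyContinue
        if (-not $f -or $f.Length -ne 0 -or -not $f.IsReadOnly) {
            Write-Warning "SUSPECT: $n is missing, non-empty or writable again"
            $clean = $false
        }
    }
    return $clean
}

if ($VerifyOnly) { exit ([int](-not (Test-Placeholders $sys32 $Names))) }

# 1. Wipe the dropper's download cache.
Clear-Directory (Join-Path $sys32 'drivers\down')

# 2. Empty every Temp / Temporary Internet Files directory on the volume.
Get-ChildItem -Path $volume -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in @('Temp', 'Tmp', 'Temporary Internet Files') } |
    ForEach-Object { Clear-Directory $_.FullName }

# 3. Replace each component with an empty, read-only placeholder that occupies
#    its path, so a surviving component cannot simply write the file back.
foreach ($n in $Names) {
    $p = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    New-Item -ItemType File -Path $p -Force | Out-Null
    Set-ItemProperty -LiteralPath $p -Name IsReadOnly -Value $true
}

# 4. Mount the offline SYSTEM and SOFTWARE hives under HKLM and find every key or
#    value whose name or data mentions a component (the service entry that loads
#    the .sys, Run-key entries for the .exe files, ...). Keys are walked
#    children-first so a matching parent is only removed after its children.
$pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($hive in 'SYSTEM', 'SOFTWARE') {
    $mount = "HKLM\Offline_$hive"
    reg.exe load $mount (Join-Path $sys32 "config\$hive") | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load the offline $hive hive (needs an elevated / SYSTEM shell)" }
    $keys = @(Get-ChildItem -Path "Registry::$mount" -Recurse -ErrorAction SilentlyContinue)
    [array]::Reverse($keys)
    foreach ($k in $keys) {
        if ($k.PSChildName -match $pattern) {
            Write-Output "KEY   $($k.Name)"
            if ($RemoveRegistryHits) { Remove-Item -LiteralPath "Registry::$($k.Name)" -Recurse -Force }
            continue
        }
        foreach ($vn in $k.GetValueNames()) {
            $data = [string]$k.GetValue($vn, $null, 'DoNotExpandEnvironmentNames')
            if ($vn -match $pattern -or $data -match $pattern) {
                Write-Output "VALUE $($k.Name)\$vn = $data"
                if ($RemoveRegistryHits) { Remove-ItemProperty -LiteralPath "Registry::$($k.Name)" -Name $vn -Force }
            }
        }
    }
    $keys = $null; [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release key handles or unload fails
    reg.exe unload $mount | Out-Null
}

Test-Placeholders $sys32 $Names | Out-Null
```

Run it once report-only, read the KEY and VALUE lines against what your research says the current variant installs, then run it again with -RemoveRegistryHits. After the reboot, boot the live media again and run it with -VerifyOnly: a non-zero exit means a placeholder was replaced or grew, and you should assume the infection survived.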

You may, or you may not, have gotten rid of this infection. If either of the final checks fails, assume you haven’t.

See my next post for what to do if you just want to give up, but want to save all your files!

Written by seancasaidhe

May 23, 2008 at 7:57 am

Posted in Work
