Sean’s Sicily

Just another WordPress.com weblog

HLDRRR Infection


Erika got infected with HLDRRR the other day – fortunately she’s just bought a brand new Asus M50SA which she has been able to use, because getting rid of this rootkit is a freaking nightmare.

Reading the internet I see that a lot of people don’t understand exactly what a rootkit is, and are surprised when Task Manager etc. can’t find it, or can’t stop it.

Folks, when you have a rootkit, you cannot TRUST your system anymore! The only solution is to boot from an external read-only source (such as a live CD or a read-only USB key) and track down where the rootkit has installed itself. The good news is that the rootkit has to be in your registry somewhere, and usually you can find out where by checking on the internet.

First let’s describe some symptoms:

  • Anti-Virus gets turned off and/or deleted and/or uninstalled
  • Firewall meets the same fate
  • You may get the blue screen of death if the rootkit crashes some vital Windows process while inserting itself into it.

Got that? Now you’re infected. Here’s how to check:

  • Internet or network connection crashes or slows right down
    • That’s because you are now the proud host of a rooted box, and it’s using all your bandwidth to download malware and porn…
  • Computer seems really busy but there are no obvious processes in Task Manager eating up all your CPU
    • That’s because it’s busy hiding all that malware and porn, or cracking your password files…
  • Can’t boot into Safe Mode
    • That’s because if you could boot into Safe Mode, you could stop the rootkit from running and uninstall it…

Here’s what NOT TO DO:

  • Ignore the issue… because it WON’T go away.
  • Start using internet banking… because you can kiss your money goodbye.

Here’s what to do, if you have gotten HLDRRR:

  • Delete Megadrv3 device (follow instructions from Alireza Peyman).
  • Log out straight away.
  • On another computer, research, research, research. These things change all the time
  • Get someone else to download BART PE and create a Live CD
  • Reboot your computer with the CD in the drive
  • Delete everything in [windows]\system32\drivers\down.
  • Browse your system and delete everything in every Temp directory, which includes Temporary Internet Files
  • No, really, find every Temp/Temporary/Temporary Internet Files directory, and delete everything
  • Delete [windows]\system32\hldrrr.exe
  • Create a new empty read-only file called hldrrr.exe
  • Delete [windows]\system32\hidr.exe
  • Create a new empty read-only file called hidr.exe
  • Delete [windows]\system32\srosa.sys
  • Create a new empty read-only file called srosa.sys
  • Delete [windows]\system32\… etc. etc.
  • Create a new… etc. etc.
  • Delete anything else that the internet suggests, if you can find it (mdelk.exe, wintems.exe, but the names change frequently!)
  • Load up your registry (follow the instructions)
  • Find all references to hldrrr and delete them
  • Find all references to hidr and delete them
  • Find all references to srosa.sys and delete them
  • Find all references to… (get the picture yet?)
  • Unload your registry
  • Remove the disk and reboot.
  • Check if the Megadriv3 device is still uninstalled.
  • Check if the empty, read-only files you created above are still visible and are still 0 KB.
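As an added check for those last two steps (example code written for this post, not the author’s own), the following PowerShell script re-tests the indicators the post names after the reboot: the placeholder files, the emptied drivers\down directory, and registry references. The file and directory names come from the post; the autostart key paths are a standard set assumed here, not ones the post lists.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the cleaned machine. If the rootkit is still active it can hide
# files and keys from this check, so a clean result is necessary, not sufficient.
$system32     = Join-Path $env:SystemRoot 'System32'
$placeholders = @('hldrrr.exe', 'hidr.exe', 'srosa.sys')   # names from the post
$names        = @('hldrrr', 'hidr', 'srosa')               # registry search terms
# 1. Each placeholder should still exist, be 0 bytes and read-only.
foreach ($name in $placeholders) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is missing (placeholder deleted?)"
        continue
    }
    $file = Get-Item -LiteralPath $path -Force
    if ($file.Length -ne 0) {
        Write-Warning "$path is $($file.Length) bytes; the malware may be back"
    } elseif (-not $file.IsReadOnly) {
        Write-Warning "$path is no longer read-only"
    } else {
        Write-Output "OK: $path is an empty, read-only placeholder"
    }
}
# 2. system32\drivers\down was emptied during cleanup and should stay empty.
$down = Join-Path $system32 'drivers\down'
if ((Test-Path -LiteralPath $down) -and (Get-ChildItem -LiteralPath $down -Force)) {
    Write-Warning "$down is not empty again"
}
# 3. Look for the names in common autostart keys and the service list
#    (assumed locations; the post only says "find all references").
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $items = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $items) {
        foreach ($vn in $k.GetValueNames()) {
            $v = [string]$k.GetValue($vn)
            foreach ($n in $names) {
                if ($k.Name -match $n -or $v -match $n) {
                    Write-Warning "Reference to '$n': $($k.Name)\$vn = $v"
                }
            }
        }
    }
}
```

Any warning from section 1 or 2 means the cleanup did not hold; a hit in section 3 is a registry entry the post’s “find all references and delete them” step missed.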

You may, or you may not, have gotten rid of this infection.

See my next post for what to do if you just want to give up, but want to save all your files!


Written by seancasaidhe

May 23, 2008 at 7:57 am

Posted in Work


3 Responses


  1. Thank you for this post. I managed to get rid of this evil because of it.

    Paul G

    May 27, 2008 at 9:11 pm

  2. […] on May 29th, 2008 We hadn’t succeeded after all in cleaning the PC of this crap. After my previous post, Erika and I spent a long evening attacking this thing without any victory at all. I was all for […]

  3. Hey thanks Paul, glad to have helped!

    seancasaidhe

    May 29, 2008 at 4:43 pm
