rootkits suck

Tags: rootkit, trojan, hosts file

Yesterday my pc pops up a message stating that I will need to reboot the pc in order to disable UAC. Ugh. That's no good.

Ran windows defender, and it found nothing (or it found something, but irrelevant).

Later, i noticed one of my websites had a strange floating ad in the lower left corner. Checked a few more sites and some others showed this same ad... so I knew we had a problem. The ads were from a few "second tier" ad services, such as cpxinteractive.com or xtendmedia.com. And, the ads seems to often (or always) be placed in a div with id of _rjkkvyjkph - <div id="_rjkkvyjkph"> (unwanted ad code here etc...)</div>

Ran Malwarebytes to dig it out. It found some rootkit thing that it removed and then rebooted. But, the ads continued to show up in the webpages.

Decided to check the hosts file. I have a tool from Amazify I use for this (Hosts file editor). Opened the file and it looked like a generic empty hosts file... which is actually not good in my case, as I have a number of hardcoded entries usually. Then I noticed the scrollbar showed the file was very long. SCroll down far enough, and sure enough, you find this:


66.185.21.82 www.google-analytics.com.
66.185.21.82 ad-emea.doubleclick.net.
66.185.21.82 www.statcounter.com.
66.185.21.82 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.

Easy enough, we'll delete these and be back in business. But, the editor tool crashed when I tried to save the file, so apparently some other tricks are being employed here.

I tried running Unlocker on the file, but this didnt help things.

Explore to the c:\windows\system32\drivers\etc folder, and I notice there is a hosts.txt file in there. Strange, because hosts file is normally extensionless. Open this file and it looks like it has normal hosts file contents. But apparently it's benn created a decoy- the real file has been hacked all kinds of ways to keep you from repairing it. It is hidden, readonly, and set to be a system file. But even worse, the ownership and permissions have been messed with to prevent even an admin from editing and saving the file.

After a bit of digging online, I found these commands you can run from an admin command prompt which will reset the permissions back so you can edit it once more:


CACLS.EXE C:\WINDOWS\system32\drivers\etc\hosts /G BUILTIN\Users:R
CACLS.EXE C:\WINDOWS\system32\drivers\etc\hosts /E /G "BUILTIN\Power Users:R"
CACLS.EXE C:\WINDOWS\system32\drivers\etc\hosts /E /G BUILTIN\Administrators:F
CACLS.EXE C:\WINDOWS\system32\drivers\etc\hosts /E /G "NT AUTHORITY\SYSTEM:F"
ATTRIB.EXE -S -H +A -R C:\WINDOWS\system32\drivers\etc\hosts

After doing this, I was finally able to save the changes I needed to the hosts file.

I then cleared the caches in my browsers and tried viewing my sites again, but these stupid ads continued to show up. Using fiddler I noticed that the google analytics file was being downloaded and refreshed, but the domain was still resolving to a hacked ip. So I finally flsuhed the dns cache and this cleared things up - by using, again from an admin command prompt:

ipconfig /flushdns

 

So. Now perhaps I can try to get some work done today?

Add a Comment