About a week ago I re-installed a long-loved computer game which I hadn't played in a while, Max Payne, and because I'm quite the lazy one I decided to crack it so I didn't have to use the CD.
I’ve been getting cracks and patches from one of two websites for a long time now, either gameburnworld.com or gamecopyworld.com and I’ve never had problems with them working before.
But last week when I downloaded a patch for Max Payne I found that after I installed the patch (which didn't work) the file had completely disappeared, including the .rar file.
I immediately thought that this was bad, but I proceeded to download another patch which did work and I didn't have any problems with.
So I ran a full system virus scan with AVG antivirus and it came up with the following results.
So it didn't think that the changed system files (ironically changed at the same time as when I downloaded that patch) were any threat at all.
Call me crazy, but since then my computer has been a bit sloppy and slow under the same weight of programs.
It’s not a flash computer or anything, but it’s almost certainly slower.
AVG doesn't want me to do anything about it, and Spybot and clamware antivirus don't seem to care that they're different, so have you got any suggestions?
With those files modified you could have yourself a rootkit rather than a plain old virus. A rootkit is an infection on steroids. A rootkit is designed to be able to hide and avoid detection. Standard anti-virus tools won’t be able to detect them because they can’t see them. Consider yourself lucky that AVG Antivirus was able to tell you that those files were modified so that you at least have an idea that something has dug into your system.
To find out whether you have a rootkit you need to use an antirootkit tool. That link lists a bunch of freeware antirootkit tools. Run them and see if any of them can find signs of a rootkit infection. Don't be surprised if many of them, or all of them, come back clean. A rootkit that can be detected is a rootkit that isn't doing its job.
If the tools can identify a rootkit infection you can find out if it’s recoverable and cleanable. You may find that the only way to recover is to format the drive and reinstall the OS from scratch.
Ok!
I love you John!
Thanks!
I hope the scanners work, I don’t want to have to do that other thing. That would mean I’d have to back up all of the things I didn’t want to lose, right?
Thanks again,
Ed
Reinstalling from scratch would mean backing up the data you want to keep, reformatting the hard drive, installing the OS, installing all the applications, then getting everything configured again.
If you have a full backup from before you installed the game crack you can restore the backup and go on from there.
Consider your system completely compromised for now. Expect that they have a keylogger installed and are logging any passwords you type in. Consider the password you use here for the forums to be compromised. Don't do any web shopping, web banking, eBay, PayPal or anything else like that with the computer. Consider it completely compromised.
That will give you a little bit more info about what you’re up against. The articles don’t describe the technical issues about what a rootkit is, but they do give the general idea.
I'm generally very pessimistic about cleaning a system after an infection that can give the attacker full access to your computer. The attacker has the ability to remotely log in to the computer, install additional software and make additional changes. There is no telling what exactly those changes are. They also have the ability to download any file(s) from your computer and attempt password cracking on any password-protected files. They can search your entire disk for any files that look like they might contain lists of passwords. So if you have a text file or spreadsheet file that keeps track of your various passwords you should consider those passwords to be compromised as well.
You just can’t be sure that you remove everything and undo everything. The only way to be sure is to reformat the drive and start over (what some call repaving the computer). That’s what I’d do. Wipe the drive and install from scratch (or from a recent disk image that was made before the infection).
If you’re lucky they are only interested in turning your computer into a spam relay. If you’re not lucky they are looking for passwords, bank account info, credit card numbers, and things like that.
Did the antirootkit tools find the rootkit? Did any of the antirootkit tools report the system as being clean and not find the rootkit?
What scares me most is rootkits that get good enough at hiding that the available antirootkit tools can’t find them.
I’m also impressed that AVG Antivirus was able to detect the tampering as the rootkit was installing. AVG Antivirus didn’t actually find and flag the infection but it did pop up a warning saying that files had been modified. To me, seeing what files had been modified, the conclusion was obvious. But a little extra smarts on AVG Antivirus’ part to flag that condition as a possible rootkit install would be a good thing.
Ahh, I tried all of those rootkit scanners, I THINK, but none of them registered anything unusual, so I think I'll just have to go ahead and reformat my hard drive.
And yes, they are scary, because I don't know where it is and if it's actually doing anything or if it is even present…
Interesting. It is almost a certainty that you are infected given the description of what happened. A bit troubling that those antirootkit tools weren’t able to detect a rootkit. That doesn’t bode well for what we’re going to be faced with in the very near future (the present).
There are other antirootkit tools that run from a bootable CD or DVD. They boot Linux or a special version of Windows from the CD and then do a scan of the hard drive. Since you're not booting the infected version of Windows, the rootkit isn't loaded, so it can theoretically be found. The trick is finding it.
Unfortunately I don’t know of any available antirootkit tools that work that way.
But it's only really an academic exercise anyway in trying to identify it or find it. We know it's there given the behavior you witnessed. The smart thing to do is back up all your data and settings, then reformat the drive and reinstall the OS from scratch or from a known good backup.
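The two ideas in the replies above, that the first clue was a set of system files whose contents changed at the moment the crack ran, and that a scan done from clean boot media can compare the disk against what it should contain without the rootkit there to lie about it, are what a file-integrity baseline check does. The script below is an added example written for this thread, not a tool anyone in it used: it snapshots SHA-256 hashes of every file under a directory into a manifest, then diffs a later snapshot against it and reports modified, missing and added files. The `system32` directory and the DLL and driver names in `demo()` are constructed stand-ins built in a temporary folder, and the manifest format is this example's own.

```python
"""File-integrity baseline check, as an offline rootkit scanner would do it.
Added example for this thread; the file names below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its hash.
    Symlinks are skipped so a link pointing outside root can't smuggle in content."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_baseline(manifest: dict, dest) -> None:
    """Write the manifest as JSON. Keep this copy OFF the machine being checked;
    a rootkit that can edit system files can edit a manifest stored beside them."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests. 'modified' is the interesting set for a rootkit:
    a system binary whose bytes changed without an update is exactly the
    symptom described in the thread. 'added' catches dropped drivers/DLLs."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: snapshot a fake system32, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"original kernel32 bytes")
        (sys32 / "ntdll.dll").write_bytes(b"original ntdll bytes")

        manifest_path = Path(tmp) / "baseline.json"  # in real use: external media
        save_baseline(build_baseline(tmp), manifest_path)

        # Simulated infection: one system file patched, one driver dropped in,
        # one file deleted. The manifest itself is excluded from the rescan.
        (sys32 / "kernel32.dll").write_bytes(b"original kernel32 bytes + hook")
        (sys32 / "rk.sys").write_bytes(b"constructed driver payload")
        (sys32 / "ntdll.dll").unlink()

        baseline = load_baseline(manifest_path)
        current = {k: v for k, v in build_baseline(tmp).items() if k != "baseline.json"}
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats matter in practice. The baseline has to come from a machine you trust, ideally a fresh install or vendor media; a snapshot taken after the crack ran just records the tampered files as normal. And the hashes only mean something when the rescan is run from clean boot media or against the drive mounted on another machine: a kernel rootkit inside the running Windows can return the original bytes to a hashing tool while the on-disk file is modified, which is the same reason the poster's in-OS antirootkit scanners could all come back clean.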
And if nothing is found, are you sure you didn't press Run instead of Download? Check your temporary folders in C:\Documents and Settings\user\Local Data or something similar.