Do I have a rootkit?

    #501438

    My computer has been behaving churlishly of late, including refusal to install software because it violates group policy. My Win 7 Pro, my wife’s Home Premium, and a Win Hate point one portable are the only machines on my home network. I have never set any kind of group policy or even thought about it. Investigating how to get control of my group policy, I ran into some very troubling posts about a four-year-old Chinese rootkit that seems to be the worst thing in the world:
    Google GPU Para-Virtualization Root-Kit
    Google Rakshasha Malware
    Google Mebromi

    Does anybody have any experience with these or with why I should have group policy problems when I am the (clueless) admin?

    • #1520540

      Dan,

      Do you have Cryptoprevent installed?

      Zig

    • #1520546

      I had it installed but it gave me so much trouble (I just remember the trouble, not what it was, specifically) that I removed it. How will that prevent a rootkit from loading?

    • #1520576

      Dan,

      It will prevent any programs that look like they might be rootkits from installing, unless you’ve “whitelisted” them. You probably haven’t really removed Cryptoprevent’s modifications, as those are settings in your computer. Suggest you reinstall it, then remove the restrictions previously set.

      Zig

    • #1520580

      Topic moved to Security & Scams.

      • #1520934

        Every so often, usually in the evenings, my computer becomes conditionally useless.

        Intel Core i5 CPU K655 @3.2 GHz x64, P7P55LX mobo, Windows 7 Pro SP1 64 bit patched.

        PaleMoon browser, a Firefox variant, is always running and commonly set to the weather radar page which runs a Flash player plugin so that I can watch local thunderstorms. It is set to auto-update every so often (important because a normal 2-second update can drag out over 10 minutes or more).

        Mark Russinovich’s Process explorer (v14.11, newer versions won’t install) is up, showing system information cpu usage. This graph usually shows < 20% usage and DOES NOT CHANGE even though the machine is locked up and appears to have no clock cycles.

        If Winword (2007) is running, I can continue writing in the document but not save it.

        Programs can neither be launched nor closed.

        I have NetWorx but have not been paying attention to it.

        Cryptoprevent went on this morning.

    • #1521010

      I used to have CryptoPrevent installed but found it was blocking Control Panel cmds and used IOBit Uninstaller to remove it.

      Did your suspected rootkit problems start after the removal of C/P?

      The free version of MBAM has a Rootkit scan option and ESET Online Free Scanner is pretty good at finding what shouldn’t be there as well as Norton Power Eraser, but that can take out legit programs.

      Checking to see if you have the same problems when booted up into Safe Mode with Networking could tell you if it’s any 3rd party that’s causing problems, but if in doubt then it would be advisable to register on a forum that has specialist disinfection experts.

      Satrow recommended one for a member who appeared to have a Fake BSOD infection but can’t remember what it was.

    • #1521011

      Sudo,

      Control Panel commands (.cpl) can be unblocked in Cryptoprevent, if you wish.

      The OP should reinstall Cryptoprevent, then set the protection to “None” on the Selected Protection Level screen, then reboot.

      Zig

    • #1521017

      I didn’t like it anyway as it seemed a bit intrusive for me and seemed to want to take over the laptop, but I didn’t go into it to see what could be excluded.

      I use HitmanPro.Alert2 which has Crypto Guard and watches your browser.

      Did try HitmanPro.Alert3 but it was causing problems.

    • #1521059

      I tried free crypto prevent last year and removed it last year, the slow-down is from a couple of months ago. I have both Vipre and Malwarebytes (I’m a paranoid SOB) on my machine. Nobody finds nothin’.

      Next time I experience a slowdown, I’m going to start looking at bandwidth usage with NetWorx. I am most bothered by having process explorer completely unaware that the CPU is running at 100%.

      I’m a geologist and I understand my computer only dimly. The more I read and experience, the more convinced I am that the criminals are completely in charge; the systems are so irreducibly complex. The thread that described the GPU Para-Virtualization Root-Kit suggested that the disks with my images are corrupt, and I’m worried that getting these images onto a clean machine may be impossible.

    • #1521064

      Ironically, it’s probably Vipre’s root kit detection during a scheduled scan which causes your 100% CPU usage:

      Quick Fix: SBAMsvc.exe causing 100% CPU utilization

      And Vipre has caused similar problems for WS Lounge members in the past:

      alert: 100 percent CPU with VIPRE for some

    • #1521593

      Brother, here we go again.

      At 17:00, in accordance with the schedule, Vipre ran a scan. With Process explorer System Information graph on the screen, I watched SBAMSvc use all four of the CPU cores. It was done in about 15 minutes.

      Close to 18:00, the computer dragged to a near halt. The weather bureau flash updates dragged out over many minutes, no programs could be started or closed. Networx did not show any unusual communications activity.

      Interestingly enough, cores 1 and 3 dropped to very low activity while 0 and 2 were 10 to 20%.

      I don’t know where to go from here. I can read while the computer goes walkabout but I really would like to know why.

    • #1521658

      It could be very high disk activity due to lack of RAM. Check those figures in Task Manager.

      cheers, Paul

      • #1521728

        This machine has 16 GB of RAM and I have never seen more than half reported in use by Process Explorer. This with Lightroom and IMatch5 running. The old saw, “You can’t have too much memory,” seems not to be true (I am running 64 bit). I wonder if there is something wrong with memory management.

        I am also wondering if there is something wrong with Process Explorer. I am using an older version because, like many people, I am unable to install more recent versions on my Win 7 machine. “Unable to extract 64-bit image. Run Process explorer from a writeable directory.” No directory I try is “writeable.”

        The machine crawls to a near halt, my attempts to use some running programs get the little spinning circle, others work. The four graphs in System Information, meanwhile, show normal activity with physical memory 80% CPU system Idle. I do not hear disks thrashing (but I’m old). NetWorx shows no abnormal I/O.

        This is very strange.

    • #1521733

      I am unable to install more recent versions on my Win 7 machine. “Unable to extract 64-bit image. Run Process explorer from a writeable directory.” No directory I try is “writeable.”

      Still sounds suspiciously like Cryptoprevent. Have you tried reinstalling Cryptoprevent, setting the protection to “None,” rebooting, THEN uninstalling it?

      Zig (who’s nothing if not persistent)

      • #1521765

        Still sounds suspiciously like Cryptoprevent. Have you tried reinstalling Cryptoprevent, setting the protection to “None,” rebooting, THEN uninstalling it?

        Zig (who’s nothing if not persistent)

        Are you suggesting that CryptoPrevent is its own form of malware? I had it on the machine last summer, it turned into DannyPrevent, getting in the way, so I removed it (I thought). I just put it back following a suggestion on this thread.

        What should I do, set the protection to “none,” reboot the computer, and then try to install the latest version of Process explorer?

    • #1521766

      There are some settings that can be made to the Group Policy that are intended to stop CryptoLocker, but they can also prevent some software installing.

      If you are getting a message that it is unable to extract, then it may be a self-extracting zip file that’s being stopped by the Group Policy settings. Try changing the extension from EXE to ZIP and then see if you can open it that way and manually extract the files to a setup folder.
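      Added diagnostic, not from any poster in this thread: the Group Policy settings described above are Software Restriction Policy (SRP) rules, and Windows records each file SRP blocks as an Application-log event that names the file and the rule. This script lists the configured SRP path rules and the recent block events so an installer or extraction failure can be matched to a specific rule rather than guessed at; it assumes the standard SRP registry location and event IDs 865-868, and should be run from an elevated PowerShell prompt.

```powershell
# Added diagnostic (not from the thread): list Software Restriction Policy rules and
# recent SRP block events. Assumes the standard SRP key under ...\Safer\CodeIdentifiers.
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

foreach ($hive in 'HKLM', 'HKCU') {
    $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { continue }     # no SRP configured in this hive

    $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -ne $default) {
        "$hive default level: $($levelNames[[int]$default])"
    }

    # Each security level is a numeric subkey; path rules live under <level>\Paths\{GUID}
    # with the governed path in ItemData. Disallowed rules are the ones that block installs.
    foreach ($levelKey in Get-ChildItem -Path $base) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level    = [int]$levelKey.PSChildName
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            "{0,-12} {1,-40} {2}" -f $levelNames[$level], $rule.PSChildName, $p.ItemData
        }
    }
}

# SRP logs every block to the Application log (source SoftwareRestrictionPolicies,
# IDs 865-868; 866 is "restricted by location" from a path rule). The message names the
# blocked file and the rule GUID, which can be matched against the list printed above.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolicies*' }
foreach ($e in $events) {
    "{0:u}  {1}" -f $e.TimeCreated, $e.Message
}
```

      If no Disallowed rule covers the folder you ran the installer from and no block event is logged at the time of the failure, the cause is something other than Group Policy restrictions.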

    • #1521770

      Figuring that the best way is to start at zero, I downloaded PE 16.05 as a zip file from MS into a folder on my desktop. I used Powerdesk to extract the contents into that folder, one of which was procexp.exe. Running that got me “Unable to extract …” Same old same old.

      I have not yet set CryptoPrevent to “none” and rebooted.

    • #1522033

      If your slowdown is experienced only when updating the weather every 2 seconds in Tucson AZ this time of year (“the monsoons”), it may be because of the load by all of your fellow Tucsonans (and likely anyone else in the Sonoran Desert) doing the same. Tucson has the most spectacular storms in the world this time of the year, which usually occur at night and when most people are home.

      Does any other app slow down especially if you close the browser?

      Cryptoprevent will not affect already installed malware, nor will it likely block all rootkits. It was designed to block some ransomware via automating Group Policy changes.

    • #1522037

      I guess I was not clear. Update of the radar “video” occurs about every 5 minutes. The process takes 1-2 seconds under normal conditions, dragged out to 5 minutes or longer when things slow to a crawl.

      We do have some spectacular storms. I have a surge protector on the service at the breaker box and a UPS on the computer.

      Other things are going wrong on this box. Half of a mirrored drive pair failed and I had to fix that. The video card is apparently dying, one (of three) monitor is intermittent and another reported “No cable” on a restart about an hour ago. Shutdown, cool, and restart got the same thing and that cable has not been touched in months. I’m down to two (poor me). I have an old card in a box at my shop.

      I no longer think I have a rootkit, just some “computer” things happening that I’m going to try to recover.

      I heartily thank everyone who has contributed to this mess, I’ve learned some things (always good) and truly appreciate the help. If I can figure out how, I am going to mark this closed.
