08 Jul 09

Kindly Remove My Rootkit

[Image: Rootkit Activity Detected]

It would seem that even being a somewhat responsible computer user can’t stop you from getting a rootkit. Last night, my computer, using nzbtv and Newzbin, downloaded from USENET, for my girlfriend, what it believed to be True Blood, the latest episode of a publicly released television show, from its rightful copyright holder. When sabnzbd was done extracting it, I was left with a .exe and a bunch of RAR files. It appeared to be a self-extracting archive that WinRAR created, but I was suspicious. So, like any good little boy would do before running files from an untrusted medium, I scanned the file with AVG.

AVG detected no viruses or suspicious behavior at all, so I took that as a clean bill of health… my mistake. The file did actually extract a video, which was the previous week’s episode. I thought everything was still fine, but a few seconds later, AVG Resident Shield started popping up saying all kinds of files that start with hjgrui*.dll were infected in my C:\Windows\System32 directory. I went back to the post on Newzbin and sure enough it was then tagged SPAM/VIRUS with all kinds of comments on it; I wish I had checked the community’s reaction first. Apparently NOD32 was detecting the virus for its lucky users. Another user said he fell into the same trap as me and “should have known better,” but that he got rid of it with ComboFix.

I ran ComboFix in safe mode and it popped up the dialog you see here in the post (click to make it larger). The title of this post comes from the sentence in the dialog that reads: “Kindly note down on paper, the name of each file.” Grammatically incorrect sentences that sound like little old ladies wrote them crack me up when juxtaposed with a rootkit detection warning. ComboFix was able to completely remove the infection and AVG Resident Shield no longer shows any traces, but it makes me uncomfortable running a previously compromised machine. I’m going to upgrade to Windows 7 as soon as it’s released and do a clean install.

I’m not sure what the dolts who make and post this kind of crap get out of it, unless it’s some sick version of computer schadenfreude, but my guess is that it’s to make computers into botnets for attacks/spam, something of which I’d like no part. This just goes to show, even an experienced software developer is capable of accidentally installing a rootkit trojan, so never be complacent and never let down your guard when dealing with untrusted sources. When in question, just don’t run it, even if it promises to be something you want. Do as I say, not as I’ve done.
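The lesson of the first two paragraphs is that a clean AV scan says nothing about what a self-extracting .exe will do when run: the stub is arbitrary code, and the only safe move is to never execute it. A genuine WinRAR SFX is a small PE stub with the RAR archive appended behind it, so the contents can be reached by carving the archive out and opening it with an archiver instead of running the .exe. The script below is an added example, not code from the original post; the sample bytes are constructed and the 64-byte "PE stub" is a stand-in, not a real DOS/PE header. It reports whether a download is a PE at all, whether and where a RAR4 or RAR5 marker block appears, hashes the file for a reputation lookup, and carves the archive. The caveat stands: the post's file did extract a video, so an archive being present proves nothing about the stub.

```python
import hashlib
import sys
from typing import Optional, Tuple

# Marker blocks that a WinRAR self-extracting stub appends its archive behind.
RAR4_MARKER = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0+


def find_rar_marker(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset, version) of the earliest RAR marker in data, or None."""
    found = None
    for marker, version in ((RAR4_MARKER, 4), (RAR5_MARKER, 5)):
        idx = data.find(marker)
        if idx != -1 and (found is None or idx < found[0]):
            found = (idx, version)
    return found


def triage(data: bytes) -> dict:
    """Describe a supposed SFX download without executing it."""
    is_pe = data[:2] == b"MZ"          # DOS 'MZ' magic every Windows PE starts with
    marker = find_rar_marker(data)
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # for a reputation lookup
        "size": len(data),
        "is_pe": is_pe,
        "rar_offset": marker[0] if marker else None,
        "rar_version": marker[1] if marker else None,
    }
    if not is_pe:
        report["note"] = "not a Windows executable"
    elif marker is None:
        report["note"] = "PE with no RAR archive appended: not a WinRAR SFX at all"
    else:
        report["note"] = (
            "PE stub of %d bytes followed by a RAR%d archive; the stub is still "
            "untrusted code, so open the carved archive instead of running the .exe"
            % (marker[0], marker[1])
        )
    return report


def carve_archive(data: bytes) -> Optional[bytes]:
    """Return the appended RAR archive bytes so an archiver can open them directly."""
    marker = find_rar_marker(data)
    return data[marker[0]:] if marker else None


# Constructed samples: a fake 104-byte stub with a RAR4 archive appended, and a
# plain executable with nothing appended.
SAMPLE_SFX = b"MZ" + b"\x00" * 62 + b"STUB" * 10 + RAR4_MARKER + b"<archive data>"
SAMPLE_PLAIN_EXE = b"MZ" + b"\x00" * 62 + b"no archive here"


if __name__ == "__main__":
    # Usage: triage_sfx.py [suspicious.exe] [carved_out.rar]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SFX
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
    carved = carve_archive(blob)
    if carved is not None and len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(carved)
        print(f"wrote {len(carved)} archive bytes to {sys.argv[2]}")
```

With a real download, the carved .rar opens in WinRAR or 7-Zip like any other archive, and the rest of the multi-volume set already sits beside it as .rar files, so there is no reason to run the stub at all.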


5 Responses to “Kindly Remove My Rootkit”


  1. Phil, Jul 14th, 2009 at 7:31 am

    Hello Chris,

    just want to thank you for this “kindly written blogpost” :)
    I’ve removed the same rootkit tomorrow, after reading about combofix in your article.

    Nice blog, go on!
    Phil from Germany

  2. Chris, Jul 14th, 2009 at 9:56 am

    Excellent Phil! I’m glad you were able to fix it.

  3. Lee, Jul 15th, 2009 at 9:47 am

    I promise I won’t make any snide remarks about an experienced software developer running as an administrator on his home machine. Promise. :)

  4. Chris, Jul 15th, 2009 at 9:55 am

    LOL Lee! So true! I made a decision for my personal machine of convenience over security, and it directly contributed to this. I’m too stubborn though. Admin on my home box for life (with UAC turned off)!

  5. Bill, Jul 25th, 2009 at 3:04 pm

    Chris,
    Thanks for the info and link to combofix. I’ve used gmer, but it’s not able to catch the main file or whatever is loading this garbage. At the end of your article, you wondered what they get out of doing this crap. From what I’m seeing on my machine, every time I do a Google or Yahoo search, I get a list of sites as normal. But when I click to go to a site, I am redirected to different sites. The only way to go to the site I wanted to go to is to copy or type in the URL in the address box.
