newzbin

  • Kindly Remove My Rootkit

    Rootkit Activity DetectedIt would seem that even being a somewhat responsible computer user can’t stop you from getting a rootkit. Last Night, my computer, using nzbtv and Newzbin, downloaded from USENET, for my girlfriend, what it believed to be True Blood the latest episode of a publicly released television show from its rightful copyright holder. When sabnzbd was done extracting it, I was left with a .exe and a bunch of RAR files. It appeared to be a self-extracting archive that WinRAR created, but I was suspicious. So, like any good little boy would do before running files from an untrusted medium, I scanned the file with AVG.

    AVG detected no viruses or suspicious behavior at all, so I took that as a bill of good health… my mistake. The file did actually extract a video, which was the previous week’s episode. I thought everything was still fine, but a few seconds later, AVG Resident Shield started popping up saying all kinds of files that start with hjgrui*.dll were infected in my C:\Windows\System32 directory. I went back to the post on Newzbin and sure enough it was then tagged SPAM/VIRUS with all kinds of comments on it; I wish I had checked the community’s reaction first. Apparently Nod32 was detecting the virus for its lucky users. Another user said he fell into the same trap as me and “should have known better,” but that he got rid of it with ComboFix.

    I ran ComboFix in safe mode and it popped up the dialog you see here in the post (click to make it larger). The title of this post comes from the sentence in the dialog that reads: “Kindly note down on paper, the name of each file.” Grammatically incorrect sentences that sound like little old ladies wrote them crack me up when juxtaposed with a rootkit detection warning. ComboFix was able to completely remove the infection and AVG Resident Shield no longer shows any traces, but it makes me uncomfortable running a previously compromised machine. I’m going to upgrade to Windows 7 as soon as it’s released and do a clean install.

    I’m not sure what the dolts who make and post this kind of crap get out of it, unless it’s some sick version of computer schadenfreude, but my guess is that its to make computers into botnets for attacks/spam, something of which I’d like no part. This just goes to show, even an experienced software developer is capable of accidentally installing a rootkit trojan, so never be complacent and never let down your guard when dealing with untrusted sources. When in question, just don’t run it, even if it promises to be something you want. Do as I say, not as I’ve done.