how to stop a driver from running - it self protected and rootkit hidden

Question

I have this serous problem

For the first time I can not stop a program from running.

Something is on one laptop computer that is run as system legacy driver, and self protected and hidden on service as rootkit.

Anything I try to remove fails.

When a program or anti toolkit try to remove the hidden registry setting for make it stop I get this error : "a device attached to the system is not functioning"

So any idea that can help me stop it from running, or even delete it on start up ?

My one limitation is that the hard drive is on a laptop and I can not remove it and attact it to somewhere else.

This program not let me, touch the registry, do not let me touch the file, do not let me touch the file, The move on boot fail to delete it, the rootrepeal fail to delete it, the rootkiet reveal from sysinternals fail to reveal it ! everything fails.

Do how have any experience on this, or do you have any suggestion how to stop this driver from run ?

Update
I have run the windows command mode, try to reveal the rootkit and stop this service from running. Unfortunately this @#@#@#$ think run as system legacy driver and windows xp run it even on command mode.

Then I try to delete this legacy note, but again this think find it and place it again.

Then I try to not give permission to the legacy note to use by the system - (and when reboot with command mode this not run) but some how by pass the security permissions and place again back everything I remove.

This #@#$@#@ program is run with the services.exe, that keeps all the services and every message I get is coming from services. Its monitor for internet connection ever 5 seconds trying to ping a big list of common url (like amazon, msn, etc) and if he see that is connected is starting sending emails....

For the moment I just have place filter/firewall on email port and block the 80 port on service and this works - this @#@#@ think can not by pass the firewall in this version.

Answer 1

Is this the same system you talk about in this question?

Like I also said on Meta, why not just pop in the system restore CD (that's usually supplied with the system), and let it do its work? Or otherwise just pop in a windows installation CD, format the system drive, and re-install from scratch?

Really, re-installing a rootkit-infected PC takes usually less time than trying to clean it. And I am talking from experience here ;-)

Answer 2

Here is the solution and how I remove this nasty think.

Its takes me 1 hour, I get my old winternals ERD Commander that I have saved from my PC.

Because this is a tablet small pc without dvd, I place the cd I have using peToUsb, into a usb memory and boot the pc from this usb memory.

From the moment I have the regedit offline of the infected pc, this virus can not be active any more and can not protect him self.

So I go and delete inside the offline registry all the reference to this virus, and delete also the files that I have found that load on start up.

Clear all temporary directories, check whats autorun on start up, and thats all. I remove it.

So I reboot, and the virus is not existing any more.

The key here was the old ERD Commander an offline registry editor.

To close - I have never reinstall a full system for reason like this one, and this is what I purpose - even if you get more time, you learn many thinks. And the most important - you learn how to remove the think that affect you, so the next time you do it even faster.

Imaging if I was reinstall my full system, and after the installation an email affect me again, what do I do, reinstall again and again ?. No I not think so.

How I am sure that is totally deleted.

The answer to that is a full tutorial. I will high light here some points for this particular problem

This virus that I do not know his name, is grab services, run as services and send e-mails. Just by monitoring the tcpview this is stopped. So is not run any more.

How I do not know that is not exist any more. Using the autoruns I find all the points that this program was run and initialized, including the service point, and I just located them also on disk and delete them. The point was on temporary directory only for this case.

Actually I am not 100% that I totally remove it, but if its fire again I locate it again. Until now in similar cases I never have this problem - usually stating from one point I find all points that exist.

What is ERD Commander

ERD commander is a tool from the same person that fix process explorer and autorun, is a boot disk that run windows, and grab your windows system so that you can edit registry thinks, run other programs will the system is offline, delete files etc.

Microsoft have buy this tool and is going to include it on new versions of windows, maybe under the name Dart (Diagnostics and recovery toolset) I do not know because I am still on xp. If some one know what ms did this tool, please tell me so.

http://www.microsoft.com/systemcenter/winternals.mspx
http://en.wikipedia.org/wiki/Winternals
http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx

There are too many tutorials about ERD and if you do not know it, then its worth to see it.

ERD Commander is run by a boot CD that the same can create from a good working machine. ERD Commander is not existing any more for sale, I have it some years now because I was fan of sysinternals and winternals, but this is a point for start -search on internet and tell to me whats happened with it. Actual I will make a question here for that.

After all that and after I remove it and not run any more, so its not protected, NOD32 say that xpgplw.sys -> rootkit.agent.nrb trojan

xpgplw.sys I found that this file have 4 random chars, xp????.sys so I locate informations on internet with similar problems, but change the name of this think.

If you ask me why no rootkit remover been able to remove it, I answer because it was loaded as critical driver for the windows and then was auto protect him self.

Answer 3

The latest version of Autoruns from Sysinternals can be used to disable entries (even drivers!) on an offline system and would be a good alternative solution!