Rootkit In Spyware?
So, I was fixing my aunt’s machine the other day, and I came across something… interesting.
Before I tell you what I found, I want you to be aware of some facts:
The computer in question is in a house where the kids have moved out, so the only time it gets any real use is via e-mail and the occasional Web surfing.
No filesharing goes on. The family is paranoid about getting sued.
The family treats the computer like a really complicated word processor. Aside from the occasional digital camera dump, they hardly use it for anything else but e-mail and word processing.
They now use Firefox. After being infected with so much spyware to the point that the machine was unusable, I set them up with a decent Firefox install and keep their system up to date.
They’re protected by a router, software firewall, anti-virus, and anti-spyware.
Everything is kept up to date. The automatic updates of every program (including Windows update) ran smoothly. Nothing had to be updated when I accessed the machine.
With those facts in mind, I was shocked to find Hacker Defender installed on the machine.
I’m not going to go through a long story on how I came to find the rootkit; suffice it to say it was a long and painful process involving a debugger and coffee. It also helped that a certain DLL had “[Hacker Defender]” placed inside of it.
What confused me is that I don’t normally come across rootkits when I clean spyware. For the most part, booting into safe mode and using Hijack This to manually remove the garbage works. Where did my aunt get a rootkit? An investigation was needed.
Browsing through their machine, I noticed that they don’t use anything, ever. Aside from playing the occasional game of hearts, they don’t do anything that would be considered “non productive.” Hell, they don’t have a single filesharing system installed.
They don’t use Internet Explorer, except for one Web site that uses some quirks of IE to submit form data (it’s a nursing site from a pretty big hospital). However, I noticed something very interesting: when I used IE, it never asked me if I wanted to install ActiveX controls. That was curious, to say the least. Going through the system history, I started to notice a browsing pattern: after using the nursing site, they would go to various Web sites using IE. They would also visit adult Web sites using IE, which I found odd, because Firefox would work in that situation.
Digging a little deeper, I discovered that the adult Web sites in question all had “live cams” which didn’t use Java, but an ActiveX plugin. I can only assume that someone taught these folks how to disable the ActiveX warning in IE so that when they visited other Web sites the cams would just start up without any hassle.
My investigation pretty much ended there. Ad-Aware showed that several scans had come up positive, and the dates of those positives lined up nicely with the days they had accessed the adult Web sites. It is curious, though, that the spyware infections found were relatively minor (although one infection, sheriff, was a particularly nasty variant that needed manual removal).
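The date matching described above, done by hand here, is easy to script. The following is an added example, not code from the post: it lines up each positive anti-spyware scan with the Internet Explorer visits recorded in the hours before it. The scan lines, history lines, hostnames and the six-hour window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the post): scanner results and a browser
# history export, each as "timestamp | field | field".
SCAN_LOG = [
    "2006-03-02 21:14 | Positive | Sheriff",
    "2006-03-09 22:40 | Positive | Adware.Generic",
    "2006-03-12 09:05 | Clean | -",
    "2006-03-16 23:02 | Positive | Trojan.Downloader",
]

BROWSER_HISTORY = [
    "2006-03-02 20:31 | IE | http://nursing.example-hospital.test/forms",
    "2006-03-02 20:58 | IE | http://livecams.example.test/",
    "2006-03-05 11:20 | Firefox | http://mail.example.test/",
    "2006-03-09 22:10 | IE | http://livecams.example.test/stream",
    "2006-03-12 08:50 | Firefox | http://news.example.test/",
    "2006-03-16 22:45 | IE | http://othercams.example.test/",
]


def parse(lines):
    """Split 'timestamp | a | b' lines into (datetime, a, b) tuples."""
    rows = []
    for line in lines:
        ts, a, b = (field.strip() for field in line.split("|"))
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), a, b))
    return rows


def correlate(scan_lines, history_lines, window_hours=6):
    """Map each positive detection to the IE URLs visited within the
    preceding window, so the visits that precede infections stand out."""
    positives = [(ts, name) for ts, verdict, name in parse(scan_lines)
                 if verdict == "Positive"]
    visits = parse(history_lines)
    report = {}
    for det_ts, name in positives:
        key = f"{det_ts:%Y-%m-%d %H:%M} {name}"
        report[key] = sorted(
            url for ts, browser, url in visits
            if browser == "IE"
            and 0 <= (det_ts - ts).total_seconds() <= window_hours * 3600
        )
    return report


if __name__ == "__main__":
    for detection, urls in correlate(SCAN_LOG, BROWSER_HISTORY).items():
        print(detection, "<-", urls)
```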
As I said, my investigation ended there. I removed Hacker Defender, cleaned up the system, and returned the computer, although I’m going to keep a particular eye out for their machine.
The idea that they got infected with a rootkit is frightening enough, but to think that they got it from spyware is downright terrifying.
So, here’s the purpose of this article: have any of you readers found a rootkit installed on a machine infected with spyware?
This really might be something we need to keep an eye out for.
[Provided by Geekstreak]