Rootkit removal for Vista 64 Sp1?

I have a Rootkit called NDT2 and a Trojan called ANDT on my laptop. I have tried many different anti-virus and anti-spyware programs but so far only McAfee and SuperAntiSpyware have been able to identify them.

But all McAfee does is block them, and although SAS says it's removed them they always reappear a few hours later. When I scan my laptop in Safe Mode it cannot see them :confused:

Don't suppose anyone could help me here, I'm really not in the mood for reinstalling Vista. I cannot find any Rootkit programs which will work with Vista 64, anyone know of one?

Cheers
 
For a start, trying to get rid of something that is in control of your system by using programs running on your system isn't going to help, you need to step outside. This means scanning it from a different operating system to the one that you suspect is infected. Secondly, are you sure it's a rootkit (might be worth googling the thing that was found, could be a false positive)? Microsoft went to some length to prevent the kernel in their 64-bit operating systems from being patched, I wasn't aware of the existence of such rootkits.

The only real solution is to format and reinstall, even on the 32-bit operating systems where rootkit scanners exist it is not always possible to completely eliminate them.
 
Well I have a dual boot of Vista 32 and 64 so I guess I'll try removing it from 32. I've googled everything, found some people with the same thing but nothing I have tried has worked yet.

I heard that AVG had a rootkit scanner so installed a trial of AVG 8 which says it has one but did not find anything. I'll have a look at Avast 4.8

Cheers
 
If you've got a rootkit on there you could have any number of nasty things on your machine by now. I would go with a full format to be safe and it's probably not going to take much longer than messing about with scanners.
 
Did a full scan within Vista 64 last night using Avast 4.8 Beta and it found even more viruses :eek:
Not keen on the skin but on first start up it discovered infections that no other program has been able to find and I have a feeling it may have actually removed them. Also Avast identified the Rootkit which SAS found as a Trojan. I'm thinking the 2 viruses that it found in the memory - perfs.exe & routing.exe - were the triggers for ANDT and NDT2.

With SAS I would remove ANDT and NDT2 but then after a reboot and half an hour later they would reappear. That has not happened with Avast :D

Gonna do another complete scan with Avast now, then I will try F-Secure just to make sure.
 
Err this is a new one on me.... Avast has just popped up telling me that the pagefile.sys on my Vista 32 partition contains a Win32:Adloader-AC Trojan Horse :(

I can't move it to the chest as it is too large, so if I delete it, should I be able to boot into Vista 32? I vaguely remember deleting the pagefile in XP and not being able to boot.

Cheers
 
How did you manage to get a rootkit onto Vista 64? Do you have UAC turned off by any chance?
 
I bet UAC was off.
Yes it is :rolleyes: it got on my ****. But I no longer think it is a rootkit, but I really need to know about this pagefile thing. Can I delete it?

I've been using AVG for such a long time now I assumed it was doing its job..... I guess not - it's total rubbish and I will no longer recommend it to anyone
 
Yes it is :rolleyes: it got on my ****. But I no longer think it is a rootkit, but I really need to know about this pagefile thing. Can I delete it?

The pagefile is the Windows virtual memory file, deleting it would be a bad idea.

As to getting rid of the rootkit (if it is one), you're going to struggle, because Vista is very picky about giving anything access to the kernel to make changes.

With regards to UAC, did you give no consideration as to the reason it's there? It's because of the bad habits of Windows users...
 
The pagefile is the Windows virtual memory file, deleting it would be a bad idea.

As to getting rid of the rootkit (if it is one), you're going to struggle, because Vista is very picky about giving anything access to the kernel to make changes.

With regards to UAC, did you give no consideration as to the reason it's there? It's because of the bad habits of Windows users...
To be quite honest mate, I've never really looked into what UAC actually does apart from dulling the screen and popping up with annoying messages. I take it it does more than that then :(

I have an idea what to do about the pagefile though :p

:eek: 21,873 posts :eek: blimey, you here a lot then :)
 
I thought this was a bit suspicious so I didn't add any input earlier today.

Now that it has been revealed that UAC was turned off things make more sense. UAC is one of and probably the most critical layer of security in Vista!

If you give some malware administrator-level access then yes, of course it will still be able to install a signed rootkit driver :) As far as Vista is concerned - you did it deliberately!
 
To be quite honest mate, I've never really looked into what UAC actually does apart from dulling the screen and popping up with annoying messages. I take it it does more than that then :(

UAC means that processes don't run with administrator rights as default, as well as providing a few other protections (such as virtualisation of registry and protected mode IE). If UAC had been turned on, it would, at the least, have warned you that a program was trying to install something on your PC.

I have an idea what to do about the pagefile though :p

:eek: 21,873 posts :eek: blimey, you here a lot then :)

I've been here ages, not here as much now as I used to be cos of time constraints and stuff though :)
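The reply above describes UAC as the layer that keeps processes from running with administrator rights by default. The following is an added example, not code from the thread, showing how a defender would check the same UAC settings and the current token's elevation from PowerShell. It assumes Windows PowerShell on Vista or later and reads the documented UAC policy values under the Policies\System registry key; the "OS default" values used when a value is absent are assumptions labelled in the comments.

```powershell
# Added example (not from the thread): report UAC policy settings and whether
# the current process already runs with an elevated (full admin) token.
# Assumption: Windows PowerShell on Vista or later with read access to HKLM.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue([string]$Name, [int]$Default) {
    # Returns the DWORD policy value, or the supplied default if it is absent.
    $v = (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

function Get-UacStatus {
    [pscustomobject]@{
        # 1 = UAC on, 0 = UAC off (the setting this thread is about)
        EnableLUA                  = Get-PolicyValue 'EnableLUA' 1
        # 0 = elevate silently with no prompt; 2 = prompt for consent (assumed Vista default)
        ConsentPromptBehaviorAdmin = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 2
        # 1 = show the prompt on the dimmed secure desktop
        PromptOnSecureDesktop      = Get-PolicyValue 'PromptOnSecureDesktop' 1
    }
}

function Test-Elevated {
    # True when the current token carries the Administrators group as enabled,
    # i.e. the process has already been elevated past UAC.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

$uac = Get-UacStatus
$uac | Format-List

if ($uac.EnableLUA -eq 0) {
    Write-Warning 'UAC is disabled: anything an administrator account runs gets a full admin token, so an installer can load a driver without asking.'
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is on but administrators elevate silently, so no prompt would appear before a driver install.'
} else {
    Write-Output 'UAC is enabled and prompts before elevation.'
}

Write-Output ("Current process elevated: {0}" -f (Test-Elevated))
```

Run it from an ordinary (non-elevated) console: with UAC enabled the last line reports False even for an administrator account, which is the behaviour the reply describes; with UAC off it reports True, meaning every program that user launches, including a malware installer, already has what it needs to install a driver.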
 
Thanks for the heads up, I'll turn it back on <= Dimwit alert!
Thinking about it, I could've turned it back on after I had finished installing Vista etc.

I've been here ages, not here as much now as I used to be cos of time constraints and stuff though :)
Joined the same time you did, except you are beating me by 20,735 posts lol

Good news is I think I am free of viruses now :D Gonna buy Avast I think!

Cheers
 
Thanks for the heads up, I'll turn it back on <= Dimwit alert!
Thinking about it, I could've turned it back on after I had finished installing Vista etc.

The problem is so many people are anti-UAC, it's a common recommendation to switch it off, but it should not be going off in regular use unless the program is badly written.

Joined the same time you did, except you are beating me by 20,735 posts lol

Good news is I think I am free of viruses now :D Gonna buy Avast I think!

Cheers

You must have joined a few days after the big nuke of 2002, I was here before that too... Mind you, 4.5 years as a don probably also helped my postcount :)

Good news that you've got rid of it too :)
 