Rootkit infection - advice req

Associate | Joined 16 Sep 2009 | Posts 2,373 | Location Loogabarooga
Windows Defender popped up and warned me about an infection, so I ran my AVG scanner and Malwarebytes and found that I had a rootkit on my PC along with the Vundo and Hiloti viruses!

Malwarebytes removed most of the infection and the rootkit, and I upgraded my AVG from 8.5 to 9 (paid version), which then detected one more infection (Vundo).

On the last Malwarebytes scan it just picked up one infection with a file in c:\windows\temp\~tmp5.tmp.

What I'd like to know is if the AVG scanner is clean on the next couple of scans, do you think my PC is safe to use now?

I've also run the Sophos Anti-Rootkit and tried running GMER, but GMER just BSODs my PC after 30 min and runs the CPU at 100%.
 
You should really format and reinstall from trusted media with rootkit infections. You can't realistically remove them, as all of your software, including the OS kernel, could be compromised, and therefore you can't trust what it may tell you. Just my opinion.
 
I recently looked at a PC that was going haywire: click on a program and it would open up 150 times. Installed SuperAntiSpyware and it found several rootkits. The PC is working a little better, but it does need to be reformatted and the OS reinstalled.
Yes, rootkits are very difficult to get rid of. I'm just waiting for the go-ahead to put this PC right again.
 
I think I got the virus from browsing Google Images for Family Guy! I can just about remember clicking on a picture and getting a warning message from AVG.

I have just run AVG and Malwarebytes (in safe mode) and neither detected anything now. Sophos also finds no hidden files in my registry.

The rootkit I got was "Rootkit.Agent":

Files Infected:
C:\WINDOWS\senviasy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.IE5\CX1MSIXA\load[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\lheiil.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\xxxx\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxxx\Start Menu\Programs\Startup\monnid32.exe (Trojan.Bredolab) -> Delete on reboot.
 
If you browse the web with an administrator account, especially with XP, you run the risk of getting caught out. I'm guessing you're probably running 32-bit Windows too, which doesn't help.

Your antivirus may well have caught it in time, and if you feel confident all your symptoms have disappeared you may be ok. However, personally, I wouldn't think twice about formatting it.
 
The best way to disinfect rootkits is to boot to the Windows Recovery Console. From here the rootkits won't be running, and so all their "hidden" files are on show.

Change directory (CD command) to your System32 folder. Sort by modified date, descending. Then look for suspicious files which were created in or around the suspected date of infection. Usually they have random "adjzdjesl.sys"-type file names. Delete or rename them...

Then change directory to your various Temp folders that are hidden away in your \Users\ folder and delete all files in them, because rootkits often like to leave traces in these (along with autorun entries in the Registry) so they can reinfect.
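The "sort by modified date, look for random-looking names around the infection date" triage step above, as an added example that is not from this thread or any poster: it takes a directory listing of driver files (constructed here, with invented dates), keeps files modified within a window of the infection date that are not in a known-good baseline, and tags names that look like random letter runs. The baseline set and the listing are assumptions; in practice the baseline comes from a clean install or install media.

```python
from datetime import datetime, timedelta

# Constructed baseline of driver names expected on a clean install (assumption:
# a real baseline is taken from a known-good machine or the install media).
KNOWN_GOOD = {"ntfs.sys", "atapi.sys", "tcpip.sys", "ndis.sys", "http.sys"}

def looks_random(stem):
    """Heuristic for names like 'adjzdjesl': no vowels, a run of 4+ consonants,
    or an implausibly high vowel ratio. Short real names (e.g. 'ntfs') also
    match, so this is a tag to prompt a closer look, not a verdict."""
    s = stem.lower()
    if not s.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in s)
    run = best = 0
    for c in s:
        run = 0 if c in "aeiou" else run + 1
        best = max(best, run)
    return vowels == 0 or best >= 4 or vowels / len(s) > 0.6

def suspicious_drivers(listing, infection_date, window_days=3):
    """listing: iterable of (filename, modified datetime). Returns a list of
    (filename, reasons), newest first, for files modified within window_days of
    infection_date that are not in the baseline."""
    lo = infection_date - timedelta(days=window_days)
    hi = infection_date + timedelta(days=window_days)
    hits = []
    for name, mtime in sorted(listing, key=lambda e: e[1], reverse=True):
        if name.lower() in KNOWN_GOOD or not (lo <= mtime <= hi):
            continue
        reasons = ["modified near infection date", "not in baseline"]
        if looks_random(name.rsplit(".", 1)[0]):
            reasons.append("random-looking name")
        hits.append((name, reasons))
    return hits

# Constructed sample listing (dates invented). lheiil.sys is the name the
# Malwarebytes log in this thread reported as Rootkit.Agent.
INFECTION_DATE = datetime(2009, 11, 20)
SAMPLE = [
    ("ntfs.sys", datetime(2008, 4, 14)),
    ("atapi.sys", datetime(2008, 4, 14)),
    ("lheiil.sys", datetime(2009, 11, 20, 21, 15)),
    ("adjzdjesl.sys", datetime(2009, 11, 21, 2, 0)),
    ("tcpip.sys", datetime(2009, 11, 19)),  # recent but in baseline: skipped
]

def scan_sample():
    return suspicious_drivers(SAMPLE, INFECTION_DATE)

if __name__ == "__main__":
    for name, why in scan_sample():
        print(f"{name}: {', '.join(why)}")
```

Anything it flags still needs checking by hand (publisher, hash, whether it is loaded as a service), since a legitimately updated unsigned driver would land in the same list.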
 
Thanks for everyone's suggestions. I think I've managed to rid myself of them all, and I ran ComboFix last night, which just found some files in my Local Settings folder and deleted them.

I have also disabled System Restore. I plan to upgrade my PC when the i930 CPU is released, so hopefully my XP will last 3 more weeks or so.

For anyone with similar probs, I found booting into safe mode and running Malwarebytes first the best option, and then running ComboFix to clear the rest up.
 