Malware infection with rootkits

Status
Not open for further replies.
Symantec enterprise edition picked up an active file from a security certificate that Windows media player was trying to download. I disconnected my ethernet cable to stop internet access. Symantec found a couple of trojans and cleaned/quarantined them but after restart I noticed that I couldn't access either of my hard drives and that my keystokes were not setting characters. I swaped harddrives and installed a fresh copy of Windows XP along with Avira, Malwarebytes, and CCleaner. I tried to follow the 8 step process but malwarebytes would not run at all (even after renaming the file). Below are my highjack this and superspyware logs. Any help would be appreciated. I had to rename highjack this to xxx.exe to get it to run and had to run the alternate start for superspy ware.
 
So a friend had me use a program called Trojan Remover. I'm attaching the log for that program. That allowed me to use Malwarebytes and I'm attaching that log also. Thanks for any help you can provide.
 
Rootkit viruses are particularly nasty and hard to get rid of.. There are manual ways to do it but it involves modifying the registry and such. I found a new tool called blacklight. Check it out here http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/
I have not used it myself but it is supposed to work. You do need to read the instructions on it before you use it because you can potentially delete essential windows files. There is a tutorial here http://www.bleepingcomputer.com/tutorials/tutorial124.html I did not use because I had a recent image backup of the system I was working on and I just restored that.
 
gxvx and others detected.

aiea: The moderators have their usernames highlighted GREEN, while known malware helpers are highlighted in PURPLE. Both moderators and malwarehelpers stay very busy. One of the experts (Name in Purple) may be able to help you finish the process since you got hung up. If one of the experts (Name in Purple) suggests something not in the 8 steps, you should follow it. Otherwise, veering from the 8 steps may complicate the process of helping you get cleaned up.

guerra: you may want to review the special rules ;) for the Virus and Malware removal area:
https://www.techspot.com/vb/topic120350.html

That being said... yes, rootkits are very nasty, pernicious, and recalcitrant, and a host of other adjectives!
 
Take it from experience, Rootkit malware are not likely removed with your "8 step process" as the poster did follow. I as a matter of fact had to deal one today and one a couple of weeks ago. I ended up re-formatting/installing with one and did a bare metal restore (luckily I had a backup) with the other. Mind you there is probably a way to remove without restore/reinstall but to me anyways it is not worth the time. In my case I was able to access the drives, backup important data and proceed with re-install. I am aware of the 8-step process BUT in this case I know even malwarebytes will not permanently remove rootkits. They will come back as soon as you reboot since it is an embedded in the registry and will regenerate until you remove the associated registry keys and associated randomly named files. In any case good luck
 
I think what B00kWyrm is trying to say is that even though rootkits can't be removed by the 8 step process, its still essential to run that first so the Malware team have a better idea of what they are dealing with. They will then run other steps outside of the simple guideline.

That being said, the boys in purple know how to deal with rootkits and we generally leave it up to them (not saying you cant fix it, I'm sure you are well capable :D). It makes the process a lot less complicating for the user.

Not trying to step on anyone's toes. I myself jumped head first into helping people with Virus issues and have since backed off to be in compliance with the rules ;)
 
I appreciate any help I can get on it. I was going to move all my critical files to my secondary harddrive and reformating, but I'm concerned about moving the rootkit with them.
 
Okay, I was able to clean the original drive enough to get functionality back by using my second drive as master. Attached are the logs. I was able to get the whole 8 steps completed as written this time. The name of one of the trojans is Coldware. I tried looking for a manual removal tool because none of the utilities are able to quarantine/delete it.
 
rootkit malware will attach to exe's (executables) and install themselves usually as .dll files. If you just back up files such as photos, documents, etc you should be ok and will not migrate any malware. You can get an idea which files get infected by simply doing another scan with malwarebytes. In any case you can backup your files and then manually scan that drive for malware. You can then proceed to reformat and re-install. More than likely you got the malware though a website. I would look into using something like Sandboxie to protect your system in addition to WOT (Web of Trust) which will warn you of malicious or suspicious sites. As for cleaning your drive without a re-format, have you researched any on how to manually remove your malware infections? A simple google search should help.
 
Status
Not open for further replies.
Back