Topic: How do I remove rootkits? Such as system-modified ones of high danger?

Mo0nwalker

  • Guest
Avast always detects 3 of them on the C drive, and I don't quite know what to do...
 
Should I reformat, I guess? If so, is there a way to just reformat the C drive (since I've got stuff on the D drive) or not?
 
Or is there a possibility to get rid of these rootkits?
 
I've got Windows 7 64-bit and I use Avast Free, Malwarebytes Free and the Win7 firewall (should I try Comodo?).
 
Avast detects them - Malwarebytes doesn't.
 
Thanks and please help.
 
Edit: Here are the following reports/logs which I hope will serve as help for essexboy:
 
Avast! detection report: http://www.mediafire.com/?ivc0o1wrnsid3t0
 
Malwarebytes log (safe mode without network): http://www.mediafire.com/?9m9po9yh1erq707
 
OTS log (safe mode without network): http://www.mediafire.com/?wrdsrgr343rdimd
« Last Edit: June 29, 2011, 08:13:36 AM by Mo0nwalker »

Mo0nwalker

  • Guest
No response yet from anyone?

Offline Pondus

  • Probably Bot
  • Posts: 37506
  • Not a avast user
Essexboy is notified, so you just have to wait....

He is usually in here from 8:00pm to 11:59pm UK time.

If you don't have the time to wait,
try the Geeks to Go forum or the Malwarebytes forum.
« Last Edit: June 29, 2011, 11:39:31 AM by Pondus »

Mo0nwalker

  • Guest
Ah thx  :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Hi Mo0nwalker,

Of course it is an interesting question, but a much more important question would be how to prevent rootkits from landing on your system; one ounce of prevention is worth a pound of cure, as they say.
Limiting a full account will help enormously towards that goal, and run an install inside the avast sandbox whenever in doubt, shun dubious downloads and pre-scan others. Use EMET on the software you use.

Regularly check your OS and third-party software for the latest updates and upgrades (use secunia.com/vulnerability_scanning/online/ ). Whenever using a browser, use in-browser security (malicious script blocking etc.) (NotScripts, BetterPopupBlocker, Blocker 0.2 and NOREF extensions installed in the Google Chrome browser, for instance), use avast fully updated, MBAM and SAS non-resident, and a firewall. If you are into P2P-ing, which activities are being frowned upon by certain parties, be extra careful and run a bootable AV CD to double-check every now and then, but staying clear of unsafe Internet practices might be the best piece of advice there is to prevent your original question from even having to enter your head. So watch your clicks and stay safe and secure in the digital world,

polonus

P.S. For reading on your initial question, see this link:
http://technet.microsoft.com/en-ca/sysinternals/bb897445.aspx by Bryce Cogswell and Mark Russinovich
Version 1.7 of that software downloads from here: http://www.sysinternals.com/Files/RootkitRevealer.zip
« Last Edit: June 29, 2011, 05:28:38 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Nothing jumps out at me from that which would indicate either a false positive or a rootkit. Let's clear the rootkit option first.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mo0nwalker

  • Guest
So should I disable Avast, MBAM and the Windows 7 Firewall?
 
How do I disable them? I just right-clicked on the Avast icon and nothing there really looks like it is "turning it off".

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Nope, just right-click the orange blob, select Shield control, then disable for one hour, remembering to reset it when ComboFix finishes doing its thing.

Do not let Avast sandbox anything during the run.

Mo0nwalker

  • Guest
The thing is that I use the Norwegian language, so all I can really say is: is it under the first option you get when you right-click, under Open? If so, which option do I choose once I click that? I get to a new window with two options then.
 
Or what I mean to say is that I don't get any options that say "disable shield" or such when I right-click. This is what I get when I right-click, which is the same I get for MBAM and such:
« Last Edit: June 29, 2011, 09:37:12 PM by Mo0nwalker »

Mo0nwalker

  • Guest
Oh, never mind, now I understand, sorry!!!
 
BTW, here is a link to the OTS (without safe mode) if that helps: http://www.mediafire.com/?cm6rh789c8u1g1h
 
Will be posting the Comodo log very soon!!!  :)

Mo0nwalker

  • Guest
Yes, I'm finished one, disabled Avast like you said and ran it while I was away a bit, saw that my PC got restarted and that when I logged on it would create the log, so I'm gonna attach it now, please comment.
 
BTW, is it possible to scan with Avast or do I have to delete ComboFix? Just wondered.
« Last Edit: June 29, 2011, 10:57:26 PM by Mo0nwalker »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
No, you can restart Avast now. I will look at the log and get back to you soon.

Also, could you try the net and see if the alerts have gone?

Mo0nwalker

  • Guest
What do you mean by the net?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Sorry, is Avast giving alerts any more when you are online, or at any other time?

Mo0nwalker

  • Guest
Nope, not on the sites I visit anyway.
 
And I scanned recently, found nothing, so for now it looks good I hope.. I'll reply if it finds something, but this looks good for now, and you haven't seen anything suspicious in the logs yet, have you?
 
Well, in that case, it's fine at this moment I hope!  ;D
 
BTW, should I start using Firefox, since it has NoScript, unlike Chrome?