Topic: Win32:Rootkit-gen [Rtk]


Offline jumpy.core

Win32:Rootkit-gen [Rtk]
« on: March 05, 2009, 01:54:24 AM »
Apparently my mom did something to get infected by this virus. I installed Avast! and it keeps putting it in the chest, and every time it gets cleaned up it comes back again after every restart. It's always in this folder on hers, and now mine.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp

How do I get rid of it? Also, I don't know if it is due to this virus, but now I can't go to Folder Options so I can make hidden files/folders visible. So the only reason I can even get to that folder is because Avast! gives me the folder link.

Tell me what you need to know and I'll do whatever I can. It doesn't seem to be infecting anything but those folders (and the Program Files folder, I THINK). But all my downloaded movies/music are all fine.

This is like my first virus in 8 years :[ Thanks for the help.

Offline scythe944

Re: Win32:Rootkit-gen [Rtk]
« Reply #1 on: March 05, 2009, 05:19:43 AM »
I'd say to download Malware-Bytes and do a scan. http://www.malwarebytes.org/

Then, schedule a boot-time scan with avast.

Let us know how that works, and we'll proceed further.

Offline Tarq57

Re: Win32:Rootkit-gen [Rtk]
« Reply #2 on: March 05, 2009, 06:21:13 AM »
MBAM good.
Also, from the chest send it to Avast, so it can be analysed.
From the folder it keeps reappearing in, upload the file concerned to VirusTotal (http://www.virustotal.com/) for an online scan by multiple up-to-date scanners. The result will start to show within a minute.

The type of detection is generic (Rootkit-gen). That makes it slightly more likely to be a false positive than if it was detected using signatures.
I'm definitely not saying it is an FP, just that there is an increased chance of this. Treat it with suspicion in the meantime, but there should be no need to panic. (Yet.  ;))

Offline jumpy.core

Re: Win32:Rootkit-gen [Rtk]
« Reply #3 on: March 10, 2009, 06:30:36 AM »
Okay, cool, thanks a lot. When I get home I'll do this ASAP.

I'd think it was an FP, but they keep reappearing in the same folder with a random file name, sometimes in my system32 folder (such as zxzxyashf.dll, for example).

It was in the Local User Settings/mom/Temp or something to that intent originally. I guess my mom somehow picked it up, and it started fucking with the computer, disallowing Trend Micro or any antivirus site to try and remove it, replacing it with tons of pop-ups and "install % antivirus and remove virus today" ads.

Anyways, I'll get to it hopefully tomorrow. Thanks.

Offline Tarq57

Re: Win32:Rootkit-gen [Rtk]
« Reply #4 on: March 10, 2009, 08:56:22 AM »
That puts quite a different complexion on things.
You are almost certainly infected. Probably by one of the rogue programs that seem to be getting more prevalent.
A boot scan and a scan with MBAM are quite a priority now. You may have trouble installing MBAM (or even getting to the site, from the sound of things).
Another excellent scanner to try is SUPERAntiSpyware: http://www.superantispyware.com/download.html
If you have trouble downloading either of these, try downloading using another computer. Save the installer file to a flash drive. If it won't install on the infected computer, rename it to something like "jumpycoresnuker.exe" or whatever.
If it installs, try updating then running it.
An antirootkit scan would be a good idea, too, but we'll get to that in due course.
[edit] Get CCleaner or ATF Cleaner, by (respectively) Piriform/Atribune, and delete all the temporary files first. That may help.
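The thread's symptom is randomly named .dll/.exe files reappearing in the Temp and System32 folders, and the advice is to hash them and look them up on VirusTotal. The script below is an added triage helper, not code from the thread or from any of the tools named in it: it lists recently changed executables and DLLs in those two folders (including hidden ones, since the poster could not turn on hidden-file display), flags names that look machine-generated with an assumed vowel-ratio heuristic, checks for an Authenticode signature, and prints SHA256 hashes ready for a VirusTotal lookup. It is read-only and deletes nothing.

```powershell
# Added triage helper (not from the thread). Requires PowerShell 4+ for Get-FileHash.
param(
    [int]$Days = 7,                                           # look-back window (assumed default)
    [string[]]$Folders = @($env:TEMP, "$env:SystemRoot\System32")
)

# Heuristic: a base name with few vowels or a long consonant run (e.g. "zxzxyashf")
# looks generated rather than chosen by a developer. Thresholds are assumptions and
# will flag some legitimate names (e.g. "msvcrt"); treat hits as a review queue only.
function Test-RandomName {
    param([string]$BaseName)
    $letters = ($BaseName -replace '[^A-Za-z]', '').ToLower()
    if ($letters.Length -lt 6) { return $false }
    $vowels = ([regex]::Matches($letters, '[aeiou]')).Count
    $vowelRatio = $vowels / $letters.Length
    $longConsonantRun = $letters -match '[^aeiou]{5,}'
    return ($vowelRatio -lt 0.25) -or $longConsonantRun
}

$cutoff = (Get-Date).AddDays(-$Days)

$hits = foreach ($folder in $Folders) {
    if (-not (Test-Path $folder)) { continue }
    # -Force includes hidden and system files, which Folder Options would normally hide.
    Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' -and $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Modified   = $_.LastWriteTime
                RandomName = Test-RandomName $_.BaseName
                Signed     = ($sig.Status -eq 'Valid')
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Unsigned files with generated-looking names come first: submit those hashes to VirusTotal first.
$hits |
    Sort-Object -Property @{ Expression = 'RandomName'; Descending = $true }, 'Signed' |
    Format-Table -AutoSize
```

Run it from an elevated prompt so System32 is fully readable; a file that is unsigned, recently modified and flagged RandomName is the one to upload to VirusTotal and send to the avast chest.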