Win32:Root Kit-gen Help

[fastshark]

Running ADM on my LAN and it found Win32:root Kit-gen on a few machines.  It adds to chest but then upon next scan, it finds it again.  A few questions:

1)  How can I figure out how this Trojan got in?
2)  What are the steps to remove it as aVast cant seem to get rid of it

I found another thread about using Malwarebytes and HiJackThis on here.  On other searches, I found:

Disable System Recovery
Run boot scan
Move to chest infected files
Enable system Recovery

Proved to not help matters as it keeps coming back.  I also noticed that the above machines had a "AT1" scheduled task, which is not a "valid" task setup by me/other IT members, so it was removed.

Any help would be great!!

[Left123]

have you tryed mbam?
www.malwarebytes.org

[fastshark]

Currently I am running a boot scan on my machine...ran overnight and when I got in this morning, I was not able to add system files to chest due to non_responsive (USB) keyboard.  Once this scan is completed, I will run that.

[fastshark]

Malwarebytes found a few items on another machine infected (Windows 2000).  Let the program delete them.  Rebooted and ran a scan on the machine...same Win32:RootKit appeared. 

One a few other XP Pro machines I did:

Disabled Checkpoint
rebooted
reenable Checkpoint
scan
Win32:RootKit came back

Not really getting much of any progress...any suggestions?

[fastshark]

How to remove please..

[!Donovan]

What is the location and name of the files?

[fastshark]

See attached

[Pondus]

I think you need help from Essexboy

Follow this guide from Essexboy and post the log`s
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )

[Left123]

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

try this tool

[fastshark]

Ran anti-root kit yesterday...found alot of hidden items, but nothing that was marked as to delete.  Nor any in the directory where root kit gen is "supposed" to be.  I will now follow the Essexboy post/tasks.

[fastshark]

See attached

[Pondus]

you forgot to update Malwarebytes before you scanned, Malwarebytes have several daily updates 

Essexboy have been notified

[fastshark]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4711

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/28/2010 11:25:46 AM
mbam-log-2010-09-28 (11-25-46).txt

Scan type: Quick scan
Objects scanned: 195034
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[essexboy]

OK never worked a LAN before so I will take baby steps
First I would like you to run the following programmes on the prime system. And any AT*.job is malware


GMER Rootkit Scanner - Download - Homepage

• Download GMER
• Extract the contents of the zipped file to desktop.
• Double click GMER.exe.

• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
  
  Click the image to enlarge it
  

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  
• Save the log where you can easily find it, such as your desktop.

**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please attach the report into your Post.

THEN 

Download OTS to your Desktop and double-click on it to run it

• Make sure you close all other programs and don't use the PC while the scan runs.
  
• Select All Users
  
• Under additional scans select the following

Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan

• Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  
• When the scan is complete Notepad will open with the report file loaded in it.
• Please attach the log in your next post.

[fastshark]

Started to run GMER, but after 4 hours I had to use my machine.  I will let this run over night tonight and then continue onto the next task.  Much thanks for the guided help.