Author Topic: How do I remove rootkits? Such as system modificated ones of high danger?  (Read 18056 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
You only need to disable for combofix, as it is a tad aggressive; the aswMBR scan showed a possible TDL3.

We did not get round to clearing your restore points; we must ensure that it is done after this. If you have not run OTS yet then start with this. MBAM is not geared up for rootkits.

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
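
Added example (not part of essexboy's post or of TDSSKiller itself): after a reboot the report lands in the root of the system drive, so this PowerShell snippet finds the newest file matching the "TDSSKiller.[Version]_[Date]_[Time]_log.txt" pattern described above, shows it, and copies it to the clipboard ready to paste into a reply. It assumes the scan was run on the system drive (normally C:\) and uses only cmdlets available on Vista/7-era PowerShell plus the built-in clip.exe; the warning text is my own.

```powershell
# Added example: locate and display the newest TDSSKiller report.
# Assumes the default log name pattern and that the scan ran on the system drive.

$root = $env:SystemDrive + '\'      # usually C:\

# Newest report first; skip folders so a stray directory with a matching name is ignored.
$logs = Get-ChildItem -Path $root -Filter 'TDSSKiller.*_log.txt' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending

if (-not $logs) {
    Write-Warning "No TDSSKiller log found in $root - run the scan first, or check the folder TDSSKiller.exe was started from."
    return
}

$latest = $logs | Select-Object -First 1
Write-Host "Newest report: $($latest.FullName) (written $($latest.LastWriteTime))"

# Echo the report so it can be reviewed, then copy it to the clipboard
# (clip.exe ships with Windows since Vista) for pasting into the forum reply.
$content = Get-Content -Path $latest.FullName
$content
$content | clip.exe
```

If several reports are present (one per scan), only the most recent is shown; delete or rename older ones if the wrong run is picked up.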

Mo0nwalker

  • Guest
How do I disable combofix?

Offline essexboy
Ah badly phrased.  The only time you need to disable the AV is when you run combofix...


Mo0nwalker
So it's got nothing to do with what polonus said?

Offline essexboy
Not with TDSSKiller, as it will ignore sptd.sys.

Mo0nwalker

Quote from: polonus

Hi Mo0nwalker,

First you can do a check-up with this: http://www.resplendence.com/download/sanitySetup.exe

First make all your hidden files visible: http://www.bleepingcomputer.com/tutorials/tutorial62.html

Will be interesting to see your results with an anti-rootkit removal after having run defogger, see how to, here: http://forum.avast.com/index.php?topic=37542.msg660423#msg660423

Run this free rootkit removal tool - http://www.troublefixers.com/download-sophos-anti-rootkit-remover-to-delete-rootkits/  (after cleansing re-enable with defogger)

pol


 
Um, Polonus, the free rootkit removal tool got a lot of hits, but when I click on them it says clean-up is not recommended for this file. It goes for all of them, I believe. What should I do, or is it normal to check them all and clean them?

And after that I will re-enable the defogger, if I remember right?
« Last Edit: June 30, 2011, 10:51:18 PM by Mo0nwalker »
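
Added example (not from polonus's post or the linked tutorial): the "make all your hidden files visible" step can be done from PowerShell instead of clicking through Folder Options. It writes the same Explorer settings the tutorial changes, in the current user's registry hive (HKCU, so no elevation is needed), saves the old values so they can be put back once the cleanup is finished, and restarts Explorer so open windows pick the change up. Value names and meanings are the standard Explorer ones; the output strings are my own.

```powershell
# Added example: show hidden files, protected operating-system files and file
# extensions in Explorer by setting the per-user Advanced settings.
#   Hidden          1 = show hidden files, 2 = do not show
#   ShowSuperHidden 1 = also show protected operating system files
#   HideFileExt     0 = show extensions (helps spot "invoice.pdf.exe" tricks)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Record the current settings so they can be restored after the cleanup.
$before = Get-ItemProperty -Path $key
"Before: Hidden=$($before.Hidden) ShowSuperHidden=$($before.ShowSuperHidden) HideFileExt=$($before.HideFileExt)"

Set-ItemProperty -Path $key -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name ShowSuperHidden -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name HideFileExt     -Value 0 -Type DWord

# Explorer only re-reads these values when it starts, so restart it.
Stop-Process -Name explorer -Force
Start-Process explorer.exe

$after = Get-ItemProperty -Path $key
"After:  Hidden=$($after.Hidden) ShowSuperHidden=$($after.ShowSuperHidden) HideFileExt=$($after.HideFileExt)"
```

To restore the original behaviour afterwards, set the three values back to what the "Before:" line printed. Note that this only affects what Explorer shows; a rootkit that hooks the file system can still hide its files from Explorer and from Get-ChildItem -Force alike, which is why the anti-rootkit scanners in this thread read the disk below those hooks.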

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
Hi Moonwalker,

Give me a logfile of what it finds, attached as a txt file, so I can evaluate.
Then you can re-enable all those drivers you disabled temporarily with defogger.
Now I would also like to see what all starts up/runs there on that box: http://www.niksoft.at/download/startdreck.htm
Run that proggie and attach the logfile as a txt file.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mo0nwalker
How do I find the log file for that? No log file came out, and apparently, from reading the instruction PDF, the files that are recommended to be removed are checked automatically after the scan. I got none of that; all of them were not recommended to be removed, which marked them as unchecked unless I felt they should be checked. And that is a lot of files, so I don't think it found anything.

I'll do the next part of your post shortly.

Offline polonus
Hi Mo0nwalker

http://www.sophos.com/sophos/docs/eng/manuals/rk_10_men.pdf
You should only remove files that are explicitly mentioned to be removed; all others should stay.

If at the end of the day we have evaluated the StartDreck logfile, then as the topping on the cake we can also run
http://www.surfright.nl/en/hitmanpro (it worked every time, even against TDL4 variants),

pol

Mo0nwalker
How do I use StartDreck? I get an error when I click on it. Do I have to save it to a specific place?

Offline polonus
Download the zip here: http://www.niksoft.at/php/dl.php?f=startdreck.zip
then just run it.

Looks like this on Vista, see attached:

polonus

Mo0nwalker
The problem is this which I get when I run it:

Offline polonus
Hi Mo0nwalker,

Did you run it as Admin? Did you re-enable the drivers that you disabled with Defogger?

pol
« Last Edit: June 30, 2011, 11:58:58 PM by polonus »

Mo0nwalker
Oh I overlooked that, let me try again.
 
Here are the logs for startdreck and Sanitycheck:
« Last Edit: June 30, 2011, 11:59:30 PM by Mo0nwalker »

Mo0nwalker
I ran HitmanPro (one-time scan, free licence for 30 days) and it found two suspicious files on drive D which I recognised, so I ignored them (they were automatically put on ignore), while it found one malicious file on drive C which I believe it got rid of. I can re-scan and double-check.

OK, I double-checked and it got rid of the malicious one it found, if I am to believe what the scan showed me anyway.

With that over, should I go and try TDSSKiller, which essexboy suggested I should try?
« Last Edit: July 01, 2011, 12:12:33 AM by Mo0nwalker »