[XP] Recurring rootkit, nothing is getting rid of it :/


Question

Hey All,

I seem to be having a problem getting rid of a rootkit on a machine; it started off with a fake security alert called i-security.

I've removed the majority of the malware, but Malwarebytes is still showing 2 infections which are rootkits. It removes them; however, on rebooting they just come back and it finds them again.

I've tried using TDSSKiller and Avast's rootkit utility, but they also remove it and it comes straight back! Same with MS Security Essentials.

I'm just going to try Avast Free now, as that's not been too bad for me in the past.

Can anyone suggest a good rootkit removal tool please?

Thank You! x

Recommended Posts


A format is the best removal tool; aside from that, I would recommend

Kaspersky Rescue CD 10

If you wish to boot the rescue CD off USB, use this tool.

Just please use another machine to create the bootable USB device. Do not stick that USB device into the computer while in Windows.

You boot off it and scan your drive; it can be much more effective than a scan running in Windows.

Mainly because, by definition, a rootkit can be invisible to the OS and most scanning tools, which is why a scan from outside of Windows is much more effective.


Well, one thing you could do is:

Start -> Run -> msconfig

Go to the Startup tab and look for any oddities. If you find one, disable it, note the file location and then manually delete it.

Check the Services tab for the same thing; be sure to tick "Hide all Microsoft services" so you don't spend hours looking through the list.

That should stop it from starting up on boot. If it still persists, then re-installing Windows would be your best bet.


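As an added illustration (not code from the thread or from any of the tools mentioned in it), the same "look for oddities in the startup list" step can be done against a `reg export` of the Run keys instead of by eye over a remote session. The script below is my own: the sample export, the directory heuristics and the entry names are constructed assumptions that mirror what the thread describes (a rogue "isecurity" entry and a blank startup item), not real data from that machine.

```python
import re

# Constructed sample: what `reg export` of the two Run keys might look like on
# the affected XP box. Paths and names are made up for illustration; the "@"
# line mimics the blank startup entry mentioned in the thread, and "isecurity"
# mimics a rogue AV dropped under a profile directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"isecurity"="C:\\Documents and Settings\\All Users\\Application Data\\isecurity.exe"
@="C:\\Documents and Settings\\User\\Local Settings\\Temp\\kjhsdf.exe"
"Updater"=hex:00,01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"svchost"="svchost.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# A value name is either @ (the key's default value) or a quoted, escaped string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Directories an autostart binary has little business living in on XP
# (assumed heuristic, tune to the environment).
SUSPECT_DIRS = ('\\temp\\', '\\application data\\', '\\local settings\\',
                '\\recycler\\', '\\system volume information\\')


def _unescape(s):
    # Undo .reg escaping: a backslash escapes the character after it.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return (key, value_name, command) for every string value in a .reg dump.

    value_name is '' when the data sits in the key's default value (@).
    Non-string data (hex:, dword:) cannot be a command line and is skipped.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue
        entries.append((key, name, _unescape(data[1:-1])))
    return entries


def exe_path(command):
    """Pull the executable out of a Run-key command line (quoted or not)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)', cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ''


def triage(entries):
    """Flag autostart entries worth a closer look; returns a list of findings."""
    findings = []
    for key, name, command in entries:
        exe = exe_path(command)
        reasons = []
        if name == '':
            reasons.append('blank value name (default value used as an autostart)')
        if any(d in exe.lower() for d in SUSPECT_DIRS):
            reasons.append('binary lives in a temp/profile directory')
        if '\\' not in exe:
            reasons.append('bare filename, resolved through PATH at logon')
        if reasons:
            findings.append({'key': key, 'name': name, 'exe': exe,
                             'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(parse_reg(SAMPLE_REG)):
        print('%s\\%s -> %s' % (f['key'], f['name'] or '(default)', f['exe']))
        for r in f['reasons']:
            print('    ' + r)
```

On the box itself the input would come from something like `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (reg.exe writes UTF-16, so read it with `open('run.reg', encoding='utf-16')` before handing the text to `parse_reg`); the HKCU Run key and the RunOnce keys are worth exporting the same way. It is only a triage aid: a rootkit that hides its own registry values from the live OS will not show up in an export taken from inside Windows, which is the point made about offline scanning earlier in the thread.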

Also, let me just get this out of the way so the thread won't be flooded with this comment: "OMG, you're using XP? BLAH BLAH BLAH". OK.... I'm done :laugh: /S


Hehe, it's not my PC, it's part of a company's, and the issue is, as we all know.... old software they have just won't run on Vista / 7, and they will not pay to upgrade.

At the moment, for this evening, I just have remote access to the PC; I was hoping I could fix it by the morning. Still got 12 hours, I suppose!

So all boot-from-CD / Safe Mode scans can't be done. It's not ideal, and I can get access to the machine locally tomorrow; I just want to try, try, try now.


More than you could imagine, it's the payroll machine.

Looks like isecurity was listed in the msconfig startup programs and there was a blank entry which I've now de-selected; it will be interesting to see if it stops repeating now.


> Looks like isecurity was listed in the msconfig startup programs and there was a blank entry which I've now de-selected; it will be interesting to see if it stops repeating now.

If it doesn't, F-Secure has a rootkit removal tool called BlackLight that might help.

What were the names of the rootkits that Malwarebytes found? Doing a Google search for them might bring up some specialized removal tool too.

Your best bet is to just re-install though, tbh. The tools may find something and delete it, but you can't be 100% sure it's fully gone.


It has been removed from the domain and plugged into a spare broadband supply in the same building which is usually used for visitors so they can get online. At least that way it limits the possibility of spreading to the other machines + servers etc. Most of the data is on the servers, but things like Outlook do store a local copy on the machine, etc., so it could be sending out a nice bulk of spam while it's active.

I just want to be able to say... it's fixed... in 12 hours' time when they all come into the office.

Edit - Thank you Razorfolds, I'll check that out; trying that.


> More than you could imagine, it's the payroll machine.

Yikes.

If it's a machine used for something that important, I'd definitely just reformat; I wouldn't even chance something still possibly hiding somewhere on there.


You may also want to take this opportunity to scan the other machines and, if the checkup clears them, make drive images of those machines, so in cases like this you can restore a good copy and get them up and running quickly.


I don't know how isecurity infects systems, and it's bad to assume it's not got a keylogger etc. anyway.

Problem with reformatting is payday was meant to be today... this is the only machine that can do it! I was hoping for a quick fix, you see; if I do have to format, I will.


> I don't know how isecurity infects systems, and it's bad to assume it's not got a keylogger etc. anyway.
>
> Problem with reformatting is payday was meant to be today... this is the only machine that can do it! I was hoping for a quick fix, you see; if I do have to format, I will.

Check the Control Panel for a Java icon. Open it and click the About button; my guess is she is running (like most people) an out-of-date version of Java. The current mainstream version is 6.31.

Reference my sig.


> Problem with reformatting is payday was meant to be today... this is the only machine that can do it! I was hoping for a quick fix, you see; if I do have to format, I will.

Well, there don't seem to be any specialized removal tools. What you could do is restore the computer back a couple of months.

If the rootkit was recently added, that would disable it by deleting its registry entries and renaming any new executable files since then.

And then reformat and reinstall as soon as you possibly can.

> Check the Control Panel for a Java icon. Open it and click the About button; my guess is she is running (like most people) an out-of-date version of Java. The current mainstream version is 6.31.
>
> Reference my sig.

Um, isn't it on 7.03 now?


I may try that restore first.

I've just rebooted after removing it from msconfig and now Malwarebytes isn't finding the rootkit. I may try a few other scanners now to see how it goes.


> Well, there don't seem to be any specialized removal tools. What you could do is restore the computer back a couple of months.
>
> If the rootkit was recently added, that would disable it by deleting its registry entries and renaming any new executable files since then.
>
> And then reformat and reinstall as soon as you possibly can.

> Um, isn't it on 7.03 now?

Though it's also possible that doing that wouldn't do jack **** if the system restore files have been infected.

And no, Java 7 is technically still just for developer use; Oracle doesn't see it fit yet for everyday use, apparently.


> Um, isn't it on 7.03 now?

Yeah, it is, but on the website they are still pushing 6.31 as the main version. But yes, 7.03 is available.

> Well, there don't seem to be any specialized removal tools.

The rootkit he has is referred to as "ZeroAccess" (Malwarebytes calls it 0access). It usually comes in through an old version of Java, and there are a BUNCH of specialized removal tools for ZeroAccess. Norton makes one, Webroot makes one.

It's a hard one to remove because it infects the TCP/IP stack.

While everything might look fine, if you were to run ComboFix it would probably still detect rootkit activity.

When you run ComboFix it will kill your remote connection to that machine while it's running.

> Though it's also possible that doing that wouldn't do jack **** if the system restore files have been infected.

Well, you can't be 100% sure with rootkits anyway :/ So pretty much anything apart from a reinstall is a game of chance.

> And no, Java 7 is technically still just for developer use; Oracle doesn't see it fit yet for everyday use, apparently.

Interesting. Don't really see the difference, tbh, from the end-user point of view anyway.


> Interesting. Don't really see the difference, tbh, from the end-user point of view anyway.

Yeah, Oracle's weird like that.

Have updated Java as a precaution and ran TDSSKiller, SUPERAntiSpyware and Security Essentials; nothing is being found now.

Windows Updates are being downloaded now as well, so hopefully that will plug some holes.

Starting to dislike Symantec Endpoint now; it's sat active in the system tray throughout this and not once alerted me to a virus.
