
[XP] Recurring rootkit, nothing is getting rid of it :/


Question

Hey All,

I seem to be having a problem getting rid of a rootkit on a machine; it started off with a fake security alert called i-security.

I've removed the majority of the malware, but Malwarebytes is still showing 2 infections which are rootkits, and it removes them; however, on rebooting it just comes back and finds them again.

I've tried using TDSSKiller and Avast's rootkit utility, but they also remove it and it comes straight back! Same with MS Security Essentials.

I'm just going to try Avast Free now as that's not been too bad for me in the past.

Can anyone suggest a good rootkit removal tool please?

Thank You! x


Recommended Posts

  • 0

Starting to dislike Symantec Endpoint now; it's sat active in the system tray throughout this and not once alerted me to a virus.

That's because traditional anti-viruses, like Symantec Endpoint, usually will fail to detect rootkits. And you also have to remember no anti-malware, regardless of how good it is, will be able to detect 100% of viruses/trojans/rootkits etc.

Once an OS is compromised by a rootkit (especially kernel-mode ones), you cannot trust it to find rootkits, since they can hide themselves from process explorers, file explorers etc. Which is why Warwagon suggested using a rescue CD. By running it before the OS boots, the rootkit is easier to detect since it isn't able to load its payload and manipulate system calls.


  • 0

I don't know if this was mentioned already, but look in "Disk Management" and check if there's a small partition of a few hundred MB at the end of your HDD. If so, kill it!! The rootkit is hiding there!

I had a rootkit survive the clean install; would have saved myself the headache of that if I had known this a few minutes earlier!!!


  • 0

I had run TDSSKiller on the workstation with the hidden partition, and it wasn't able to successfully clean the machine until I killed the partition. So even if it says it found and deleted something, check for the hidden partition!


  • 0

Not sure if this has been mentioned, but you could use the MSRT: http://www.microsoft...aylang=en&id=16

Or the System Sweeper beta: http://connect.micro...m/systemsweeper

Good suggestion about System Sweeper, but I find Kaspersky does a far better job of scanning and finding rootkits on the boot sector.


  • 0

Thanks for the suggestions guys; TDSSKiller kept removing the rootkit, but it would end up coming back after a reboot.

Hitman Pro seems to have done the job; it seems to be working OK again and not redirecting me to weird and wonderful webpages.

Thanks for the help :)


  • 0

Hitman Pro seems to have done the job; it seems to be working OK again and not redirecting me to weird and wonderful webpages.

Thanks for the help :)

Good to hear; Hitman has always been great, for me anyway :D


  • 0

If it runs in XP, the company can't use this as an excuse. XP Mode was made specifically to address this.

I see where you're coming from, but in the real world it's very hard to get directors to pump money into IT as it is, and if you tell them you're going to have to open up a virtual machine just to run some software, they're going to see that as being too complicated, and all the staff will agree because of sheer laziness.

Double-clicking the old program icon and having it automatically open up XP Mode and load itself into XP Mode might work, but is that possible?


  • 0

Hey

What about using Unlocker? That tool is great... Try using it in safe mode... wait, I've never tried this... Hmm, need to test now.

This topic is now closed to further replies.