Page 1 of 2

Root Kit Found

Posted: Thu Apr 26, 2012 5:36 am
by Spark
This PC, XP Pro SP3, IE8, AVG

Scanned this PC for root kits with AVG and it returned one root kit called IRPhook. I tried to remove it via AVG and it said this item was hidden. AVG was unable to get rid of it. How do I do it? Thanks.

Posted: Thu Apr 26, 2012 6:01 am
by evasive
Use these 3 in the exact order:

1- rkill.exe ... irus/rkill

2- TDSS killer

3- Malwarebytes ... i_malware/

Fix all they find and then reboot. Please report back on how things went.

Posted: Thu Apr 26, 2012 9:29 am
by Karlsweldt
I have had several "root kit" attacks on one of my systems. Typically, they lodge in the AVG anti-virus log. But AVG (which I use on all systems) does have a process to remove the root kit entry easily.
Just bring up the AVG control panel from the SysTray icon. Click on History then Scan Results. Here is the record of all scans on that system. Scroll down the list, find the oldest listing of a root kit found. View Details of each entry, then you can choose to Remove/Delete that entry. You can do each infected entry separately, or several at one time. But with a root kit entry, the computer will need a restart to complete the operation. I do a check for root kit invasions daily.. before they become harmful. Also part of the 'normal' daily system scan. If there are 'update memory scans' amounting to less than 1 meg in size, they all can be deleted to conserve library history space. Even all those "clean" result entries can be deleted, up to the last 4~5 days.
For the infamous Sony/BMG root kit discoveries, there is a special process.. ... emover.php

Posted: Fri Apr 27, 2012 2:37 pm
by Spark
This is an update to the root kit nasty:

What I HAD was a root kit called IRPhook which AVG root kit scan picked up.

What I did:

a) Disabled System Restore.
b) Updated Malwarebytes, SuperAntiSpyware, CCleaner, AVG and SpywareBlaster.
c) Cleaned out the Temp folder.
d) Ran Disk Cleanup and defragged the PC.
e) Downloaded F-Secure BlackLight.
f) Ran all of the above utilities; the only one that picked up the root kit was AVG.
g) Did what evasive said: downloaded rkill, then ran Kaspersky's utility, which picked up a few nasties, and followed through with cleaning them up.
h) Then ran Malwarebytes, which returned nothing.
i) Rebooted and ran everything evasive said again. Kaspersky said all was clean.
j) Ran AVG again and checked for root kits; it found none.

So the root kit deal seems to be corrected and these nasties can be a real problem, I know.

The Windows Critical update issue has been corrected also.

Thanks to all who commented and helped, it's appreciated. Thanks evasive.... :mb_champagne:: :D :wink:

Posted: Fri Apr 27, 2012 10:06 pm
by Mr T
Try Malwarebytes in SAFE MODE too... It may still find a nasty... (I always run it in SAFE MODE, it seems to find more that way)...

Posted: Sat Apr 28, 2012 5:38 am
by Spark
Mr T wrote: Try Malwarebytes in SAFE MODE too... It may still find a nasty... (I always run it in SAFE MODE, it seems to find more that way)...

Yes I do the same, but some utilities will not run in safe mode.

Posted: Sat Apr 28, 2012 5:40 am
by Karlsweldt
Mr T wrote: Try Malwarebytes in SAFE MODE too... It may still find a nasty... (I always run it in SAFE MODE, it seems to find more that way)...

Good advice! When in 'safe' operating mode, most programming (and any other invasive program) likely is not active.. and in stealth mode. That makes them more vulnerable to removal. One critical prior step is to disable the "restore" feature of Windows, until after you are assured of removal of malware/viruses. A clean reboot or two, then enable the "restore" feature again. If not done, then Windows will faithfully undo all your efforts!!

Posted: Sat Apr 28, 2012 5:53 am
by Spark
Regarding this post:

Now that the nasty has been removed, or at least stopped from running, how did I get this?

I run CCleaner almost every day. I run Malwarebytes, SuperAntiSpyware and AVG every week, and I have my security settings in IE8 set to default with third-party cookies not being allowed. I don't open attachments from anyone I don't know, nor any that I am not expecting. I do receive a good share of unwanted joke email from friends, which I have set to be deleted; I don't open them.

I know root kits are very bad and can be very difficult to fix, but what got me was that although AVG was the only one that initially found it, AVG was unable to fix it, and the other utilities didn't find it. The root kit file was hidden, so that made it more difficult to deal with, I guess.

I am not a computer wiz and my wife tells me I have no brains, but I have built a few PCs, which we all know is no big deal as long as you do your homework. Knowing this, how does a user protect their PCs from nasties like this, aside from what I am already doing?

Posted: Sat Apr 28, 2012 6:15 am
by Karlsweldt
Blocking third-party cookies is a good way to reduce unwanted viral or malware attacks. But even the "good" cookies from trusted sites may be malicious. They assume a neutral or benign attitude, and are not picked up by the viral scanner. But after several of these clandestine cookies come into your system, a 'key' cookie comes along.. and activates all the other non-active associates to become a big problem!
Having separate accounts for each user will not prevent this problem. But a sort of "parental control" checker will reveal what each user has viewed from Web sites, and what features were delved into deeper. An old adage.. "the bigger the prey, the easier to find" applies. Well-known sites are always a big target for hackers and malware purveyors. If those sites do not preview all their ads, something will 'fall through the cracks'.
Many hackers randomly ping IP addresses.. to test the shields. And if there is a void or weakness, it is exploited!!
Beware of any pop-up warnings about "system needs a tune-up" or "your system is infected.. check now" or "your anti-virus program is outdated". By clicking on the closure tab, you can become entrapped by that hacker's foul desires. Any Email warnings about "account numbers needed" or other personal info should be deleted. Never click on links of those pages.. instead go to the true source. If a government agency wants private info via Email, it is fraudulent. Same with those notes about "winning" a lotto or inheritance. You will get a certified mail delivery if indeed true!
Always look for the "https" notation on sites that are supposed to be secure. Those sites do employ a high encryption rate, which makes it more difficult for hackers to crack into.

Posted: Sat Apr 28, 2012 7:59 am
by Mr T
The majority of 'free' antiviruses for Windows are very poor, as they are a commercial product in the end (i.e. the company wants you to buy the full product, so they disable a lot of features on the free version, which allows the nasties in and won't detect some of them or remove them)... That is why on Windows I use Microsoft Security Essentials... Saying that, I hadn't used my XP system for ages; I switched it on, updated everything, and after a scan with Malwarebytes it found two trojans - from where I do not know...????!!! AVG has been pretty poor recently.. I have switched to Linux, Unix and Mac recently and have had no issues with that yet....