Root Kit Found


Postby Spark » Thu Apr 26, 2012 5:36 am

This PC, XP Pro SP3, IE8, AVG

Scanned this PC for root kits with AVG and it returned one root kit called IRPhook. I tried to remove it via AVG and it said this item was hidden. AVG was unable to get rid of it. How do I do it? Thanks
Spark
Anti-Static Strap
Posts: 485
Joined: Thu Jan 11, 2007 10:36 pm

Postby evasive » Thu Apr 26, 2012 6:01 am

Use these 3 in the exact order:

1- rkill.exe
http://www.bleepingcomputer.com/downloa ... irus/rkill

2- TDSS killer
http://support.kaspersky.com/faq/?qid=208280684

3- Malwarebytes
http://www.filehippo.com/download_malwa ... i_malware/

Fix all they find and then reboot. Please report back on how things went.
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 36791
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Postby Karlsweldt » Thu Apr 26, 2012 9:29 am

I have had several "root kit" attacks on one of my systems. Typically, they lodge in the AVG anti-virus log. But AVG (which I use on all systems) does have a process to remove the root kit entry easily.
Just bring up the AVG control panel from the SysTray icon. Click on History then Scan Results. Here is the record of all scans on that system. Scroll down the list, find the oldest listing of a root kit found. View Details of each entry, then you can choose to Remove/Delete that entry. You can do each infected entry separately, or several at one time. But with a root kit entry, the computer will need a restart to complete the operation. I do a check for root kit invasions daily.. before they become harmful. Also part of the 'normal' daily system scan. If there are 'update memory scans' amounting to less than 1 meg in size, they all can be deleted to conserve library history space. Even all those "clean" result entries can be deleted, up to the last 4~5 days.
For the infamous Sony/BMG root kit discoveries, there is a special process.. http://www.lavasoft.com/support/securit ... emover.php
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 19208
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Postby Spark » Fri Apr 27, 2012 2:37 pm

This is an update to the root kit nasty:

What I HAD was a root kit called IRPhook which AVG root kit scan picked up.

What I did:

a) disabled System Restore.
b) updated Malwarebytes, Super Anti Spyware, CCleaner, AVG, Spyware Blaster.
c) cleaned out the Temp folder,
d) ran disc clean-up and defragged the PC
e) downloaded F-Secure BlackLight.
f) I ran all of the above utilities and the only one that picked up the root kit was AVG.
g) I did what evasive said and downloaded rkill, then ran Kaspersky's utility which picked up a few nasties and followed through with cleaning them up.
h) I then ran Malwarebytes which returned nothing.
i) I rebooted and ran all what evasive said again. Kaspersky said all was clean.
j) I ran AVG again and checked for root kits and it found none.

So the root kit deal seems to be corrected and these nasties can be a real problem, I know.

The Windows Critical update issue has been corrected also.

Thanks to all who commented and helped, it's appreciated. Thanks evasive....
Spark
Anti-Static Strap
Posts: 485
Joined: Thu Jan 11, 2007 10:36 pm
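A post-cleanup check to go with the steps above, added here as an example (it is not from the thread nor from any of the tools named in it): it enumerates the kernel driver services Windows has registered and flags any whose binary cannot be seen on disk, or whose file carries no valid Authenticode signature. It assumes PowerShell 2.0 is installed on the XP machine and is run from an administrator session.

```powershell
# Added example (not from the thread): post-cleanup triage of registered kernel drivers.
# A driver service whose file cannot be seen is how a hidden rootkit driver typically presents.
$root = $env:SystemRoot

function Resolve-DriverPath([string]$p) {
    # Service image paths come in several shapes on XP:
    #   "\??\C:\...\x.sys", "\SystemRoot\system32\drivers\x.sys", "system32\DRIVERS\x.sys"
    if (-not $p) { return $null }
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot')) { $p = $root + $p.Substring(11) }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $root $p }
    return $p
}

$findings = @()
foreach ($d in Get-WmiObject Win32_SystemDriver) {
    $path = Resolve-DriverPath $d.PathName
    if (-not $path) { continue }

    if (-not (Test-Path -LiteralPath $path)) {
        # Registered with the service control manager, but the file is not visible to us.
        $findings += New-Object PSObject -Property @{
            Name = $d.Name; State = $d.State; Path = $path; Issue = 'file not visible on disk'
        }
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += New-Object PSObject -Property @{
            Name = $d.Name; State = $d.State; Path = $path; Issue = "signature $($sig.Status)"
        }
    }
}

# Review list: "file not visible" rows first, then unsigned or badly signed binaries.
$findings | Sort-Object Issue, Name | Format-Table Name, State, Issue, Path -AutoSize
```

On XP many legitimate drivers are catalog (WHQL) signed rather than embedded-signed and will show as NotSigned here, so the signature rows are a list to review against the vendor, not a verdict; the "file not visible on disk" rows are the ones worth chasing.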

Postby Mr T » Fri Apr 27, 2012 10:06 pm

Try malwarebytes in SAFE MODE too... It may still find a nasty... (I always run it in SAFE MODE, it seems to find more that way)...
I have been programming on computers since the ZX81.
I am an apprentice trained Electronics Engineer with qualifications to back it up.
I have been repairing computers since 1996.
Yet to some people I still know nothing...
Mr T
Enlightened Master
Posts: 16795
Joined: Fri Jun 14, 2002 1:03 am
Location: England

Postby Spark » Sat Apr 28, 2012 5:38 am

Mr T wrote:Try malwarebytes in SAFE MODE too... It may still find a nasty... (I always run it in SAFE MODE, it seems to find more that way)...
Yes I do the same, but some utilities will not run in safe mode.
Spark
Anti-Static Strap
Posts: 485
Joined: Thu Jan 11, 2007 10:36 pm

Postby Karlsweldt » Sat Apr 28, 2012 5:40 am

Mr T wrote:Try malwarebytes in SAFE MODE too... It may still find a nasty... (I always run it in SAFE MODE, it seems to find more that way)...

Good advice! When in 'safe' operating mode, most programming (and any other invasive program) likely is not active.. and in stealth mode. That makes them more vulnerable to removal. One critical prior step is to disable the "restore" feature of Windows, until after you are assured of removal of malware/viruses. A clean reboot or two, then enable the "restore" feature again. If not done, then Windows will faithfully undo all your efforts!!
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 19208
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Postby Spark » Sat Apr 28, 2012 5:53 am

Regarding this post:

Now that the nasty has been removed or at least stopped from running, how did I get this????

I run CCleaner almost every day. I run Malwarebytes, SuperAntiSpyware and AVG every week and I have my security settings in IE8 set to default with third-party cookies not being allowed. I don't open attachments from anyone that I don't know, nor any that I am not expecting. I do receive a good share of unwanted joke email from friends that I have set to be deleted; I don't open them.

I know Root Kits are very bad and can be very difficult to fix, but what got me was that although AVG was the only one that initially found it, AVG was unable to fix it and the other utilities didn't find it. The Root Kit file was hidden so that made it more difficult to deal with, I guess.

I am not a computer wiz and my wife tells me I have no brains, but I have built a few PCs, which we all know is no big deal as long as you do your homework. Knowing this, how does a user protect their PCs from nasties like this aside from what I am already doing?
Spark
Anti-Static Strap
Posts: 485
Joined: Thu Jan 11, 2007 10:36 pm

Postby Karlsweldt » Sat Apr 28, 2012 6:15 am

Blocking third-party cookies is a good way to reduce unwanted viral or malware attacks. But even the "good" cookies from trusted sites may be malicious. They assume a neutral or benign attitude, and are not picked up by the viral scanner. But after several of these clandestine cookies come into your system, a 'key' cookie comes along.. and activates all the other non-active associates to become a big problem!
Having separate accounts for each user will not prevent this problem. But a sort of "parental control" checker will reveal what each user has viewed from Web sites, and what features were delved into deeper. An old adage.. "the bigger the prey, the easier to find" applies. Well-known sites are always a big target for hackers and malware purveyors. If those sites do not preview all their ads, something will 'fall through the cracks'.
Many hackers randomly ping IP addresses.. to test the shields. And if there is a void or weakness, it is exploited!!
Beware of any pop-up warnings about "system needs a tune-up" or "your system is infected.. check now" or "your anti-virus program is outdated". By clicking on the closure tab, you can become entrapped by that hacker's foul desires. Any Email warnings about "account numbers needed" or other personal info should be deleted. Never click on links of those pages.. instead go to the true source. If a government agency wants private info via Email, it is fraudulent. Same with those notes about "winning" a lotto or inheritance. You will get a certified mail delivery if indeed true!
Always look for the "https" notation on sites that are supposed to be secure. Those sites do employ a high encryption rate, which makes it more difficult for hackers to crack into.
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 19208
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Postby Mr T » Sat Apr 28, 2012 7:59 am

The majority of 'free' antiviruses for Windows are very poor as they are a commercial product in the end (i.e. the company wants you to buy the full product, so they disable a lot of features on the free one, which allows the nasties in, and it won't detect some of them or remove them)... That is why on Windows I use Microsoft Security Essentials... Saying that, I hadn't used my XP system for ages, switched it on, updated all, and after a scan with Malwarebytes it found two trojans - from where I do not know...????!!! AVG has been pretty poor recently.. I have switched to Linux, Unix and Mac recently and have had no issues with that yet....
I have been programming on computers since the ZX81.
I am an apprentice trained Electronics Engineer with qualifications to back it up.
I have been repairing computers since 1996.
Yet to some people I still know nothing...
Mr T
Enlightened Master
Posts: 16795
Joined: Fri Jun 14, 2002 1:03 am
Location: England
