http://www.howtogeek.com/forum/ How-To Geek Forums Topic: Remove Rootkits en Tue, 02 Dec 2008 12:54:02 +0000 http://www.howtogeek.com/forum/topic/remove-rootkits/page/2#post-38717 Thu, 31 Jul 2008 04:54:48 +0000 COMPIDIOT 38717@http://www.howtogeek.com/forum/ <p>Okay I followed the instructions to delete the malware but it just kept switching names.</p> <p>So I ran AVG in Admin Mode and deleted both.</p> <p>After that I completely un-installed AVG and it gave me an option to also delete any viruses or anything that was in the vault so I did.</p> <p>I read up a little on different security and decided to go with BitDefender Total Security 2008.<br /> In a few tests of products it came out number 1 and AVG didnt fare so well.<br /> Now Ive run scans and come up clean :)</p> <p>I also have SUPERAntispyware installed &lt; great program.</p> <p>Just wanted to post and say thanks for all the help.</p> <p>Sorry for the lag between responses,all the help is greatly appreciated! </p> http://www.howtogeek.com/forum/topic/remove-rootkits/page/2#post-36228 Mon, 21 Jul 2008 01:07:05 +0000 ScottW 36228@http://www.howtogeek.com/forum/ <p>Well, a search on mchInjDrv.sys shows exactly what I suspected. This malware is hiding and regenerating when removed. Here are instructions from Symantec on removal:<br /> <a href='http://www.symantec.com/security_response/writeup.jsp?docid=2003-111816-3817-99&#38;tabid=1'>http://www.symantec.com/security_response/writeup.jsp?docid=2003-111816-3817-99&#38;tabid=1</a></p> <p>Note this line: "Loads the following driver, when stealth mode is activated, and uses it to hide its process and service: mchinjdrv.sys". The idea of hiding itself and recreating the random letter filename is why this is being called a rootkit by AVG. </p> http://www.howtogeek.com/forum/topic/remove-rootkits/page/2#post-36224 Mon, 21 Jul 2008 00:17:49 +0000 COMPIDIOT 36224@http://www.howtogeek.com/forum/ <p>Okay I managed to delete :<br /> C:\Windows\system32\Drivers\mchInjDrv.sys<br /> and<br /> C:\Windows\System32\Drivers\a90thxv.SYS<br /> using Admin Account.</p> <p>So Im running another scan and now its :<br /> C:\Windows\System32\Drivers\ayx8md7x.SYS</p> <p>Any thoughts on how to get rid of this?</p> <p>Thanks for all the help. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36209 Sun, 20 Jul 2008 22:27:56 +0000 COMPIDIOT 36209@http://www.howtogeek.com/forum/ <p>@ jraparrish I will try that Administrator Account thing and see what happens.</p> <p>@ whs I tried all three of those apps with no luck :( is there any other apps you can think of?</p> <p>Thanks for the help </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36183 Sun, 20 Jul 2008 20:48:42 +0000 whs 36183@http://www.howtogeek.com/forum/ <p>AVG may not do the job. Maybe you want to try the programs we linked earlier. Those are specialized on Rootkits. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36178 Sun, 20 Jul 2008 20:43:37 +0000 jraparrish 36178@http://www.howtogeek.com/forum/ <p>Since this is a Vista computer, it may be a good idea to enable the Administrator Account and use it to perform the tasks you are suggesting. I have found where only the Administrator account itself has total control over the machine, even when the user account the person is using is a member of the Administrators. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36159 Sun, 20 Jul 2008 19:52:39 +0000 COMPIDIOT 36159@http://www.howtogeek.com/forum/ <p>When I try to Remove all unhealed infections the same pop up comes up saying access is denied.</p> <p>Currently Im not in safe mode(When I try to run the AVG scan in safe mode it starts some line command scan or something like that)that I dont understand. </p> <p>Yes I am the admin on this computer.</p> <p>How did it change numbers like that?</p> <p>Thanks. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36156 Sun, 20 Jul 2008 19:43:21 +0000 ScottW 36156@http://www.howtogeek.com/forum/ <p>Does your user account have admin authority? AVG should not care whether you have hidden files enabled or disabled. That's just for you the user to see or not see them in File Explorer.</p> <p>Are you still running in Safe Mode? It looks like what I said has happened -- the malware created a new jumbled letter filename and copied itself again. What did AVG do with the files? Heal, quarantine, or delete? </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36152 Sun, 20 Jul 2008 19:20:49 +0000 COMPIDIOT 36152@http://www.howtogeek.com/forum/ <p>OK I did a scan and no rootkits were found......but then I remembered I had changed that folder thing so I changed them back to the way they were(do not show hidden files and folders;hide protected operating system files[recommended])and ran another scan and now this:</p> <p>C:\Windows\system32\Drivers\mchInjDrv.sys<br /> and<br /> C:\Windows\System32\Drivers\a90thxv.SYS<br /> both hidden drivers.:(</p> <p>Dont know how but that second changed I guess.</p> <p>Any suggestions?</p> <p>Thanks for all the help. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36023 Sun, 20 Jul 2008 07:58:19 +0000 COMPIDIOT 36023@http://www.howtogeek.com/forum/ <p>Well when I try to remove using AVG it says access is denied.</p> <p>Will scan right now will post results shortly. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36013 Sun, 20 Jul 2008 06:23:22 +0000 ScottW 36013@http://www.howtogeek.com/forum/ <p>If the files aren't there, maybe they were quarantined by AVG. Does AVG have a quarantine that you can look at? How about checking AVG's activity log to see what it did with the files. If they are gone, that's great. How about this -- initiate a manual scan and see if it comes up clean or still identifies those same files. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36004 Sun, 20 Jul 2008 03:53:00 +0000 COMPIDIOT 36004@http://www.howtogeek.com/forum/ <p>@ ScottW<br /> Okay I changed those settings but I still cant find those files up there ^^^^^^ in my first post.</p> <p>BTW Im in safe mode.<br /> I had made a post about safe mode too but I dont know what happened to it(maybe it was in the wrong place?)</p> <p>Thanks for the input. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-36000 Sun, 20 Jul 2008 03:33:07 +0000 ScottW 36000@http://www.howtogeek.com/forum/ <p>Sure, sorry I was vague. Go to Control Panel -&gt; Folder Options -&gt; View tab. In the Advanced Settings area, find the Hidden Files and Folders section and choose "Show hidden files and folders". You may also want to temporarily uncheck the box next to "Hide system files and folders" because some malware will disguise itself as system files. When you have deleted the bad files, check that option again.</p> <p>You can get to Folder Options in safe mode as well. The benefit of safe mode is that it is less likely that the malware can protect itself from erasure or generate a new jumbled letters filename and copy itself there. Some of these can be very tenacious. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-35994 Sun, 20 Jul 2008 02:46:09 +0000 COMPIDIOT 35994@http://www.howtogeek.com/forum/ <p>@ ScottW</p> <p>I cant find the files even in safe mode because they are hidden(?) and I dont know what you mean by the folder options.</p> <p>Please explain </p> <p>Thanks in advance. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-35993 Sun, 20 Jul 2008 02:44:00 +0000 COMPIDIOT 35993@http://www.howtogeek.com/forum/ <p>Okay I tried all 3 suggestions:</p> <p>The spybot one didnt find any rootkits</p> <p>The Hook Analyzer came with this error:<br /> Cannot communicate with device.The operation completed successfully<br /> I then press ok and the screen pops up and I psh scan but this pops up:<br /> Wrong version of RSPSC32.sys installed. You may need to reinstall or reboot.</p> <p>The Root Kit Revealer kept rebooting my system and listed a bunch of HKLM\yada yada yada\(Im guessing registry things(?)<br /> but nothing that I could see of any rootkits :(<br /> I finally had to turn off my computer to stop that because it just kept taking me to the log in screen and after I logged in it would continue the same cycle.</p> <p>Any other suggestions?</p> <p>Thanks in advance. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-35870 Sat, 19 Jul 2008 16:56:36 +0000 Lighthouse 35870@http://www.howtogeek.com/forum/ <p>Thanks for that Rick :) </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-35869 Sat, 19 Jul 2008 16:54:53 +0000 raphoenix 35869@http://www.howtogeek.com/forum/ <p>All,</p> <p>When using Root Kit Revealer, it will sometimes hang a machine while scanning the registry WPA Signing Hash entry. There is a minor bug in the code if I remember correctly.</p> <p>Regards,<br /> Rick P. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-35829 Sat, 19 Jul 2008 12:41:58 +0000 ScottW 35829@http://www.howtogeek.com/forum/ <p>The name "axk3uljd" is just a random string of letters and numbers generated by the malware. This prevents you from googling on it, but it also means it is almost certainly bad. Lots of new malware uses these jumbled names, so always keep an eye out for them. We have seen this many times before.</p> <p>Compidiot: did you try deleting the files in safe mode? Have you set the Folder Options to display hidden files and folders? </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-35813 Sat, 19 Jul 2008 11:17:04 +0000 COMPIDIOT 35813@http://www.howtogeek.com/forum/ <p>@ Lighthouse thats the way its spelled on my AVG scan results.</p> <p>@ whs and Lighthouse thanks for the links. Will try and get back with results.(Probably later on tonight though(its already 6:16 A.M. here)</p> <p>Thanks again. </p> http://www.howtogeek.com/forum/topic/remove-rootkits#post-35809 Sat, 19 Jul 2008 10:54:03 +0000 Lighthouse 35809@http://www.howtogeek.com/forum/ <p>And here<br /> <a href='http://www.resplendence.com/hookanalyzer'>http://www.resplendence.com/hookanalyzer</a> </p>