
Rootkit detected but can't remove

I have XP and I have found a rootkit with AVG in C:\Windows\System32\Drivers

It tells me that to remove it I must restart the computer, but when I do it is still there, although the name has changed. My son has got the same problem on Vista. AVG gives a message on his that it can't be removed and doesn't give him the option of a restart. I have used Spyware Doctor and Malwarebytes, but without success. Is there anything else I can do? Thanks.

Comments

  • posted_2
    posted_2 Posts: 514 Forumite
    Assuming it's not a false positive, use a boot cd

    http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
  • compmad1
    compmad1 Posts: 995 Forumite
    Part of the Furniture
    posted wrote: »
    Assuming it's not a false positive, use a boot cd

    http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html


    Thanks. I'm not very computer literate and don't know what would be involved in doing this. Actually I find this sort of thing a bit scary. Could I just ignore the rootkit?
  • posted_2
    posted_2 Posts: 514 Forumite
    Not really.

    If you download the file and run it, with a blank CD in your writer, it will create a CD which is bootable - when you boot from it, it will scan for viruses. Rootkits hide themselves from Windows, which makes them hard to remove while Windows is running.
  • compmad1
    compmad1 Posts: 995 Forumite
    Part of the Furniture
    posted wrote: »
    Not really.

    If you download the file and run it, with a blank CD in your writer, it will create a CD which is bootable - when you boot from it, it will scan for viruses. Rootkits hide themselves from Windows, which makes them hard to remove while Windows is running.

    I can understand this a bit more now. How would I boot from the CD?
  • posted_2
    posted_2 Posts: 514 Forumite
    Depends on the PC. Some will boot from CD automatically, some require you to press F12 to get a boot menu; for the rest, you just need to set the boot order in the BIOS so that the CD drive boots before the hard disk.
  • Browntoa
    Browntoa Posts: 49,545 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 10 May 2009 12:03PM
    post the malware bytes log for me

    what did it find ??
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    Ex forum ambassador

    Long term forum member
  • compmad1
    compmad1 Posts: 995 Forumite
    Part of the Furniture
    posted wrote: »
    Depends on the PC. Some will boot from CD automatically, some require you to press F12 to get a boot menu; for the rest, you just need to set the boot order in the BIOS so that the CD drive boots before the hard disk.

    Thanks for your help. I'll look at doing this.
  • compmad1
    compmad1 Posts: 995 Forumite
    Part of the Furniture
    Browntoa wrote: »
    post the malware bytes log for me

    what did it find ??
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

    Thanks.

    Malwarebytes' Anti-Malware 1.36
    Database version: 2104
    Windows 5.1.2600 Service Pack 2

    10/05/2009 12:50:04
    mbam-log-2009-05-10 (12-50-04).txt

    Scan type: Quick Scan
    Objects scanned: 118782
    Time elapsed: 21 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
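As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log format shown above. It reads the summary counts ("Files Infected: 0") and the per-section findings, checks that the two agree, and reports whether the log is clean and whether it came from a Quick Scan rather than a full one. The first log is the one posted in the thread; the second is a constructed sample with a placeholder file name, added only to show what a non-clean log produces.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) text log and summarise it.

Added example. The log layout is inferred from the log posted in the
thread, not from any MBAM documentation; the INFECTED_LOG sample below is
constructed and its file name is a placeholder.
"""
import re
from typing import Dict, List, Optional

# "Files Infected: 0" style line in the summary block
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "Files Infected:" style line that opens a findings section
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text: str) -> Dict[str, dict]:
    """Return header fields, summary counts and listed findings per section."""
    header: Dict[str, str] = {}
    summary: Dict[str, int] = {}
    items: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NO_ITEMS:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["cat"]
            items[current] = []
            continue
        if current is not None:
            # Any other non-blank line inside a section is a finding.
            items[current].append(line)
        elif ": " in line:
            # Header lines such as "Scan type: Quick Scan" come before the summary.
            key, value = line.split(": ", 1)
            header[key] = value
    return {"header": header, "summary": summary, "items": items}


def assess(report: Dict[str, dict]) -> Dict[str, object]:
    """Decide whether the log reports anything, and flag a Quick Scan."""
    summary_total = sum(report["summary"].values())
    listed = sum(len(v) for v in report["items"].values())
    return {
        "clean": summary_total == 0 and listed == 0,
        "summary_total": summary_total,
        "listed": listed,
        # The summary counts should match the number of listed findings.
        "consistent": summary_total == listed,
        # A clean Quick Scan says less than a clean Full Scan would.
        "quick_scan": report["header"].get("Scan type") == "Quick Scan",
    }


# The log posted in the thread (summary and sections only).
CLEAN_LOG = """Malwarebytes' Anti-Malware 1.36
Database version: 2104
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 118782
Time elapsed: 21 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Constructed sample of a log with one finding; the path is a placeholder.
INFECTED_LOG = """Malwarebytes' Anti-Malware 1.36
Database version: 2104

Scan type: Full Scan

Files Infected: 1

Files Infected:
C:\\Windows\\System32\\drivers\\PLACEHOLDER.sys (Rootkit.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for name, log in (("thread log", CLEAN_LOG), ("constructed log", INFECTED_LOG)):
        print(name, assess(parse_mbam_log(log)))
```

The parser deliberately reports `consistent` separately from `clean`: a log whose summary counts say zero but which still lists an item (or the reverse) was either edited or truncated when pasted, and should be re-run rather than trusted.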
  • Browntoa
    Browntoa Posts: 49,545 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Looks clean, reckon it's a false positive (not a real infection)
    Ex forum ambassador

    Long term forum member
  • Hazzanet
    Hazzanet Posts: 1,720 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Just give it a check with F-Secure Blacklight (a free rootkit remover):

    http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/

    see what it comes up with.
This discussion has been closed.