Help with removing Win32: Rootkit-gen (RtK)

  • closed
    closed Posts: 10,886 Forumite
    edited 19 March 2011 at 8:25PM
    no, google update, mdm (that's the IE thing), vnc are still showing

    did you reboot?

    how is the commit charge and speed after a reboot now?

    do you use all the sony photo and media server software?
  • Hi

    Def did as you said regarding google update, IE and ticking the VNC thing in hijack this. Just rebooted before I ran the last hijack this log I posted.

    commit charge currently:
    281772 total
    1149840 limit
    514180 peak

    erm, I don't use all the Sony media stuff but would want to keep the option, so don't mind removing stuff from start up etc but don't want to delete altogether...
    Proud to be dealing with my debts
    Debt at Light Bulb Moment (January 2011): £21,953
    Debt at current level (Nov 2013): £4,567.50
    Debt free wanabee date: Dec 2014 :j
  • closed
    closed Posts: 10,886 Forumite
    edited 19 March 2011 at 8:43PM
    Wasn't suggesting you remove it, but it's running all the time using ram, they mostly run as a service, so not quite as easy to disable as a normal startup item, so you can leave them
  • ok thanks.

    With the IE thing, am I clicking to put a tick against the item or clicking to take the tick away?

    I have two options: disable script debugging (Internet Explorer) and disable script debugging (other), is it both of these I change?
  • closed
    closed Posts: 10,886 Forumite
    tick both.

    when you ticked the vnc in hijackthis, did you then click fix checked?

    HP printer?
  • Milltowngirl
    Milltowngirl Posts: 114 Forumite
    edited 20 March 2011 at 11:18AM
    Hi

    Yes had done that (ticked both) but thought perhaps I wasn't meant to. Yes, in HijackThis clicked 'fix checked'.

    HP printer I do use yes.

    Ran Dr Web last night. Somewhere between about 5-7 hours it seemed to stop, as the computer was just switched off? Does it shut down after it's finished? I can't seem to see how to tell what it's done, i.e. does it save a log / report anywhere? I know it found these 2 items:
    Trojan.NtRootkit.9731 - cured
    Trojan.MulDrop2.5713 - uncurable, moved
    as it found these whilst I was watching and it asked me for prompts on what to do, but as I say, next time I looked the PC was just switched off.

    How do I know whether my PC is now clean again? I'm running an avast scan again now as we speak. Anything else I should do?

    Couple of last things: I've noticed since making all these changes yesterday, when I now log in I get an error message telling me I have no firewall, because Windows Firewall seems to take a few minutes to switch on? Is this correct or do I need to change any settings or anything? Is it safe just to run Windows Firewall, as some web forums etc seem to suggest it's not so good and you should use ZoneAlarm etc?

    Also, since running the Dr Web scan yesterday the computer appears a bit slower and much noisier again? As I'm running an avast scan at the moment I don't know whether it's just that at the moment, but before I started that it was still much noisier on loading the desktop, and although it now loads quicker (I can be in Firefox within a minute, although I guess I should wait until the firewall has switched on) it was continuing to make a lot of noise even after that, as if something is working really hard in the background even though nothing was running? It wasn't behaving like this yesterday, before the Dr Web scan? Any ideas?

    Many Thanks
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Did dr web find anything?
  • Hi


    Ran Dr Web last night. Somewhere between about 5-7 hours it seemed to stop, as the computer was just switched off? Does it shut down after it's finished? I can't seem to see how to tell what it's done, i.e. does it save a log / report anywhere? I know it found these 2 items:
    Trojan.NtRootkit.9731 - cured
    Trojan.MulDrop2.5713 - uncurable, moved
    as it found these whilst I was watching and it asked me for prompts on what to do, but as I say, next time I looked the PC was just switched off.

    How do I know whether my PC is now clean again? I'm running an avast scan again now as we speak. Anything else I should do?

    Also, since running the Dr Web scan yesterday the computer appears a bit slower and much noisier again? As I'm running an avast scan at the moment I don't know whether it's just that at the moment, but before I started that it was still much noisier on loading the desktop, and although it now loads quicker (I can be in Firefox within a minute, although I guess I should wait until the firewall has switched on) it was continuing to make a lot of noise even after that, as if something is working really hard in the background even though nothing was running? It wasn't behaving like this yesterday, before the Dr Web scan? Any ideas?

    Many Thanks

    Also, avast scan not yet finished, but has so far found 1 infected file :(
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    sorry, missed your original post

    avast might be picking up on Dr Web's quarantined files

    The dr web log should be in one of these 2 places -
    C:\Program Files\DrWeb
    C:\Users\username\DoctorWeb

    The parts it's removed or whatever will be right near the bottom
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'd recommend posting a fresh HijackThis log and download and run the latest ComboFix and post that log again. It's possible I missed something
This discussion has been closed.