Virus - rootkit removal? [Archive] - Glock Talk

PDA

View Full Version : Virus - rootkit removal?


vote Republican
07-17-2011, 06:45
My father in law has an old XP computer. It got virused, and running from a AV boot CD it shows volsnap.sys has a rootkit. So I need to replace this file, not just delete it (important system file). Thoughts? I am gearing towards format/reinstall, but I'm just wondering if there's anything anyone has done here.

When I run AV from the OS, it doesn't show this infection. Malwarebytes, Sophos show clean.

eracer
07-17-2011, 07:03
http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm

This provides a link to GMER and RootRepeal, which are a bit more sophisticated than Sophos.

GIockGuy24
07-17-2011, 07:33
Kaspersky TDSSKiller is suppose to repair that one.

How to disinfect a compromised system

# Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);
# Run the TDSSKiller.exe file;
# Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed.

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

More info

http://support.kaspersky.com/faq/?qid=208283363

GIockGuy24
07-17-2011, 07:41
Ah the zip file version may be out of date.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

* Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
* If TDSSKiller does not run, try renaming it.
* To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
* Click the Start Scan button.
* Do not use the computer during the scan
* If the scan completes with nothing found, click Close to exit.
* If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
* Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
* A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).



If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these[/color] instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

Pierre!
07-17-2011, 09:46
RootKits *suck*...

I have always just 'Nuked Them From Space' so that I am sure... Particularly on Business systems in highly regulated industries.

And, after the re-install, it's so much faster!

It will be interesting to see if this gets effectively cleaned!

Nice links GlockGuy24... looking to hear this fixes up nice and easy!

vote Republican
07-17-2011, 11:18
Kaspersky TDSSKiller is suppose to repair that one.



http://support.kaspersky.com/downloads/utils/tdsskiller.zip

More info

http://support.kaspersky.com/faq/?qid=208283363

that seems to have found it, says it removed it... reboot & rescan it didn't find it again. Browser isn't hijacked. I'll see if SP3 goes on OK now, and rescan with some other tools as well. Thanks for the find!

vote Republican
07-17-2011, 11:19
RootKits *suck*...

I have always just 'Nuked Them From Space' so that I am sure... Particularly on Business systems in highly regulated industries.

!

100% agree for work computers, make an image & keep docs on a network drive. This is an old PC, not sure where all the CDs are even (I could probably find one if I had to).

Pierre!
07-17-2011, 11:47
that seems to have found it, says it removed it... reboot & rescan it didn't find it again. Browser isn't hijacked. I'll see if SP3 goes on OK now, and rescan with some other tools as well. Thanks for the find!

Thanks for letting us know how it went!

I may have a new tool for the future, you too no doubt! :supergrin:

Thanks, and I dig your 'Handle' - vote Republican - and vote em all out till further notice (LOL)

Patrick

vote Republican
07-17-2011, 11:50
You've been around almost as long as I have, and you've never noticed? LOL

srhoades
07-17-2011, 22:45
combofix is now pretty good at replacing infected system files.

gemeinschaft
07-18-2011, 06:04
VR, I have a bunch of Windows OEM discs. As long as you still have a valid license key, you might be able to use another disk.

What OS and who is the Manufacturer?