RootKit help needed

Discussion in 'ESET NOD32 Antivirus' started by rhendrix9, Oct 29, 2009.

Thread Status:
Not open for further replies.
  1. rhendrix9

    rhendrix9 Registered Member

    I am helping an 81 year old Grandmother with an apparent rootkit.

    I've tried mbr.exe which said it worked but didn't, I tried gmer.exe but it crashed. I just loaded avast and bought ESET NOD32 Antivirus.
    I was hoping avast might do something but so far it just seems to lock things up.

    To complicate things, she lives about 10 hours from where I live, so I can't get my hands on the pc.

    It looks like I need to reinstall, but when NOD32 finally arrives, do you think it can help or should I just go ahead with a new installation?

    Also, I have a recent backup on a USB drive. I want the pictures and documents; is there a possibility of being infected from the USB drive?
     
  2. Marcos

    Marcos Eset Staff Account

    The best would be to boot from a clean media (e.g. a rescue cd), perform a full scan of the disk and clean all found threats.
     
  3. rhendrix9

    rhendrix9 Registered Member

    Will I get a rescue CD when my NOD32 Antivirus package arrives?
     
  4. othersteve

    othersteve Registered Member

    You can also hook the hard drive directly to another computer if you have an IDE/SATA to USB adapter and then perform a full offline scan. Be sure to reset any permissions first, however. Installing the drive directly in the other PC is also an option, but be careful not to infect the clean PC.

    Steve
     
  5. rhendrix9

    rhendrix9 Registered Member

    Well, I wish I could... but like I said earlier, she lives 10 hours away from me.

    But what do you mean by "reset any permissions first"?

    Thanks
     
  6. othersteve

    othersteve Registered Member

    Oh, don't worry about that if you aren't going to hook to another machine. It's important to be sure you can access all files before running a scan from another machine.

    -Steve
     
  7. get_it

    get_it Registered Member

  8. othersteve

    othersteve Registered Member

    Yeah; I have used that boot CD to great success also. I would recommend giving it a shot if you can't scan via another PC.

    -Steve
     
  9. ccomputertek

    ccomputertek Registered Member

    You guys are a bit confused, or I am. I think he is connecting remotely to this PC that has the rootkit through Remote Desktop and needs something he can run while Windows is up, not from DOS or a boot CD.

    RootkitRevealer will rarely crash when the others seem to. But it's kind of useless, as it will only show you there is a rootkit there but won't let you do anything about it.
     
  10. ccomputertek

    ccomputertek Registered Member

    Also try McAfee Rootkit Detective if this is an XP machine. It will allow you to rename the rootkit files so they become unhidden, and then you can delete them and the registry entries. Google it.
     
  11. othersteve

    othersteve Registered Member

    Oh, he is remotely connecting? I see. Yeah, that's an issue. Of course, he could always initiate a burn of a boot CD remotely on her PC (with her help inserting a CD-R) and then instruct her to boot to the CD. It would probably take a few minutes to walk through the process, but at least then you could be fairly sure the disinfection is successful.

    From there, after the rootkit is removed, going back through the logs and removing anything obvious and following up with a ComboFix scan first, MBAM second could probably rid her of just about anything she's got. All this with minimal intervention on her part... but I think that's really the only surefire way of killing it without having full access to the PC.

    Just my $.02.

    -Steve
     