AFX Rootkit

Discussion in 'malware problems & news' started by jeffczyz, Mar 27, 2005.

Thread Status:
Not open for further replies.
  1. jeffczyz

    jeffczyz Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    2
    I keep finding the AFX rootkit installed on my PC. I clean it off, then a day or so later it shows up again. I have the XP firewall running, a Cable DSL router with a firewall, yet I still get this.

    What do I need to disable/fix to prevent this?
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi jeffczyz,

    One option is to download and install the trial version of UnHackMe. The latest version supports removal of the AFX rootkit.

    Another option is to follow these removal instructions (from the rootkit's readme):

    Method 1
    1. Run the root.exe with the "/u" parameter
    2. Delete all the files associated with it
    3. Reboot

    Method 2
    1. Boot into safe mode
    2. Locate the service with the root folder name
    3. Remove the service and delete all the files associated with it
    4. Reboot


    You would first have to scan with RootkitRevealer in order to locate the hidden executable and its folder.

    Nick
     
  3. jeffczyz

    jeffczyz Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    2
    Nick,

    Thanks for the reply. I'm running unHackme now and that's what keeps finding it. My real question is, how is it getting installed? Do I have an open port, running something I shouldn't be? I can't seem to find the connection to where it is coming from.

    Thanks
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    More than likely it is another autostarting process. A scan with RootkitRevealer might give you more information.

    Nick
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi jeffczyz,

    I was pressed for time and not able to add some suggestions to my last post.

    Regarding open ports, you should be able to get a basic view of any unauthorized network traffic by looking at XP's firewall log (C:\WINDOWS\pfirewall.log). Your router logs are also worth looking at.

    Regarding the repeating rootkit installation, the AFX rootkit is installed (by some process/executable) as a service via registry modification. The safest way to pinpoint the installing process without becoming reinfected is to use the trial version of RegDefend to monitor processes that attempt to modify the registry. It's safe because you are alerted and given the option to allow or deny the change. If you deny, the rootkit fails to install correctly. Once UnHackMe removes the rootkit, install RegDefend. If you use the setting below, any attempt to create the rootkit service will be blocked and logged.

    If you want to clean your system (and bypass the detective work), I recommend following Blackspear's General Virus and Trojan removal Instructions.

    Nick
     

    Attached Files:
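The firewall-log review Nick suggests can be automated. The PowerShell script below is an added example (not code from the thread or from any tool mentioned in it). It parses the W3C-style layout that XP's pfirewall.log uses, driven by the file's own #Fields header rather than fixed column positions, then separates inbound packets the firewall dropped from inbound connections it accepted. The log lines embedded in it are constructed; on a real machine replace them with Get-Content on the path from the post. Note that XP does not write this log until logging is switched on under Windows Firewall > Advanced > Security Logging (dropped packets and successful connections are separate options).

```powershell
# Added example, not from the thread: summarise XP's firewall log
# (C:\WINDOWS\pfirewall.log, as named in the post above).
# Written for PowerShell 2.0 and later; no modules required.

# Constructed sample in the log's W3C-style layout. The #Fields header drives
# the parser, so a real file is read with:
#   $entries = ConvertFrom-FirewallLog (Get-Content 'C:\WINDOWS\pfirewall.log')
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-03-27 10:15:02 DROP TCP 192.0.2.10 192.168.1.5 3456 445 48 S 1234567 0 65535 - - - RECEIVE
2005-03-27 10:15:03 DROP TCP 192.0.2.10 192.168.1.5 3457 135 48 S 1234568 0 65535 - - - RECEIVE
2005-03-27 10:15:09 DROP TCP 192.0.2.11 192.168.1.5 2201 445 48 S 1234901 0 65535 - - - RECEIVE
2005-03-27 10:16:10 DROP UDP 198.51.100.7 192.168.1.5 1026 1026 421 - - - - - - - RECEIVE
2005-03-27 10:20:44 OPEN TCP 192.168.1.5 203.0.113.20 1050 80 0 - 0 0 0 - - - -
2005-03-27 10:21:01 OPEN-INBOUND TCP 192.0.2.55 192.168.1.5 4022 6666 0 - 0 0 0 - - - -
'@

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields header names the columns; other '#' lines are metadata.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        if ($fields -eq $null) { throw 'Data line seen before the #Fields header' }
        $values = $line.Trim() -split '\s+'
        $entry = New-Object psobject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $v = '-'
            if ($i -lt $values.Count) { $v = $values[$i] }
            $entry | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $v
        }
        $entry
    }
}

$entries = ConvertFrom-FirewallLog ($SampleLog -split "`r?`n")

# Inbound packets the firewall dropped, grouped by protocol and destination port.
# Repeated drops on one port from a few sources are background scanning that the
# firewall already stopped; they are not evidence of an open port.
"== Dropped inbound, by protocol/port =="
$entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object protocol, 'dst-port' | Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }

# Inbound connections the firewall accepted: each destination port here is a
# listening program with a firewall exception, and each one must be accounted for.
"`n== Accepted inbound connections =="
$entries | Where-Object { $_.action -eq 'OPEN-INBOUND' } |
    ForEach-Object { '{0} {1}  {2} {3}:{4} -> port {5}' -f $_.date, $_.time, $_.protocol, $_.'src-ip', $_.'src-port', $_.'dst-port' }
```

The second listing is the one that answers "do I have an open port": an accepted inbound connection means a program on the PC was listening and had a firewall exception, so the destination port should be matched to a known, wanted program. Dropped traffic only tells you what is being probed from outside.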

  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    You have not mentioned the version of this aphex rootkit (AFXRootkit2003/2004/2005?), but they are only variants of the original one.
    UnHackMe detects it and can remove it easily.

    RootkitRevealer is a good tool to search for a sign of a rootkit's presence, but it's almost intended for advanced users.
    You can also try RKDetector professional, which is easy to use (run rkdetector.exe): this tool will search for hidden processes, services and regkeys like run/runonce (see image): http://bagpuss.swan.ac.uk/comms/


    If you want to be sure that the rootkit was TOTALLY removed, take a look at its files (dll...) on this page:
    http://www.uk.sophos.com/virusinfo/analyses/trojafxroote.html

    And use a registry tool to find traces of the rootkit.

    For rootkit prevention, ProcessGuard and UnHackMe are an efficient (and easy to use) solution.
    I can just recommend disabling the Windows Firewall and installing another one:

    -Free ones: ZoneAlarm, Kerio, Sygate and Jetico,
    -Paid ones: just take a look at the firewall area on this forum.

    A router is not enough.

    Regards
     

    Attached Files:

  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Nick,

    I did not find the entry that you are referring to in RegDefend's standard entries nor in the RegRun entries dataset. Are you recommending that this entry be added to the Special Registry Items in all cases, or just in the case where there is a suspected rootkit? Thanks for the info.

    Rich
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Rich,

    I believe it should be there by default in the "Auto Starts" group. If it is not there, I would absolutely include and protect it in all cases.

    Nick
     
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Here's a brief overview of Control Set and related keys: What are Control Sets? What is CurrentControlSet?.

    In addition to HKEY_LOCAL_MACHINE\CurrentControlSet\Services, I would also protect these:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00*\Services
    HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery
    HKEY_LOCAL_MACHINE\SYSTEM\Select


    Nick
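Why the ControlSet00* and Select keys deserve protection alongside CurrentControlSet can be shown with a short audit. The PowerShell script below is an added example, not code from the thread or from RegDefend: it reads HKLM\SYSTEM\Select to learn which ControlSet00N is Current, Default and LastKnownGood, enumerates the Services key of every control set, and reports (1) service keys that exist only in a non-current set, which are invisible under CurrentControlSet yet load if that set is ever selected, and (2) Win32 service keys in the current set that the Service Control Manager does not enumerate. It assumes the standard HKLM: registry provider and Get-Service and should run as Administrator; it targets PowerShell 2.0 and later.

```powershell
# Added example, not from the thread: audit service registrations across all
# control sets and cross-check the current one against the Service Control Manager.

function Get-ControlSetMap {
    # HKLM\SYSTEM\Select holds DWORDs naming which ControlSet00N is Current,
    # Default, LastKnownGood and Failed; CurrentControlSet is a link to Current.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    $map = @{}
    foreach ($role in 'Current', 'Default', 'LastKnownGood', 'Failed') {
        $n = $sel.$role
        if ($n -ne $null -and $n -gt 0) { $map[$role] = 'ControlSet{0:D3}' -f [int]$n }
    }
    return $map
}

function Get-RegistryServices {
    param([string]$ControlSet)
    $base = "HKLM:\SYSTEM\$ControlSet\Services"
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        New-Object psobject -Property @{
            ControlSet = $ControlSet
            Name       = $key.PSChildName
            Type       = $p.Type        # 0x1/0x2 drivers, 0x10/0x20 Win32 services
            Start      = $p.Start       # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath  = $p.ImagePath
        }
    }
}

$map     = Get-ControlSetMap
$current = $map['Current']
$allSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName }

"Control sets: " + (($map.Keys | Sort-Object | ForEach-Object { "$_=$($map[$_])" }) -join '  ')

# Index every service key by name, then by the control set it lives in.
$byName = @{}
foreach ($cs in $allSets) {
    foreach ($svc in Get-RegistryServices -ControlSet $cs) {
        if (-not $byName.ContainsKey($svc.Name)) { $byName[$svc.Name] = @{} }
        $byName[$svc.Name][$cs] = $svc
    }
}

# 1. Keys present only in a non-current set: hidden from a CurrentControlSet-only
#    view, but active as soon as that set is selected (e.g. via Last Known Good).
"`n== Service keys absent from $current but present in another set =="
foreach ($name in ($byName.Keys | Sort-Object)) {
    $sets = $byName[$name]
    if (-not $sets.ContainsKey($current)) {
        $first = @($sets.Values)[0]
        '{0,-36} {1,-24} {2}' -f $name, (($sets.Keys | Sort-Object) -join ','), $first.ImagePath
    }
}

# 2. Win32 service keys in the current set that the SCM does not report.
#    Driver keys (Type 1/2) are skipped because Get-Service does not list them.
$scm = @{}
foreach ($s in Get-Service) { $scm[$s.Name.ToLower()] = $true }
"`n== Win32 service keys in $current not returned by Get-Service =="
foreach ($name in ($byName.Keys | Sort-Object)) {
    $svc = $byName[$name][$current]
    if ($svc -eq $null -or $svc.Type -eq $null) { continue }
    if ((($svc.Type -band 0x30) -ne 0) -and -not $scm.ContainsKey($name.ToLower())) {
        '{0,-36} Start={1} {2}' -f $name, $svc.Start, $svc.ImagePath
    }
}
```

Treat both listings as leads rather than verdicts: a freshly installed or uninstalled service can legitimately differ between control sets until the next clean shutdown copies the current set to Last Known Good. Also keep in mind that this script reads the registry and queries the SCM through the ordinary Windows APIs, which is exactly what a user-mode rootkit such as AFX hooks to hide its entries; that is why RootkitRevealer compares the API view against a raw read of the hive. Run this after UnHackMe has cleaned the machine, or from safe mode, as a check on what the registry-protection rules above need to cover.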
     
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Nick. I found the CurrentControlSet in Autostarts as you indicated and added the other registry keys as you suggested. After reading the link you provided, it seems like they are important keys to register under RegDefend. Hopefully Jason is following these threads and is making note of these suggestions.

    Rich
     