RootKit help needed

Discussion in 'ESET NOD32 Antivirus' started by rhendrix9, Oct 29, 2009.

Thread Status:
Not open for further replies.
  1. rhendrix9

    rhendrix9 Registered Member

    Joined:
    Jun 2, 2009
    Posts:
    8
    Location:
    Atlanta, GA
    I am helping an 81 year old Grandmother with an apparent rootkit.

    I've tried mbr.exe, which said it worked but didn't; I tried gmer.exe, but it crashed. I just loaded Avast and bought ESET NOD32 Antivirus.
    I was hoping Avast might do something, but so far it just seems to lock things up.

    To complicate things, she lives about 10 hours from where I live, so I can't get my hands on the pc.

    It looks like I need to reinstall, but when NOD32 finally arrives, do you think it can help, or should I just go ahead with a new installation?

    Also, I have a recent backup on a USB drive. I want the pictures and documents; is there a possibility of being infected from the USB drive?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    The best would be to boot from a clean medium (e.g., a rescue CD), perform a full scan of the disk, and clean all found threats.
     
  3. rhendrix9

    rhendrix9 Registered Member

    Joined:
    Jun 2, 2009
    Posts:
    8
    Location:
    Atlanta, GA
    Will I get a rescue CD when my NOD32 Antivirus package arrives?
     
  4. othersteve

    othersteve Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    30
    You can also hook the hard drive directly to another computer if you have an IDE/SATA to USB adapter and then perform a full offline scan. Be sure to reset any permissions first, however. Installing the drive directly in the other PC is also an option, but be careful not to infect the clean PC.

    Steve
     
  5. rhendrix9

    rhendrix9 Registered Member

    Joined:
    Jun 2, 2009
    Posts:
    8
    Location:
    Atlanta, GA
    Well, I wish I could... but like I said earlier, she lives 10 hours away from me.

    But what do you mean by "reset any permissions first"?

    Thanks
     
  6. othersteve

    othersteve Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    30
    Oh, don't worry about that if you aren't going to hook to another machine. It's important to be sure you can access all files before running a scan from another machine.

    -Steve
     
  7. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
  8. othersteve

    othersteve Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    30
    Yeah; I have used that boot CD to great success also. I would recommend giving it a shot if you can't scan via another PC.

    -Steve
     
  9. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    You guys are a bit confused, or I am. I think he is connecting remotely to this PC that has the rootkit through Remote Desktop and needs something he can run while Windows is up, not from DOS or a boot CD.

    RootkitRevealer will rarely crash when the others seem to. But it's kind of useless, as it will only show you there is a rootkit there but won't let you do anything about it.
     
  10. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Also try McAfee Rootkit Detective if this is an XP machine; it will allow you to rename the rootkit files so they become unhidden, and then you can delete them and the registry entries. Google it.
     
  11. othersteve

    othersteve Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    30
    Oh, he is remotely connecting? I see. Yeah, that's an issue. Of course, he could always initiate a burn of a boot CD remotely on her PC (with her help of inserting a CD-R) and then instruct her to boot to the CD. It would probably take a few minutes to walk through the process, but at least then you could be fairly sure the disinfection is successful.

    From there, after the rootkit is removed, going back through the logs and removing anything obvious and following up with a ComboFix scan first, MBAM second could probably rid her of just about anything she's got. All this with minimal intervention on her part... but I think that's really the only surefire way of killing it without having full access to the PC.

    Just my $.02.

    -Steve
     