Posted on 07/01/2009 7:12:27 AM PDT by Oshkalaboomboom
I have a rootkit trace that refuses to go away. McAfee can't delete it. Malwarebytes Anti-Malware claims to delete it but it's right there as soon as it closes. I find hundreds of references to it via Google but nobody says how to get rid of it and nobody even discusses what it does besides annoy you. My CD burning programs have been disabled so I can't make an alternative OS like BartPE. I can boot off the Windows CD and get into the Recovery Console. I use DOS commands to delete the files but they come right back again.
Microsoft has said that there are some infections that can't be fixed. Is this one of them? I can wipe everything out and start over but I'd prefer that to be the last resort, not the first.
The file that won't go away is uacinit.dll It also makes a few copies of itself and a registry key. Has anyone ever successfully deleted this?
use windows defender
Windows Malicious Software Remover (MRT) worked for me. You might be able to download it from Microsoft and update it. I like Defender also.
Get a Mac. You won’t have this problem.
Watch where you go and what you download to remove this. For the past three years this type of extortion ware has been infecting computers with false spyware removal programs and fake anti-virus programs. The authors, who seem to be in China, also put up fake websites advertising removal tools that just re-infect the computer.
Normally you can find the removal instructions on Symantec, McAfee, Trendmicro, AVG, F-Secure or one of the other Anti-Virus vendor websites. Also Microsoft’s Malware removal tool has been known to remove this type of infection.
http://www.softwarepatch.com/windows/microsoftvirusremoval.html
This has interesting non-technical things you should do, in addition to getting the technical problem fixed: http://www.bleepingcomputer.com/forums/topic227700.html
I’d hit it.
You probably need to put the hard drive in an external case, and then attach via USB or Firewire to a second system. Then, mount your drive, go into the location, remove the file, etc.
If you know the day of the infection erase every file that was made that day.


3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
-----------------------------------------------------------
* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
7. Double click on combo-Fix.exe & follow the prompts.
8. Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall
9. Please restart your PC, check how it's running.
The last time I had something like this a few weeks ago it was like described here. It just kept self replicating. Did you try combofix? That is what fixed it for me.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
I thought this was a thread about prez Obeyme....
Get Root !
Download.com has a couple hundred thousand free downloads. AVG Free 8.5 is a good choice if you can find it. They want you to buy the other program but keep going to AVG Free. I have used it for years and it is better than Norton, and the others I have used.
The most recent updates for MalwareBytes are able to remove this. Be sure you download updates before you run MBytes.
As for Combofix (CF), it may or may not totally remove the infection. When CF produces a log post-run, a lot of times there's additional rogue DLL, DAT, EXE, etc. files to remove, in addition to rogue drivers/services, which may have been missed on the first run.
The only way to get rid of those is to write a custom script in Notepad and then drag the Notepad file into the CF icon on your desktop, so CF can proceed with the custom fix.
I ran MRT and AVG at the same time and AVG removed my trojan/Personal Antivirus virus first because it ran faster. It came up on MRT but MRT could not remove it because I had already removed it with AVG.
Turn off System Restore
AVG, Norton, McAfee, etc. are not powerful enough to totally and completely remove 99% of malicious rootkits, though. Not to mention that the last two are memory hogs.
Love the irony of using BING for that search.
When I used to use Windows, I’d set up my computer specifically so I could just zap the whole install and start over whenever I needed to. I found this much easier than pounding my head against the wall every few months. When Windows started to slow down, or if I had a problem, I’d format the Windows partition on the HD. Then, I’d put the Recovery Disks in and start over from the beginning. Really didn’t take that long to do and I knew that when I was finished, I’d have a healthy computer.
Most of my data stayed on a separate partition anyway, and I always had backup copies of any programs I used regularly.
Those days have long passed since I started using Ubuntu.
I’ve been using Linux for two years now. You can boot up your computer with a Linux “live CD”. It does nothing to your hard drive and you can then save all the important files you really need on memory sticks or an external hard drive. Once you’ve backed up all the data you really want, reinstall Windows. (Or, if you like, stay with Linux and become pleasantly amused at all the hardship others are having when a better choice is free for the taking.)
Just a different problem instead...
The computer, or the girl?
OK, if none of that stuff works, go to www.majorgeek.com and follow their instructions TO THE LETTER for removing malware. Why are they different? Because they walk you through the process (in part using the HijackThis tool) of actually digging into the registry, bootup process, etc. where malware hides and manually ripping it out by the roots. Warning: The process is long and tedious and if you mess up a step, you just might (in fact probably will) trash your computer. It's where I go when all else fails (and I have both trashed and saved my computer on different occasions).
I agree. Eating and drinking lots of beer make lots of problems just disappear.
Depending on the age of your hard drive and type, buy a SATA/IDE-to-USB adapter or an external drive enclosure. Pull your hard drive, plug it into the USB adapter and then plug into a system with the very latest Windows updates, AVG/other antivirus and spyware removal tools.
Once mounted externally, you can treat it as another drive. I start with an AVG scan and finish with a Malwarebytes scan.
There are a few extra “super-hidden” files that you can't get into on a drive that is the boot drive. I typically find these infected files in “Recycler”.
While you have the drive out, go ahead and run a defrag of the drive.
If this is a true rootkit then you will need better tools, but for most things AVG, Windows Defender and Malwarebytes work fine.
There comes a time that you may be well advised to take the system into a local nerdshop and pay them to help.
If you can wait a day, I can build you a BartPE and send it over. FReepmail me if you need it.
Well, “delete computer” and then “get a Mac” and you’re home free... :-)
Then the computer.
Then the girl.
Then the girl again.
Did you turn off/disable Windows Restore before trying to delete the trojan?
If not, you need to do that.
Bookmark
You do know that “I’d hit it” comments makes some people break out in hives don’t you?
But then, that’s probably why you said it.
I wouldn’t hit it because I am married.
Is fantasizing really cheating?
I'd hive it.
I wouldn't hit it because I am married.
Oh, you'd hit it. You just don't want the consequences of hitting it.
But make no mistake.
You'd hit it.
bump for later
In a heartbeat, on her big fat....I mean, no I wouldn’t.

What should I do?
I think you're fibbing. You clearly got on the wrong side of Admin Moderator and got zotted!
Call ServPro. “Like it never even happened.”
Reformatting got rid of the problem and cleaned up two years worth of crap on the hard drive. The system runs faster and I think it was worth it.
As a small business owner who deals with this for a living, I’d say: do a reload. Save all your data on an external drive, then reload all your operating systems and programs. Then update them all.
You may never be able to find out where you got it, but be sure to have antivirus, spyware, and malware detector programs on your system and keep them up to date. If you don’t have all of them, get them.
Of course, you could always call a pro if you don’t have a spare 6 to 8 hours ;)
Many times some viruses will effectively go into ‘hide’ mode and reassert themselves after running a virus cleaner by pulling new code from the web. When you run a virus cleaner, update the cleaner to make sure you have all the latest and greatest virus-killing love, and then disconnect your computer from the internet. Run the virus cleaner. Reboot and run it again. Then reconnect to the internet and run it a third time to see if it still detects the virus.
I do have all of my data on a separate drive from the OS, it’s more the pain of reloading all of the programs. I use 3 different scanners and it beat all of them. Even the remote scanner on Trend Micro doesn’t get rid of it.
Yep, the pain of reloads ... that gets me a lot of work. Least you know enough to know what you’re doing. Good luck... some of those suckers are worse than lampreys.
One little trick the virus writers used almost made me format my hard drive in exasperation. They created a registry entry under a certain user name that would replicate the virus then deleted that user.
I tried all the above (Malwarebytes, ComboFix, etc...) following the directions to the letter and they would do everything but could not delete the registry entry that would replicate the virus. I finally nailed down the hex signature of this virus registry entry, found it in the registry and tried to delete it as the Administrator but it would not delete. I had to change the permissions of the virus entry first, then I was able to delete the virus registry entry. ***DISCLAIMER*** be VERY careful when dealing with the registry. Be sure you have it backed up and be sure you only delete the virus registry key.
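The "fix permissions first, then delete" step the post above describes, written out as an added PowerShell example (this is not code from the thread or from any of the tools named in it). It assumes an elevated session and uses a placeholder key path; the real key is whatever you identified on your own machine, and the script exports it before deleting so a wrong guess can be restored with the .reg file.

```powershell
# Added example, not from the thread. Takes ownership of a registry key that
# refuses deletion, grants Administrators full control, exports a backup,
# and only then removes the key. Must run from an elevated PowerShell.

$HiveRoot = [Microsoft.Win32.Registry]::LocalMachine
$SubKey   = 'SOFTWARE\PLACEHOLDER_SuspectKey'   # placeholder: substitute the key you identified
$Backup   = Join-Path $env:USERPROFILE 'Desktop\suspect-key-backup.reg'
$Admins   = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

# Refuse to continue unless the session is actually elevated; the ACL changes
# below silently fail otherwise and the later Remove-Item would be blamed.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

# Step 1: take ownership. Opening with only the TakeOwnership right works even
# when the key's DACL denies Administrators every other access. A fresh
# RegistrySecurity object with just the owner set changes nothing else.
$key = $HiveRoot.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if ($null -eq $key) { throw "Key not found or not openable: $SubKey" }
$ownerAcl = New-Object System.Security.AccessControl.RegistrySecurity
$ownerAcl.SetOwner($Admins)
$key.SetAccessControl($ownerAcl)
$key.Close()

# Step 2: as the new owner we implicitly hold WRITE_DAC, so reopen with the
# ChangePermissions right and grant Administrators full control, inherited
# by every subkey so the recursive delete below is not blocked part-way down.
$key = $HiveRoot.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
$dacl = New-Object System.Security.AccessControl.RegistrySecurity
$dacl.AddAccessRule($rule)
$key.SetAccessControl($dacl)
$key.Close()

# Step 3: now that the key is readable, export it so the change is reversible.
$regExportPath = "HKEY_LOCAL_MACHINE\$SubKey"
& reg.exe export $regExportPath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup export failed; not deleting $regExportPath" }
Write-Host "Backup written to $Backup"

# Step 4: delete the key and everything under it.
Remove-Item -Path "HKLM:\$SubKey" -Recurse -Force
Write-Host "Removed HKLM\$SubKey"
```

Only the owner and the DACL are touched, and only on the one key tree named in `$SubKey`; the exported .reg file on the desktop is the undo path if the key turns out to belong to something legitimate. If the key reappears after a reboot, the post above is right that the thing re-creating it (a service, driver or scheduled task) still has to be found and removed first.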