
win32:rootkit-gen [rtk] found by avast


  • This topic is locked
16 replies to this topic

#1 zlev11
  • Members
  • 17 posts

Posted 14 June 2010 - 06:41 PM

Tried to run a computer game earlier and got a warning from Avast that said "rootkit blocked" and then said it was "win32:rootkit-gen [rtk]". Ran Malwarebytes and it didn't find it, just two "trojan.agent" viruses. Odd that it only comes up if I try to run a certain game (NASCAR Racing 2003 Season).

I'm pretty sure it came from a pop-up ad, because AVG actually detected the same exact thing right when the pop-up came up (about 3-4 days ago), but since then I have had no issues with it and ran Avast/AVG scans and they both found nothing.

Can someone help me get rid of this? Thanks in advance.

Edited by zlev11, 14 June 2010 - 06:42 PM.



#2 keller
  • Members
  • 56 posts

Posted 14 June 2010 - 08:06 PM

Try running Malwarebytes again and see if the two Trojan.Agent viruses come up again.

#3 zlev11
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2010 - 08:34 PM

OK, did that. They came up again, 3 of them this time. It said "some" of them could not be removed, but I would assume it means all of them; then I rebooted. Scan it again?

#4 keller
  • Members
  • 56 posts

Posted 14 June 2010 - 09:45 PM

Looks like Malwarebytes is having a hard time getting rid of it, which isn't all that uncommon. Chances are there's more than one piece of malware on the computer and Malwarebytes is only getting to some of it. More often than not you need to attack these things with more than one program to get rid of them. Try running SUPERAntiSpyware, which can be downloaded free here. Run that and see if anything different comes up. Try the quick scan first, and be sure to update the virus definitions after you install the program.

#5 zlev11
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2010 - 10:05 PM

OK, installing SUPERAntiSpyware right now. Just for information's sake, I scanned with AVG and it found absolutely nothing.

#6 boopme
  • Global Moderator
  • 73,331 posts

Posted 14 June 2010 - 10:31 PM

It would be helpful to see that MBAM log so we know what you have removed and not. What is your operating system?

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion, which shows MBAM's database version and your operating system.

Rootkits are serious, and some are not removable with these tools.

Do run the SUPERAntiSpyware tool, but a FULL scan in Safe Mode, and it's safer to download from the author's site.
http://www.superantispyware.com/?rid=3324


Next, do a rootkit scan.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in Safe Mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 zlev11
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2010 - 10:34 PM

SUPERAntiSpyware just found a bunch of tracking cookies. Is it possible that both the Trojan.Agent that Malwarebytes finds and the rootkit that Avast detects when I run the NR2003 game are just false positives? But then again, the pop-up (which popped up from megaupload.com, usually a pretty safe site) definitely made AVG detect the same rootkit that Avast is finding. So I dunno.

#8 Orange Blossom
  • Moderator
  • 36,962 posts

Posted 14 June 2010 - 10:40 PM

Hello,

As boopme requested, please post the MBAM log.

Orange Blossom :thumbsup:

#9 boopme
  • Global Moderator
  • 73,331 posts

Posted 14 June 2010 - 10:40 PM

False positives are a possibility; that's why we review the logs.

#10 zlev11
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2010 - 10:59 PM

Ran GMER and partway through the scan I got a blue screen saying something (a .sys file? It flashed up too quickly for me to see it) caused the computer to crash, and then it rebooted. I'll run it again with Devices unchecked.

Here is the MBAM log from the first scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4197

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/14/2010 1:05:33 PM
mbam-log-2010-06-14 (13-05-33).txt

Scan type: Quick scan
Objects scanned: 124988
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Zach\Local Settings\Temporary Internet Files\Softonic-Eng3_EN.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Zach\Local Settings\Temporary Internet Files\udRemove.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by zlev11, 14 June 2010 - 11:03 PM.


#11 zlev11
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2010 - 11:01 PM

And here is the 2nd one:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4197

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/14/2010 7:55:10 PM
mbam-log-2010-06-14 (19-55-10).txt

Scan type: Quick scan
Objects scanned: 125018
Time elapsed: 15 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Users\Zach\AppData\Local\Temp\QS.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qs (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Zach\AppData\Local\Temp\QS.exe (Trojan.Agent) -> Delete on reboot.
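boopme's point in #6 is that the MBAM log tells the helper what was and was not removed, and the two logs above show exactly that gap: the `qs` service key was deleted, but QS.exe in the user's Temp directory could not be unloaded and is only scheduled for delete-on-reboot. The parser below is an added example written for this thread; it is not code from the forum posts or from Malwarebytes. It reads the 1.x log layout seen above, separates remediated items from pending ones, cross-checks the summary counts against the detail lines (a truncated paste shows up as a mismatch), and flags the two indicators visible in these logs: a binary staged in a temp directory and a key under Services (service persistence). The sample log is a constructed excerpt modelled on the second posted log; the indicator heuristics are my assumptions, not MBAM output.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example, not MBAM code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Summary block line: "Files Infected: 2".  Detail block header: "Files Infected:".
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detail line: "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# The only action string in these logs that means the item is actually gone.
REMEDIATED = "Quarantined and deleted successfully"


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def remediated(self) -> bool:
        return self.action == REMEDIATED

    def indicators(self) -> list[str]:
        """Heuristics based on the paths in the thread's logs (assumptions, not MBAM output)."""
        low = self.item.lower()
        hits = []
        if re.search(r"\\temp\\|\\temporary internet files\\", low):
            hits.append("executable staged in a temp directory")
        if self.section.startswith("Registry") and "\\services\\" in low:
            hits.append("service key: persistence via a Windows service")
        if self.section.startswith("Memory Processes") and not self.remediated:
            hits.append("running process resisted termination")
        return hits


@dataclass
class MbamLog:
    database_version: str | None = None
    os_line: str | None = None
    scan_type: str | None = None
    summary: dict[str, int] = field(default_factory=dict)
    detections: list[Detection] = field(default_factory=list)

    def pending(self) -> list[Detection]:
        return [d for d in self.detections if not d.remediated]

    def count_mismatches(self) -> dict[str, tuple[int, int]]:
        """Sections whose summary count disagrees with the detail lines: (claimed, found)."""
        found: dict[str, int] = {}
        for d in self.detections:
            found[d.section] = found.get(d.section, 0) + 1
        return {s: (n, found.get(s, 0)) for s, n in self.summary.items() if n != found.get(s, 0)}


def parse_mbam_log(text: str) -> MbamLog:
    log = MbamLog()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version: "):
            log.database_version = line.split(": ", 1)[1]
        elif line.startswith("Scan type: "):
            log.scan_type = line.split(": ", 1)[1]
        elif line.startswith("Windows ") and log.os_line is None:
            log.os_line = line
        elif (m := SUMMARY_RE.match(line)):
            log.summary[m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            # "(No malicious items detected)" never matches ITEM_RE, so it is skipped.
            log.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return log


def triage(text: str) -> dict:
    """What a helper wants from a pasted log: removed vs. still present, plus red flags."""
    log = parse_mbam_log(text)
    return {
        "database_version": log.database_version,
        "os": log.os_line,
        "remediated": [d.item for d in log.detections if d.remediated],
        "pending": [(d.item, d.action) for d in log.pending()],
        "indicators": [{"section": d.section, "item": d.item, "indicators": d.indicators()}
                       for d in log.detections if d.indicators()],
        "count_mismatches": log.count_mismatches(),
    }


# Constructed sample, modelled on the second log posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4197
Windows 6.0.6001 Service Pack 1
Scan type: Quick scan
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
C:\Users\Zach\AppData\Local\Temp\QS.exe (Trojan.Agent) -> Failed to unload process.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qs (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\Zach\AppData\Local\Temp\QS.exe (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it on a saved MBAM log (`python triage.py` prints the sample; swap in `open(path).read()` for a real file). On the sample it reports one remediated item (the `qs` service key), two pending entries for QS.exe, and no count mismatches; the same path showing up both as a process that could not be unloaded and as a delete-on-reboot file is the pattern that made the helpers ask for a deeper rootkit look rather than another quick scan.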

#12 boopme
  • Global Moderator
  • 73,331 posts

Posted 14 June 2010 - 11:03 PM

Do you have 2 active AVs running, AVG and Avast? This can be a cause of FPs and conflicting results.

#13 zlev11
  • Topic Starter
  • Members
  • 17 posts

Posted 14 June 2010 - 11:24 PM

Well, my main AV has always been AVG. When the pop-up triggered the original rootkit alert on AVG, I did a scan and it didn't find anything, so I installed Avast. But I usually close everything else before I scan with something.

Got a BSOD with Devices unchecked as well, uh oh :thumbsup:

#14 boopme
  • Global Moderator
  • 73,331 posts

Posted 14 June 2010 - 11:36 PM

OK, well, we need to be certain this rootkit is gone. It's not showing in the System Volume in your MBAM logs either. So we need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip GMER.
Let me know if that went well.

#15 zlev11
  • Topic Starter
  • Members
  • 17 posts

Posted 15 June 2010 - 12:19 AM

Actually, I'm running the GMER scan again (posting from another machine) and it is almost done, so I'll post both logs.

Thanks to everyone for the help. It is much appreciated!



