Recently I found an executable file, it was part of a flash game that my friend gave me, a long time ago. Long story short, that executable was run several times over the past 2 years. After it was found to be infected (I think it was a "virut-f" through avast!), I went ahead and tried to find and remove all viruses on my laptop. Of course, after everything was clean, I was still paranoid.
GMER found tons of ntdll.dll hooks to just random processes, catchme.exe found an ntdll code modification. I've tried all the mainstream rootkit removers, most of them failed to detect anything. Actually most couldn't get their antirootkit driver installed.
Things I've tried:
-Malwarebytes Antirootkit (rootkit driver couldn't load)
-Roguekiller (rootkit driver couldn't load)
-McAfee Rootkit Remover (rootkit driver couldn't load)
-Sophos Virus Removal Tool
-Vba32 Antirootkit (rootkit driver couldn't load)
-RKill (rootkit driver couldn't load??)
-aswMBR (rootkit driver couldn't load??)
I might just give up and do a complete reformat, but it would be a hassle to back up. Can anyone help find this stupid rootkit?
ntdll.dll in system32
ntdll.dll in syswow64
detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12,
ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48,
ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51
Initialization error
The rootkit seems to have avoided all removal attempts. I've tried to run in safe mode to remove the rootkit but it's not detected in safe mode. Can rootkits block kernel-mode antirootkit drivers? And also disable themselves in safe mode?
Edited by greengobbler, 30 October 2014 - 03:53 AM.