
Diagnosing possible Rootkit infection


  • Please log in to reply
2 replies to this topic

#1 diditagain


Posted 18 February 2017 - 10:07 AM

Yesterday, I searched my computer for viruses, as I normally do, using Avast. It, as usual, found no viruses. I decided to also perform a boot-time scan, and then went to sleep. Earlier today I started the computer and the scan started as scheduled. When it was finished, Avast told me that it found something along the lines of "Win32.Rootkit-gen [rtk]" in directory $Recycle.bin which was "moved to virus chest". Having received a rootkit on another computer about 2 years ago, I downloaded the same utilities I used back then (Trend Micro anti-rootkit, MBAR, Spybot S&D, TDSSKiller, McAfee Rootkit Remover), which all showed the computer was clean. While I think I'm still infected by something malicious, I've noticed no adverse effects from the infection at all - no toolbars, popups, account hijackings etc.

How should I continue to make sure whether I'm infected or not?

Thanks a lot for taking your time to help me.


Edited by diditagain, 18 February 2017 - 10:08 AM.


#2 diditagain


Posted 18 February 2017 - 11:18 AM

So I did an AdwCleaner scan now, which revealed 33 threats, most of which were false positives. One program that stood out though was Sweet Page, which apparently is some sort of search engine adware like Babylon. Could this have some sort of connection to rootkit infection? (Like I said before, I've never had any problems using the computer, and never been redirected to this Sweet Page website.)



#3 diditagain


Posted 19 February 2017 - 06:09 AM

And some more info:

The threat currently contained in the virus chest is named $RS0NNP4.exe. I uploaded it to VirusTotal (https://virustotal.com/sv/file/b8556885a6927c6c310ee3ac8f3a930b8cd33e387eb81a5b9eb58b3a0b5127e8/analysis/1487501882/), which is showing an 18/57 detection ratio. Apparently, the file's alternative name was "Extra Bass", and it also had a custom icon which I've never seen before. Anyway, I made Avast re-quarantine the copy of the file again. I also ran a few other scans in the meantime - NPE and something specifically designed to remove Rootkit.Zeroaccess. Both came back with no infection. I'm starting to think the original detection was either a false positive or some type of harmless remnant from an earlier infection. (Or I've met the most intelligent virus I've ever encountered.)
