How do I remove rootkits? Such as system-modifying ones of high danger?

Avast always detects 3 of them on the C drive, and I don't quite know what to do…

Should I reformat, I guess? If so, is there a way to just reformat the C drive (since I've got stuff on the D drive) or not?

Or is there a possibility to get rid of these rootkits?

I've got Windows 7 64 bit and I use Avast free, Malwarebytes free and the Win7 firewall (should I try Comodo?).

Avast detects them - Malwarebytes doesn't.

Thanks and please help.

Edit: Here are the reports/logs, which I hope will be of help to essexboy:

Avast! detection report: http://www.mediafire.com/?ivc0o1wrnsid3t0

Malwarebytes log (safe mode without network): http://www.mediafire.com/?9m9po9yh1erq707

OTS log (safe mode without network): http://www.mediafire.com/?wrdsrgr343rdimd

No response yet from anyone?

Essexboy is notified, so you just have to wait…

He is usually in here from 8:00pm to 11:59pm UK time.

If you don't have the time to wait, try the Geeks to Go forum or the Malwarebytes forum.

Ah thx :slight_smile:

Hi Mo0nwalker,

Of course it is an interesting question, but a much more important question would be how to prevent rootkits from landing on your system; an ounce of prevention is worth a pound of cure, as they say.
Limiting a full account will help enormously towards that goal; run an install inside the avast sandbox whenever in doubt, shun dubious downloads and pre-scan others. Use EMET on the software you use.

Regularly check your OS and third party software for the latest updates and upgrades (use secunia.com/vulnerability_scanning/online/ ). Whenever using a browser, use in-browser security (malicious script blocking etc.) (NotScripts, BetterPopupBlocker, Blocker 0.2 and NOREF extensions installed in the GoogleChrome browser, for instance). Use avast fully updated, MBAM and SAS non-resident, and a firewall. If you are into P2P-ing, an activity that is frowned upon by certain parties, be extra careful and run a bootable AV CD to double check every now and then. But staying clear of unsafe Internet practices might be the best piece of advice there is to prevent your original question from even having to enter your head. So watch your clicks and stay safe and secure in the digital world,

polonus

P.S. For reading on your initial question, see this link:
http://technet.microsoft.com/en-ca/sysinternals/bb897445.aspx by Bryce Cogswell and Mark Russinovich
Version 1.7 of that software downloads from here: http://www.sysinternals.com/Files/RootkitRevealer.zip


Nothing jumps out at me from that which would indicate either a false positive or a rootkit. Let's clear the rootkit option first.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

So should I disable Avast, MBAM and the Windows 7 Firewall?

How do I disable them? I just right-clicked on the Avast icon and nothing looks to be "turning it off" there really.

Nope, just right click the orange blob - select shield control - disable for one hour. Remember to reset it when ComboFix finishes doing its thing.

Do not let Avast sandbox anything during the run.

The thing is that I use the Norwegian language version, so all I can really say is: is it under the first option you get when you right click, under open? If so, which option do I choose once I click that? I get to a new window with two options then.

Or what I mean to say is that I don't get any options that say "disable shield" or such when I right click - this is what I get when I right click, which is the same I get for MBAM and such:

Oh, never mind, now I understand, sorry!!!

BTW, here is a link to the OTS (without safe mode) if that helps: http://www.mediafire.com/?cm6rh789c8u1g1h

Will be posting the Comodo log very soon!!! :slight_smile:

Yes, I'm finished with one; I disabled Avast like you said and ran it while I was away a bit, saw that my pc got restarted and that when I logged on it would create the log, so I'm attaching it now, please comment.

BTW, is it possible to scan with Avast or do I have to delete ComboFix? Just wondered.

No, you can restart Avast now - I will look at the log and get back to you soon.

Also, could you try the net and see if the alerts have gone?

What do you mean by the net?

Sorry, is Avast giving alerts anymore when you are online, or at any other time?

Nope, not on the sites I visit anyway.

And I scanned recently, found nothing, so for now it looks good I hope… I'll reply if it finds something, but this looks good for now. And you haven't seen anything suspicious in the logs yet, have you?

Well, in that case, it's fine at this moment I hope! ;D

BTW, should I start using Firefox, since it has NoScript unlike Chrome?

BTW, should I start using Firefox, since it has NoScript unlike Chrome?
Support Norwegian software..... use Opera ;D

hahahaha lol, no, seriously? :o

Moonwalker,

GoogleChrome has the NotScripts extension and that is very easy to handle. Get it here:
https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn

And if you want to use Opera because of what Pondus told you, it has it too:
https://addons.opera.com/addons/extensions/details/notscripts/1.1.0/?display=en

polonus

I used the Google one with NotScripts, and I already have AdBlock and such, so am I safe?

In regards to Avast (free), MBAM (free) and the Win7 firewall too, of course. Or should I try Comodo firewall?

Like, is the Windows 7 built-in firewall good or should I go further?

Hi Mo0nwalker.

No, that is ample protection. Don't you know that sometimes users can have over-protection and that will work against them?
You just should apply safe browsing habits, for instance do not go for torrents laden with questionable and possibly additional malcode, such as keygens, software without the right certification etc.
You know from intuition where you can get infected; that much you have already learned here.
Also read what I have posted here: http://forum.avast.com/index.php?topic=37542.msg660804#msg660804
So when you are on the path to SafeHex habits, well, stay on that path, come here more often and try to help this community. A belated welcome, Mo0nwalker, to these great forums,

polonus aka Damian