need help/information - Rootkit found, ksnhtr

C:\Windows\system32\ksnhtr.sys

When I run a scan, and every time I turn on my computer, I get an Avast message that a Rootkit was found. I click delete, and it’s still there next time I turn on or scan.

I searched my system32 folders and found an item named ksnhtr.sys. Should I delete this item?

Thanks for any help :)


Welcome to the forums, sam1. :)

For information purposes:

Description: Added by the Backdoor.Rustock backdoor rootkit.
File Location: %System%
Startup Type: This startup entry is installed as a Windows NT, 2000, 2003, XP, or Vista service.
Service Name: ksnhtr
Service Display Name: ksnhtr
HijackThis Category: O23 Entry

Have you run a boot-time scan with avast? First do that and if that does not help …

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/
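
As an added example (not part of the original post, and not HijackThis code): a small Python triage pass over the O23 service lines of a pasted HijackThis log, flagging the ksnhtr service described above. The sample log lines, the watchlist and the function names are constructed for illustration.

```python
import re

# Constructed sample lines in HijackThis log format (not from a real log).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe",
    r"O23 - Service: ExampleAV Scanner (exavsvc) - Example Corp - C:\Program Files\ExampleAV\svc.exe",
    r"O23 - Service: ksnhtr - Unknown owner - C:\Windows\system32\ksnhtr.sys",
    r"O23 - Service: Example Updater (ExUpd) - Unknown owner - C:\Program Files\Example\upd.exe (file missing)",
]

# O23 lines read "O23 - Service: <display name> - <owner> - <image path>".
# Assumption: the display name and owner contain no " - " themselves.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def parse_o23(lines):
    """Return (service_name, owner, image_path) for every O23 line."""
    entries = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (O2, O4, ...) are ignored
        name = m.group("name")
        # When display and service names differ, the service name is in parentheses.
        short = re.search(r"\(([^()]+)\)$", name)
        path = m.group("path").replace(" (file missing)", "")
        entries.append((short.group(1) if short else name, m.group("owner"), path))
    return entries

def triage(lines, watchlist=("ksnhtr",)):
    """Flag services named on the watchlist or loading an unowned .sys from system32."""
    findings = []
    for name, owner, path in parse_o23(lines):
        reasons = []
        if name.lower() in watchlist:
            reasons.append("service name on watchlist")
        p = path.lower()
        if owner.lower() == "unknown owner" and p.endswith(".sys") and "\\system32\\" in p:
            reasons.append("unknown owner with .sys image in system32")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```

An empty result does not prove the machine is clean: a kernel rootkit can hide its service from tools running inside the infected Windows session, which is why a boot-time scan comes first.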


Here is some interesting information about this infection…
http://www.bleepingcomputer.com/startups/ksnhtr.sys-23066.html

and here’s a possible way to remove it:
http://www.bleepingcomputer.com/forums/topic131299.html

Don’t know if this works :)

yours
onlysomeone

I did a boot-time scan and that cleared it up. I then did a regular scan which found some stuff as well, and now one of my Windows programs is working properly.

Thanks!!

To be sure you’re clean, I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Glad we could help, sam1. :)

Please come back often, learn more, and maybe help others.