Avast was scanning my memory when it was opening and found a rootkit; trojans were found via an Avast boot-time scan. They were immediately put in the virus chest.
I use Windows XP Home Edition, SP3. RustNT is a rootkit.
So - should I delete the above infected files or not? Or how do I remove them? I had used GMER to detect the rootkit two weeks ago, and I deleted the rootkit service. After that, GMER Rootkit Detector and Remover (gmer.net) didn’t find it. But now the same rootkit file is back. How do I delete it for good? Help is much appreciated.
PS: I don’t think I have a F: drive. I have local disks C: and E:, and Floppy Drive A: and DVD-RAM Drive D:.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
What is your firewall?
It should be capable of blocking unauthorised outbound Internet connections.
Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection, and you should consider a third-party firewall.
The F: was probably a USB flash drive connected to your system?
So your flash drive might well be infected and the batch file, 2fiy.bat, could have been what brought in more guests.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware (on-demand only in the free version): http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right-click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.
2. SUPERantispyware (on-demand only in the free version).
Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.
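As an added illustration (not code from this thread, from Avast, or from the tools named above) of how a flash drive's autorun.inf can launch a batch file such as 2fiy.bat the moment the drive is plugged in: the script below reads an autorun.inf and reports every entry that would run a program, which is what a defender checks before trusting a drive that was attached during a boot scan. The sample autorun.inf is constructed for the example (only the file name 2fiy.bat comes from the thread), and the list of code-bearing extensions is an assumption.

```python
"""Inspect an autorun.inf from removable media and report what it would launch."""
import re
from pathlib import Path

# Extensions that run code when referenced from autorun.inf (assumed list for this example)
CODE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif",
                   ".vbs", ".vbe", ".js", ".wsf", ".hta"}

# Constructed autorun.inf modelled on an infected flash drive; 2fiy.bat is the batch file
# named in the thread, everything else is made up, including the junk line that some
# infected files carry to trip up strict INI parsers.
SAMPLE_AUTORUN_INF = """\
[autorun]
; comment line
zz$%&=@@@
open=2fiy.bat
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=2fiy.bat
shellexecute=2fiy.bat
label=Removable Disk
useautoplay=1
"""

KEY_LINE = re.compile(r"^\s*([^=;\[]+?)\s*=\s*(.*?)\s*$")
# Keys that cause execution: open, shellexecute and shell\<verb>\command
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, tolerating junk lines."""
    pairs = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        m = KEY_LINE.match(line)
        if in_autorun and m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def first_token(command):
    """Extract the program from a command line such as '"x.exe" /q' or 'x.bat arg'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(text):
    """Return (key, program) for every autorun entry that would execute something."""
    return [(key, first_token(value)) for key, value in parse_autorun(text)
            if LAUNCH_KEY.match(key)]


def assess(text):
    """List launch entries whose target has a code extension; empty list means nothing runs."""
    findings = []
    for key, target in launch_targets(text):
        ext = Path(target).suffix.lower()
        if ext in CODE_EXTENSIONS:
            findings.append({"key": key, "target": target, "extension": ext})
    return findings


def scan_drive(root):
    """Read <root>/autorun.inf if present and assess it; returns (found, findings)."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return False, []
    return True, assess(inf.read_text(errors="replace"))


if __name__ == "__main__":
    # Pass a drive root such as F:\ to scan_drive(); here the constructed sample is assessed.
    for f in assess(SAMPLE_AUTORUN_INF):
        print(f"{f['key']} -> {f['target']} ({f['extension']})")
```

The parser is deliberately line-based rather than a strict INI reader, because infected autorun.inf files are often padded with garbage that makes strict parsers give up before reaching the open= line; a clean drive with only label= and icon= entries produces no findings, which is the expected result for ordinary media.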
Usually the F: is associated with external media, i.e. a memory stick (F is the drive letter for my memory stick on the PC).
Did you have anything like this plugged in during the boot scan?
You may need to use one of these:
-Scott-
EDIT: Sorry, I missed that you’d already answered that part, DavidR