Running ADM on my LAN and it found Win32:root Kit-gen on a few machines. It adds to chest but then upon next scan, it finds it again. A few questions:

1. How can I figure out how this Trojan got in?
2. What are the steps to remove it as aVast cant seem to get rid of it

I found another thread about using Malwarebytes and HiJackThis on here. On other searches, I found:

Disable System Recovery
Run boot scan
Move to chest infected files
Enable system Recovery

Proved to not help matters as it keeps coming back. I also noticed that the above machines had a “AT1” scheduled task, which is not a “valid” task setup by me/other IT members, so it was removed.

Any help would be great!!

have you tryed mbam?
www.malwarebytes.org

Currently I am running a boot scan on my machine…ran overnight and when I got in this morning, I was not able to add system files to chest due to non_responsive (USB) keyboard. Once this scan is completed, I will run that.

Malwarebytes found a few items on another machine infected (Windows 2000). Let the program delete them. Rebooted and ran a scan on the machine…same Win32:RootKit appeared.

One a few other XP Pro machines I did:

Disabled Checkpoint
rebooted
reenable Checkpoint
scan
Win32:RootKit came back

Not really getting much of any progress…any suggestions?

How to remove please…

What is the location and name of the files?

See attached

I think you need help from Essexboy

Follow this guide from Essexboy and post the log`s
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

try this tool

Ran anti-root kit yesterday…found alot of hidden items, but nothing that was marked as to delete. Nor any in the directory where root kit gen is “supposed” to be. I will now follow the Essexboy post/tasks.

See attached

you forgot to update Malwarebytes before you scanned, Malwarebytes have several daily updates

Essexboy have been notified

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4711

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/28/2010 11:25:46 AM
mbam-log-2010-09-28 (11-25-46).txt

Scan type: Quick scan
Objects scanned: 195034
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OK never worked a LAN before so I will take baby steps
First I would like you to run the following programmes on the prime system. And any AT*.job is malware

http://www.geekstogo.com/misc/guide_icons/gmer.png
GMER Rootkit Scanner - Download - Homepage
[] Download GMER
[] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED …
[] IAT/EAT
[] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg

Click the image to enlarge it

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*]Save the log where you can easily find it, such as your desktop.
CautionRootkit scans often produce false positives. Do NOT take any action on any “<— ROOKIT” entries
Please attach the report into your Post.

THEN

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Started to run GMER, but after 4 hours I had to use my machine. I will let this run over night tonight and then continue onto the next task. Much thanks for the guided help.

ark.txt

OTS part 1

OTS part 2

Had to split the OTs file…size more than allowed.

Again primary system only

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is the OTS_log and combofix log.