Win32:Rootkit-gen[Rtk] virus removal

Fellows;

How does this “W32:Rootkit-gen[Rtk]” virus work?

One guy from another suggested this;
http://forums.techguy.org/malware-removal-hijackthis-logs/712288-solved-win32-rootkit-gen-rtk.html

Those are not a problem. They are just left-over from a previous scan of some sort. They are located in the system restore and cannot run unless the system is restored to one of those points. They can be removed simply by clearing all restore points and setting a new one. Follow the steps below to clean out the restore points.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

  1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

  2. Restart your computer.

  3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

System Restore will now be active again.

After that you are good to go.

Cheers.

OT

I am not convinced though, since if it may be a normal Windows operation that’s needed to accommodate a new device, then why the need to propagate it across the entire network of PCs?

What I have observed is that when an infected USB drive or Internet website has gained access (autorun feature for USB while simply browsing the site downloads destructive scripts), the virus (Rootkit-gen) suddenly propagates itself across the local network.

It usually propagates this file first:

avast! [037]: File "C:\WINDOWS\System32\x" is infected by "Win32:Rootkit-gen [Rtk]" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090815-0, 08/15/2009
This file (C:\WINDOWS\System32\x) is always there.

If this is a usual device driver file, how come it was named “x” and not “sonyusb.dll” or the typical naming protocol?

Then the file seems to be supported by two other files. These are given varying names that look like gibberish or garbage. The infected files, or the carriers, are usually picture files like JPG, BMP, PNG and GIF.

avast! [066]: File "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NMKMZ35X\uaigj[1].jpg" is infected by "Win32:Rootkit-gen [Rtk]" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090814-0, 08/14/2009

The infected USB files normally contain this:

avast! [023]: File "D:\Workbook 1.exe" is infected by "Win32:Trojan-gen {Other}" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090812-0, 08/12/2009

avast! [023]: File "D:\Unknown Artist.exe" is infected by "Win32:Trojan-gen {Other}" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090812-0, 08/12/2009

avast! [023]: File "D:\Do not delete.exe" is infected by "Win32:Trojan-gen {Other}" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090812-0, 08/12/2009


As you can see from the 3 files above, one is an EXCEL file, the other an MP3 file and the 3rd is a WORD or EXCEL. The virus overwrites the original file and turns it into an executable file. I believe this one is the primary engine that does the propagation.

Then the “Rootkit-gen” is unleashed with the filename “x” ( C:\WINDOWS\System32\x ). The other supporting file is embedded in JPG or GIF form ( “uaigj[1].jpg” ).

Now, if this is a normal Windows operation, then why the crazy naming style?

Also, the USB was inserted in just one PC, so how come the other PCs are suddenly infected, as per the AVAST resident scanner?

This sudden event only happens (or the propagation of the “Rootkit-gen” virus is excited or enhanced) when a USB is inserted or when an infected website manages to infect the local system?

Download HiJackThis and post a log here.

I suggest you run MBAM.

Result of the MALWAREBYTES scan on our PC:

Malwarebytes' Anti-Malware 1.40
Database version: 2629
Windows 5.1.2600 Service Pack 2

8/15/2009 8:55:21 PM
mbam-log-2009-08-15 (20-55-21).txt

Scan type: Quick Scan
Objects scanned: 108939
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Nonetheless, the AVAST full scan was undertaken before this.

The point here now is, there’s no malware that AVAST was not able to see.

Also, as per my observation, AVAST resident scanner is weak against a persistent attack.

When the PC is bombarded with attacks, the shield is penetrated.

But a full scan easily rids the virus.

May I know how this particular virus works so I better understand the strategies I need to implement to mitigate the attack?

I see you are still running Windows Service Pack 2, so you should install Windows Service Pack 3, which has been available for over a year and contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Download and install:
User Profile Hive Cleanup Service:
Brief Description
A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

One guy from another suggested this;
http://forums.techguy.org/malware-removal-hijackthis-logs/712288-solved-win32-rootkit-gen-rtk.html

This one didn’t work.

The W32:Rootkit-gen is still appearing in the resident scan messages. A full scan showed the infected file and it was deleted. The resident scanner either failed to delete the file, or one of many simultaneous attacks managed to break through the shield and got in somehow.

Fellows;

I updated the first post.

Please review this post to better understand the case.

I have installed SP3 and Internet Explorer 8.

I will update this thread as soon as I get a noticeable improvement.

As for the links, I’ll check.

It seems like SP3, IE8 and Adobe 9 aren’t enough still.

I have now tried disabling System Restore.

I noticed that in one case while I was browsing Microsoft’s own site (for the updates), the Rootkit-gen virus suddenly got excited.

Any ideas, fellows?

Please help.

(1) Would it be okay if you’ll attach a log file of Hijack This? I’ll try my best to diagnose anything I could find in the logs.

(2) Moreover, if you are experiencing problems with autoplay/autoruns in Flashdisks you may do any of these:

(1) Install Autorun Eater (http://download.cnet.com/Autorun-Eater/3000-2239_4-10752777.html?tag=mncol) or Flash Disinfector (http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/)

(2) Disable autoplay to all drives via:
   1. Start Menu
   2. Run
   3. gpedit.msc
   4. Administrative Templates \ System
   5. You'll find Turn off Autoplay
   6. Double click it and select Enabled
   7. Click OK.

(3) Regarding Adobe Reader 9, A.R.9 is very notorious for being exploited through security holes. I would suggest other free and significantly lighter-on-resources software like Foxit Reader and PrimoPDF.

Thanks for the reply.

I have observed that it’s not just the USB as the source. Websites, including Microsoft’s (or the system in between), aren’t as clean as they seem.

The one embedded in USB seems to be more destructive though. It propagates faster.

Thanks for the info on the PDF reader. Which among the two alternatives is better, by the way?

As for the Hijack tool, I’ll try tomorrow. I have to go and get a good sleep. I’m exhausted already.

By the way, I got a Rootkit remover from another antivirus vendor. It got some which the AVAST AV seems to have overlooked.

I’m using both in cleaning up the PC. I believe both are not enough still. I’ll try to get the Hijack tool tomorrow. And the autorun settings. My boss actually advised me on that. I will surely add that task too.

Thank you so much for your reply.

By the way, the AVAST Resident scanner can see these Rootkit-gen attacks.

But why can it not delete the infected files right from there?

Only a manual full scan can delete the virus.

Why is this?

I also got the same Rootkit and the same problem - the Scanner detects it, then I click Delete, only to have the message appear again some minutes later, which indicates the problematic file is not getting deleted…

Also be sure to check c:/windows/tasks. My copy of the rootkit put a task in there to run a randomly named file (e.g. kjdjkhda.exe) every hour. Avast reported the virus every hour in a file of another random name (oshelai.dll) in my windows\system32 directory.

I actually think Avast deleted the virus but it gets recreated every so often. The only ill effect that I experienced from the virus is that I could not browse to Microsoft or any AV sites such as Symantec, avast, trendmicro.

The file is also in my system restore but that’s easy to get rid of as people have discussed.

This virus is on critical systems (8 computers) of mine that cannot be shut down easily. They have had this virus for over a year. I have seen no other ill effects than the ones described above.

I only connect to the Internet to download Windows updates, then I disconnect the network wire to the router. I got this from a USB drive >:(

Mike Smith

I’m posting in this thread because I think this virus may have mutated. Same virus (win32:rootkit-gen [RTK]), but with different symptoms. Here’s what happened.
BTW, I’ve been using Avast free for years with zero problems.

Yesterday (10 July 2010), I was doing a Google search on “Mac vs PC for audio…”
I clicked approximately the 5th link down on results (Avast 5 free was running at the time), and a strange screen appeared… then a security type screen appeared and began scanning my system. Not avast, and this wasn’t from anything installed on my system…

A little green and white shield also appeared in my system tray, and I lost all control of the computer. All it would let me click was the “security” program that had appeared.

When I tried to bring up task manager (to try to find and kill the process), I got a windows (type) alert… something like:
“cannot open file. taskmangr.exe is infected. Do you want to activate your virus software?”

It also brought up a java pop-up in my system tray (that java was running).

I did manage to bring up avast (from the sys tray), but it said in red letters " your computer is not protected" or something like that…

Basically, all of my shields had been turned off, and I could not restart them. When I clicked “FIX NOW”, or “turn on” (for a shield) it had no effect. Nothing happened.

I pulled my (USB) wireless adapter to disable the network, and did manual power down and reboot. When my system came up, the virus was still there controlling my system.

After a while, I was able to somewhat disable the virus by doing the following.

I booted (XP) in safe mode, and uninstalled Java (I figured the virus may need it, since Java had come up).
I also brought up the startup configuration tool and disabled most of the startup files.

After that, when I re-booted I was able to control my system again, and ran an Avast 5 boot scan, + a Panda on-line scan, + the MS malicious software removal tool.
None of the scans produced a virus hit at that time.

Also, the problems with Avast 5 continued… (I attribute that to changes that the virus made)

Avast 5 said that my license was expired… (I hit the “register now” button, and it would say “retrieving information”, but nothing would happen. It just returned to the same screen.)

I did do an uninstall / re-install of Avast 5. When I first re-installed, I was able to enter my license number, and the text dialogue said “Thanks for registering!”.
But then it immediately went back to the previous behavior saying that my license is expired.
I still could not turn on any shields (in Avast 5)… and could not connect to the Avast server to update virus definitions (or enter my license #)

I did restore my firewall to default settings as well (thinking that the virus may have messed with them), but it did not help.

So, I uninstalled Avast 5 and installed 4.8.
The problem I had with 4.8 is that it also could not connect for virus updates (it just said “cannot connect to server”).

All this was last night.

This morning, I enabled each of my startup files one by one, and identified the virus manually (gibberish.exe). Then I did a windows search and moved the virus to a folder on my desktop so it would not be executed when the system starts.

Then I started researching the “cannot connect to server” issue that avast was having.
What I found is that the virus had changed my proxy settings in IE options to use a proxy to connect to the internet, but because I was browsing with Firefox (settings in Firefox were not changed) I had not noticed it.
When I changed my settings in IE back to NOT use a proxy, Avast 4.8 was able to connect to the update server.
After the update was done, I right-clicked the virus file to look at its properties. It was then that Avast 4.8 sounded the malware alarm and moved the virus to the chest.

My concern here (and the reason I’m posting) is that I’m not sure I have completely removed the virus.
Since it seems to have mutated, I’m worried that there may be parts of it left on my system which could be doing their own damage without my knowledge.

It should be noted that this virus changed my proxy settings, and somehow rendered Avast useless. It also messed with my Avast expiration date somehow.
I haven’t seen those symptoms reported in the past in association to this virus, so this may be something new.

I also am concerned that this virus went through Avast like butter. It took immediate control of my system, and I’d done nothing except click a link in my Google search results. That doesn’t leave me real confident that Avast is on this problem, though I do feel better that Avast found it after the definition update.

I would appreciate any information or ideas that someone may have on this.

Thanks very much.
-Haze