Fellows,
How does this “W32:Rootkit-gen[Rtk]” virus work?
One guy from another forum suggested this:
http://forums.techguy.org/malware-removal-hijackthis-logs/712288-solved-win32-rootkit-gen-rtk.html
Those are not a problem. They are just left over from a previous scan of some sort. They are located in the system restore and cannot run unless the system is restored to one of those points. They can be removed simply by clearing all restore points and setting a new one. Follow the steps below to clean out the restore points.
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Restart your computer.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK. System Restore will now be active again.
After that you are good to go.
Cheers.
OT
I am not convinced though, since if it may be a normal Windows operation that is needed to accommodate a new device, then why the need to propagate it across the entire network of PCs?
What I have observed is that when an infected USB drive or Internet website has gained access (autorun feature for USB while simply browsing the site downloads destructive scripts), the virus (Rootkit-gen) suddenly propagates itself across the local network.
It usually propagates this file first:
avast! [037]: File "C:\WINDOWS\System32\x" is infected by "Win32:Rootkit-gen [Rtk]" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090815-0, 08/15/2009
This file (C:\WINDOWS\System32\x) is always there.
If this is a usual device driver file, how come it was named “x” and not “sonyusb.dll” or the typical naming protocol?
Then the file seems to be supported by two other files. These are named with varying names, like gibberish or garbage files. The infected files, or the carriers, are usually picture files like JPG, BMP, PNG and GIF.
avast! [066]: File "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NMKMZ35X\uaigj[1].jpg" is infected by "Win32:Rootkit-gen [Rtk]" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090814-0, 08/14/2009
The infected USB files normally contain this:
avast! [023]: File "D:\Workbook 1.exe" is infected by "Win32:Trojan-gen {Other}" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090812-0, 08/12/2009
avast! [023]: File "D:\Unknown Artist.exe" is infected by "Win32:Trojan-gen {Other}" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090812-0, 08/12/2009
avast! [023]: File "D:\Do not delete.exe" is infected by "Win32:Trojan-gen {Other}" virus. "Resident protection (Standard Shield)" task used Version of current VPS file is 090812-0, 08/12/2009
As you can see from the 3 files above, one is an EXCEL file, the other an MP3 file and the 3rd is a WORD or EXCEL file. The virus overwrites the original file and turns it into an executable file. I believe this one is the primary engine that does the propagation.
Then the "Rootkit-gen" is unleashed with the filename "x" ( C:\WINDOWS\System32\x ). The other supporting file is embedded in JPG or GIF form ( "uaigj[1].jpg" ).
Now, if this is a normal Windows operation, then why the crazy naming style?
Also, the USB was inserted in just one PC but how come the other PCs are suddenly infected, as per AVAST resident scanner?
Does this sudden event only happen (or is the propagation of the "Rootkit-gen" virus excited or enhanced) when a USB is inserted or when an infected website manages to infect the local system?
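As an added example (not code from the post or the linked thread), here is a small Python triage script that parses avast! resident-shield lines in the format quoted above and flags the three structural oddities the post points out: an executable sitting at the root of a removable drive, an extensionless file in System32, and a flagged "image" in the browser cache. The sample lines are constructed from the paths named in the post, and treating every drive other than C: as removable media is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log, modelled on the avast! lines quoted in the post (VPS trailer dropped).
SAMPLE_LOG = r'''
avast! [037]: File "C:\WINDOWS\System32\x" is infected by "Win32:Rootkit-gen [Rtk]" virus.
avast! [066]: File "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NMKMZ35X\uaigj[1].jpg" is infected by "Win32:Rootkit-gen [Rtk]" virus.
avast! [023]: File "D:\Workbook 1.exe" is infected by "Win32:Trojan-gen {Other}" virus.
avast! [023]: File "D:\Unknown Artist.exe" is infected by "Win32:Trojan-gen {Other}" virus.
avast! [023]: File "D:\Do not delete.exe" is infected by "Win32:Trojan-gen {Other}" virus.
'''

LINE_RE = re.compile(r'avast! \[(\d+)\]: File "([^"]+)" is infected by "([^"]+)" virus')
SYSTEM_DRIVE = "C:"   # assumption: C: is the Windows drive, any other letter is removable media
IMAGE_EXTS = {".jpg", ".jpeg", ".bmp", ".png", ".gif"}

def parse_line(line):
    """Return (task_id, path, detection_name) for one resident-shield line, or None."""
    m = LINE_RE.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def classify(path):
    """Heuristics derived from the three file patterns described in the post."""
    p = PureWindowsPath(path)
    ext = p.suffix.lower()
    lowered = path.lower()
    reasons = []
    # 1. "Workbook 1.exe" style: an executable at the root of a non-system (removable) drive
    if ext == ".exe" and p.drive.upper() != SYSTEM_DRIVE and len(p.parts) == 2:
        reasons.append("exe at root of non-system drive (document-lookalike bait)")
    # 2. "System32\x": a file with no extension dropped into the system directory
    if "\\windows\\system32\\" in lowered and ext == "":
        reasons.append("extensionless file in System32")
    # 3. "uaigj[1].jpg": an 'image' in the browser cache that the scanner flags as code
    if "temporary internet files" in lowered and ext in IMAGE_EXTS:
        reasons.append("image in browser cache carrying code")
    return reasons

def triage(log_text):
    """Parse every line and group (path, reasons) pairs by avast detection name."""
    report = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, path, detection = parsed
        report.setdefault(detection, []).append((path, classify(path)))
    return report
```

Running `triage(SAMPLE_LOG)` groups the five hits under the two avast detection names, with each path annotated by the heuristic it tripped, which makes the "USB root exe, then System32\x, then cached image" pattern visible at a glance across several machines' logs.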