rootkit-gen virus and windows\system32\ files

Forums › Microsoft Windows › rootkit-gen virus and windows\system32\ files

chico44

3 posts

Wannabe Geek

#55944 11-Jan-2010 05:43

Hi Geeks
I used Avast to scan our IBM laptop which has Windows XP, Avast found the rootkit-gen virus to be present in a couple of the windows\system32\ files. Avast gave me an option to delete and wisely or otherwise - I chose to do so. Avast did not then complete the scan but the computer seemed to "trip" onto the windows screensaver. The computer will now reboot, but when it comes to logging on to windows it accepts the user id and the password, then promptly logs off. I have tried rebooting on safe mode using F8, however there is only one option, ie. to use Microsoft Windows XP Professional, so the computer goes back to the logging on to windows window.
Can any one give me some advise as to how to overcome this?
Thanks in advance. Chico44

heretohelp

360 posts

Ultimate Geek

#289053 11-Jan-2010 18:40

I fix this type of stuff all the time its a little easier if you have the equipment.

the way i would start out

stuff needed

1 old pc that you dont mind getting infected (probly one get infected though), or a usb adapter you can put run it as a slave drive. make sure you have avast installed on the second pc. do a boot scan with avast delete any thing it finds.

next run a malware bytes scan on your infected computers hard drive. aslo manually delete any temp files from application data.

plug your hard drive back into your main computer see if you can get into safe mode.
if you carnt.

get your self a windows xp disk. boot from cd to load the disk. when it first comes up it will ask you what you want to do. hi r this will take you to a black screen where you see your drive. if you carnt see it type map then hit enter

see if you can see it then if you can
type fix boot somtimes that brings it back

ither way type

fixboot

then press enter

now type fixmbr

if you have time but probly not a big deal while in there type

chkdsk /p /r

push enter this one will take some time and it will jump % alot maby 30 to 50 to 75 back to 40 just let it run till its finished. not a neceacry step just somthing like to do it helps fix some errors on your hard drive

once done type

exit

press enter

see if you can get into windows yet

if you carnt you may have to do a windows repair reboot pc boot back to windows cd. this time instead of pressing r press f8 i agree it will take you through to the next screen keep going you will eventually have the option to repair your windows. run this. warning you will need your windows xp COA sticker should be stuck on the side of your pc if its not dont bother wit hthis as you wont be able to do it as it needs it.

once done see if you can get into safe mode.

also after pushing the f8 and says which os do you want to boot from keep hitting f8 it may bring it up.

hopfully you can get into safe mode doing so.

if this does not work with our doing a manual clean out on the hard drive while connected to the second pc you may need to reformat if you dont want to take it to a computer store or sombody willing to write a very long post for you. hope this gets you started. let me know how you get on thanks

get a windows xp disk

Hu? did i do that?
16Mb (EDO RAM), K6-II processor, 2Mb of onboard graphics. 32k dial up modem. 12 speed CD ROM. 5¼-inch floppy drive. 500Mb HDD.

heretohelp

360 posts

Ultimate Geek

#289056 11-Jan-2010 18:43

oh forgot to mention make sure you have the same xp disk as what you are running sounds like xp pro. also make sure your windows COA matches your version eg. you have a windows xp pro coa not a windows xp home coa.

if you can get into windows i would suggest doing another malware bytes scan from within windows in safe mode. also do another boot scan within your laptop somtimes it picks up stuff it didnt on the second pc.

make sur eyou turn off system restore as soon as you get into windows cause stuff hides in there

Hu? did i do that?
16Mb (EDO RAM), K6-II processor, 2Mb of onboard graphics. 32k dial up modem. 12 speed CD ROM. 5¼-inch floppy drive. 500Mb HDD.

chico44

3 posts

Wannabe Geek

#289198 12-Jan-2010 10:55

Thanks heretohelp for your detailed instructions, but unfortunately I do not have an old computer I can sacrifice and am not confident about taking inards out of computers. Do have a windows xp professional boot disc though, but the laptop does not look in the CD drive to boot and i can find no way of getting it to do so! Looks like I'll have to take it into a shop.
thanks again

heretohelp

360 posts

Ultimate Geek

#289430 12-Jan-2010 21:18

what is the brand and model number of your laptop. i will see if i can find a manual on the bios or some instructions. often hitting f8 on the laptop as it boots will give you the option to boot from aontehr drive somtimes its f12

failing that you should be able to change it in the bios.

maby delete button f1 or f2 at the right time just as it boots you will be good to get in. on the odd time its space bar or if its ibm they have an ibm button you push to get to bios set up

Hu? did i do that?
16Mb (EDO RAM), K6-II processor, 2Mb of onboard graphics. 32k dial up modem. 12 speed CD ROM. 5¼-inch floppy drive. 500Mb HDD.

chico44

3 posts

Wannabe Geek

#290173 15-Jan-2010 06:40

Hi Again
I got into the BIOS but was unable to change anything, well I thought I had done when the laptop booted and I could hear the disc drive rotating, but that was all it did, the computer still booted from the hard drive, so I have conceded defeat and my other half took it into a local computer shop. they are going to reformat the harddrive, reinstall windows and put malware and a different anti virus software on for us. Thanks once again!

heretohelp

360 posts

Ultimate Geek

#290397 15-Jan-2010 18:47

ah i c. i remove viruses for a living. would of liked to see it. but some are very nasty and do need formating usually a last resort as far as im concernd though, hopfully they back your data up for you. i would still keep with avast or nod32 dont let them sell you anything else like norton or CA.

the best anti malware/spyware is spybot and malwarebytes as far as im concernd.

hope it works out for you. i think that it owuld of been to much for a home user to fix much easier and less stress to take it to a shop hehe.

let me know what programs they isntalled just out of intereast thanks

Hu? did i do that?
16Mb (EDO RAM), K6-II processor, 2Mb of onboard graphics. 32k dial up modem. 12 speed CD ROM. 5¼-inch floppy drive. 500Mb HDD.

trig42

5810 posts

Uber Geek

ID Verified

#290732 17-Jan-2010 17:21

I have seen a few of those rootkits over the last couple of weeks. Avast shouldn't have been able to delete the files in System32 it found (normally one of them is NDIS.sys, and there is another one that windows needs to logon) as they are system files.

I use NOD32 and it finds the infected files, but won't delete them.

What has to be done is the drive putting in another machine, and those infected files replaced with good copies, either directly off the XP CD, or from the \i386 folder. Could also do it from the recovery console. Both methods require a fair bit of knowledge, but are quick and easy to fix (compared to wiping everything on your computer and starting again)