Need help removing a rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by flanneldude, Apr 28, 2006.

  1. flanneldude

    flanneldude Private E-2

    Hi everyone, a newbie here needing help.

    I'm pretty careful about using antivirus software (AVG, CA online scan, Microsoft online scan) and Zone Alarm, but both RootkitRevealer and F-Secure Blacklight say I have the sccfg.sys rootkit. I have tried to find the file (I have XP and I did as the FAQ here says, making it so ALL hidden files, including system files were included in the search) and it's not coming up. I was hoping to find the file, delete it, and create a directory so it couldn't load up when I rebooted.

    I tried a couple of Sony rootkit removers, including ARIES, but the removers said I didn't have the file they were looking for.

    I'd appreciate any advice before saying the heck with it and deleting everything and starting over.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    If you have completed the READ & RUN ME and still need help, you should follow the directions in the READ ME. That is, attach the two logs from step 6 and then install HijackThis as requested in step 7 and attach a HijackThis log.

    It would also be helpful if you attached the logs from Blacklight and RootkitRevealer.

    Do the below files also exist:
    C:\hook.log
    C:\setup.iss
     
    Last edited: Apr 28, 2006
  3. flanneldude

    flanneldude Private E-2

    I've gone through the gauntlet of the antivirus and crapware software recommended (HJT will confirm) and only found cookies to remove. Attached are pics of the HJT and the RootkitRevealer and Blacklight scans. Blacklight changes the file name, but it comes back every time I reboot. Again, I've tried to delete the file, making Windows system files visible, and create a new directory, but I can never find the file.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must follow directions! Attach the TEXT log files from step 6 and also a HijackThis log in text format as requested in step 7. Also attach text logs from Blacklight and RootKitRevealer. Screen snapshots are not useful or wanted.

    Here is some info on how to run BlackLight and get a log!

    Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here.

    Here is how to use Rootkit Revealer!
    1. Please download and unzip Rootkit Revealer to your desktop.
    2. Please leave the defaults set as they are to:
      • Hide NTFS Metadata Files: this option is on by default
      • Scan Registry: this option is on by default.
    3. Launch rootkit revealer on the system and press the Scan button.
    4. RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.
    5. The log can be very large; please edit out the items in the following folder, if they appear in the log, before attaching it: C:\System Volume Information.
    6. Please attach the log here in this thread in your next post.
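
The trimming step above (removing C:\System Volume Information entries before posting a RootkitRevealer log) can be done with a small script rather than by hand. The following is an added example, not code from this thread or from Sysinternals or MajorGeeks. It assumes the log is tab-separated with four columns (path, timestamp, size, description); the sample lines are constructed to mimic that layout and are not from a real scan. Besides trimming, it summarises the discrepancy types and lists every entry related to a given name, which shows why a driver reported as "Hidden from Windows API" will never turn up in an Explorer search even with hidden and system files shown.

```python
"""Trim and summarise a RootkitRevealer-style log before posting it.

Added example for this thread; not a MajorGeeks or Sysinternals tool.
Assumption: the log is tab-separated with four columns:
    path <TAB> timestamp <TAB> size <TAB> description
"""
from collections import Counter

# Constructed sample lines in the assumed four-column layout (not real scan output).
SAMPLE_LOG = "\n".join([
    "C:\\WINDOWS\\system32\\drivers\\sccfg.sys\t4/28/2006 10:12 AM\t12.00 KB\tHidden from Windows API.",
    "HKLM\\SYSTEM\\ControlSet001\\Services\\sccfg\t4/28/2006 10:12 AM\t0 bytes\tHidden from Windows API.",
    "C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP12\\A0001.exe\t4/27/2006 9:00 PM\t48.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-1234ABCD.pf\t4/28/2006 10:30 AM\t8.00 KB\tVisible in Windows API, but not in MFT or directory index.",
])

# Folder prefixes whose entries are noise for a helper reading the log (per step 5 above).
DEFAULT_EXCLUDES = ("C:\\System Volume Information",)


def parse_log(text):
    """Split log text into entry dicts; malformed lines are kept and flagged, never dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            # Keep the line visible so nothing from the scan silently disappears.
            entries.append({"path": line, "timestamp": "", "size": "", "description": "UNPARSED"})
            continue
        entries.append({
            "path": parts[0],
            "timestamp": parts[1],
            "size": parts[2],
            "description": "\t".join(parts[3:]),  # description may itself contain tabs
        })
    return entries


def filter_entries(entries, exclude_prefixes=DEFAULT_EXCLUDES):
    """Drop entries whose path starts with one of the excluded folders (case-insensitive)."""
    lowered = tuple(p.lower() for p in exclude_prefixes)
    return [e for e in entries if not e["path"].lower().startswith(lowered)]


def summarize(entries):
    """Count entries per discrepancy description, e.g. how many are hidden from the Windows API."""
    return Counter(e["description"] for e in entries)


def find_related(entries, needle):
    """Return paths (files and registry keys alike) that mention the given name."""
    needle = needle.lower()
    return [e["path"] for e in entries if needle in e["path"].lower()]


def trim_log(text, exclude_prefixes=DEFAULT_EXCLUDES):
    """Produce the trimmed log text to attach, in the same tab-separated layout."""
    kept = filter_entries(parse_log(text), exclude_prefixes)
    return "\n".join(
        "\t".join((e["path"], e["timestamp"], e["size"], e["description"])) for e in kept
    )


if __name__ == "__main__":
    kept = filter_entries(parse_log(SAMPLE_LOG))
    print(trim_log(SAMPLE_LOG))
    print(dict(summarize(kept)))
    print(find_related(kept, "sccfg"))
```

Run it with a real log by replacing SAMPLE_LOG with the file's contents; the trimmed output is what gets attached, and the related-entries list shows both the driver file and its service key, which is why removing only the file tends not to survive a reboot.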
     
