MollyBloom
Joined: 21 Jul 2006 Location: James Joyce's pants
Posted: Mon Jun 06, 2011 4:37 pm Post subject: killing a rootkit (IRP hook)...ideas?

AVG keeps on finding this rootkit (IRP hook) that I can't seem to get rid of. I have AVG anti-rootkit, but it says there's no threat after a scan, which isn't true. Any ideas on how to attack it?
 |
Swampfox10mm
Joined: 24 Mar 2011
Posted: Mon Jun 06, 2011 7:20 pm

Malwarebytes.org free. All the way, baby!
 |
Xylox
Joined: 09 Jul 2010
Posted: Tue Jun 07, 2011 1:28 am

I found this using Google. I don't really know much about rootkits or whatever, but it looks like these guys might. It seems a little daunting, but may be worth a look.
http://tweaks.com/forum/Topic4303-29-1.aspx
 |
MollyBloom
Joined: 21 Jul 2006 Location: James Joyce's pants
Posted: Tue Jun 07, 2011 3:37 am

Swampfox10mm wrote:
    Malwarebytes.org free. All the way, baby!

I'm using that as well. Isn't doing a damn thing.
 |
Swampfox10mm
Joined: 24 Mar 2011
Posted: Tue Jun 07, 2011 4:43 am

Post about it on the Malwarebytes forum. Those guys will help you with it, and set up definitions for it very quickly. They do good work.
Another thing I used to use (been a while though) is a program called BHR. I got it from here:
http://download.cnet.com/Browser-Hijack-Recover-BHR/3000-8022_4-10316141.html?tag=mncol;2
A bit dated, but might work for you (not sure it would on Windows 7). Worth a shot, anyway.
 |
MollyBloom
Joined: 21 Jul 2006 Location: James Joyce's pants
Posted: Wed Jun 08, 2011 5:25 pm

Thanks for the tips! I'll try them and get back to you about it.
 |
Swampfox10mm
Joined: 24 Mar 2011
Posted: Wed Jun 08, 2011 7:39 pm

Dump AVG and try Avast for a while. I bet it is a false positive. You can test individual files at Virustotal.com
 |
Mr. Peabody
Joined: 24 Sep 2010 Location: here
Posted: Thu Jun 09, 2011 1:19 am

Just curious, how did you acquire this rootkit?
 |
MollyBloom
Joined: 21 Jul 2006 Location: James Joyce's pants
Posted: Thu Jun 09, 2011 5:26 pm

AVG finds 28 rootkits with this message and path:
"";"C:\WINDOWS\system32\drivers\AnfdTDnt.sys";"IRP hook, \Driver\Tcpip IRP_MJ_FILE_SYSTEM_CONTROL -> AnfdTDnt.sys IAnfdTDSystemInformation+0x5E7";"Object is hidden"
However, the file is not there because the program (Ahn Lab) was deleted.
I'm not sure how I got it. It's my work computer, so God knows who is using it and what junk they have on the USBs they are putting into the drive, or what sites they are going to or what stuff they are downloading. I just found out that my classroom is being used as an after-school classroom, so now I can't keep it locked by password.
Swampfox: I downloaded BHR, but the rootkit still came up on the daily scan.
I'll try Avast and see if that works.
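A triage script for the kind of finding quoted in the post above, added here as an example; it is not code from the thread, from AVG or from AhnLab. It takes the AVG record as posted (copied into $record as a constructed string) and checks the same driver from three independent views: the file system through the normal Win32 API, the loaded-driver list the service control manager reports through WMI, and the driver's service key in the registry. Only built-in cmdlets and .NET calls are used, so it runs on a Windows 7 box without any of the scanners mentioned; the variable names and the CSV header names are the example's own assumptions.

```powershell
# Added example: triage an AVG "IRP hook ... Object is hidden" finding on the affected box.
# Run from an elevated PowerShell prompt. Built-in cmdlets and .NET only (Windows
# PowerShell 2.0 and later). $record is the detection line from the post, pasted verbatim.

$record = '"";"C:\WINDOWS\system32\drivers\AnfdTDnt.sys";"IRP hook, \Driver\Tcpip IRP_MJ_FILE_SYSTEM_CONTROL -> AnfdTDnt.sys IAnfdTDSystemInformation+0x5E7";"Object is hidden"'

# AVG wrote quoted, semicolon-separated fields; the header names are this example's own.
$f    = $record | ConvertFrom-Csv -Delimiter ';' -Header 'Unused', 'Path', 'Detail', 'Status'
$path = $f.Path
$name = [System.IO.Path]::GetFileNameWithoutExtension($path)     # AnfdTDnt
"Flagged driver : $path"
"Hook detail    : $($f.Detail)"
"Scanner status : $($f.Status)"

# 1. File system view. -Force also returns files marked hidden/system, which is how a
#    stale but harmless file would show up; a rootkit hiding the file hides it from this
#    API too, which is what a scanner means by "Object is hidden".
if (Test-Path -LiteralPath $path) {
    $item = Get-Item -LiteralPath $path -Force
    "On disk        : $($item.Length) bytes, attributes $($item.Attributes), modified $($item.LastWriteTime)"
    # SHA-256 via .NET so this works without Get-FileHash (added in PowerShell 4.0);
    # search virustotal.com for the hash before uploading the file itself.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    "SHA-256        : $hash"
    # An unsigned kernel driver is a red flag on its own.
    "Signature      : $((Get-AuthenticodeSignature $path).Status)"
} else {
    "On disk        : not visible at $path"
}

# 2. Kernel view. A driver can be loaded even when its file is hidden or already gone;
#    Win32_SystemDriver reflects what the service control manager knows, independent of
#    any directory walk.
$drv = Get-WmiObject Win32_SystemDriver | Where-Object { $_.Name -eq $name -or $_.PathName -like "*\$name.sys" }
if ($drv) { $drv | Select-Object Name, State, StartMode, PathName | Format-List }
else      { "Loaded driver  : none named $name" }

# 3. Registry view. A service key left behind by an uninstaller is one common reason a
#    scanner keeps reporting a driver whose file has already been removed.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
if (Test-Path $key) { Get-ItemProperty $key | Select-Object ImagePath, Start, Type | Format-List }
else                { "Service key    : none at $key" }
```

How to read the result: no file, no loaded driver and no service key means the scanner is reporting a stale reference and there is nothing left to hash or upload. A loaded driver whose file is not visible is the discrepancy the "Object is hidden" status describes, and at that point the box should be examined offline (boot media or the disk mounted elsewhere) rather than trusted to scan itself. A file that is present, signed and already known to VirusTotal supports the false-positive theory raised later in the thread.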
 |
MollyBloom
Joined: 21 Jul 2006 Location: James Joyce's pants
Posted: Thu Jun 09, 2011 5:34 pm

Swampfox10mm wrote:
    Dump AVG and try Avast for a while. I bet it is a false positive. You can test individual files at Virustotal.com

You may be right. I tested the files and they came up on virustotal.com as okay. I'll switch to Avast and see how that goes.