Posted

Did a full scan with Rising Antivirus and it picked up a bunch of RootKits.

I was curious as to what they were so did a Google search but nothing turned up.

This is a first; normally Google throws up something but nothing on these RootKits.

dbldtfnjlenk.sys

fbbgncyovfbl.sys

hisyaorsjytd.sys

hmqsthpyydpf.sys

They all have the same location, virus type and size.

Original path:- C:\WINDOWS\system32\drivers

Virus Name:- Rootkit.Win32Undef.ov

Size:- 8704(byte)

Anyone know what these files are about?

Thanks.

:o

Posted

Those look like randomly-generated names and hence won't show up in a Google search. The Pepper Trojan used to do the same, i.e. have a couple of random entries in a HijackThis log, the names varying from infection to infection. It might be worth trying a different rootkit scanner to see if it confirms those entries.

e.g. RootkitRevealer

http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx
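The pattern reported in this thread (several drivers with random-looking names and an identical size in one directory) can be checked mechanically. The following is an added example, not part of the original posts: the heuristic thresholds, function names, and the non-thread file names and sizes in the sample listing are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def looks_random(stem, min_len=10, max_vowel_ratio=0.3, min_consonant_run=4):
    """Long, letters-only name with few vowels and a long consonant run."""
    if len(stem) < min_len or not re.fullmatch(r"[a-z]+", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_run = max(len(run) for run in re.split(r"[aeiou]+", stem))
    return vowel_ratio <= max_vowel_ratio and longest_run >= min_consonant_run

def suspicious_clusters(listing, min_cluster=2):
    """Return {size: [names]} for random-looking .sys files that share an exact size."""
    by_size = defaultdict(list)
    for name, size in listing:
        stem, _, ext = name.lower().rpartition(".")
        if ext == "sys" and looks_random(stem):
            by_size[size].append(name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_cluster}

# Directory listing as (file name, size in bytes).
SAMPLE = [
    # The four files and the size reported in the first post.
    ("dbldtfnjlenk.sys", 8704),
    ("fbbgncyovfbl.sys", 8704),
    ("hisyaorsjytd.sys", 8704),
    ("hmqsthpyydpf.sys", 8704),
    # Constructed entries: ordinary-looking names with made-up sizes.
    ("atapi.sys", 96512),
    ("kbdclass.sys", 24576),
    ("networkfilter.sys", 8704),   # same size, but the name reads as words
    ("qwzxrtplmnbv.sys", 12288),   # random-looking, but no same-size sibling
]

if __name__ == "__main__":
    for size, names in suspicious_clusters(SAMPLE).items():
        print(f"{len(names)} random-looking drivers of {size} bytes: {', '.join(names)}")
```

A cluster reported by this check is a lead to confirm with a second scanner, not a verdict; a name heuristic alone will miss some files and flag some legitimate ones.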

Posted

Thanks "Topdogger", I kinda know what RootKits are; I was just trying to get some information on these particular file names. Normally if you do a search with Google "nasty Virus.exe" a whole lot of info comes up, but as I said nothing on these names.

"Katana" I have quarantined these so hopefully they are out of harm's way. Will try another Root Scanner to see if it picks up anything in the future. Thanks.

:o

Posted

“katana” Rising Antivirus is one of the many great programs that “Reimar” posts on here on a regular basis.

I think it’s a great program. Looks slick with real time protection and can be set for daily update and daily scan. Once it’s set up just forget about it.

Have had a look at Rootkit Revealer. A bit complicated as after scanning you have to then Google the results to see what is or is not a threat and then Google a way to eliminate a found threat. Will give it a go when I have some more time. :D

Rising Antivirus

“TopDogger” It had never occurred to me that these things would have random names.

I don’t quite understand then how they work or how they can be got rid of. If the names are random how can any seek and destroy program know what to look for? :D

I’m going to run Rising Antivirus again overnight doing a full system scan and see what it’s found in the morning.

:o

Posted (edited)

Daffy D

IMHO, Rising is a new Antivirus from China which looks promising but has not yet reached the levels of:

Antivir Premium (Avira) / Kaspersky AV-2009 / NortonAV 2009 / Eset AV (3.0.672 or 2.7.0.39) -

(this is my list - in descending order of detection).

"Messing" w/ rootkits is v. risky; for research purposes you can try using:

1] Rootkit Unhooker :

https://www.rootkit.com/board.php?thread=12...&disp=12403

2] RootRepeal :

http://rootrepeal.googlepages.com/

3] Gmer:

http://www.gmer.net/index.php

4] F-Secure's Blacklight:

http://www.f-secure.com/blacklight/blacklight.html

5] Sophos Anti-Rootkit:

http://www.sophos.com/products/free-tools/...ti-rootkit.html

HTH

Indi

Posted

I am running Avira (free) which picks up just about everything. I also run Spybot - AD-Aware - Dr.Web and A-Squared on a regular basis. Although each of these programs picks up something, none of them caught these rootkits.

Since this happened I have tried other rootkit programs but they are too complicated with dire warnings about deleting something essential to the operating system. Even Googling the results does not give a yes you can delete this without “be sure you know exactly what you are doing before proceeding”. :o

Indi - I have tried Sophos Anti-Rootkit but am not nerd enough to feel confident in using it. I’ll have a look at your other suggestions and see if any are simple enough for me to understand. – Thanks

:D

Posted (edited)

Daffy D

As katana told you - These are randomly generated file names - so you sure won't find similar/identical names via Google/net.

I guess I went overboard in telling you other AntiRootkit tools to try, esp. first 3 are complex tools - best you avoid messing w/ them, my bad!

If Rising AV calls it a rootkit, but 3 top AVs don't, then suggest you try following:

a] Run Hijack This, save its log as text file, review it at: www.hijackthis.de , also PM me the log as a text file.

b] Run these 2 anti-spyware programs (free):

b1] Superantispyware (SAS) - www.superantispyware.com

b2] Malware Bytes AntiMalware MBAM 1.28 - www.malwarebytes.com

Hopefully, either SAS or MBAM may help you.

Indi

Posted

Indi

I have both Superantispyware and Malware Bytes AntiMalware that I also run on a regular basis (I tend to try just about every program I hear about - I really should get out more) :D

Neither of these have shown any RootKits but then they wouldn't as Rising has found them already. Since installing Rising I've been relying on that and Antivir as they seem to cover just about everything. Think next time I'll scan with SAS or MBAM first and see what they throw up.

I'll download the latest version of Hijack and give that a try. I'm not having any actual problems (except the normal Windows / IE ones) so don't know what those rootkits were supposed to do. :o

:D
