1 reply to this topic

[marktreg]

I manage to remove a rootkit on my friend's computer today. It was a hidden process called symupd.exe in the windows system32 folder. This rootkit disabled Malwarebytes, Nod32, Task Manager, Regedit, Folder Options etc, and it also stopped the PC from booting into safe mode. GMER detected the hidden process but could not remove it. The hidden process kept instantly regenerating itself.

This is how I cured it. I booted the PC with a Winternals ERD Commander disk which allowed me to see the hidden symupd.exe file in the windows system32 folder. I deleted symupd.exe. Then I used the ERD Commander Registry Editor to search for, and delete, all (possibly hidden) references to symupd.exe in the registry.

When I rebooted, the hidden process was gone. I then ran Malwarebytes to fix all the disabled Task Manager, Regedit etc options. This worked perfectly. Then I ran a full Nod32 Antivirus scan to fix any leftover virus remnants. This found, and deleted, 32 infected files. The PC now runs fine again.

Is what I did with ERD Commander a possible "generic" rootkit fix? Or did I just get lucky on this occasion?

[negster22]

Using ERD Commander allows you to effectively boot to an alternate operating system (Windows PE environment) and get an untainted view of the infected host's registry and file system.

The rootkit is not active when you do this, so you can see the files you need to delete, providing you know their names.

ERD Commander is a fantastic tool and I use it myself. However, the 30 day trial is no longer available and users, in general, do not have access to it. It is now part of the Microsoft Desktop Optimization Pack (MDOP).