
Should I Remove this Rootkit?



#1 BlahBlahBlah

BlahBlahBlah

    New Member

  • Members
  • 7 posts

Posted 12 November 2009 - 09:59 PM

Well, after having my computer down for a couple days I'm a little more hesitant to remove a Rootkit. I just finished getting my computer back up from this thread, so I figured it'd be best to ask prior to removal this time around. I updated and ran a quick scan, which found nothing. Then I ran a full scan while I was gone, and it shows 2 results:

Files Infected:
C:\System Volume Information\_restore{938C10F9-3F09-41C9-8FF0-43EFAA473BA8}\RP233\A0038298.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{938C10F9-3F09-41C9-8FF0-43EFAA473BA8}\RP240\A0043112.sys (Rootkit.Agent) -> No action taken.

Should I remove these, or leave them? Thanks for reading.

#2 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,497 posts
  • Gender:Male
  • Location:US

Posted 12 November 2009 - 10:07 PM

Just empty your System Restore and create a new one.

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.



Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore


Ron Lewis
Forum Community Manager

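Added example, not code from the thread or from Malwarebytes: a small Python triage script that parses scan-log lines in the layout quoted in the first post, separates detections that sit inside System Restore snapshots (which the scanner cannot remove, hence the Disk Cleanup purge described above) from live-file detections, and checks that the restore point you intend to keep is newer than every infected one. The sample log is constructed; the GUID and RP numbers are the ones from the post, the third line is made up for contrast.

```python
import re

# Constructed sample in the layout of the scan log quoted in the thread.
# The restore-point GUID and RP numbers are copied from the post; the last
# line is a made-up live-file detection added so both cases are exercised.
SAMPLE_LOG = """Files Infected:
C:\\System Volume Information\\_restore{938C10F9-3F09-41C9-8FF0-43EFAA473BA8}\\RP233\\A0038298.sys (Rootkit.Agent) -> No action taken.
C:\\System Volume Information\\_restore{938C10F9-3F09-41C9-8FF0-43EFAA473BA8}\\RP240\\A0043112.sys (Rootkit.Agent) -> No action taken.
C:\\WINDOWS\\system32\\drivers\\CONSTRUCTED.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# "<path> (<threat>) -> <action>" as printed by the scanner
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\s*$")
# Files stored in a System Restore snapshot: <drive>:\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


def parse_detections(log_text):
    """One dict per detection line. restore_point is the RPnnn number when the
    file lives inside a System Restore snapshot, otherwise None."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # section headers such as "Files Infected:" and blank lines
        rp = RESTORE_RE.match(m["path"])
        found.append({
            "path": m["path"],
            "threat": m["threat"],
            "action": m["action"],
            "restore_point": int(rp["rp"]) if rp else None,
        })
    return found


def restore_points_to_purge(detections, keep_rp):
    """RP numbers that hold detections, all of which must be older than keep_rp,
    the point created after cleaning. If any infected point is at or after
    keep_rp, the 'clean' point is not the most recent one and Disk Cleanup's
    'all but the most recent restore point' would keep an infected snapshot."""
    infected = sorted({d["restore_point"] for d in detections if d["restore_point"] is not None})
    stale = [rp for rp in infected if rp >= keep_rp]
    if stale:
        raise ValueError("infected restore point(s) %s are not older than RP%d" % (stale, keep_rp))
    return infected
```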


#3 GT500

GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 6,253 posts
  • Gender:Male
  • Location:Fortville, IN

Posted 12 November 2009 - 11:26 PM

You may also wish to read this article from Microsoft.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#4 BlahBlahBlah

BlahBlahBlah

    New Member

  • Members
  • 7 posts

Posted 12 November 2009 - 11:57 PM

All done, thanks guys.

GT500: that link takes me to a broken page.

#5 GT500

GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 6,253 posts
  • Gender:Male
  • Location:Fortville, IN

Posted 13 November 2009 - 12:02 AM

GT500: that link takes me to a broken page.


Weird. Must have had the wrong URL in the clipboard. :)

Oh well, it's fixed now. :)

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#6 mountaintree16

mountaintree16

    bird lover

  • Honorary Members
  • 7,759 posts
  • Gender:Not Telling
  • Location:USA
  • Interests:Hiking, music, birds, bird watching, walking, reading, animals, computer security, poetry...

Posted 13 November 2009 - 12:03 AM

Thanks for the link GT500, I am reading it now :)

Our character is what we do when we think no one is looking.

-H. Jackson Brown Jr.


It's not what we do once in a while that shapes our lives.
It's what we do consistently.

Tony Robbins
