BlahBlahBlah

Should I Remove this Rootkit?

6 posts in this topic

Well, after having my computer down for a couple days I'm a little more hesitant to remove a Rootkit. I just finished getting my computer back up from this thread, so I figured it'd be best to ask prior to removal this time around. I updated and ran a quick scan, which found nothing. Then I ran a full scan while I was gone, and it shows 2 results:

Files Infected:

C:\System Volume Information\_restore{938C10F9-3F09-41C9-8FF0-43EFAA473BA8}\RP233\A0038298.sys (Rootkit.Agent) -> No action taken.

C:\System Volume Information\_restore{938C10F9-3F09-41C9-8FF0-43EFAA473BA8}\RP240\A0043112.sys (Rootkit.Agent) -> No action taken.

Should I remove these, or leave them? Thanks for reading.

Share this post


Link to post
Share on other sites

Just empty your System Restore and create a new one.

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".

  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.

  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".

  • Give the new Restore Point a name, then click "Create".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr.exe

  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "More Options" tab, then click the "Clean up" button under System Restore.

  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

  • Click Yes, then click Ok.

  • Click Yes again when prompted with "Are you sure you want to perform these actions?"

  • Disk Cleanup will remove the files and close automatically.

  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

[Screenshots: selectdrivecleanup.png, selectdrivecleanup1.png (Disk Cleanup drive selection)]

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore
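The two steps in the post above (create a fresh restore point, then keep only the newest one) as an added PowerShell example. This is not GT500's, the forum's or Malwarebytes' code; it assumes a Windows client with System Restore enabled, PowerShell 2.0 or later, and an elevated administrator session. The function names are this example's own; Checkpoint-Computer, Get-ComputerRestorePoint and the SRRemoveRestorePoint export of srclient.dll are real Windows components.

```powershell
# Added example (not from the thread): PowerShell equivalent of the GUI procedure.
# Assumptions: Windows with System Restore enabled, PowerShell 2.0+, administrator session.

# Step 1: snapshot the cleaned state, then return the newest point so the caller can
# confirm it exists before anything older is pruned.
function New-CleanBaseline {
    param([string]$Description = "Post-cleanup baseline")
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-NewestRestorePoint
}

function Get-NewestRestorePoint {
    # Get-ComputerRestorePoint wraps the SystemRestore WMI class. SequenceNumber
    # corresponds to the RPnnn folder name under System Volume Information\_restore{...}.
    @(Get-ComputerRestorePoint | Sort-Object SequenceNumber) | Select-Object -Last 1
}

# Step 2: remove every restore point except the newest, the same operation Disk Cleanup's
# "More Options > System Restore > Clean up" performs. SRRemoveRestorePoint is exported by
# srclient.dll and returns 0 (ERROR_SUCCESS) on success.
function Remove-OldRestorePoints {
    param([switch]$WhatIf)

    # Compile the P/Invoke wrapper once per session; Add-Type refuses to redefine a type.
    if (-not ("RestorePointExample.SrClient" -as [type])) {
        $signature = @'
[DllImport("srclient.dll", SetLastError = true)]
public static extern int SRRemoveRestorePoint(int index);
'@
        Add-Type -MemberDefinition $signature -Name "SrClient" -Namespace "RestorePointExample"
    }
    $srClient = [RestorePointExample.SrClient]

    $points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
    if ($points.Count -le 1) {
        Write-Host "Only one restore point present; nothing to remove."
        return
    }

    $keep = $points[-1]
    Write-Host ("Keeping RP{0} '{1}' created {2}" -f $keep.SequenceNumber, $keep.Description,
        $keep.ConvertToDateTime($keep.CreationTime))

    # Everything except the last (newest) element is a candidate for removal.
    foreach ($p in $points[0..($points.Count - 2)]) {
        if ($WhatIf) {
            Write-Host ("Would remove RP{0} '{1}'" -f $p.SequenceNumber, $p.Description)
            continue
        }
        $rc = $srClient::SRRemoveRestorePoint([int]$p.SequenceNumber)
        if ($rc -eq 0) {
            Write-Host ("Removed RP{0} '{1}'" -f $p.SequenceNumber, $p.Description)
        } else {
            Write-Warning ("SRRemoveRestorePoint failed for RP{0} with code {1}" -f $p.SequenceNumber, $rc)
        }
    }
}

# Usage: create the baseline first, verify it came back, dry-run the prune, then prune.
$baseline = New-CleanBaseline -Description "Clean after Malwarebytes scan"
if ($baseline) {
    Remove-OldRestorePoints -WhatIf
    # Remove-OldRestorePoints    # run without -WhatIf once the dry run lists only old points
}
```

The ordering matters for the same reason the post gives: the new point is created before the old ones are removed, so the machine always has at least one point to roll back to, and the `-WhatIf` pass shows which RPnnn folders (the ones the scan results pointed at) will go. On Windows 8 and later, Checkpoint-Computer creates at most one restore point per 24 hours by default, so `New-CleanBaseline` may return the point made earlier that day rather than a new one; check its CreationTime before pruning.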

GT500: that link takes me to a broken page.

Weird. Must have had the wrong URL in the clipboard. :)

Oh well, it's fixed now. :)


Thanks for the link GT500, I am reading it now :)

