Skip to main content

Rootkit virus

More
16 years 10 months ago #24453 by S0lo
Rootkit virus was created by S0lo
Just a note about AVG. I recently caught a virus at my home PC. It was running a hidden svchost.exe that regularly reads from the local drives and slows down every thing. I have to say, it was my fault from the beginning, although I was running AVG, I disabled the Resident shield (Just to make it faster). However, After installing the newest version, updating AVG and full scanning. It doesn't detect the virus!!. After few restarts and desperate registry tweeks, Filemon analysis and frustration. I found out that AVG was removed :shock: then I was sure that it is a virus.

Further more, I noticed some thing screwy about a file called msze.exe. further readings pointed out that it is a spyware and that it is ranked as "safe" :!: I managed to delete the file, it was hidden, Then I ran every possible spyware app I could download but no gain. Note that I could not download couse this was making the connection so slow, I went to an other place to do my downloads. The spywares detected loads of stuff, I removed all, but the problem was still there. The next day comes, and I was thinking should I just reformat.

Scvhost.exe was accessing every part of all the drives I've got. Even when I kill all Scvhost.exe proccesses (which is not possible by the way with taskmanager), Filemon still shows me that Scvhost.exe is reading my drive, and I do indeed see activity.

Further readings leads me to some thing called root kit viruses. basically, root kits are programs that are designed to integrate them selves into the operating systems kernel or drivers and hide such that they are very hard to crack out. I downloaded every rootkit removal tool I came across, gmer, AVG rootkit tool, sophos rootkit tool and catchme. Tried them all, gmer caused a stop error, sophos did not find any thing. catchme, nothing. Only AVG found 3 hidden things:

msac32.dll
c:\windows\system32\msae (folder)
svchost.exe << :!:

It offered to delete them but warned me that problems could occur. I was sure that if I deleted svchost.exe I most probably not going to be able to start the machine. So I deleted only msac32.dll and c:\windows\system32\msae. It rebooted, confirmed that the files were removed, then ..... :) :D yaaay no disk activity. It worked!!. I went to check every thing and svchost.exe was silent. :twisted:

The file msac32.dll was backed up (renamed) by AVG rootkit tool. I installed an AV called AntiVir, then tested that file, it indeed is a virus, (forgot the name). Then I reinstalled AVG AV to test the file and It did not detect the virus :!: I guess you see the irony here.

I like AVG and still like it. It's small and fast. But this incident places some droughts. still, I'm gratefull for that AVG root kit removal tool that saved the day..... well, two days :)

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
16 years 10 months ago #24463 by toddwoo
Replied by toddwoo on topic Re: Rootkit virus
Let us know the name of the actual virus/rootkit.

Also.. ClamWin is an excellent AV app. I find myself using both when I find a really nasty problem.

T
More
16 years 10 months ago #24467 by S0lo
Replied by S0lo on topic Re: Rootkit virus
You got it, AntiVir says it's (TR/Crypt.XPACK.Gen)

By the way, A recent update of AVG made the virus detectable, AVG says it's (Generic9.AHOA). I guess it's new, or may be AVG team is slow.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
More
16 years 3 months ago #26916 by Starfire
Replied by Starfire on topic Re: Rootkit virus
I know this is 7 mmonths after the origional post but I would just like to add that with AVG, you get what you pay for.. Same with all AV/AS.

Seriously, stay away from this product. It lulls you into a completely false sense of security. The stuff they have out there these days will chew this up and spit it out ... or ... may you think it's working wonderfully ...
More
16 years 3 months ago #26927 by S0lo
Replied by S0lo on topic Re: Rootkit virus
Starfire, So what do you suggest then for an AV? I'm still using AVG and yes I have heard complaints that it doesn't catch every thing.

And please don't say Symantec, I divorced it along time ago. Any thing free?

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
Time to create page: 0.134 seconds