I have a PC (not mine) that I'm trying to clean up. It had at least two rootkits (lzx32.sys, pe386), several trojans (igfxtray, hkcmd, mstds, mswsck32.dll) and other malware.
I used Rootkit Unhooker to detect lzx32 and pe386 (removed from the fs and registry using a Linux LiveCD), then ran SpyBot S&D, PC-cillin antivirus, avast antivirus, Microsoft Defender and Prevx. Now all these tools say that the system is clean. I checked that everything reported to be auto-run and/or loaded on startup is ok (using Autoruns). Fully updated the system.
However I still suspect that another rootkit is present.
The symptoms are:
- Rootkit Unhooker, upon startup, says "Rootkit unhooker has detected parasite inside itself. It is recommended to remove parasite, okay?" If I say yes, then RU goes on all right and can't detect anything wrong. Still, this message is quite indicative of a rootkit.
- "rootkit revealer" can't open the SOFTWARE hive (giving error: Error dumping hive: The system cannot find the file specified)
What would you suggest? Is it possible that these errors are not related to a rootkit (I never saw them on clean systems)? Do you know of any good Windows LiveCD that can perform an off-line scan of the HD, checking that every Windows system file is "uncontaminated" by checking file hashes against an online db? Or even a LiveCD that can do a standard antivirus scan but including rootkit signatures? (While detecting rootkits from a running system can be very tricky, finding them from a LiveCD should be quite easy.)
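The offline integrity check the question asks about, as an added example that is not from the original post: hash the drivers and system binaries on a mounted (offline) Windows volume and diff them against a known-good manifest, reporting modified, missing and unexpected files. The manifest format (a JSON map of lower-cased relative path to SHA-256) and the sample hashes are constructed for the example; the `lzx32.sys` entry mirrors the rootkit driver named in the post.

```python
"""Offline integrity check of a mounted Windows volume against a known-good manifest."""
import hashlib
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, suffixes=(".sys", ".dll", ".exe")):
    """Map 'relative/path' (lower-cased, forward slashes) -> sha256 for binaries under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix().lower(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }


def compare_manifest(baseline, observed):
    """Diff two path->hash maps; anything in all three lists deserves a manual look."""
    modified = sorted(p for p in baseline if p in observed and observed[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in observed)
    unexpected = sorted(p for p in observed if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed sample data (hashes are placeholders, not real file digests).
BASELINE = {
    "windows/system32/drivers/ntfs.sys": "11" * 32,
    "windows/system32/kernel32.dll": "22" * 32,
    "windows/system32/ws2_32.dll": "33" * 32,
}
OBSERVED = {
    "windows/system32/drivers/ntfs.sys": "11" * 32,       # unchanged
    "windows/system32/kernel32.dll": "ff" * 32,           # hash differs -> modified
    "windows/system32/drivers/lzx32.sys": "ee" * 32,      # absent from baseline -> unexpected
}

if __name__ == "__main__":
    import json, sys
    # usage: python check.py /mnt/windows baseline.json   (volume mounted read-only from a LiveCD)
    with open(sys.argv[2]) as f:
        print(json.dumps(compare_manifest(json.load(f), hash_tree(sys.argv[1])), indent=2))
```

A missing entry is just as interesting as a modified one, since a hidden file on the live system shows up as absent when the hive and filesystem are read offline.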