Root Kit

I found a Root Kit on my computer using AVG's free Root Kit detector that my Trend Micro missed. TM was working as the server and covering all of the client computers.

The Root Kit was in the drivers folder of System32 and was quarantined. Every time I chose to delete it, it would just reboot and say it got rid of it, but would then just show another one in the same location, only named differently by one letter.

So, is this something I should worry about? How do I get rid of it permanently? It just adds a new number to the file which is a sys file. Not sure if I could even delete it.

I have run GMER after AVG, and it doesn't seem to find it.

Try using MalwareBytes Anti-Malware to scan the computer to see if it can find any supporting malware and remove it. Follow it up with another scan by AVG.

Alternatively, download the Dr Web Cure It Live CD from : and burn it as an image on a CD and boot from it and run the scanner. After that scan with MalwareBytes to finish off the infection.
SoulwinnerIT ManagerCommented:
Is ur AVG antivirus a licensed one? If not, download the trial version of ESET NOD32 and run a complete scan; this will detect it and also will help in cleaning it out.
If not, go to the ThreatSense engine parameters and increase the cleaning level to strict cleaning under the custom scan menu; this will definitely work.

Bert2005Author Commented:
OK. I hate these Root Kits. But, I guess half the battle is finding them. I am really starting to think that AVG is better than Trend Micro although this was a standalone.

Bert2005Author Commented:
Thanks everyone,

These are all great suggestions. Does anyone know which ones I should try first?
Try scanning with SUPERAntiSpyware first...
Bert2005Author Commented:
Will try after work. I think I need more than ten minutes during work to try these. I suppose it is not as easy as going into Safe Mode and deleting the file. The root kit may have done some things to the computer?
SoulwinnerIT ManagerCommented:
Bert2005 just try the eset nod 32 first u need not try the safe mode
Your typical antivirus/antimalware is not going to be your best defense against a rootkit.  You'll want a piece of software that directly has access to your kernel to spot attempted 'hidden processes' that would be able to hide itself from your normal userland piece of software.  Now, we have a great solution called Icesword .   This creates a driver that lets the program have direct access to kernel and allows you to interact with it in userland.  We also have a program, developed by F-Secure, that uses explorer.exe to find the hidden processes.  Here's a detailed rundown of how this program works, how to use it, and how to get rid of the rootkit after the it's found.
Bert2005Author Commented:
Until the problem is resolved should I disable the network card? Even if I need to use the printer for a few seconds?
If you need to access the network, your best bet is to just not use anything other than what you need while working on a remedy for this problem.  You don't want it to effectively infect you & create a denial of service from your work.  If you have a firewall, however, there may be a setting that allows you to verify everything that is traveling inbound and outbound from your computer before it get sent or received.  This has many alerts, however you can make sure you are only sending and receiving what you want.  This is dependent on the firewall, though.
You don't really need to disable your network card or anything of that sort. The rootkit is basically a technology that virus uses to hide from the antivirus scanners. Generally, its a file that registers itself as a driver in your system and loads when your computer starts.
Bert2005Author Commented:
F Secure found nothing. Ice Sword was a bit confusing, OK overwhelming, lol. It showed things like verclsid and notepad in red and in a deleting state. It showed wmiprvse in red. It even showed F secure in red.
Download and run Combofix (as has been suggested); we should be able to see it (the rootkit) in the log and delete it using Combofix's script function.
Please download ComboFix by sUBs:
(If it doesn't run re-download but rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

Bert2005Author Commented:
@ warturtle,

I am running all of them all the way down. This is the log that Malwarebytes produced.
Icesword would be, I'm sorry about that.  However, it is truly the best in rootkit detection by monitoring memory and syscalls.  What you saw was really nothing to be worried about.  However, can you verify that both wmiprvse and verclsid are located in the system32 folder and not somewhere like purely drive:\WINDOWS?  As for ComboFix, I am unaware of its internals, but can it access safe protected files?  It seems to be your general "how to remove antivirus" guide with a logging feature.
Bert2005Author Commented:
I am very appreciative of everyone's working with me here. I just figure the more information I can give back, the better some or all can help.

We have never had a virus in two years and all of a sudden one of my employees brings her eight year old in who plays video games on this computer (without my knowledge) and, wham, I have this Root Kit thing. So, I am pretty ignorant when it comes to understanding it.
I find it difficult to believe your average malware author is so sloppy that he won't modify his own file(s) metadata.  Especially for a rootkit.  Does ComboFix have direct access to physical memory for things along the lines of a memory snorting type feature?
If you have any questions about Combofix I suggest you ask its author.
I just see a lot of 'experts' refer to ComboFix for the solution, but no clear explanation why ComboFix is a good solution to finding a rootkit.  Is it good for antivirus detection and removal?  Of course.  But I see no special features that would make it a good solution for actually finding rootkits, especially not over any software specifically written to do such things as rootkits will employ their tricks in ring 0, not userland.
"...It seems to be your general "how to remove antivirus" guide..."

It seems that you're not clear what you are talking about here...
It's not antivirus... I think you meant "virus" if not "rogue antivirus".
And I didn't say ComboFix is better for finding rootkits than a rootkit scanner.
The Combofix log is what I am relying on when I said we should be able to find it, because it lists all files created in the last 30 days.

Bert2005Author Commented:
Interesting discussion, but a bit over my head.

To answer your questions TurboBorland,

verclsid.exe was in System32.
wmiprvse.exe was not and was found in two places:
C:\WINDOWS\system32\wbem   (I was thinking you meant the actual system32 root folder)
There was also a C:\WINDOWS\Prefetch\
Bert2005Author Commented:
I will run the Combofix tomorrow rpgamergirl. Just too tired tonight. As I said, I appreciate all the help. Can't try to figure what is the best. This is a lot like the movie "Memento." If you saw it, you will get what I mean, lol.

Does anyone know if the text file I uploaded means anything?
"The Combofix log is what I am relying on when I said we should be able to find it, because it lists all files created in the last 30 days." <-- right, but where does it find this information from?  The file's metadata?  The system's logs?  A rootkit has direct access to the kernel; this feature should not be a rootkit-finding feature, as it would be sloppy for the rootkit creator to not modify this information.  I'll add the discussion in the experts section so we can continue this. I just don't see the use for ComboFix in rootkit detection, as the question provider has asked for help in exterminating a rootkit, not a virus.  The text you uploaded seems to be good; it shows only infected registry entries to hijack certain user controls, such as display.  If we can't find anything, but only these registry entries remain, we are in good shape, unless this is a rather new rootkit.  As for those locations of wmiprvse, those are correct locations.  The reason I ask this is that sometimes they will name and run SYSTEM level processes that are typical Microsoft processes; svchost is notorious for this due to the amount of instances you can see.  What will happen is they will create another instance, their own modified instance, and place it in a different directory (like drive:\WINDOWS).  However, I await you getting back to us with your ComboFix scan to see if anything new is presented in the logs, and hopefully we can help you further.
Your "IceSword" recommendation is a first for me - never having heard of it.
I note that the forums for that application have had no posts for months or years.
Are you sure that it is a functional program?
Your use of the personal pronoun ("... we have a great solution...") makes it appear as though you have some connection there.
Please enlighten the rest of us 'experts' about your recommendation.
I second IceSword too. But, the user should know how it should be used. As for rootkits, I suggest that you download and burn this file: to a CD and then boot with it.
1. Download Kaspersky Rescue Disk ISO.
2. Burn the ISO with your CD/DVD burning software.
3. After you are done burning the Kaspersky Rescue Disk to a CD, insert the CD to your CD/DVD-ROM, and boot up your computer with it.
4. Hit the ENTER key to start booting the Anti-Virus using linux.
5. Once everything is loaded, the latest Kaspersky Anti-Virus 2009 will load. Check the hard drives that you want to scan and click Start scan.

Until I see some reasoning, I would strongly recommend against using this 'IceSword' product.

The references I see to it are way out of date, there is no current activity in the forums, "MajorGeeks" (a huge download site) has only had it downloaded 125 times in history, and even the site says that it cannot do anything about actually removing rootkits, those I know who have used it say that it should never be used by a casual user - in short - I'm skeptical about both that program and those who are recommending it.
Bert2005Author Commented:
OK, thanks guys and gals. I am off to run Combofix and Kaspersky. Should I change the 1s to 0s on the registry keys? All of my desktop configurations are done by SBS group policy.

I am definitely a casual user when it comes to root kits.

The only thing I have to say is and I appreciate everyone taking up for me as the asker as a lot of posts have little to do with the question, but I have asked over 350 questions in over 3 1/2 years and find this site to be the best ever. I respect, practically worship the Experts. But, I am not quite sure why whether it be lower case or upper case should make a difference.
Bert2005Author Commented:
Oh, sorry. I just saw the word experts in semi quotes: 'experts'   My mistake.
Bert2005Author Commented:
OK, am running ComboFix.

Have burned Kaspersky.iso (it's next in line)
Bert2005Author Commented:
OK, I am uploading the ComboFix text. I did finally turn off Trend Micro real time AV. I had to turn off the service, so if it shows up still, I don't know why.

Now, all of a sudden I have no Internet access, and it is very slow browsing through the network to the domain and server. I have turned off the NIC again after that.
Thanks for the log. Combofix does stop your connection, but will also restore it later in the scan, or a reboot restores it also.

Combofix though it deleted some files, it did not find the rootkit you mentioned.
Did you install or use sqlite?
If not, then empty your temp folder or delete this folder --> C:\WINDOWS\TEMP\sqlite_TSREXynltdglMNV

The Kaspersky rescue might have more luck on this.
Or you could also try Rootkit Revealer.

Did the Gmer log show any registry entries at all?
Bert2005Author Commented:
I have to run the Gmer log again. I started it but stopped when I went to run Combofix. I shall run that one again. I already have the CD from the iso file.

There was a strange thing I saw which may not be strange to you. Before Combofix was starting or just as it started, I looked on the C drive. I think I thought it was stuck or something because the computer couldn't find this file called NIRV something. I think I wrote it down. But, anyway, on the C: root drive, there was a computer icon and when you clicked on it, it was as if you had clicked on the actual My Computer icon, but then it seemed to be replaced by Combofix later. Also, when getting the text file, it was among a LOT of other files.

I do know that the Gmer thing was showing a lot of the file that the AVG showed.

I guess I don't quite understand it all. When I run the AVG and it shows me the root kit IMMEDIATELY and always renamed, the root kit doesn't do anything correct? It must just be something that allows the malware to hide. So, there is no way to know if two things have been done or 50? And, why can't I just delete that file? Is it because it is a .sys file?

On the registry files that show they were changed. They say that 1 is bad and 0 is good. Should I change those?

How do these things get on your computer? Email, web sites? It seems it was just after the 8 yo downloaded and played some games. That seems to be the only time we have ever been in trouble.

Oh well, way too many questions I guess. Thanks.
Yes, run Gmer again and show us the log.
<<<"Before Combofix was starting or just as it started, I looked on the C drive.">>>
Oh it is very important that you don't do anything while Combofix has already started running. You have to leave your pc doing nothing but scanning so nothing goes wrong.

Same goes when you scan with rootkit scanners, e.g. Rootkit Revealer; otherwise the log will be full with legit entries.
<<<"On the registry files that show they were changed. They say that 1 is bad and 0 is good. Should I change those?">>>

Which registry value was it asking you? Can you attach the Gmer's log please?
<<<"why can't I just delete that file? Is it because it is a .sys file?">>>

If you had deleted it and it still won't delete, it could be because a service or something else is protecting the rootkit from being deleted.

<<<"How do these things get on your computer? Email, web sites? It seems it was just after the 8 yo downloaded and played some games.">>>
Can be any of those or some other ways, too many possible ways to get infected.
A System Restore has been good to me so many times, if you have it ON try and roll back to a date before the 8 year old downloaded and played games.
Bert2005Author Commented:
Yes, I checked System Restore, and it was off. It's on now. I can't recall if they are on by default or not.

If you don't mind going back and looking at the text file I uploaded on post # 24790530, it talks about the registry keys. I looked at all of them, and they all are set to 1. But, again, I think most of those settings are set by group policy from the server.
IceSword aides in Rootkit detection. It does NOT remove the rootkit. That is the users job.

Have you run the KAV LiveCD yet? If yes, what are its results?

If you want to remove the service entries from your system, please take a look at AutoRuns from SysInternals here:
Browse to the services tab and delete the needed service. The services will be deleted on a reboot. Please exercise EXTREME CAUTION when you do that, as there are chances that you might delete some needed system services too. So, delete the services only if you are sure that you do not need them!
SoulwinnerIT ManagerCommented:
Hello Bert200?
 looks like u did a pile of work to tackle the issue

Did u try eset nod32?
Is ur AVG antivirus a licensed one? If not, download the trial version of ESET NOD32 and run a complete scan; this will detect it and also will help in cleaning it out.
If not, go to the ThreatSense engine parameters and increase the cleaning level to strict cleaning under the custom scan menu; this will definitely work.
I see what you mean.. those settings are probably set by your group policy at the server.
Those 2 "DisableMonitoring" values which are turned on (I played around) didn't make any difference in my reg entries.
Though the other one "AntivirusOverride" does when I checked and unchecked the box.

That AntivirusOverride is turned on, which means that Windows is not monitoring the status of your antivirus and won't send you alerts if it's off or out of date, which happens when the box that says "I have an antivirus program that I'll monitor myself" is checked.
You can clear the box if you want and the registry value of 1 will auto change to 0.
If you didn't check the box yourself then they must've done it, so I'll just leave it.
Bert2005Author Commented:
Wow, you guys and gals get up early. Or live in different parts of the world. Sorry, I have not gotten back to everyone yet.

So, I can proudly say I ran KAV Live CD, and it was fun to watch but, unfortunately, did not find anything. Which is good and bad, I guess.

So, I still need to run:

eset Nod32
Threat Sense
RootKit Revealer
Gmer and upload log
Get home earlier and get some sleep

I have put off eset Nod32, because when I was looking at SBS AV programs, and I tried all of them, it was the most complicated. And, it was the most demanding of turning off/deleting Trend. The weird thing is I did end up deleting Trend from that PC, but when it rebooted, it came right back. I guess the server installed it and there is some auto-installer there.

A couple of questions:

If the root kit was able to set up shop on TM's watch and the AVG standalone root kit program found it, is AVG a better program? To be fair, it isn't part of an AV/Anti spyware/malware suite.

The other thing. Since AVG has found what it says is a root kit, and every time I run it, it finds the same file only renamed, how do we know there is any other damage under the hood? Given it is there, is it highly likely that there are some "nasties" as they say there?

All in all, how important is it to isolate the machine from the rest of the network?

I have to go back and add one thing to my list. It's so much fun seeing 25 little kids and then tackling this issue again. Win7 is starting to look awfully good.

Boy, I am glad a couple of other experts aren't on this thread. They would really yell at me for skipping around so much. One basically tells me I am not a good question asker, because I should read one post, do what is suggested, report back to the group, then go to the next post and so on and so on. But, with multiple posts and ideas coming in, it isn't always easy. One thing I tried to tell the Expert was there will be times like with the Kaparsky iso. It wasn't all that hard, but when you compare it to just downloading something and burning an iso, sometimes you skip it. But, I digress.

Hey, I noticed no one mentioned Symantec or McAfee. Just kidding. I suppose I would rather reformat than even download them to my computer. They are worse than the viruses. IMO anyway.

We've had some really interesting discussions here over the years about 'which' AV is best - don't go there (LOL).
I have a very strong (and personal) bias against the Norton/Symantec products, but am well past the point of downloading and testing any of the recommended AV products. Any of several products will suit you well enough - just pick one and really learn how to manage it.

At this point, you need to focus on the programs specifically designed to identify and remove the rootkit.
'rpg' is easily the best on this forum for working through that problem with you.

A huge step in preventing recurrences of malware is to have your staff (and their children) only have Internet access with "Limited" accounts. I'd bet you a beer in your favorite Norwich bar that most/all of the user accounts on your computers are 'Administrator' accounts. The privs of an Admin account are what allow these nasties to take hold.

You're right about Time Zones of the various Experts. I'm checking out for the night (20:30 Hours) and rpg should be checking in soon (her TZ is about 12 hours ahead of mine).

Good luck with this one - I'm going to butt out and watch it get fixed.
Bert2005Author Commented:
And, when you say Administrators, you mean local not domain, correct? Obviously, domain would be nuts.

If I give them a limited account, if you don't mind specifying just what I should give them and how (I guess it does pertain to this in a way -- I promise not to take it down that road), there would be one huge issue unless I remembered to log off. Being the domain admin as well as the doctor and everything else, I frequently log on to other computers, e.g. this is an example, maybe not a good one. I tend to just leave and in 30 minutes the computer locks (I know, I should log off). So, if they aren't local admins, they can't log on. I can, of course, log on remotely. Or can I make one person a local admin on each computer just for that one reason? Or can they do a hard reboot (yikes). Maybe I am mistaken.

Thanks, by the way, for your help.
Bert2005Author Commented:
OK, so I ran ESET NOD32. And, almost instantly, it found a virus or two or something. It then said it could not delete since something was using it, so I needed to reboot. There was a window on the screen which allowed me to reboot.

The computer rebooted and came to that point where it says "Applying Computer Settings" and hung. So, I waited. Four hours later it still said the same thing. I don't believe it was frozen. Anyway, I didn't want to do anything before anyone told me what to do.
Forgive me everyone...I haven't been on this question for days now...I have skimmed through some of the comments posted very if I say something someone else has suggested already...please forgive me...

Bert2005 - If you're still having issues...have you tried taking the hard drive out of the computer completely...and putting it into another computer as slave...and then scanning your drive that might want to try that...if your system is now hanging.
Bert2005Author Commented:
What would I scan it with? eNod again?

I haven't tried rebooting yet. Should I try that first?
Is your computer locked up...frozen...hung now? If it's hung for hours now...try rebooting...if the results are the same...try putting your hard drive into another computer...and scan again...try scanning with eNod? Do you mean NOD32? Try scanning again with the following mentioned already...MalwareBytes Anti-Malware...SUPERAntiSpyware...
Putting another antivirus in a machine that already has an antivirus is more likely to create conflicts unless the other one is uninstalled... antivirus is not like having just another program or anti-malware; antivirus likes to hook into all places like at boot, emails etc.

Just uninstall one, or disable Trend for now if you want to scan with Nod32.
Have you tried running Gmer again? We don't really want to fill the system with applications specially antiviruses.
Run small standalone scanners like Rootkit Revealer, Gmer etc.
Very true...just run one antivirus at a time on your mentioned by rpggamergirl.
Bert2005Author Commented:
I'm trying. All of my antivirus software is disconnected. I am running only one at a time. The ESET NOD32 (sorry before) seems the most promising so far. It's frustrating that it hung. But, I haven't tried to reboot it yet. Maybe I could boot from the Kaspersky CD if it won't boot.

I have gone through Add/Remove programs and uninstalled the programs prior to running the others -- for the most part unless I forget. I definitely don't have two of them active. You have to admit, there have been at least ten or more recommended on here, which I am trying all.
SoulwinnerIT ManagerCommented:
Did u try strict cleaning in ESET NOD32? U can do this in the ThreatSense engine in ESET's advanced scanning mode option in advanced setup.
But try uninstalling the other AV if u have two of them...try uninstalling it with Revo Uninstaller;
this software completely removes it from the registry and all the unwanted traces of any software u want to uninstall...

good luck
Bert2005Author Commented:
OK, so the latest. I rebooted and it hung again. So I rebooted into DOS or whatever and used the Last Known Good Configuration. Ran eNOD and found nothing. Didn't run it like Paul said yet. I then ran GMER. I will post what I found, but I am confused (as always during this plight).

When I click on the RootKit/Malware tab, there is a Save button, which is the text file I am uploading. But there are seven other tabs such as Files, Processes and Registry. Just not sure what they are for. They have different information in them.
Good job, thanks for the log.

Run Gmer again please,
when the initial scan is finished and you'll have access to the menus,
click on the "Services" tab, you should then see all the services, startup type, and the filename that is associated with the service.

rightclick on this service --> a8kxkvmu

and click "Delete"
You'll then get 2 prompts, the first one will remove the service, and the second one will attempt to remove the file -->C:\Windows\System32\Drivers\a8kxkvmu.SYS

It should be deleted, if it didn't then you can click on the "Files" tab and delete that file
"C:\Windows\System32\Drivers\a8kxkvmu.SYS"  navigate by expanding "+".

Use a third party tool "Avenger" to delete the service and delete the file.
Please download The Avenger2 by Swandog46 to your Desktop.
Right click on the folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

   *Click on to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all text inside the lines below):

Drivers to delete:
a8kxkvmu

Files to delete:
C:\Windows\System32\Drivers\a8kxkvmu.SYS

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
Bert2005Author Commented:
OK, by the time I go to do anything with the file, it has changed. When I ran GMER again, it is now aou100s8.SYS and, worse, there is no service associated with it.

Nor can I find the a8kxkvmu file or the "aou" file by browsing to it.

I am going to run it again, and see what it comes up with.

Bert2005Author Commented:
Forgot to add the newest text file.
I see what you mean it just respawns into another random name.
No related service? In the Gmer log it has those device drivers "aou100s8 and aou100s81"; they are not showing in the Services section?
How about this service? -->spko.sys  or any suspicious 4-letter that starts with sp?

Also look in the processes; there's an option there to kill a process so you can kill a process before deleting etc. There's also a "Kill all" which kills all processes except Gmer (to easily delete a 'hard to delete' file).
C:\Windows\System32\Drivers\aou100s8.SYS <-- and this file,
C:\Windows\System32\Drivers\aou100s81.SYS <-- and this if present also.

Is the "Restore SSDT" box in Gmer checked?

It could also be that one of the system files is patched; an online Kaspersky scan or a free trial should detect any patched files. Or it could be one of the Daemon Tools files that is patched; something is respawning it.
Try checking if these files are clean -->

If still no luck, maybe IceSword is better than Gmer in detecting and eradicating it, the Experts who suggested IceSword should be able to walk you through with the removal.
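As an added defender-side example (not code from this thread or from GMER, IceSword or any other tool named here), this PowerShell script does in one pass the cross-check the posts above do by hand: it walks the kernel-driver entries under HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath, flags entries whose file is missing, recently created, unsigned or randomly named, and then lists recent .sys files in System32\Drivers that no driver service refers to (the "no service associated with it" case). The 30-day window, the random-name heuristic modelled on a8kxkvmu/aou100s8, and an elevated PowerShell prompt on the affected machine are assumptions; the Expand-ImagePath and Test-RandomLookingName helpers are mine, not from any tool.

```powershell
# Added example, not code from the thread or from any tool it names.
# Cross-checks kernel-driver service entries against System32\Drivers in both directions:
#   (a) a driver service whose file is missing, recently created, unsigned or randomly named
#   (b) a recently created .sys file that no driver service refers to
# Assumptions: Windows with PowerShell 2.0 or later, run from an elevated (Administrator) prompt.
# Caveat: a kernel-mode rootkit can hide entries and files from this user-mode view; the value of
# the output is in comparing it with what GMER, IceSword or a rescue CD reports, not the list itself.

$lookback    = (Get-Date).AddDays(-30)          # same 30-day window the ComboFix log uses
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverDir   = Join-Path $env:SystemRoot 'System32\Drivers'

function Expand-ImagePath {
    param([string]$ImagePath)
    # Driver ImagePath values come in several shapes: system32\DRIVERS\x.sys, \SystemRoot\..., \??\C:\...
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-RandomLookingName {
    param([string]$Name)
    # Heuristic only (assumption): 8 lowercase letters/digits mixing both classes, like a8kxkvmu or aou100s8
    return ($Name -cmatch '^[a-z0-9]{8}$') -and ($Name -match '\d') -and ($Name -match '[a-z]')
}

$referenced = @{}     # full paths referenced by some driver service, used for check (b)
$findings   = @()

foreach ($svc in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; Win32 services (16/32) are out of scope here
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
    if (-not $props.ImagePath) { continue }

    $file = Expand-ImagePath $props.ImagePath
    $referenced[$file.ToLower()] = $true
    $reasons = @()

    if (Test-RandomLookingName $svc.PSChildName) { $reasons += 'random-looking service name' }

    if (-not (Test-Path -LiteralPath $file)) {
        $reasons += 'file not visible on disk (hidden, or orphaned service entry)'
    } else {
        $item = Get-Item -LiteralPath $file
        if ($item.CreationTime -gt $lookback) { $reasons += "file created $($item.CreationTime)" }
        # On XP-era systems many Microsoft drivers are catalog-signed and show as NotSigned here,
        # so treat an unsigned result as a weak signal that needs a second source.
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }

    if ($reasons.Count -gt 0) {
        $findings += New-Object PSObject -Property @{
            Service = $svc.PSChildName
            Start   = $props.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            File    = $file
            Reasons = ($reasons -join '; ')
        }
    }
}

# (b) recent .sys files in the drivers folder that no driver service points at
foreach ($f in Get-ChildItem -Path $driverDir -Filter '*.sys' -ErrorAction SilentlyContinue) {
    if ($f.CreationTime -gt $lookback -and -not $referenced.ContainsKey($f.FullName.ToLower())) {
        $findings += New-Object PSObject -Property @{
            Service = '(none)'
            Start   = $null
            File    = $f.FullName
            Reasons = "created $($f.CreationTime); no driver service references it"
        }
    }
}

$findings | Sort-Object File | Format-Table Service, Start, File, Reasons -AutoSize -Wrap
```

Run it once from the live system and once after booting a rescue CD against the same disk; a driver that shows up only in the offline run is the one to look at.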
Bert2005Author Commented:
I think you are right. I think it respawns or something. I do know that aou100s81 is being shown rather consistently. I will definitely have to keep this thread for all of the ideas and names of malware detectors. Maybe I should make a list.

I am a bit confused, because when I first ran NOD32, it instantly found some bad things, but then said to reboot. So, I finally rebooted to that last good configuration, and I don't know if anything happened. The file was still there. Of course, I ran it again.

Now, the issue is I somehow made it home before 1AM. The GMER thing was running when I left. So, I could RWW in, but I wonder if that would cause any problems.
Most scanners usually delete hard-to-remove files on boot or when deleting a driver etc.
Sorry what's RWW?
Gmer won't delete anything without user's interaction.

After researching, apparently IceSword is a highly advanced rootkit scanner, so that looks promising for you. I'm not familiar with it, but if you read back on this thread TurboBorland and Phateon recommended it and have more experience with it, so they should be able to help you.

Or, I can help you with it(if they are unavailable) shouldn't be that difficult as long as you don't delete any legit files nothing should go wrong. I just found a tutorial I'm reading now.
Bert2005Author Commented:
Oh, sorry. RWW = Remote Web Workplace, the remote software used by Small Business Server. I definitely appreciate your researching Ice Sword. I guess I should take a look as well. There are still a lot of apps on here I haven't got to yet. The funny thing is the computer doesn't seem to do anything funny, but I am obviously not using it. So, it may not have reared its ugly head yet.

If this rootkit file were deleted, how does that get rid of the viruses? Or does it just make it easy for an antivirus program to find them. You know if I hadn't just randomly decided to try AVG's rootkit detector, I wouldn't even know this thing was on there. Thanks again.
Bert2005Author Commented:
Hi rpggamergirl,

I found some services files beginning with the letter "S" that were four letters, BUT I don't know what I would be looking for that would make them suspicious. So, I did a print screen and uploaded it here. Hope this helps.
Thanks for the explanation and the screenshot I appreciate it, they're all legit files by the look.

In reply to your other post...
It is a good idea to scan for rootkits now and then, because resident security scanners like antivirus/anti-malware can't detect them, so the user wouldn't know until the PC starts misbehaving, or in your case not even having any symptoms yet.

Rootkits are different than viruses, viruses are easily removed using antivirus scanners or anti-malware scanners while rootkits are hard to detect, some rootkits can even stay in the system for a long time before the user notices something.
If it helps, here's some writeups about rootkits.

So what's the next thing you're going to do?

If you're going to give IceSword a try, you can start with these steps (providing us the logs).
I'll be away for 3 days but the others and the IceSword Experts will be here to continue.

Please download and unzip Icesword to its own folder on your desktop

If you get a lot of "red entries" in an IceSword log, don't panic

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Please post all of the data collected under the headings for :

Win32 Services
Message Hooks

There are other additional logs you might like to provide if we need more info.

SoulwinnerIT ManagerCommented:
Did you run the ThreatSense engine?
Bert2005Author Commented:
Hi saul2paul,

LOL, I am not even sure. That was on the NOD32 right? I think I tried to make sure it was on. Can you help? Also, rpggamergirl said to ask you more about Icesword?

Thanks. This is actually getting fun in some sort of crazy way. :-)
Actually, it was TurboBorland and Phateon who recommended IceSword - but who can tell any more?
(Insert something about needing a scorecard to know the players here).
Sorry. Was busy with work. So, did you run IceSword yet?
Still here....
I do apologize for the mistake, thinking it was saul2paul... sorry.
Is there an official site to IceSword? I found a couple of sites with IceSword...I don't know if those sites are legit...or if they contain maybe spyware...
SoulwinnerIT ManagerCommented:
hello Bert2005:
Do you want help with ESET NOD32's ThreatSense engine? Here is the print screen.
Thanks Phateon...
Bert2005Author Commented:
Wow. Wow. I guess that Expert who took me to task for jumping around would really be upset with this thread, lol. I am definitely not complaining.

@younghv You read my mind. After work, I was going to go to Word and make a table and write down the name of the anti-malware program, the website, if I had run it and the results.

Someone recommended Dr.Web. I downloaded it -- was 2.5 GB. Burned the .iso to a DVD. It's supposed to boot from it, but it didn't. So, either booting from a DVD is different than a CD, since I did that earlier, or it isn't set up correctly.

I still have some general questions. Say one of these many malware programs finds some viruses or all of them and deletes or quarantines them, will the rootkit file be gone? How would I know if everything were fixed, if the AVG program kept finding the file?

I've followed this thread for a couple of days. And first would like to say that those who have stuck with you and offered their advice have done a great job. As usual, rpggamergirl is all over things. Good advice.
And so that there wasn't another cook in the kitchen, so to speak, I decided not to offer my advice. That is, until you asked the following question.

"How would I know if everything were fixed, if the AVG program kept finding the file?"
This has been on my mind since you opened this question. Rootkits are obviously very devious and malicious programs. And whenever I see that someone has encountered one I ask myself that same question. How do you know it's gone?
I don't feel comfortable "cleaning" a rootkit from my system and then sitting down to do my banking, taxes, etc. on that system. I like to sleep at night.
At any rate, whether you detect and remove the rootkit or format/reload your operating system I'd like to acknowledge again the insight and patience from those posting.

Bert2005Author Commented:

Thanks for your insight and for posting. I, too, have been very appreciative and amazed at all the help. This isn't like asking how to open ports 443, 444 and 4125 in a PIX 501. There, while it may take a while to talk me through it, there is really only one set of commands you can put in the CLI that work.

Here there are multiple ideas, but there are also many recommendations of which anti-malware program to run. I may end up reformatting. But, at least going through the process will be a learning experience and, like losing a hard drive teaches one a hard lesson about backups, maybe this will teach me not to have local admins and to keep System Restore activated.

I do think I will continue to try and remove it. But, in the end your statement was very ironic about redoing the drive. While I don't do my banking or taxes on that particular computer, I did send my biller and coder home today as that was the only computer she could work from.

To everyone. As stated in my last two or three posts, I plan to organize everything and give it a shot. However, I will need to wait until tomorrow as I am exhausted after a long week. So, I will get after it again after a good night's sleep.
Bert2005Author Commented:

What David says makes sense. I would like to get others' opinions (if this were their machine): would they recommend trying to clean it or just starting over with a reformat?
Bert2005Author Commented:

Probably obvious or a stupid question. But, did you take your nick from the Christian rock group? They are very good. It's ironic that there is such a dichotomy between Christians and people who do good in the world and those that enjoy destroying others and their things such as those who make malware.
Depending on certain viruses, spyware, etc. and how vicious they are, you're sometimes better off reformatting and starting over, but in other cases you can remove them and your PC will be fine.
Bert2005Author Commented:
Suppose I also worry about spread over the network.

One of the Uber-Geniuses around here (garycase, MS MVP) gave me a great recommendation a while back about using "Boot-IT" imaging software as the ultimate solution to any really horrendous situations.

As I remember, the cost was about $35/computer (lifetime), but a full - complete - total reinstall of the OS partition of any computer takes about 14 and a half seconds.

In a situation like this one (if all of your data was on a separate partition), you could format your OS partition and load the image back on in about the time it takes to get a cup of coffee.

With all of the HIPAA compliance issues in your business, I would be even more hesitant to do a 'repair' - when a full format/re-imaging could be done so easily.

Gary has a full set of guidance (for real people) that he will post if you ask for some help over in the "Hardware" Zones - be specific in your title about "Boot-IT" and don't post in the morning. Gary is an older gentleman who needs his rest.
Bert2005Author Commented:
Hmmm....interesting. So this is different than Acronis, ONE of the backups I run on my server?

I know Gary very well, well at least from Experts Exchange. A nicer guy you won't find. He pretty much picked out my home theater for me. I will post that and get some info. So, does this reinstall your OS during the boot process in case you're hung?

Of course, when you have a network and you have backed up and protected your server to the max, you tend to not worry that much about your clients except, ironically, for the virus. Back before I was using a domain, I always used GoBack especially when it was Roxio and not Symantec. At that time it was much easier to "Go Back" before boot up where System Restore was fairly complicated. Now, you can boot to System Restore at the safe mode place.

But, I must say, if I were trying to keep score, I would say as far as successfully going back to original images, it would be GoBack 100% and System Restore about 40%. I would get back to the original restore point only to be told it didn't work. Microsoft for you.
I don't want to steal his thunder (and this question is hopelessly muddled anyway), but here are the basics.
On this computer, I have three partitions:
XP-1 (Licensed XP Pro - OS only)
XP-2 (Same License - OS only)
Data - all data from either partition is stored here. All applications (and profiles) for both OS's point here.

On boot-up, Boot-IT asks me which OS I want to load, or defaults to the last one I used.
The 'Desktop' on both OS boots has a short-cut to create a new image.
Creating a new image takes about 12-15 minutes.
About once a week, I run the short-cut and create a new image for both OS drives.
I also keep one spare image (for each) that is about a month old and one that is about 3-4 months old (disk space is cheap).

I tested this thoroughly during the install procedure, and it was flawless for putting me back exactly where I was with any of the images.

My first install was about a year ago and I have only had one instance of where I had to actually use the product. The most recent (about a week old) image worked perfectly, so I played with the spares and loaded them one at a time. All three loaded within minutes - with the older images only needing the Security and MS patches updated.

Regarding the last part of your post: so often one of the big boys will buy a great product, because it is so great, and let it die on the vine. Symantec, Trend (HijackThis), MS, and several other big boys have done the same thing.

Bert2005Author Commented:
OK, so I am so paranoid now that I am not even sure if adware is a virus. I find adware everyday with Trend Micro. But, Dr. Web's AV scanner found three "viruses" even though it reported only two. I will list the names of the files here just in case:

C:\Qoobox\Quarantine\C\WINDOWS: Coupon~1.OCX.vir

C:\Qoobox\Quarantine\C\WINDOWS\Installer: 27837eec.msi.vir  (I don't know. The msi kind of scares me)

C:\Qoobox\Quarantine\C\WINDOWS\system32: BSTIEPrintCtl1.dll.vir

There is an A0004786.ocx which is supposed to be in C:\System Volume Information\ but I can't open the folder, and it says it is empty.
C:\Qoobox\ .... I'm pretty sure that is the 'quarantine' for ComboFix.

Have you 'uninstalled' CF yet?
Bert2005Author Commented:
No, but that would be strange as ComboFix just made some text files and didn't say that it quarantined anything. The only program that did anything was NOD32.
If rpg has reviewed your CF logs and declared them clean (I'm not going back through all of the posts :)), then you can uninstall CF.

**ComboFix Uninstall directions follow**

Do not uninstall until one of the Experts has certified that you no longer need to run ComboFix 'Scripts'.

Click START then Run...
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
Gary CaseRetiredCommented:
Wow, this is a long thread !! I noticed a few comments r.e. Boot-It, so I thought I'd chime in.

First, as far as the fundamental issue here (the rootkit), I'll simply make one comment: Listen to rpggamergirl :-)    That's all you need to do to resolve this issue.

As for Boot-It -- as younghv noted, it's a superb utility for managing multi-boot systems; imaging; and partition management. It IS a bit "geeky", and it isn't for all systems -- it can't deal with dynamic disks, GPT disks, etc.   But for virtually any system based on MBR-formatted basic disks, it's tough to beat. Doesn't exactly restore an image in "14 and a half seconds" (thanks younghv) ... but you CAN start the process about that quick ... and it doesn't take any more of YOUR time.

Your comment "... So this is different than Acronis, ONE of the backups I run on my server ..." ==>  Depends on how you're using Acronis.   If you in fact have an image backup of the system that got infected, that's no different than if it was made by Boot-It ==>  if that's the case (and you're SURE the image was made BEFORE the infection), just restore the image and you're done :-)   Obviously you'll lose everything that was done on that system partition since the image was made -- but it will be restored to an infection-free state !!

As younghv knows, I'm a HUGE fan of Boot-It. My main system currently has 7 bootable OS's [XP Pro, XP Home, XP MCE, Vista Ultimate x32, Vista Ultimate x64, Windows 7 x32, and Windows 7 x64] ... and ANY of them can be fully restored to an imaged state in ~ ten minutes.   I maintain about 3 images of each. Since you mention GoBack, I'll toss in a comment r.e. that as well ==>  First, Symantec ruined it when they took it over (Norton GoBack is nowhere near as reliable as its Roxio predecessor).   Second, it was a GREAT program, but had a major flaw ... the 4GB limit on the GOBACKIO.BIN file (the buffer it uses to track changes).   This was updated to 8GB by Symantec, but could also cause serious system crashes.   But either size was too small for modern hard disks.   GoBack provided what was essentially a "real-time image" -- i.e. you ALWAYS had the ability to restore to ANY selected point in the past ==> UNTIL you reached the end of the buffer (the 4GB I just noted).   With an active system, this often meant only a day or two of history.   A "real" image (Boot-It, Acronis, etc.) is fixed ... you can ALWAYS restore to that image.   It's purely a matter of how much storage you dedicate to storing images in terms of how many choices you can have to revert.   You don't need many -- a baseline and perhaps a once-a-month and once-a-week image is plenty.

Enough rambling -- my point is simple:  IF you have an image of the system made before the infection, you could save yourself a LOT of time by just restoring that image.

One other point I always make when advising folks on how to structure a system (this is what youngrv mentioned above) ==> Separate your OS and your data partitions (and relocate "My Documents" to the data partition).   This way if you ever have to restore an image it has NO impact on your data.   In a multi-boot system, this structure also lets all of your OS's access the same data partition (if you choose to).   For example, on my system, no matter which of the 7 OS's I boot to, all of my data is available with no problem.   So I can do my e-mail, edit Word docs, Excel spreadsheets, etc. exactly the same no matter which OS I'm running.   And if I mess up an OS I can quickly restore it by just booting to Boot-It's maintenance menu. (I rarely do that ... but, for example, I've been "playing" with Windows 7 a lot lately, and have reverted to a baseline image quite a few times as I've found things that don't quite work right)

Finally, with regard to the advice "... don't post in the morning. Gary is an older gentleman who needs his rest ..." ==> you can POST anytime you want !! ... just don't expect a RESPONSE in the morning :-) :-)

I am SOOO busted!
In the interest of full disclosure, I am actually older than Gary - but I normally work the early shift and he covers the Night Owls (or Eagles).
Bert2005Author Commented:
Thanks Gary,

Only two questions:

One, why do you have XP Home on your computer? And, two, as I know you have been known to run an OS or two on VM, why not just have Win7 as virtual and restore to snapshots?


PS Thanks for such a well written and thorough post.

PPS Finally making up my Word table to include all of the applications suggested. Hey, even as a non-expert, if I see a post like this one, I can just upload my table and save everyone a lot of time.
Gary CaseRetiredCommented:
I have XP Home so I can boot to it on the rare occasion when a question involves XP Home and I want to check out the behavioral differences between Home & Pro.    RARELY used -- although I do boot to all OS's every few months and catch up on the updates (so they're all up-to-date).

I have an even larger collection of virtual machines (EVERY version of Vista, for example ... in both x32 and x64 versions), as well as every version of XP & Windows 7.     However, there are times when the hardware interactions make it more realistic to use a "real" machine  (especially with Windows 7) ... so I have the system set up so I can use them as well.     With Boot-It images it's trivial (think 10 minutes max) to restore any OS back to an image of my choice.    I keep a spare 1TB drive just for images :-)   [This system has a total of 5TB of storage.]
Bert2005Author Commented:
OK, my list is complete. I should definitely be able to sell this thing. J/K. But, it does put things in perspective. I need to run a couple of things.
Bert2005Author Commented:
Well, it takes me multiple tries to reboot now. Hangs a lot. AND, as mentioned previously, System Restore never works. But, at LEAST it will get me to the desktop so it can tell me it didn't work. I doubt this happens with Boot-it, and I know that it NEVER happened with GoBack, or it would have been called GoBack and see if it worked.

I am running a scan now. I think I will go over to my other question about digital cameras. Same number of days, only two posts, lol.
Gary CaseRetiredCommented:
Do you have an image of this system that you can simply restore?
Bert2005Author Commented:
No, because I only image or back up three computers. The server, which I think we have discussed before, is imaged and backed up and imaged and backed up online and off so many times, I think I spend more time backing it up than using it. And, the hardest part if it were to crash or I lost a file would be to decide which of the 10 backups to use (and I am not talking about yesterday vs last week).

I then obviously image my personal office computer daily. And, I back up my home computer. But, all of the client computers are basically used to run applications and access application databases and files from the server, so other than checking for spyware, adware and viruses, I don't generally back them up. Maybe this event will change that, and I do have extra USB 2.0 drives to do that. Maybe Boot-it will do that.

I can tell you I would trust a dime on System Restore. It's about the only program I know of that Symantec could improve!
Gary CaseRetiredCommented:
It would be a good idea to have an image of each of the client PC's ==> sounds like a once-a-year (or once-per-major update) image is all you need, since all the data is on the server and the applications seem pretty stagnant.     Sure would have been nice to have one now :-)

Boot-It would do it fine;  but so will Acronis (which it seems you have and are familiar with).

I agree with your thoughts r.e. System Restore -- in fact it's turned off on all my computers [No need when you have an image.].
Bert2005Author Commented:
Very true. When I looked at Boot-it's website, they seem to have a product multibooting which you can image with I believe and one more suited to just imaging Windows, etc.

Of course, with Acronis, you mainly do backups, but the Boot-it program talked about real time back ups of servers or at least imaging of servers. Maybe I have it wrong. Or maybe we are getting off topic. But, I have to do something while this AV program is scanning. Takes forever.
Bert2005Author Commented:
OK, the latest update. I really thought I had gotten somewhere as Dr. Web did seem to remove something, although I have not been able to find out what it was. I know. Sounds weird. From that point on, I have been able to reboot without hanging, which is a first. I then ran AVG's rootkit detector, and it did not find one, so I thought I was getting somewhere.

However, later I ran it again, and it continues to find the ever-morphing rootkit file in System 32. So, I went to run Rootkit Revealer, which needed to be installed, but the Microsoft Installer is not working. I have registered it and unregistered it and tried to download and install it, but it says that SP3 is newer than the installer. I tried uninstalling SP3 all three ways, but had no success.

In the error messages, I found:

DCOM got error: "The pipe has been ended. "attempting to start the service Seaport with arguments "-Service" in order to run the server.

The Windows Installer service is not running and will not allow me to start it.

The associated number with the error is:


I don't know if all of these occurrences are due to viruses or not.

I think I am getting closer and closer to a re-install.

Would Hijack This be helpful?
HJT wouldn't hurt, but since Trend bought it they haven't done much (if anything) to maintain it.
For 'rootkits', I don't think it will be much use at all.

(Boot-IT -- 35 bucks and your Data/Records person wouldn't be on extended vacation).

This has been a wild ride.
Bert2005Author Commented:
Well, true, but it's her daughter who did it, so she can work without pay. Of the Boot-it versions, I don't think I want what Gary uses, correct? e.g. Boot-it NG. I don't ever do any multiple booting.

It has been a wild ride. I haven't given up yet though.
Still going I see....sorry I haven't read back the whole thread.
I don't know what to think of this question anymore, but this must be the longest question I have ever participated in all my years here at EE.

This question seemed to morph from a rootkit problem to rootkit/malware and other discussions which of course are all good but I was expecting that you would stick to the rootkit problem.
Have you tried IceSword? It's your choice of course if you don't want to try it, but if I were you I would try it, since the other rootkit scanners seem to have failed.

<<<"Would Hijack This be helpful?">>>
I am sorry, but Hijackthis wouldn't help much as younghv already stated in finding and removing the rootkit.
Hijackthis can not even detect some common nasties..... a lot I mean A LOT of nasties can hide from the Hijackthis scan and because of that it is no longer a number one choice as a malware diagnostic tool.

Well, I can see you're in good hands so I'll just watch from now on.

Bert2005Author Commented:
Sorry, I didn't know I wavered much from the rootkit problem. I have read a lot about them and understand them (I think), but many apps have been recommended that seem to blur the distinction. I think any program that is designed to cause harm to your computer would fall under the category of malware.

But, given my excerpt from above, it is hard for me to install IceSword, Rootkit Revealer or anything, given the lack of any way of installing anything.

"but the Microsoft Installer is not working. I have registered it and unregistered it and tried to download and install it, but it says that SP3 is newer than the installer. I tried uninstalling SP3 all three ways, but had no success. In the error messages, I found: DCOM got error: "The pipe has been ended. "attempting to start the service Seaport with arguments "-Service" in order to run the server.  The Windows Installer service is not running and will not allow me to start it."

So, my big question that no one has talked about: since a rootkit can open a backdoor to an intruder, am I safe continuing to try to fix this? Or should its Internet access or network access be off?
Since we are coming back to the main point, I am going to stress that you scan with Kaspersky Boot CD (as advised before by Phateon). That will skip loading Windows drivers and should hopefully help with the detection of rootkit and removal as well.

When you are using the Kaspersky Boot CD, it will not load any Windows files, so you have nothing to worry about ( no backdoors are open, when Windows is shut ;-) ).

Let us know, how your computer behaves after this scan.
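The reasoning behind the boot-CD advice just above, and behind rpggamergirl's earlier point that a resident scanner only sees what the running OS lets it see, is a cross-view check: list the same folder from inside the booted OS and again from outside it, and anything that only shows up in the outside view is being hidden from the live system. The script below is an added example that is not code from any participant in this thread and not IceSword's or Kaspersky's own logic. Both listings and every file name in them are constructed sample data; `qrwx.sys` and `qrwy.sys` are hypothetical stand-ins for the "ever-morphing" .sys file described earlier. In a real run you would build `api_view` from a listing taken inside the booted OS and `raw_view` from the same folder enumerated from the boot CD.

```python
"""Cross-view comparison of a drivers-folder listing (added example, constructed data).

api_view: (name, sha256) pairs as reported by the running OS's file APIs.
raw_view: (name, sha256) pairs for the same folder read from outside the
          running OS (e.g. from a boot CD, where no Windows driver is loaded).
"""
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 of a file's bytes; here applied to constructed stand-in contents."""
    return hashlib.sha256(data).hexdigest()


def cross_view_diff(api_view, raw_view):
    """Compare the two views of one folder.

    hidden   : present on disk but invisible to the live OS (classic rootkit symptom)
    phantom  : reported by the live OS but absent on disk
    tampered : same name in both views, different bytes
    """
    api = dict(api_view)
    raw = dict(raw_view)
    hidden = sorted(set(raw) - set(api))
    phantom = sorted(set(api) - set(raw))
    tampered = sorted(n for n in set(api) & set(raw) if api[n] != raw[n])
    return {"hidden": hidden, "phantom": phantom, "tampered": tampered}


def near_names(names):
    """Pairs of equal-length names that differ in exactly one character.

    Matches the renaming pattern described in the thread: a .sys file that
    reappears after each removal with a name shifted by a single letter.
    """
    names = sorted(set(names))
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1:
                pairs.append((a, b))
    return pairs


# Constructed sample data (hypothetical names and contents, not from the original thread).
API_VIEW = [
    ("acpi.sys", fingerprint(b"acpi driver image")),
    ("disk.sys", fingerprint(b"disk driver image")),
    ("ntfs.sys", fingerprint(b"ntfs driver image")),
]
RAW_VIEW = [
    ("acpi.sys", fingerprint(b"acpi driver image")),
    ("disk.sys", fingerprint(b"disk driver image")),
    ("ntfs.sys", fingerprint(b"ntfs driver image (patched)")),  # same name, different bytes
    ("qrwx.sys", fingerprint(b"unknown driver image")),          # only visible offline
    ("qrwy.sys", fingerprint(b"unknown driver image")),          # sibling, one letter off
]


def analyze(api_view=API_VIEW, raw_view=RAW_VIEW):
    """Run both checks and return one report dict."""
    report = cross_view_diff(api_view, raw_view)
    report["near_names"] = near_names(name for name, _ in raw_view)
    return report


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

An empty `hidden` list from a single comparison is not proof the machine is clean (a rootkit can also hook the raw enumeration if it is still running, which is exactly why the outside view has to come from a boot CD and not from a tool started inside the infected OS), but a non-empty one is a finding worth acting on before any further cleaning attempt.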
Gary can speak for himself, but the version he had me load was the "NG" ( and it works great.

Based on my "HIPAA" comments earlier - and the on-going difficulties - I think your best bet is to back up the data (probably already done), then format/reinstall.

You really are not in a position to take the slightest chance with active malware on any of your computers, especially one with client/patient data.

In almost all cases, I take it as a personal challenge to find and eradicate the malware - but normal rules don't apply on your computers.
SoulwinnerIT ManagerCommented:
Hello Bert, any help so far?
Bert2005Author Commented:
Yes, thanks. I will post later. I haven't been in the office for a bit, but I do have a solution.
Bert2005Author Commented:
Wow, this has been an informative if frustrating thread. If I count correctly, there are 103 comments. My longest was 241 comments, although split into two related questions, one of which was 140, finally answered by grsteed and robwill.

My bottom-line conclusion is that younghv's advice to format/reinstall, reiterated by David-Howard, is the best for this system, primarily to be sure there's no violation of HIPAA or my patient data. I have to give credit also to rpggamergirl for her persistence and excellent advice, to garycase for his excellent advice on how to best structure the system, to saul2paul whose NOD32 advice seemed to come closest to finding malware, to warturtle for suggesting Dr Web which also worked to some degree, and to TurboBorland and phateon whose IceSword recommendation may have been of more help, well, with more help on it.

Now, I will try to give out points. I will do the best I can. Everyone helped and should be rewarded.
Bert2005Author Commented:
I have read and re-read this post, and I believe David-Howard suggested reformatting first. In the end, again, the best solution for me.

To those who seemed to think the thread deviated from the original question, I can only say if it did, it was because of my lack of knowledge of rootkits and viruses. I do think that imaging software pertains to the issue.