How I killed the RootKit Virus, 4 times!


1. THE 9 ROOTKIT VIRUS INSTRUCTIONS: I have been fighting Rootkit viruses on my three Windows XP Professional-based computers for the last 3 weeks. But I have finally succeeded in destroying this bug! Therefore, I am going to share my experiences with you in the hope that others can kill this bug too and learn more fix techniques, so eventually it can be smashed like the cockroach who invented it!

2. DISCOVERY: I first discovered I had a problem when I was searching on Google via Internet Explorer 7 using my Dell Latitude D510 laptop with Windows XP Pro. After I clicked on a web site that sold flags, which I purchase for the production of my Motorcycle Flag Pole business, I received all kinds of warnings and error messages from the Windows-based security software. I then immediately closed the web site and ran a spyware scan with the PCtools spyware scanner, which was turned on at the time. The scan located the Rootkit and identified it as Rootkit.TDSS. PCtools also identified 4 infectious files that contained the text SKYNET at the beginning of each name. Skynet is another file associated with the Rootkit Virus. These files were in system32. So I let PCtools fix the infectious files, but every time I ran another scan, I still had the virus. But at least PCtools blocked it from doing any damage to my laptop, because it still worked.

3. SEARCH & DESTROY: So I started a lengthy search and learning process regarding the Rootkit Virus on the Internet. Unfortunately there was no easy fix; everyone had different problems from it and used different methods to fix them. The fixes involved very advanced procedures and were difficult to follow, while most people still complained of errors and malfunctions after the fix. And it seems that anyone who had virus protection still got the virus. But from my research I learned I should search using the Windows search engine and look for files that have the text SKYNET, Hacknet, symantec or ROOTKIT in them, along with other text that makes up the file name, and delete them. Then run a search for these same names in the registry and delete them also. And while you're doing that, run a search for this file: Geyekrqqopydtv.sys. If you find it, delete it. Make sure you clear your Recycle Bin afterwards.

4. FREE DOWNLOAD FIX: But this does not cure the problem; it does set you up for the kill, though! I located a little-known program from the University of Minnesota that I used to locate, search for, and destroy the files that make up the Rootkit Virus. From all the research and forums I visited, not one person knew about this software. The program is called UnHackMe, and can be downloaded for free at: http://safecomputing.umn.edu/guides/scan_unhackme.html. Someone should give the students at the University of Minnesota an A+ because they not only fixed 3 of my infected computers, they did it for free! When I found this site I immediately downloaded UnHackMe and ran a scan. It not only identified the Rootkit but told me which files were hidden, and which ones were suspect, so I could find out if they are Rootkits and destroy them. After this I used CCleaner again to clean up my registry and files. And the Rootkit was gone and my computer worked fine. I did have a problem connecting to the Internet with my internal wireless network card, though. But the Ethernet worked well, and when I replaced the wireless card with a different one and loaded new software, I was up and running. I also had network card failure on my other 3 computers after I discovered they too had the virus! The virus seems to trash network card drivers and video drivers, since I did have a lot of video problems too.

5. SLITHERS FROM PC TO PC: Most users lose the use of their computer if infected with a Rootkit; mine locked up. If this happens you need to download UnHackMe onto a CD and install it on your infected computer using Safe Mode, unless you can use the Safe Mode Network option, which allows you to use the Internet. PCtools, which cannot fix the virus, does block it, and you should still have the use of your PC. Unfortunately, my office computer did not have PCtools, and for two weeks after I fixed my laptop I never used this office PC, therefore I did not know that it too was infected. It probably got infected from my laptop through my wireless network. And to make matters worse, when I turned on the office PC, the virus wormed its way back through the network and infected my laptop again! But I did not know my laptop was infected again, and I took it home and it infected my third computer, which is my home PC. So it does crawl through wireless networks from computer to computer, infecting mine 4 times. I am not sure if it infects memory sticks or storage drives, but I would count on it. Also, I have located infected files and received error messages regarding images. So this is something the experts can check out.

6. REPAIRING MY OFFICE PC: My office computer is a Dell 9200 with all the optional bells & whistles on Win XP Pro. The virus locked it up, making it useless, therefore I used Safe Mode with the Network option to run CCleaner and download UnHackMe. Once I went through the motions for these most valuable programs I was able to use the PC without Safe Mode. I then ran the searches for SKYNET, Hacknet, symantec and ROOTKIT in my registry and file system. Some are hidden, but a lot can be found. I have even located some that actually say Rootkit. After deleting infectious files, I had good use of my computer, but every time I clicked on a video or anything to do with the video card my PC locked up again. I think the virus ruins the drivers of wireless cards and/or video cards, because once I replaced the wireless card on the laptop it worked well. And my office PC had a high-dollar GeForce card with a Physics Accelerator and I was not about to trash it. So I went to http://www.nvidia.com/Download/index.aspx?lang=en-us and downloaded all new software and drivers for both the GeForce card and the Physics Accelerator, and this fixed everything.

7. SUSPECT FILE SCAN: Be careful when you run UnHackMe. It locates bad files, but some are also good. So after you run a search and destroy mission looking for Skynet and Rootkit files but locate some you are not sure about, go to: http://www.virustotal.com/. Follow the directions to get the file to their browser and run a scan on the file. You can manually place a suspect file in the browser text box by clicking on the Browse button and pressing Scan. The suspect file will be scanned by most of the leading anti-virus scan companies. Hopefully one of them will identify the suspect file. But if none of them identify the file as a Rootkit, be safe and leave it alone. Do not ever delete files unless you know for sure it is a virus, or you may never get your computer running again. Also I suggest searching for an anti-virus program called PrevX. This program was the only one out of 15 on http://www.virustotal.com that identified a suspect file called Geyekrqqopydtv.sys as being a Rootkit. McAfee and PCtools never noticed it when they scanned it. And after PrevX identified it as a pure Rootkit, I killed it and my PC has worked since. What a great anti-virus program! I am definitely going to get this software and put it on all three of my computers.

8. CONCLUSION: If you still have problems after doing everything above, open Task Manager and watch the processes. If you see a file that pops up every time something goes wrong, search for it and scan it with http://www.virustotal.com. If you still have problems then you may need to reload Windows, unless you have a different version of the virus and you can find a way to kill it. Also, there probably are other methods of removal, but my method is how I did it, and maybe someone has a better way. But right or wrong, it worked 4 times for me. Also, don't give up just because your PC still works; keep running scans and search and destroy missions in the registry and files. I am going to do this for a long time just to be sure. And I suggest using PCtools and keeping it on, because it blocked the virus so it could not spread.

9. Also, I do not believe I have completely removed the virus. I think I just removed so many of the files that make it up that it cannot function anymore. It could pop up again someday, but for now I can use my computers. And so I do not get more infections, I will be sure to use proper blocking software to protect my PCs, all 3 of them!

Good luck, and I hope this will help kill the Rootkit. Now if we can just destroy the cockroach who invented it!
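The indicator sweep described in sections 3 and 7 of the post above (search the file system for names containing SKYNET, Hacknet, symantec or ROOTKIT, look for Geyekrqqopydtv.sys, then check anything doubtful on VirusTotal before touching it) can be scripted so that nothing is deleted by accident. The Python below is an added example and is not code from the original post, from UnHackMe, PCtools or any other tool named on the page. The indicator strings and the driver name Geyekrqqopydtv.sys are taken from the post; the sample directory it builds, including the file names SKYNETexample.dll, SymantecUpdater.exe and kernel32.dll and their contents, is constructed here purely for illustration. It records size and SHA-256 for each hit so the hash can be looked up on VirusTotal, and it quarantines rather than deletes, because "symantec" will also match legitimate Symantec components, which is exactly the false-positive case the post warns about.

```python
"""Indicator sweep for the rootkit clean-up procedure described in the post.

Walks a directory tree, flags files whose names contain one of the indicator
substrings from the post or exactly match the driver name it names, and records
size and SHA-256 so each hit can be checked on VirusTotal. Nothing is deleted:
matches are reported, and a confirmed-bad file can be moved to quarantine.
(Added example; not the post author's method or any named tool's code.)
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Indicator strings taken from the post. 'symantec' also matches legitimate
# Symantec files, so hits are reviewed and quarantined, never auto-deleted.
INDICATOR_SUBSTRINGS = ("skynet", "hacknet", "symantec", "rootkit")
INDICATOR_FILENAMES = ("geyekrqqopydtv.sys",)  # driver name given in the post


@dataclass
class Finding:
    path: str
    reason: str
    size: int      # -1 if the file could not be read
    sha256: str    # empty if the file could not be read


def sha256_of_file(path: str) -> str:
    """Hash in chunks so a large driver does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(filename: str) -> Optional[str]:
    """Return why a file name is suspect, or None if it matches no indicator."""
    lower = filename.lower()
    if lower in INDICATOR_FILENAMES:
        return f"exact match: {filename}"
    for needle in INDICATOR_SUBSTRINGS:
        if needle in lower:
            return f"name contains '{needle}'"
    return None


def sweep(root: str) -> List[Finding]:
    """Walk `root` and return every file whose name hits an indicator.

    Caveat: this uses the normal file-system API, so a kernel-mode rootkit
    that hides its files will hide them from this walk too. Run it from
    Safe Mode or a clean boot medium, as the post does, for a real sweep.
    """
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                findings.append(Finding(full, reason, os.path.getsize(full), sha256_of_file(full)))
            except OSError as exc:
                # A locked or hidden file is itself a signal; report, don't skip.
                findings.append(Finding(full, f"{reason} (unreadable: {exc.strerror})", -1, ""))
    return sorted(findings, key=lambda f: f.path)


def quarantine(finding: Finding, quarantine_dir: str) -> str:
    """Move a confirmed-bad file aside instead of deleting it, so a false
    positive (for example a real Symantec component) can be restored."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(finding.path) + ".quarantined")
    shutil.move(finding.path, dest)
    return dest


def build_sample_tree() -> str:
    """Constructed stand-in for a system32 folder: one clean file, two names
    built from the post's indicators, one legitimate-looking Symantec file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    samples = {
        os.path.join(root, "kernel32.dll"): b"legit",
        os.path.join(root, "SKYNETexample.dll"): b"suspect1",        # constructed name
        os.path.join(drivers, "Geyekrqqopydtv.sys"): b"suspect2",    # name from the post
        os.path.join(root, "SymantecUpdater.exe"): b"probably legit",  # constructed name
    }
    for path, body in samples.items():
        with open(path, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in sweep(sample_root):
        print(f"{hit.reason:40} size={hit.size:>5} sha256={hit.sha256[:16]}... {hit.path}")
    print("Look each SHA-256 up on VirusTotal before deciding what to quarantine.")
```

Run it against a real machine by replacing `build_sample_tree()` with the path to `C:\Windows\system32`; the three hits in the sample show the two different outcomes the post describes, a name that is only suspect (SymantecUpdater.exe, to be checked on VirusTotal and left alone if nothing flags it) versus the named driver (Geyekrqqopydtv.sys), which is the one you would hand to `quarantine()`.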
