TOPIC: Rootkit virus

Rootkit virus 8 years 11 months ago #24453

  • S0lo (Moderator, Posts: 1577, Thank you received: 7, Karma: 3)
Just a note about AVG. I recently caught a virus on my home PC. It was running a hidden svchost.exe that regularly read from the local drives and slowed everything down. I have to say, it was my fault from the beginning: although I was running AVG, I had disabled the Resident Shield (just to make it faster). However, after installing the newest version, updating AVG and doing a full scan, it didn't detect the virus!! After a few restarts and desperate registry tweaks, Filemon analysis and frustration, I found out that AVG had been removed :shock: Then I was sure that it was a virus.

Furthermore, I noticed something screwy about a file called msze.exe. Further reading pointed out that it is spyware and that it is ranked as "safe" :!: I managed to delete the file (it was hidden), then I ran every possible spyware app I could download, but no gain. Note that I could not download because this was making the connection so slow; I went to another place to do my downloads. The spyware tools detected loads of stuff, I removed it all, but the problem was still there. The next day came, and I was thinking I should just reformat.

Svchost.exe was accessing every part of all the drives I've got. Even when I killed all svchost.exe processes (which is not possible, by the way, with Task Manager), Filemon still showed me that svchost.exe was reading my drive, and I did indeed see activity.

Further reading led me to something called rootkit viruses. Basically, rootkits are programs that are designed to integrate themselves into the operating system's kernel or drivers and hide such that they are very hard to crack out. I downloaded every rootkit removal tool I came across: gmer, AVG rootkit tool, Sophos rootkit tool and catchme. Tried them all; gmer caused a stop error, Sophos did not find anything, catchme nothing. Only AVG found 3 hidden things:

  • msac32.dll
  • c:\windows\system32\msae (folder)
  • svchost.exe << :!:

It offered to delete them but warned me that problems could occur. I was sure that if I deleted svchost.exe I most probably would not be able to start the machine. So I deleted only msac32.dll and c:\windows\system32\msae. It rebooted, confirmed that the files were removed, then ..... :) :D yaaay, no disk activity. It worked!! I went to check everything and svchost.exe was silent. :twisted:

The file msac32.dll was backed up (renamed) by the AVG rootkit tool. I installed an AV called AntiVir, then tested that file; it indeed is a virus (forgot the name). Then I reinstalled AVG AV to test the file and it did not detect the virus :!: I guess you see the irony here.

I like AVG and still like it. It's small and fast. But this incident raises some doubts. Still, I'm grateful for that AVG rootkit removal tool that saved the day..... well, two days :)
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
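The post above describes the classic rootkit symptom: a process and files that are invisible to Task Manager and Explorer but whose disk activity is still visible to a lower-level tool like Filemon, and a scanner that finally spots them by looking below the hooked APIs. The following is an added example (not code from the thread or from any of the tools named in it) of the cross-view comparison such scanners perform: it diffs an API-level listing against a lower-level enumeration and also flags processes that borrow the svchost.exe name but run from outside System32. All process and file listings are constructed sample data; the full path under the msae folder is an assumption for illustration.

```python
# Added example: cross-view detection of hidden processes and files (constructed data).
import ntpath
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str


def hidden_entries(api_view, raw_view, key=lambda x: x):
    """Items present in the low-level (raw) view but missing from the API view.
    A rootkit that hooks the enumeration APIs hides from the API view only."""
    seen = {key(item) for item in api_view}
    return [item for item in raw_view if key(item) not in seen]


def misplaced_system_binaries(procs, names=("svchost.exe",)):
    """Processes carrying a core Windows binary name but running from outside System32."""
    return [p for p in procs
            if p.name.lower() in names and ntpath.dirname(p.path.lower()) != SYSTEM32]


def cross_view_report(api_procs, raw_procs, api_files, raw_files):
    """Summarise the findings the way a rootkit scanner would present them."""
    return {
        "hidden_processes": hidden_entries(api_procs, raw_procs, key=lambda p: p.pid),
        "hidden_files": hidden_entries(api_files, raw_files, key=str.lower),
        "misplaced_binaries": misplaced_system_binaries(raw_procs),
    }


# Constructed sample data: what Task Manager/Explorer report vs a lower-level enumeration.
API_PROCS = [
    Proc(4, "System", ""),
    Proc(820, "svchost.exe", SYSTEM32 + r"\svchost.exe"),
    Proc(1204, "explorer.exe", r"c:\windows\explorer.exe"),
]
RAW_PROCS = API_PROCS + [
    # Hypothetical hidden instance: folder name is from the thread, the full path is assumed.
    Proc(1337, "svchost.exe", SYSTEM32 + r"\msae\svchost.exe"),
]
API_FILES = [SYSTEM32 + r"\kernel32.dll", SYSTEM32 + r"\svchost.exe"]
RAW_FILES = API_FILES + [SYSTEM32 + r"\msac32.dll", SYSTEM32 + r"\msae"]

if __name__ == "__main__":
    for kind, items in cross_view_report(API_PROCS, RAW_PROCS, API_FILES, RAW_FILES).items():
        print(kind, items)
```

On a real system the raw view would come from a kernel-level enumeration (or an offline boot of the disk), not from the same APIs the rootkit hooks; the comparison logic is what stays the same.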

Re: Rootkit virus 8 years 11 months ago #24463

  • toddwoo (Distinguished Member, Posts: 173, Karma: 0)
Let us know the name of the actual virus/rootkit.

Also.. ClamWin is an excellent AV app. I find myself using both when I find a really nasty problem.

T

Re: Rootkit virus 8 years 11 months ago #24467

  • S0lo (Moderator, Posts: 1577, Thank you received: 7, Karma: 3)
You got it, AntiVir says it's (TR/Crypt.XPACK.Gen)

By the way, a recent update of AVG made the virus detectable; AVG says it's (Generic9.AHOA). I guess it's new, or maybe the AVG team is slow.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Rootkit virus 8 years 11 months ago #24488

  • websiteh (New Member, Posts: 5, Karma: 0)

Re: Rootkit virus 8 years 4 months ago #26916

  • Starfire (Distinguished Member, Posts: 154, Karma: 0)
I know this is 7 months after the original post, but I would just like to add that with AVG, you get what you pay for.. Same with all AV/AS.

Seriously, stay away from this product. It lulls you into a completely false sense of security. The stuff they have out there these days will chew this up and spit it out ... or ... make you think it's working wonderfully ...

Re: Rootkit virus 8 years 4 months ago #26927

  • S0lo (Moderator, Posts: 1577, Thank you received: 7, Karma: 3)
Starfire, so what do you suggest then for an AV? I'm still using AVG and yes, I have heard complaints that it doesn't catch everything.

And please don't say Symantec, I divorced it a long time ago. Anything free?
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx