
LONGECITY



How do I remove a rootkit?

cyborgdreamer 18 Aug 2010

The other day I was attacked by 'Antimalware Doctor', a virus that disguises itself as antivirus software in order to prompt you for personal information. Being way too smart to fall for that ;o), I killed the process and deleted the files and registry entries I could find. Then, I downloaded Prevx virus scan to make sure I got everything, since McAfee Virus scan didn't even catch the thing to begin with. It found some viruses but refused to delete them unless I bought the full version. I could just delete most of them manually, but one, labeled a 'High Risk Rootkit', won't let me delete it. It's a file called exnbm.sys in C:\WINDOWS\system32\drivers and every time I try to delete it, I get this message: "Cannot delete exnbm: Cannot read from the source file or disk". Since the file properties list its creation date as about the same time as the known infection, I'm relatively certain it isn't an important system file. How in the name of humanity do I get rid of this thing?

maxwatt 19 Aug 2010

You can download the free version of AVG or of Avira antivirus; they should be able to remove these.


lunarsolarpower 19 Aug 2010

Using system restore to do a roll back can sometimes do the trick.

kismet 02 Oct 2010

Kill it with fire. There is no sure way to clean up. Reinstall if you deal with sensitive data (also often the quickest way to clean up..)
Edited by kismet, 02 October 2010 - 10:41 PM.

JLL 03 Oct 2010

The other day I was attacked by 'Antimalware Doctor', a virus that disguises itself as antivirus software in order to prompt you for personal information. Being way too smart to fall for that ;o), I killed the process and deleted the files and registry entries I could find. Then, I downloaded Prevx virus scan to make sure I got everything, since McAfee Virus scan didn't even catch the thing to begin with. It found some viruses but refused to delete them unless I bought the full version. I could just delete most of them manually, but one, labeled a 'High Risk Rootkit', won't let me delete it. It's a file called exnbm.sys in C:\WINDOWS\system32\drivers and every time I try to delete it, I get this message: "Cannot delete exnbm: Cannot read from the source file or disk". Since the file properties list its creation date as about the same time as the known infection, I'm relatively certain it isn't an important system file. How in the name of humanity do I get rid of this thing?


You can probably delete it in Windows system restore mode.

I have a rootkit virus on my computer too, so far none of the rootkit removal tools (like TDSSKiller) have worked. I guess a Windows reinstall is due.

Sumol 11 Oct 2010

The problem you face is that when Windows starts, the rootkit has already activated itself and is hiding; you can't touch it. What you want to do is to access your hard drive without activating Windows, to keep the rootkit sleeping. The easiest way is a bootable DVD with Linux, as it ignores any rights management from Windows. If you know the files, you can start from CD/DVD, delete them, and voila: Windows without rootkit. If you don't know the files, there are already preconfigured disk images with virus/rootkit scanners; since you run the scanner from CD while Windows is inactive, you can be sure to get all malware that would otherwise hide itself when running Windows.

This also works with a parallel installed Linux, as Windows can't access Linux files, so your Linux won't get infected by Windows.
Edited by Sumol, 11 October 2010 - 09:09 PM.
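The offline approach Sumol describes (read the Windows volume from live media so the rootkit's hooks are not running) turns the question of "which file?" into ordinary file-system triage. The script below is an added example, not code from the thread or from any of the tools it mentions: it assumes the Windows volume has been mounted read-only (e.g. `mount -o ro`) at some mount point, walks `WINDOWS/system32/drivers`, hashes every `.sys` file, and flags those whose modification time falls in the suspected infection window or whose hash is not on a known-good allowlist. The sample directory tree, timestamps, file contents and the allowlist are all constructed for the demonstration; a real triage would use vendor hashes or a clean reference machine for the allowlist.

```python
"""Offline triage of Windows/system32/drivers from live media (added example).

Assumed scenario: the Windows volume is mounted read-only from a live Linux
session, so the file system can be read without the rootkit's hooks running.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Relative path of the drivers directory inside the mounted Windows volume.
DRIVERS_SUBDIR = Path("WINDOWS") / "system32" / "drivers"

# Constructed stand-in for a legitimate driver image; a real triage would use
# vendor-published hashes or hashes taken from a clean reference machine.
LEGIT_BYTES = b"legitimate driver bytes (constructed)"
KNOWN_GOOD = {hashlib.sha256(LEGIT_BYTES).hexdigest()}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large drivers are not read in one go."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_drivers(mount_point, window_start, window_end, allowlist):
    """Return findings for .sys files that look suspicious by timestamp or hash.

    window_start / window_end: UTC datetimes bounding the suspected infection.
    allowlist: set of hex SHA-256 digests known to be good.
    """
    drivers_dir = Path(mount_point) / DRIVERS_SUBDIR
    findings = []
    for path in sorted(drivers_dir.glob("*.sys")):
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        digest = sha256_of(path)
        in_window = window_start <= mtime <= window_end
        unknown = digest not in allowlist
        reasons = [r for r, hit in (("mtime-in-window", in_window),
                                    ("hash-not-allowlisted", unknown)) if hit]
        if reasons:
            findings.append({"name": path.name, "sha256": digest,
                             "mtime": mtime.isoformat(), "reasons": reasons})
    return findings


def build_sample_tree(root: Path, infection_time: datetime) -> None:
    """Constructed sample data: a fake mounted Windows volume with three drivers."""
    drivers_dir = root / DRIVERS_SUBDIR
    drivers_dir.mkdir(parents=True)
    old = (infection_time - timedelta(days=400)).timestamp()
    fresh = (infection_time + timedelta(minutes=5)).timestamp()
    samples = {
        "ntfs.sys": (LEGIT_BYTES, old),                               # known good, old
        "exnbm.sys": (b"dropped driver bytes (constructed)", fresh),  # new and unknown
        "oddone.sys": (b"unknown driver bytes (constructed)", old),   # old but unknown
    }
    for name, (content, ts) in samples.items():
        target = drivers_dir / name
        target.write_bytes(content)
        os.utime(target, (ts, ts))  # set atime and mtime to the chosen timestamp


def demo():
    """Build the sample tree in a temp dir and triage it; returns the findings."""
    infection = datetime(2010, 8, 17, 12, 0, tzinfo=timezone.utc)  # constructed
    root = Path(tempfile.mkdtemp(prefix="win-mount-"))
    build_sample_tree(root, infection)
    return triage_drivers(root, infection - timedelta(hours=1),
                          infection + timedelta(days=1), KNOWN_GOOD)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']:12} {f['mtime']}  {f['sha256'][:16]}...  {', '.join(f['reasons'])}")
```

The two signals are deliberately reported separately: a file dropped during the infection window and absent from the allowlist (like the `exnbm.sys` sample) is the strong case, while an old file that is merely missing from the allowlist usually just means the allowlist is incomplete. Running this against the mounted volume rather than from inside Windows is what makes the timestamps and hashes trustworthy.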

Ghostrider 12 Oct 2010

The problem you face is that when Windows starts, the rootkit has already activated itself and is hiding; you can't touch it. What you want to do is to access your hard drive without activating Windows, to keep the rootkit sleeping. The easiest way is a bootable DVD with Linux, as it ignores any rights management from Windows. If you know the files, you can start from CD/DVD, delete them, and voila: Windows without rootkit. If you don't know the files, there are already preconfigured disk images with virus/rootkit scanners; since you run the scanner from CD while Windows is inactive, you can be sure to get all malware that would otherwise hide itself when running Windows.

This also works with a parallel installed Linux, as Windows can't access Linux files, so your Linux won't get infected by Windows.


Ah, another reminder of why I use Linux. Check out Ubuntu 10.10 if it works for you. Very happy with Ubuntu 10.


firespin 13 Oct 2010

EDIT: I just realized this is an old thread. lol


Use Malwarebytes (free version), TDSSKiller, and SuperAntiSpyware (free version). Download these and CCleaner, and update them. Turn off system restore (the reason is that it may also be infected). First try running the programs in normal mode, and if you cannot (whether the rootkit blocks them or shuts down your PC), then have your PC go into safe mode. Running all these programs may take a while, but unless you want to reinstall your OS you will have to use as many anti-virus programs as possible. After you are done I would rerun the anti-virus programs in normal mode, and then download HitmanPro and run the trial as well. Then use CCleaner after you are done. I would also turn system restore back on. If your rootkit is an MBR rootkit, then you may need to reinstall the MBR to get rid of it.

I had the same problem with the "Antimalware Doctor" malware before, and I could not afford to reinstall the OS because I had too many important programs on my laptop.
Edited by firespin, 13 October 2010 - 06:16 AM.
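firespin's last point, that an MBR rootkit survives file-level cleanup and needs the MBR rewritten, raises the question of how to tell whether the MBR has been tampered with at all. The script below is an added example, not firespin's tool or any of the products named in the thread: it assumes the first 512 bytes of the disk were copied to a file from live media (for instance with `dd` using `bs=512 count=1`) and that a SHA-256 of the bootstrap code was recorded when the machine was known to be clean. It parses the sector into bootstrap code, the four partition entries and the boot signature, then reports a bootstrap hash mismatch, a missing signature, or an implausible partition table. All three sectors it checks, the baseline hash and the partition layout are constructed for the demonstration.

```python
"""MBR integrity check against a known-clean baseline (added example).

Assumed workflow: sector 0 of the disk has been saved to a file from live
media and a baseline bootstrap hash exists from a clean state.  The sectors
below are constructed; nothing here is read from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 16
SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510..511
ACTIVE = 0x80              # status byte marking the bootable partition


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into bootstrap hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + i * ENTRY_LEN)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of problems found; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("bad-signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        problems.append("bootstrap-modified")
    statuses = [p["status"] for p in info["partitions"]]
    if any(s not in (0x00, ACTIVE) for s in statuses):
        problems.append("invalid-status-byte")
    if statuses.count(ACTIVE) > 1:
        problems.append("multiple-active-partitions")
    return problems


def build_mbr(bootstrap: bytes, parts, signature: bytes = SIGNATURE) -> bytes:
    """Assemble a constructed sector from bootstrap bytes and (status, type, lba, size) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    for i, (status, ptype, lba, size) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + i * ENTRY_LEN,
                         status, ptype, lba, size)
    sector[510:512] = signature
    return bytes(sector)


# Constructed baseline standing in for bootstrap code captured from a clean machine.
CLEAN_BOOTSTRAP = b"CONSTRUCTED-CLEAN-BOOTSTRAP".ljust(BOOTSTRAP_LEN, b"\x00")
CLEAN_PARTS = [(ACTIVE, 0x07, 2048, 409600)]   # one active NTFS partition (constructed layout)
BASELINE_HASH = hashlib.sha256(CLEAN_BOOTSTRAP).hexdigest()


def demo() -> dict:
    """Check three constructed sectors against the baseline; returns {name: problems}."""
    clean = build_mbr(CLEAN_BOOTSTRAP, CLEAN_PARTS)
    # Same partition table, but the first 16 bytes of bootstrap code replaced.
    patched = build_mbr(b"\xff" * 16 + CLEAN_BOOTSTRAP[16:], CLEAN_PARTS)
    # Bootstrap intact, but the signature is gone and two partitions are marked active.
    corrupt = build_mbr(CLEAN_BOOTSTRAP,
                        [(ACTIVE, 0x07, 2048, 409600), (ACTIVE, 0x83, 411648, 204800)],
                        signature=b"\x00\x00")
    return {name: check_mbr(sec, BASELINE_HASH)
            for name, sec in (("clean", clean), ("patched", patched), ("corrupt", corrupt))}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:8} {problems or 'OK'}")
```

The bootstrap hash is the check that matters for the rootkit case: a modified first-stage loader with an otherwise valid partition table and signature looks normal to the firmware and to Windows, and only a comparison against a baseline taken from the clean machine exposes it. The partition-table sanity checks catch cruder damage and give a reason to distrust the sector even when no baseline exists.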