"Gaz" <gazter@msn.com> wrote in news:4vuu3fF1dm0h2U1@mid.individual.net:

> Andy Walker wrote:
>> Gaz wrote:
>>
>>> Gaz wrote:
>>>> Andy Walker wrote:
>>>>> Gaz wrote:
>>>>>
>>>>>> machine completely cleansed with hijack this....
>>>>>>
>>>>>> Any ideas??
>>>>>
>>>>> Hijackthis requires user input; what did you do to "cleanse"? If
>>>>> no other program deleted the original problem files the pc is not
>>>>> clean yet.
>>>>
>>>> The only files left following a HijackThis scan are those that should
>>>> be there. The system is still infected, but HijackThis is not sufficient
>>>> to remove it.
>>>>
>>>> Gaz

>>
>> I'm sorry, I misunderstood what you had written.
>>
>>> OK, it seems that it is some kind of Bagle variant hiding itself as a
>>> rootkit, especially m_hook.sys
>>>
>>> Gaz

>>
>> You'll need to run a rootkit reveal/remove program to get rid of it.
>> If you don't have one you can try BlackLight from F-Secure
>> (free...for now)
>>
>> http://www.f-secure.com/blacklight/try_blacklight.html
>>
>> Another way to get rid of it may be to boot from a boot disk, navigate
>> to the hidden directory in a DOS window, and delete the files.
>>
>> The rootkit is most likely located in
>>
>> c:\documents and settings\{current user}\Application Data\hidn
>>
>> Here's a pretty good analysis of the rootkit infection
>>
>> http://www.fortinet.com/VirusEncyclo...pediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=226180
>> or http://************/w6dzf
>>
>> This is definitely not an easy fix but at least you're one step ahead
>> of the game by identifying the malware.

>
> I used ERD Commander to remove the files (sorry, I am lazy and
> over-dependent on GUIs); now sorted...
>
> This whole rootkit development is very worrying; spyware distributors
> etc. are going to start masking their software using this technique as
> a matter of routine.
>
>
> Gaz


Hiya Gaz, should you run across something like this again, feel free to
send samples along to me. If BugHunter doesn't presently detect the
files, it will.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool -V2.0
web: http://bughunter.it-mate.co.uk
email: bughunter.dustin@gmail.com.removethis
Last updated: January 4th, 2007
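Worked example of the offline approach Andy suggests (boot disk, go to the hidden directory, remove the files), combined with Dustin's request for samples. This is added here and is not code from anyone in the thread. It assumes the infected Windows volume is mounted read/write from a boot disk or rescue environment, not the running infected OS, whose file listings the rootkit is hiding from HijackThis and Explorer. Only the directory and file name the thread identifies (Application Data\hidn and m_hook.sys) come from the page; the quarantine layout, function names, and the fake "dropper.dat" sample bytes are my own constructions, and the script covers only the file side of the cleanup discussed here.

```python
"""Offline quarantine of the Bagle-variant rootkit directory described in the thread.

Added example, not code from the thread.  Assumes the infected Windows volume
is mounted read/write at some path from a boot disk or rescue environment; the
live, infected OS must not be used because the rootkit hides these files from
its own file APIs (which is why HijackThis could not remove them).
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# Location named in the thread: <volume>\Documents and Settings\<user>\Application Data\hidn
PROFILES_DIR = "Documents and Settings"
HIDDEN_DIR_PARTS = ("Application Data", "hidn")
# Driver file name named in the thread.
KNOWN_DRIVER = "m_hook.sys"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a large dropper does not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_hidn_dirs(volume_root: Path) -> list[Path]:
    """Return every per-user ...\\Application Data\\hidn directory on the mounted volume."""
    profiles = volume_root / PROFILES_DIR
    if not profiles.is_dir():
        return []
    return [p.joinpath(*HIDDEN_DIR_PARTS) for p in sorted(profiles.iterdir())
            if p.joinpath(*HIDDEN_DIR_PARTS).is_dir()]


def quarantine(volume_root: Path, quarantine_root: Path) -> list[dict]:
    """Move (not delete) every file under each hidn directory into quarantine.

    Each record carries the SHA-256 so samples can be identified and sent to an
    AV author before anything is destroyed.  Quarantined files get a
    .quarantined suffix so nothing treats them as executables or drivers again.
    """
    inventory: list[dict] = []
    for hidn in find_hidn_dirs(volume_root):
        user = hidn.parents[1].name          # .../<user>/Application Data/hidn
        dest_dir = quarantine_root / user
        dest_dir.mkdir(parents=True, exist_ok=True)
        for src in sorted(p for p in hidn.rglob("*") if p.is_file()):
            flat_name = src.relative_to(hidn).as_posix().replace("/", "__")
            dest = dest_dir / f"{flat_name}.quarantined"
            record = {
                "user": user,
                "original": str(src),
                "size": src.stat().st_size,
                "sha256": sha256_file(src),
                "known_driver": src.name.lower() == KNOWN_DRIVER,
                "quarantined_as": str(dest),
            }
            shutil.move(str(src), str(dest))
            inventory.append(record)
        shutil.rmtree(hidn)                  # only empty subfolders remain by now
    return inventory


def build_demo_volume(root: Path) -> Path:
    """Constructed stand-in for a mounted infected volume (all sample bytes are fake)."""
    hidn = root / PROFILES_DIR / "Gaz" / HIDDEN_DIR_PARTS[0] / HIDDEN_DIR_PARTS[1]
    hidn.mkdir(parents=True)
    (hidn / KNOWN_DRIVER).write_bytes(b"MZ\x90\x00 constructed fake driver bytes")
    (hidn / "dropper.dat").write_bytes(b"constructed fake companion file")  # hypothetical name
    # A profile without the directory must be left untouched.
    (root / PROFILES_DIR / "Administrator" / HIDDEN_DIR_PARTS[0]).mkdir(parents=True)
    return root


def run_demo() -> dict:
    """Run the quarantine against the constructed volume and report what happened."""
    work = Path(tempfile.mkdtemp(prefix="hidn-demo-"))
    volume = build_demo_volume(work / "volume")
    inventory = quarantine(volume, work / "quarantine")
    return {
        "inventory": inventory,
        "hidn_still_present": bool(find_hidn_dirs(volume)),
        "all_quarantined_present": all(Path(r["quarantined_as"]).is_file() for r in inventory),
    }


if __name__ == "__main__":
    result = run_demo()
    for rec in result["inventory"]:
        flag = "  <-- " + KNOWN_DRIVER if rec["known_driver"] else ""
        print(f"{rec['sha256']}  {rec['size']:>8}  {rec['original']}{flag}")
    print("hidn directories left:", result["hidn_still_present"])
```

For a real volume, call `quarantine(Path("/mnt/windows"), Path("/mnt/usb/quarantine"))` (or the equivalent drive letters in a WinPE-style environment) instead of `run_demo()`; the printed hash list is what you would send along with the samples. Moving rather than deleting keeps the evidence intact if the cleanup turns out to be wrong, and hashing before the move means the inventory is trustworthy even if the rescue environment later loses the quarantine folder.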