MBR Rootkit - Can't get rid of it
AFN_Weasel
10-18-2008, 03:31 AM
Perhaps someone here can help me with this.
I can't get rid of this rootkit.
https://forums.symantec.com/syment/blog/article?message.uid=305374
I'm running XP, and Symantec says the way to get rid of this is to boot to the recovery console and type fixmbr. I did that, but it didn't work. The MBR keeps getting overwritten on startup.
Next, I backed up all my data, then reformatted the drives and did a fresh Windows install. That didn't help either, so I reverted back.
From what I've read, this rootkit is aimed at stealing banking info, so I'm using an uninfected machine to access my bank accounts. But that's a hassle, and this rootkit needs to go.
I just upgraded my hard drives 4 months ago so I don't want to throw them in the trash. It's a RAID 5 configuration, so we're talking 3 disk drives. I'll replace them if I have to, but I thought I'd ask here first. Thanks.
Clorox
10-18-2008, 08:44 PM
Are you using Norton for your AV? If so, go to this site: http://www.trendsecure.com/portal/en-US/tools/security_tools/housecall
and run the online scanner. Reply with what it comes up with. If it comes up positive then we can go from there. Also, make sure you go to Microsoft Updates and download all available updates for your OS.
assbeef
10-19-2008, 03:21 AM
you do not have to toss the drives.
low level format if ya have to.
103rapesAday
10-19-2008, 06:35 AM
Perhaps someone here can help me with this.
I can't get rid of this rootkit.
https://forums.symantec.com/syment/blog/article?message.uid=305374
I'm running XP, and Symantec says the way to get rid of this is to boot to the recovery console and type fixmbr. I did that, but it didn't work. The MBR keeps getting overwritten on startup.
Next, I backed up all my data, then reformatted the drives and did a fresh Windows install. That didn't help either, so I reverted back.
From what I've read, this rootkit is aimed at stealing banking info, so I'm using an uninfected machine to access my bank accounts. But that's a hassle, and this rootkit needs to go.
I just upgraded my hard drives 4 months ago so I don't want to throw them in the trash. It's a RAID 5 configuration, so we're talking 3 disk drives. I'll replace them if I have to, but I thought I'd ask here first. Thanks.
Got a few questions so I can help you better. First, are these IDE drives (much easier to work with) or SATA, and what brand of drives are these (Seagate, Western Digital, etc.)? Are you able to still use your computer to download and burn CDs/DVDs? Do you also have other "tools" such as a USB IDE/SATA controller? Are you familiar with Linux at all?
Literally my advice is to use a live distribution of Linux, then through its command prompt delete the MBR, repartition the beginning section of the disks, then tell it to fill just the boot partition with zeroes or ones (low-level format) (this will kill that rootkit), and then install it back in your computer, rebuild your RAID, and reinstall your OS. This beats the hell out of low-level formatting the entire drive. I hate the fact that MS doesn't include such a tool with the Windows disk; this would allow for an ultra clean fresh install.
AFN_Weasel
10-20-2008, 01:48 AM
These would be Western Digital 500 GB SATA. Linux is a complete mystery to me. From all appearances the computer is running perfectly normal - by that I mean no BSODs, no freeze-ups, everything working OK. It does seem to take longer to launch programs, particularly Outlook. The only unusual thing is that my antivirus (NOD32) is intercepting trojans practically every day, whereas I rarely heard a peep out of it before.
I have tried Sophos anti-rootkit, Panda, McAfee, Norton (both the regular anti-virus and the online scan as Clorox suggested), Eset NOD32, and PC Tools Threatfire. None of them even detected this rootkit, much less fixed it. In fact the only program that sees it is Prevx CSI. If it wasn't for Prevx I wouldn't even know that I was infected.
It is not a false positive. This thing came courtesy of some pirate software that I foolishly trusted even though it wasn't from any of the release groups.
I will do a low level format - I hadn't thought of that. That should fix the problem. Thanks, everybody.
Clorox
10-20-2008, 02:39 AM
You can also try (or anybody else who has this problem) RootkitRevealer at www.sysinternals.com and/or http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
103rapesAday
10-20-2008, 05:33 AM
These would be Western Digital 500 GB SATA. Linux is a complete mystery to me. From all appearances the computer is running perfectly normal - by that I mean no BSODs, no freeze-ups, everything working OK. It does seem to take longer to launch programs, particularly Outlook. The only unusual thing is that my antivirus (NOD32) is intercepting trojans practically every day, whereas I rarely heard a peep out of it before.
I have tried Sophos anti-rootkit, Panda, McAfee, Norton (both the regular anti-virus and the online scan as Clorox suggested), Eset NOD32, and PC Tools Threatfire. None of them even detected this rootkit, much less fixed it. In fact the only program that sees it is Prevx CSI. If it wasn't for Prevx I wouldn't even know that I was infected.
It is not a false positive. This thing came courtesy of some pirate software that I foolishly trusted even though it wasn't from any of the release groups.
I will do a low level format - I hadn't thought of that. That should fix the problem. Thanks, everybody.
Damn, if that thing could get through NOD32 then it was done by someone who knew what they were doing. A low-level format would be the only thing I'd trust to remove it, and hopefully you have the time to run this for all four disks (ouch). Most versions of Linux have a "live CD" mode where you can run it without actually installing on a hard drive; it runs literally like a Windows-based computer, usually with an icon instead of a "start" box to click. From there you can enter a "terminal mode" (depending on the version you'll find it under "accessories" or "tools"), and from there you'll type the following:
fixmbr \Device\HardDisk0
then for each subsequent disk:
fixmbr \Device\HardDisk1
fixmbr \Device\HardDisk2
fixmbr \Device\HardDisk3
Then you can exit from the terminal. You'll then need to open up some form of partitioning tool such as GParted (again, depending on the version you'll find it under "accessories" or "tools"), and it'll even allow you to partition it as NTFS. I thought I'd include this for anyone else who may need it as well.
thumbsup
PS: for those who want to check out links to live distributions (http://www.pendrivelinux.com/2007/01/30/live-cd-repository/):
Where to download the Live Linux CD/DVD ISO's:
* Gentoo (http://www.gentoo.org/main/en/where.xml) - Based on FreeBSD
* SLAX (http://www.slax.org/get_slax.php) - Based on Slackware
* Knoppix (http://www.knopper.net/knoppix-mirrors/index-en.html) - Based on Debian
* PCLinuxOS (http://www.pclinuxos.com/index.php?option=com_ionfiles&Itemid=28) - Based on Mandrake
* Ubuntu (http://www.ubuntu.com/getubuntu/download?action=show&redirect=download) - Based on Debian
* Kubuntu (http://www.kubuntu.org/getkubuntu) - KDE Ubuntu version
* Xubuntu (http://www.xubuntu.org/get) - Light Ubuntu version uses Xfce desktop environment
* gOS (http://www.thinkgos.com/downloads) - Based on Ubuntu with an Enlightenment interface
* Damn Small Linux (http://www.damnsmalllinux.org/download.html) - Debian (Knoppix remaster)
* Puppy Linux (http://puppylinux.com/download/index.html) - Barry Kauler wrote almost everything from scratch
* UBCD (http://ubcd.sourceforge.net/download.html) (Ultimate Boot CD) - Diagnostics CD
* SuSe Live DVD (http://download.opensuse.org/distribution/10.2/iso/dvd/openSUSE-10.2-GM-LiveDVD.iso) - Based on the Jurix distribution
* System Rescue CD (http://www.sysresccd.org/Download) - Linux system on a bootable CD-ROM for repairing your system and your data after a crash
* Feather Linux (http://featherlinux.berlios.de/download.htm) - Knoppix remaster (based on Debian)
* FreeBSD (http://livecd.sourceforge.net/download.php) - derived from BSD
* Mandriva One (http://www.mandriva.com/en/download/mandrivaone) - formerly known as Mandrake Linux
* Fedora (http://fedoraproject.org/get-fedora.html) - Another community driven Linux distribution
Just a small note:
Slax based is great for older computers or ones with low memory, same with Xfce interface.
If you're in doubt about which version to download, try x86 if you're using an Intel processor; if you're running a dual-core you can download the 64-bit version of the disk as well, though it'll work with both.
If you run a Mac, download the powerpc version.
You will need to set your computer to boot from CD or DVD to run these; you may need to go into your BIOS to change the boot order for this. If you want to know how to do this, tell us what manufacturer your computer is from (Dell, Gateway, etc.), what model your computer is (Inspiron, Extensia, etc.), the model #, and, if you can, run the PC Wizard 2008 (http://www.chimpout.com/forum/showthread.php?t=10095) software so we can answer any questions asked of you about your machine.