Thursday, 3 March 2011

Nasty Rootkit Virus

I had a computer in with a very nasty rootkit virus recently. Identified by AVG as Trojan Win32/Zbot G and VBS Generic, I tried my usual solution, which involved using ComboFix, and that did not fix it. I found the program in the startup section of the registry. Typically they tack themselves on after userinit is called (which is where you log onto Windows), so it's always there, even in safe mode. Removed that entry, restarted, and it came back. Found where the program was and tried to look at the folder in Program Files; Windows said it was empty, but I still could not remove the folder.

Drastic action required here, so I took the drive out of the PC and piggybacked it onto another system. A full virus scan found some 6000 infected files. This was due to just about every DLL and HTML file being infected, but the virus scan did not find the one I knew was there. Only by changing the owner and access rights to that folder could I find the file called yeclwdy.exe. Removed it and the folder, restarted, and blow me down, it came back! Took it out again, but this time cleaning out the folder and denying all access to it; restarted, but that did not fix it, it just created another in Program Files\Common Files. Eventually I was able to find the same program in the user's Startup menu, which was why it always came back, but again this was invisible to the system even with hidden and system files turned on. It must have a hook into Explorer to hide itself from normal view.

Now happy that it had gone, I looked for other files like that yeclwdy.exe and found a load of *mgr.exe files, e.g. iexploremgr.exe, so I removed those as well. I was able to reinstall those programs affected by the DLL infection and give it a clean bill of health.
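For anyone wanting to check the same places on their own machine before pulling the drive, here is an added example (my own script for this post, not anything shipped with AVG or ComboFix) that reads the persistence points mentioned above and lists them for comparison with a known-good system. It only reads; nothing is deleted. The expected Userinit value is an assumption based on a default Windows install, so check it against a clean machine of the same version.

```powershell
# Added example: read-only audit of the persistence points described in the post.
# Run from an elevated PowerShell prompt. The "expected" values are assumptions
# for a default install; confirm them against a clean machine of the same build.

$winlogon         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:windir\system32\userinit.exe,"   # default, trailing comma included
$expectedShell    = 'explorer.exe'

# 1. Userinit: malware appends itself after the legitimate entry so it loads at
#    every logon, safe mode included. Anything past the first comma needs a look.
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Host "Userinit = $userinit"
if ($userinit -ne $expectedUserinit) {
    $extra = ($userinit -split ',' | Where-Object { $_.Trim() -ne '' }) | Select-Object -Skip 1
    Write-Warning "Userinit differs from the default. Extra entries:"
    $extra | ForEach-Object { Write-Warning "    $_" }
}

$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -ne $expectedShell) {
    Write-Warning "Winlogon Shell = '$shell' (expected '$expectedShell')"
}

# 2. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ItemProperty -Path $key |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties } |
        ForEach-Object { Write-Host ("{0}`n    {1} = {2}" -f $key, $_.Name, $_.Value) }
}

# 3. Startup folders, listed with -Force so hidden and system-attributed files
#    show up. An entry here that Explorer does not show you is the symptom the
#    post describes.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Write-Host "Startup folder: $dir"
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
        Select-Object Name, Attributes, Length, LastWriteTime |
        Format-Table -AutoSize
}

# 4. The naming pattern from the post: *mgr.exe dropped under Program Files.
#    A hunting heuristic only; review each hit (signature, timestamp) rather than
#    deleting on sight, because some legitimate programs use the same suffix.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $programDirs -Recurse -Force -Filter '*mgr.exe' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Format-Table -AutoSize
```

If the machine is still booted into the infected Windows, remember the point made above: a hook in Explorer can hide files from the normal view, so treat an empty listing with suspicion and confirm from another system with the drive attached.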

How did the machine become infected, you say? Well, normally the infections come from the internet, but this came on a memory stick. I put an old memory stick on the infected system and was later able to deduce that it created an autorun of itself on the memory stick (hidden, of course), so my advice is to make sure autorun is turned off for external drives.
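To act on that advice, here is a second added example (again my own script, not from any vendor) that checks the NoDriveTypeAutoRun policy value, which is a bitmask of drive types for which AutoRun is disabled, and optionally sets it to 0xFF so every drive type is covered. It also looks for a hidden autorun.inf on any removable drive that is plugged in and shows what it would launch. Drive-type codes and the policy path are standard Windows values; the `-Fix` switch name is just my choice.

```powershell
# Added example: check (and with -Fix, enforce) "AutoRun off for all drive types",
# then inspect removable drives for an autorun.inf, hidden or not.
# Run elevated. Log off and on again after changing the policy for it to apply.
param([switch]$Fix)

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$allDriveTypes = 0xFF   # every bit set: AutoRun disabled for all drive types

foreach ($path in $policyPaths) {
    $current = $null
    if (Test-Path $path) {
        $current = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }

    if ($null -eq $current) {
        Write-Warning "$path : NoDriveTypeAutoRun not set, AutoRun follows the Windows default"
    } elseif (($current -band $allDriveTypes) -ne $allDriveTypes) {
        Write-Warning ("{0} : NoDriveTypeAutoRun = 0x{1:X2}, AutoRun still allowed for some drive types" -f $path, $current)
    } else {
        Write-Host ("{0} : AutoRun disabled for all drive types (0x{1:X2})" -f $path, $current)
        continue
    }

    if ($Fix) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $allDriveTypes -Type DWord
        Write-Host "$path : NoDriveTypeAutoRun set to 0xFF"
    }
}

# Removable drives (Win32_LogicalDisk DriveType 2). Get-Item -Force returns the
# file even when it carries the hidden/system attributes the post mentions.
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path "$($_.DeviceID)\" 'autorun.inf'
    $item = Get-Item -Path $inf -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host "$($_.DeviceID) : no autorun.inf"
        return
    }
    Write-Warning ("{0} : autorun.inf present, attributes = {1}" -f $_.DeviceID, $item.Attributes)
    # Show only the lines that decide what gets launched or how the drive is presented.
    Get-Content -Path $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command|icon|label)\s*=' } |
        ForEach-Object { Write-Warning "    $_" }
}
```

Run it without `-Fix` first to see where each hive stands, then with `-Fix` once you are happy. An autorun.inf on a stick is not proof of infection on its own (some vendors ship one for a launcher or icon), but one that is hidden and points at an executable you did not put there is exactly what the post describes.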
