Hidden Object, Rootkit

[Solinari]

A friend of mine gave me his Fujitsu Siemens SCALEO P to sort out because it was badly infected. i installed Kaspersky AV and ran a full system scan, it found 26 threats, 9 of which were Trojans and 1 was a 'Virus Package' (whatever that means), the rest were Ad/Spyware. I then installed and ran SpyBot - Search and Destroy, it found 185 entries which were all dealt with.

The thing is Kaspersky is still showing a threat, a pop up appears with "detected: riskware Hidden object Running process: C:\WINDOWS\system32\wscphost.exe", it asks if i want to Quarantine, Terminate or Allow. Of course i selected Quarantine, but i got an error, a few minutes later it popped up again and this time i selected Terminate. My friend has a legit key on the case itself, but he can't find his Windows XP Home disc, and i have XP Pro, otherwise i would just format and reinstall Windows. I tried searching Google for both wscphost and wscphost.exe, which found absolutely NOTHING.

I went in to the System32 folder to try and manually delete this file, but i couldn't find it despite using the Folder Options to show hidden and protected files. Then i tired using the Command Prompt in Windows to delete it, but it says File Not Found. After that i thought about trying Safe Mode, so i rebooted and selected 'Safe Mode with Command Prompt'. Once it loaded up i went in to C:\WINDOWS\System32 and typed Del wscphost.exe, and it appeared to work, i didn't get 'File not Found'.

I haven't had any more pop ups from Kaspersky, never the less, i am still not completely happy that i have totally dealt with this thing, so that's why i am asking if anyone here can tell me what i need to do, or if you think what i have done is enough? Any advice or comments are welcome.

Thanks.

[ViPeR.Ja]

if you think its a rootkit then AVG has a rootkit remover on there site. maybe you should check that out

[Solinari]

As it happens, the PC already had AVG Free Edition on it, but i took it off and put Kaspersky on.

I see there is a specific Anti-RootKit program here, so i think i'll try it.

Thanks for that.

[DMB2000uk]

Download and Run Hijack this. And post your log.

Unfortunately I'm off out now, but someone else will be able to help you with what you need to remove with it (Dicecca will if no-one else can).

Dan

[Darkstar]

M$ bought out Sysinternals which had all kinds of utilities, so if you go to the M$ site you can download a rootkit revealer to see if your infected.
http://www.microsoft.com/technet/sysint ... ealer.mspx

[Zertz]

http://www.f-secure.com/blacklight/try_blacklight.html

[Solinari]

I tried using both the AVG Anti-Rootkit and that Sysinternals utility which is kind of difficult to use (at least i am not sure what the results are). The AVG Anti-Rootkit did detect something and deleted it, i am unsure if it was related to this wscphost thing which still doesn't give any results on Google, apart from my own posts (i'm famous! ).

I have also installed Ad-Aware and it started to scan, it found another 36 objects and then Kaspersky went nuts, every two seconds i got a pop-up saying Trojan detected, Virus Detected, lucky i used Ad-Aware or a few things may have slip by. After that i scanned the whole thing again with Kaspersky, SpyBot, AVG Anti Rootkit and Ad-Aware, all four scans were completely clean. It would seems i have totally disinfected the PC, at least i hope i have. I had another problem with the Display Properties and RunDll32 but i think it was related to all the malware that was there and it now it works fine.

I would still rather do a clean installation of Windows, but i don't know if he will be able to find his Windows disc, or even if he has it (the legit key is on the case though). Since Windows came pre-installed i imagine it's not a Windows disc as such, it will probably be some sort of recovery disc, so i will ask him if he has that.

Thanks for the replies and suggestions.

[Major_A]

Download Ultimate Boot CD and run some of the AV programs that are on the disk. If the computer is infected and can't be cleaned in Windows this should take care of it since UBCD is DOS based.