Bitdefender Keeps Finding A Hidden Rootkit

Hi,


I have a brand new Lenovo laptop that uses XP Pro, on which I just installed BitDefender Internet Security 2008. The first run of the deep system scan found a hidden rootkit which infected a number of files; I followed the process to unhide the rootkit, rebooted my laptop and cleaned the system. The problem is that I have run this deep system scan about 20 times now and it keeps finding a hidden rootkit which has infected a different number of files every time.


How come BitDefender can't find everything all at once? Why do I have to keep running the scan, cleaning and rebooting my system?


Thank You!

Comments

  • Sm3K3R
    Sm3K3R ✭✭✭
    It may be possible that the rootkit has a backup somewhere and reinfects your system. Disable System Restore on all drives and then, in Safe Mode, delete the Temporary folders, Recycled folders and System Volume Information folders (you need to "own" this folder to delete it) on all drives. Do the BD scan in Safe Mode from Start >> All Programs >> BD >> Manual Scan BD. Reboot. It should be fixed. If not, it's probable you have master boot malware not properly detected.

  • Thanks for the response Sm3K3R - how do I disable System Restore on all drives and delete System Volume Information?


    Thanks

  • To disable/enable System Restore on all drives


    1. Click Start, right-click My Computer, and then click Properties.
    2. In the System Properties dialog box, click the System Restore tab.
    3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
    4. Click OK twice.


    To delete files in the System Volume Information


    1. Open My Computer.
    2. On the Tools menu, click Folder Options.
    3. On the View tab, click Show hidden files and folders.
    4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
    5. Double-click the System Volume Information folder in the C:\ drive to open it.

  • It is very important to delete the System Volume Information folders on all drives in Safe Mode to avoid problems. Remember, if System Volume Information refuses to be deleted, go in Folder Options/View (in the My Computer window for example, from the Tools button) and disable (it is the option at the bottom of the list) Simple File Sharing, then right-click on the System Volume Information folders (you will need to do that for each folder) and in the Settings tab assign the admin rights you need to be able to delete the folder. The Recycled folders can be deleted if the Recycle Bin is disabled on all drives from the desktop icon, right-click Properties >> "Do not move files to the recy ..." (must be checked).

  • Thanks Chesna and Sm3K3R - I am getting stuck at viewing the System Volume Information folder. Sm3, I have tried what you suggested and still it didn't allow me to open it.

  • OK, I'll repeat the steps to delete the System Volume Information.


    First you need to turn off System Restore on all drives (in a normal Windows session).

    Second, after disabling System Restore, you need to reboot and enter Windows in SAFE MODE: hit F8 on the keyboard (repeatedly) right after the BIOS messages have finished, until the boot menu is shown. Choose Safe Mode and the Administrator login.

    Then you need to do the following to make the System Volume Information folders visible, which you seem to have done already, and then to give yourself the deletion rights for these folders.

    To be able to access them, go in My Computer, click on the Tools tab, then go to Folder Options >> View (the place where you already unhid them) and here scroll down to Simple File Sharing and disable it (untick the box). Now you are able to change the access rights to System Volume Information. Go in each drive, right-click on the System Volume Information folders and enter the Security tab. Here you will see "Group or user names"; click on "Add" and add Admin/User (the one with which you are logged in). In that little field you will see Admin/User added. Now in "Permissions for System" tick all those boxes, click Apply, then OK. After this procedure right-click on the folder and delete; you don't need to enter it. After deleting every one of these folders on all partitions, with the same procedure for all of them, delete the newly created Recycled folders, delete Temp files from "Windows" and "Documents and Settings/Local Settings" and delete the content of the "Prefetch" folder from the "Windows" folder. Now restart. It should be clean.

    If it's not, I can't advise you more than a low-level format and Windows reinstall, or to use some other security software that may detect your problem.
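
The replies above walk through several XP settings by hand: System Restore on each drive, the Folder Options visibility toggles, Simple File Sharing (which hides the Security tab), and the access rights on each drive's System Volume Information folder. As an added example that is not code from the thread, from BitDefender, or from any of the posters, the PowerShell script below reports the current state of each of those settings so you can verify them before and after the manual steps, lists the restore points that live under System Volume Information (the "backup somewhere" the first reply refers to), and shows the programmatic equivalent of the "Turn off System Restore on all drives" check box. It assumes Windows XP Professional with PowerShell installed and an administrator session; the registry values (Explorer\Advanced Hidden and ShowSuperHidden, Lsa\forceguest) and the root\default:SystemRestore WMI class are the locations documented for XP, and the function names are this example's own.

```powershell
# Added example (not from the forum thread): read-only audit of the settings the
# replies above change through the XP GUI, plus an opt-in System Restore disable.
# Assumes Windows XP Pro, PowerShell 2.0 syntax, and an administrator session.

function Get-ExplorerVisibilitySettings {
    # Folder Options > View: "Show hidden files and folders" (Hidden = 1) and
    # "Hide protected operating system files" cleared (ShowSuperHidden = 1).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ShowHiddenFiles      = ($adv.Hidden -eq 1)           # 1 = show, 2 = hide
        ShowProtectedOsFiles = ($adv.ShowSuperHidden -eq 1)  # 1 = show
    }
}

function Get-SimpleFileSharingEnabled {
    # XP Pro's "Use simple file sharing" maps to Lsa\forceguest (1 = on).
    # While it is on, folder properties do not show the Security tab.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.forceguest -eq 1)
}

function Get-FixedDrives {
    # DriveType 3 = local fixed disk; these are the drives the thread's steps cover.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object { $_.DeviceID }
}

function Get-RestorePoints {
    # Each instance is one System Restore snapshot stored under a drive's
    # System Volume Information folder. An empty result means no snapshots.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, CreationTime
}

function Get-SviAccess {
    # For every fixed drive, report whether the current account can read the
    # ACL of System Volume Information. "Access is denied" is the normal state
    # until ownership or permissions are changed as the thread describes.
    foreach ($drive in Get-FixedDrives) {
        $path = $drive + '\System Volume Information'
        $result = New-Object PSObject -Property @{
            Path = $path; Exists = (Test-Path -LiteralPath $path); Owner = $null; Error = $null
        }
        if ($result.Exists) {
            try {
                $acl = Get-Acl -Path $path -ErrorAction Stop
                $result.Owner = $acl.Owner
            } catch {
                $result.Error = $_.Exception.Message
            }
        }
        $result
    }
}

function Disable-SystemRestoreOnAllDrives {
    # Same effect as the "Turn off System Restore on all drives" check box,
    # via the static Disable method of the SystemRestore WMI class.
    # Return code 0 means success. This discards every restore point.
    $sr = [wmiclass]'root\default:SystemRestore'
    foreach ($drive in Get-FixedDrives) {
        $rc = $sr.Disable($drive + '\').ReturnValue
        '{0}\ -> return code {1}' -f $drive, $rc
    }
}

# Report section: everything below is read-only.
'== Folder Options visibility =='
Get-ExplorerVisibilitySettings | Format-List
'== Simple File Sharing enabled: ' + (Get-SimpleFileSharingEnabled)
'== Restore points (System Restore snapshots) =='
Get-RestorePoints | Format-Table -AutoSize
'== System Volume Information access per drive =='
Get-SviAccess | Format-Table Path, Exists, Owner, Error -AutoSize

# Opt in only when you actually intend to drop all restore points:
# Disable-SystemRestoreOnAllDrives
```

Run it from an administrator session; the audit part changes nothing, so it is safe to run before and after the GUI steps to confirm each toggle took effect. An "Access is denied" entry for a System Volume Information folder is expected rather than a sign of infection, because only the SYSTEM account has rights there by default. Disabling System Restore removes the machine's rollback points along with whatever the scanner flagged in them, so keep that step commented out until the scan results have been interpreted.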

  • Hi Sm3 - I was able to go through all the steps you mentioned correctly but it didn't clean the rootkit. I then reinstalled the OS via the ThinkVantage button as the system was booting up; I reinstalled it to the original factory state, but still a rootkit was found by both BitDefender and Microsoft's RootkitRevealer.


    I tried 3/4 other anti-virus programs including NOD32 and they couldn't even find a rootkit, let alone clean it.

    My laptop didn't come with any recovery discs - is there any other suggestion you might have?


    Thanks!

  • Well, if other engines don't detect the "possible" rootkit there is an 80% probability it's a false positive.

    1. Download HijackThis
    2. Run it
    3. Post the log here.

  • Sm3K3R
    Sm3K3R ✭✭✭
    edited September 2008

    Maybe it is something related to the backups delivered with your laptop. Ask the manufacturer or reseller.

    A false positive is most probable.