How to remove a RootKit

Negatratoron
DBB Ace
Posts: 81
Joined: Fri Jul 21, 2006 8:52 pm

How to remove a RootKit

Post by Negatratoron »

This has nothing to do with the Linux computer. This is a completely separate issue, on a completely separate computer, therefore it's going into a completely separate topic. We have Homeworld 2 (Homeworld 2 is a computer game that my father actually plays more than me :shock:) installed on this computer, with Windows XP. When we try to run Homeworld 2, we get the error, "Conflict with Disk Emulator Software detected. See www.securom.com/emulation for details" and a McAfee popup that says that a trojan called "Generic RootKit.b" was found and deleted. McAfee says that the file which was infected was "C:\Documents and Settings\Jeff C\Local Settings\Temp\jbridgep.sys". This same exact thing happens every time we try to start Homeworld 2. I don't believe that any kind of disk emulator software was ever installed on this computer.

Is it practical to remove the rootkit? We could reformat the hard drive if necessary, but we would likely prefer not to.

Rootkit Revealer's output is as follows:


HKLM\S-1-5-21-1645522239-507921405-854245398-1002\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 3/27/2006 10:52 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/24/2006 1:32 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\0F884010d01 9/24/2006 2:04 PM 17.30 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\14401F3Bd01 9/24/2006 2:04 PM 61.75 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\1440BD0Ad01 9/24/2006 2:04 PM 61.75 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\14439C41d01 9/24/2006 2:04 PM 61.75 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\147FAA4Bd01 9/24/2006 2:03 PM 61.75 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\1BAFBC37d01 9/24/2006 2:04 PM 49.12 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\1DFED566d01 9/24/2006 2:03 PM 42.94 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\2AC456A2d01 9/24/2006 2:00 PM 23.61 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\33A976ADd01 9/24/2006 2:00 PM 22.39 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\3E1A6086d01 9/24/2006 2:04 PM 28.70 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\3EBDE03Ad01 9/24/2006 2:00 PM 28.10 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\42AECFF5d01 9/24/2006 2:04 PM 25.09 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\481CAF2Ed01 9/24/2006 2:05 PM 21.39 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\4A208647d01 9/24/2006 2:03 PM 59.09 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\4E39DF6Cd01 9/24/2006 2:04 PM 22.44 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\4E9EB87Dd01 9/24/2006 2:03 PM 82.53 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\50F9D497d01 9/24/2006 2:04 PM 59.09 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\5244BB9Bd01 9/24/2006 2:05 PM 177.27 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\57EB0615d01 9/24/2006 2:00 PM 17.30 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\60D58C07d01 9/24/2006 2:05 PM 17.49 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\6C266B02d01 9/24/2006 2:06 PM 19.96 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\6D93BFA7d01 9/24/2006 2:04 PM 18.03 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\7593507Ad01 9/24/2006 2:07 PM 1.09 MB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\7847D2CBd01 9/24/2006 2:05 PM 3.62 MB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\7847E2CBd01 9/24/2006 2:06 PM 3.62 MB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\7EA705FCd01 9/24/2006 2:03 PM 17.89 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\917D6D1Bd01 9/24/2006 2:08 PM 65.15 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\9B509245d01 9/24/2006 2:04 PM 67.11 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\9F414462d01 9/24/2006 2:05 PM 61.08 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\9FB9F9F2d01 9/24/2006 2:08 PM 61.08 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\A445CCDCd01 9/24/2006 2:00 PM 21.69 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\A99689A4d01 9/24/2006 2:04 PM 16.12 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\AA8CF96Ed01 9/24/2006 2:03 PM 20.81 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\AB60EE56d02 9/24/2006 2:05 PM 24.41 MB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\B2A177C8d01 9/24/2006 2:00 PM 35.22 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\B63F5C57d01 9/24/2006 2:00 PM 20.97 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\B66F76D1d01 9/24/2006 2:04 PM 23.96 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\BADF24B3d01 9/24/2006 2:03 PM 16.51 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\C1B2BCBFd01 9/24/2006 2:03 PM 24.08 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\C7E11121d01 9/24/2006 2:04 PM 20.09 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\D2336DE5d01 9/24/2006 2:08 PM 177.27 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\E3520C2Bd01 9/24/2006 2:04 PM 20.74 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\F1C9C79Fd01 9/24/2006 2:03 PM 30.87 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\F555B56Ad01 9/24/2006 2:04 PM 157.49 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Desktop\FC-5-i386-DVD.iso.part 9/24/2006 2:05 PM 112.56 MB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Local Settings\Temp\plugtmp 9/24/2006 2:05 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jeff C\Recent\FC-5-i386-DVD.iso.lnk 9/24/2006 2:05 PM 451 bytes Hidden from Windows API.
C:\System Volume Information\_restore{110320B4-87BC-4F52-AADB-F298080F762E}\RP541\A0098483.old 9/24/2006 4:38 AM 126 bytes Hidden from Windows API.
C:\System Volume Information\_restore{110320B4-87BC-4F52-AADB-F298080F762E}\RP541\A0098484.sys 11/13/2005 11:18 AM 29.00 KB Hidden from Windows API.


Thank you.
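A RootkitRevealer log like the one above is mostly noise from things that changed between the tool's API scan and its raw scan (a browser cache being written, a download in progress, the RNG seed Windows rewrites constantly, System Restore snapshots). The triage script below is an added example, not something from this thread or from Sysinternals: it parses the one-line-per-finding format and sorts findings into buckets, so that the entries actually worth a second look (hidden drivers, hidden items in Temp) stand out. The sample log is constructed from four lines modelled on the post plus one made-up hidden driver path; the bucket rules are my own heuristics.

```python
import re
from collections import defaultdict

# Constructed sample in RootkitRevealer's output format. The first four lines
# mirror findings from the thread; the last one is a made-up hidden driver
# (hypothetical path) included to show what a finding worth reviewing looks like.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/24/2006 1:32 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Jeff C\Application Data\Mozilla\Firefox\Profiles\m1x1crju.default\Cache\0F884010d01 9/24/2006 2:04 PM 17.30 KB Hidden from Windows API.
C:\Documents and Settings\Jeff C\Local Settings\Temp\plugtmp 9/24/2006 2:05 PM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{110320B4-87BC-4F52-AADB-F298080F762E}\RP541\A0098484.sys 11/13/2005 11:18 AM 29.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\hypothetical.sys 9/24/2006 2:10 PM 29.00 KB Hidden from Windows API.
"""

# path (may contain spaces), then "M/D/YYYY H:MM AM|PM", then "<n> bytes|KB|MB|GB", then description
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\S+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)

def parse_line(line):
    """Split one finding into path, timestamp, size and discrepancy text (None if unparseable)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(finding):
    """Heuristic triage bucket for one finding; order matters (most specific rule first)."""
    p = finding["path"].lower()
    if p.endswith(r"\cryptography\rng\seed"):
        return "expected"   # Windows rewrites the RNG seed during the scan
    if r"\_restore{" in p:
        return "expected"   # System Restore snapshot copies
    if "\\firefox\\profiles\\" in p and "\\cache\\" in p:
        return "in-use"     # browser cache files written while the scan ran
    if p.endswith(".sys") or "\\local settings\\temp\\" in p:
        return "review"     # hidden driver, or hidden item in a temp directory
    return "unknown"

def triage(text):
    """Group findings by bucket; returns {bucket: [paths]} preserving log order."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        f = parse_line(line)
        if f:
            buckets[classify(f)].append(f["path"])
    return dict(buckets)

if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket} ({len(paths)}):")
        for path in paths:
            print("   ", path)
```

Run it against a real RootkitRevealer log by reading the file into `triage()`; anything landing in "review" or "unknown" is what to check against the vendor (here, the SecuROM driver McAfee flagged) before assuming a compromise.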
Neumaennl
DBB Ace
Posts: 185
Joined: Thu May 05, 2005 6:01 am
Location: Germany (Munich)

Post by Neumaennl »

It sounds like McAfee thinks the Copy Protection Software is a Trojan and therefore blocks it. And Homeworld thinks Copy Protection doesn't work, so I block myself.
So just try to let that SecuROM thingy pass McAfee and see what happens.