VirTool:WinNT/Rootkitdrv - Quarantine Failed

  • Question

  • My basic research on this is it's a process that can hide other processes. My computer has been experiencing popup advertising. I have worked with some adware removal people to try and fix it but the problem persists.


    I have already put a service request in.


    If you experienced this, what was your solution?

    Tuesday, February 19, 2008 3:59 PM


All replies

  • You did the right thing in contacting OneCare support, but you may also want to review this:

    See this post for information about Quarantine Failed - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1548384&SiteID=2


    Since you are getting popups, it is indeed possible that your infection is not just with the item in your subject that has been found by OneCare to exist in a compressed file, mail store, system restore point, or other location that cannot be cleaned. It isn't active, so it either already spread the infection to allow other malware in, or the adware popups are unrelated and, unfortunately, undetected by OneCare.



    Tuesday, February 19, 2008 4:29 PM
  • I have the same problem and I continue to get popups. I assume the VirTool:WinNT/RootKitdrv has something to do with it because it's the only thing that's not "cleaned up" by OneCare.


    I just switched from Spy Sweeper which had no problem stopping the spyware and popups. My installation of OneCare is in Trial mode, could that have something to do with the problem?




    Sunday, March 2, 2008 12:57 AM
  • I still don't know what VirTool:WinNT/RootKitdrv is or why it can't be quarantined. However, I reinstalled Spy Sweeper and it found the following that OneCare did not:








    Why doesn't OneCare find these?



    Monday, March 3, 2008 9:20 PM
  • It always bothers me when threats are not detected by OneCare, but then no product is perfect protection. The official response for infections not found by OneCare is to report them. The list you have provided may have been active infections or they may have been dormant, but I can't say for sure.

    Follow the instructions in this post, http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2, to report a virus that is not cleaned by OneCare and to get help in removal.


    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx  for details.  For international information, see your local subsidiary Support site.



    Friday, March 7, 2008 10:39 PM
  • A quick fix for me was to boot in safe mode. Run regedit. Hit CTRL+F to find BHO (browser helper object). Click Find Next. If you don't recognize the object (like google.com) delete the folder, not just the data entries. Hit CTRL+F again and find next. Continue until no BHO objects are found or it starts repeating entries. Reboot and run the scan again.


    Keep in mind, it's just a band-aid. I have not experienced any more pop-ups since. While I was in safe-mode, I removed the pesky cookies from my cookie folder that would not delete in normal startup. These were placed there from all the popups our VirTool:WinNT/Rootkitdrv was throwing up.


    A word of note: I had no idea which BHO was causing the problems. My research on this subject yielded very little except there are several WinNT/Rootkitdrvs with different extensions and none were beneficial to anyone but a hacker. It has become an oxymoron for me... Browser Helpers do NOT help the pc user.



    Sunday, April 6, 2008 10:49 PM
  • Actually, BHOs do help users who have applications dependent on BHOs, but not all are good; some, if acquired from an infected machine, would be the nastiest ones to remove. Actually, it's on a case-by-case basis. I would advise, if you or anyone is dealing with them, that sometimes, if it's worm-initiated grayware, it's gonna be far from OK deleting just the registry entries for the Browser Helper Object. Just think: what if the files are respawning ones controlled by, say, a vb, reg and bat file or a mix... Some of these bad ones don't stay, as they often pose as BHOs to update constantly to maintain their lifespan.


    Anyhow, if you guys should be dealing with malware with a BHO, use Process Explorer to best identify what you're dealing with, since you are gonna deal with a binary *anyname*.dll.




    Monday, April 7, 2008 4:33 PM
  • Thanks for the link. A far better tool than registrar lite!


    Wanted to clarify that this problem can not be found with an actual step by step cure. No details pertaining to it exist that I have found. I did want to mention a few of the issues I encountered with this problem.


    1. Two cookies would not delete from my cookie folder.

    2. Though I had set my privacy to "High", this problem would reset my privacy to "Accept all cookies".

    3. Norton's Anti-virus, AVG Anti-virus, and Spysweeper had all found the viruses, trojans, and spyware this problem let in. Although as quick as you cured one, you received another.


    Another issue regarding OneCare; it will not run in safe mode. This should be addressed post-haste. Every experience I have had with "Something Failed" regardless of the program used to do it has been the result of the process still running at the same time the quarantine tries to cure it; preventing the problem from being solved. It is imperative for OneCare to clean in safe mode or many such issues will occur.


    OneCare insisted I remove my current protection before it would install. This places my pc solely in the hands of the developers of OneCare. Now, I know I can just reinstall the anti-whatever program after OneCare is installed but most users would not. And... shouldn't have to. After all, isn't that why it's called "one care"? So you won't have to rely on several anti-whatevers?


    Yet I regress. The purpose of this forum is to better understand the problems at hand to further advance the study and resolution of such problems as they develop. This is my two cents worth of information from a no-knowledge pc user; and so, to finish up, a few observational notes on this issue:


    A. I regret that I did not write down the BHOs I removed which would have been more valuable. Is there a "recycle bin" for that? Sure wish there was.

    B. Every anti-sumthin proggy I tried found everything but a Rootkitdrv problem. Only OneCare was able to narrow it down to that. Truly a blessing for me there. Perhaps the details for the link provided by Onecare can be updated with some information on this issue. http://onecare.live.com/standard/en-us/virusenc/virusencinfo.htm?keyword=avencyclopedia&name=VirTool%3aWinNT%2fRootkitdrv Currently, nothing is on it at this time.

    C. As a regular pc user, this issue was beyond being annoying, it drove me nuts.  I was running every program created, including HijackThis and could not narrow it down to one specific thing.


    Thanks for at least getting me on the main problem!

    Monday, April 7, 2008 8:14 PM
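
Added example, not part of the original thread: the replies above describe deleting unrecognized BHO registry keys, wishing for a way to undo that, and identifying the DLL behind each BHO. This PowerShell script exports the machine-wide BHO keys before anything is removed and lists each CLSID with its DLL, signature status and hash. It assumes Windows PowerShell 4.0 or later and an elevated prompt; the `bho-backup` folder name is hypothetical.

```powershell
# Added example: read-only BHO inventory plus a registry backup. Run elevated.
$backupDir = Join-Path $env:USERPROFILE 'bho-backup'   # hypothetical backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Machine-wide BHO registration keys and the CLSID tree for the same registry view.
# Per-user COM registrations under HKCU are not covered here.
$views = @(
    @{ Name = 'native'; Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Name = 'wow64'; Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }

    # Back up the whole key first so a deleted entry can be restored with "reg import".
    $regPath = $view.Bho -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath (Join-Path $backupDir "bho-$($view.Name).reg") /y | Out-Null

    foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid    = $key.PSChildName
        $clsidKey = Join-Path $view.Clsid $clsid
        $inproc   = Join-Path $clsidKey 'InprocServer32'
        $name = $null; $dll = $null; $sig = $null; $hash = $null

        if (Test-Path -LiteralPath $clsidKey) { $name = (Get-Item -LiteralPath $clsidKey).GetValue('') }
        if (Test-Path -LiteralPath $inproc) {
            # The default value of InprocServer32 is the DLL the browser loads.
            $dll = "$((Get-Item -LiteralPath $inproc).GetValue(''))".Trim('"')
        }
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig  = Get-AuthenticodeSignature -FilePath $dll
            $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            View = $view.Name; CLSID = $clsid; Name = $name; Dll = $dll
            DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256    = $hash
        }
    }
}
$report | Export-Csv -Path (Join-Path $backupDir 'bho-inventory.csv') -NoTypeInformation
$report | Format-List
```

Entries whose DLL is missing, unsigned, or unexpectedly located are the ones to examine first; removing a registry key does not remove the DLL or whatever re-registers it.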