Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A driver has corrupted the memory management system PTES [Moved]


  • Please log in to reply
6 replies to this topic

#1 s2pete

s2pete

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 15 August 2009 - 02:36 PM

Hello.

After paying $100 to have a rootkit removed from machine and have technician run Combofix, I now am receiving blue screen errors when I run a virus scan for example.
I recall the rootkit being named SKYNET and having random numbers and such after it. Reading a post by another poster, which seems to have a similar problem, I tried downloading that program. http://www.bleepingcomputer.com/forums/t/249393/blue-screen-error-a-driver-has-corrupted-the-memory-management-system-ptes/

I went to the website and got the program and when I tried to reboot in safe mode, the
machine got stuck while loading drivers. The point at where is stopped it read:
system 32\Drivers\Mup.sys . I restarted the PC and tried it again and it became stuck at
the same point. I restarted it again and I was going to let it come up normally and I got a blue windows xp screen and it ran CHKDSK. It said that the volume was dirty and it corrected some errors in some index. After it finished, it restarted and came up normally.
I wasn't sure if I should try to start up in safe mode again, so that's where I stopped.


Please advise me on how to correct this problem.

Thank you so much in advance.

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 33,296 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:13 PM

Posted 15 August 2009 - 10:03 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript


#3 s2pete

s2pete
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 16 August 2009 - 12:42 PM

Hello.

I apologize, but I did not understand how this system works.

I attached information for you.

DDS log removed. ~ OB

Edited by Orange Blossom, 17 August 2009 - 12:11 AM.


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 33,296 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:13 PM

Posted 17 August 2009 - 12:14 AM

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.


I wrote the above in an effort to keep you from doing what you did: posting HiJack This forum restricted logs after the topic was moved. I have removed the DDS log as we do not analyze them in the general forums.

Please wait for one of our helpers to provide further instructions.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 32,111 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:13 PM

Posted 17 August 2009 - 07:50 AM

Volumes with file system errors are known as "dirty volumes" and you have to run Chkdsk on the volume to repair the errors. The dirty flag on a NTFS volume usually means that the file system is in an inconsistent state due to:
  • The volume is online and has outstanding changes.
  • Changes were made to the volume and the computer was shut down before the changes were committed to the disk (crash).
  • Corruption was detected on the volume.
  • Power loss during a read-right operation on that particular drive.
When booting your computer, autochk.exe (a version of Chkdsk that runs only before the machine starts) is called by the Kernel to scan all volumes to check if the volume dirty bit is set. If the dirty bit is set, autochk performs an immediate chkdsk /f on that volume, verifies file system integrity and attempts to fix any problems with the volume.

When the computer is restarted, Chkdsk runs at startup to verify the consistency of the volume. You must run chkdsk on a dirty volume before you can defragment it.

If you do a Google search on mup.sys hangs in safe mode, you will find thousands of similar reports about this issue with various causes and possible solutions. What works for one person may not work for another.

How to fix an XP\Win 2000 System that freezes after loading mup.sys while booting

The main reasons for this Windows XP or Win 2000 boot hang or alleged mup.sys issue are:

1. Hard disk failure or corruption
2. A corrupted registry or registry hive
3. New hardware has been installed but not did not completely "Register or re-Register" correctly
4. New hardware has been installed but it is faulty or failing
5. The new hardware's driver or windows itself has been compromised (Disk data corruption or by a virus) or (rare) needs to be updated
6. The power supply is marginal in output or failing (Common per user feedback)
7. BIOS\ESCD\Motherboard chipset driver conflict with a component, its driver, or its registry data
8. Existing hardware including the motherboard may have failed in a specific way but not catastrophically.


Microsoft MVP - Consumer Security 2007-2014 MVP.gif

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 s2pete

s2pete
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 20 August 2009 - 12:13 AM

Hello.

Thank you for your response.

Is there anyway that this could be related to the SkyNet rootkit on the machine? Why did this start happening after the rootkit?
It hasn't happened anymore, but I still believe that the rootkit has done some damage. Is there way of resetting the damage done by the rootkit?

Thanks


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 32,111 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:13 PM

Posted 20 August 2009 - 07:41 AM

The longer rootkits have remained on a computer, the more opportunity they will have had to download other malcious files so the degree of infection and amount of damage can vary.

Rootkits, backdoor Trojan, Botnets and IRCBots are very dangerous because they compromise system integrity] by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the infection was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Even tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Microsoft MVP - Consumer Security 2007-2014 MVP.gif

Member of UNITE, Unified Network of Instructors and Trusted Eliminators




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users