Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Ntoskrnl.exe!kereleasemutant+0x13b Removal

  • Please log in to reply
No replies to this topic

#1 MtnBerry


  • Members
  • 1 posts
  • Local time:03:32 PM

Posted 27 December 2007 - 02:56 PM


A backdoor / rootkit infection (Ntos) was found on my laptop running XP pro. Kdhbt.exe, _svchost.exe, xpdx files were found and deleted - among others. AV software tools run (in safe mode as req'd) include: rustbfix, sdfix, gmer, combofix, atfcleaner, superantispyware, processexplorer, hijackthis2.2 and adaware. All av software reports that my system is clean of infection - HOWEVER processexplorer continues to show ntoskrnl.exe!KEreleaseMutant+0x13b routines running within the "SYSTEM" process. Previously those routines had been found executing within subordinate processes as well (eg "SERVICES", "SVCHOST" etc) but no longer are found. My guess is that KEreleaseMutant is a base address for an offset datatable where instructions or data are being parsed or stored etc. I have been unable to identify the source of this routine, and have not been able to kill the process directly since it attaches itself to various instructions being executed, killing it when it executes is pointless - rather like running over a dead snake :thumbsup:. Any help with identification or methodology on how to erradicate these instructions/routines would be greatly appreciated. My hope is that someone has seen this before and can id the likely reg keys or files etc that are most suspect - or possibly a specialized av program written to deal with this.

Thanks very much!

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users