Really Troublesome Infection


15 replies to this topic

#1 morepheus

morepheus

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 02:40 PM

A few days ago I got "something" on my computer. McAfee caught something called "FakeAlert-CM" but stopped it, or so I thought. So I went on doing my normal computer stuff, not thinking much of it. Now, 2 days later, my computer starts as though it were in "Safe Mode" all the time, and I'm not able to run Malwarebytes, Spybot, HijackThis, etc. to even find out what is on my system. I've tried bootable virus scanners loading from a flash drive that have run for hours but found nothing. I'm pretty much at the end of my rope here and need some help.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,079 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 PM

Posted 22 June 2009 - 02:44 PM

Hi, try this with MBAM (Malwarebytes).
NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

If still no joy, then run RootRepeal.

Next, please install RootRepeal.

Go HERE and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-Zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next, click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 morepheus

morepheus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 03:03 PM

Thanks for the quick reply,

No luck on the MBAM rename,

RootRepeal log is below

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/22 14:48
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB9A9D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys
Address: 0xB9B2D000 Size: 184320 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB929B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXfidlypjbebdywjbauyihnuoulhtitqsl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXutjdkmrcduqjgmmupynageeeaxptftkj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf764787e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7647c10

Stealth Objects
-------------------
Object: Hidden Module [Name: MSIVXfidlypjbebdywjbauyihnuoulhtitqsl.dll]
Process: svchost.exe (PID: 556) Address: 0x10000000 Size: 61440

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys

==EOF==
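
Reading the RootRepeal report above by hand is how morepheus reached the "rootkit" conclusion in the next post. The lines that matter are the Status fields: a driver "Hidden from Windows API!", four paths "Invisible to the Windows API!", a hidden service whose image is one of those invisible files, and a hidden module injected into svchost.exe. The "File Visible: No" on dump_atapi.sys is not a finding by itself, because the dump_* drivers are in-memory copies used by the crash-dump path, so the Status field is the thing to key on. The SSDT hooks are a different category: security products hook the same table, so a hook is worth noting but is not proof of anything until you know what Lbd.sys is on that machine. The script below is an added example written for this page, not code from the thread or from RootRepeal; it parses the report format exactly as posted (section name followed by a dashed rule, entries separated by blank lines, "Key: value" pairs with several per line in the Drivers section), cross-references the hidden paths across sections, and recovers the shared file-name prefix that made the infection easy to spot. The sample input is an excerpt of the report from post #3.

```python
import os
import re
from collections import defaultdict

# Sample input: an excerpt of the RootRepeal report posted above (post #3), trimmed to
# one benign driver, the hidden driver, three hidden files and the remaining sections.
SAMPLE_REPORT = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB9A9D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys
Address: 0xB9B2D000 Size: 184320 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXfidlypjbebdywjbauyihnuoulhtitqsl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf764787e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7647c10

Stealth Objects
-------------------
Object: Hidden Module [Name: MSIVXfidlypjbebdywjbauyihnuoulhtitqsl.dll]
Process: svchost.exe (PID: 556) Address: 0x10000000 Size: 61440

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys

==EOF==
"""

KEYS = ("Image Path|File Visible|Function Name|Service Name|Name|Address|Size|"
        "Signed|Status|Path|Object|Process|#")
# One report line may carry several "Key: value" pairs (Address/Size/File Visible/Signed).
PAIR_RE = re.compile(rf"(?P<k>{KEYS}):\s*(?P<v>.*?)(?=\s+(?:{KEYS}):|$)")
HIDDEN = ("hidden", "invisible")   # words RootRepeal uses in Status for stealthed objects


def parse_report(text):
    """Split the report into {section: [entry, ...]}; an entry is a dict of its pairs."""
    sections, current, entry = {}, None, {}
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and nxt.startswith("---") and not PAIR_RE.match(line):
            current, entry = line, {}           # section header ("Drivers", "SSDT", ...)
            sections[current] = []
        elif current is None or line.startswith("---"):
            continue
        elif not line or line == "==EOF==":      # blank line closes the current entry
            if entry:
                sections[current].append(entry)
            entry = {}
        else:
            entry.update((m["k"], m["v"]) for m in PAIR_RE.finditer(line))
    return sections


def triage(text):
    """Rate each stealthed object and cross-reference hidden paths between sections."""
    s = parse_report(text)
    findings, hidden, hooks = [], [], defaultdict(list)
    for section, key in (("Drivers", "Image Path"), ("Hidden/Locked Files", "Path")):
        for e in s.get(section, []):
            if any(w in e.get("Status", "").lower() for w in HIDDEN):
                findings.append(("HIGH", f"{section}: {e[key]} ({e['Status']})"))
                hidden.append(e[key])
    known = {p.lower() for p in hidden}
    for svc in s.get("Hidden Services", []):
        # A hidden service whose image is itself a hidden file is the rootkit's loader.
        sev = "HIGH" if svc.get("Image Path", "").lower() in known else "MEDIUM"
        findings.append((sev, f"hidden service {svc['Service Name']} -> {svc.get('Image Path')}"))
    for o in s.get("Stealth Objects", []):
        findings.append(("HIGH", f"{o['Object']} in {o.get('Process', '?')}"))
    for h in s.get("SSDT", []):
        m = re.search(r'Hooked by "([^"]+)"', h.get("Status", ""))
        if m:
            hooks[m.group(1)].append(h["Function Name"])
    for module, funcs in hooks.items():
        # Hooks alone are not proof: security software hooks the SSDT too. Report the module.
        findings.append(("INFO", f"SSDT hooks by {module}: {', '.join(funcs)}"))
    # Droppers that randomise file names often keep a fixed prefix; recover it from the set.
    prefix = os.path.commonprefix([p.rsplit("\\", 1)[-1] for p in hidden])
    return {"findings": findings, "hidden_paths": hidden, "shared_prefix": prefix, "hooks": dict(hooks)}
```

Run triage(SAMPLE_REPORT) on the excerpt and you get six HIGH findings (the hidden driver, the three invisible files, the hidden service that points at the hidden driver, and the module hidden inside svchost.exe), one INFO line for the two Lbd.sys hooks, and "MSIVX" as the shared prefix of the hidden file names. That prefix is also the quickest way to see that the four paths boopme lists in the next post belong to the same thing.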

#4 morepheus

morepheus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 05:31 PM

I've done more research and found that the files identified appear to show that I have a "rootkit" on my computer.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,079 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 PM

Posted 22 June 2009 - 08:44 PM

Absolutely, you do.

Now the next step...

Rerun RootRepeal. After the scan completes, go to the Files tab and find these files:

C:\WINDOWS\system32\MSIVXcount
C:\WINDOWS\system32\MSIVXfidlypjbebdywjbauyihnuoulhtitqsl.dll
C:\WINDOWS\system32\MSIVXutjdkmrcduqjgmmupynageeeaxptftkj.dll
C:\WINDOWS\system32\drivers\MSIVXckmtnmevxdlmlmddvbawqpsbpfaorodb.sys


Then use your mouse to highlight each of them in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.


Next run ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#6 morepheus

morepheus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 10:43 PM

Well, I did everything that you listed above and my computer seems to be back in order. Unfortunately, when I went to the MBAM logs it had several from previous scans, but I couldn't find the one from tonight's scan. However, I can tell you that there were 22 infected files that were found and removed. I can now use my internet connection and update all of the spyware/malware applications that I was locked out of.

Thank you so much for your assistance with this problem, it is much appreciated.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,079 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 PM

Posted 22 June 2009 - 10:50 PM

You're welcome, but before we're done, try once more. It should only take a few minutes and I just want to see if we get the log.
Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#8 morepheus

morepheus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 11:10 PM

Here is the log, but it looks like even though I've got nothing found, I'm still not out of the woods here. My computer still thinks that I'm in Safe Mode and so I am unable to start some of my services, devices, etc. MBAM log is below. Any help on the Safe Mode thing would be great.

Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 5.1.2600 Service Pack 3

06/22/2009 10:57:15 PM
mbam-log-2009-06-22 (22-57-15).txt

Scan type: Quick Scan
Objects scanned: 94351
Time elapsed: 2 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,079 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 PM

Posted 22 June 2009 - 11:23 PM

Shut the PC down completely for 5 minutes, then restart it. I am leaving now till tomorrow. Let me know.

#10 wj32

wj32

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:10:11 AM

Posted 23 June 2009 - 05:29 AM

Press Win+R and type in "notepad C:\boot.ini" (without the quotes). Please paste the contents in a reply.

Edited by wj32, 23 June 2009 - 05:30 AM.

MCTS: Windows Internals.
Stupid bureaucracy.

#11 morepheus

morepheus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 23 June 2009 - 11:10 AM

Here's the Boot.INI

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff



At this point my computer cannot detect my video card, monitor or external DVD, but at least it still doesn't think it's in Safe Mode.

EDIT: HJT log removed - not permitted in this forum. If you were directed to post one, please let us know who told you to do so

Edited by garmanma, 23 June 2009 - 02:57 PM.


#12 morepheus

morepheus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 23 June 2009 - 04:41 PM

I did not know that HJT logs were not permitted; I just posted it thinking that it might help resolve the issue I was having. No one directed me to post the HJT log.

#13 wj32

wj32

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:10:11 AM

Posted 23 June 2009 - 07:54 PM

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff


No luck there. Have you tried pressing F8 and selecting Normal boot? Does it still go into Safe Mode?
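
wj32 asked for boot.ini because the [operating systems] line that NTLDR boots by default is the one place in the boot loader where a Safe Mode boot can be forced: a /safeboot:minimal (or :network, :dsrepair) switch there makes every boot a Safe Mode boot. The posted file has no such switch, which is why the answer above is "no luck there", and it means the symptom has to come from somewhere other than the boot loader. What the posted file does carry is /NoExecute=AlwaysOff, which turns hardware DEP off for every process; the thread does not say how it got there, but it is not the XP SP2 default (OptIn) and it is worth setting back once the machine is clean. The script below is an added example for this page, not code from the thread; it parses boot.ini into its default entry and its per-entry switches and flags the two switches just discussed. The first sample is the boot.ini as posted in post #11; the second is a constructed counter-example showing what a forced Safe Mode entry would look like.

```python
import re

# boot.ini exactly as posted in this thread (post #11); used as the first sample input.
POSTED_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff
"""

# Constructed counter-example (not from the thread): the default entry carries /safeboot,
# which is what a boot.ini-driven "always boots into Safe Mode" would look like.
FORCED_SAFE_MODE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /safeboot:minimal
"""

# <ARC path>="<menu title>" <switches...>
ENTRY_RE = re.compile(r'([^=]+)="([^"]*)"\s*(.*)')


def parse_boot_ini(text):
    """Return (default ARC path, [entry, ...]) with entry = {arc, title, switches}."""
    default, entries, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:
                arc, title, rest = m.groups()
                entries.append({"arc": arc.strip(), "title": title, "switches": rest.split()})
    return default, entries


def audit_boot_ini(text):
    """Flag switches that force Safe Mode or weaken the system; note which entry is default."""
    default, entries = parse_boot_ini(text)
    issues, forced = [], False
    for e in entries:
        is_default = default is not None and e["arc"].lower() == default.lower()
        for sw in e["switches"]:
            # Switches look like /name, /name:value or /name=value.
            name, value = (re.split(r"[:=]", sw.lstrip("/"), maxsplit=1) + [""])[:2]
            name, value = name.lower(), value.lower()
            if name == "safeboot":
                # /safeboot:minimal|network|dsrepair boots into Safe Mode on every start.
                forced = forced or is_default
                issues.append(("HIGH" if is_default else "MEDIUM", e["title"], f"{sw} forces Safe Mode"))
            elif name == "noexecute" and value == "alwaysoff":
                # DEP is off for every process; XP SP2 and later ship with OptIn.
                issues.append(("MEDIUM", e["title"], f"{sw} disables DEP system-wide"))
    return {"default": default, "safe_mode_forced": forced, "issues": issues}


if __name__ == "__main__":
    for label, ini in (("posted", POSTED_BOOT_INI), ("constructed", FORCED_SAFE_MODE)):
        r = audit_boot_ini(ini)
        print(f"{label}: safe mode forced = {r['safe_mode_forced']}")
        for sev, title, msg in r["issues"]:
            print(f"  [{sev}] {title}: {msg}")
```

On the posted file the audit reports no forced Safe Mode and one MEDIUM issue for /NoExecute=AlwaysOff; on the constructed file it reports HIGH because /safeboot sits on the default entry. A clean result here only rules out the boot-loader path, which is exactly what the F8 question in the post above is probing next.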

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,079 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:11 PM

Posted 23 June 2009 - 08:43 PM

Have you tried reinstalling the software for those items? It may have been corrupted along the way.

#15 morepheus

morepheus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 23 June 2009 - 10:49 PM

Tried everything short of removing the card physically, rebooting and reinstalling the card. The graphics driver install is telling me "Setup is unable to find components that can be installed on your current hardware or software configuration. Please make sure you have the required hardware or software."



