
Infected with PC Antivirus 2010 - Rogue Virus w/RootKit



#1 mutiger

Posted 31 August 2009 - 07:34 PM

I am infected with a rogue virus which shows up as PC Antivirus 2010. The virus attempts to download an antivirus program under the same name. I also have a round icon in the system tray that tells me I have a virus and to click on it to remove. A similar post is on your homepage that you have labeled PC Antivirus 2009 + RootKit Beware! All of my antivirus software has been disabled by the virus. When I try to access it I get a system error stating the path does not exist and I do not have permission to access the file. Lastly, when I access google and do a search all web pages are directed to fake pages or advertisements. I have run through your troubleshoot guide and installed Malware Bytes. This program too is disabled when it attempts to run.

DDS.SCR will not pull up in a DOS window. When it is run I get a scripted message in Notepad. I saved the file and attempted to paste it here, but the webpage locks up every time I try to paste it. The RootRepeal log is attached.

Please help!


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 19:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE723000 Size: 98304
File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AB8000 Size: 8192
File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED2CB000 Size: 49152
File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8860000 Size: 20480
File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF8768000 Size: 61440
File Visible: No Signed: -
Status: -

Processes
-------------------
Path: C:\WINDOWS\SYSTEM32\braviax.exe
PID: 476 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf860887e

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "IPVNMon.sys" at address 0xf831525d

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xf879a1a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf8608bfe

==EOF==

Attached Files

  • ark.txt   3.03KB

Edited by SifuMike, 11 September 2009 - 09:47 PM.
displayed for ease of reading
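The log above is the kind of artifact a responder has to read quickly: the interesting lines are the process that is hidden from the Windows API and the SSDT entries that have been hooked, and which module placed each hook. As an added illustration (this is not code from the thread, from RootRepeal or from BleepingComputer), the Python below parses that log format into sections and records and pulls out exactly those two findings. The sample input is constructed by re-breaking the Processes and SSDT sections of the posted log into one field per line; the values are the post's own. The parsing rules are assumptions inferred from this log: a section is a name line followed by a row of dashes, fields are `Key: value` pairs with capitalised keys, and a record starts again whenever a key repeats.

```python
import re
from collections import Counter

# Constructed sample: header, Processes and SSDT sections of the RootRepeal log
# posted in this thread, one field per line (values as in the post).
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 19:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Processes
-------------------
Path: C:\\WINDOWS\\SYSTEM32\\braviax.exe
PID: 476 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf860887e

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "IPVNMon.sys" at address 0xf831525d

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\Beep.SYS" at address 0xf879a1a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf8608bfe
==EOF==
"""

# A key is '#' or one or more capitalised words, followed by ': ' (assumption
# about the format; drive letters like 'C:\' have no space after the colon and
# so are never mistaken for keys).
KEY_RE = re.compile(r"(#|[A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*): ")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')


def split_sections(text):
    """Map section name -> list of non-empty lines; a section header is a
    name line immediately followed by a row of dashes."""
    sections, current, prev = {}, None, ""
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"-{5,}", stripped) and prev:
            # The previous line was the section name, not data: take it back.
            if current is not None and sections[current] and sections[current][-1] == prev:
                sections[current].pop()
            current = prev
            sections[current] = []
        elif current is not None and stripped and not re.fullmatch(r"={5,}", stripped) \
                and stripped != "==EOF==":
            sections[current].append(stripped)
        prev = stripped
    return sections


def parse_fields(line):
    """Split 'K1: v1 K2: v2' into [(K1, v1), (K2, v2)]."""
    matches = list(KEY_RE.finditer(line))
    out = []
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        out.append((m.group(1), line[m.end():end].strip()))
    return out


def parse_records(lines):
    """Group fields into records; a repeated key signals a new record."""
    records, cur = [], {}
    for line in lines:
        for key, val in parse_fields(line):
            if key in cur:
                records.append(cur)
                cur = {}
            cur[key] = val
    if cur:
        records.append(cur)
    return records


def triage(text):
    """Return the two findings a responder wants first from this log:
    processes hidden from the Windows API and hooked SSDT entries."""
    sections = split_sections(text)
    hidden = [(r["Path"], int(r["PID"]))
              for r in parse_records(sections.get("Processes", []))
              if "hidden" in r.get("Status", "").lower()]
    hooks = []
    for r in parse_records(sections.get("SSDT", [])):
        m = HOOK_RE.search(r.get("Status", ""))
        if m:
            hooks.append((int(r["#"]), r["Function Name"], m.group(1), m.group(2)))
    return {"hidden_processes": hidden, "ssdt_hooks": hooks}


def hooks_by_module(hooks):
    """Count hooks per hooking module, so one driver owning several entries
    stands out from a single, isolated hook."""
    return Counter(module for _, _, module, _ in hooks)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, pid in result["hidden_processes"]:
        print(f"HIDDEN PROCESS  pid={pid} {path}")
    for idx, fn, module, addr in result["ssdt_hooks"]:
        print(f"SSDT HOOK  #{idx:03d} {fn:<28} {module} @ {addr}")
    print("hooks per module:", dict(hooks_by_module(result["ssdt_hooks"])))
```

Grouping hooks by module is the useful part: with the posted log it separates the two entries owned by `Lbd.sys` from the single hooks by `IPVNMon.sys` and `Beep.SYS`, which is the first thing to cross-check against the software actually installed on the machine before deciding what is a security product and what is not.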

#2 SifuMike (malware expert)

Posted 11 September 2009 - 09:41 PM

Hello mutiger,

You have a nasty rootkit on this computer.
What antivirus program are you running?

Download and run Win32kDiag:

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

Please post back with:
  • Win32kDiag.txt
  • Content of the log.txt

Edited by SifuMike, 11 September 2009 - 09:42 PM.
typo


#3 SifuMike (malware expert)

Posted 26 September 2009 - 02:12 PM

Due to inactivity, this thread will now be closed.