Protection System Rootkit needs to be removed


  • Please log in to reply
7 replies to this topic

#1 elbarracho
Posted 13 September 2009 - 11:30 AM

Hello and thank you for your time. It seems like there is a rootkit out there wreaking havoc and I have become an unwitting statistic. This pest will not let me run a Malwarebytes scan, nor will it let me run RootRepeal; it simply reboots the whole system when I try RootRepeal, even in safe mode. I get bogus "Security Center Alerts" and bogus messages urging me to buy Protection System antivirus software. Please help! Additionally, I receive various messages telling me about bugs that have been detected with a scan that I never initiated.


#2 Elise
Posted 14 September 2009 - 07:26 AM

Hi elbarracho,

Download and run Win32kDiag:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 elbarracho
Posted 14 September 2009 - 11:24 AM

Elise, thank you for your time. Not sure if this is what you wanted, but this is what I got:

Running from: C:\Documents and Settings\pinky\Desktop\Security\Win32kDiag.exe
Log file at : C:\Documents and Settings\pinky\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Finished!

#4 Elise
Posted 14 September 2009 - 12:09 PM

Yes, that was the information I wanted to see. Luckily you haven't been infected with that particular rootkit; that's why the log is so short.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • If mbam-setup will not run, rename it to winlogon.exe
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to winlogon.exe.
  • Double-click on winlogon.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on winlogon.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

NOTE, if you are still not able to run the program even after renaming the file, click Start > Run and push the browse button. Locate the renamed file and open it this way. Alternatively you can try this in safe mode.

regards, Elise


#5 elbarracho

elbarracho
Posted 14 September 2009 - 01:51 PM

I must admit to succumbing to a small degree of frustration. I cannot get Malwarebytes to boot up, even after I changed the name. Any suggestions?

#6 Elise
Posted 14 September 2009 - 02:30 PM

Sorry, I dug a bit into it, and it appears that Protection System (which is a rogue AV program) has found an effective way to avoid an MBAM scan.

So... let's try to find a workaround.

Please download Process Explorer and unzip it to your desktop.

Double-click on Procexp.exe and accept the license agreement.

You will now see a list of processes. Please look for this process, psystem.exe, right-click on it and select Kill Process. Close Process Explorer after doing so.

Now, try to re-run MBAM immediately.

If you do not see the above mentioned process, click File > Save as and save the text file. This will be located in the same folder as Procexp.exe. Post the contents of procexp.txt (or however you named the file) here. Do not attempt to run MBAM now, since we need to identify the process first.

regards, Elise


#7 elbarracho

elbarracho
Posted 14 September 2009 - 06:00 PM

I could not find the aforementioned file. Here is the text:

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 632 Windows NT Session Manager Microsoft Corporation
csrss.exe 688 Client Server Runtime Process Microsoft Corporation
winlogon.exe 712 Windows NT Logon Application Microsoft Corporation
services.exe 756 Services and Controller app Microsoft Corporation
svchost.exe 916 Generic Host Process for Win32 Services Microsoft Corporation
unsecapp.exe 1360 WMI Microsoft Corporation
wmiprvse.exe 1584 WMI Microsoft Corporation
Playlist.exe 3096 Roxio AudioCentral Media Manager Playlist Roxio, Inc.
svchost.exe 1244 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1380 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 2340 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 1428 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1712 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1852 Generic Host Process for Win32 Services Microsoft Corporation
AAWService.exe 236 Ad-Aware Service Application Lavasoft
AAWTray.exe 3408 Ad-Aware Tray Application Lavasoft
spoolsv.exe 316 Spooler SubSystem App Microsoft Corporation
svchost.exe 468 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 512 Apple Mobile Device Service Apple Inc.
mDNSResponder.exe 528 Bonjour Service Apple Inc.
retrorun.exe 676 Retrospect Dantz Development Corporation
svchost.exe 1048 Generic Host Process for Win32 Services Microsoft Corporation
MsPMSPSv.exe 1136 WMDM PMSP Service Microsoft Corporation
CALMAIN.exe 1300 Canon Camera Access Library 8 Canon Inc.
alg.exe 1552 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 2104 iPodService Module Apple Inc.
lsass.exe 768 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1344 Windows Explorer Microsoft Corporation
PDVDServ.exe 1968 PowerDVD RC Service Cyberlink Corp.
RxMon.exe 2004 Roxio AudioCentral Media Manager Tray App Roxio, Inc.
AGRSMMSG.exe 2028 SoftModem Messaging Applet Agere Systems
rundll32.exe 2036 Run a DLL as an App Microsoft Corporation
Keyhook.exe 2060 SiS Compatible Super VGA Keyboard Daemon Silicon Integrated Systems Corporation
Apoint.exe 2184 Alps Pointing-device Driver Alps Electric Co., Ltd.
jusched.exe 2228 Java™ Platform SE binary Sun Microsystems, Inc.
jucheck.exe 3104 Java™ Update Checker Sun Microsystems, Inc.
OneTouch.exe 2244 Maxtor OneTouch Detection Maxtor
MXOALDR.EXE 2352 Maxtor MXO Auto Loader Application Cypress Semiconductor
hpwuSchd2.exe 2432 Hewlett-Packard Product Assistant Hewlett-Packard Co.
apdproxy.exe 2628 Adobe Photoshop Album Starter Edition 3.0 component Adobe Systems Incorporated
winampa.exe 2856
iTunesHelper.exe 2904 iTunesHelper Module Apple Inc.
msmsgs.exe 2960 Windows Messenger Microsoft Corporation
bcont.exe 2980 SupportSoft Container SupportSoft, Inc.
DevDtct2.exe 3456 Device Detector 2 OLYMPUS Corporation
hpqtra08.exe 3576 HP Digital Imaging Monitor Hewlett-Packard Co.
NkbMonitor.exe 3712 PictureProject Monitor Nikon Corporation
firefox.exe 2612 Firefox Mozilla Corporation
IEXPLORE.EXE 272 Internet Explorer Microsoft Corporation
procexp.exe 3580 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ApntEx.exe 3552 Alps Pointing-device Driver for Windows NT/2000/XP Alps Electric Co., Ltd.
IEXPLORE.EXE 2156 Internet Explorer Microsoft Corporation
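Post #6 asks for the saved Process Explorer list to be checked for psystem.exe. The Python below is an added example, not part of this thread and not Process Explorer's own code: it parses a saved list in the layout posted above (name, PID or n/a, optional CPU, then description and company run together) and reports watchlisted names plus rows that carry no description or company, like winampa.exe above. The sample text and the watchlist are constructed.

```python
import re

# Constructed sample in the same column layout as the list posted in this thread.
SAMPLE_PROCEXP_TXT = """Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
System 4
smss.exe 632 Windows NT Session Manager Microsoft Corporation
winlogon.exe 712 Windows NT Logon Application Microsoft Corporation
winampa.exe 2856
procexp.exe 3580 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
"""

# Names to look for; psystem.exe is the one named in post #6.
WATCHLIST = {"psystem.exe"}

# Kernel pseudo-processes that legitimately have no description in the list.
PSEUDO_PROCESSES = {"System", "System Idle Process"}


def parse_procexp_text(text):
    """Parse the text Process Explorer writes via File > Save As into dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        tokens = line.split()
        # The PID is the first token that is an integer or "n/a"; the image
        # name may itself contain spaces ("System Idle Process").
        pid_idx = next((i for i, t in enumerate(tokens)
                        if t.isdigit() or t == "n/a"), None)
        if not tokens or pid_idx is None or pid_idx == 0:
            continue                            # blank or malformed row
        name = " ".join(tokens[:pid_idx])
        pid = None if tokens[pid_idx] == "n/a" else int(tokens[pid_idx])
        rest = tokens[pid_idx + 1:]
        cpu = None
        if rest and re.fullmatch(r"\d+\.\d+", rest[0]):   # optional CPU column
            cpu, rest = float(rest[0]), rest[1:]
        rows.append({"name": name, "pid": pid, "cpu": cpu, "info": " ".join(rest)})
    return rows


def triage(rows, watchlist):
    """Return (watchlist hits, rows with no description/company) for review."""
    hits = [r for r in rows if r["name"].lower() in watchlist]
    unlabeled = [r for r in rows
                 if not r["info"] and r["name"] not in PSEUDO_PROCESSES]
    return hits, unlabeled
```

An unlabeled row only means the binary carries no version resource, which is common for small third-party tray apps, so it is a prompt for a second look rather than a verdict.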

#8 Elise
Posted 15 September 2009 - 03:09 AM

The process isn't showing itself in the list. For that reason I am afraid I cannot help you any further here.

You will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

NOTE - If you are not able to produce a DDS log, please let me know. Do NOT post a log here!

regards, Elise
