RootKit Issue from Windows Police / Advanced Antivirus


  • Please log in to reply
2 replies to this topic

#1 LouALOH

  • Members
  • 2 posts

Posted 14 September 2009 - 12:22 PM

Hello and thanks so much for all you do... Will try to summarize current problem...

I'm an IT VB.Net and SQL Server developer, so of course I work on family / friends / neighbors' computers because of course we know all this stuff :-(

Anyway... Computer is a Dell laptop running Win XP Home with SP 2 and McAfee... It appears that some kind of software called RebateInformer was downloaded - looks highly suspicious when you see things like "Get 1,000s of Rebates" in help copy... Using BleepingComputer info, successfully took the first steps to removing Windows Police Pro and Advanced AntiVirus, which both appear to have originated very shortly after the RebateInformer install. Will have a serious chat with neighbor since I just got rid of Anti Virus 2009 on this same machine a month ago (using SuperSpyware, Malware Bytes, SDFix instructions from Bleeping Computer posts).

Current issue is that while it appears most of it has been removed, there are still registry entries for an AntipyProex service which I can't seem to remove (access denied) from the registry (although I did get rid of the executables the registry pointed to, svchasts and desote.exe).

I still think there is something going on... I don't know how to remove the AntipyProex Windows service. I note that I cannot boot to safe mode without a blue screen, chkdsk comes back with "cannot get direct access to volume", defrag won't work... and if you kick off a McAfee scan that also forces a BSOD...

Would you take a shot at helping me finish this cleanup? If so then how should we proceed?
I've run Malware Bytes and gotten clean results but these other issues still point to a rootkit out there...

Thanks,

Lou


#2 Guest_The weatherman_*

  • Guests

Posted 14 September 2009 - 03:51 PM

Moved from HJT to a more appropriate forum. Tw

#3 LouALOH

  • Topic Starter
  • Members
  • 2 posts

Posted 14 September 2009 - 08:04 PM

Looks like we will be able to just close this...

I worked with RootRepeal this evening and removed a number of rotscx* dll files and a .sys file called rotscxxgippimx.sys and one called nkh8762.sys in the drivers folder. A reboot and malware scan later, the malware now could see the registry entries and removed those as well.

Now I can run chkdsk, safe boot, and defrag...

An additional run of RootRepeal shows only dump_atapi.sys, dump_WMILIB.sys and rootrepeal.sys as drivers and no hidden locked files (other than the sqlite and other McAfee normal things...).

Once again thanks for what all of you do at bleepingcomputer. It's infuriating that these sites can literally actually charge innocent users money for infecting their machines with this garbage. Two of my adult kids, who virtually never have had issues because they are safe surfers, both got snagged by these things recently.

The machine doesn't BSOD anymore and malware looks clean. McAfee doesn't hang anymore and seems to be back in business.

All the BSODs were a bit scary going through this one, but I think the good guys won this time thanks to your website.

Regards,

Lou
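Two situations in this thread are worth having a repeatable check for: the leftover AntipyProex service in post #1, whose registry entry still pointed at executables (svchasts, desote.exe) that had already been deleted, and the driver entries in post #3 that RootRepeal was used to confirm after the rotscx* files were removed. The following PowerShell script is an added example written for this page and is not code from the thread or from any tool named in it. It walks HKLM\SYSTEM\CurrentControlSet\Services and reports every service or kernel driver whose registered binary cannot be found on disk: an orphaned malware service shows up because its file is gone, and a driver file that a rootkit is hiding from the file system shows up because Test-Path cannot see it. It assumes an elevated PowerShell prompt on the machine being examined and standard ImagePath conventions (\SystemRoot\..., \??\C:\..., System32\drivers\..., quoted paths with arguments).

```powershell
# Added example (not from the thread): list services and kernel drivers whose
# registered binary is missing from disk. A malware service left behind after
# its executable was deleted shows up here, as does a driver file that a rootkit
# hides from the file system. Assumption: run from an elevated prompt.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windir = $env:SystemRoot

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Strip surrounding quotes and trailing command-line arguments, keep the binary path.
    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) {
        $closing = $path.IndexOf('"', 1)
        if ($closing -gt 1) { $path = $path.Substring(1, $closing - 1) }
    } else {
        # Unquoted entries look like "svchost.exe -k netsvcs": keep up to the extension.
        $m = [regex]::Match($path, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $path = $m.Groups[1].Value }
    }
    # Normalise the kernel-style prefixes used by driver entries.
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$windir\"
    $path = $path -replace '^System32\\', "$windir\System32\"
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # Anything still relative is relative to the Windows directory.
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $windir $path }
    return $path
}

function Get-OrphanedServices {
    foreach ($key in Get-ChildItem -Path $servicesKey) {
        $props = Get-ItemProperty -Path $key.PSPath
        if (-not $props.ImagePath) { continue }   # containers without a binary (e.g. parameter keys)
        $binary = Resolve-ImagePath $props.ImagePath
        if (-not (Test-Path -LiteralPath $binary)) {
            [PSCustomObject]@{
                Service   = $key.PSChildName
                Type      = $props.Type    # 1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $props.ImagePath
                Resolved  = $binary
            }
        }
    }
}

# Boot/system-start entries with a missing file are the ones to look at first.
Get-OrphanedServices | Sort-Object Start | Format-Table -AutoSize
```

Read the output with two caveats. A handful of legitimate entries (for example crash-dump helper drivers such as the dump_* names mentioned in post #3, which are generated at boot rather than stored as ordinary files) can appear as "missing" and are not a problem by themselves. Conversely, a rootkit that filters registry reads as well as file reads can hide its service key from this script entirely, which is why the thread's approach of comparing the list against an offline or rootkit-aware tool like RootRepeal remains the stronger check; this script is a quick triage pass, not a replacement for it.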



