Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


mbam & other anti-malware apps killed by rootkit infection

  • Please log in to reply
1 reply to this topic

#1 andygreene


  • Members
  • 2 posts
  • Local time:11:50 AM

Posted 30 September 2009 - 10:08 PM

Please let me know if I have not posted this in the correct area. If so, please let me know where i should post.

I have read as much of the instructions and "read before..." posts as I could find here.


complete URL's typed into IE or FireFox are redirected to a google search results page that looks legit, however clicking on the search results sends me to a crappy search engine with completely different results that are sponsored.

URL's clicked from emails or going to a favorites page from the start menu would not open any browser.

If I went to a norton.com, symantic.com, or other site to research the infection, my browser would immediately close. I made copies of iexplore.exe and firefox.exe with new names and was able to start the browsers that way. However, the search hijack symptom remains.

I notice that firefox is very slow, much slower than usual. It was difficult or impossible to use drop down menus on web pages with the mouse (down arrow worked) and clicking between browser tabs was also tough.

Opera Browser, Chrome browser and Safari Browser seemed unaffected, however Chrome just began to randomly close tabs this afternoon. I unistalled it and will re-install.

Every time Internet Explorer starts (Now from "copy of iexplore.exe) I see a window that warns me that IE is running in compatability mode. Firefox also warns me that it is no longer my default browser (i start it from a "copy of firefox.exe".

I downloaded the following tools to attempt to clean the infection:

malwarebytes - This updated it's database and started the scan. It was shut down after 3-9 seconds and the executable program file was made unaccessable.

adaware by lavasoft. - This updated it's database and started the scan. It was shut down immediately and the executable program file was made unaccessable.

Spybot search and destroy - This updated it's database and started the scan. It was shut down immediately on scan start and the executable program file was made unaccessable.

Hijackthis - It was shut down after a few seconds and the executable program file was made unaccessable.

I tried to re-install each of the above programs a few times, even changed the names of the executable files.

I tried to re-install these after starting in SafeMode.

I found a program called b.exe that was running and killed the process. It started up again right away. Repeated this a few times. This would restart after each restart

b.exe was referenced in the registry with a key called PopRock in the Run folder. I changed file name b.exe to b.exe.Q and changed the registry key to an invalid path.

I have symantec anti virus, I ran it, but it found nothing. I downloaded AntiVir and ran it, also found nothing.
I downloaded and ran hitmanpro and it found nothing. I ran a Linux Kaspersky Labs rescue disk and after a 5 hour scan, it found nothing.

The browser hijack symptoms persist.

I even pulled the hard drive from my pc intending to pop it into an enclosure and check it from another computer, but I found that it has a 1.8" HD and I have no way to connect the little bleeping thing to anything else.

I was able to download and run RootkitRevealer and generate and save a log.

I have unistalled chrome and firefox. Please let me know if I should download and re-install these browsers, or if you recommend a different path. Many thanks in advance.

BC AdBot (Login to Remove)


#2 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:50 PM

Posted 18 October 2009 - 12:22 PM

Hello andygreene

Welcome to Welcome to BleepingComputer :(
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users