
Infected with Security Tool


4 replies to this topic

#1 skiing_hen

skiing_hen

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 18 October 2009 - 11:02 AM

Okay, so I've been trying to fight off a Security Tool infection for about two days now. I have run Spyware Doctor several times now, and it always "fixes" the virus, but then as soon as I restart my computer the virus comes back. I've also tried downloading Malwarebytes' Anti-Malware, but the virus keeps deleting the mbam.exe file, so I can't run it. I've tried renaming mbam-setup.exe, but that doesn't help. I've also tried starting my computer in safe mode, but safe mode won't work.

I would REALLY appreciate it if someone could help me out here!
Step-by-step instructions would be great, cuz I don't know a whole lot about computers...

Edited by skiing_hen, 18 October 2009 - 11:03 AM.




#2 cablemole

cablemole

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:02 AM

Posted 18 October 2009 - 11:57 AM

Hope someone can help. I have the same problem. I'm running Windows XP Home.

#3 skiing_hen

skiing_hen
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 18 October 2009 - 05:27 PM

Okay, so it seems like other people with this problem are being advised to run RootRepeal, so I did a scan with it.

Here's what the report says:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/18 17:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2279000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A84000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7C1E000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xEE702000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\HIBERFIL.SYS
Status: Locked to the Windows API!

Path: c:\documents and settings\end user\local settings\temp\~df4857.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\end user\local settings\temp\~df84da.tmp
Status: Allocation size mismatch (API: 802816, Raw: 16384)

Path: c:\documents and settings\end user\local settings\temporary internet files\content.ie5\idnmlpib\ads[4].htm
Status: Allocation size mismatch (API: 270336, Raw: 16384)

Path: c:\documents and settings\end user\local settings\temporary internet files\content.ie5\2fjkoesk\topic265259[1].htm
Status: Allocation size mismatch (API: 270336, Raw: 65536)

Path: c:\documents and settings\end user\local settings\temporary internet files\content.ie5\2fjkoesk\ads[8].htm
Status: Allocation size mismatch (API: 270336, Raw: 16384)

Path: c:\documents and settings\end user\local settings\application data\microsoft\internet explorer\recovery\active\{b6d922ef-bc26-11de-aa3f-0016369b8ed6}.dat
Status: Size mismatch (API: 423936, Raw: 413184)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25e27a6

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25df794

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25dff1e

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25e31f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25e342a

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25e412a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25e383c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25ded0a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xf25de384

==EOF==

Does this help anyone at all?
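The report above is easier to act on once its three sections are split apart mechanically. The Python script below is an added example for this thread, not code from RootRepeal or from any poster. It assumes only the layout visible in the posted log (section headings underlined with dashes, blank-line-separated `Key: value` records, several fields sharing one line) and uses an abbreviated copy of that report as sample input. It lists drivers reported with no visible file (skipping the `dump_*` crash-dump copies and the scanner's own driver, a heuristic allow-list that is this example's assumption), groups the SSDT hooks by the module that installed them, and extracts the API/raw size pairs from the hidden-file entries.

```python
"""Parse a RootRepeal report and pull out what a removal helper checks first:
drivers with no visible file, SSDT hooks grouped by hooking module, and files
whose raw on-disk size disagrees with the size the Windows API reports."""
import re
from collections import defaultdict

# Abbreviated copy of the log posted in this thread, used as sample input.
REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/10/18 17:03

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF2279000 Size: 98304 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\\WINDOWS\\system32\\Drivers\\mchInjDrv.sys
Address: 0xF7C1E000 Size: 2560 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\HIBERFIL.SYS
Status: Locked to the Windows API!

Path: c:\\documents and settings\\end user\\local settings\\temp\\~df4857.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\iksysflt.sys" at address 0xf25e27a6

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\iksysflt.sys" at address 0xf25ded0a

==EOF==
"""

SECTION_NAMES = ("Drivers", "Hidden/Locked Files", "SSDT")
# Several fields share one line ("Address: ... Size: ... File Visible: ..."), so
# match a fixed key list; a generic "Word:" split would also catch "API:"/"Raw:".
KEY_RE = re.compile(r"(?:^|\s)(#|Name|Image Path|Address|Size|File Visible"
                    r"|Signed|Status|Path|Function Name): ")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
MISMATCH_RE = re.compile(r"mismatch \(API: (\d+), Raw: (\d+)\)")


def parse_record(lines):
    """Turn one blank-line-delimited record into a {field: value} dict."""
    fields = {}
    for line in lines:
        hits = list(KEY_RE.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            fields[m.group(1)] = line[m.end():end].strip()
    return fields


def parse_report(text):
    """Return {section: [record, ...]} for the sections in SECTION_NAMES."""
    sections, current, block = defaultdict(list), None, []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if line in SECTION_NAMES:
            current, block = line, []
        elif line.startswith(("===", "---")) or line == "==EOF==":
            continue  # banner rules, section underlines, end marker
        elif not line:
            if current and block:
                sections[current].append(parse_record(block))
            block = []
        elif current:
            block.append(line)  # lines before the first section are ignored
    return dict(sections)


def triage(sections):
    """Group hooks by module, list size mismatches and unexpected invisible drivers."""
    hooks, mismatches = defaultdict(list), []
    for h in sections.get("SSDT", []):
        m = HOOK_RE.search(h.get("Status", ""))
        if m:
            hooks[m.group(1)].append(h["Function Name"])
    for f in sections.get("Hidden/Locked Files", []):
        m = MISMATCH_RE.search(f.get("Status", ""))
        if m:
            mismatches.append((f["Path"], int(m.group(1)), int(m.group(2))))
    # Heuristic allow-list (an assumption of this example): dump_* are Windows'
    # crash-dump driver copies and rootrepeal*.sys is the scanner's own driver;
    # both are reported as "File Visible: No" on clean systems as well.
    invisible = [d["Name"] for d in sections.get("Drivers", [])
                 if d.get("File Visible") == "No"
                 and not d["Name"].lower().startswith(("dump_", "rootrepeal"))]
    return {"suspicious_invisible_drivers": invisible,
            "hooks_by_module": dict(hooks), "size_mismatches": mismatches}
```

Call `triage(parse_report(REPORT))` (or pass the full text of a saved report) to get the three lists. Grouping hooks by module is the useful part: a single driver hooking process-creation, process-termination, registry and memory-write calls, as in the full log above, is what both a rootkit and a self-protecting security product install, so the module path should be compared with software known to be on the machine (the poster mentions running Spyware Doctor) before anyone treats it as malicious. Temporary-file and browser-cache entries with allocation-size mismatches are usually just files still being written and are the lowest-priority items.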

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:07:02 AM

Posted 20 October 2009 - 09:09 PM

Now that you were successful in creating a RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that this log was all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:07:02 AM

Posted 20 October 2009 - 09:11 PM

Cablemole
Please start your own topic to avoid confusion
Do not hijack other topics
Mark



