Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Rootkit issue, sites blocked, various removers/scanners failed

  • This topic is locked This topic is locked
2 replies to this topic

#1 joecool1029


  • Members
  • 3 posts
  • Local time:07:23 AM

Posted 22 June 2010 - 03:18 PM

Hi this is my first post on here, I've been battling the worst rootkit I've seen in a long time and need some help. It's a work system with *alot* of programs installed. Originally this came up as a Vundo infection and of course all its friends. Some of the programs I've run to try to fix this.

- Bitdefender (uninstalled now due to horrible corruption from rootkit, useless anyway, did not detect anything wrong even though files submitted to their db came back postitive)
- MBAM (cleaned some things up, now I get clean scans)
- Vundofix (cleaned off most vundo crap, Combofix got more)
- GMER (originally detected rootkit activity, managed to disable the file causing it)
- HijackThis (looked at logs, I'm no pro but didn't see anything off in here after cleanups with the above and below, will include a log if asked)
- ComboFix (read explanation below)

I have attached a Combofix log (I know, not supposed to run unless asked, but I had tried just about everything and Combofix was the only one that seemed to remove anything, though problems persist after reboot). If needed I can provide logs as needed.

The file that's the biggest pain has been C:\Windows\System32\magnstat.dll, it is definitely an executable virus that likes to grab hold of many programs that are run, especially Combofix, which it will only let run once renamed and will cause it to run *very* slow.

Thanks in advance

** EDIT: I also disabled all programs from starting at startup, to make life a little easier.
** EDIT2: Attaching HJT log. It did complain about some error on a file being accessed, so unsure if it's complete.
** EDIT3: SDFix finished, log attached.
** EDIT4: Ran Combofix again, I hand deleted a file C:/WINDOWS/System32/drivers/xxumds.sys we'll see if that was it. Wasn't locked but combofix did not see, Virustotal said it was IEBOOOT with like 32 hits. Will attach new combofix log in a few.
** EDIT5: I think I got all of it, I won't know until I go back tommorow to finish the job. Will post a request to close this if that's the case.

Attached Files

Edited by joecool1029, 22 June 2010 - 07:26 PM.

BC AdBot (Login to Remove)


#2 joecool1029

  • Topic Starter

  • Members
  • 3 posts
  • Local time:07:23 AM

Posted 24 June 2010 - 12:28 AM

Bump for delete. Problem solved. Thank you.

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:09:23 PM

Posted 24 June 2010 - 12:33 AM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users