Posted 15 October 2010 - 08:23 AM
I had a virus on the system and have been running several virus cleaning programs to begin with. A bunch of mshta , svchosts, and iexplorer processes would be running even if I didn't have internet explorer running. I started off with Housecall. Then I ran HijackThis to get rid of anything that was internet related. Hijack this could not remove some of the entries in the registry including MKetcyra.com in the HKLM\...\Run. When I looked in the registry, I didn't see this entry. I did clean out the multiple areas of Run/RunOnce in the registry manually.
The MKetcrya.com also appears in HKUS\S-1-5-18\...\Run, but I don't know the full path to look in there.
After this, I ran SuperAnti Spyware. I'm now working with the root remover, RootRepeal, but I'm less familiar with root kits. I disconnect from the network when not needing it. I also run anything in safe mode that I can. I have not used ComboFix for this yet, but have used it in the past to work on other computers brought to me.
After running RootRepeal report (everything checked), I get:
ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2010/10/14 23:00
Program Version: Version 126.96.36.199
Windows Version: Windows XP Media Center Edition SP3
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA3617000 Size: 749568 File Visible: No Signed: -
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA2AC5000 Size: 49152 File Visible: No Signed: -
Status: Allocation size mismatch (API: 1736704, Raw: 1732608)
Status: Locked to the Windows API!
Path: c:\documents and settings\hp_administrator\local settings\temp\~df6aac.tmp
Status: Allocation size mismatch (API: 73728, Raw: 0)
Path: c:\documents and settings\hp_administrator\local settings\temp\~dfb4f9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aee3678 Size: 2441
Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ae26588 Size: 607
I will delete the temp files, but should I also delete these stealth objects and drivers? Do I do this manually or through Root Repeal?
Thank you for any help and suggestions!