
AV2010 and a rootkit that has taken over security


2 replies to this topic

#1 dpcsit


  • Members
  • 7 posts

Posted 21 December 2010 - 08:39 AM

This started when my son downloaded AV2010, managed to get rid of it, but there appears to be some form of rootkit running that changes the security of any application that attempts to scan.

For instance HijackThis will run for a second and stop, same for Malwarebytes or any other app. Microsoft Security Essentials has its service stopped and it will not restart; if I reload the application it will download updates and seem fine right up until I start a scan, then after it appears to hit an area it suddenly goes red-X.

I checked the security and it removes all users and admins from the security on the file so you cannot execute or even rename it; the only security left on it is from Everyone, and that group does not show up in any security list.

The ONLY thing I managed to get to run before it dies is viperrescue but even after it executes it gets nailed by the security change so it will not run a second time.

It seems to indicate a rootkit but does not seem to clean it. The scary thing is when it ran it sounded like the hard drive clicked off and back on several times as though it had dropped power for an instant.

The threat item it lists is c:\windows\system32\drivers\vbma25fc.sys giving an ID of Trojan.win32.olmarik.agn

RKill says it removes \\.\globalroot\Device\svchost.exe\svchost.exe but if I run RKill again it says the same, even in safe mode.

I am starting this thread as I cannot find anyone who seems to have cleaned a PC once it reaches this state of operations; most threads I find die after a few posts and my assumption is the person either took it in and had it reformatted or reformatted it themselves.

I would really like to see this beast killed once and for all!

Thanks for any help!

Edited by dpcsit, 21 December 2010 - 08:43 AM.
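The tampering described in this post (Administrators and SYSTEM stripped from a tool's file ACL, only Everyone left) can be checked for from a clean system with the built-in `icacls` tool. The script below is an added example, not code from the thread or from any of the tools named in it: it parses the text `icacls <file>` prints on Windows (the line layout and identity format are assumptions based on that tool's usual output), and flags files whose DACL has no allow entry for Administrators or SYSTEM, grants access only to Everyone, carries an explicit deny for Everyone, or is empty. The tool paths and ACLs in `SAMPLE_ICACLS_OUTPUT` are constructed for the example.

```python
"""Flag program files whose DACL no longer grants Administrators or SYSTEM.

Added example, not from the thread. It parses the text that `icacls <file>` prints
on Windows (the layout is assumed from the tool's usual output) and reports files
whose ACL looks like the tampering described in the post: trusted principals
stripped, only Everyone left, or an explicit deny for Everyone.
"""
import re
from typing import Dict, List, Optional

# Well-known principals that a healthy program file should grant access to.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}

# Identity grammar (assumption): optional upper-case domain ("BUILTIN\", "NT AUTHORITY\",
# a machine name) plus an account without spaces, or a well-known multi-word identity.
IDENTITY = (
    r"(?:CREATOR OWNER|NT AUTHORITY\\Authenticated Users|"
    r"(?:[A-Z][A-Z0-9 _-]*\\)?[^\\:()\s]+)"
)
PERMS = r"(?P<perms>(?:\([^()]*\))+)"
# First line of an entry: "<path> <identity>:(flags)". The path may contain spaces.
FIRST_LINE_RE = re.compile(r"^(?P<path>\S.*?)\s+(?P<who>" + IDENTITY + r"):" + PERMS + r"\s*$")
# Continuation lines: indented "<identity>:(flags)".
ACE_LINE_RE = re.compile(r"^\s+(?P<who>[^:]+?):" + PERMS + r"\s*$")


def parse_icacls(output: str) -> Dict[str, List[dict]]:
    """Return {path: [{"who", "perms", "deny"}, ...]} from icacls output text."""
    acls: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith(("Successfully processed", "Failed processing")):
            continue  # trailer printed after the entries
        if not line[0].isspace():
            m = FIRST_LINE_RE.match(line)
            current = (m.group("path") if m else line).strip()
            acls[current] = []
            if m is None:
                continue  # path with an empty DACL: nobody is granted anything
        else:
            m = ACE_LINE_RE.match(line)
            if m is None or current is None:
                continue
        perms = m.group("perms")
        acls[current].append({"who": m.group("who"), "perms": perms, "deny": "(DENY)" in perms})
    return acls


def find_tampered(acls: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Return {path: [reason, ...]} for entries whose DACL looks tampered with."""
    findings: Dict[str, List[str]] = {}
    for path, aces in acls.items():
        allowed = {a["who"] for a in aces if not a["deny"]}
        denied = {a["who"] for a in aces if a["deny"]}
        reasons = []
        if not aces:
            reasons.append("empty DACL")
        elif not allowed & TRUSTED:
            reasons.append("no allow entry for Administrators or SYSTEM")
        if allowed and allowed <= {"Everyone"}:
            reasons.append("only Everyone is granted access")
        if "Everyone" in denied:
            # Deny ACEs are evaluated before allow ACEs, so this locks out admins as well.
            reasons.append("explicit deny for Everyone (blocks admins too)")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample: four hypothetical tool paths, written to look like icacls output.
SAMPLE_ICACLS_OUTPUT = "\n".join([
    r"C:\Tools\HijackThis.exe BUILTIN\Administrators:(I)(F)",
    r"                        NT AUTHORITY\SYSTEM:(I)(F)",
    r"                        BUILTIN\Users:(I)(RX)",
    r"C:\Tools\mbam.exe Everyone:(RX)",
    r"C:\Tools\gmer.exe Everyone:(DENY)(F)",
    r"                  BUILTIN\Users:(RX)",
    r"C:\Tools\stripped.exe",
    "",
    "Successfully processed 4 files; Failed processing 0 files",
])


if __name__ == "__main__":
    for path, reasons in find_tampered(parse_icacls(SAMPLE_ICACLS_OUTPUT)).items():
        print(path, "->", "; ".join(reasons))
```

In practice you would feed it the output of `icacls` run over the scanner directories from a clean boot (or from the second system once the drive is attached as D:, as the later post considers); a file that trips one of these checks is a candidate for restoring the ACL with `icacls <file> /reset` before expecting the tool to run, and is worth preserving as evidence of what the infection did.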




#2 dpcsit

  • Topic Starter

  • Members
  • 7 posts

Posted 21 December 2010 - 08:41 AM

Oh, I forgot to add that networking does not run in safe mode at all; there is not even a listing of a network device when in safe mode, so I have to download and put things on a CD to get them onto the PC if I have to work in safe mode.

Also GMER will freeze up and I have to reboot the PC.

Edited by dpcsit, 21 December 2010 - 08:46 AM.


#3 dpcsit

  • Topic Starter

  • Members
  • 7 posts

Posted 27 December 2010 - 01:36 PM

Since I've had no input from anyone here I assume that I did not post correctly. I will say that as far as I can tell nobody has been able to kill this thing; all threads simply die after a while.

I managed to get XP reinstalled and have partial control over the PC. I removed the group Everyone and that has taken some of the teeth out of the rootkit, it seems; GMER ran but the PC shuts down because of it or the rootkit.

Is there a way to scan for rootkits etc. if I move the drive to D:, as I have loaded an old drive to use with the cleaning?

Any suggestions on what tools to run would be a great help, as the security reset has been traumatic to the operation of the PC.

So I know the virus/rootkit is still there; I still cannot clean it at all even after a Windows reload.
