Need help rootkit????



#1 John Booth


Posted 01 March 2011 - 01:11 AM

This is my first post at this website. Forgive me in advance for any of my shortcomings. I am at the end of my rope. Here is the history:

I did a search on Google "is it legal to take a picture in public?" I clicked on the first hit .. to a website called

www.legalandrew.com

The website performed properly with no problems. Later, I had reason to revisit the site and this time I got redirected to a different site. A small window opened "Caution. Your computer is infected. Click continue to scan your computer" or something to that effect. I knew better than to click continue but the entire browser was locked up .. could not close, minimize, or click on any browser controls. Had to end task on the browser (IE8). I immediately did a full scan with Microsoft Security Essentials and it came up clean. I tried SEVERAL other scanning products .. all clean. I (probably foolishly) tried it again and got the same thing. This time, I ACCIDENTALLY clicked on CONTINUE .. and I got a browser window loading up with warnings of several infections .. and THEN a file started to download. I clicked save file, and saved it to my desktop. I scanned it with several products as well as my entire system. No detections.


I formatted my entire hard drive and did a Dell System restore from CDs. Tried the site .. loaded fine. I continued installing personal software .. trying the site as I went along. Loaded just fine. Got my system all 'rebuilt' and boom, .. the site has started redirecting again tonight.

I downloaded Trendmicro Rootkitbuster BETA and when I ran it, I got a Blue screen .. condemning tmrkb.sys which I believe to be a driver from Rootkitbuster. I did a scan AGAIN with HITMAN PRO3 and it gave a 'warning' about tmrkb.sys as being 'SUSPICIOUS'. It did not offer to remove it .. only IGNORE it. I do not know how to get rid of it (other than just delete it from C:\WINDOWS\system32\drivers, which I have not done). I found someone in the TrendMicro forum complaining about the same BSOD problem with the product .. but he did not get any help with it.

My MAIN question is .. do I have an infected software product I am installing or what is going on? I understand rootkits are the hardest to 'track down' .. I just don't know how I am getting infected .. if I am infected at all. I have scanned with DOZENS of products .. nothing finds any problem with any software product I have.

Is the problem coming from visiting that website? I cannot figure out what the 'virus' vector is .. simply going to www.legalandrew.com or from some infected program I am installing from my software library.

I keep seeing 'If you get a rootkit, best to format and reinstall' and I have done that .. about 3 dozen times .. truly. Is it one (or more) items from my s/w library?? I don't have a problem reformatting and 'reinstalling' but it keeps coming back .. always from www.legalandrew.com.

I hope I have explained this well. This has been going on for two weeks. I have done everything I can think of to prevent this from happening. Right now, .. I am back to square one except NOW, I have this tmrkb.sys 'problem'.

XP Home SP3. Thank you in advance for any help you can give.

Edited by Orange Blossom, 01 March 2011 - 09:57 PM.
Moved to AII for initial assistance. ~ OB
