MBR Rootkit?


#1 thebouncer (Member, 330 posts)

I have a laptop computer that was acting fine until recently. It started earlier last week: when I was on the internet, suddenly I got a pop-up from the Computer Associates eTrust on my computer that a virus had been found. According to their description it is a PDF/CUE-2010-0188 Exploit. When you try to look it up on their website they tell you there is no match (go figure).

I was able to find and remove a file on Friday:
Lsass.exe located in C:\Documents and Settings\username\Application Data\SystemProc\
Registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="C:\\Documents and Settings\\username\\Application Data\\SystemProc\\lsass.exe"

Virus Total reported this file here
http://www.virustota...e87b-1279294039

It is named several different things apparently though the most common name is Koobface.

I have tried running the following tools, which will NOT run:
Malwarebytes (runs but doesn't find anything)
SuperAntiSpyware
F-Secure BlackLight (anti-rootkit)
Sophos Anti-Rootkit
Dr.Web CureIt
ComboFix
OTL (if I do the custom scan it comes up with an error: invalid flag [mp] must be numerical)

Internet Explorer and Firefox are hit and miss. If I try to look up anti-rootkit software, all of a sudden I get timeouts and "page cannot be displayed". Once that starts I have no choice but to reboot the PC. The computer will not reboot on its own and will not shut down on its own; I have to hold the power button, but that doesn't cause chkdsk to be initiated.

Other symptoms:
When typing in the Run box the letters come up very delayed.
Unable to access the Control Panel most of the time; also unable to access Add/Remove Programs in Control Panel.
Timeouts in Internet Explorer, or it freezes or never launches (Firefox has the same problem).
Malwarebytes finds nothing on the system.
It was forwarding to the following sites (this seems to be resolved since removing the above-mentioned file):
Yellowbook.com
http://websiteconfir...&...2&key=virus
http://web-search-ap...t...p?q=spyware
Won't allow antivirus or anti-malware tools to run.
Cannot load the eTrust interface (uses Internet Explorer).
Internet Explorer is running in the background when the computer is first started, before any websites are open...
I can't see anything in the log files.

Anyone have any ideas?

I was going to try bootkit detector however I have a recovery partition and do not want to destroy that.


OK so even more problems...

Add/Remove Programs is showing up BLANK at times.
I have tried to run SFC /SCANNOW: no hard drive activity, no anything, the status bar does not move.
I tried running Service Pack 3 again to see if it would fix possibly broken files (no dice: it starts the install but just sits there at "inspecting system").
Whenever I now run GroupWise 7.x I get an error in ntdll.dll when I close it.

Internet Explorer is freezing up on the website http://www.marketwatch.com whenever you try to get a quote or go to a different page other than the main page. Firefox doesn't have this problem.

I ran RootRepeal and the only thing it found was this:
Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x86c2b020]
Process: System Address: 0x86f9a7ca Size: 159

Object: Hidden Code [ETHREAD: 0x86c5e020]
Process: System Address: 0x86f9a57c Size: 555

Object: Hidden Code [ETHREAD: 0x86ca3020]
Process: System Address: 0x86f9b57d Size: 1174

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86f9afc5 Size: 60

I don't know how to go further with this at this point.

I tried a Windows repair install, since copying and pasting was causing an error in ntdll.dll. Since the repair install the computer hangs on a black screen with the cursor for 5 minutes and then loads the desktop. The initial install did not go well either: it came up to "Please wait while Windows starts" and never finished, so I had to hard reboot it.

Attached file: OTL.txt (90.56KB)

Edited by thebouncer, 20 July 2010 - 09:26 AM.

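Added example (not from the post or from Geeks to Go): a small Python checker that parses a .reg-style export like the registry entry quoted above and flags autorun values with the traits of that persistence entry: set under the Group Policy policies\Explorer\Run key, a core system binary name (such as lsass.exe) outside the Windows directory, or an executable stored under a user-writable profile path. The sample export is constructed; its first value mirrors the one in the post and the second is a benign control entry.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in .reg export format; the RTHDBPL value mirrors the post's entry.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="C:\\Documents and Settings\\username\\Application Data\\SystemProc\\lsass.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Names of core Windows binaries that only belong under the Windows directory.
SYSTEM_BINARY_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "smss.exe"}
# Path fragments marking user-writable profile locations (XP and Vista+ layouts).
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")

def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg-style export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # unescape \\ and \" the way regedit wrote them
                yield key, m.group(1), re.sub(r'\\(.)', r'\1', m.group(2))

def suspicious_autoruns(text):
    """Flag autorun entries showing the traits of the post's lsass.exe persistence."""
    findings = []
    for key, name, data in parse_reg_export(text):
        m = re.match(r'"?(.+?\.exe)', data, re.IGNORECASE)  # leading .exe path of the command
        if not m:
            continue
        exe = m.group(1)
        path = PureWindowsPath(exe.lower())
        reasons = []
        if key.lower().endswith("\\policies\\explorer\\run"):
            reasons.append("set in the Group Policy autorun key rather than the normal Run key")
        if path.name in SYSTEM_BINARY_NAMES and not str(path).startswith("c:\\windows\\"):
            reasons.append(f"system binary name {path.name} outside the Windows directory")
        if any(marker in str(path) for marker in USER_WRITABLE_MARKERS):
            reasons.append("executable stored in a user-writable profile directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": exe, "reasons": reasons})
    return findings
```

Running `suspicious_autoruns(SAMPLE_REG)` flags only the RTHDBPL value, with all three reasons; the ctfmon control entry is left alone.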