Malwarebytes

mbam.exe will not run NTOSKRNL-Hook Rootkit


5 replies to this topic

#1
handbanana

    New Member

  • Members
  • 1 posts
Hi all. I have symptoms of some nasty malware. McAfee is able to find NTOSKRNL-Hook (though error messages pop up trying to get me to abort the scan). McAfee has not been able to eliminate the problem.

I downloaded Malwarebytes and it installs, but the setup program freezes before it would (I assume) prompt me to start malwarebytes immediately. Attempts to run mbam.exe (including renaming this file) have failed.

I have read through these instructions but I wanted to seek guidance before running RootRepeal.

#2
Maniac

    I Love Andriana

  • Experts
  • 10,160 posts
  • Gender:Male
  • Location:Bulgaria, EU
  • Interests:Information security and web development
Greetings and Welcome :D.

If you're having trouble getting Malwarebytes and other tools to update or run, please review the following tutorials and see if they are helpful:


If you aren't able to use those instructions or there are other issues then please follow the instructions here:
I'm infected - What do I do now?

And post your logs in a new topic here:
Malware Removal - HijackThis Logs

Please be sure not to install any software or use any removal or scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult.


Note: if for some reason you are unable to run some or any of the tools in the first link, then skip that step and move on to the next one.
If you can't even run HijackThis, then just post here:
Malware Removal - HijackThis Logs describing your issues and an expert will reply with further instructions.


I hope I was helpful. Good luck and safe surfing. :)

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3
remy

    New Member

  • Members
  • 5 posts
I tried all the options listed here including RootRepeal and all failed; still could not run mbam.exe. After each option, it gets more difficult to run the others. Google Desktop did find files UAC* in windows/system32 but could not remove them manually. :D

#4
remy

    New Member

  • Members
  • 5 posts
I have some additional information. Just like handbanana, McAfee also found NTOSKRNL-Hook and claimed to have removed it.
Finally got to run mbam.exe by uninstalling and reinstalling (paid version). Had to rename the setup file to winlogon.exe for it to run, as well as the mbam.exe.

mbam found some stuff and removed them but said it could not remove all of them and will try to do so at restart. But still having the same problem with running mbam.exe without renaming.

Subsequent runs of mbam return the following:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

When I click to fix, a rerun still returns infections.
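The pattern in this post, the same registry key and the same file coming back on every rerun after the tool reported removing them, is the signal a responder looks for when deciding whether on-disk remediation is being undone by a hidden component. The following is an added example, not code from this thread or from Malwarebytes: a small parser for report lines in the "item (detection) -> action" shape quoted above that compares two consecutive runs and flags items that reappear. The two report excerpts are constructed sample input modelled on the lines in the post (the line format itself is an assumption; the UACplaceholder.dll entry is a made-up name used only to show a finding that is new rather than persistent).

```python
import re
from dataclasses import dataclass

# Constructed sample input: two consecutive report excerpts in the
# "item (detection) -> action" line shape the post quotes. Run 1 claims
# success; run 2 shows the same items back, plus one new one.
RUN_1 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

RUN_2 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACplaceholder.dll (Trojan.Agent) -> No action taken.
"""

# item, then "(detection)", then "-> action" with an optional trailing period
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Finding:
    section: str    # report section header, e.g. "Files Infected"
    item: str       # registry path or file path as printed
    detection: str  # detection name, e.g. "Rootkit.Trace"
    action: str     # what the tool says it did

    @property
    def key(self):
        # Registry and file paths on Windows are case-insensitive, so
        # compare them case-folded; the detection name is kept as-is.
        return (self.item.lower(), self.detection)

    @property
    def attempted(self):
        # Anything other than "No action taken" means the tool tried to act.
        return not self.action.lower().startswith("no action")


def parse_report(text):
    """Turn report text into Finding objects, tracking the current section."""
    findings = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        match = FINDING_RE.match(line)
        if match:
            findings.append(Finding(section, match["item"], match["detection"], match["action"]))
    return findings


def persistent_findings(earlier, later):
    """Findings from the later run that were already reported in the earlier one."""
    seen = {f.key for f in earlier}
    return [f for f in later if f.key in seen]


def new_findings(earlier, later):
    """Findings that appear only in the later run."""
    seen = {f.key for f in earlier}
    return [f for f in later if f.key not in seen]


def remediation_undone(earlier, later):
    """True when an item the earlier run acted on is reported again later."""
    acted_on = {f.key for f in earlier if f.attempted}
    return any(f.key in acted_on for f in later)


if __name__ == "__main__":
    first, second = parse_report(RUN_1), parse_report(RUN_2)
    for f in persistent_findings(first, second):
        print(f"PERSISTENT [{f.section}] {f.item} ({f.detection}): {f.action}")
    for f in new_findings(first, second):
        print(f"NEW        [{f.section}] {f.item} ({f.detection}): {f.action}")
    if remediation_undone(first, second):
        print("Items reported as removed are back: on-disk cleanup is being undone.")
```

The useful output is not the list of findings itself but the comparison across runs: a "Rootkit.Trace" key that the tool reported removing and that is present again on the next scan tells the responder that cleanup is being reverted, which matches the advice in this thread to hand the logs to a helper rather than keep re-running the same tool.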

#5
remy

    New Member

  • Members
  • 5 posts
Another finding: My last scan was better. I was able to run mbam.exe w/o renaming. This time it was only left with:
C:\WINDOWS\system32\uacinit.dll that it could not remove (to remove on reboot but it does not).

When I run RootRepeal I get:
Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog.
Got this msg several times, then got:
13:08:05: Warning - could not read Windows kernel using raw-disk reading!
13:08:07: Could not find module file on disk!
13:08:09: Could not find module file on disk!
13:08:10: Could not find module file on disk!
Tried all the Options up to High Level
Trying to Scan Files gives the same: Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog.

Can this be used, or is there anything else I can use to remove these UAC files? Google Desktop sees 3 UAC files but they are .dll extensions under Windows\system32.

Also, every 30 minutes or so IExplorer is launched in the background (see it in Process Explorer) and plays audio advertisement!

Please help!

#6
remy

    New Member

  • Members
  • 5 posts
Ok. Now mbam.exe won't run again unless renamed. Don't know what else to do!!!!!
I have so many apps I use on this machine, reformatting and reinstalling will be a beast.
