Malwarebytes

Malwarebytes finds malware files that I can't see?


30 replies to this topic

#1
marktreg

    Elite Member

  • Trusted Advisors
  • 834 posts
I ran a quick scan and MBAM found two files which needed a reboot to remove.

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

After rebooting, I ran another quick scan and MBAM found these same two files again. I rebooted again and ran another quick scan afterwards, but MBAM found these same two files once again.

I was in a hurry and didn't really want run ComboFix. So I decided to boot the computer with an ERD Commander disk and delete the two files manually. But when I did this I could not find these two files on the disk. I couldn't understand why I could not see these two files under a Windows PE environment. I always assumed that a Windows PE environment would 'unhide' everything.

So then I decided to run ComboFix. ComboFix ran perfectly with no problems at all. But after rebooting and running another quick MBAM scan, MBAM found these same two files once again. I then booted with ERD Commander again, and once again I could not find these two files on the disk. How is this possible?

I thought I was dealing with a well known 'Goldun' trojan which a combination of MBAM and ComboFix should easily remove. But now I'm not so sure. I also still can't understand why I can't see these two files under a Windows PE environment.

Am I missing something obvious here? Or should I just go ahead and post the logs in the HijackThis forum for the experts to look at?

EDIT: I have just booted the computer with a linux live cd as well, and I still cannot see the files. Weird!
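The two detection lines in the post above, parsed and cross-checked against an offline view of the disk, as an added example in Python; it is not code from the thread or from Malwarebytes. It assumes detection lines of the shape `<path> (<name>) -> <action>.` and a suspect volume mounted read-only at some directory from a rescue boot (WinPE or a Linux live CD); the sample log lines, the mount directory and the files it creates are constructed for the demonstration. Path components are matched case-insensitively on purpose: NTFS does not distinguish case but a Linux live CD does, which is one mundane reason a file can look absent from a rescue environment.

```python
"""Cross-check scanner detections against an offline view of the disk.

Added example; not code from the forum thread or from Malwarebytes.
Assumptions not on the page: detection lines look like the two quoted in
the thread, '<path> (<detection>) -> <action>.', and the suspect volume is
mounted read-only at some root directory from a rescue boot. The sample
log lines below are constructed from the two paths the thread quotes.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two lines from the first post, as MBAM printed them.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.",
    r"C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.",
]

# '<drive>:\<path> (<detection name>) -> <action>.'
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^()]+?)\s+\((?P<name>[^()]+)\)\s+->\s+(?P<action>.+?)\.?$"
)


@dataclass(frozen=True)
class Detection:
    path: str    # Windows path exactly as the scanner reported it
    name: str    # detection name, e.g. Rootkit.Agent.H
    action: str  # what the scanner intends to do, e.g. Delete on reboot


def parse_detection(line: str) -> Optional[Detection]:
    """Parse one detection line; returns None for lines that are not detections."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    return Detection(m.group("path"), m.group("name"), m.group("action"))


def windows_path_parts(win_path: str) -> List[str]:
    """'C:\\WINDOWS\\system32\\kwave.sys' -> ['WINDOWS', 'system32', 'kwave.sys']."""
    _drive, _sep, rest = win_path.partition(":\\")
    return [p for p in rest.split("\\") if p]


def locate_case_insensitive(root: str, parts: List[str]) -> Optional[str]:
    """Walk ROOT one component at a time, matching names case-insensitively.

    NTFS does not distinguish case, but a Linux rescue environment does, so a
    plain os.path.exists() on the scanner's mixed-case path can report
    'missing' for a file that is present under a different spelling.
    """
    current = root
    for part in parts:
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.exists(current) else None


def cross_check(log_lines: List[str], mount_root: str) -> Dict[str, str]:
    """Map each detected path to 'present' or 'absent' on the offline volume.

    An 'absent' result for every offline view is the situation the thread
    describes. It argues against a file hidden by a running rootkit and for
    some other record on the system that names the path and that the scanner
    resolves to a file; that reading is an assumption made here, not a
    statement from the thread.
    """
    status: Dict[str, str] = {}
    for line in log_lines:
        det = parse_detection(line)
        if det is None:
            continue
        found = locate_case_insensitive(mount_root, windows_path_parts(det.path))
        status[det.path] = "present" if found else "absent"
    return status


def demo() -> Dict[str, str]:
    """Build a constructed offline volume with only kwave.sys present and check it."""
    root = tempfile.mkdtemp(prefix="offline-volume-")
    sys32 = os.path.join(root, "Windows", "System32")  # different case on purpose
    os.makedirs(os.path.join(sys32, "drivers"))
    with open(os.path.join(sys32, "kwave.sys"), "wb") as f:
        f.write(b"\x00" * 16)  # constructed placeholder bytes, not a real driver
    return cross_check(SAMPLE_LOG, root)


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:8s} {path}")
```

Run it against a real rescue-boot mount by calling `cross_check(lines, "/mnt/windows")` with the scanner's log lines; the constructed `demo()` only shows the two outcomes side by side, one path present and one absent.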

#2
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male
Do you have access to these files?

If yes, check them here: http://www.virustotal.com/ Then you can see whether you have malware or not.

And post the log here again.

Do this too: Read before reporting a false positive! ---> http://www.malwareby...?showtopic=3228 Maybe a false positive...

Try it please, and report here again.

Good Luck !

MAM
Windows XP Home, SP3, all updates after SP3, Firefox 3.6.3, Internet Explorer 8.0.6001.18702, 2.4 GHz slow computer, with 1 GB RAM, two hard drives.

#3
srtools1980y

    Elite Member

  • Honorary Members
  • 816 posts
My small brain suggests you run a full (thorough) scan of all the drives of your system with your AV & MBAM.

#4
marktreg

    Elite Member

  • Trusted Advisors
  • 834 posts
No, I don't have access to these files. That is the problem. MBAM is finding them, but cannot delete them. And I cannot see these files either in Windows, Windows Safe Mode, or even under a Windows PE or Linux environment. I cannot understand it. I think I will post the logs in the HijackThis forum for the experts to look at.

#5
prairie dog

    Forum Deity

  • Malware Hunters
  • 1,548 posts

marktreg, on Sep 6 2009, 12:41 PM, said:

No, I don't have access to these files. That is the problem. MBAM is finding them, but cannot delete them. And I cannot see these files either in Windows, Windows Safe Mode, or even under a Windows PE environment. I cannot understand it. I think I will post the logs in the HijackThis forum for the experts to look at.


That's what I would do ;)
Avira Antivir Personal and MBAM Pro
On demand: SAS and Hitman Pro
Firewall-Online Armor Premium
FF3-adblock plus, noscript, betterprivacy, WOT, Keyscrambler, TrackMeNot
Sandboxie


ONE DAY AT A TIME!

#6
marktreg

    Elite Member

  • Trusted Advisors
  • 834 posts

srtools1980y, on Sep 6 2009, 06:41 PM, said:

My small brain suggests you run a full (thorough) scan of all the drives of your system with your AV & MBAM.

I must admit that I haven't performed FULL scans with AV or MBAM yet. I will do this before I go any further.

#7
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male
You can run an online scan with Kaspersky if you want, http://www.kaspersky.com/virusscanner but it cannot delete malware, it can only show whether there is a malware infection or not. And believe me, it takes a long time....

Or run a scan with GMER, ---> http://www.gmer.net/ please stick to the instructions...

Or use Stinger, and run a scan, ----> http://vil.nai.com/vil/stinger/

OK, post a HijackThis log in the expert section too, and see what's going on.

OK, I think I cannot really help with this issue, my skills are too slight.

I hope I understand this.

MAM

#8
srtools1980y

    Elite Member

  • Honorary Members
  • 816 posts
Do it patiently.
O

#9
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male

srtools1980y, on Sep 6 2009, 05:53 PM, said:

Do it patiently.
O

Do you mean me?

MAM

#10
marktreg

    Elite Member

  • Trusted Advisors
  • 834 posts
Thanks for the help, guys. I think the problem was that I wanted to get it fixed too quickly. And then when I couldn't see the files, even under a Windows PE environment, I just didn't know what was happening.

I will run some FULL scans and see what happens then.

All the best,

Mark.

#11
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male
Do you really have no access to the files, path ----> C:\Windows\System\System32.... ???

MAM

#12
control

    New Member

  • Honorary Members
  • 41 posts
  • Gender:Male
Rootkits can't be found in Windows Explorer because the files are hidden ;) You should try RootRepeal :D

#13
marktreg

    Elite Member

  • Trusted Advisors
  • 834 posts

MAM, on Sep 6 2009, 07:03 PM, said:

Do you really have no access to the files, path ----> C:\Windows\System\System32.... ???

MAM

I really have no access. MBAM is telling me that I have these two malware files present on my computer.

C:\WINDOWS\system32\drivers\mrxdavv.sys
C:\WINDOWS\system32\kwave.sys

But I cannot see them, even if I use a WinPE or linux boot disk to look at the drive. Weird, isn't it?

#14
marktreg

    Elite Member

  • Trusted Advisors
  • 834 posts

control, on Sep 6 2009, 07:06 PM, said:

Rootkits can't be found in Windows Explorer because the files are hidden ;) You should try RootRepeal :D

You are completely correct. But I have yet to find a rootkit that is able to hide its files after booting the computer into a WinPE or Linux environment. And that's what I'm using to try to find these files. I seriously cannot understand it.

#15
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male
Best Free Rootkit Scanner/Remover ---> http://www.techsupportalert.com/best-free-...ner-remover.htm

BlackLight ---> http://www.f-secure.com/en_EMEA/products/t...ies/blacklight/

RootKit Unhooker ---> http://www.antirootk...it-Unhooker.htm

IceSword ----> http://www.antirootk...re/IceSword.htm

That is only a bunch of hints, and I have no experience with them.

MAM

#16
marktreg

    Elite Member

  • Trusted Advisors
  • 834 posts
Once again, thanks for the help, guys. But, if the files are protected/hidden by a rootkit, I should be able to unhide/unprotect them by booting the computer with a WinPE or Linux boot disk. But when I do this, I still cannot see the files. I don't understand why I cannot see the files when I do this.

#17
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male
One last piece of advice from me to you, Rescue CD 3.01, ----> http://www.f-secure.com/linux-weblog/2008/...d-301-released/ please build it on a clean system; if you are not successful with the F-Secure Rescue CD 3.01, search in "aunt" Google for a good rescue CD.

MAM

#18
srtools1980y

    Elite Member

  • Honorary Members
  • 816 posts
MAM

I didn't mean you.

Message (do it patiently) is meant for marktreg.

I just googled C:\WINDOWS\system32\drivers\mrxdavv.sys &
C:\WINDOWS\system32\kwave.sys

But nothing useful.

Anyhow let marktreg finish the full scan.

marktreg

Don't worry. Experts are here to resolve your problem.

#19
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male
Please try the tools in my posting #15!!!

MAM

#20
MAM

    Elite Member

  • Honorary Members
  • 745 posts
  • Gender:Male

srtools1980y, on Sep 6 2009, 06:30 PM, said:

MAM

I didn't mean you.

Message (do it patiently) is meant for marktreg.

I just googled C:\WINDOWS\system32\drivers\mrxdavv.sys &
C:\WINDOWS\system32\kwave.sys

But nothing useful.

Anyhow let marktreg finish the full scan.

marktreg

Don't worry. Experts are here to resolve your problem.

OK, thanks for your reply, that was my fault, a misunderstanding.

MAM




