Can't Get Rid of Anti-Malware Doctor

That scan took a very long time. The log is below. Are we close to fixing it?

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-28 21:47:56

Windows 5.1.2600 Service Pack 3

Running: mpn7kvvn.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxrdapow.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF75EEE22]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF75CFCDC]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF75CFECE]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF75EF610]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF75EF8C4]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF75EDB14]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF75EFD30]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF75EF0E2]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF75CF982]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 108 804E2774 5 Bytes [DC, FC, 5C, F7, CE]

.text ntoskrnl.exe!_abnormal_termination + 10E 804E277A 2 Bytes [5C, F7]

init C:\WINDOWS\system32\drivers\o2mmb.sys entry point in "init" section [0xF745C320]

.rsrc C:\WINDOWS\System32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF79D6E14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A

.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

.text C:\WINDOWS\system32\svchost.exe[576] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E9000A

.text C:\WINDOWS\Explorer.EXE[880] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[880] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[880] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 PCTCore.sys (PC Tools KDS Core Driver/PC Tools)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 CLASSPNP.SYS (SCSI Class System Dll/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 87232D01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\kbdclass.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


The rootkit is still present.

This will fix the infection and possibly free up the blue screen.

Please go to Start > Run then type in cmd then hit the ok button.

In the black box that comes up please copy the text in bold below into the command prompt window and hit enter.

expand "C:\WINDOWS\i386\KBDCLASS.SY_" C:\KBDCLASS.SYS

If it works correctly you will see a 1 file(s) expanded message.

If you do not see that message then DO NOT PROCEED but rather stop and alert me to it.

Also check that there is actually a file named kbdclass.sys in the C:\ drive before rebooting into the Recovery Console.

=================================

Boot into Recovery Console as you did before and log on to the current installation.

When you get to the Recovery Console prompt, type ren C:\WINDOWS\System32\DRIVERS\kbdclass.sys kbdclass.vir and press "Enter".

At the next line type in this copy C:\KBDCLASS.SYS C:\WINDOWS\System32\DRIVERS\ and press Enter.

You should see a 1 Files(s) copied message if it works correctly.

After that has been done type in exit then it will restart the computer.

See then if you can boot normally into windows.


Here it is:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-29 22:58:54

Windows 5.1.2600 Service Pack 3

Running: 7gpcd94p.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxrdapow.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF75EEE22]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF75CFCDC]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF75CFECE]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF75EF610]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF75EF8C4]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF75EDB14]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF75EFD30]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF75EF0E2]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF75CF982]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 108 804E2774 5 Bytes [DC, FC, 5C, F7, CE]

.text ntoskrnl.exe!_abnormal_termination + 10E 804E277A 2 Bytes [5C, F7]

init C:\WINDOWS\system32\drivers\o2mmb.sys entry point in "init" section [0xF745C320]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 PCTCore.sys (PC Tools KDS Core Driver/PC Tools)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Ok at this point we are only dealing with the blue screen which is good.

I will need as much info as possible about it.

The stop code you gave me does it list a file below it?

Or a file name mentioned at all?

Does it blue screen as soon as you see the Xp screen or the Welcome screen?

Can you load into Safe Mode with networking or Just safe mode?

Does it blue screen in any other mode of Windows? i.e. safe mode with networking, Last known good configuration?

Try each of the different types of bootup and let me know the results.

Any other details would be helpful.


Hi,

Here's what I can tell you:

1. The stop code is below. No file or driver is listed. Nothing comes after the stop code.

STOP: 0x0000007E (0xC0000005,0x80599F19,0xF7B61690,0xF7B6138C)

2. The blue screen appears soon after the Windows xp logo appears on the screen - say 4-5 seconds.

3. I cannot load safe mode with networking. But I can load safe mode with command prompt.

4. I cannot load safe mode with Last known configuration.

5. I cannot load in Directory services restore mode.

6. As it's loading drivers in safe mode with networking, it crashes after loading windows system32 drivers mup.sys.

7. Recovery console opens without problems in safemode.

I think that I've tried all the different options. Let me know if there's more info I can give you.

T



Ok please do the following.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :Filefind
    atapi.*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 20:20 on 31/05/2010 by Administrator (Administrator - Elevation successful)

========== Filefind ==========

Searching for "atapi.*"

C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [02:59 04/08/2004] [02:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684

C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [21:03 21/05/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\i386\ATAPI.SY_ --a--c 47242 bytes [17:33 03/09/2003] [12:00 31/03/2003] 4A425C994A72B0C6D7D19171A83EB78E

C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [17:43 03/09/2003] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--- 86912 bytes [17:43 03/09/2003] [12:00 31/03/2003] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-

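The SystemLook listing above gives an MD5 for every copy of atapi.sys on the disk, which is exactly what is needed to check whether the live driver in system32\drivers still matches the uncompressed reference copies in ServicePackFiles and the ERDNT cache. The following is an added example, not part of the thread or of SystemLook itself: it parses the Filefind line format shown above (the sample lines are constructed from the values posted) and reports whether the live driver's hash agrees with the cached copies. Compressed .SY_ copies are skipped because their hash necessarily differs from the expanded file. A match is only as good as the caches: a hash taken from offline installation media is the stronger reference when the caches themselves may have been touched.

```python
import re

# Constructed sample in the SystemLook :Filefind format (values from the thread).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
========== Filefind ==========
Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [02:59 04/08/2004] [02:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [21:03 21/05/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [17:43 03/09/2003] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
-=End Of File=-
"""

# One Filefind line: path, 6-char attribute field, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<attrs>\S{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line; header and footer lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def check_live_driver(entries, live_dir="\\system32\\drivers\\"):
    """Compare the live driver's MD5 with the uncompressed cache copies.

    Returns (verdict, live_md5, reference_md5s). 'match' means the live file
    equals a ServicePackFiles or ERDNT copy, 'mismatch' means it equals none,
    'unknown' means no live file or no reference copy was listed.
    """
    live = [e for e in entries if live_dir.lower() in e["path"].lower()]
    refs = [e for e in entries
            if e["path"].lower().endswith(".sys")  # skip compressed .SY_ copies
            and ("servicepackfiles" in e["path"].lower() or "erdnt" in e["path"].lower())]
    ref_md5s = sorted({r["md5"] for r in refs})
    if not live or not refs:
        return "unknown", None, ref_md5s
    live_md5 = live[0]["md5"]
    return ("match" if live_md5 in ref_md5s else "mismatch"), live_md5, ref_md5s


if __name__ == "__main__":
    print(check_live_driver(parse_filefind(SAMPLE_LOG)))
```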

Ok reboot into the Recovery Console as you did before.

At the command prompt type in the following commands and hit enter after typing each bolded line.

ren C:\Windows\system32\drivers\atapi.sys atapi.vir hit Enter.

expand C:\cmdcons\ATAPI.SY_ C:\Windows\system32\drivers\ /y hit Enter.

You should see a 1 file(s) expanded message and it will say atapi.sys.

Then type in exit and reboot into normal windows and let me know how it goes.


I made the changes below without problem, but I still get a blue screen error, at the same place as before.

T

Ok reboot into the Recovery Console as you did before.

At the command prompt type in the following commands and hit enter after typing each bolded line.

ren C:\Windows\system32\drivers\atapi.sys atapi.vir hit Enter.

expand C:\cmdcons\ATAPI.SY_ C:\Windows\system32\drivers\ /y hit Enter.

You should see a 1 file(s) expanded message and it will say atapi.sys.

Then type in exit and reboot into normal windows and let me know how it goes.



Ok is there any possibility you can get your hands on an xp disk?

We will surely need it to repair this computer.

Your system files are missing and I think that is what is causing the issues.

See if you can borrow one or get one and let me know.


No it is not possible to do that unless you can purchase one or take it somewhere but basically it needs a repair installation to replace the missing corrupted drivers.

You can order one through the manufacturer of the computer or borrow one from a friend.


I have a Fujitsu Restore disk that allows me to restore the original contents of the C: drive. Could I use that? Perhaps this might delete everything though?

T



Okay, it looks like I'll be able to borrow one. What do I do when I get it? I don't have an activation key because XP was pre-loaded. Will I need one? Will I be able to use the one that comes with the disk I'm borrowing?

By the way, Fujitsu tells me that if I use my Restore disk, all my files will be cleaned off.

Thanks,

T


Yes it has to be the same version of XP.

If you used your restore disk then yes it would want you to reformat.

At this point that option would not be that bad because of the damage done to the system overall.

You can burn your items to a cd or transfer the items you wish to keep over to a flash drive to back up the items before reformat.

Let me know though if you can get a xp pro disk.


Hi,

I used the restore disk, reformatted, and reinstalled everything. It took a little while, but in the end my system is much faster than before, so perhaps it was all worth it in the end.

I just wanted to thank you for all your help. I very much appreciate having this forum for assistance.

I'm thinking of purchasing the pro version of anti-malware bytes, if it would help prevent such infections in the future. Does it give real time protection?

Thanks again,

T



I just wanted to thank you for all your help. I very much appreciate having this forum for assistance.
You are welcome :)
I'm thinking of purchasing the pro version of anti-malware bytes, if it would help prevent such infections in the future. Does it give real time protection?
Yes it does, it has an IP address blocking feature that protects against malware domains (it is very effective) and it protects against malicious file execution.

Also as a paid member you get free tech support.

But most of all you need a good antivirus shield most paid for versions have better protection.

I use Kaspersky because it has very good behavioral detection of malicious activity and it is a very good blocker of malicious download etc....

But being that it is an internet security suite it bogs down my system.

The antivirus alone is much better than most out there and would run lighter than running the suite.

But I am biased to it since I use it.

But running a good antivirus and real time mbam will be a very good combo to fight off malware.

Just my 2 cents worth.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent, Limewire, Kazaa, emule, Utorrent etc...


Glad we could help. ;)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
