Infected with rootkit please help

May 11, 2010 at 01:21:06
Specs: Windows XP
Hello, my computer is infected with a rootkit, I tried Combofix to fix it, but after a reboot it's still there, Combo still detects rooltkit activity, and I got random redirections from IE and Opera, and sometime a new tab to these random sites opens itself.

I'm considering a reformat, but the MBR seems to be affected as well, how am I going to remove it without a repartitioning? Thank you ver much for you help!

See More: Infected with rootkit please help

May 11, 2010 at 01:24:10

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x88912EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba77ecb8
\Driver\atapi -> atapi.sys @ 0xba7107b4
\Driver\iaStor -> iaStor.sys @ 0xba67778c
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xba4f7ba0
PacketIndicateHandler -> NDIS.sys @ 0xba4e6a0b
SendHandler -> NDIS.sys @ 0xba4fab31
user & kernel MBR OK


Report •

May 11, 2010 at 01:28:31

You can take help of "Sophos Anti-Rootkit" application which is a Free rootkit detection and removal tool.
To download Anti-Rootkit application proceed to the following link:

Thank you :)

Report •

May 11, 2010 at 01:31:24
Thank you for your quick response, I have tried the roolkit buster from trend micro, it detected nothing, but I'll try the Sophos when I get home, thanks.

Report •

Related Solutions

May 11, 2010 at 13:55:49
sorry, Sophos didn't work either. Not even rewriting the MBR with fixmbr command works. It's probably the sinowal thing, which seems to be very hard to detect and remove.

I'm going to buy a new drive, copy my files and then use my nuclear weapon, low level format, on the infected one. Nothing survive that, damn the russian hackers.

Report •

May 11, 2010 at 20:54:13
You could also try Kaspersky Anti Virus 2010 and do a deep scan. It worked wonders with a nasty as hell virus I had a few months ago.

Report •

May 12, 2010 at 00:11:36
Thanks for the tip! I'll try Kaspersky later, it is indeed nasty as hell! Also the rescue CD from them seems to be helpful too, it has to be the Russians I guess. OK, these two will be my last options before the final nuke!

The good thing out of this is that I decided to order a Intel SSD for the system and a normal HDD for backups.

Report •

May 12, 2010 at 12:42:02
Wow, I am impressed! The Kaspersky Rescue CD cleaned it up! It was not the sinowal but an other nasty stealth rootkit, Still the kaspersky CD made it so easy to remove it!

I recommend everyone who has problems of random redirections form google search results, or when windows defragmentation can't move certain file, but can't find the virus, to download the Rescue CD image, burn to a CD, boot from it and let Kaspersky do it's things. Under the infected windows it's very hard to detect some rootkits.

Thanks for the tips! Now I can close all those tabs about rootkits.:-) And I'm going to test my SSD in a few days.

Report •

Ask Question