
J Cowan

Our office e-mail network had previously been identified and blacklisted by Barracuda as spamming. When communicating with Barracuda I learned that there had only been one spamming attempt made in the last 30 days. Barracuda said they would change our status, conditionally remove us from the blacklist, and monitor our e-mail.

To try to remove the source of the spamming, I downloaded the latest version of MBAM and began to check our computers. MBAM was downloaded to a flash drive, installed and updated one at a time on each computer. So far, some have had a few malware items to remove, some none, and one that I am now stuck on will not install and/or update. It seems to install (i.e. it puts the shortcut on the desktop) but it will not open the program.

I then located "MBAM wont install or will not run.(TDL2 Rootkit-WinNT.Alureon), TDSS/Sen/UAC/kungsf/SKYNET/H8SRT/4DW4R3/_VOID/PRAGMA+ others listed" <http://forums.malwarebytes.org/index.php?showtopic=12709>. Following the guidance there, I downloaded, installed and ran RootRepeal. The log follows:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/10/15 16:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I did not locate a "what to do next" topic for this but did locate the following post/reply, so I am posting a new topic as indicated. Thanks in advance for the help.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

"Rootkit versus malwarebytes, root kits

Feb 1 2010, 11:51 PM Post #1
New Member
Group: Members
Posts: 2
Joined: 20-May 09
Member No.: 13,970

Hello everyone! I think my system has a really nasty root kit installed. I have tried to use RootRepeal, however it did not find anything other than hiberfil.sys, which I believe is part of Windows. I can't run MWB or HijackThis as well. They just shut down when you try to run them. Even after you rename them. Not sure what else to try. Does anyone have any suggestions? Any help would be great!

--------------------
CYA

=========== REPLY ===========

yardbird
Feb 1 2010, 11:58 PM Post #2

Hi! We don't work on Malware removal in the general forums. Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here. <http://forums.malwarebytes.org/index.php?showforum=7>

One of the expert helpers there will give you one-on-one assistance when one becomes available. After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@