
Help with Rootkit.Mentil



I apparently have a nasty virus on my work computer. I've been having problems with it since getting this "new" computer, and our IT guy at work (who is less of an IT guy and more of an engineer) seems to only be making the problem worse. His solution is to block yahoomail and gmail.

I ran the Kaspersky TDSS killer a few days ago, and it found 6 viruses but is now finding nothing. I also ran the free scan through PC Tools Spyware Doctor, and it found a plethora of issues that none of the virus protection my company uses can find, but since this is my work computer and not my home computer I can't exactly pay for a year subscription to get rid of it. But through the Spyware Doctor scan, it found that there are 2 Rootkit.Mentil infections and a scarily high number (almost 2000) of tracking & spyware from those infections.

I didn't realize there was still a problem with my computer until I started doing a Google search, and whatever website I chose would take me to a random search engine that is clearly a virus.

Okay I'm currently using Windows Essentials, and I do have MBAM, as well as Advanced SystemCare 5. WE, ASC, and MBAM haven't found any of the things that Spyware-Doctor did.

Here is my latest report from MBAM Quick Scan:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.22.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

copy1 :: COPYONE [administrator]

3/22/2012 12:15:17 PM

mbam-log-2012-03-22 (12-15-17).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 239940

Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Here is my DDS scan:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by copy1 at 14:04:48 on 2012-03-22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2020.778 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe

C:\WINDOWS\system32\IProsetMonitor.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe

C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\WOTraffic\WOTraffic.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\iMediaTouch\Production\MTP.exe

C:\Program Files\iMediaTouch\Production\OMTdb2x.EXE

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [pdfFactory Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM

mRun: [JobHisInit] c:\program files\rmclient\JobHisInit.exe

mRun: [MplSetUp] c:\program files\rmclient\MplSetUp.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [iSTray] "c:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [cfgbin] c:\documents and settings\all users\cfgbin.exe

dRun: [dplaysvr] %APPDATA%\dplaysvr.exe

dRun: [synclogon] c:\documents and settings\all users\Synclogon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1316813974765

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc.cab

TCP: Interfaces\{DF5ED57E-36B1-43C5-B666-A1A3551000E6} : NameServer = 192.168.2.3,4.2.2.2,192.168.4.3

TCP: Interfaces\{F5320189-CCE8-4D64-970B-4DAD31BC3330} : DhcpNameServer = 10.1.10.1

Notify: igfxcui - igfxdev.dll

Hosts: 94.63.147.17 www.bing.com

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-3-22 331880]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-3-22 342168]

R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-3-22 909728]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKsl8970073a;MpKsl8970073a;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\MpKsl8970073a.sys [2012-3-22 29904]

R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-3-20 185560]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-3-9 913752]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-3-22 550864]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2012-1-26 132768]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-1 652360]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-3-22 402336]

R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-3-22 1117624]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-9-23 2656280]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-1 20464]

R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-3-22 56840]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-22 136176]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-9-23 1691480]

S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [2011-9-23 174248]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-22 136176]

S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-9-23 45056]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]

.

=============== Created Last 30 ================

.

2012-03-22 14:54:31 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\MpKsl8970073a.sys

2012-03-22 14:54:14 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\offreg.dll

2012-03-22 14:47:29 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\mpengine.dll

2012-03-22 13:45:40 -------- d-----w- c:\documents and settings\copy1\local settings\application data\Google

2012-03-22 13:44:53 767952 ----a-w- c:\windows\BDTSupport.dll

2012-03-22 13:44:53 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys

2012-03-22 13:44:52 2250704 ----a-w- c:\windows\PCTBDCore.dll

2012-03-22 13:44:52 1681360 ----a-w- c:\windows\PCTBDRes.dll

2012-03-22 13:44:52 149456 ----a-w- c:\windows\SGDetectionTool.dll

2012-03-22 13:44:15 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2012-03-22 13:44:15 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys

2012-03-22 13:44:14 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2012-03-22 13:44:11 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2012-03-22 13:44:11 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2012-03-22 13:44:10 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys

2012-03-22 13:44:04 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2012-03-22 13:43:58 -------- d-----w- c:\program files\PC Tools

2012-03-22 13:26:48 -------- d-----w- c:\documents and settings\copy1\local settings\application data\Threat Expert

2012-03-20 21:35:45 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2012-03-20 21:35:42 -------- d-----w- c:\program files\common files\PC Tools

2012-03-20 21:35:08 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2012-03-20 21:35:06 -------- d-----w- c:\documents and settings\copy1\application data\TestApp

2012-03-20 21:28:51 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-19 16:20:45 602112 ----a-w- c:\windows\system32\SET1B6.tmp

2012-03-19 16:20:45 55296 ----a-w- c:\windows\system32\SET1B5.tmp

2012-03-19 16:20:45 105984 ----a-w- c:\windows\system32\SET1B0.tmp

2012-03-19 16:20:44 916992 ----a-w- c:\windows\system32\SET1AE.tmp

2012-03-19 16:20:44 247808 ------w- c:\program files\internet explorer\SET1C0.tmp

2012-03-19 16:20:44 2000384 ----a-w- c:\windows\system32\SET1BA.tmp

2012-03-19 16:20:44 12800 ------w- c:\program files\internet explorer\SET1BF.tmp

2012-03-19 16:20:43 184320 ----a-w- c:\windows\system32\SET1BB.tmp

2012-03-19 16:20:43 1212416 ----a-w- c:\windows\system32\SET1AF.tmp

2012-03-19 16:20:42 5979136 ----a-w- c:\windows\system32\SET1B4.tmp

2012-03-19 16:19:57 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-03-19 16:19:57 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-19 16:19:10 726528 ----a-w- c:\windows\system32\SET1A6.tmp

2012-03-19 16:18:34 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2012-03-13 18:51:02 -------- d-----w- c:\documents and settings\copy1\application data\webex

2012-03-13 17:58:48 366 ----a-w- C:\cc_20120313_135847.reg

2012-03-13 17:56:46 366 ----a-w- C:\cc_20120313_135644.reg

2012-03-13 17:50:04 366 ----a-w- C:\cc_20120313_135002.reg

2012-03-09 16:16:52 2284 ----a-w- C:\cc_20120309_111650.reg

2012-03-09 14:51:54 -------- d-----w- c:\windows\system32\winrm

2012-03-09 14:51:54 -------- d-----w- c:\windows\system32\GroupPolicy

2012-03-09 14:51:47 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2012-03-09 14:50:21 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-03-09 14:37:08 -------- d-----w- c:\documents and settings\all users\application data\IObit

2012-03-09 14:37:00 -------- d-----w- c:\documents and settings\copy1\application data\IObit

2012-03-09 14:36:52 -------- d-----w- c:\program files\IObit

2012-03-08 18:45:36 2433024 ------w- c:\windows\UNNMP.exe

2012-03-08 18:43:14 106496 ----a-w- c:\windows\system32\TwnLib20.dll

2012-03-08 18:43:13 364544 ------w- c:\windows\system32\TwnLib4.dll

2012-03-08 18:43:12 476320 ------w- c:\windows\system32\ImagXpr7.dll

2012-03-08 18:43:12 471040 ------w- c:\windows\system32\ImagXRA7.dll

2012-03-08 18:43:12 262144 ------w- c:\windows\system32\ImagXR7.dll

2012-03-08 18:43:12 1568768 ------w- c:\windows\system32\ImagX7.dll

2012-03-08 18:43:10 38912 ------w- c:\windows\system32\picn20.dll

2012-03-08 18:43:04 155648 ----a-w- c:\windows\system32\NeroCheck.exe

2012-03-08 18:41:43 6994 ----a-w- C:\cc_20120308_134142.reg

2012-03-08 18:41:30 65472 ----a-w- C:\cc_20120308_134128.reg

2012-03-08 17:59:49 -------- d-----w- c:\windows\pss

2012-03-08 17:56:10 684 ----a-w- C:\cc_20120308_125609.reg

2012-03-08 17:51:37 366 ----a-w- C:\cc_20120308_125135.reg

2012-03-08 15:42:40 332 ----a-w- C:\cc_20120308_104238.reg

2012-03-08 15:42:21 10818 ----a-w- C:\cc_20120308_104219.reg

2012-03-08 15:33:50 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-03-08 15:33:50 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

2012-03-16 12:40:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys

2012-02-01 19:14:14 1170 ----a-w- C:\cc_20120201_141410.reg

2012-02-01 19:13:54 225580 ----a-w- C:\cc_20120201_141346.reg

2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-01-26 19:32:38 8413 ----a-w- c:\windows\system32\drivers\osaio.sys

2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 14:05:21.03 ===============

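As an added example (not part of this thread, and not code from any of the tools mentioned in it), here is a small Python triage script that applies the checks a helper would apply by eye to the "Pseudo HJT Report" section of the DDS log above: autostart (Run) entries launching from user-writable profile directories, a hosts-file entry that points a well-known domain at a public IP address, and DNS resolvers outside private address space. The sample lines are copied from the DDS report above; the heuristics, severity labels and function names are my own assumptions.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log (added example)."""
import re
from ipaddress import ip_address

# Constructed sample input: lines copied from the DDS report posted above.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [cfgbin] c:\documents and settings\all users\cfgbin.exe
dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
TCP: Interfaces\{DF5ED57E-36B1-43C5-B666-A1A3551000E6} : NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
Hosts: 94.63.147.17 www.bing.com
"""

# Autostart targets living in user-writable profile directories (rather than
# Program Files or the Windows directory) deserve a second look.
PROFILE_HINTS = ("documents and settings", "%appdata%", "application data",
                 "local settings", "%userprofile%", "%temp%")

RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
DNS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def command_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the path runs up to the first ' /' or ' -' switch, if any.
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def triage(report: str) -> list:
    """Return (severity, message) findings for one DDS Pseudo HJT report."""
    findings = []
    for line in report.splitlines():
        if m := RUN_RE.match(line):
            path = command_path(m["cmd"]).lower()
            if any(h in path for h in PROFILE_HINTS):
                findings.append(("high", f"{m['hive']}Run [{m['name']}] starts from a profile dir: {path}"))
        elif m := HOSTS_RE.match(line):
            # 127.0.0.1 / 0.0.0.0 hosts entries are normal blocking; a public
            # address silently redirects the name somewhere else.
            if ip_address(m["ip"]).is_global:
                findings.append(("high", f"hosts file sends {m['host']} to public IP {m['ip']}"))
        elif m := DNS_RE.search(line):
            for ns in m["servers"].split(","):
                if ip_address(ns).is_global:
                    findings.append(("review", f"public DNS resolver configured: {ns}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE):
        print(f"[{severity}] {message}")
```

Findings tagged "review" are not verdicts: a public resolver may well be intended, but on a machine with search redirects it is worth confirming against what the network is supposed to hand out.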

  • 2 months later...

Hello adleisia and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt

How is the PC running now?

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
