
Rootkit.0access infection or false positive


Hi,

I am new here and am trying to figure out whether MB gave me a false positive or my computer has a rootkit virus. MB has given me false positives in the past, and I have always been able to verify these online, but I am coming up with nothing for this new catch.

I experienced a problem while trying both to save a webpage and while attempting to browse files to upload at a site that I regularly use. Basically the browser kept hanging up or slowing way down each time after the file window appeared. I killed the browser and reloaded. The same thing occurred. I killed it again. Then I defragged my hard drive and optimized the registry and rebooted. The same thing occurred again. I thought the website was having problems, so I decided to do something else. I clicked on an MHT file that I had previously saved and the browser crashed while opening the file. I tried a few more times with the same result. I turned off JavaScript for the browser and disconnected from the internet, and the file still crashed the browser. I rebooted again. After the desktop appeared I received a message that my touchpad was turned off due to another device trying to access the settings (or having been installed); however, the touchpad worked just fine and had not been deactivated. I looked at the hardware settings under Device Manager and only one touchpad was showing installed. At that point, I loaded MB, updated the settings and then scanned my drive. The following file was reported as infected: C:\WINDOWS\$hf_mig$\KB957097\SP3GDR\mrxsmb.sys (Rootkit.0access) -> No action taken. I did not take any manual action since this is a system file. Maybe I should have gone ahead since it is located in the XP installation directory. Since it is not in the system folder, I think it may be a false positive and the other problems were caused by temporary OS instability. I searched for information about Rootkit.0access and all I could find were "true" infections and no reported false positives for the mrxsmb.sys file. I referred to the following MB page and backed up my registry with ERUNT as well as backing up the registry with the XP restore function:

http://forums.malwarebytes.org/index.php?showtopic=114522

I then ran TDSSKiller, which found 13 suspicious objects, medium risk. 12 are UnsignedFile.Multi.Generic and 1 is reported as a TDSS File System. The instructions in the MB topic indicated that these files should be skipped. Now I am wondering if I should run ComboFix, as I am still not totally convinced this is a false positive, especially since it is reported as a rootkit and no one else is reporting false positives. So I wondered what an expert's opinion would be in regard to it being a false positive or a real infection. I have a clone backup of my system and can reinstall it. However, I want to remove the virus first before attempting that. I have 2 OSes on the same hard drive on 2 different partitions. I can switch to the other to reinstall the first partition by simply marking the other partition as the active partition and rebooting. If this is a real infection, I am a little concerned that the rootkit might have infected the other partition. I doubt it will help, but I deleted the drive letter of the 2nd partition for now. I have attached a zip with the MBAM, TDSSKiller, and DDS logs (with some comments), the suspected infected file, mrxsmb.sys, and a screenshot of all the mrxsmb.sys files found on my computer with modified and created dates. The file with the created date of today is a copy I made to upload.

logs.zip

During the time period preceding the reported infection, I cannot recall doing anything that might have put my computer at risk except for perhaps using the following proxy. When I was finished with the proxy I clicked on the "clear cookies" button, which only clears the proxy cookies. Maybe it did something else. It might be worth checking if this website is infected, but I am not sure how to do it:

http://www.homeproxy.net/

So what should I do next? I am hoping to take care of this tonight as I have some work I need to get done. Thanks for reading.

I ran ComboFix. The first time, the computer turned off when it got to a certain stage. CF made it at least to stage 30. I was not watching when it happened. It may be that the laptop overheated, as I cool it with an external fan that I accidentally pulled back a little too far. However, it did not feel like it overheated. I suppose that I should have restored the system before trying to run CF a 2nd time, but I did not.

The 2nd time CF completed just fine. The main log file is pretty short and there is nothing noted about viruses or security concerns. I checked the Qoobox Quarantine directory and there are a number of files that were quarantined. How do I tell if any of them are a real concern or just false positives? I looked at a couple of files that look just fine to me: win.ini.vir, FFSJ.cfg.vir. Not that I know that much about it. Some of these files came on my computer when it was new. And MS Works came from a valid installation. So I think many of these files will need to be restored:

2012-09-11 08:02:59 . 2012-09-11 08:02:59 680 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Sonic RecordNow!.reg.dat
2012-09-11 08:02:58 . 2012-09-11 08:02:58 628 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-HP Component Manager.reg.dat
2012-09-11 07:39:50 . 2012-09-11 07:57:23 10,513 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-09-11 07:27:11 . 2012-09-11 07:49:21 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-07-07 10:20:15 . 2010-07-07 10:20:15 404 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\OBE\WINDOWS\win.ini.vir
2007-12-07 14:37:14 . 2007-12-07 14:37:14 3,059,200 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET17.tmp.vir
2007-12-07 01:07:14 . 2007-12-07 01:07:14 615,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET10.tmp.vir
2007-12-07 01:07:14 . 2007-12-07 01:07:14 659,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SETF.tmp.vir
2007-12-07 01:07:13 . 2007-12-07 01:07:13 474,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET11.tmp.vir
2007-12-07 01:07:13 . 2007-12-07 01:07:13 1,494,528 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET12.tmp.vir
2007-12-07 01:07:13 . 2007-12-07 01:07:13 39,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET13.tmp.vir
2007-12-07 01:07:13 . 2007-12-07 01:07:13 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET15.tmp.vir
2007-12-07 01:07:13 . 2007-12-07 01:07:13 449,024 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET16.tmp.vir
2007-12-07 01:07:12 . 2007-12-07 01:07:12 16,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET18.tmp.vir
2007-12-07 01:07:12 . 2007-12-07 01:07:12 1,023,488 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1F.tmp.vir
2007-10-11 03:17:14 . 2010-05-27 22:39:50 573 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\OBE\Application Data\FFSJ\FFSJ.cfg.vir
2004-08-07 13:04:50 . 2004-08-07 13:04:50 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.local.vir
2003-02-21 07:16:08 . 2003-02-21 07:16:08 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\regtlib.exe.vir
2003-02-21 06:42:22 . 2003-02-21 06:42:22 348,160 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\msvcr71.dll.vir
2003-02-20 21:09:18 . 2003-02-20 21:09:18 77,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorsn.dll.vir
2003-02-20 21:08:32 . 2003-02-20 21:08:32 2,482,176 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorwks.dll.vir
2003-02-20 21:06:24 . 2003-02-20 21:06:24 155,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.vir
2003-02-20 21:06:20 . 2003-02-20 21:06:20 282,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\fusion.dll.vir

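To make a ComboFix quarantine listing like the one in the post above easier to triage, here is an added Python helper (not from the forum thread and not part of ComboFix) that parses each row, maps a `.vir` copy under C:\Qoobox\Quarantine back to the path it was moved from, and groups rows by that original directory; the three sample rows are constructed from the format shown in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows in the "created . modified size attrs path" layout ComboFix prints.
SAMPLE_LISTING = r"""
2012-09-11 07:39:50 . 2012-09-11 07:57:23 10,513 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-07 10:20:15 . 2010-07-07 10:20:15 404 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\OBE\WINDOWS\win.ini.vir
2007-12-07 14:37:14 . 2007-12-07 14:37:14 3,059,200 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET17.tmp.vir
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"

@dataclass
class QuarantineEntry:
    created: str
    modified: str
    size: int                      # bytes, with the thousands separators removed
    attrs: str
    quarantine_path: str
    original_path: Optional[str]   # None for ComboFix's own registry backups and logs

def original_location(qpath):
    # C:\Qoobox\Quarantine\C\WINDOWS\x.vir  ->  C:\WINDOWS\x ; anything else is not a quarantined file
    if not qpath.startswith(QUARANTINE_ROOT) or not qpath.endswith(".vir"):
        return None
    rel = qpath[len(QUARANTINE_ROOT):-len(".vir")]
    drive, sep, rest = rel.partition("\\")
    return f"{drive}:\\{rest}" if sep and len(drive) == 1 else None

def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a listing row
        entries.append(QuarantineEntry(m["created"], m["modified"], int(m["size"].replace(",", "")),
                                       m["attrs"], m["path"], original_location(m["path"])))
    return entries

def group_by_directory(entries):
    # Quarantined files keyed by the directory they came from; non-.vir rows land under "combofix-internal".
    groups = defaultdict(list)
    for e in entries:
        key = e.original_path.rsplit("\\", 1)[0] if e.original_path else "combofix-internal"
        groups[key].append(e)
    return dict(groups)
```

Feeding the full listing from the post to `parse_listing` and then `group_by_directory` shows at a glance which original directories the quarantined files came from, which is the first thing a helper would look at before deciding what to restore.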

You have replied into your own thread before getting the 1st reply from a helper.

And you are breaking a number of good safe practices; one of them is to not use ComboFix on your own.

And you did not post a fresh DDS log.

You need to start over. I am closing this thread.

Let me suggest, if you're an MBAM customer, you contact the consumer help desk here

Otherwise, Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Follow this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Please post there the contents of the MBAM scan log and the DDS logs.

Don't post your logs here. Once you have made the 1st post, Stop and await a reply from an authorized helper.
