Jump to content

Rootkit impossible to remove


Recommended Posts

Last week my brother asked for my help because "his laptop wouldn't start" showing a BSOD when you tried to boot.

He hasn't used an AV for more than a year despite mi several warnings.

Obviously I performed a MBAM scan and it found 47 infections, most of the "harmless" trojans, but there's a nasty Vundo variant that won't go away. It's there after every reboot.

I performed 4 MBAM scans, both on normal and safe mode. 2 SAS scans (normal and safe). 1 Avira scan. 1 Kaspersky AVP Tool scan. Still there.

I used HijackThis and AVG anti-rootkit. I thought I had beaten this nasty, but MBAM says it's still there.

I waited a few days for new definitions, but still no luck. Last time I tried was 4 days ago. I scanned with MBAM, selected "Remove all selected" and rebooted. After that I scanned again, so I could save 2 logs, so you could maybe see what's going on. Logs are in spanish, but I think they are very straightforward to understand.

Here is the MBAM log for the 1st scan:

Malwarebytes' Anti-Malware 1.40


Link to post
Share on other sites

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:


Next, please perform a rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard and paste it in a reply back here
  • Now, relaunch the ARK program, and click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.


Please download Combofix from one of these locations:


I want you to rename Combofix.exe as you download it to a name of your choice such as explorer.exe


  • It is very important that save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    [*]For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:


Very Important! Temporarily disable your Symantec antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:


Also, disable your firewall!

You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a log file located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post ARK.txt and C:\ComboFix.txt in your next reply.

BTW, a new version of MBAM was released v 1.41

Uninstall MBAM v 1.40

Next, download Malwarebytes' Anti-Malware (MBAM) version 1.41 to your desktop from:






Double-click mbam-setup.exe and follow the prompts to install the program. At the end of the install, UNcheck the following two options:

  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware

  • Click Finish.
  • Close MBAM and rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\notepad.exe"
  • Now relaunch MBAM from the Windows Start Menu or by double-clicking notepad.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please post the MBAM v 1.41 log.

I would like to collect some infected file samples of anything that MBAM is unable to remove so the next definition updates will include complete coverage for those threats. I'll let you know what samples I need and how you can submit them - thanks in advance!

Link to post
Share on other sites

Ok, here is the log from the Gmer "quick" scan.

GMER - http://www.gmer.net

Rootkit quick scan 2009-09-14 18:13:38

Windows 5.1.2600 Service Pack 2

Running: gxmiwbj6.exe; Driver: C:\DOCUME~1\KINGVA~1\CONFIG~1\Temp\aujasnkj.sys

---- System - GMER 1.0.15 ----

SSDT spax.sys ZwEnumerateKey [0xF750ECA2]

SSDT spax.sys ZwEnumerateValueKey [0xF750F030]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 4417c335.sys

Device \FileSystem\Ntfs \Ntfs 84F891F8

Device \Driver\Tcpip \Device\Ip 4417c335.sys

Device \Driver\Tcpip \Device\Tcp 4417c335.sys

Device \Driver\Tcpip \Device\Udp 4417c335.sys

Device \Driver\Tcpip \Device\RawIp 4417c335.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\4417c335.sys (*** hidden *** ) [sYSTEM] 4417c335 <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\5ba3cbde.sys (*** hidden *** ) [sYSTEM] 5ba3cbde <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\ba1f2c63.sys (*** hidden *** ) [sYSTEM] ba1f2c63 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Make sure you can view hidden files and folders

You have an infected copy of a Windows system file called beep.sys which we have to replace with a clean version. To that end, I have attached a zipped XP beep.sys file to this reply. You will have to download and extract as follows - making absolutely sure the file is unzipped to the proper folder that I have given you instructions to unzip it to:

1. Download the attached file beep.zip to your root directory C:\

2. Unzip beep.zip to C:\beep.sys

3. Very Important:Using Windows Explorer, verify that the file C:\beep.sys exists - before moving on to the next step.

We have some more items to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk, Windows Updates or any scanners. Then re-enable after you get the new Combofix report.

Referring to the picture below, drag CFScript.txt into ComboFix.exe (fixme.exe)


This will cause ComboFix to run again.

Please post back the log that is opens when it finishes.












C:\beep.sys | C:\WINDOWS\System32\drivers\beep.sys

C:\beep.sys | C:\windows\system32\dllcache\beep.sys












c:\documents and settings\Administrador\Men


Link to post
Share on other sites

How is the computer running now?

Disable active protection.

Please repeat the quick ARK rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the quick scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARKQuick.txt and post it in your next reply.

You may now re-enable any active protection you disabled before performing the scan.


Did you get a prompt to upload files when Combofix ran and did you respond?

I need you to see if these two files are present using . You must have viewing of hidden files and folders enabled:

c:\documents and settings\Administrador\Men

Link to post
Share on other sites

While I review your logs, can you do me a favor and submit some files so we can include them in our database.

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:


Next, copy and paste the following bolded text into the "Browse to the file you want to submit:" box:


Then click 'Send File'

Please do the same for these files:

C:\Qoobox\Quarantine\C\Documents and Settings\King Valenzuela\Men

Link to post
Share on other sites

Thanks very much but can I ask you to upload these five zipped driver files, as well. I would very much appreciate it!

To make it easier, just create a folder on your desktop and move or copy all the following drivers into it:






Then zip it up to create drivers.zip

Then go to my submission page here:


and upload drivers.zip which contains the above five drivers to my malware submission channel please.

Link to post
Share on other sites


  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.