MBAM (full $$ version) did not find rootkit

[Chuck_P]

My wife's XP PC started reporting phony virus infections and trying to get money for "XP Defender". Very common these days. MBAM found several infections including AVE.EXE and cleared them out. After that the phony alerts stopped. I decided to install full MBAM with real time scanning as a precaution. It began alerting me about blocked access attempts from IP addresses that were in Russia. I also found I could not connect to Windows Update or update Windows Security Essentials. A full MBAM scan taking several hours found nothing. I then tried TDSSKILLER which reported a rootkit infection on atapi.sys but failed to clean it on several attempts. I tried replacing atapi.sys from CD using Windows Recovery console. No help. At this point I was about ready to reformat the drive (all the data is backed up in 3 places) and start over but thought about all time it would take to reinstall all the apps. I then tried COMBOFIX. It reported the rootkit infection was in fact in iastor.sys and cleaned it out. Rebooted and all appears to be well. No more access alerts from MBAM, Windows Update and SE update work again. As a triple check I ran a scan with GMER and it found no problems.

Bottom line: With all the nasty malware out there you need several tools in your toolbox. Even though MBAM did not find the rootkit, the real time protection still proved very valuable in letting me know the PC still had a problem.

[noknojon]

Hello Chuck P ,Welcome to Malwarebytes.org

There is a chance that the infection was already there prior to installing, and Malwarebytes finding it -

If you would still like our experts to re-check it you can follow these directions and they will go over your system for you -

As we don't work on Malware removal or diagnostics in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Thank You -

[DarkSnakeKobra]

Hi Chuck P and welcome to Malwarebytes'!

Please do not use COMBOFIX under any circumstances, unless you are being assisted on a malware removal forum. COMBOFIX is very powerful and without the right knowledge you can do major damage to your system. Plus it is under constant updates from the creator as one bad version can cause major problems.

[Chuck_P]

The infection was definitely there prior to installing MBAM. I was not aware of MBAM, Combofix, GMER or any other malware tools before my wife's PC was infected. I just went on the net and looked for solutions to the problem and figured it would be good learning experience. It was! I'm an I.T. Network Engineer but have never had to deal with malware before. Probably because I mostly use Linux at work.

As for the dangers of Combofix, I was not aware of that. However, since all the data on my wife's PC was fully backed up in multiple places I was prepared to reformat the drive and do a bare metal re-install if needed. Luckily, that was not necessary. Seems to be fine now.

Thank you for your comments. I now know where to go if I run into malware problems again.

Hi Chuck P and welcome to Malwarebytes'!

Please do not use COMBOFIX under any circumstances, unless you are being assisted on a malware removal forum. COMBOFIX is very powerful and without the right knowledge you can do major damage to your system. Plus it is under constant updates from the creator as one bad version can cause major problems.