rootkit blocks download of MBAM

1. I am infected with a rootkit. It is a link redirector. I am running XP-sp3. Trend-Micro virus and rootkit scans found nothing. RootkitBuster and RUBotted found nothing.

2. GMER found several entries which do not belong, but does not offer to remove them. From previous experience, only Ntfs, Fat, Ip, Tcp, Udp, and Rawip (all Trend Micro) are normal. GMER lists the name "P0T0L0-3" (with zeroes) in several places, which is new to this system (and looks like leet-speak?). The GMER logs are attached.

**important note**

3. When trying to download MalwareBytes from CNET, I get a 401-style error message "502 Proxy Error". I can download anything else from CNET except MBAM.

4. I found and installed the random-named MalwareBytes installer (thank you miekiemoes). After a successful installation, the update process failed with the following error message:

"MalwareBytes' Anti-Malware

An error has occurred. Please report this error code to our support team.

PROGRAM_ERROR_UPDATING(12029, 0, WinHttpSendRequest)"

Probably the rootkit again. So I ran it non-updated. It mentioned it was 16 days old. It found one unrelated problem, and quarantined it. I rebooted, ran it again, and it did not find this infection. However, another GMER scan shows the same problems. Both MBAM logs are attached.

5. Before running DDS, I downloaded Defogger, but it says "You must be an Administrator to use Defogger"; however control-panel/users-accounts says I am an admin. I ran DDS without running defogger first. The DDS log is attached.

At this point I will appreciate some direction. I thank you in advance.

Hello kcantrel! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we are working on it.
  • Keep me informed about any changes.

Please post Attach.txt.

Hi Borislav, the DDS attach.txt is attached.

List of unusual software I run:

"IGFX****" came on the system in 2007

"IXOS****" came on the system in 2007

"MS Visual Studio .net 2.0"

"Visual basic 5.0"

Siemens' "Application Consistency Checker", "CAT", "CFOR", "Maxum", "Maxbasic", "Siemens LogCollector", "Siemens Card OS"

Things that are strange to me:

"System Tool2011": I should not have anything "2011"

"vcredist_x86" may be ok, I just do not recognise it

System Tool is a rogue application.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, change it to Cure and then click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

In your next reply, please include these log(s):

  1. TDSSKiller log
  2. a new fresh DDS log only


Just a lucky guy. :)

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

MBAM successfully updated after removing the rootkit. MBAM download from CNET is also no longer blocked. MBAM found nothing.

Malwarebytes' Anti-Malware 1.50
Database version: 5342
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/17/2010 8:17:27 AM
mbam-log-2010-12-17 (08-17-27).txt

Scan type: Quick scan
Objects scanned: 165129
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
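The MBAM 1.50 log format shown above is regular enough to check by script, which is useful when collecting many such logs. This is an added example, not code from the thread or from Malwarebytes; the sample logs are constructed from the posted one, and the path and detection name in the second sample are placeholders.

```python
import re
# Constructed sample, abridged from the MBAM 1.50 log posted in the thread.
CLEAN_LOG = """Malwarebytes' Anti-Malware 1.50
Database version: 5342
12/17/2010 8:17:27 AM
Scan type: Quick scan
Memory Processes Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""
# Constructed variant with one hit; path and detection name are placeholders.
HIT_LOG = CLEAN_LOG.replace("Files Infected: 0", "Files Infected: 1").replace(
    "Files Infected:\n(No malicious items detected)",
    "Files Infected:\nc:\\placeholder\\sample.exe (Example.Detection)"
    " -> Quarantined and deleted successfully.")
COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")    # summary line, e.g. "Files Infected: 0"
SECTION_RE = re.compile(r"^(.+ Infected):$")        # header of a per-category detail list
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d")  # scan timestamp line (has no ": ")

def parse_mbam_log(text):
    """Return header fields, per-category counts and listed detection lines."""
    report = {"header": {}, "counts": {}, "items": {}}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := COUNT_RE.match(line):
            report["counts"][m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            report["items"][section] = []
        elif section is not None:      # inside a detail list
            if line != "(No malicious items detected)":
                report["items"][section].append(line)
        elif DATE_RE.match(line):
            report["header"]["Scan date"] = line
        elif ": " in line:             # "Key: value" header line
            key, _, value = line.partition(": ")
            report["header"][key] = value
    return report

def is_clean(report):
    # True only when every summary count is zero and no detection lines are listed.
    return (all(v == 0 for v in report["counts"].values())
            and not any(report["items"].values()))
```

A count that disagrees with the listed items (for example a non-zero count with no lines under it) makes `is_clean` return False, so a truncated or edited log is not reported as clean.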
