AgzntOrange2
Subject: Trojan rootkit help
Hi, I know I should know better but I downloaded a game from Piratebay and guess what! Win32 trojan. AVP tried to remove but it kept replicating and I ended up with about 10 hits. Finally removed. Malwarebytes could not find any trace. Now I find every day I have a scheduled upload job that my firewall blocks. I guess I have a rootkit. I tried to get into safe mode to run Malwarebytes but F8 doesn't work. Running Windows XP 32-bit. Anyone have a boot to kick me? Any help to figure out how to get into safe mode appreciated. Tks
-----signature-----
http://img.photobucket.com/albums/v324/Lynea/BugsMaroon.jpg Maybe Mormons are secret Muslims (same number of letters and starts with M and ends with S) I think I solved some conspiracy theory...

Speak-pkhq
Title: Sheep's bane
F8 should still work, just spam it during the POST. If you can burn a CD, boot from http://support.kaspersky.com/viruses/rescuedisk and run the scan. Can't hurt!

AgzntOrange2
will burn disk from work, tks

Seffrid
Title: Ancient One
If you have a basic spare keyboard try booting up into safe mode with that connected, some of the more complex keyboards don't respond before Windows has loaded.

AgzntOrange2
OK, will try the other keyboard. I tried to make the boot disk but my writer at work won't recognize disk! Anyway, I came home early (dentist!). I checked task manager; there is an upload to occur every 4 hours:
C:\WINDOWS\system32\rundll32.exe "C:\Program Files\Microsoft Fix it Center\MatsApi.dll",RetryDataUpload
Also a config task, also to run every 4 hrs:
C:\WINDOWS\system32\rundll32.exe "C:\Program Files\Microsoft Fix it Center\MatsApi.dll",RunCollectConfigurationInfo
Likewise, while I was typing this I had a request from Mozilla to upload a plugin, command-plugin.exe. This bad baby doesn't give up and has all the tricks. Thank you, Private Firewall 7.0. I may have to reinstall....... Dumb me.

Seffrid
Title: Ancient One
Have you tried a system restore?

AgzntOrange2
Yes, tried system restore, it never works, always fails. Says unable to restore?

Greybear1andonly
Gonna sound dumb, I know, but Uninstall the Microsoft Fix It Center, which is a real program.

Ah-Schoo
Title: Fuzzy Caterpillar of Friendliness
I've had good luck with safe mode, then ComboFix, and then Malwarebytes. (I haven't run into that particular one yet though.)
-----signature-----
. Opinion = fact. Anecdote = proof. Political label more important than either of those. Welcome to ACF, where debate goes to die. . "fascist totalitarian secular progressive Zionist intellectually challenged Christian puppets." - Aerlinthina

Greybear1andonly
ComboFix
RootKitRevealer
Kaspersky Rescue CD 10

AgzntOrange2
Thanks, no luck with safe mode, will try Kasp disk again tonight. ComboFix found these programs in last month which may be weird?
((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
.
.
2012-02-15 00:42 . 2012-02-15 00:42 -------- d-----w- C:\$AVG
2012-02-04 00:27 . 2010-05-16 10:00 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPPA4.DLL
2012-02-04 00:27 . 2010-05-16 10:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPDA4.DLL
2012-02-04 00:27 . 2010-05-16 10:00 277504 ----a-w- c:\windows\system32\CNMLMA4.DLL
.

Greybear1andonly
I would get rid of AVG.

Lithium_Power
Title: I want my icon back....
Greybear1andonly posted: Gonna sound dumb, I know, but Uninstall the Microsoft Fix It Center, which is a real program.
This

-Mithan-
Title: VNBoard Admin
Reformat. Done.
-----signature-----
I survived to the end and got nothing out of it, but hey.

Ookane
Title: Moderator
-Mithan- posted: Reformat.
Done.
Just refresh your PC - http://blogs.msdn.com/b/b8/archive/2012/01/04/refresh-and-reset-your-pc.aspx
Oh wait, Win8 is not out yet
-----signature-----
WoW - Lightbringer server For the HORDE!!!

AgzntOrange2
Tks for all the help, I seem to be OK now.

The_Korrigan
Title: Scrub Buster
I hope everyone who deactivated his firewall because it was "annoying" (don't laugh, I had customers like that!) has read this!
-----signature-----
SWTOR: 50 Jedi Shadow (Tank), 50 Sith Marauder (Annihilation). LOTRO: Lifetime account, playing very casually. WoW: Both accounts canceled for now. GW2: Future Warrior.

Ashmaele
Title: Pastor of Muppets
Please do not use combo fix if you don't know what you're doing
-----signature-----
I had a dream. It was an incredible dream. When I awoke, I had a huge mess to clean up.