windbg48 is the Troj/NTRootK-BP Rootkit Driver
ack.. just scanned over most of the pages of this thread...
I think you could have backed up your files and re-installed Winblows a dozen times or so by now. ...and that's my suggestion. Save your pics, music, spreadsheets, game saves or whatever to CD, DVD or another hard drive (partition). Then format C: and reinstall Windows, its updates and all drivers and software.
Takes less time than dealing with some of these "bugs".
So very true... and yet, through the power of psychology, here I am, because, come on, I've spent so long on this now that to just give up here would be a waste! Of course, that's baloney, and I know it, but still. Stupid psychology.
Actually, we've very nearly eradicated all visible signs of any infection you had. All that remains is the last 3 registry keys that are being a little stubborn in removing.
Once those keys are removed, other items of malware may become visible. We'll deal with those if necessary.
Download and unzip the attached FixReg.zip to your Desktop.
Reboot to Safe Mode.
Locate FixReg.bat, double-click to run the script.
Reboot to Normal Mode.
Post the following logs:
results.txt (C:\results.txt)
ISeeYouXP
Last edited by ShadowPuterDude; 05-24-2007 at 10:38 PM.
a-squared Team - www.emsisoft.com
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
I feel the same way, Stck... Of course I have had to step back and let SPD take the reins here as I had reached my limit of knowledge, if you can call it that. I guess my feeling is, yes, virtually every piece of malware, viruses or trojans can "easily" be removed with a reformat, and yes, sometimes that may be the only answer if you are dealing with a severely corrupted system, but if you can wipe it out using the tools available and the willingness to stick with it then give it a shot. If nothing else you pick up some knowledge, you gain confidence AND you really decide you aren't gonna let this happen again.
I will stick with something like this till the very end if the poster wants. I figure, that is what this board is here to do, I wouldn't be here if the standard answer was reformat. If it must be done, then it must be done but until all other avenues are exhausted I believe in trying them all.
Agreed - That would have been my call (and I expressed that to Judy) had I been around for the first few posts.
By the time I saw the thread, they were well into it and seemed to be making some headway.
Looks like SPD has nearly eradicated all baddies
'Course, when dealing with rootkits a reformat is generally the best way to go because, as many have said, you can never really trust your system afterwards.....
A busier forum might have pulled the plug a long time ago, but, like most malware warriors, Judy and SPD probably enjoy the challenge!
Well Done Guys!
PP!
Truly, it cannot begin to be expressed how much I appreciate the help that SPD and Judy and PP have given. It's immeasurable. There's no doubt I've learned a ton, so at least there's *some* benefit. I can almost read an HJT log now, and a whole bunch of other things.
In searching Google about this particular rootkit, I came across something called Sophos that claims to find and remove it. I'm not *touching* anything without explicit recommendation from this forum - especially something that no one's said despite the somewhat impressive popularity we seem to be gathering. The only reason I even mention it at all is that it says the IDE file (virus identity file) has only been around since May 2 of this year, so maybe it actually IS viable and just unknown because it's so new.
The new .bat doesn't seem to have done anything, based on my read of the results log, but that and ISeeYouXP are included here.
Open regedit, navigate to each of the following keys and export them:
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ + windbg48
HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ + windbg48
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ + windbg48
Attach the registry exports.
There seem to be some non-standard (non-English) characters involved.
Download GMER
1. Save the GMER.zip file to your desktop
2. Now unzip it to your desktop to reveal a GMER.exe file
3. Double click the GMER.exe file
4. Click the Rootkit tab and then click the Scan button.
5. IMPORTANT: Do NOT use the computer while the scan is in progress.
6. Do not select the "Show all" checkbox during the scan.
7. When it finishes, click the Copy button. This will copy the results to your clipboard.
8. Paste the clipboard into a notepad file and save it to a log (like gmer.log).
9. Attach your log to your next reply.
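One way to check the exported service keys for the "non-standard characters" SPD mentions, which would explain why an ASCII-typed FixReg.bat could not match them: a small .reg parser plus a scan for non-ASCII code points in key paths and value names. This is an added example, not a tool from the thread; the export text is constructed (the ImagePath and the accented value name are made up for illustration).

```python
import re
# Constructed sample (not from the thread) of a Services\windbg48 export; one value name deliberately has "é".
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48]
"Start"=dword:00000003
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,\
  64,00,62,00,67,00,34,00,38,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="windbg48"
"Déscription"="kernel helper"
"""

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Parse .reg text into {key: {value_name: (type, data)}}; a real export on disk is UTF-16LE (open with encoding='utf-16')."""
    keys, current = {}, None
    text = re.sub(r',\\\r?\n\s*', ',', text)  # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"'):
            value = ('REG_SZ', _unescape(data[1:-1]))
        elif data.startswith('dword:'):
            value = ('REG_DWORD', int(data[6:], 16))
        else:  # hex / hex(N); REG_EXPAND_SZ (2) and REG_MULTI_SZ (7) are UTF-16LE
            kind, payload = re.match(r'hex(?:\((\w+)\))?:(.*)$', data).groups()
            raw = bytes(int(b, 16) for b in payload.split(',') if b)
            text_data = raw.decode('utf-16-le').rstrip('\x00') if kind in ('2', '7') else raw
            value = ('hex(%s)' % (kind or '3'), text_data)
        keys[current][name] = value
    return keys

def non_ascii_names(keys):
    """(key, value_name, code points) for every key path or value name holding non-ASCII characters."""
    hits = []
    for key, values in keys.items():
        for name in [None] + list(values):
            probe = key if name is None else name
            bad = ['U+%04X' % ord(c) for c in probe if ord(c) > 127]
            if bad:
                hits.append((key, name, bad))
    return hits
```

Any hit reported here is a name that has to be handled by its exact code points (or via regedit directly) rather than by retyping it in a batch file.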