September 28th, 2005 05:46 PM
thanks zenger but nothing came up when I searched for that value data.
i'll be back in an hour i wanna take a nap lol
September 28th, 2005 07:01 PM
Personally, I'd consider a reformat. But then, I like reformatting my machine fairly regularly anyway
\"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
Phillip Toshio Sudo, Zen Computer
Have faith, but lock your door.
September 28th, 2005 07:36 PM
Yeah, Wolfrune, you're a glutton for punishment.
According to what I've found on the net, pacisoft is a startup infection, so there is something in the registry referencing that folder location and looking for a startup or startup config file. Hijackthis may miss it.
If safemode won't get you where you want to go, you might want to look at the Windows version of UltimateBootCD (http://www.ubcd4win.com/) and try to analyze the registry and file system from that. It is possible that the infection is hiding registry keys or other things from you even in Safemode.
September 28th, 2005 08:50 PM
Here one prog that can find hiden registry entries
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Hope evrything that left......
// too far away outside of limit
September 28th, 2005 09:53 PM
ok root kit revealer identified some hidden files, and that folder was 1 of them. here look at the gif screen shot i took for u Sir Babis http://www.boredinnc.net/ftp/Webpage/revealer.gif
u see that mpestfat9.sys file in system32 folder ? hmm i cannot seem to locate it even when revealing hidden files. so how do i go about deleting that i wonder? noticed the date time stamp on the reg keys and the sys file and the folder all correspond to 9-27-05. seemingly these r are all culprits, but mysteriously evading my hand of wrath.
i downloaded the ultimate boot cd off that page, but i am not gonna use that just yet until i know what i am doing. thanks.
oh by the way i managed to delete those windows services detected on the Root kit scan by going into the registry and manually deleting them.
thanks all again for help
September 29th, 2005 07:32 AM
Could you send that .sys file, i wish to study it.
September 29th, 2005 06:03 PM
would if i could
i would if i could, but it's not visible so the thing is i dunno how to do that. it's deemed ghostware as opposed to spyware. i am waiting on sir babis to try to help me figure out how i can manipulate the file. he helped me locate it thus far so that's half the battle, but if i can manage to manipulate the file somehow yeah i can send it to u.
i tried to type in attrib -a -h -r -s c:\windows\system32\mpestfat9.sys
but it says file not found.
September 29th, 2005 07:22 PM
What you are describing sounds a lot like the description from the SANS ISC handler about a week ago:
About the only way you are going to get to the Registry and file system and nail these bad boys is to boot from a CD that allows you to edit the hidden registry keys, and the hidden file system stuff. The boot CD I pointed you to will do that. BTDT, got the t-shirt.
Use the ISO to burn a CD and boot to it. Very straightforward.
September 29th, 2005 08:03 PM
I got one ide that may be can work.
Export whole registry to some file and then file try to file that file name in the extracted file.
Then create own registry file that will remove it.
here some examples about how you do export:
1) you can use regedit )) start->run->regedit
2) you can use console )) copy and insert in text file and save it filename.bat then run it may work
reg export HKLM HKLM.reg
find HKLM.reg "Unismith"
if errorlevel == 0 start /w wordpad HKLM.reg
reg export HKCU HKCU.reg
find HKCU.reg "Unismith"
if errorlevel == 0 start /w wordpad HKCU.reg
reg export HKCR HKCR.reg
find HKCR.reg "Unismith"
if errorlevel == 0 start /w wordpad HKCR.reg
reg export HKU HKU.reg
find HKU.reg "Unismith"
if errorlevel == 0 start /w wordpad HKU.reg
reg export HKCC HKCC.reg
find HKCC.reg "Unismith"
if errorlevel == 0 start /w wordpad HKCC.reg
::--------en of bat.file---------
3) how to create regfile that will remove regkey
3.1) remove reg value
this will remove value "InfoTip" in key "someK"
3.2) remove key
this will remove "someK" key
// too far away outside of limit
September 30th, 2005 02:56 AM
I fixed my problem because;
I jus made a crucuial discovery of an error i made. i was looking in the wrong directory for mpestfat9.sys seemingly i was thinking it was located in C:\WINDOWS\SYSTEM32, but it was in fact located in C:\WINDOWS\SYSTEM32\DRIVERS
by deleting the sys file i was able to also delete unismith folder in safe mode and boot up successfully in normal mode. sorry for all the fuss.
also these 3 hidden registry directorys do not show up anymore when i scan
with rootkit revealer. so problem is fixed 100%
thanks all for help especially sir babis for the rootkit revealer program. it proved to be invaluable.