Can't run ANY anti-spyware (spybot, HJT) BAD INFECTION!!!!


This topic is locked
10 replies to this topic

#1 lola69
Posted 29 August 2009 - 07:43 PM

My pc has a serious STD or something!! I can't run spybot nor can I run HJT to even create a log!! I once tried running combofix however,despite trying to find PC Tools Anti-Virus on my pc to delete it, I can't find it. Combofix would not even run any further!! I only used this program after an IT guy at work suggested it. (my bad). My pc has been booting with an invalid boot.ini file forever and I am sure I don't have the microsoft windows recovery console. I don't even have the cd so reinstalling windows is not an option. No online scanners will work. Something has infected my pc so badly that I am ready to give up groceries just to buy a new one. Please help.........anyone!!!

#2 boopme (Global Moderator)
Posted 29 August 2009 - 08:55 PM

Hi lola69, I am moving this to the Am I Infected from XP for now.

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 lola69 (Topic Starter)
Posted 29 August 2009 - 10:15 PM

Thank you for trying to help me but after I got past the disclaimer screen and it started to scan, the entire thing disappeared. I have NO log file to post. ARGGHH!!!

I ran the program from the downloads box in Firefox. I then tried double clicking it from the desktop and it said I did not have permission and that it couldn't find the specified path.

Laura

Edited by lola69, 29 August 2009 - 10:21 PM.


#4 boopme (Global Moderator)
Posted 29 August 2009 - 10:24 PM

You are very welcome, I have seen this before and it's a :thumbsup: .. Let's try these.

If you cannot get DDS to work, please try this instead.

Please download runscanner.zip and save to your desktop.
  • Create a new folder on your hard drive called Runscanner (C:\Runscanner) and extract (unzip) the file there.
    (click here if you're not sure how to do this.)
  • Double-click Runscanner.exe to launch.
  • Select Beginner mode and click Ok.
  • Select Do a full scan and save a log file (default is Full Scan) to start.
  • Please be patient and do not use your computer during the scan.
  • When the scan is complete, a window will open asking you to save runscanner.run. Click Cancel.
  • Another window will open asking you to save runscanner.log.
  • Save it to your desktop and "Save as type: Runscanner log file [*.log]".
  • The log file will automatically open in Notepad.
  • Go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the log file into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
  • Exit Runscanner when done.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If Runscanner did not work, then reply back here.


Or try this

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 lola69 (Topic Starter)

Posted 29 August 2009 - 10:38 PM

Ok, the problems just keep on piling up here! When I first started rootrepeal (the other option was way too confusing), I got a pop up window that said, "Could not read the boot sector. Try adjusting the disk access level in the Options dialog." After clicking ok several times, I managed to get to options and tried setting it to High. After clicking all seven boxes and 'c' drive, the scan performed however, the last pop-up I received said, "Could not read system registry. Please contact the author."

Here is the log that it did create although, I honestly don't know how complete it is.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 23:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xF1E25000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A63000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\windows\system32\drivers\rootrepeal.sys
Address: 0xB96DB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\windows\win32k.sys:1
Address: 0xF7847000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\windows\win32k.sys:2
Address: 0xF75FF000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UAC28cb.tmprxgafj.dll]
Process: svchost.exe (PID: 876) Address: 0x009c0000 Size: 217088

Object: Hidden Module [Name: UACuthwbxspac.dll]
Process: svchost.exe (PID: 876) Address: 0x00970000 Size: 77824

Object: Hidden Module [Name: UACwtkdtudjhn.dll]
Process: svchost.exe (PID: 876) Address: 0x00cf0000 Size: 73728

Object: Hidden Module [Name: kbiwkmxexnkbxm.dll]
Process: svchost.exe (PID: 876) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: UACuthwbxspac.dll]
Process: Explorer.EXE (PID: 516) Address: 0x00bb0000 Size: 77824

Object: Hidden Module [Name: kbiwkmmqpfwopa.dll]
Process: Explorer.EXE (PID: 516) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: kbiwkmmqpfwopa.dll]
Process: firefox.exe (PID: 272) Address: 0x01080000 Size: 28672

==EOF==
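The RootRepeal report above has a fixed text layout, so the two findings a helper would look at first (drivers whose image path ends in a `name:stream` suffix, which is NTFS alternate-data-stream syntax, and the same hidden DLL turning up inside several processes) can be pulled out mechanically instead of by eye. The parser below is an added example, not part of this thread and not RootRepeal's own code; `SAMPLE_LOG` is a trimmed excerpt of the log posted in reply #5, and the function names and the alternate-data-stream heuristic are this example's own assumptions.

```python
# Added example: parse a RootRepeal report and pull out the indicators worth a
# closer look. Not RootRepeal's own code; SAMPLE_LOG is a trimmed excerpt of the
# log posted in reply #5, and the ADS heuristic is this example's assumption.
import json
import re
from collections import defaultdict

SAMPLE_LOG = r"""ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 23:33
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xF1E25000 Size: 98304 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\windows\win32k.sys:1
Address: 0xF7847000 Size: 20480 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UAC28cb.tmprxgafj.dll]
Process: svchost.exe (PID: 876) Address: 0x009c0000 Size: 217088

Object: Hidden Module [Name: UACuthwbxspac.dll]
Process: svchost.exe (PID: 876) Address: 0x00970000 Size: 77824

Object: Hidden Module [Name: UACuthwbxspac.dll]
Process: Explorer.EXE (PID: 516) Address: 0x00bb0000 Size: 77824

Object: Hidden Module [Name: kbiwkmmqpfwopa.dll]
Process: firefox.exe (PID: 272) Address: 0x01080000 Size: 28672

==EOF==
"""

# A section is a title line followed by a line of dashes.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*)\n-{5,}\n", re.M)
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)\nStatus: (?P<status>.+)"
)
HIDDEN_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<module>[^\]]+)\]\n"
    r"Process: (?P<process>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)"
)

def split_sections(text):
    """Map each section title ('Drivers', 'Stealth Objects', ...) to its body."""
    matches = list(SECTION_RE.finditer(text))
    sections = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        sections[m.group(1).strip()] = text[m.end():end]
    return sections

def ads_drivers(drivers):
    """Image paths whose file name carries a ':stream' suffix, i.e. NTFS
    alternate-data-stream syntax, which no stock Windows driver uses."""
    return [d["path"] for d in drivers if ":" in d["path"].rsplit("\\", 1)[-1]]

def hidden_by_process(objs):
    """Group hidden module names by the process (and PID) they were found in."""
    groups = defaultdict(set)
    for o in objs:
        groups[f"{o['process']} (PID {o['pid']})"].add(o["module"])
    return {proc: sorted(mods) for proc, mods in groups.items()}

def modules_in_several_processes(objs):
    """Hidden modules present in more than one process: the same DLL injected
    system-wide rather than belonging to one program."""
    seen = defaultdict(set)
    for o in objs:
        seen[o["module"]].add(o["process"])
    return {mod: sorted(procs) for mod, procs in seen.items() if len(procs) > 1}

def triage(text):
    """Summarise a RootRepeal report as a dict a helper can read at a glance."""
    sections = split_sections(text)
    drivers = [m.groupdict() for m in DRIVER_RE.finditer(sections.get("Drivers", ""))]
    hidden = [m.groupdict() for m in HIDDEN_RE.finditer(sections.get("Stealth Objects", ""))]
    return {
        "driver_count": len(drivers),
        "ads_drivers": ads_drivers(drivers),
        "hidden_by_process": hidden_by_process(hidden),
        "injected_in_several": modules_in_several_processes(hidden),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it as a script and it prints a JSON summary; on the excerpt it flags `C:\windows\win32k.sys:1` as a driver loaded from a named stream and `UACuthwbxspac.dll` as a hidden module shared by svchost.exe and Explorer.EXE, which is the shape of finding that pushed the thread toward the HJT team rather than a self-help tool.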

#6 boopme (Global Moderator)

Posted 29 August 2009 - 10:48 PM

Ok lola69, we may get a break here.. Rerun Rootrepeal. This time select only the FILES tab along the bottom.
Post that log. Thanks.

#7 lola69 (Topic Starter)

Posted 29 August 2009 - 10:53 PM

LOL.......not so fast! I tried to run rootrepeal again and I got this message, "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them." I then attempted to delete the program so I could download it again and try your suggestion but it flat out told me that it could not be deleted. "Access is denied. Make sure that the disk is not full or write-protected and that the file is currently not in use."

Oh, one more interesting thing happened that I forgot to mention. After I got as far as my last step, an icon called settings for Nero (green circle with arrow) appeared on my desktop. The fun never ends.

Edited by lola69, 29 August 2009 - 11:03 PM.


#8 boopme (Global Moderator)

Posted 29 August 2009 - 11:11 PM

I knew this would happen.. Like I said I have seen this.. there are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team. Unfortunately my dear you have it.
Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

Please post your RootRepeal log here, HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, with a link to this thread. Name your topic win32k.sys Rootkit.

Edited by boopme, 29 August 2009 - 11:12 PM.


#9 lola69 (Topic Starter)

Posted 30 August 2009 - 09:23 AM

Ok I started the new post in the forum you suggested with the topic but I don't know if the topic link worked. I could barely start a browser today so I am pretty sure the virus is spreading like wildfire!!

Again, many thanks for trying to help me........I have a feeling I might have to get used to eating Kraft dinner for the next few months lol.

Edited by lola69, 30 August 2009 - 09:24 AM.


#10 boopme (Global Moderator)

Posted 30 August 2009 - 09:48 AM

Hello again, this is where we part as an HJT tech will take you from here. It looks good there http://www.bleepingcomputer.com/forums/t/253639/win32ksys-rootkit/ and I added the link.

#11 boopme (Global Moderator)

Posted 30 August 2009 - 03:57 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



