
Help please Virus infection


7 replies to this topic

#1 CrisGer

CrisGer

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:03:36 PM

Posted 31 August 2009 - 01:37 PM

My system was attacked by Antivirus Pro, I believe. I am getting Windows Police popups and I can't run any anti virus programs; it disabled Malware antivirus and Avira. I can't do a restore at all; it has disabled all programs that do that.

Please help.

I can't run HijackThis either, and I can't run or reinstall either MBAM or Spybot.

I had to fight redirects to get here... please help ASAP.

My system info is in the file here.

Only change is I added more RAM, up to 3 GB.
========================

UPDATE: I was able to find and delete two elements that had been installed, one called wscsvc32.exe that was generating popups to buy an antivirus software and swamping my browser, and another called braviax.exe... I don't know what it did but it appeared after the attack. My Avira tried to stop it; it kept giving me warnings of a backdoor trojan attack and I kept sending them to quarantine, but somehow it got through.

Now I can't run any program or get to System Restore; it says the settings were changed by Group decision and to contact the system administrator. I can't use Avira because I get an error saying the license is not valid. I will keep trying... but await orders.

I tried running the two programs that do logs on the HijackThis thread but neither will work; I get an error that says...

C:\WINDOWS\system32\cmd.exe/ k dds.cmd or for whatever program i try to run, i get that error.

Some programs will still run after I get those error notices. I got error alerts for almost all the programs on my computer at startup today... but some won't, like the anti virus programs won't run at all, and I don't think WordPad or Notepad will run at all.

Edited by CrisGer, 31 August 2009 - 02:47 PM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:36 PM

Posted 31 August 2009 - 03:55 PM

Hello.

Let's see what we're looking at here.

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:03:36 PM

Posted 03 September 2009 - 01:47 PM

Blade, thank you so much for your kind reply. It might have worked but I gave up and sent for my local tech who has helped me in the past. It took him 2 days and multiple scans with ComboFix and other cleaners but he got the main culprits off; there was a rootkit and a backdoor, and the system is clean, he says. There was also a nasty redirect working hidden in the event log of IE. So far the system seems stable; it shut down once since its return and has tried to check the disk on my E drive but I don't do it, because that is only my backup drive and so disk errors won't matter there.

But I can run scans now to check the system if you so advise? What do you recommend at this point? I do very much appreciate the reply but I had to give up after cleaning out the two active programs I found, for the viruses disabled everything on the system and I could not work with it. Any suggestions most welcome.

I will run the root scan now and post the log.

UPDATE:

I just tried to run the scan and when I clicked on the system scan (it ran a driver scan fine) the system crashed with a blue screen and this was the debug report; will try again :)


Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini090309-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553fc0
Debug session time: Thu Sep 3 13:15:55.703 2009 (GMT-6)
System Uptime: 0 days 2:12:57.330
Loading Kernel Symbols
................................................................................................................................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {ffffffe0, 2, 0, 80533923}

Probably caused by : ntkrnlpa.exe ( nt!ExpScanGeneralLookasideList+1b )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffffe0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80533923, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: ffffffe0

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExpScanGeneralLookasideList+1b
80533923 8b56e0 mov edx,dword ptr [esi-20h]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

TRAP_FRAME: b8517ca8 -- (.trap 0xffffffffb8517ca8)
ErrCode = 00000000
eax=00000000 ebx=0000b47e ecx=0000002c edx=00000000 esi=00000000 edi=ffa30000
eip=80533923 esp=b8517d1c ebp=b8517d2c iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
nt!ExpScanGeneralLookasideList+0x1b:
80533923 8b56e0 mov edx,dword ptr [esi-20h] ds:0023:ffffffe0=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 80533923 to 80540683

STACK_TEXT:
b8517ca8 80533923 badb0d00 00000000 00000000 nt!KiTrap0E+0x233
b8517d2c 80533e88 8055b4f0 8055b4e8 8053c298 nt!ExpScanGeneralLookasideList+0x1b
b8517d38 8053c298 00000000 8b0738b8 00000000 nt!ExAdjustLookasideDepth+0x32
b8517dac 805c6160 00000000 00000000 00000000 nt!KeBalanceSetManager+0x88
b8517ddc 80541dd2 8053c210 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExpScanGeneralLookasideList+1b
80533923 8b56e0 mov edx,dword ptr [esi-20h]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExpScanGeneralLookasideList+1b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

FAILURE_BUCKET_ID: 0xA_nt!ExpScanGeneralLookasideList+1b

BUCKET_ID: 0xA_nt!ExpScanGeneralLookasideList+1b

Followup: MachineOwner
---------

kd> lmvm nt
start end module name
804d7000 806cf580 nt (pdb symbols) c:\symbols\ntkrnlpa.pdb\30B5FB31AE7E4ACAABA750AA241FF3311\ntkrnlpa.pdb
Loaded symbol image file: ntkrnlpa.exe
Mapped memory image file: c:\symbols\ntkrnlpa.exe\4802516A1f8580\ntkrnlpa.exe
Image path: ntkrnlpa.exe
Image name: ntkrnlpa.exe
Timestamp: Sun Apr 13 12:31:06 2008 (4802516A)
CheckSum: 00204E7E
ImageSize: 001F8580
File version: 5.1.2600.5512
Product version: 5.1.2600.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlpa.exe
OriginalFilename: ntkrnlpa.exe
ProductVersion: 5.1.2600.5512
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

========================================
SECOND UPDATE:


I was able to scan two of the categories but both Files and Hidden Services caused crashes; Files just crashed with no blue screen and Hidden Services crashed with a blue screen saying Page Fault in a Nonpaged Area. Here is the bug report on that crash, and I will attach the reports I was able to get... what should we try now?

I could not figure out how to attach scans, so here is a link to download a RAR of them:

http://www.filefront.com/14458565/scans.rar

Hidden Services Scan crash


Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini090309-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553fc0
Debug session time: Thu Sep 3 13:30:46.296 2009 (GMT-6)
System Uptime: 0 days 0:05:24.922
Loading Kernel Symbols
..............................................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e1816046, 1, 8052896d, 1}


Could not read faulting driver name
Probably caused by : ntkrnlpa.exe ( nt!RtlClearBits+41 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e1816046, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 8052896d, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

WRITE_ADDRESS: e1816046

FAULTING_IP:
nt!RtlClearBits+41
8052896d 200a and byte ptr [edx],cl

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

TRAP_FRAME: b84ffc04 -- (.trap 0xffffffffb84ffc04)
ErrCode = 00000002
eax=007702fe ebx=c8c02000 ecx=b84ffc7f edx=e1816046 esi=007702f7 edi=00000007
eip=8052896d esp=b84ffc78 ebp=b84ffc80 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!RtlClearBits+0x41:
8052896d 200a and byte ptr [edx],cl ds:0023:e1816046=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 8051cc4f to 804f8cb5

STACK_TEXT:
b84ffb8c 8051cc4f 00000050 e1816046 00000001 nt!KeBugCheckEx+0x1b
b84ffbec 8054051c 00000001 e1816046 00000000 nt!MmAccessFault+0x8e7
b84ffbec 8052896d 00000001 e1816046 00000000 nt!KiTrap0E+0xcc
b84ffc80 806306f4 b84ffce0 007701f7 007702f7 nt!RtlClearBits+0x41
b84ffca8 80631d2d e354ab60 b84ffce0 e354ad84 nt!HvpFlushMappedData+0xca
b84ffd28 806323f6 e354ab60 00000000 e354ab60 nt!HvpDoWriteHive+0x1db
b84ffd40 80628bce e354ab01 8055b0fc 80550ca0 nt!HvSyncHive+0x88
b84ffd5c 80621a1b 00000000 8b077020 00000000 nt!CmpDoFlushAll+0x6c
b84ffd74 80534c02 00000000 00000000 8b077020 nt!CmpLazyFlushWorker+0x51
b84ffdac 805c6160 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
b84ffddc 80541dd2 80534b02 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!RtlClearBits+41
8052896d 200a and byte ptr [edx],cl

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!RtlClearBits+41

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

FAILURE_BUCKET_ID: 0x50_W_nt!RtlClearBits+41

BUCKET_ID: 0x50_W_nt!RtlClearBits+41

Followup: MachineOwner
---------

kd> lmvm nt
start end module name
804d7000 806cf580 nt (pdb symbols) c:\symbols\ntkrnlpa.pdb\30B5FB31AE7E4ACAABA750AA241FF3311\ntkrnlpa.pdb
Loaded symbol image file: ntkrnlpa.exe
Mapped memory image file: c:\symbols\ntkrnlpa.exe\4802516A1f8580\ntkrnlpa.exe
Image path: ntkrnlpa.exe
Image name: ntkrnlpa.exe
Timestamp: Sun Apr 13 12:31:06 2008 (4802516A)
CheckSum: 00204E7E
ImageSize: 001F8580
File version: 5.1.2600.5512
Product version: 5.1.2600.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlpa.exe
OriginalFilename: ntkrnlpa.exe
ProductVersion: 5.1.2600.5512
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.


thanks for any help...

Edited by CrisGer, 03 September 2009 - 02:43 PM.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:36 PM

Posted 03 September 2009 - 05:52 PM

Hello.

I can understand the feeling of helplessness and frustration that led you to have your PC cleaned by a technician. At the same time though, having done this is going to make it much more difficult for the helpers here to know what's going on now, not to mention how to fix it. This is because we do not know what the tech did, how thorough he was, etc.

We can give it a shot, but I think your best bet is to let the same technician look at it again. My two major suspicions are either

A.) There are still pieces of malware left that are causing problems, or
B.) There is some system damage present caused either by the malware or an improper removal.

***************************************************

Also. . . you mentioned that the tech found both a rootkit and a backdoor trojan. You should be aware that you cannot be certain that they are completely removed unless you format the drive and reinstall the OS. Computers that have been compromised by this type of malware shouldn't be used for sensitive work unless the drive is formatted. Here's some information on this subject.

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed this kind of malware. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

***************************************************

So, you have several options to choose from. You can:
  • attempt to receive assistance with your remaining issues here. Since we're limited in what tools we can run in the AII forum, this will likely result in you being referred to the HJT forum for in-depth analysis. There is a large backlog in the HJT forum due to the limited staff and huge numbers of requests for help. With the way things are right now, you should probably expect to wait between 10 and 14 days after posting your logs in the HJT forum before a helper gets to you (This is merely a guess based on current trends, the wait time could easily be shorter or longer than this). As I stated before, since you've had some serious undocumented work done to this computer the extent of what we can do is somewhat limited. The possibility exists that the helpers in the HJT forum might not even be able to help you. It's not that I or the other helpers don't want to help; there is just a limit to what can be done in these situations without actually sitting in front of the machine.
    :thumbsup:
  • Reformat the computer. This is the safest, most surefire, and likely the most cost-effective path toward a fully functional computer. You will be able to back up your personal data before the reformat (within some guidelines), and we can provide information on reformatting and reinstalling so that you can do this yourself and not have to spend money having a tech do it. The only requirement of this is that you must have either a Windows disk or, if Windows came pre-installed from the manufacturer, a recovery/reinstallation disk provided with the computer. <--This is my recommended course of action.
    :flowers:
  • Have the tech that cleaned your computer attempt to diagnose and repair your remaining issues. In this situation the technician has several advantages over us. He knows what has been done to your computer during the cleaning. He also has the luxury of working with the machine directly. He also will be able to provide help much more quickly than us. Obviously the biggest downside here is payment, as well as the possibility that the tech will be unable to successfully repair your computer (no offense to him of course, I'm just being realistic). If reformatting is not an option for you, this is my recommended course of action.
Please let me know which of these paths you wish to pursue. Also, if you have any questions feel free to ask. :trumpet:

~Blade

Edited by Blade Zephon, 03 September 2009 - 05:53 PM.



#5 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:03:36 PM

Posted 03 September 2009 - 07:17 PM

Thanks Blade, I am game to reformat. How do I back it up? I have never done this before. I do have an external hard drive that I got for such needs, and can do a save to it; I have one complete system save from several months ago, and with your help can save my current data.

And this would be a good thing for me to learn.

And yes, I do have the system disk.

But before we do that, is there a scan we can run to try to see what might be amiss? I can also ask Marcell, the tech, who is very knowledgeable and helpful, about what he ran; I know he ran ComboFix three times, then worked with Malware Antivirus to find any infections that remained. There was one persistent redirect that lurked in the Event Log of IE, as I mentioned. He did offer to do a reinstall if we needed to, and since the scans are unable to complete that is an option, which would restore my system to working order of several months ago.

So my immediate question is: can we scan to see why that driver may be causing problems? It seems to be the same one, and it might be either missing from all the cleaning or defective, and maybe if we remove it, it may solve the problem....

ntkrnlpa.exe is an authentic part of Windows Home Edition and I have Windows Pro, so I am puzzled why it is causing a problem on my system. It should theoretically not be there. I see others have had problems with it online from scanning for posts..

this was from a tech about this item:

> > NTKRNLPA.EXE: Is a Microsoft Windows Application.
> C:\WINDOWS\system32
> C:\Windows\Driver Cache\i386
> C:\Windows\ServicePackFiles\i386 =
> C:\Windows\Driver Cache\i386\driver.cab
> C:\Windows\Driver Cache\i386\sp1.cab
> C:\Windows\Driver Cache\i386\sp2.cab
> C:\Windows\ServicePackFiles\i386\sp2.cab
> C:\Windows\SoftwareDistribution\SelfUpdate\123444c f7557..=
> C:\Windows\SoftwareDistribution\SelfUpdate\123444c f7557..\sp2.cab
> You can see if you have these and if you can't find it in one of these
> locations then copy it to that location.
> c:\windows\system32\ntkrnlpa.exe

and

Been a while since this topic was up, but I just encountered this
problem myself.
Apparently it surfaced after removing an external disk without using
the "Safely remove hardware" thingy, and told me it had an I/O problem
of some sort (0xc00000e9.) I booted up with an ubuntu live cd and used
bash to search and replace all instances of the file with one from a
working vista installation. Got through the problem with ntkrnlpa.exe,
but it was just replaced with missing/corrupted ntfs.sys instead.
It wasn't in most of the folders listed here, but in a bunch of what
seemed like update folders of some sort.
Guess I'll just have to backup all my files using ubuntu and then
format and reinstall vista, as I haven't found any other solutions.

edit: of course I tried to do the same thing with ntfs.sys also ;)
(sudo find /media/System/Windows -iname ntkrnlpa.exe -type f -exec cp
[folder with working file]/ntkrnlpa.exe {} \; if anyone needs it)

Sounds like I may be missing that file from one of those locations.

If you don't mind trying to help with things as they are, I am willing to do what I can using the error logs to hunt for a fix.

If that does not work, I am open to considering a reinstall, but I have a ton of programs that I am studying; I am a game researcher and I would have to do a lot of reinstalling.

The best second option to an immediate fix may be a system restore using Marcell and the external backup I have.

Will wait for your advice.
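As an added illustration (not part of the thread, and not something Marcell or the quoted tech ran): before copying a system file between the locations the quoted note lists, a defender would first check which copies actually differ from a trusted reference, since a hash mismatch, not just a missing file, is what separates a patched kernel image from an intact one. The directory layout, the file contents and the extra dllcache location are constructed for this demo; on the real machine the paths would sit under C:\WINDOWS.

```python
"""Compare every copy of a system file against a known-good reference.

Added example, not code from the thread. The quoted tech note lists several
places Windows keeps copies of ntkrnlpa.exe; this script reports, for each
location, whether the copy matches the reference, differs, or is absent.
The tree is built inside a temp dir so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in 64 KiB chunks so a large image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(reference, candidates):
    """Return {candidate: 'match' | 'mismatch' | 'missing'} against reference."""
    ref_hash = sha256_of(reference)
    report = {}
    for path in candidates:
        if not os.path.isfile(path):
            report[path] = "missing"
        elif sha256_of(path) == ref_hash:
            report[path] = "match"
        else:
            report[path] = "mismatch"
    return report


def demo():
    """Build a constructed tree mirroring the locations in the quoted note."""
    root = Path(tempfile.mkdtemp(prefix="ntkrnlpa-demo-"))
    good = b"constructed stand-in for a known-good ntkrnlpa.exe image\n"
    bad = b"constructed stand-in for a corrupted or patched copy\n"
    layout = {
        "reference/ntkrnlpa.exe": good,  # stands in for a copy from install media
        "WINDOWS/system32/ntkrnlpa.exe": good,
        "WINDOWS/Driver Cache/i386/ntkrnlpa.exe": bad,
        "WINDOWS/ServicePackFiles/i386/ntkrnlpa.exe": good,
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    candidates = [
        root / "WINDOWS/system32/ntkrnlpa.exe",
        root / "WINDOWS/Driver Cache/i386/ntkrnlpa.exe",
        root / "WINDOWS/ServicePackFiles/i386/ntkrnlpa.exe",
        # Constructed location that is never created, so it reports 'missing'.
        root / "WINDOWS/system32/dllcache/ntkrnlpa.exe",
    ]
    report = compare_copies(root / "reference/ntkrnlpa.exe", candidates)
    # Report with paths relative to the temp root for readability.
    return {p.relative_to(root).as_posix(): status for p, status in report.items()}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

The point of reporting three states rather than two is that a copy that hashes differently from the reference is the one to treat as suspect and replace from trusted media, while a missing copy is merely a gap; the quoted find/exec one-liner overwrites every copy without telling you which ones were wrong.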

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:36 PM

Posted 03 September 2009 - 08:20 PM

Hello, it appears you have corrupt files from partial or incomplete malware removal.
Reformatting

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding an extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

I suppose you may get a fix with running
sfc /scannow

You will need your XP CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
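An added example, not from boopme's post, that turns the two backup rules above (skip autorun and .exe files; read the full name, because a second extension can be tacked on and pushed out of view with padding) into a filename triage before anything is copied to the external drive. The extension sets and the sample file list are my own constructions, not from the thread.

```python
"""Triage filenames before copying them off a compromised machine.

Added example, not code from the thread. Each name gets one of three
decisions: 'copy' (plain data file), 'exclude' (autorun, runnable or config
type, or a data extension followed by a runnable one), or 'review' (no
extension, padding before the extension, or a type not in either list).
"""
import re

# Assumed data types worth backing up (not from the post).
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".txt", ".pdf",
                   ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".avi"}
# The post says autorun/.exe; the rest are other directly runnable or
# autorun-related types on Windows XP (assumed list).
RISKY_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                    ".vbs", ".js", ".inf", ".ini"}


def classify(filename):
    """Return (decision, reason) for one filename or full path."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    lowered = base.lower()
    if lowered.startswith("autorun."):
        return ("exclude", "autorun file")
    # Remove whitespace placed immediately before a dot; that padding is the
    # usual trick for pushing the real extension out of the visible name.
    collapsed = re.sub(r"\s+\.", ".", lowered)
    padded = collapsed != lowered
    parts = collapsed.split(".")
    if len(parts) < 2 or parts[-1] == "":
        return ("review", "no extension")
    ext = "." + parts[-1]
    if ext in RISKY_EXTENSIONS:
        if len(parts) >= 3 and "." + parts[-2] in DATA_EXTENSIONS:
            return ("exclude", f"data extension .{parts[-2]} followed by {ext}")
        return ("exclude", f"runnable/config type {ext}")
    if padded:
        return ("review", "whitespace before the extension")
    if ext in DATA_EXTENSIONS:
        return ("copy", "data file")
    return ("review", f"unknown type {ext}")


def triage(filenames):
    """Group a file list by decision so the copy set is explicit."""
    groups = {"copy": [], "exclude": [], "review": []}
    for name in filenames:
        decision, _ = classify(name)
        groups[decision].append(name)
    return groups


# Constructed sample of what a backup folder on the external drive might hold.
SAMPLE_FILES = [
    r"D:\backup\thesis.doc",
    r"D:\backup\holiday.jpg",
    r"D:\backup\holiday.jpg                    .exe",
    r"D:\backup\autorun.ini",
    r"D:\backup\setup.exe",
    r"D:\backup\notes",
]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        decision, reason = classify(name)
        print(f"{decision:8} {reason:45} {name}")
```

Everything in the 'copy' group should still go through the anti-virus scan boopme describes before it is restored; the triage only decides what is worth scanning and what is left behind on the old disk.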

#7 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:03:36 PM

Posted 03 September 2009 - 08:43 PM

OK, I will run that first. I am listening carefully to you about reformatting and may indeed do that. I very much appreciate the help; thanks again.

on with the job on the scan :thumbsup:

thanks again

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:36 PM

Posted 03 September 2009 - 08:49 PM

Ok, good let us know. If you do have to format we have some pointers also.