Had/have Windows Police Pro, Malwarebytes won't complete scan, desktop gone


41 replies to this topic

#1 elleon


Posted 07 September 2009 - 02:13 AM

Hi,

I was directed to this forum, and told to skip to step 6 of the "Preparation Guide for use before posting a Hijack This log". I followed the directions for getting DDS to run, but I don't think it is running (the information screen never changed; waited at least 10 minutes).

Background info about my problem:
My computer had/has Windows Police Pro on it. I managed to get its main components off by following these directions (using OTM by OldTimer): http://www.myantispyware.com/2009/08/31/re...l-instructions/

However, when I try to scan using Malwarebytes, Malwarebytes stays open for ~1 minute before it spontaneously closes. It seems like I can run most programs on my computer; just not Malwarebytes (I wasn't able to run a bunch of things on my computer before removing the Police Pro main components, but the situation has since improved).

I have Windows XP. I am currently running everything from Windows Task Manager, b/c my desktop and start menu are completely gone (this happened after I got rid of the Police Pro main components and rebooted several times).

This is my RootRepeal log from just before trying the DDS run (Only "drivers" was selected for the scan, b/c RootRepeal would spontaneously close whenever I tried scanning everything):


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 01:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE325000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D97000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7E1B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rr.sys
Image Path: C:\WINDOWS\system32\drivers\rr.sys
Address: 0xED701000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7B7F000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7079000 Size: 61440 File Visible: No Signed: -
Status: -

==EOF==



Thanks in advance for any help!
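The RootRepeal log above lists two drivers, win32k.sys:1 and win32k.sys:2, whose image paths carry a stream name after the file name. The script below is an added example, not a tool from this thread: it parses that RootRepeal "Drivers" format and separates stream-backed drivers from the crash-dump and hibernation drivers that are legitimately reported as not visible on disk. Treating rr.sys as RootRepeal's own driver is an assumption based on the name in the log.

```python
"""Triage a RootRepeal 'Drivers' log for drivers hidden in NTFS alternate data streams.
Added example, not a tool from the thread: it parses the format shown in the first
post and flags drivers whose image path is an ADS (C:/WINDOWS/win32k.sys:1 style),
where the rootkit discussed here hides its code inside a legitimate system file.
"""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the RootRepeal log posted in the thread.
SAMPLE_LOG = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE325000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rr.sys
Image Path: C:\WINDOWS\system32\drivers\rr.sys
Address: 0xED701000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7B7F000 Size: 20480 File Visible: No Signed: -
Status: -

==EOF==
"""

@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: bool
    signed: str

# One RootRepeal entry: Name, Image Path, then address/size/flags on one line.
ENTRY_RE = re.compile(
    r"Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<vis>\w+)\s+Signed: (?P<signed>\S+)"
)

def parse_drivers(log: str) -> list[Driver]:
    """Return every driver entry in the log, in scan order."""
    return [Driver(m["name"], m["path"], int(m["addr"], 16), int(m["size"]),
                   m["vis"].lower() == "yes", m["signed"])
            for m in ENTRY_RE.finditer(log)]

# Crash-dump/hibernation drivers load from in-memory copies, so RootRepeal
# reporting them as "File Visible: No" is expected rather than suspicious.
EXPECTED_INVISIBLE_PREFIXES = ("dump_", "hiber_")
SCANNER_DRIVERS = {"rr.sys"}  # RootRepeal's own driver (assumed from the log's name)

def is_alternate_stream(path: str) -> bool:
    """True when the path names an ADS: any ':' beyond the drive-letter colon."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body

def triage(drivers: list[Driver]) -> list[tuple[str, str]]:
    """Return (name, reason) pairs for drivers that warrant a closer look."""
    findings = []
    for d in drivers:
        lname = d.name.lower()
        if is_alternate_stream(d.image_path):
            findings.append((d.name, "driver image is an alternate data stream"))
        elif (not d.file_visible and not lname.startswith(EXPECTED_INVISIBLE_PREFIXES)
              and lname not in SCANNER_DRIVERS):
            findings.append((d.name, "driver file hidden from the file system"))
    return findings
```

Run against the full log from the post, the same code flags win32k.sys:2 as well, while dump_WMILIB.SYS and hiber_WMILIB.SYS stay unflagged.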

#2 etavares

    Bleepin' Remover
  • Malware Response Team

Posted 07 September 2009 - 06:23 AM

Hello, elleon.
Welcome to Bleeping Computer. My name is etavares and I will be helping you with your log.

Please give me a little time to go through your log. I'd also like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.

Please note that I may have taken this log out of order. As a HJT trainee, I occasionally take logs out of order to further develop my skills. I have a balance of older logs (e.g. first come, first served) and fresh logs. If you are reading this and are still waiting, please be patient. Our volunteers are working as hard as we can to help everyone.

Here's a few things to get started:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean.
  • If at any point, you are not sure what I am asking for, please ask me and I can better communicate what I mean.
  • Please reply within 5 days of my last post or the thread will be closed. If you will be away or unable to reply, please let me know in advance so the thread is not closed. We have many folks waiting for help and it is not fair to keep an unresponsive thread open.
Thanks!

EDIT: BBcode

Edited by etavares, 07 September 2009 - 06:23 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 etavares


Posted 07 September 2009 - 10:53 AM

Hello, elleon.
Ok, you have a very nasty rootkit, but we should be able to remove it and get you access back to your programs. Please stick with me, even if your computer acts better...there's lots of collateral damage from this rootkit we need to fix.

The instructions below assume you can use the desktop. Please run via task manager. For the log files, please launch Notepad.exe from the task manager and do File -> Open to get the logs posted.

Download and run Win32kDiag:
Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
Please post both the logs in your reply.




#4 elleon


Posted 07 September 2009 - 11:25 AM

Hi etavares!

Thanks so much for helping me!

My desktop is gone, so I have been doing everything from my Task Manager. Up until last night, I was able to go online using Firefox on my computer. However, when I tried to connect to the internet just now, I wasn't able to. Any address I type results in the following message from Firefox:

Server not found

Firefox can't find the server at www.bleepingcomputer.com

-Check the address for typing errors such as ww.example.com instead of www.example.com
-If you are unable to load any pages, check your computer's network connection.
-If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Try Again

#5 elleon


Posted 07 September 2009 - 03:15 PM

I ended up running win32kDiag.exe off a cd, and it worked. Is it safe for me to save the log onto a cd and put the cd into a different computer (will the new computer get infected?)?


I tried to also run peek.bat off a cd, but two windows popped up with the following messages:

window 1 (C:\Windows\system32\cmd.exe): "Access is denied."

window 2 (Log.txt): "Windows cannot find 'Log.txt'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, then click Search."


EDIT:

I saved a copy of peek.bat from the CD onto my desktop, and was able to run it from there. I now have logs from both win32kDiag.exe and peek.bat. How might I get those logs to you if I cannot access the internet from my infected computer (is it safe to transfer the files using a flash drive or CD)?

Edited by elleon, 07 September 2009 - 03:28 PM.


#6 etavares


Posted 07 September 2009 - 05:36 PM

Hi elleon-

As long as you only save the TXT files from those two tools to CD, you are fine. To be safe, once you copy them to the CD, hold down Shift as you load it into your clean computer; hold it down for 10-15 seconds or so. That will prevent the CD from auto-running anything.




#7 elleon


Posted 07 September 2009 - 05:58 PM

I just tried writing the files to the CD, but my computer doesn't recognize my CD as being in the drive. I know these CDs work, b/c I have used them with my computer in the past. Any suggestions for what to do?

#8 etavares


Posted 08 September 2009 - 07:57 AM

Hi elleon-

First, try this:
  • Launch Firefox.
  • Go to Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server if it is checked.
  • OK your way out of that menu, then try to go to a website.
Are you able to get online now from the infected computer after making that change?

If not, do you have a flash drive we can use to transfer those files? If so, please do this first on your clean computer to help prevent the spread of infection:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Please let me know.




#9 elleon


Posted 08 September 2009 - 10:27 PM

Hi etavares,

No proxy was checked, so I didn't do anything there.

I tried using my flash drive, but my computer doesn't seem to do anything/recognize it when I stick it in. From the task manager, I went to File > New Task (Run...). In the "Create New Task" window, I went to "Browse" > My Computer. Under My Computer, I see the C (local disk), D (local disk) and E (CD) drives, but no F drive, where the flash drive should show up.

Any other suggestions?

Also, every time I boot up or my computer goes into standby and I have to turn it back on, it seems like my computer loses another function (e.g. first my desktop disappeared, then its ability to connect to the internet was lost, now Firefox cannot even open)... Is there any way to stop that from happening? I'm worried it won't be long before I can't do anything with my computer.

EDIT:

I don't know if this works, but I took pictures of the logs using my camera (I don't know if you go through the logs by eye or computer/some other means, so I don't know if the pictures are usable/helpful....but I'm getting desperate and thought I'd give it a try :P). The files are too large for me to upload here though. If you think you could actually use the photos, is there another way I can get them to you?

Edited by elleon, 08 September 2009 - 11:52 PM.


#10 etavares


Posted 09 September 2009 - 09:25 AM

Hi elleon

For these logs, a readable picture will work great. Great idea. :(

You can use megaupload or another file sharing site to upload the files, then you can post a link here.

Once I see that, we can break the back of the rootkit. It changes the permissions of programs to prevent you from running them. We can reverse that, provided we can get a couple other tools onto that machine.

Edited by etavares, 09 September 2009 - 09:25 AM.




#11 elleon


Posted 09 September 2009 - 03:15 PM

Hi etavares,

Great!! Glad to hear that will work. Here is the link to the files: http://www.megaupload.com/?d=T3QK2D04

The peek.bat log is captured in one picture (labeled peekbatlog). The Win32kDiag log was much longer, so I captured it in multiple pictures (labeled winlog1, winlog2, winlog3...etc). They are all in order. Several lines of the log were too long to fit on the screen, so I had to take one picture, scroll over, and then take a second. Pictures labeled "a" are the left side of the line, and "b" are the right side of the line (These are pictures 7a&b, 8a&b, and 20a&b.). The blue highlighted line at the top of each photo is the last line from the previous shot.

Thanks so much, and let me know if I need to retake any pictures for a better shot, or if there's anything else I can/should do!

#12 etavares


Posted 09 September 2009 - 06:16 PM

Hello, elleon.
Where did you save win32kdiag.exe? This assumes you saved it to the desktop of your infected computer. Please adjust accordingly. That information was cut off in the picture of the logs you provided.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

Note the switches after the filename, these are critical.


Next, please do this:
  • From the task manager, run cmd.exe from c:\windows\system32\cmd.exe. This will launch a Command Prompt window (looks like DOS).
  • Type in the exact command listed below. Note the space after copy, the space after eventlog.dll and the space after C:\
    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

For the below, please adjust as needed given the state of your system. E.g. download via your clean computer, extract/save to CD, run from CD on infected computer, take pictures of the logs if you can't get them off the computer. (Try at the end of these instructions)
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

(If you can't get it to copy into the Windows directory, please launch cmd.exe again, navigate to the directory you saved junction.exe in, then type
junction -s c:\ >log.txt&log.txt& del log.txt and it should work.)

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

Also, try running DDS.

In your reply, please post the following (or pictures if you can't get them off your computer):
  • log from win32kdiag
  • log from the Avenger
  • log from Junction
  • Finally, a DDS log if it will run.




#13 elleon


Posted 11 September 2009 - 11:23 PM

Hi etavares,

Sorry for taking so long to respond.

Good news:

1. The win32kDiag scan was successfully completed. Pictures of the log are here: http://www.megaupload.com/?d=6GWLS66R

2. cmd.exe ran successfully. Got the "1 file(s) copied" message.


Bad news: I tried to run Avenger, but I don't think it worked (A log was generated; pictures are included in the link above). I tried to follow the steps you gave me, but when I clicked "yes" in the "Are you sure you want to execute the current script?" window, I got a message saying:

Error: Invalid script. A valid script must begin with a command directive.

This happened even though I typed the following text exactly (I couldn't copy/paste, b/c the infected computer has no internet access):

Files to move:
C:\eventlog.dll C:\WINDOWS\system32\eventlog.dll



More Bad news: I no longer have access to task manager, and I have no Junction or DDS log yet. I was getting ready to run Junction when my computer took a turn for the worse. First my task manager window disappeared. Then my desktop came back for a couple minutes, with Windows Antivirus popups. Desktop disappeared again. Another Windows Antivirus thing appeared (This time Windows Advanced(?) Antivirus or something?). I can't access Task Manager at all anymore (No Start bar, no desktop, no clock on the bottom right. Tried ctrl+alt+del...got a message saying administrator did not allow access. Tried ctrl+alt+del again, and no window came up).

There is nothing left on my computer screen, except for Antivirus popups.

Can anything be done at this point? :(

Edited by elleon, 12 September 2009 - 12:23 AM.


#14 etavares


Posted 12 September 2009 - 12:08 PM

Hello, elleon.

Ok....let's try something different.

Let's run the Kaspersky Rescue Disk, which uses Linux to load its anti-virus and so bypasses Windows. Print out this post, as you will not be able to view these instructions while carrying out this fix.

On a clean computer, download Kaspersky Rescue Disk ISO file

Burn the Kaspersky Rescue Disk ISO image to a CD using CD/DVD burning software and ensure it is a bootable CD. You may need a burning tool like ISO Recorder to do this...be sure to get the version for the operating system you'll be creating the disk on.

For a good tutorial on burning an ISO image to disk, have a read of this post.

When done, insert the Bootable Kaspersky Rescue Disk CD into the CD ROM on the infected computer and boot the computer by loading CD ROM media first.

A DOS screen will load initially. Hit Enter to start booting the DOS Kaspersky AntiVirus.


The program will start to load, and will give you a choice of languages. Pick your language, and hit Enter

A Kaspersky AntiVirus 2009 GUI will appear after a short while. Do not start a scan yet.

  • Click the Update tab, then on the Update now button
  • When the update is complete, click on the Settings button
  • Under Scan, set Security level to High and On detection to Disinfect \ delete if it cannot be disinfected
  • Under Threats and exclusions, click the Settings tab, and ensure everything is checked
  • Click Apply then OK to return to the program
  • Click the Scan tab
  • Check all drives including Disk boot sectors
  • Click Start scan
    • The scan can take a long time, so please be patient and allow it to run to completion.
  • When the scan has completed, click the Reports button
  • Save the report to your C: drive as KAV2009.txt
  • Now remove the CD and reboot the computer into Windows.
  • Navigate to your C: drive, and post me the KAV2009.txt as an attachment in your next reply.
To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the inserted attachment icon to insert the attachment into your post.

Edited by kahdah, 12 September 2009 - 02:11 PM.




#15 elleon


Posted 12 September 2009 - 01:12 PM

Hi etavares,

A couple things:

The first link (Kaspersky Rescue Disk ISO File) doesn't work.

And by "Boot by loading CD ROM media", do you mean I just put the special bootable CD in my computer, then turn my computer on, and then wait for the DOS screen to show up?

Thanks!



