
Windows Police Pro, can't open any .exe files


This topic is locked
4 replies to this topic

#1 dave44816

Posted 07 September 2009 - 12:30 PM

My daughter managed to get Windows Police Pro off one of the social network sites.
I followed some other links here and removed everything manually, I think.
I have downloaded Malware (MBAM) and can't open it.
It scans for 1 or 2 seconds then closes; when I try to open it, it says that Windows cannot open it, I may not have the appropriate permissions to access it.
I tried to rename the mbam.exe and it won't do it, says access denied.

Laptop seems to work, but any .exe programs won't open.

#2 dave44816

Posted 07 September 2009 - 01:30 PM

Ran ComboFix and got this:

ComboFix 09-09-06.06 - Mary 09/07/2009 10:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.460 [GMT -7:00]
Running from: c:\documents and settings\Mary\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mary\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\iCheck
c:\windows\Installer\28b6fc.msp
c:\windows\Installer\28b714.msp
c:\windows\Installer\42440.msi
c:\windows\Installer\56268f.msp
c:\windows\Installer\562746.msp
c:\windows\Installer\56275d.msp
c:\windows\Installer\56831.msi
c:\windows\Installer\56837.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\bennuar.old
c:\windows\system32\dddesot.dll
c:\windows\system32\desote.exe
c:\windows\system32\FM20(2).DLL
c:\windows\system32\FPWwyGgh.ini
c:\windows\system32\FPWwyGgh.ini2
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\logon.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\rfpmxdui.ini
c:\windows\system32\sdra64.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\wispex.html
c:\windows\Tasks\cgkvbnwh.job
c:\windows\Vwindm.dll
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 16:55 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 16:55 . 2009-09-07 17:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 16:55 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 16:44 . 2009-09-07 16:44 -------- d-----w- c:\program files\EMCO
2009-09-07 15:59 . 2009-09-07 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-09-07 15:59 . 2009-09-07 15:59 -------- d-----w- c:\program files\Uniblue
2009-09-07 15:59 . 2009-09-07 15:59 -------- d-----w- c:\documents and settings\Mary\Application Data\Uniblue
2009-09-07 15:57 . 2009-09-07 15:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-09-07 02:32 . 2009-09-07 15:22 806432 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-07 02:32 . 2009-09-07 15:22 19744 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-07 00:45 . 2009-09-07 15:22 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-09-07 00:45 . 2009-09-07 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-07 00:44 . 2009-09-07 00:44 -------- d-----w- c:\documents and settings\Mary\Local Settings\Application Data\Downloaded Installations
2009-09-06 16:11 . 2003-10-16 06:42 324608 ----a-w- c:\windows\unSpySweeper.exe
2009-09-06 16:11 . 2009-09-06 16:11 -------- d-----w- c:\program files\Webroot
2009-09-06 14:24 . 2009-09-06 14:24 -------- d-----w- c:\documents and settings\Mary\Application Data\Malwarebytes
2009-09-06 14:24 . 2009-09-06 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 14:13 . 2009-09-06 14:13 -------- d-----w- C:\_OTM
2009-09-06 14:05 . 2009-09-07 17:58 -------- d--h--w- c:\windows\PIF
2009-08-15 10:05 . 2009-08-15 10:05 -------- d-----w- C:\c3e43be838e60b1d06c16427
2009-08-15 10:04 . 2009-09-07 17:58 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-13 05:17 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 15:48 . 2005-05-22 11:34 -------- d-----w- c:\program files\SpywareBlaster
2009-09-07 02:32 . 2009-09-07 02:32 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-09-07 02:32 . 2009-09-07 02:32 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-07 00:46 . 2005-03-16 22:05 45376 -c--a-w- c:\documents and settings\Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 06:17 . 2004-08-10 18:51 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-09-06 05:29 . 2008-10-06 05:48 -------- d-----w- c:\program files\Audible
2009-08-15 16:21 . 2009-01-29 23:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-15 16:21 . 2008-06-21 17:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 16:21 . 2008-06-21 17:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 19:37 . 2008-06-21 00:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 02:15 . 2009-07-31 02:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-29 10:09 . 2009-07-27 18:51 -------- d-----w- c:\program files\McAfee
2009-07-27 22:30 . 2009-06-10 04:41 -------- d-----w- c:\program files\AIMTunes
2009-07-27 22:30 . 2008-10-06 05:40 -------- d-----w- c:\program files\Creative
2009-07-27 18:51 . 2009-07-27 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-27 18:51 . 2009-07-27 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-27 18:51 . 2009-07-27 18:51 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-27 18:19 . 2009-07-27 18:19 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-27 18:19 . 2005-03-09 12:51 -------- d-----w- c:\program files\Java
2009-07-26 23:40 . 2009-07-06 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-26 23:40 . 2009-07-06 18:36 -------- d-----w- c:\program files\Yahoo!
2009-07-26 23:40 . 2009-07-06 18:37 -------- d-----w- c:\documents and settings\Mary\Application Data\Yahoo!
2009-07-26 23:39 . 2005-03-09 12:56 -------- d-----w- c:\program files\MUSICMATCH
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-10 18:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-10 18:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 18:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2004-08-10 19:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-10 18:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-15 2007832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-27 148888]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-09 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 16:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk
backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/21/2008 10:53 AM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 4:30 PM 297752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/27/2009 11:51 AM 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/7/2008 1:17 AM 24652]
S1 d86bde53.sys;d86bde53.sys;\??\c:\windows\System32\drivers\d86bde53.sys --> c:\windows\System32\drivers\d86bde53.sys [?]
S1 ldn5682;ldn5682;\??\c:\windows\System32\drivers\ldn5682.sys --> c:\windows\System32\drivers\ldn5682.sys [?]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [3/21/2005 2:10 PM 53120]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2/10/2006 5:27 PM 45840]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2598626531-220111515-672709021-1006Core.job
- c:\documents and settings\Mary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-24 08:58]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2598626531-220111515-672709021-1006UA.job
- c:\documents and settings\Mary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-24 08:58]

2009-09-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-02-11 00:27]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5087b249-ac47-4897-8f37-9f2c703d081a} - c:\windows\system32\mbgrhw.dll
BHO-{A45BE255-F2E1-489C-B07A-BBF50757EFD9} - c:\windows\system32\hgGywWPF.dll
HKLM-Run-COMODO Firewall Pro - c:\program files\COMODO\Firewall\cfp.exe
Notify-cbXNETMD - cbXNETMD.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 11:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-07 11:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 18:13

Pre-Run: 15,792,578,560 bytes free
Post-Run: 18,019,151,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

273 --- E O F --- 2009-09-02 10:00


Any help would be appreciated, thank you.

#3 dave44816

Posted 07 September 2009 - 02:31 PM

ComboFix allowed me to start Windows in safe mode, but the results are the same; I can't run malware in safe mode either. I get the same message:
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

#4 dave44816

Posted 07 September 2009 - 05:16 PM

RootRepeal log, if it helps:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 17:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE1DA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D17000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7CBF000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED77F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF75BF000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_670.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\sqlite_c9eocetm7fspzbk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_can1wpvha9fbcrq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ika07h91kxcbtie
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_p5sbhob4nszelok
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_p9bf9bpey6kelgw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_tcmr9wdbnuttzrh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\mary\local settings\temp\etilqs_akc9dzewrlowq6bfdy5y
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\mary\local settings\temp\etilqs_hfvmtdewd0m3jmatgvpy
Status: Allocation size mismatch (API: 8192, Raw: 0)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9ddfc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9dac80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f5170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9de580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f2900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f2b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f6b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9de670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9db210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f59f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f57a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f2280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f5f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f5f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9db070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f4180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f3f40

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f66f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f6150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9ddbe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f6540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9de190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9db440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f54e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f3200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f3080

==EOF==

#5 Orange Blossom
Moderator

Posted 07 September 2009 - 06:51 PM

Hello,

I see that you posted a topic in the HiJack This forum here: http://www.bleepingcomputer.com/forums/t/255974/cant-run-malware-or-any-exe-files/ I have pasted the RootRepeal log from above into that topic.

Please note that ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself: the scalpel and other surgical tools that are ComboFix are meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through, s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection, but if you aren't infected you might need those restore points.

Read and abide by the disclaimer, people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help; that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014


Because you have a topic posted in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom