
can't run malware or any .exe files


This topic is locked
18 replies to this topic

#1 dave44816

dave44816

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 07 September 2009 - 06:40 PM

Sounds like I have a similar problem to others
Rootkit problem?

I had Windows Police Pro. I manually deleted everything using this site's guidelines; think I got it all.
Now I can't run malware (mbam), nor can I rename it or run it in safe mode.
Help! At wit's end here.

Thanks in advance for any help you can provide

Inserting RootRepeal log posted in another topic here: http://www.bleepingcomputer.com/forums/t/255870/windows-police-pro-cant-open-any-exe-files/ Note that there is also a Combofix log there. ~ OB

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 17:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE1DA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D17000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7CBF000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED77F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF75BF000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_670.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\sqlite_c9eocetm7fspzbk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_can1wpvha9fbcrq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ika07h91kxcbtie
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_p5sbhob4nszelok
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_p9bf9bpey6kelgw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_tcmr9wdbnuttzrh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\mary\local settings\temp\etilqs_akc9dzewrlowq6bfdy5y
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\mary\local settings\temp\etilqs_hfvmtdewd0m3jmatgvpy
Status: Allocation size mismatch (API: 8192, Raw: 0)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9ddfc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9dac80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f5170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9de580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f2900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f2b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f6b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9de670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9db210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f59f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f57a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f2280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f5f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f5f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9db070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f4180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f3f40

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f66f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f6150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9ddbe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f6540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9de190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9db440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f54e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f3200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f3080

==EOF==

Edited by Orange Blossom, 07 September 2009 - 06:47 PM.



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:55 AM

Posted 07 September 2009 - 07:19 PM

Hi, dave44816 :(

If you have Zone Alarm installed, please remove it.

Please save this file to your desktop. Click on Start->Run, copy-paste the following command (the line below) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
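The RootRepeal log in post #1 and the "remove Zone Alarm" advice above are connected: every SSDT hook in that log is by the same driver. As an added example (not from the thread, not RootRepeal's or any forum tool's code), here is a small Python triage script that parses a RootRepeal-style report, groups SSDT hooks by the hooking driver and separates hooks from an allowlisted driver from hooks that need a look. The embedded sample is cut down from the log in post #1 plus one constructed hook line for a driver name that does not exist (`example_unknown.sys`) so the "investigate" path is exercised. The allowlist entry mapping `vsdatant.sys` to ZoneAlarm's TrueVector driver is my assumption, not something the thread states; the temp-file heuristic is likewise mine.

```python
import re
from collections import defaultdict

# Sample input, cut down from the RootRepeal log in post #1, plus ONE constructed
# hook by "example_unknown.sys" (a driver name that does not exist) so that the
# "investigate" branch below is exercised. Raw string so the backslashes survive.
SAMPLE_LOG = r"""ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 17:03
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_670.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9ddfc0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\example_unknown.sys" at address 0xee000000

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee9f3080

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Shadow SSDT|Processes|Stealth Objects)$")
HOOK_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)$")
HOOKED_BY_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')
SIZE_RE = re.compile(r"API:\s*(\d+),\s*Raw:\s*(\d+)")

# Drivers whose SSDT hooks are expected on this box. vsdatant.sys is ZoneAlarm's
# TrueVector driver (the product the helper asks to remove); this mapping is my
# assumption, not something the thread states.
KNOWN_HOOKING_DRIVERS = {"vsdatant.sys": "ZoneAlarm (TrueVector) firewall driver"}


def parse_rootrepeal(text):
    """Return {'hidden': [...], 'ssdt': [...]} from RootRepeal's plain-text report."""
    report = {"hidden": [], "ssdt": []}
    section, pending = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("---", "==")):
            continue  # blank lines, section underlines, banner and ==EOF==
        if m := SECTION_RE.match(line):
            section, pending = m.group(1), {}
        elif section == "SSDT":
            if m := HOOK_RE.match(line):
                pending = {"index": int(m.group(1)), "function": m.group(2)}
            elif (m := HOOKED_BY_RE.match(line)) and pending:
                pending.update(module=m.group(1), address=int(m.group(2), 16))
                report["ssdt"].append(pending)
                pending = {}
        elif section == "Hidden/Locked Files":
            if line.startswith("Path:"):
                pending = {"path": line[5:].strip()}
            elif line.startswith("Status:") and pending:
                status = line[7:].strip()
                m = SIZE_RE.search(status)
                pending.update(status=status,
                               api_size=int(m.group(1)) if m else None,
                               raw_size=int(m.group(2)) if m else None)
                report["hidden"].append(pending)
                pending = {}
    return report


def hooks_by_module(report):
    """Group hooked syscalls by the file name of the hooking driver."""
    grouped = defaultdict(list)
    for hook in report["ssdt"]:
        grouped[hook["module"].rsplit("\\", 1)[-1].lower()].append(hook["function"])
    return {mod: sorted(fns) for mod, fns in grouped.items()}


def triage(report, known=KNOWN_HOOKING_DRIVERS):
    """Yield (verdict, item, note) tuples: a reading order, not a verdict on infection."""
    for mod, fns in hooks_by_module(report).items():
        if mod in known:
            yield "expected", mod, f"{len(fns)} SSDT hooks: {known[mod]}"
        else:
            yield "investigate", mod, f"{len(fns)} SSDT hooks by an unrecognised driver"
    for f in report["hidden"]:
        p = f["path"].lower()
        # Temp-directory files with a raw size of 0 are usually delete-pending scratch
        # files (the sqlite_/etilqs_ entries in post #1); hiberfil.sys is always locked.
        if p.endswith("\\hiberfil.sys") or ("\\temp\\" in p and f["raw_size"] == 0):
            yield "noise", f["path"], f["status"]
        else:
            yield "investigate", f["path"], f["status"]
```

Run against the full log from post #1 the SSDT summary collapses to a single line for vsdatant.sys, which is exactly what prompts the advice to remove ZoneAlarm before running further tools; anything that lands in the "investigate" bucket is what you read first.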


#3 dave44816


Posted 07 September 2009 - 08:05 PM

Log file is located at: C:\Documents and Settings\Mary\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe


Hope I did it correctly; doesn't seem right.

#4 JSntgRvr


Posted 07 September 2009 - 08:25 PM

Log file is located at: C:\Documents and Settings\Mary\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe


Hope I did it correctly; doesn't seem right.

Check the file again. It will be completed when it states finished at the bottom of the report. The tool may still be scanning in the background.



#5 dave44816


Posted 07 September 2009 - 08:30 PM

Log file is located at: C:\Documents and Settings\Mary\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


Took a little bit, like you suggested.

#6 JSntgRvr


Posted 07 September 2009 - 09:10 PM

Other than Zone Alarm, I don't see anything wrong.

How is it doing?



#7 dave44816


Posted 07 September 2009 - 09:16 PM

Still can't open any .exe files. I get a message that says
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them."
Happens with Spybot, Malwarebytes (mbam), and a driver scanner.
These don't work in safe mode either.

Is there a better free firewall that you like?

#8 JSntgRvr


Posted 07 September 2009 - 09:20 PM

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.



#9 dave44816


Posted 07 September 2009 - 09:38 PM

A black box opens and the heading says "C:\windows\system32\cmd.exe".
In the box it says "junction is not recognized as an internal or external command, operable program or batch file".

did I do something wrong?


Notepad is empty.

Edited by dave44816, 07 September 2009 - 09:42 PM.


#10 JSntgRvr


Posted 07 September 2009 - 09:46 PM

Let's try this again.

Extract junction.exe. This time save it in the root directory (C:\ folder).
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as fix.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the fix.bat file. The MSDOS window will be displayed. That is normal. Wait until a log file opens. Copy and paste or attach the content of it.

@ECHO OFF
REM Work from the root of C:, where junction.exe was saved
cd c:\
REM Recursively list junctions (reparse points) under C:\ into log.txt
junction -s c:\ >log.txt
REM Open the finished log in the default text editor
start log.txt
REM Remove this batch file once it has run
del %0


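The two attempts above (posts #8 and #10) both try to get a recursive `junction -s c:\` listing out of the machine. What such a scan does, reconstructed as an added Python example (this is not the Sysinternals tool, nor anything posted in the thread): walk a tree, report every reparse point together with its target, and never descend into one, so a junction that points back up the tree cannot loop the scan. NTFS junctions, mount points and symlinks all carry the reparse-point attribute, which is what the check below tests on Windows; the hypothetical `build_demo_tree()` fixture uses POSIX symlinks as the portable stand-in, since creating a junction needs a Windows box and creating a symlink there needs an elevated or developer-mode session.

```python
import os
import stat
import tempfile

# NTFS attribute bit set on junctions, mount points and symlinks. st_file_attributes
# only exists on Windows; elsewhere the POSIX symlink bit is the fallback.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path):
    """True for an NTFS reparse point (junction, mount point, symlink) or a POSIX symlink."""
    st = os.lstat(path)  # lstat: inspect the link itself, never what it points at
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(st.st_mode)


def find_reparse_points(root):
    """Walk root and return {relative_path: target_or_None} for every reparse point.

    Reparse-point directories are reported but never descended into, so a junction
    that loops back up the tree cannot turn the scan into an endless walk.
    """
    found = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        keep = []
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                if is_reparse_point(full):
                    try:
                        target = os.readlink(full)  # resolves junction targets on 3.8+
                    except OSError:
                        target = None
                    found[os.path.relpath(full, root)] = target
                elif name in dirnames:
                    keep.append(name)
            except OSError:
                continue  # permission denied or file vanished mid-scan: skip, keep walking
        dirnames[:] = keep  # prune in place: os.walk only descends into what is left
    return found


def build_demo_tree():
    """Constructed fixture (hypothetical, not from the thread): one real directory
    with a file, plus a directory symlink and a file symlink pointing into it."""
    root = tempfile.mkdtemp(prefix="junction_demo_")
    os.mkdir(os.path.join(root, "real"))
    with open(os.path.join(root, "real", "f.txt"), "w") as fh:
        fh.write("payload\n")
    os.symlink("real", os.path.join(root, "link_to_real"), target_is_directory=True)
    os.symlink("real/f.txt", os.path.join(root, "link_to_file"))
    return root


def demo():
    """Scan the fixture; returns {'link_to_real': 'real', 'link_to_file': 'real/f.txt'}."""
    return find_reparse_points(build_demo_tree())
```

Pointed at a live `C:\` the same function produces the listing the batch file was meant to capture in log.txt; writing it with `json.dump` or a plain loop is the only piece left out.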


#11 dave44816


Posted 07 September 2009 - 10:00 PM

Tried that several times. As soon as I double-click on fix.bat, the black box appears briefly and then disappears; Notepad opens and does nothing, named log.txt, no data.
I'm sure I did it correctly as it's spelled out.
Checking back on the desktop, fix.bat is gone now.


Going to bed now; won't be on until around 7 pm my time (Central time).
Thanks for your help so far.

Edited by dave44816, 07 September 2009 - 10:35 PM.


#12 JSntgRvr


Posted 07 September 2009 - 11:14 PM

Let's see if we can do this automatically.

Download the enclosed folder. [attachment=30345:AutoScan.zip]Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat file. The MSDOS window will be displayed. That is normal. Wait until a log file opens. Copy and paste or attach the content of it in your next reply.

Edited by JSntgRvr, 08 September 2009 - 02:01 PM.



#13 dave44816


Posted 08 September 2009 - 06:48 AM

A quick reply before work today
I tried the new instructions and the following is what's going on:
I saw the MSDOS window for a split second, then Notepad opens and it's blank again (log.txt).
I see it doing something as the DOS window was full of data, but it appears for only a second.

Off to work, be back around 7pm tonight

#14 JSntgRvr


Posted 08 September 2009 - 02:03 PM

I made some modifications to the batch file and uploaded a new .zip folder. Remove the folders downloaded and extracted. Go back to Post #12 and download the modified copy.



#15 dave44816


Posted 08 September 2009 - 06:36 PM

Does the same thing: I can see the MSDOS window briefly and then it disappears.
Notepad log.txt is empty.



