
AntiVirus Infected, Error messages when I click (Windows XP)


7 replies to this topic

#1 jd1085

jd1085

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 10 September 2009 - 12:37 PM

Windows XP

Hey,

I hope you could help me out. I believe the problem started when I called Tech Support for my router and the guy needed me to disable Windows Firewall in order to help. Well, the router got fixed and all was well, but I didn't immediately enable the Firewall again, and a couple of hours later I was on the internet and my computer shut down.

A blue screen said it was for safety. When I turned it back on, I found something called Windows Police Pro (which I had never heard of) telling me that the computer is being attacked. I don't trust it, but it won't let me close the window either, so I click the icon for my own AntiVirus (Symantec) and a message tells me that it has been infected. I try again and there's a window saying

Error
"C:\Program Files\Symantec AntiVirus\SymCorpUI.exe"

I then went to Control Panel to see if I can remove the program, but when I click 'Add/Remove Programs' I get another error message:
"C:\Windows\system32\rundll32.exe"
C:\Windows\system32\shell32.dll.Control_RunDLL
C:\Windows\system32\appwiz.cpl

I turn it off and on again and there are more and more error messages. In Control Panel, when I click Firewall, I get another error message. Before posting this I read through these forums and tried to scan the computer with Dr. Web CureIt, but after downloading it, when I click it, I get an error message:
"C:\Documents and Settings\My Documents\Downloads\drweb-cureit.exe"

I'm lost, don't even know where to start....



#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:08:20 AM

Posted 11 September 2009 - 08:19 PM

Welcome to BC

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 jd1085

jd1085
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 17 September 2009 - 04:05 PM

I'm on another computer now (laptop); my infected one no longer lets me connect to the internet.

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:08:20 AM

Posted 17 September 2009 - 07:09 PM

Do you have a thumb drive or a CD burner?
Mark

#5 jd1085

jd1085
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 27 September 2009 - 02:58 PM

I have a thumb (flash?) drive

#6 jd1085

jd1085
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 07 October 2009 - 08:43 PM

OK, I was finally able to open RootRepeal. I just had to uncheck a box on a message screen before it opened.

Edited by jd1085, 07 October 2009 - 09:07 PM.


#7 jd1085

jd1085
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 07 October 2009 - 08:54 PM

I saved RootRepeal on a thumb drive and finally I'm able to scan the computer. I'll have the report up in a bit.

Edited by jd1085, 07 October 2009 - 09:03 PM.


#8 jd1085

jd1085
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 07 October 2009 - 09:17 PM

Here it is, sorry for the delay, and thanks for the help so far,

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 21:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8A48000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7688000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxaspqrncf.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxikpylwse.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxqhwfchpu.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\perflib_perfdata_c8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\SYSTEM32\DRIVERS\rotscxwmexcxnk.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\jose\Local Settings\Temp\rotscximtfhqpxtd.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\jose\Local Settings\Temp\rotscxxnsretgorv.tmp
Status: Invisible to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a4eee90

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a3e1cc8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a4faae0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a387fb0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8a542120

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a66c048

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a1e40f8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a532a10

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a66fe50

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a387548

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a3f1a08

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a36d0a8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8a4dd318

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a61db90

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a395238

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a395110

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a4ad3a8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a3e4660

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a3f1dc0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a2340a8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a395490

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a1e6108

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a3f7440

Stealth Objects
-------------------
Object: Hidden Module [Name: rotscxikpylwse.dll]
Process: svchost.exe (PID: 940) Address: 0x10000000 Size: 53248

Hidden Services
-------------------
Service Name: rotscxetbvtvps
Image Path: C:\WINDOWS\system32\drivers\rotscxwmexcxnk.sys

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x89ea52f0

==EOF==
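The report above is the kind a forum helper reads by eye: files "Invisible to the Windows API", a hidden service whose driver is itself hidden, a module injected into svchost.exe, and a long list of SSDT entries hooked by "<unknown>", all sharing the same random-looking "rotscx" prefix. The script below is an added example, not part of this thread and not RootRepeal's own code: it parses a report in the layout posted here (a constructed excerpt, with values copied from the report above, is embedded so it runs offline) and pulls those indicators into one summary. The allow-list of drivers that RootRepeal normally reports as "File Visible: No" (its own rootrepeal.sys and the crash-dump copies of the disk stack) is my assumption, added so the tool's own driver is not flagged alongside the real hidden ones.

```python
import os
import re

# Constructed excerpt in the layout of the RootRepeal report posted in this
# thread (values copied from that report; embedded so the script runs offline).
SAMPLE_REPORT = """\
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA7688000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\SYSTEM32\\rotscxikpylwse.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\SYSTEM32\\DRIVERS\\rotscxwmexcxnk.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a2340a8

Stealth Objects
-------------------
Object: Hidden Module [Name: rotscxikpylwse.dll]
Process: svchost.exe (PID: 940) Address: 0x10000000 Size: 53248

Hidden Services
-------------------
Service Name: rotscxetbvtvps
Image Path: C:\\WINDOWS\\system32\\drivers\\rotscxwmexcxnk.sys

==EOF==
"""

# Assumed allow-list: drivers RootRepeal reports as "File Visible: No" on a clean
# XP host (the scanner's own driver and the crash-dump copies of the disk stack).
BENIGN_INVISIBLE_DRIVERS = {"rootrepeal.sys", "dump_atapi.sys", "dump_wmilib.sys"}
KEY_VALUE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_report(text):
    """{section: [record, ...]}; a header is a line followed by a dashed rule,
    records are blank-line separated groups of 'Key: value' lines."""
    lines = text.splitlines()
    sections, current, record = {}, None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            current, record = line.strip(), {}
            sections[current] = []
        elif not line.strip() or line.startswith(("-----", "==")):
            if record and current is not None:
                sections[current].append(record)
            record = {}
        elif current is not None:
            m = KEY_VALUE.match(line)
            if m:  # only the first 'Key:' on a line; the tail stays in the value
                record[m.group(1).strip()] = m.group(2).strip()
    if record and current is not None:
        sections[current].append(record)
    return sections


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def summarize(text):
    """Indicators a responder reads first, plus the shared prefix that ties the
    hidden files, the hidden service and the injected module together."""
    s = parse_report(text)
    # 'Locked' (hiberfil.sys) and allocation mismatches are not concealment;
    # only 'Invisible to the Windows API' means something is hiding the object.
    hidden = [r["Path"] for r in s.get("Hidden/Locked Files", [])
              if "Invisible to the Windows API" in r.get("Status", "")]
    drivers = [r["Name"] for r in s.get("Drivers", [])
               if "File Visible: No" in r.get("Address", "")
               and r["Name"].lower() not in BENIGN_INVISIBLE_DRIVERS]
    hooks = {}
    for table in ("SSDT", "Shadow SSDT"):
        for r in s.get(table, []):
            m = re.search(r"Function Name:\s*(\S+)", r.get("#", ""))
            if m and "<unknown>" in r.get("Status", ""):
                hooks.setdefault(table, []).append(m.group(1))
    services = [(r["Service Name"], r["Image Path"]) for r in s.get("Hidden Services", [])]
    modules = re.findall(r"\[Name:\s*([^\]]+)\]",
                         " ".join(r.get("Object", "") for r in s.get("Stealth Objects", [])))
    names = [basename(p) for p in hidden] + [n for n, _ in services] + modules
    return {"hidden_files": hidden, "suspicious_drivers": drivers, "unknown_hooks": hooks,
            "hidden_services": services, "hidden_modules": modules,
            "common_prefix": os.path.commonprefix([n.lower() for n in names])}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print("%-19s %s" % (key, value))
```

Run it against the full report above and the same picture emerges: every hidden file, the hidden service, the injected module and the hidden driver share the "rotscx" prefix, and the hooked entries cover thread creation, memory mapping and process termination, which is why the poster's antivirus and Add/Remove Programs refuse to start. Locked and size-mismatched entries are kept out of the hidden list on purpose; hiberfil.sys and live perflib data look that way on every XP machine.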



