
No desktop after Windows Police Pro infection


This topic is locked
8 replies to this topic

#1 Jon C. (Members, 19 posts)

Posted 10 September 2009 - 12:41 PM

Hello All
I was recently struck with Windows Police Pro on my home Windows XP machine. I was running Webroot Antivirus, but that didn't stop it. I have been able to partly remove the monster, but now my system boots to my desktop background with no Icons or Start menu. I can get task manager to run, and run some small programs from there. Explorer refuses to start, as well as any virus removal tools. They show in task manager, but never seem to execute. I sometimes see "b.exe" pop up in processes. Safe mode behaves much the same way. I have access to the internet from a 2nd computer, and the two are networked, so I can download programs from the good one to the bad one. Is there any hope?
Jon



#2 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 11 September 2009 - 08:24 PM

Welcome to BC.
It is not a quick process, but it's fixable.

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Jon C. (Topic Starter, Members, 19 posts)

Posted 12 September 2009 - 08:23 PM

Thanks for helping me Mark.
I tried your suggestion, but was unsuccessful. I ran RootRepeal and got an error on startup "Invalid PE Image". I clicked the "x" on the error notification, and it started normally. I think the error may actually be a false one from whatever is infesting the computer. I started the scan as you directed, but it runs a few seconds and then gets killed off while scanning C:. I tried in safe mode as well with the same result.

I will be traveling this week, so I won't have access to my 'puter to work on it. If I don't reply, please don't delete me, I am still very interested in getting through this. It will probably be Friday before I will get another shot however.

Thanks again,
Jon

#4 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 13 September 2009 - 04:47 PM

I'll be here. You might want to look at this tutorial in the meantime:
http://www.bleepingcomputer.com/virus-remo...dows-police-pro
Mark

#5 Jon C. (Topic Starter, Members, 19 posts)

Posted 18 September 2009 - 12:19 PM

OK,
I am back and ready to spend some time getting rid of this thing. I read the tutorial, and got as far as running Malwarebytes. I got it installed, but some component of the virus will not allow it to run. Some programs will run, some will run a little while and then get killed, and others not at all....

Jon

#6 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 18 September 2009 - 07:27 PM

On your Desktop, rename RootRepeal.exe to tatertot.scr and try it.
You can also just select Drivers to scan.

Also try:

1. Download Win32kDiag from any of the following locations and save it to your Desktop. Rename it like you did with RootRepeal.
   http://ad13.geekstogo.com/Win32kDiag.exe
   http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe
2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
Mark

#7 Jon C. (Topic Starter, Members, 19 posts)

Posted 19 September 2009 - 04:47 PM

OK, I got RootRepeal to scan everything except files, and Win32kDiag ran OK. Here are the logs:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 16:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA99B6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CB9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7DA1000 Size: 2560 File Visible: No Signed: -
Status: -

Name: PCI_HAL
Image Path: \Driver\PCI_HAL
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: tatertot.com.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.com.sys
Address: 0xA8CAD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7A3F000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA9A1E000 Size: 61440 File Visible: No Signed: -
Status: -

==EOF==

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 16:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UACfa9e.tmpqqykut.dll]
Process: svchost.exe (PID: 960) Address: 0x009a0000 Size: 217088

Object: Hidden Module [Name: UACwoxktarvyq.dll]
Process: svchost.exe (PID: 960) Address: 0x00bf0000 Size: 65536

Object: Hidden Module [Name: rotscxfcmetepx.dll]
Process: svchost.exe (PID: 960) Address: 0x10000000 Size: 53248

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86e66c78 Size: 905

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86e64350 Size: 2051

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8721dcb0 Size: 448

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8721dc38 Size: 568

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8721dbc0 Size: 688

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8721fe00 Size: 455

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8721fd88 Size: 575

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8721fd10 Size: 695

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8721fc98 Size: 815

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8721fc20 Size: 935

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8721fba8 Size: 1055

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87221b20 Size: 1249

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87221aa8 Size: 1369

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87221a30 Size: 1489

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x872219b8 Size: 1609

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87221940 Size: 1729

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x872218c8 Size: 1849

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87221850 Size: 1969

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x872217d8 Size: 2089

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87221760 Size: 2213

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x872d1020 Size: 1661

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x872d1438 Size: 613

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x872d13c0 Size: 733

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x872d1348 Size: 853

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x872d12d0 Size: 973

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x872d1258 Size: 1093

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x872d11e0 Size: 1213

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x872d1168 Size: 1333

Hidden Services
-------------------
Service Name: rotscxjnkxyqxo
Image Path: C:\WINDOWS\system32\drivers\rotscxvnsswemr.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxgkucvghsu.sys

==EOF==

Running from: D:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Lab\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10C.tmp\ZAP10C.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BE.tmp\ZAP2BE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 06:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 05:23:07 1033216 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:49 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\InCD\InCD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Internet Logs\Internet Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8c6322a455d51e8a1346db4713089043\8c6322a455d51e8a1346db4713089043
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9de5dbc7caed13f6a2349c5fdc61cdb6\9de5dbc7caed13f6a2349c5fdc61cdb6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a2850ba2c561d0bfb4e8c8fd3f9bf263\a2850ba2c561d0bfb4e8c8fd3f9bf263
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\d346b7396358ac7bd3dcc0e62b35367d
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Start Menu\Programs\Family Tree Maker\Family Tree Maker
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Adobe\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1003\S-1-5-21-515967899-1383384898-839522115-1003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1005\S-1-5-21-515967899-1383384898-839522115-1005
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\8L5YR75Y\8L5YR75Y
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\gadcom\gadcom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\5BKVGM57\5BKVGM57
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Macromed\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ѕуstem\ѕуstem
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Тasks\Тasks
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\TGFi\TGFi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Finished!
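The two logs above are what a helper reads by eye; as an added example (not code from this thread, from RootRepeal or from Win32kDiag), the Python script below parses both formats and flags the entries a reviewer looks at first: a driver whose image path is an NTFS alternate data stream (the win32k.sys:1 entry), hidden modules, hooked Tcpip IRP dispatch routines, hidden services, reparse points whose target is not under \??\ (an assumption about what a benign junction looks like), directory names that contain non-ASCII look-alike letters, and binaries for which Win32kDiag printed an empty company name. The sample inputs are constructed from fragments of the logs posted above, and the function names and indicator categories are this example's own.

```python
# Triage helper for RootRepeal and Win32kDiag text logs (added example, not code from the thread or either tool).
import re
from collections import Counter

# Constructed samples, assembled from fragments of the logs posted above.
ROOTREPEAL_SAMPLE = r"""Drivers
-------------------
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7A3F000 Size: 20480 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwoxktarvyq.dll]
Process: svchost.exe (PID: 960) Address: 0x00bf0000 Size: 65536

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86e66c78 Size: 905

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxgkucvghsu.sys

==EOF==
"""
WIN32KDIAG_SAMPLE = r"""Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Тasks\Тasks
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)
"""

# Several "Key: value" pairs may share one line; a key only counts at line start or after whitespace.
KEY_RE = re.compile(r"(?:^|(?<=\s))(Service Name|Image Path|File Visible|"
                    r"Name|Address|Size|Signed|Status|Object|Process):\s*")

def parse_fields(line):
    keys = list(KEY_RE.finditer(line))
    return {m.group(1): line[m.end():(keys[i + 1].start() if i + 1 < len(keys) else None)].strip()
            for i, m in enumerate(keys)}

def parse_rootrepeal(text):
    """Map each RootRepeal section ("Drivers", "Stealth Objects", ...) to its entries."""
    sections, section, entry = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and nxt and set(nxt) == {"-"}:      # a header is underlined with dashes
            section, entry = line.strip(), {}
            sections[section] = []
        elif not line.strip():                               # a blank line closes an entry
            if section and entry:
                sections[section].append(entry)
            entry = {}
        elif section and not (set(line.strip()) == {"-"} or line.startswith("==")):
            entry.update(parse_fields(line))
    if section and entry:
        sections[section].append(entry)
    return sections

def parse_win32kdiag(text):
    # Returns ([(reparse point, target)], [(path, size, company)]).
    mounts, files = [], []
    lines = [l.strip() for l in text.splitlines() if l.strip()] + [""]
    for i, line in enumerate(lines[:-1]):
        if line.startswith("Found mount point :") and lines[i + 1].startswith("Mount point destination :"):
            mounts.append((line.split(":", 1)[1].strip(), lines[i + 1].split(":", 1)[1].strip()))
        m = re.match(r"\[\d+\]\s+\S+\s+\S+\s+(\d+)\s+(.+?)\s+\((.*)\)$", line)
        if m:                                                # "[n] date time size path (company)"
            files.append((m.group(2), int(m.group(1)), m.group(3)))
    return mounts, files

def find_indicators(sections, mounts, files):
    hits = []
    for d in sections.get("Drivers", []):
        if re.search(r":\d+$", d.get("Image Path", "")):   # driver image is an NTFS alternate data stream
            hits.append(("ads_driver", d["Image Path"]))
    for o in sections.get("Stealth Objects", []):
        obj = o.get("Object", "")
        kind = "hooked_irp" if obj.startswith("Hidden Code") else "hidden_module"
        hits.append((kind, obj + " in " + o.get("Process", "?")))
    for s in sections.get("Hidden Services", []):
        hits.append(("hidden_service", s.get("Service Name", "?") + " -> " + s.get("Image Path", "?")))
    for src, dst in mounts:
        if not dst.startswith("\\??\\"):   # assumption: benign junctions target the \??\ namespace
            hits.append(("odd_reparse_target", src + " -> " + dst))
        if any(ord(c) > 127 for c in src):  # non-ASCII look-alike letters in a system directory name
            hits.append(("homoglyph_path", src))
    for path, size, company in files:
        if not company:                     # "()" in the log: no company name in the version resource
            hits.append(("no_version_info", "%s (%d bytes)" % (path, size)))
    return hits

def triage(rootrepeal_text, win32kdiag_text):
    # Returns (list of (category, detail), Counter of categories).
    hits = find_indicators(parse_rootrepeal(rootrepeal_text), *parse_win32kdiag(win32kdiag_text))
    return hits, Counter(kind for kind, _ in hits)

if __name__ == "__main__":
    for kind, detail in triage(ROOTREPEAL_SAMPLE, WIN32KDIAG_SAMPLE)[0]:
        print("%-20s %s" % (kind, detail))
```

Run as-is to list the indicators in the embedded samples, or pass the saved RootRepeal.txt and Win32kDiag.txt contents to triage(). The categories are a reading aid, not a verdict: a reparse point to an unusual device, a system binary with no version information, and an ADS-hosted driver are each worth a question, and several together are what turns a log like the one above into a case for the specialist forum.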

#8 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 19 September 2009 - 07:07 PM

You have a nasty rootkit that needs special treatment from the HJT team.

Now that you were able to produce a log, you need to post it in our HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Give a brief description and tell them that this log was all you could get to run successfully.
The HJT team is extremely busy, so be patient, and good luck.
Mark

#9 Orange Blossom (OBleepin Investigator, Moderator, 36,807 posts, Bloomington, IN)

Posted 20 September 2009 - 10:44 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/258836/rootkit-left-over-after-windows-police-pro-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



