Windows Police Pro


5 replies to this topic

#1 antonior

antonior

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 13 September 2009 - 06:51 AM

The Windows Police Pro guide didn't work for me; the file I downloaded didn't let me open it up because of the problem :thumbsup:
My PC is Windows XP Media Center Edition 2005.
So I really need help fixing this. My McAfee Security Center has scanned the file after I got it, but can't do anything else about it :flowers: since I need to view details but I can't see them.
When I try to run any programs it gives me errors.
I tried to run fixtm and it gave me the error "registry editor has been disabled by adminstrator".
I also tried DDS and it asked me if I want to run it. I clicked Yes (Run), then the error showed up as "windows cannot find 'cmd'. make sure you typed the name correctly, then try again. to search for the fire, click start button, then click search."
Also, the error I get when I try to open things is this:
"c:\PROGRA~1\mcafee\mcshell.exe" - I get this error about 4 times and I click OK on it.
While I got that error I also got
an svchost.exe error which has Debug, Send Error Report and Fix It buttons. I click Debug and nothing happens, and then Send Error Report, nothing happens. Then when I click it, it brings up Windows Police Pro x.x

I am also sorry for editing this so much.

Edited by antonior, 13 September 2009 - 12:43 PM.
Moved from HJT to a more appropriate forum. Tw



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:02 AM

Posted 14 September 2009 - 07:41 AM

Hi antonior, and :thumbsup: to Bleeping Computer!

ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 antonior

antonior
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 19 September 2009 - 09:59 AM

Sorry that I haven't been able to respond; I've been busy.
I also tried running my PC in Safe Mode with no networking and deleted the program like that. Then I restarted it to do a virus scan. It seemed like it worked, but lately my on-demand virus scan has been having errors and whatnot. But I have done what you said about the RootRepeal report and here it is:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 09:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5D31000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA61E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9E38F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\rotscxbisrgvnk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxcdjmwhtj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxepewstll.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxltoqxwbt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxpkltfqxo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxpyargftq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxetixrvmico.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_nxcaxxqoes8lkm0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\rotscxbcqtxsbgpu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxcrhrcooxrp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxctmxgudcow.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxdaftjvvqcl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxdxetirewqo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxeudddtgqhp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxgweofalbix.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxjdsgtjfvqh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxjppsqbhuay.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxjybllfbckh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxnromsjxvpi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxoncayffgmx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxpxphyjptvr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxqohvmlksyq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxrkvuhrbhlb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxswtcqbilxq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxtuxppyeyow.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxukblegooka.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxwynhvnekqw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxxaqygqkjoa.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxxjnhckpjfm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\rotscxmphqixns.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: rotscxpyargftq.dll]
Process: svchost.exe (PID: 1072) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: rotscxetixrvmico.tmpll]
Process: Explorer.EXE (PID: 2972) Address: 0x10000000 Size: 32768

==EOF==
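A triage pass over the RootRepeal report format posted above, added here as an illustration (it is not part of the thread and not RootRepeal's own code): it pulls out the entries the Windows API cannot see, finds the shared name prefix that TDSS-style droppers give their components, and cross-checks the hidden .sys driver against the module hidden inside svchost.exe. The sample report is a constructed excerpt of the posted log.

```python
import re
import ntpath
from collections import Counter

# Constructed excerpt in the layout of the RootRepeal 1.3.5.0 report posted above.
SAMPLE_REPORT = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\rotscxcdjmwhtj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxpyargftq.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_nxcaxxqoes8lkm0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\rotscxmphqixns.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: rotscxpyargftq.dll]
Process: svchost.exe (PID: 1072) Address: 0x10000000 Size: 53248
==EOF==
"""

def parse_report(text):
    # Files the Windows API cannot see, and modules loaded but hidden from a process's module list.
    hidden = [p.strip() for p, s in re.findall(r"Path: (.+)\nStatus: (.+)", text)
              if s.startswith("Invisible to the Windows API")]
    mods = re.findall(r"Hidden Module \[Name: ([^\]]+)\]\nProcess: (\S+) \(PID: (\d+)\)", text)
    return hidden, [(name, proc, int(pid)) for name, proc, pid in mods]

def shared_prefix(paths, length=6):
    # Most common leading chunk of the hidden file names; one random-looking family prefix is typical.
    counts = Counter(ntpath.basename(p).lower()[:length] for p in paths)
    prefix, n = counts.most_common(1)[0] if counts else ("", 0)
    return prefix if n >= 2 else ""

def triage(text):
    # Summarise the kernel-rootkit indicators in one report.
    hidden, mods = parse_report(text)
    prefix = shared_prefix(hidden)
    family = [p for p in hidden if prefix and ntpath.basename(p).lower().startswith(prefix)]
    drivers = [p for p in family if p.lower().endswith(".sys")]
    injected = [m for m in mods if prefix and m[0].lower().startswith(prefix)]
    return {"hidden_total": len(hidden), "prefix": prefix, "family_files": family,
            "hidden_drivers": drivers, "injected_modules": injected,
            "verdict": "kernel rootkit indicators" if drivers and injected else "review manually"}
```

A hidden driver plus a same-family module hidden in a system process is the combination the next reply treats as a kernel-mode rootkit; a lone invisible file without that correlation is left for manual review.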

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:02 AM

Posted 19 September 2009 - 11:20 AM

IMPORTANT NOTE: One or more of the identified infections is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Due to a few new nasty rootkit variants we are no longer allowed to remove rootkits in this forum. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

regards, Elise




#5 antonior

antonior
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 28 September 2009 - 06:14 AM

Have started doing the steps but couldn't finish :thumbsup: Have posted, though, about the problem I had doing it.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:02 AM

Posted 28 September 2009 - 06:33 AM

Hi there, I saw the topic.

Please try the following steps to generate a log to post in the topic you have created in the HJT forum. DO NOT POST IT HERE; INSTEAD POST IT IN THE TOPIC YOU HAVE IN THE HJT FORUM!!!!!!

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in the topic you created in the HJT forum:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Edited by elise025, 28 September 2009 - 06:34 AM.

regards, Elise

