
My PC is/was infected by Windows Police Pro...


  • Please log in to reply
6 replies to this topic

#1 Bent 00 (Members, 21 posts)

Posted 13 September 2009 - 09:31 AM

Hello... This is my first post here at bleepingcomputer, and I honestly don't know much about this site, but I've usually been able to find a solution for most PC infections by reading posts from here via Google.

Now, however, I've got a newer PC virus/malware, and I don't know what to do with it! I was just on some gaming websites when my computer revved up, so I checked task manager, and saw two processes trying to run: "a.exe" and "b.exe." I ended both of them, but soon after that "Windows Police Pro" popped up. I knew what kind of malware it was, so I ended it in task manager and deleted its folder which had popped up in my C:/program files.

Those two processes kept coming back, though... I tried to run Malwarebytes, but it did not, and still will not work, even though I've reinstalled it several times. I even tried running the Fixexe.reg program, but it didn't seem to help. I can't even get Malwarebytes to start up unless I reinstall it, and then it only gets about four seconds into a scan before it closes abruptly. I ran "AdAware 2008" successfully, but it only picked up four things... I downloaded "Avast," and it did a long start-up scan, apparently getting rid of several of the infected files --- lots of filenames with "SKYNET" in them --- there was one .dll I "moved to chest" and one file I could do nothing but "ignore..." Now, Avast is installed, but fails to start up when I click on it. Ah, I also tried "PC Tools Spyware Doctor," but all it did was run a scan and ask for me to pay $30.00 for it to remove the malware. "Forget that," I said, and uninstalled it. I did look for the files it referenced in my C drive, but they didn't show up...?

I also ran "regscrub XP" and "CCleaner," but they didn't seem to help much either. After all that, I figured I'd try a system restore, but there were no restore points to click on in the wizard... Strange, because there were plenty of them the last time I restored, and I don't recall changing the settings of that.

Basically, where I stand now is: Windows Police Pro seems to be mostly gone (or just hiding, I can't tell anymore), but none of my antivirus programs are working. When I click on Malwarebytes or Avast (which I really know nothing about), I just get errors.

Will someone please help me get my computer back to normal? I've got to go back to college very soon, and this is the only computer I own... I'm supposed to do something with "hijackthis," right? I don't know what that is either...

Thanks in advance for any help! I'm keeping my PC running in safe mode for now... (is that necessary?)

- Bent 00, newb

Edited by The weatherman, 13 September 2009 - 09:39 AM.
Moved from HJT to a more appropriate forum. Tw



#2 garmanma (Computer Masochist; Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 13 September 2009 - 09:47 AM

Welcome to BC

You need to run one or both of these two scans, and you can then post in the HJT forum:

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
------------------------------

1. Download Win32kDiag from any of the following locations and save it to your Desktop

http://ad13.geekstogo.com/Win32kDiag.exe

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
Mark

#3 Bent 00 (Topic Starter; Members, 21 posts)

Posted 13 September 2009 - 10:04 AM

RootRepeal.exe isn't working for me... It worked a little when I first tried it, but it closed mid-scan, and now I "cannot access" it because I "may not have sufficient privileges" to run it again, even though I logged on as the admin in safe mode.

Here's the Win32kDiag.exe report:

---

Running from: C:\Documents and Settings\Administrator.BEN\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator.BEN\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25.tmp\ZAP25.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP26.tmp\ZAP26.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27.tmp\ZAP27.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28.tmp\ZAP28.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29.tmp\ZAP29.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A.tmp\ZAP2A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B.tmp\ZAP2B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C.tmp\ZAP2C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP383.tmp\ZAP383.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP464.tmp\ZAP464.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP92.tmp\ZAP92.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP98.tmp\ZAP98.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\ASM\ASM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3ea50177a2be10fb0bceff8dd2031cad\3ea50177a2be10fb0bceff8dd2031cad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b44f92d024501badbb4a82ee6d9a4a42\b44f92d024501badbb4a82ee6d9a4a42

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee\McAfee Shared Components\Centralv3\Centralv3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView\SampleView

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Symantec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 15:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 15:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 15:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^



Finished!

---

Does that help?

Edit: Thanks for your help so far --- but, well, I'm sitting here waiting for a response, and my computer is humming nonstop... I hate to rush anyone, but I've been up for nearly 24 hours and my computer might not be able to handle the strain for much longer... Does working in safe mode cause it to run so much?

Anyhow, just saying that the quicker the responses, the better. I'll respond practically immediately.

One more thing: Neither AdAware nor Spybot S&D works anymore. It's like something realized I was using them and disabled them...

Edit 2: I was poking around the most recent files in my C drive, and I found this RootRepeal report. I guess it did finish after all? Anyhow, I found the suspicious file at the bottom (C:\WINDOWS\system32\drivers\SKYNETwksponib.sys) and put it in the Recycle Bin.

... Should I be poking around, or waiting for your response before I do anything else?

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/13 10:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7D2B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A6A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF78A3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7E26000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF82C6000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: SKYNETfwbwuypd
Image Path: C:\WINDOWS\system32\drivers\SKYNETwksponib.sys

==EOF==

Edit 3: I tried changing the name of a newly-installed Malwarebytes (to "zztoy"), and that let me start the program from the system folder, but it still closed out five seconds into the scan...

Edit 4: Hello...? Is anyone here? I've been waiting an hour and a half for a response... I'd really like to get my computer fixed ASAP.

Edited by Bent 00, 13 September 2009 - 11:36 AM.
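The Win32kDiag and RootRepeal logs pasted above are what a helper reads by eye: dozens of ordinary Windows directories all reported as mount points to the same odd destination, a copy of eventlog.dll with blank version information and a different size from the dllcache copy, a driver whose image path ends in an alternate data stream (win32k.sys:1), and an entry under Hidden Services. The Python below is an added example, not a script from this thread, from BleepingComputer, or from the authors of either tool; it parses short constructed excerpts in the two log layouts and flags exactly those patterns. The line formats, regular expressions and triage rules (including the assumption that a normal NTFS volume mount point resolves to \??\Volume{GUID}\) are inferred from the logs as pasted, not from documented tool behaviour.

```python
"""Triage helper for Win32kDiag- and RootRepeal-style logs (added example). Line
formats, regexes and rules are assumptions modelled on the thread's logs."""
import re
from collections import defaultdict

# Constructed Win32kDiag-style excerpt; the \??\Volume{...} line is a benign mount point for contrast.
WIN32KDIAG_SAMPLE = r"""Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\MountPoints\Data
Mount point destination : \??\Volume{0a1b2c3d-0000-0000-0000-000000000001}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 15:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 15:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
"""
# Constructed RootRepeal-style excerpt (shortened).
ROOTREPEAL_SAMPLE = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1

Hidden Services
-------------------
Service Name: SKYNETfwbwuypd
Image Path: C:\WINDOWS\system32\drivers\SKYNETwksponib.sys

==EOF==
"""
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
FILE_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")  # [n] date time size path (company)
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]+\}\\?$")  # assumed shape of a normal volume mount point

def parse_win32kdiag(text):
    mounts, inaccessible, files, pending = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := CANNOT_RE.match(line):
            inaccessible.append(m.group(1))
        elif m := FILE_RE.match(line):
            size, path, company = m.groups()
            files.append({"size": int(size), "path": path, "company": company})
    return {"mounts": mounts, "inaccessible": inaccessible, "files": files}

def triage_win32kdiag(parsed):
    """Apply the checks a helper applies by eye; return alert strings."""
    alerts, by_dest, by_name = [], defaultdict(list), defaultdict(list)
    for src, dest in parsed["mounts"]:
        by_dest[dest].append(src)
    for dest, srcs in by_dest.items():  # many directories -> one non-volume target
        if not VOLUME_RE.match(dest):
            alerts.append(f"{len(srcs)} directories redirected to non-volume target {dest}")
    for f in parsed["files"]:
        by_name[f["path"].rsplit("\\", 1)[-1].lower()].append(f)
    for name, copies in by_name.items():  # blank version info and a size unlike its siblings
        if len({c["size"] for c in copies}) > 1:
            alerts += [f"{c['path']} has blank version info and an odd size for {name}" for c in copies if not c["company"]]
    alerts += [f"scanner could not open {p}" for p in parsed["inaccessible"]]
    return alerts

def parse_rootrepeal(text):
    entries, entry, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
        elif line.startswith(("-", "=")):
            continue  # separator or ==EOF==
        elif ":" not in line:
            section = line  # heading such as Drivers / Hidden Services
        else:
            key, _, value = line.partition(":")
            entry.setdefault("section", section)
            entry[key.strip()] = value.strip()
    return entries + ([entry] if entry else [])

def triage_rootrepeal(entries):
    alerts = []
    for e in entries:
        path = e.get("Image Path", "")
        if e["section"] == "Drivers" and re.search(r"\.sys:\S+$", path, re.I):
            alerts.append(f"driver image path is an alternate data stream: {path}")
        elif e["section"] == "Hidden Services":
            alerts.append(f"hidden service {e.get('Service Name', '?')} -> {path}")
    return alerts

if __name__ == "__main__":
    for a in triage_win32kdiag(parse_win32kdiag(WIN32KDIAG_SAMPLE)) + triage_rootrepeal(parse_rootrepeal(ROOTREPEAL_SAMPLE)):
        print("ALERT:", a)
```

Run against the constructed samples it prints five alerts: the two redirected directories sharing one non-volume destination, the system32 eventlog.dll with blank version info, the file the scanner could not open, the driver loaded from win32k.sys:1, and the hidden SKYNET service. The constructed benign \??\Volume{...} entry produces nothing, which is the point of the volume-shape check: a mount point is only interesting when its target is not a normal volume.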


#4 Blade (Strong in the Bleepforce; Site Admin, 12,704 posts; US)

Posted 13 September 2009 - 12:21 PM

Hello.

I was poking around the most recent files in my C drive, and I found this RootRepeal report. I guess it did finish after all? Anyhow, I found the suspicious file at the bottom (C:\WINDOWS\system32\drivers\SKYNETwksponib.sys) and put it in the Recycle Bin.


You need to return that file to its original location. While it is a bad file, if it isn't dealt with correctly it could cause you some serious problems (for example, your computer no longer starting).


I've been waiting an hour and a half for a response... I'd really like to get my computer fixed ASAP.

An hour and a half is not a very long wait at all. Please remember that all the helpers here are volunteers whose only motivation to post here is their desire to help those plagued with malware. We are few in number, we all have lives and responsibilities outside of BleepingComputer, and we receive hundreds of requests for help every day.

That being said, I'll gladly point you in the direction of your next step. Unfortunately it's going to involve a lot of waiting.

***************************************************

You have an active rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

Due to the nature of this infection it is likely that you will be unable to run traditional scanning utilities or run a full scan with RootRepeal as directed in the Preparation Guide linked above. If this is the case, you should still create your new thread in the HJT forum, but instead of DDS and full RootRepeal logs you should post your partial RootRepeal log (the one you posted), as well as the log generated by Win32kDiag.

Sorry we couldn't do more for you here; they'll be able to help in HJT.

Please note that once you have created your topic in HJT, do not "bump" or reply to it! This will cause you to be moved back down the waiting list, as cases are typically handled on a first come, first served basis. You should expect to wait approximately 12-14 days for a reply. As I mentioned earlier, the sheer number of requests for help creates a huge backlog that takes the HJT Team a while to work through. Rest assured though that once a team member reaches your case, you will be getting assistance from one of the best malware removal teams on the Internet. For free.

If you have any questions before creating your new topic, feel free to ask. :thumbsup:

~Blade



#5 Bent 00 (Topic Starter; Members, 21 posts)

Posted 13 September 2009 - 01:40 PM

You need to return that file to its original location. While it is a bad file, if it isn't dealt with correctly it could cause you some serious problems (for example, your computer no longer starting).

Okay, I restored "SKYNETwksponib.sys" to where I found it. Should I restore these files I recycled as well? I thought they were suspicious mainly because their "last modified" date coincided with the time I got the malware.

CONFIG.NT - NT File - 4 KB
FNTCACHE - DAT File - 284 KB
nvapps - XML Document - 20 KB
SKYNETjwsfoews.dll - 20 KB
SKYNETkcfxjpvx - DAT File - 108 KB
SKYNETrmpxgflo - DAT File - 4 KB
wba.dbl - DBL File - 4 KB

An hour and a half is not a very long wait at all. Please remember that all the helpers here are volunteers whose only motivation to post here is their desire to help those plagued with malware. We are few in number, we all have lives and responsibilities outside of BleepingComputer, and we receive hundreds of requests for help every day.

That being said, I'll gladly point you in the direction of your next step. Unfortunately it's going to involve a lot of waiting.


Ah, I'm sorry --- the forums I'm used to aren't nearly this busy. I don't mind waiting... As long as there's a good chance I can clear this malware off my computer. How bad is it at this point...?

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

Okay, I posted the new topic at this address:

http://www.bleepingcomputer.com/forums/t/257373/help-me-remove-a-rootkit-leftover-from-a-windows-police-pro-infection/

If you have any questions before creating your new topic, feel free to ask.

Just two more little questions --- I also posted these in the new thread, but the sooner I get 'em answered, the better:

Should I keep booting my computer into safe mode until this is all settled? And is it normal for my computer to be making so much noise like it is now? Does safe mode cause that?

#6 Blade (Strong in the Bleepforce; Site Admin, 12,704 posts; US)

Posted 13 September 2009 - 02:10 PM

Ah, I'm sorry --- the forums I'm used to aren't nearly this busy. I don't mind waiting... As long as there's a good chance I can clear this malware off my computer. How bad is it at this point...?


That's okay. :thumbsup: While it's too soon to know for sure, I would say that this infection should be removable for the most part. To keep you aware though, here's some information regarding some of the qualities of the infection on your machine.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: This machine can still be cleaned, but we can't guarantee that it will be 100% secure. The only way to do that is to wipe the drive and reinstall the OS.

***************************************************

Should I restore these files I recycled as well? I thought they were suspicious mainly because their "last modified" date coincided with the time I got the malware.

CONFIG.NT - NT File - 4 KB
FNTCACHE - DAT File - 284 KB
nvapps - XML Document - 20 KB
SKYNETjwsfoews.dll - 20 KB
SKYNETkcfxjpvx - DAT File - 108 KB
SKYNETrmpxgflo - DAT File - 4 KB
wba.dbl - DBL File - 4 KB


Yes. The malware will be easiest to remove if it remains untouched until a HJT Team member gets a look at it.

***************************************************

Should I keep booting my computer into safe mode until this is all settled? And is it normal for my computer to be making so much noise like it is now? Does safe mode cause that?


If it's possible, I would refrain from using the infected computer as much as possible. Use another computer to access the internet. If you don't own one, many public libraries and universities offer Internet-capable computers for public use. If you have to use the infected computer, you should remain in Normal Mode if possible. Ironically, you're safer in Normal Mode than you are in Safe Mode with Networking.

As far as the noise goes, it's not caused by Safe Mode. It could be caused by a number of different things, but is likely due to your computer having to work much harder than normal because of the strain the malware puts on the system.

~Blade



#7 garmanma (Computer Masochist; Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 13 September 2009 - 05:57 PM

Thank you Blade
Mark