
Rootkit left over after Windows Police Pro Infection


  • This topic is locked
30 replies to this topic

#1 Jon C.

  • Members
  • 19 posts

Posted 19 September 2009 - 08:23 PM

Hello.
I was directed here from the virus and malware removal forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/256671/no-desktop-after-windows-police-pro-infection/ ~ OB

It seems I have a nasty rootkit infection left over after an infection of Windows Police Pro on a Windows XP machine. I think I got rid of the virus, but lots of damage remains... My desktop is missing, and no icons appear upon login. I can get Task Manager up and run limited programs from there, including regedit. Most removal tools are killed in their tracks before they get very far. I was able to obtain the following Win32kDiag and RootRepeal logs, but if I try anything that scans files, it is killed off. I am somewhat computer literate, and I can at least follow directions, so I ask for any help you guys can provide!

OK I got Root Repeal to scan everything except files, and Win32diag ran OK. Here are the logs:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 16:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA99B6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CB9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7DA1000 Size: 2560 File Visible: No Signed: -
Status: -

Name: PCI_HAL
Image Path: \Driver\PCI_HAL
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: tatertot.com.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.com.sys
Address: 0xA8CAD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7A3F000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA9A1E000 Size: 61440 File Visible: No Signed: -
Status: -

==EOF==

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 16:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UACfa9e.tmpqqykut.dll]
Process: svchost.exe (PID: 960) Address: 0x009a0000 Size: 217088

Object: Hidden Module [Name: UACwoxktarvyq.dll]
Process: svchost.exe (PID: 960) Address: 0x00bf0000 Size: 65536

Object: Hidden Module [Name: rotscxfcmetepx.dll]
Process: svchost.exe (PID: 960) Address: 0x10000000 Size: 53248

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86e66c78 Size: 905

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86e64350 Size: 2051

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8721dcb0 Size: 448

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8721dc38 Size: 568

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8721dbc0 Size: 688

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8721fe00 Size: 455

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8721fd88 Size: 575

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8721fd10 Size: 695

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8721fc98 Size: 815

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8721fc20 Size: 935

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8721fba8 Size: 1055

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87221b20 Size: 1249

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87221aa8 Size: 1369

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87221a30 Size: 1489

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x872219b8 Size: 1609

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87221940 Size: 1729

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x872218c8 Size: 1849

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87221850 Size: 1969

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x872217d8 Size: 2089

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87221760 Size: 2213

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x872d1020 Size: 1661

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x872d1438 Size: 613

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x872d13c0 Size: 733

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x872d1348 Size: 853

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x872d12d0 Size: 973

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x872d1258 Size: 1093

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x872d11e0 Size: 1213

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x872d1168 Size: 1333

Hidden Services
-------------------
Service Name: rotscxjnkxyqxo
Image Path: C:\WINDOWS\system32\drivers\rotscxvnsswemr.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxgkucvghsu.sys

==EOF==

Running from: D:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Lab\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10C.tmp\ZAP10C.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BE.tmp\ZAP2BE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 06:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 05:23:07 1033216 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:49 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\InCD\InCD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Internet Logs\Internet Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8c6322a455d51e8a1346db4713089043\8c6322a455d51e8a1346db4713089043
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9de5dbc7caed13f6a2349c5fdc61cdb6\9de5dbc7caed13f6a2349c5fdc61cdb6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a2850ba2c561d0bfb4e8c8fd3f9bf263\a2850ba2c561d0bfb4e8c8fd3f9bf263
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\d346b7396358ac7bd3dcc0e62b35367d
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Start Menu\Programs\Family Tree Maker\Family Tree Maker
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Adobe\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1003\S-1-5-21-515967899-1383384898-839522115-1003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1005\S-1-5-21-515967899-1383384898-839522115-1005
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\8L5YR75Y\8L5YR75Y
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\gadcom\gadcom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\5BKVGM57\5BKVGM57
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Macromed\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ѕуstem\ѕуstem
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Тasks\Тasks
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\TGFi\TGFi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Finished!

Edited by Orange Blossom, 20 September 2009 - 10:44 PM.
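A helper normally reads the two logs above by eye. The Python script below is an added example (it is not part of the original post, and neither RootRepeal nor Win32kDiag ships anything like it) that pulls the same indicators out programmatically: drivers RootRepeal lists as not file-visible, driver images whose name is an NTFS alternate data stream (win32k.sys:1), hidden-code hooks counted per driver, hidden services, Win32kDiag mount points whose destination is a raw \Device\ object path rather than a \??\ volume path, mount-point names containing non-ASCII characters (compare the ѕуstem and Тasks entries under system32 above), and inaccessible system files whose in-use copy carries no publisher while backup copies of the same file do. The embedded log excerpts are constructed from lines posted above; the heuristics and the function names are this example's own assumptions.

```python
"""Triage helper for RootRepeal and Win32kDiag logs.  Example added to this thread,
not part of either tool; every heuristic and name here is an assumption."""
import re
from collections import Counter

# Constructed excerpt: lines copied from the RootRepeal log posted above.
ROOTREPEAL_LOG = r"""
Name: mchInjDrv.sys
Address: 0xF7DA1000 Size: 2560 File Visible: No Signed: -
Name: win32k.sys:1
Address: 0xF7A3F000 Size: 20480 File Visible: No Signed: -
Object: Hidden Module [Name: UACwoxktarvyq.dll]
Process: svchost.exe (PID: 960) Address: 0x00bf0000 Size: 65536
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86e66c78 Size: 905
Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8721dbc0 Size: 688
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxgkucvghsu.sys
"""

# Constructed excerpt: lines copied from the Win32kDiag log posted above.
WIN32KDIAG_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 06:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
Found mount point : C:\WINDOWS\system32\Тasks\Тasks
Mount point destination : \Device\__max++>\^
"""

HOOK_RE = re.compile(r"Object: Hidden Code \[Driver: (\w+), (IRP_MJ_\w+)\]")
MODULE_RE = re.compile(r"Object: Hidden Module \[Name: (.+)\]")
COPY_RE = re.compile(r"\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")


def parse_rootrepeal(text):
    """Collect driver, IRP-hook, hidden-module and hidden-service indicators."""
    out = {"hidden_drivers": [], "ads_drivers": [], "irp_hooks": Counter(),
           "hidden_modules": [], "hidden_services": []}
    name = None
    for line in (l.strip() for l in text.splitlines()):
        hook, module = HOOK_RE.match(line), MODULE_RE.match(line)
        if line.startswith("Name: "):
            name = line[len("Name: "):]
            if ":" in name:                      # image is an NTFS alternate data stream
                out["ads_drivers"].append(name)
        elif line.startswith("Address:") and "File Visible: No" in line and name:
            out["hidden_drivers"].append(name)   # loaded driver whose file is hidden
        elif hook:
            out["irp_hooks"][hook.group(1)] += 1  # one hooked dispatch entry per line
        elif module:
            out["hidden_modules"].append(module.group(1))
        elif line.startswith("Service Name: "):
            out["hidden_services"].append(line[len("Service Name: "):])
    return out


def assess_copies(entry):
    """Flag a file whose in-use copy has no publisher while other copies do."""
    path = entry["file"].lower()
    live = [c for c in entry["copies"] if c[1].lower() == path]
    refs = sorted({c[0] for c in entry["copies"] if c[2] and c[1].lower() != path})
    if not live or live[0][2] or not refs:
        return None
    return {"file": entry["file"], "live_size": live[0][0],
            "reference_sizes": refs, "size_matches_reference": live[0][0] in refs}


def parse_win32kdiag(text):
    """Flag device-object reparse targets, non-ASCII names and unpublished in-use files."""
    out = {"device_mount_points": [], "non_ascii_mount_points": [], "files": []}
    mount = current = None
    for line in (l.strip() for l in text.splitlines()):
        copy = COPY_RE.match(line)
        if line.startswith("Found mount point : "):
            mount, current = line[len("Found mount point : "):], None
            if not mount.isascii():              # e.g. Cyrillic letters in a system32 name
                out["non_ascii_mount_points"].append(mount)
        elif line.startswith("Mount point destination : ") and mount:
            dest = line[len("Mount point destination : "):]
            if not dest.startswith("\\??\\"):    # genuine junctions resolve to \??\<volume>
                out["device_mount_points"].append((mount, dest))
            mount = None
        elif line.startswith("Cannot access: "):
            current = {"file": line[len("Cannot access: "):], "copies": []}
            out["files"].append(current)
        elif copy and current:
            current["copies"].append((int(copy.group(1)), copy.group(2), copy.group(3)))
    out["unattributed_files"] = [a for a in map(assess_copies, out.pop("files")) if a]
    return out


if __name__ == "__main__":
    report = {**parse_rootrepeal(ROOTREPEAL_LOG), **parse_win32kdiag(WIN32KDIAG_LOG)}
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on the analyst's own machine against logs copied off the infected host (Python was not available on this XP box, and the poster could not run scanners on it anyway). Every flag is an indicator for a human to confirm, not a verdict: a \Device\ mount-point destination, a non-ASCII directory name under system32, or an in-use explorer.exe with no publisher where the ServicePackFiles copy of the same size has one each warrant a closer look at the file, but the script itself changes nothing on the system.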


#2 Blade

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 06 October 2009 - 08:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

#3 Jon C.

  • Topic Starter

  • Members
  • 19 posts

Posted 06 October 2009 - 07:13 PM

Thank you so much for getting back to me. I was getting ready to format and start from scratch, but I don't want to lose some things that are on the computer. Just to recap, I got a virus, Windows Police Pro, and it took almost total control of my computer. I am able to at least bring up Task Manager and run some items from there, but I have no access to the desktop. I can also bring up Registry Editor from Task Manager. I deleted directories and removed items in the registry that I found that were related to Windows Police Pro, but that is as far as I could get. It seems to be root-kitted; I see "b.exe" and "svchast" and other things running that should not be, so I don't even think I got rid of all of Police Pro. Of course most items that I try to run are killed immediately, especially anti-virus programs.

I tried dds.scr as instructed, but it get killed before it even starts up good. Note that the way that I am running items now is by copying them from another computer onto a network share, and then running them from task manager.

Please let me know if you have further suggestions, and thanks again !

Jon

#4 Blade

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 07 October 2009 - 06:19 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade


#5 Jon C.

  • Topic Starter

  • Members
  • 19 posts

Posted 07 October 2009 - 08:40 PM

Got it !
Immediate notification set...

#6 Blade

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 08 October 2009 - 02:07 AM

Hello again.

This machine is seriously infected.

If you can't get internet access on the infected computer, transfer the file from one that you can. Then follow the rest of the instructions below.
  • Download Win32kDiag from any of the following locations and save it to your Desktop. <-- It must be saved to your desktop!!!
  • Run this command from the Command Prompt
    • Click on Start then Run
    • Type cmd in to the area to the right of Open:
    • Click OK
    • In the Command Prompt window that opens, copy and paste the Bold text below (quotation marks included):
      • "%userprofile%\desktop\win32kdiag.exe" -f -r
  • Press the Enter key on your keyboard.
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Double click on renamed.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt in your next reply so we can continue cleaning the system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
Win32kDiag.txt
ComboFix log


#7 Jon C.

  • Topic Starter

  • Members
  • 19 posts

Posted 08 October 2009 - 09:11 PM

OK, that was a pretty bumpy ride ! Here is what happened:
1. I ran Win32kDiag (log below)
2. I ran Combofix as renamed.exe and then it got interesting...

It started OK, but after a couple of minutes a dialog box appeared that said Combofix has detected rootkit activity and needs to reboot the machine. I clicked on O.K.

After the reboot and log-on, I got a notice from Windows that "Files required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Professional CD now"

I did nothing, as ComboFix had restarted. I saw an error in the ComboFix window, "grep is not recognized as an internal or external command, operable program, or batch file."

After another couple of minutes, the taskbar and desktop came up! I haven't seen them in a long time... BUT THEN

A new program came up that I had never seen before "Security Tool" It did a scan, trying to look like legit antivirus software. It looks a lot like "Windows Police Pro" that I have seen before...

A warning came up "The installation has been damaged. Please reinstall the product. (105)" I believe this came from my legit virus software, Webroot Antivirus.

The desktop went away... I looked for Combofix.txt while I still could, but I was unable to locate it in C:/ , in the desktop directory, or anywhere else. "Security Tool" keeps saying that some trojan is stealing my credit card numbers using a keylogger in xxxx file.

The taskbar went away... Task manager went away... Now only "Security Tool" is on the screen and nothing else.

Task manager no longer works. I get a very quick message if I try to invoke it. "Task manager has been disabled by your administrator."

A nasty virus indeed... I may be toast now, but let me know what you think !


Running from: C:\Documents and Settings\Lab\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Lab\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10C.tmp\ZAP10C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10C.tmp\ZAP10C.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BE.tmp\ZAP2BE.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BE.tmp\ZAP2BE.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\InCD\InCD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\InCD\InCD

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Internet Logs\Internet Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Internet Logs\Internet Logs

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8c6322a455d51e8a1346db4713089043\8c6322a455d51e8a1346db4713089043

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\8c6322a455d51e8a1346db4713089043\8c6322a455d51e8a1346db4713089043

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9de5dbc7caed13f6a2349c5fdc61cdb6\9de5dbc7caed13f6a2349c5fdc61cdb6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9de5dbc7caed13f6a2349c5fdc61cdb6\9de5dbc7caed13f6a2349c5fdc61cdb6

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a2850ba2c561d0bfb4e8c8fd3f9bf263\a2850ba2c561d0bfb4e8c8fd3f9bf263

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\a2850ba2c561d0bfb4e8c8fd3f9bf263\a2850ba2c561d0bfb4e8c8fd3f9bf263

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\d346b7396358ac7bd3dcc0e62b35367d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\d346b7396358ac7bd3dcc0e62b35367d

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Start Menu\Programs\Family Tree Maker\Family Tree Maker

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Start Menu\Programs\Family Tree Maker\Family Tree Maker

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Adobe\update\update

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1003\S-1-5-21-515967899-1383384898-839522115-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1003\S-1-5-21-515967899-1383384898-839522115-1003

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1005\S-1-5-21-515967899-1383384898-839522115-1005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1383384898-839522115-1005\S-1-5-21-515967899-1383384898-839522115-1005

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\8L5YR75Y\8L5YR75Y

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\8L5YR75Y\8L5YR75Y

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\gadcom\gadcom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\gadcom\gadcom

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\5BKVGM57\5BKVGM57

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\5BKVGM57\5BKVGM57

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\Last Active

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\Last Active

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\system32\ѕуstem\ѕуstem

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ѕуstem\ѕуstem

Found mount point : C:\WINDOWS\system32\Тasks\Тasks

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Тasks\Тasks

Found mount point : C:\WINDOWS\Temp\7zS1.tmp\7zS1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\7zS1.tmp\7zS1.tmp

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP

Found mount point : C:\WINDOWS\TGFi\TGFi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TGFi\TGFi

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!
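Added example for readers following the log above (it is not code from this thread, from Win32kDiag or from ComboFix): a small Python parser that reads Win32kDiag-style output and flags the two things a responder looks for in it, directory junctions whose reparse target is not a normal volume device object, and a system32 file whose size or version-info company name no longer matches the protected copy in dllcache. The regular expressions assume the line layout shown in the log, and the sample lines are a constructed excerpt.

```python
import re

# Constructed excerpt in the layout of the Win32kDiag output posted above.
SAMPLE_LINES = [
    r"Found mount point : C:\WINDOWS\addins\addins",
    r"Mount point destination : \Device\__max++>\^",
    r"Removing mount point : C:\WINDOWS\addins\addins",
    r"Found mount point : C:\Data\Archive",
    r"Mount point destination : \Device\HarddiskVolume2\Archive",
    r"Cannot access: C:\WINDOWS\system32\eventlog.dll",
    r"Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll",
    r"[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)",
    r"[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()",
    r"[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)",
]

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
# "[n] <date> <time> <size> <path> (<company>)" is how the log lists file details.
FILE_RE = re.compile(r"^\[\d+\] \S+ \S+ (?P<size>\d+) (?P<path>.+?) \((?P<company>.*)\)$")
# A junction created by normal software resolves to a HarddiskVolume device object.
VOLUME_DEST = re.compile(r"^\\Device\\HarddiskVolume\d+\\", re.IGNORECASE)


def suspicious_junctions(lines):
    """Return (path, destination) pairs whose reparse target is not a volume."""
    findings = []
    pending = None
    for line in lines:
        line = line.rstrip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            dest = m.group("dest")
            if not VOLUME_DEST.match(dest):
                findings.append((pending, dest))
            pending = None
    return findings


def mismatched_system_files(lines):
    """Compare each listed system32 file with its dllcache copy by size and company."""
    entries = {}  # lower-cased path -> (original path, size, company)
    for line in lines:
        m = FILE_RE.match(line.rstrip())
        if m:
            entries[m.group("path").lower()] = (
                m.group("path"), int(m.group("size")), m.group("company"))
    findings = []
    for key, (path, size, company) in entries.items():
        if "\\dllcache\\" in key:
            continue  # the protected copy is the reference, not a subject
        cache_key = key.replace("\\system32\\", "\\system32\\dllcache\\", 1)
        reasons = []
        if not company.strip():
            reasons.append("version info shows no company name")
        if cache_key in entries and entries[cache_key][1] != size:
            reasons.append(
                f"size {size} differs from dllcache copy ({entries[cache_key][1]} bytes)")
        if reasons:
            findings.append((path, reasons))
    return findings


def scan(lines):
    """Run both checks over a log and return them as one report."""
    return {"junctions": suspicious_junctions(lines),
            "files": mismatched_system_files(lines)}


if __name__ == "__main__":
    report = scan(SAMPLE_LINES)
    for path, dest in report["junctions"]:
        print(f"junction {path} -> {dest}")
    for path, reasons in report["files"]:
        print(f"{path}: {'; '.join(reasons)}")
```

Run against the full log above, the junction check reports every `\Device\__max++>\^` entry, and the file check singles out C:\WINDOWS\system32\eventlog.dll, which is the file the later replies tell the poster to disable and restore from dllcache.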

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:10 AM

Posted 09 October 2009 - 07:19 PM

Hello again.

It appears that this infection is being stubborn. Let's try a different approach.

Reboot your computer in "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Make sure you choose the option without networking support.

Go to Start>Run. Type the following bolded text exactly as given into the Run box and hit enter.
sc config eventlog start= disabled
After that reboot your computer back into Normal Mode.

***************************************************

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • First unzip. If it is extracted/unzipped to a folder, open the folder and put junction.exe inside it on the desktop. Make sure the file itself is on the desktop.
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
~Blade


In your next reply, please include the following:
Log from Junction.exe


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 Jon C.

Jon C.
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 09 October 2009 - 09:43 PM

OK,
I do not have access to the start button, even in safe mode, so I could not follow the direction exactly... I do have access to task manager from the administrator account in safe mode however. Using task manager > run > cmd I was able to execute the command to disable the event log, but upon a reboot to normal mode I log in as a different user (with administrator privs). However I run into the problem that task manager is disabled for that account by the malware, and I cannot run junction.exe (or anything else). I just have a blank screen.

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:10 AM

Posted 10 October 2009 - 06:49 AM

Hello Jon C.
  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press Enter:
    • copy C:\WINDOWS\system32\dllcache\eventlog.dll C:\WINDOWS\system32\eventlog.dll
  • You will get a message asking if you want to overwrite a file. Push Y and hit "Enter" to proceed.
  • The command should then show 1 file(s) copied.
  • At the next prompt type the following bolded text, and press Enter:
    • exit
Windows will now begin loading. Do the desktop and taskbar appear now? Please report back letting me know if this worked, and then we'll proceed from there. :(

~Blade



#11 Jon C.

Jon C.
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 10 October 2009 - 08:16 PM

I did not have Recovery Console installed, so I booted from the XP CD instead to execute your instructions. I was able to do it, but now unfortunately the system gets to the point where it says "Windows is starting up" and reboots. It does this over and over. I guess it caused a startup problem ? Should I try "Last Known Good Configuration"?

Jon

#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:10 AM

Posted 11 October 2009 - 10:52 AM

Hello.

Yes, please try the Last Known Good Configuration option. If this works, STOP, and report back letting me know. If you are still unable to boot, proceed with the following instructions.

***************************************************
  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
At the command prompt, type the following bolded lines exactly as given. Press Enter between each line. Note: The Recovery Console may return responses for some of the lines. If a response is returned, please note both the returned text and the line which generated the return, and report it back to me here.
disable eventlog
del C:\WINDOWS\system32\eventlog.dll
disable rotscxjnkxyqxo
disable UACd.sys
exit

If there is an error when executing disable rotscxjnkxyqxo and disable UACd.sys tell us about it but exit the recovery console and reboot anyway.

Try to boot Windows normally now. If that fails, try booting in Safe Mode. If that fails as well, report back and let me know, and we'll work from there.

~Blade



#13 Jon C.

Jon C.
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 11 October 2009 - 09:27 PM

Hello,
Last known good did not work, so I followed the directions as outlined.
disable eventlog yielded the message "The registry entry for eventlog was found. The eventlog service is already disabled."

disable rotscxjnkxyqxo yielded the message "The registry for the rotscxjnkxyqxo service was found. The service currently has start_type SERVICE_SYSTEM_START Please record this value. The new start_type for this service has been set to SERVICE_DISABLED. The Computer must be restarted for the changes to take effect. Type EXIT if you want to restart the computer now."

disable UACd.sys yielded a similar message as above.

When Windows booted, CHKDSK ran and corrected 2 minor problems. The system then booted, and we are now back to where we were before. No desktop or start menu, taskmanager disabled. Safe mode is the same.

Thanks,
Jon

#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:10 AM

Posted 12 October 2009 - 04:25 PM

Hello.

Glad to hear we've got you booting again :(

In Normal Mode, are you able to launch Task Manager using Ctrl+Shift+Esc? If yes, please try the next step in Normal Mode. If no, please use Task Manager in the Admin profile of Safe Mode like you did earlier. If you are no longer able to access Task Manager in this way please let me know.

***************************************************

From the Task Manager, under File menu select New Task (Run ...) type in explorer and press Enter. This should cause your desktop and Taskbar to reappear. Let me know if this is successful.

~Blade



#15 Jon C.

Jon C.
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 13 October 2009 - 01:37 PM

Here are the results:
I am unable to access task manager in normal mode on any account, including administrator. (I tried administrator by logging in "classic mode".)
I still have access to task manager in administrator safe mode, but trying explorer gave me a large error box titled "Explorer", with the error message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Jon



