
Rootkit - WinXP [Moved]


This topic is locked
4 replies to this topic

#1 Pacs

  • Members
  • 11 posts

Posted 23 September 2009 - 05:54 AM

Hi! I'm new here and it looks like there are some very knowledgeable people here. I know this isn't the introduction thread, though. I volunteered to take a look at a co-worker's laptop when he said he was having a little trouble with it. I guess I didn't know what I was getting myself into. Willing to try whatever it takes to work with you guys, but a lot of features/menus on the infected PC are locked out or not available (Internet Explorer, System Restore tab, can't access Folder Options, etc.). Since IExplorer is not working on the infected machine I have been copying files to a removable drive between a clean PC and the infected one, scanning in between. Here is where I stand...


Went through the steps mentioned on this and also on other forums.

Got DDS on the infected machine and it opened but quickly closed itself out.

RootRepeal runs, but after it initializes I get "Error - invalid PE image found!". Ignoring the error and proceeding to scan on the first attempt led to a black screen/system lock-up. The second time the scan started and then the application closed by itself. Now when I try to run it I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item", which is the same message as IExplorer and a few other programs now.

ComboFix starts but encounters the "rootkit detected" and requests a machine reboot that just ends with the same prompt each time.

So far I haven't been able to pull any log files.
What next? Thanks.


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,949 posts
  • Location:Bloomington, IN

Posted 24 September 2009 - 08:08 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 25 September 2009 - 03:25 PM

USE THIS ONE

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

    --------------------------------------
Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
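Added example, not part of the thread and not garmanma's tool or Win32kDiag: the DIR /a/s command above lists every copy of scecli.dll, netlogon.dll and eventlog.dll under %windir% with their sizes and dates, so the helper can spot a copy that has been patched in place or planted somewhere it does not belong. The script below does the same enumeration offline, from a clean machine with the infected disk attached, which fits the poster's workflow of shuttling everything through a removable drive rather than running tools on a box that already blocks them. It assumes the Windows XP layout in which Windows File Protection keeps reference copies in %windir%\system32\dllcache, and it flags a DLL when the live system32 copy hashes differently from the cache copy or when an extra copy sits outside those two directories; that comparison logic and the constructed directory tree used as sample input are the example's own assumptions, not something the page states.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The DLLs the moderator's DIR command enumerates (lower-cased for matching).
WATCHED = ("scecli.dll", "netlogon.dll", "eventlog.dll")


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(windir: Path) -> dict:
    """Offline equivalent of DIR /a/s: record size and hash of every copy of
    each watched DLL anywhere under the (mounted) Windows directory."""
    found = {name: [] for name in WATCHED}
    for root, _dirs, files in os.walk(windir):
        for fn in files:
            if fn.lower() in WATCHED:
                p = Path(root) / fn
                found[fn.lower()].append(
                    {"path": p, "size": p.stat().st_size, "sha256": sha256_of(p)})
    return found


def compare_against_dllcache(windir: Path) -> list:
    """Return (dll name, reason) findings. Assumption for this example: the
    dllcache copy is the trusted reference, so a live system32 copy that
    hashes differently, or a copy outside system32/dllcache, is suspicious."""
    findings = []
    sys32 = windir / "system32"
    cache = sys32 / "dllcache"
    for name, entries in find_copies(windir).items():
        by_path = {e["path"]: e for e in entries}
        live = by_path.get(sys32 / name)
        ref = by_path.get(cache / name)
        if live is None:
            findings.append((name, "missing from system32"))
            continue
        if ref is not None and live["sha256"] != ref["sha256"]:
            findings.append((name, "system32 copy differs from dllcache copy "
                                   f"({live['size']} vs {ref['size']} bytes)"))
        for e in entries:
            if e["path"] not in (sys32 / name, cache / name):
                findings.append((name, f"unexpected copy at {e['path']}"))
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed sample tree, not files from any real machine: netlogon.dll
    in system32 is altered relative to its dllcache copy while keeping the
    same size, and a stray eventlog.dll sits in the Windows Temp directory."""
    windir = base / "WINDOWS"
    sys32 = windir / "system32"
    cache = sys32 / "dllcache"
    stray = windir / "Temp"
    for d in (sys32, cache, stray):
        d.mkdir(parents=True, exist_ok=True)
    clean = {
        "scecli.dll": b"MZ" + b"\x00" * 100,
        "netlogon.dll": b"MZ" + b"\x11" * 200,
        "eventlog.dll": b"MZ" + b"\x22" * 150,
    }
    for name, data in clean.items():
        (cache / name).write_bytes(data)
        (sys32 / name).write_bytes(data)
    # Simulate an in-place patch: identical size, different bytes at the tail.
    (sys32 / "netlogon.dll").write_bytes(b"MZ" + b"\x11" * 190 + b"\xCC" * 10)
    (stray / "eventlog.dll").write_bytes(clean["eventlog.dll"])
    return windir


def demo() -> list:
    """Build the constructed tree in a temp dir and run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        return compare_against_dllcache(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for dll, why in demo():
        print(f"{dll}: {why}")
```

The DIR listing the moderator asked for exposes size and date differences between copies; hashing additionally catches a patch that preserves the file size, which is what the constructed netlogon.dll case shows. Point `compare_against_dllcache` at the mounted drive's WINDOWS directory on a clean machine; do not run this on the infected system, where the poster reports that executables are already being blocked.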

#4 Pacs
  • Topic Starter

  • Members
  • 11 posts

Posted 28 September 2009 - 09:32 PM

Can close topic. Talked the owner into a reformat of the hard drive. I went ahead and zeroed it out. I would have liked to pursue this. I never worked with anything like a rootkit before. Any idea when the training program opens back up?

#5 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 29 September 2009 - 06:47 PM

Any idea when the training program opens back up?

There is no set time period. You just have to keep checking back
Mark
