
Activation request prevents Windows XP log-in


This topic is locked
18 replies to this topic

#1 calikris4u (Members, 12 posts)

Posted 13 October 2009 - 12:28 AM

My Compaq Presario laptop is running Windows XP, and recently when I booted and attempted to log in, a message popped up stating "This copy of Windows must be activated w/ Microsoft before you can log on. Do you want to activate now?" If I click no, I get the login screen again. After searching the internet for symptoms, it seems like an insidious version of the Kardphisher trojan.

Subsequent boots in normal mode show a "This copy of windows is not activated" message in the lower-right corner of the login screen. Booting in Safe Mode works, but the same message is displayed in the corner of the desktop. I tried booting in Safe Mode with Networking, and get the same error message as on a normal boot -- only plain Safe Mode will boot.

Neither DDS nor RootRepeal will run, even in Safe Mode, so garmanma (BC moderator) had me run Win32kDiag and a cmd prompt that produced a log.txt file...see logs below.

I can provide detail on how/when DDS and RootRepeal closed/failed, or list a variety of other virus-scan and recovery ploys I tried before running these logs, if the info will help. Otherwise, please let me know how to proceed!

Thanks,
Kristy

---------------------------------------
WIN32KDIAG LOG:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17F.tmp\ZAP17F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP304.tmp\ZAP304.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3.tmp\ZAPA3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA7.tmp\ZAPA7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2006-02-28 05:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\profiles\Kristy\Kristy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\RarSFX0\RarSFX0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\RarSFX1\RarSFX1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\TestEngDat64\TestEngDat64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Finished!

---------------------------------------
LOG.TXT

Volume in drive C has no label.
Volume Serial Number is 78B9-7F69

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 05:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 05:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 05:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 50,116,558,848 bytes free
---------------------------------------
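As an added example (not part of Kristy's post and not code from the Win32kDiag tool), here is a small Python parser for the log format shown above. It pulls out every "Found mount point"/"Mount point destination" pair and every "Cannot access" block with its "[n] date time size path (company)" lines, then applies two heuristics that are my assumptions rather than Win32kDiag's own logic: a mount point whose destination is not a `\??\` NT path, or whose directory name repeats its parent (`addins\addins`), is flagged; an inaccessible file whose own listing carries no company string, or whose size differs from every backup copy of the same name (the 61952-byte system32 eventlog.dll against the 56320-byte ServicePackFiles copy), is flagged. The embedded sample is a constructed excerpt of the log above plus one invented benign junction (`C:\WINDOWS\Legit`) for contrast.

```python
import re

# Constructed excerpt in the format of the Win32kDiag log posted above.  The
# max++ entry and the eventlog.dll block are copied from that log; the
# C:\WINDOWS\Legit mount point is an invented benign entry for contrast.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Legit

Mount point destination : \??\C:\Data\Legit

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
CANNOT_RE = re.compile(r"^Cannot access:\s*(.+?)\s*$")
# "[1] 2008-04-13 17:11:53 61952 C:\path\file.dll (Company)" -> time, size, path, company
COPY_RE = re.compile(r"^\[\d+\]\s+(\S+ \S+)\s+(\d+)\s+(.+?)\s+\((.*)\)\s*$")


def parse_win32kdiag(text):
    """Return (mount_points, inaccessible): a list of (path, destination)
    pairs and a dict mapping each 'Cannot access' path to its listed copies."""
    mount_points, inaccessible = [], {}
    pending_mount, current_file = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current_file = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current_file = m.group(1)
            inaccessible[current_file] = []
        elif (m := COPY_RE.match(line)) and current_file is not None:
            inaccessible[current_file].append({
                "timestamp": m.group(1), "size": int(m.group(2)),
                "path": m.group(3), "vendor": m.group(4)})
    return mount_points, inaccessible


def suspicious_mount_points(mount_points):
    """Heuristic (assumption): legitimate junctions point at \\??\\ paths and
    do not usually duplicate their parent's name."""
    findings = []
    for path, dest in mount_points:
        reasons = []
        if not dest.startswith("\\??\\"):
            reasons.append("destination is not a \\??\\ NT path")
        parts = path.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("directory name repeats its parent")
        if reasons:
            findings.append((path, dest, reasons))
    return findings


def suspicious_files(inaccessible):
    """Heuristic (assumption): compare the inaccessible file's own listing with
    the backup copies of the same file name that Win32kDiag printed beside it."""
    findings = []
    for path, copies in inaccessible.items():
        name = path.rsplit("\\", 1)[-1].lower()
        own = [c for c in copies if c["path"].lower() == path.lower()]
        refs = [c for c in copies if c["path"].lower() != path.lower()
                and c["path"].rsplit("\\", 1)[-1].lower() == name]
        reasons = []
        if not own:
            reasons.append("no listing for the inaccessible file itself")
        else:
            if not own[0]["vendor"]:
                reasons.append("no version/company information")
            ref_sizes = {c["size"] for c in refs}
            if ref_sizes and own[0]["size"] not in ref_sizes:
                reasons.append("size %d differs from backup copies %s"
                               % (own[0]["size"], sorted(ref_sizes)))
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    mounts, files = parse_win32kdiag(SAMPLE_LOG)
    for path, dest, why in suspicious_mount_points(mounts):
        print("MOUNT  %s -> %s  [%s]" % (path, dest, "; ".join(why)))
    for path, why in suspicious_files(files):
        print("FILE   %s  [%s]" % (path, "; ".join(why)))
```

Run against the full log above it reports every `\Device\__max++>\^` junction and the system32 eventlog.dll, and stays silent on the invented `\??\C:\Data\Legit` entry; ComboFix's later "Infected copy of c:\windows\system32\eventlog.dll was found and disinfected" line is the confirmation of what the size and company heuristics pointed at.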

#2 myrti (Sillyberry, Malware Study Hall Admin, 33,771 posts)

Posted 27 October 2009 - 12:23 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 calikris4u (Topic Starter)

Posted 27 October 2009 - 02:18 PM

I'm away from my laptop today and may not have time to run this tonight, but will post by tomorrow (Wed) night at the latest. Machine shouldn't have changed in any way since the logs I posted, as it's been unusable and sitting idle. Thanks, will post logs ASAP.

Kristy

#4 calikris4u (Topic Starter)

Posted 27 October 2009 - 11:22 PM

I downloaded OTL (on another machine and transferred to my laptop, running in Safe Mode, using a thumb drive) and opened/ran as instructed, but the program closed suddenly after scanning for a few seconds, and produced no reports.

Double-clicking the program icon again returned the error message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This is the same message that appeared after I tried to run DDS and RootRepeal before my first post.

What now?

#5 myrti (Sillyberry, Malware Study Hall Admin, 33,771 posts)

Posted 28 October 2009 - 08:47 AM

Hi,

Sorry, I overlooked the report from Win32kDiag. The malware is blocking OTL.

If you reconnect your flash-drive to your clean PC, make sure you keep your shift-key pressed while connecting, to make sure that the infection does not spread to your currently clean PC.

Afterwards please use Flash_Disinfector (on the clean PC) to vaccinate your flash drive against this kind of infection:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Afterwards please run the following on the infected PC:
Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Posted Image


Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Posted Image

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

regards _temp_

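The Flash_Disinfector note above relies on a simple property of the autorun mechanism: Windows of that era read a file named autorun.inf at the root of a removable drive and acted on its `[autorun]` launch entries, and a directory occupying that name keeps malware from dropping its own file there. As an added example (my code, not Flash_Disinfector's or sUBs'), the Python below classifies what sits at a drive root as absent, vaccinated (a directory) or a real autorun.inf, and for a real file lists the entries that would launch something: the `open` and `shellexecute` keys and any `shell\<verb>\command` key. The sample drives it builds in a temporary directory are constructed, and `setup_placeholder.exe` is a placeholder name, not a real artefact from this thread.

```python
import configparser
import os
import tempfile


def _is_launch_key(key):
    """Keys in [autorun] that make AutoRun/AutoPlay execute something."""
    k = key.lower()
    return k in ("open", "shellexecute") or (
        k.startswith("shell\\") and k.endswith("\\command"))


def inspect_autorun(drive_root):
    """Classify the autorun.inf entry at the root of drive_root.

    state: 'absent'     - nothing by that name
           'vaccinated' - a directory occupies the name (Flash_Disinfector trick)
           'file'       - a real autorun.inf; 'launch' holds its launch entries
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return {"state": "absent", "launch": {}}
    if os.path.isdir(path):
        return {"state": "vaccinated", "launch": {}}
    # autorun.inf is a plain INI file; be lenient about duplicates and bare keys
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep key case as written, normalise later
    launch = {}
    try:
        parser.read(path, encoding="latin-1")
        for section in parser.sections():
            if section.lower() != "autorun":
                continue
            for key, value in parser.items(section):
                if _is_launch_key(key):
                    launch[key.lower()] = (value or "").strip()
    except configparser.Error as exc:
        return {"state": "file", "launch": {}, "error": str(exc)}
    return {"state": "file", "launch": launch}


def demo():
    """Construct three drive roots in a temp dir and inspect each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        infected = os.path.join(tmp, "infected_drive")
        os.makedirs(infected)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            # constructed sample; the executable name is a placeholder
            fh.write("[autorun]\n"
                     "open=setup_placeholder.exe\n"
                     "icon=setup_placeholder.exe,0\n"
                     "shell\\explore\\command=setup_placeholder.exe\n")
        vaccinated = os.path.join(tmp, "vaccinated_drive")
        os.makedirs(os.path.join(vaccinated, "autorun.inf"))
        clean = os.path.join(tmp, "clean_drive")
        os.makedirs(clean)
        for label, root in (("infected", infected),
                            ("vaccinated", vaccinated),
                            ("clean", clean)):
            results[label] = inspect_autorun(root)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Point it at a real drive root (`inspect_autorun("E:\\")`) to see whether a stick carries a launch entry or a vaccination folder; `icon=` is deliberately not reported because it only changes the drive's icon.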


#6 calikris4u (Topic Starter)

Posted 29 October 2009 - 11:33 PM

Hi _temp_, here's the ComboFix log. I couldn't get McAfee totally shut down while in Safe Mode, so I had to run ComboFix despite that.

---------------------
ComboFix 09-10-27.08 - Administrator 10/29/2009 21:07.1.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.820 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\run.log
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-30 04:14 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-12 03:26 . 2009-10-12 03:32 34816 ----a-w- c:\windows\system32\drivers\tatertot.scr.sys
2009-10-12 03:25 . 2009-10-12 03:25 42552 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\windows\system32\drivers\NSS
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\program files\Norton Security Scan
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\program files\NortonInstaller
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-09 01:24 . 2009-10-09 01:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-04 18:38 . 2009-10-04 18:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 02:05 . 2009-09-24 23:23 0 ----a-r- c:\windows\win32k.sys
2009-09-28 20:07 . 2007-02-24 04:54 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-27 00:44 . 2007-08-20 18:38 -------- dc----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-24 22:58 . 2009-09-24 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-24 22:40 . 2009-09-24 22:40 -------- d-----w- c:\program files\NOS
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2007-03-22 03:19 . 2007-09-03 03:14 643072 -c--a-w- c:\program files\RipIt4Me.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-06 94208]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-08-12 380928]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"EPSON Stylus C84 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus C84 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"InstaLAN"="c:\program files\CenturyTel\Home Network Manager\HomeNetworkManager.exe" [2008-10-14 1127712]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.exe.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tatertot.scr.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/23/2008 5:21 PM 24652]
S3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\drivers\ADM8511.SYS [6/25/2007 2:16 PM 24745]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [2/28/2006 5:00 AM 14336]
S3 rootrepeal.exe;rootrepeal.exe;\??\c:\windows\system32\drivers\rootrepeal.exe.sys --> c:\windows\system32\drivers\rootrepeal.exe.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/11/2009 8:36 AM 356920]
S3 tatertot.scr;tatertot.scr;c:\windows\system32\drivers\tatertot.scr.sys [10/11/2009 8:26 PM 34816]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [8/16/2009 7:06 PM 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [8/16/2009 7:06 PM 24192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]

2009-10-09 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-09 01:57]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x5u2cho0.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????N??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\combofix\CF12435.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-30 21:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 04:26

Pre-Run: 50,045,624,320 bytes free
Post-Run: 54,208,712,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CBB1BDFEA3403D17176D2606914A8F92

---------------------------
Thanks,
Kristy

#7 myrti (Sillyberry, Malware Study Hall Admin, 33,771 posts)

Posted 30 October 2009 - 07:12 AM

Hi,

This looks pretty promising.

Please run the following script with Combofix:
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\win32k.sys
c:\windows\system32\drivers\tatertot.scr.sys

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.exe.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tatertot.scr.sys]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

Driver::
rootrepeal.exe
tatertot.scr


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Afterwards please run win32kdiag.exe again, with the following command to fix some malware related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

And finally please run junction.exe:
We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Please post back the log from Combofix, Win32kdiag and junction in your next reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 calikris4u

calikris4u
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 01 November 2009 - 11:06 PM

Here's the ComboFix log:

ComboFix 09-10-27.08 - Administrator 11/01/2009 19:22.2.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.816 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\drivers\tatertot.scr.sys"
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\tatertot.scr.sys
c:\windows\win32k.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ROOTREPEAL.EXE
-------\Service_rootrepeal.exe
-------\Service_tatertot.scr


((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-10-30 04:14 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-12 03:25 . 2009-10-12 03:25 42552 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\windows\system32\drivers\NSS
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\program files\Norton Security Scan
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\program files\NortonInstaller
2009-10-09 01:57 . 2009-10-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-09 01:24 . 2009-10-09 01:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-04 18:38 . 2009-10-04 18:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 20:07 . 2007-02-24 04:54 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-27 00:44 . 2007-08-20 18:38 -------- dc----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-24 22:58 . 2009-09-24 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-24 22:40 . 2009-09-24 22:40 -------- d-----w- c:\program files\NOS
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2007-03-22 03:19 . 2007-09-03 03:14 643072 -c--a-w- c:\program files\RipIt4Me.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-30_04.21.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2009-11-02 03:02 71060 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-11-02 03:02 441124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-06 94208]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-08-12 380928]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"EPSON Stylus C84 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus C84 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"InstaLAN"="c:\program files\CenturyTel\Home Network Manager\HomeNetworkManager.exe" [2008-10-14 1127712]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 1:22 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 1:22 PM 72944]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/23/2008 4:21 PM 24652]
S3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\drivers\ADM8511.SYS [6/25/2007 1:16 PM 24745]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [2/28/2006 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 1:22 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/11/2009 7:36 AM 356920]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [8/16/2009 6:06 PM 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [8/16/2009 6:06 PM 24192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]

2009-10-09 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-09 01:57]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x5u2cho0.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 19:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????N??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(632)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\combofix\CF1861.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-11-02 19:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 03:41
ComboFix2.txt 2009-10-30 04:26

Pre-Run: 54,218,469,376 bytes free
Post-Run: 54,173,650,944 bytes free

- - End Of File - - 3032692957D07FCAA4E43FC63439DECF

-------------------------------------------------------------------------------

...and the Win32kdiag log:

Running from: C:\Documents and Settings\Administrator\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
Removing all found mount points.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17F.tmp\ZAP17F.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17F.tmp\ZAP17F.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP304.tmp\ZAP304.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP304.tmp\ZAP304.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3.tmp\ZAPA3.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3.tmp\ZAPA3.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA7.tmp\ZAPA7.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA7.tmp\ZAPA7.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d2\d2
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d3\d3
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d4\d4
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d5\d5
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d6\d6
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d7\d7
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d8\d8
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2006-02-28 04:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\profiles\Kristy\Kristy
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\profiles\Kristy\Kristy
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState
Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!

-----------------------------------------------------

...and the Junction log (even I can tell this one isn't good)...I'm attaching it as well:


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\38dd172c051b9828ee\amd64: Access is denied.

Failed to open \\?\c:\\38dd172c051b9828ee\i386: Access is denied.

Failed to open \\?\c:\\b76692858e1c812941dcad98c565098d\%temp%dd_msxml_retMSI.txt: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Kristy: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\OTL.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\RootRepeal.exe: Access is denied.

.Failed to open \\?\c:\\Documents and Settings\Administrator\My Documents\RootRepeal.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Administrator\My Documents\again\RootRepeal.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Administrator\My Documents\again2\rootrepeal.exe.exe: Access is denied.

.Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51136909dedd8670225bba2d31221794_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\542c4baf01bd04c60920a9b489ce32e3_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f0f70f0732000f49bbd024777887e44_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\85a5535705c1e1f0c8707c0517ea9dc7_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\914f257c680bd9cfe39889ca0d7f7044_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\98e208c01e2ed7d6e6d0c299475d21a3_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d90a009eef4d777473db25f1121c620b_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f292aaef32cb994ad5cfff5de0489769_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.

. ... ... ... ... ... ... ... ..Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}\Setup.ilg: Access is denied.

Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{385979FE-DC4F-4140-8EAD-A59625000D72}\Setup.ilg: Access is denied.

Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.ilg: Access is denied.

Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{5A8D3524-79DB-11D5-99D1-00010256D40E}\setup.ilg: Access is denied.

Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{8FDD2A92-9F75-4706-B8C2-08499A9863E6}\Setup.ilg: Access is denied.

Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{B745C947-0436-41D8-80AE-5EBE3967EA02}\setup.ilg: Access is denied.

Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{F7E8082A-8FF7-42B3-A604-59CCABF2A593}\Setup.ilg: Access is denied.

. ... Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.

Failed to open \\?\c:\\Program Files\McAfee\VirusScan Enterprise\scncfg32.exe: Access is denied.

... ... .Failed to open \\?\c:\\Program Files\ODYSSEY\Software Hand Book 4.6.zip: Access is denied.

.. ... ..Failed to open \\?\c:\\SDFix\backups\catchme.log: Access is denied.

. .Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

.. ... ... ... ... \\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

... ... ... ..Failed to open \\?\c:\\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe: Access is denied.

. ... ... ... ... ...
-----------------------------------------------

Thanks,
Kristy




#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:27 AM

Posted 02 November 2009 - 04:53 AM

Hi,

let's tackle the feedback from junction:

We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

    "%userprofile%\desktop\inherit" "c:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\McAfee\VirusScan Enterprise\scncfg32.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\OTL.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\RootRepeal.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\My Documents\RootRepeal.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\My Documents\again\RootRepeal.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\My Documents\again2\rootrepeal.exe.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.
Please let me know if you are now able to remove RootRepeal from My Documents and Desktop.

Please also run another scan with Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards _temp_


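Reading the logs in #8 together with the permission-reset step in #9 gives the two symptoms this thread is working through: every mount point Win32kDiag found resolves to \Device\__max++>\^, a raw device-object name rather than any volume path, and junction.exe gets "Access is denied" on exactly the tools needed to examine the machine (RootRepeal.exe, mbam.exe, OTL.exe, helpsvc.exe) while the denials on MachineKeys, System Volume Information and Dr Watson are normal for a scanner that is not running as SYSTEM. The script below is an added example, not part of the thread and not the code of junction.exe, Win32kDiag or Inherit.exe. It parses constructed sample lines in those two log formats, separates expected denials from executables whose ACL has been stripped, flags reparse targets that are not volume paths, and emits one "icacls <file> /reset" line per flagged executable as the built-in (Vista and later) way to get what the Inherit.exe step does on XP. The sample lines and that equivalence are assumptions of the example.

```python
"""Triage of junction.exe and Win32kDiag output (added example, not code from
the thread or from either tool): flags reparse points whose target is a raw
device-object name, and executables the scanner was denied access to."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines modelled on the logs posted in the thread (not the real files).
JUNCTION_LOG = r"""
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\RootRepeal.exe: Access is denied.
. ... Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51136909dedd8670225bba2d31221794_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c: Access is denied.
.. ... \\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
... ..Failed to open \\?\c:\\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe: Access is denied.
"""

WIN32KDIAG_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
"""

# A benign reparse target is a volume path: C:\..., \??\C:\... or \??\Volume{...}.
# A bare \Device\... object name is not something Windows or an installer creates
# under C:\WINDOWS, so any target that is not a volume path is flagged.
LEGIT_TARGET = re.compile(r"^(\\\?\?\\)?([A-Za-z]:\\|Volume\{)", re.IGNORECASE)

# Locations where "Access is denied" is normal for a scanner not running as SYSTEM.
EXPECTED_DENIED = re.compile(
    r"\\(MachineKeys|System Volume Information|Dr Watson)\\", re.IGNORECASE)

TOOL_EXT = (".exe", ".dll", ".sys")


@dataclass
class Finding:
    kind: str        # "mount_point", "junction" or "open_failed"
    path: str
    detail: str      # reparse target, or the reason the open failed
    suspicious: bool


def _clean_path(p: str) -> str:
    # junction.exe prints paths as \\?\c:\\foo\bar; normalise to c:\foo\bar
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return p.replace(":\\\\", ":\\", 1)


def parse_win32kdiag(text: str) -> List[Finding]:
    """Pair each 'Found mount point' line with the 'destination' line after it."""
    out, current = [], None
    for line in text.splitlines():
        if line.startswith("Found mount point :"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Mount point destination :") and current:
            dest = line.split(":", 1)[1].strip()
            out.append(Finding("mount_point", current, dest, not LEGIT_TARGET.match(dest)))
            current = None
    return out


def parse_junction(text: str) -> List[Finding]:
    """Parse 'junction -s' output: open failures and JUNCTION records."""
    out, pending = [], None          # pending: JUNCTION path awaiting its Substitute Name
    for raw in text.splitlines():
        line = raw.lstrip(". ")      # junction prints progress dots in front of some lines
        if line.startswith("Failed to open "):
            parts = line[len("Failed to open "):].rsplit(": ", 1)
            if len(parts) != 2:
                continue
            path, reason = _clean_path(parts[0]), parts[1].rstrip(".")
            if reason != "Access is denied":
                out.append(Finding("open_failed", path, reason, False))
            elif EXPECTED_DENIED.search(path):
                out.append(Finding("open_failed", path, "expected (system-protected)", False))
            elif path.lower().endswith(TOOL_EXT):
                out.append(Finding("open_failed", path,
                                   "executable unreadable: likely ACL stripped", True))
            else:
                out.append(Finding("open_failed", path, "unexplained, review", False))
        elif line.endswith(": JUNCTION"):
            pending = _clean_path(line[:-len(": JUNCTION")])
        elif line.startswith("Substitute Name:") and pending:
            target = line.split(":", 1)[1].strip()
            out.append(Finding("junction", pending, target, not LEGIT_TARGET.match(target)))
            pending = None
    return out


def repair_commands(findings: List[Finding]) -> List[str]:
    """One line per flagged executable. 'icacls <file> /reset' replaces the ACL with
    the default inherited one, the same goal as the thread's Inherit.exe step
    (assumption: icacls exists on Vista and later; XP needs the thread's tool)."""
    return [f'icacls "{f.path}" /reset'
            for f in findings if f.kind == "open_failed" and f.suspicious]


def summarize(junction_text: str, diag_text: str) -> dict:
    findings = parse_junction(junction_text) + parse_win32kdiag(diag_text)
    return {
        "rogue_mount_points": [f.path for f in findings if f.kind == "mount_point" and f.suspicious],
        "unreadable_tools": [f.path for f in findings if f.kind == "open_failed" and f.suspicious],
        "benign_junctions": [f.path for f in findings if f.kind == "junction" and not f.suspicious],
    }


if __name__ == "__main__":
    for key, paths in summarize(JUNCTION_LOG, WIN32KDIAG_LOG).items():
        print(key, *paths, sep="\n  ")
    print(*repair_commands(parse_junction(JUNCTION_LOG)), sep="\n")
```

Run it on the real files by reading the saved junction log and Win32kDiag.txt into the two text variables; the legitimate GAC-to-WinSxS junctions that .NET creates come out as benign, while the duplicated-name mount points (addins\addins, CSC\d1\d1) and the unreadable tools are the ones to act on. Sharing violations such as pagefile.sys are reported but never flagged, so the script does not cry wolf on normal noise.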

#10 calikris4u

calikris4u
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 02 November 2009 - 01:42 PM

Hi,

When you say to let you know if I can "remove RootRepeal from My Documents and Desktop," you mean for me to just try to delete the copies that are saved there? All those copies were multiple attempts on my part to get it to run...once one copy seized up it wouldn't open again so I'd install a fresh one.

Also, the "here" link you provided (for the Malwarebytes updated definitions) was dead...and I know I'll need that file because my stupid laptop won't boot in safe mode w/ networking (can't go online) right now.

Thanks,
Kristy

#11 calikris4u

calikris4u
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:27 AM

Posted 03 November 2009 - 01:01 AM

Hi,

I figured out that the Malwarebytes definitions link is probably dead because the latest version's so new. So...the lines of code each said 'OK' afterward, and when done I was able to delete all 3 copies of RootRepeal. I then emptied the trash.

Malwarebytes found NO problems, here's the report:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3 (Safe Mode)

11/2/2009 9:53:48 PM
mbam-log-2009-11-02 (21-53-48).txt

Scan type: Quick Scan
Objects scanned: 97700
Time elapsed: 9 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


But, I still can't login to Windows except in plain old Safe Mode...

Kristy

Edited by calikris4u, 03 November 2009 - 12:47 PM.


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:11:27 AM

Posted 03 November 2009 - 04:56 PM

Hi,

could you try to create a new account and log into that one in normal mode for me? The account that is blocked to you is Kristy?

regards _temp_



#13 calikris4u

calikris4u
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:27 AM

Posted 03 November 2009 - 10:00 PM

Hi, I logged into Safe Mode, created a new account, and rebooted in normal Windows. I got the same error message when I tried logging in with the new account, as well as the (always present) Guest account: "This copy of Windows must be activated w/ Microsoft before you can log on. Do you want to activate now?"

Sigh.

Edited by calikris4u, 03 November 2009 - 10:01 PM.


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:11:27 AM

Posted 05 November 2009 - 10:03 AM

Hi,

please download swxcacls.exe and save it with that name on your desktop.

Open Notepad and copy/paste the code box below into a new text file.
@echo off
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51136909dedd8670225bba2d31221794_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys">>log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\542c4baf01bd04c60920a9b489ce32e3_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">>log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f0f70f0732000f49bbd024777887e44_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">>log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\85a5535705c1e1f0c8707c0517ea9dc7_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">>log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\98e208c01e2ed7d6e6d0c299475d21a3_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">>log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d90a009eef4d777473db25f1121c620b_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">>log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f292aaef32cb994ad5cfff5de0489769_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">>log.txt
"%userprofile%\Desktop\swxcacls.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\914f257c680bd9cfe39889ca0d7f7044_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c">>log.txt

log.txt
  • Save the file as query.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "query.bat" and double-click on it to run. (It is important that you run the script from the Desktop and that you save swxcacls.exe onto your Desktop as well!)
  • It will open a text file; please copy the content into your next reply.
regards _temp_



#15 calikris4u

calikris4u
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:27 AM

Posted 05 November 2009 - 11:39 PM

Hi, here's the query/swxcacls log:

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51136909dedd8670225bba2d31221794_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
Folder: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Read and Write This Folder/File Only
KRISTYLAPTOP\Administrators
Allowed Full Control This Folder/File Only

No Auditing set

Owner: Administrators (KRISTYLAPTOP\Administrators)
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\542c4baf01bd04c60920a9b489ce32e3_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f0f70f0732000f49bbd024777887e44_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\85a5535705c1e1f0c8707c0517ea9dc7_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\98e208c01e2ed7d6e6d0c299475d21a3_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d90a009eef4d777473db25f1121c620b_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f292aaef32cb994ad5cfff5de0489769_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\914f257c680bd9cfe39889ca0d7f7044_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied



Feels like we're going in circles, but then again what do I know...what's next?
Kristy

Edited by calikris4u, 05 November 2009 - 11:40 PM.
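The query.bat in post #14 and the swxcacls log in post #15 together are an ACL audit of the MachineKeys store: the folder itself reports Everyone with Read and Write and Administrators with Full Control (which matches Microsoft's documented Windows XP default for that folder), while every one of the eight key-container files returns "Access is denied" before any ACL is shown. A helper reading several of these logs wants that contrast surfaced automatically. The script below is an added example, not part of the thread and not a SteelWerX or BleepingComputer tool: it parses the swxcacls record layout seen above (banner, "File:"/"Folder:" header, then either "Access is denied" or a permissions table and an "Owner:" line) and flags objects whose ACL could not be read, objects with an explicit Denied entry, and objects with no Allowed entry for Administrators. The sample log is constructed from the paths in the thread; matching any inheritance phrase that starts with "This ..." and assuming every principal line carries a backslash (DOMAIN\name or \Everyone) are my assumptions.

```python
"""Parse swxcacls (SteelWerX Extended Configuration ACLs) output and flag the
entries a malware-removal helper would look at first.

Added example for this thread; not a SteelWerX or BleepingComputer tool.
Record layout is taken from the log in post #15; the generic 'This ...'
inheritance match and the backslash-in-principal rule are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BANNER = "SteelWerX Extended Configuration Access Control Lists"
# 'Allowed Full Control This Folder/File Only' -> (type, rights, inheritance).
# Only 'This Folder/File Only' occurs in the log; other 'This ...' phrases are
# matched generically (assumption).
ACE_RE = re.compile(r"^(Allowed|Denied)\s+(.+?)\s+(This .+)$")


@dataclass
class Ace:
    principal: str    # e.g. 'KRISTYLAPTOP\\Administrators' or '\\Everyone'
    kind: str         # 'Allowed' or 'Denied'
    rights: str       # e.g. 'Full Control', 'Read and Write'
    inheritance: str  # e.g. 'This Folder/File Only'


@dataclass
class AclRecord:
    kind: str                    # 'File' or 'Folder'
    path: str
    access_denied: bool = False  # swxcacls itself could not read the ACL
    owner: Optional[str] = None
    aces: List[Ace] = field(default_factory=list)


def parse_swxcacls(text: str) -> List[AclRecord]:
    """Split the log on the tool banner and build one record per object."""
    records: List[AclRecord] = []
    for chunk in text.split(BANNER)[1:]:
        rec: Optional[AclRecord] = None
        principal: Optional[str] = None  # principal line waiting for its ACE line
        for raw in chunk.splitlines():
            line = raw.strip()
            if line.startswith(("File: ", "Folder: ")):
                kind, path = line.split(": ", 1)
                rec = AclRecord(kind=kind, path=path)
            elif rec is None or not line or line.startswith("*"):
                continue  # banner credits, separators, blank lines
            elif line == "Access is denied":
                rec.access_denied = True
            elif line.startswith("Owner: "):
                rec.owner = line[len("Owner: "):]
            elif (m := ACE_RE.match(line)) and principal is not None:
                rec.aces.append(Ace(principal, m.group(1), m.group(2), m.group(3)))
                principal = None
            elif "\\" in line:
                principal = line  # assumption: principals always carry a domain prefix
        if rec is not None:
            records.append(rec)
    return records


def triage(records: List[AclRecord]) -> List[str]:
    """Findings worth chasing: unreadable ACLs, explicit denies, and objects
    where the Administrators group has no Allowed entry at all."""
    findings: List[str] = []
    for rec in records:
        name = rec.path.rsplit("\\", 1)[-1]
        if rec.access_denied:
            findings.append(f"UNREADABLE {rec.kind.lower()} {name}: 'Access is denied'")
            continue
        for ace in rec.aces:
            if ace.kind == "Denied":
                findings.append(
                    f"EXPLICIT-DENY {rec.kind.lower()} {name}: {ace.principal} denied '{ace.rights}'")
        if not any(a.kind == "Allowed" and a.principal.endswith("\\Administrators") for a in rec.aces):
            findings.append(f"NO-ADMIN-ACCESS {rec.kind.lower()} {name}: no Allowed ACE for Administrators")
    return findings


# Constructed sample, shaped like the log in post #15 (one folder, two files).
SAMPLE_LOG = r"""SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
Folder: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Read and Write This Folder/File Only
KRISTYLAPTOP\Administrators
Allowed Full Control This Folder/File Only

No Auditing set

Owner: Administrators (KRISTYLAPTOP\Administrators)
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51136909dedd8670225bba2d31221794_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\542c4baf01bd04c60920a9b489ce32e3_ef06c986-7fdf-42cc-a5a6-9ad41a56fc6c

Access is denied
"""

if __name__ == "__main__":
    for finding in triage(parse_swxcacls(SAMPLE_LOG)):
        print(finding)
```

Run it against a real log with `python swxcacls_triage.py < log.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; on the log above it reports the eight files as UNREADABLE and stays silent on the folder, which is the pattern the helper asked the batch file to expose.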




