
Possible Infection



#1 WrinkledCheese

Posted 23 February 2012 - 11:33 AM

Hello everyone,

I have a tricky infection. I've run various tools with some success.
I've run the PandaAV Safe CD; this is what my boss uses, and I don't believe in its effectiveness, as I have found housecall.trendmicro.com to provide a more effective tool, and that's not even that great.

So I went looking for the latest version of ComboFix, this is my go-to tool. I find it very useful in fixing and finding all sorts of problems. I use this usually in conjunction with exeHelper.com, HijackThis, GMER and possibly others I can't think of right now. I have an issue with a particular system and I can't get a lot of things to work. For example, ComboFix will not run:
c:\combofix\attrib.3xe is not a valid Win32 application.
When I run DDS it seems to run fine, but the Notepad logs don't appear and I don't know where to look for them, and from what the program tells me, it doesn't create any permanent files, i.e. logs. Running Notepad on its own works fine. I can't take any screen shots because Paint fails to execute. If I go into Event Viewer I can see thousands of software and security errors; however, I can't open them to find out any details, i.e. the errored application name/location and possibly some useful information. In using the system I don't detect any hardware errors. I am able to run SpinRite, but I doubt there are any hard disk errors.

I'm not sure what I should do at this point. I ran GMER and didn't find anything interesting except maybe a missing file.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-23 12:32:17
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400JB-00ENA0 rev.05.03E05
Running: yh6dri7l.exe; Driver: C:\DOCUME~1\Staff\LOCALS~1\Temp\pxtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore@DisableSR \t 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
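As an added example (not part of this thread, and not GMER's own code), here is a small Python triage helper that parses the kernel and registry sections of a GMER text log like the one above and flags the entries a responder would want to look at: a driver referenced by a kernel code section that is missing on disk, System Restore disabled through the DisableSR value, and a populated AppInit_DLLs value. The sample log is copied from the post; the regexes, severity labels and function names are my own assumptions.

```python
import re

# Constructed sample input: the relevant lines of the GMER log posted above.
GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore@DisableSR \t 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

---- EOF - GMER 1.0.15 ----
"""

# "---- <section name> - GMER <version> ----" header lines delimit the sections.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "Reg <key>@<value> <data>"; data is optional (GMER prints nothing for empty values).
REG_RE = re.compile(r"^Reg (?P<key>.+?)@(?P<value>\S+)(?:\s+(?P<data>.*))?$")


def parse_gmer(text):
    """Split a GMER text log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_gmer(text):
    """Return (severity, reason, log line) tuples worth a responder's attention."""
    findings, sections = [], parse_gmer(text)
    for line in sections.get("Kernel code sections", []):
        if "cannot find the file" in line:
            findings.append(("medium", "kernel code section refers to a driver missing on disk", line))
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if not m:
            continue
        value, data = m.group("value"), (m.group("data") or "").split()
        if m.group("key").endswith(r"\SystemRestore") and value == "DisableSR" and data[-1:] == ["1"]:
            findings.append(("high", "System Restore is disabled (DisableSR = 1)", line))
        if value == "AppInit_DLLs" and data:  # an empty AppInit_DLLs value is the normal state
            findings.append(("high", "AppInit_DLLs injects a DLL into every user32 process", line))
    return findings
```

On the posted log this reports the missing PROCEXP113.SYS and the disabled System Restore, and stays quiet on the empty AppInit_DLLs value.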

#2 WrinkledCheese

Posted 23 February 2012 - 01:07 PM

I think I resolved my issue. I expanded sfc.exe from the CD and ran that, because of the missing procexp113.sys GMER reported. After that ComboFix started working. I believe that someone already removed a virus which left some of the OS in a corrupted state. I think I should be able to take it from here.
