
Possible rootkit, Vundo and multiple viruses [Closed]

This topic is locked.

#1 markdala (New Member, 3 posts)

First time posting to this site; somewhat tech savvy.

When I first got this infection I had a popup for a PCHEALTH app which stated I had an infection and needed to clean it by downloading their program, which I did not do. I tried running several tools to remove viruses, but they all seem to start to run and then quit with no log files, and the next time I try to run one a window comes up and says 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them'.

Currently I can boot in normal mode but everything takes 20 to 30 minutes to come up. I am currently in safe mode with networking.

I started to follow the Malware cleaning guide, but could not perform most of the steps for the above reason. I was able to get a log file from RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/24 08:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6D93000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A4B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6696000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78DB000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF714B000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf757387e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7573bfe

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACykridudqpq.sys

Currently I can only run in Safe mode as normal mode is too slow.
Any help would be greatly appreciated.
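The RootRepeal report above is plain text with several fields packed onto one line, so the entries an analyst cares about (drivers the scanner cannot see on disk, SSDT hooks, hidden services) are easy to pull out mechanically. The following is an added example, not something from the thread or from the RootRepeal project; the sample text is constructed to mirror the log above, and the list of drivers that are normally reported as not visible is an assumption for this illustration.

```python
import re

# Constructed sample in RootRepeal's report layout; values mirror the post's log.
SAMPLE = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6D93000 Size: 98304 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78DB000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf757387e

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACykridudqpq.sys
"""
KEYS = ("Image Path", "Service Name", "Function Name", "File Visible", "Name", "Address", "Size", "Signed", "Status", "#")
KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(map(re.escape, KEYS)) + r"): ")  # fields share a line, so split on known names
EXPECTED_INVISIBLE = ("dump_", "rootrepeal.sys")  # assumed benign: crash-dump shadow drivers and the scanner's own driver

def parse_records(text):
    # One {field: value} dict per blank-line-separated block; section header lines contribute no fields.
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            parts = KEY_RE.split(line)  # ['', key1, val1, key2, val2, ...]
            fields.update((k, v.strip()) for k, v in zip(parts[1::2], parts[2::2]))
        if fields:
            yield fields

def findings(text):
    # Return (kind, name, detail) tuples an analyst should review.
    out = []
    for r in parse_records(text):
        if "Function Name" in r:  # SSDT entry; legitimate security tools hook too, so keep the module name for review
            m = re.search(r'Hooked by "([^"]+)"', r.get("Status", ""))
            if m:
                out.append(("ssdt-hook", r["Function Name"], m.group(1)))
        elif "Service Name" in r:  # service registry entry concealed from the running system
            out.append(("hidden-service", r["Service Name"], r.get("Image Path", "")))
        elif r.get("File Visible") == "No" and not r["Name"].lower().startswith(EXPECTED_INVISIBLE):
            why = "alternate data stream" if re.search(r":\d+$", r.get("Image Path", "")) else "not visible on disk"
            out.append(("hidden-driver", r["Name"], why))
    return out
```

Run against the sample, `findings(SAMPLE)` returns the ADS-backed win32k.sys:1 driver, the NtCreateKey hook with its hooking module, and the hidden UACd.sys service, while the dump_atapi.sys shadow driver is skipped.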


#2 SiriusBlack (Member, 295 posts)

Welcome to GeeksToGo!

My name is SiriusBlack and I'll be helping you today.

As I am still in training, all of my posts have to be checked by an expert, so there may be some delay between replies.

Before we proceed to clean your computer from malware there are some points you should consider that will make the process go smoother.
  • Please have patience, logs take time to properly research so I will not be able to reply immediately.
  • Make sure that you are set to receive an email when I do reply to this topic, this will ensure that you don't miss any replies.
  • There are no silly questions so please just ask! Better safe than sorry.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, just ask!
  • Make sure you reply to this thread only, do not start new topics.

Please read my posts completely before following the instructions.

#3 markdala (Topic Starter, New Member, 3 posts)

Thanks, I'll be awaiting your instructions.

#4 SiriusBlack (Member, 295 posts)

Hello, markdala

Please download Win32kDiag to your desktop.
Double-click on Win32kDiag to run it.
A log should appear when it is finished. Post that log here.

If it doesn't pop up, a log file called Win32kDiag.txt should be located on your desktop. Please post that.

#5 markdala (Topic Starter, New Member, 3 posts)

While waiting for a reply I did some things on my own and I think I got the rootkit and viruses removed.
Here's what I did.
In safe mode I ran ComboFix. It showed I had a rootkit and needed to reboot, so I did.
I went back into safe mode and ran ComboFix again. It found the rootkit and wanted another reboot, which I did.
Back in safe mode, I did some searching in the 'Run' key and found 2 suspicious entries set to run on startup, so I found the files and deleted them and the run keys.
Ran CCleaner and deleted temp files, etc. with that.
Rebooted back into safe mode.
Ran ComboFix again and let it delete what it found, rebooted again in safe mode.
ComboFix made a log.
I rebooted into normal mode and ran Symantec AV, which found and deleted a few viruses.
I then saw your reply and ran Win32kDiag and here is the log:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

Finished!

I then installed SP3 and updated Symantec AV to SEP11 with Firewall.

What should I do to make sure all files have been deleted?
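The Win32kDiag log above lists a file the tool could not open, followed by every other copy of that file it found with its size and the company name from its version information; the point of comparison is that the live copy in system32 reports no company while the service-pack and uninstall copies say Microsoft Corporation. The following is an added example, not part of the thread or of Win32kDiag, that parses that layout and flags such disagreements; the sample text is constructed to mirror the log above.

```python
import re

# Constructed sample in Win32kDiag's report layout; the entries mirror the post's log.
SAMPLE = r"""Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

Finished!
"""

# Entry lines read "[n] <timestamp> <size> <path> (<company from version info>)"
ENTRY_RE = re.compile(r"^\[\d+\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")

def parse_report(text):
    """Map each 'Cannot access' path to the copies of that file the tool found."""
    report, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Cannot access: "):
            current = line[len("Cannot access: "):]
            report[current] = []
        elif current and (m := ENTRY_RE.match(line)):
            report[current].append({"time": m[1], "size": int(m[2]), "path": m[3], "company": m[4]})
    return report

def suspicious_copies(report):
    """Flag the copy at the inaccessible path whose version info disagrees with its backups.

    Service-pack and uninstall folders hold pristine copies, so a live system file with no
    company string, or a different one, is what an analyst follows up; a matching size alone
    does not clear it (the sample's sizes are all equal)."""
    flagged = []
    for target, copies in report.items():
        backups = [c for c in copies if c["path"].lower() != target.lower()]
        for live in (c for c in copies if c["path"].lower() == target.lower()):
            reasons = []
            if not live["company"]:
                reasons.append("no company in version info")
            if backups and live["company"] not in {b["company"] for b in backups}:
                reasons.append("company differs from backup copies")
            if backups and live["size"] not in {b["size"] for b in backups}:
                reasons.append("size differs from backup copies")
            if reasons:
                flagged.append((live["path"], reasons))
    return flagged
```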

#6 SiriusBlack (Member, 295 posts)

Hello, markdala

Do not run any other tools on your own; it may cause harm to your system and make our work harder than it already is. Also, tell me how your computer is running now. Can you boot in Normal Mode?

1)

Please open the run dialogue by going to Start -> Run. Copy and paste the code below into the text box, and press OK
"%userprofile%\desktop\win32kdiag.exe" -f -r
  • You will see a new file named "Win32kdiag.txt" on your desktop. Open it with notepad and post the contents in your next reply.

2) To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
