Viruses, Spyware and...

Fun times with Windows Police Pro.

Thread Solved

Last »

•

Join Date: Oct 2009

Posts: 37

Reputation: Asezat is an unknown quantity at this point

Solved Threads: 0

Asezat

Offline

Light Poster

#11

Oct 20th, 2009

I copied that exact command into the prompt, twice, and each time it said "The system cannot find the file specified". Logit.txt did appear, but it was empty.

•

Originally Posted by PhilliePhan

-- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of ill compy an then run) is to run Combofix directly from the flash drive.

Perhaps we should go ahead and try that? What do you think?
You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.

I'll try whatever you think will work.

•

Join Date: Dec 2006

Posts: 1,017

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 49

PhilliePhan PhilliePhan is offline

Offline

Central Scrutinizer

#12

Oct 20th, 2009

•

Originally Posted by Asezat

I'll try whatever you think will work.

We should probably try burning the tools onto a non-rewritable disk (not the ISOs, just the disk of tools). That way, we can use command line to copy them to desktop. Let me know if that is workable.

I am a little reluctant to try the flash drive just yet - I am fairly certain the malware has replaced the legit eventlog.dll and once we deal with that, we can make some headway with tools on the desktop. We just need to get them on there.

What happens when you type the following command at the prompt:

dir /s %windir%\eventlog.dll

Note it is dir <space> /s <space>%windir%\eventlog.dll

If error there, try:
sc stop "eventlog" ENTER

What happens?

If error there, try:
sc config "eventlog" start= disabled ENTER

What happens?

PP

Last edited by PhilliePhan; Oct 20th, 2009 at 7:56 pm. Reason: Nothing important

In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP

•

Join Date: Oct 2009

Posts: 37

Reputation: Asezat is an unknown quantity at this point

Solved Threads: 0

Asezat

Offline

Light Poster

#13

Oct 20th, 2009

I'm not sure if I have any non-rewritable CD's at the moment. I actually spent the best part of an hour looking earlier on, because I thought I did.

Of the three comands, the first gives the "system cannot find the file" response.

The second gives "[SC] ControlService FAILED 1052: The requested control is not valid for this service."

The third: "[SC] ChangeServiceConfig SUCCESS".

•

Join Date: Dec 2006

Posts: 1,017

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 49

PhilliePhan PhilliePhan is offline

Offline

Central Scrutinizer

#14

Oct 20th, 2009

•

Originally Posted by Asezat

The third: "[SC] ChangeServiceConfig SUCCESS".

Good - that's what I thought. It can't be stopped, but it can be disabled.

At the prompt, type sc query "eventlog" and tell me what the State is.
If it is still running, we'll need to reboot and then repeat the query to make sure it is not running.
('course, I am assuming this is replaced file - usually it is, but there have been others)

Then, let's try to copy FindWPP and Win32kDiag.exe to the desktop again. If you can't copy and paste, try the copy command.

Assuming external drive is, say, G:\ the command would be:
copy G:\Win32kDiag.exe "%userprofile%\desktop"
copy G:\FindWPP.zip "%userprofile%\desktop"

Obviously, if not G:\ , you'll need to change accordingly.

Let's see how that works.

Sorry about the delay - doing 10 things at once here

Last edited by PhilliePhan; Oct 20th, 2009 at 8:26 pm. Reason: The Usual.....

•

Join Date: Oct 2009

Posts: 37

Reputation: Asezat is an unknown quantity at this point

Solved Threads: 0

Asezat

Offline

Light Poster

#15

Oct 20th, 2009

The state initially was "4 RUNNING", after a reboot it's "1 STOPPED".

I've just tried to copy the files off the CD normally again, the whole thing froze before I even could get into the CD, this time. When I cleared it, Explorer crashed and forced another reboot.

After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."

•

Join Date: Dec 2006

Posts: 1,017

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 49

PhilliePhan PhilliePhan is offline

Offline

Central Scrutinizer

#16

Oct 20th, 2009

•

Originally Posted by Asezat

After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."

Well . . . crap. It's not making things easy, is it?
-- You did change the source directory to the correct letter (probably D or E:\), right? (sorry - gotta check)

Try to copy them from the flash drive.

If that does not work, let's go ahead and try to run combofix from the flash drive. You'll not be able to update it, but run it anyway - If it runs, post the log.

PP

•

Join Date: Oct 2009

Posts: 37

Reputation: Asezat is an unknown quantity at this point

Solved Threads: 0

Asezat

Offline

Light Poster

#17

Oct 20th, 2009

I did initially have the wrong source directory letter >.> but I fixed it before I made the post.

I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.

•

Join Date: Dec 2006

Posts: 1,017

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 49

PhilliePhan PhilliePhan is offline

Offline

Central Scrutinizer

#18

Oct 20th, 2009

•

Originally Posted by Asezat

I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.

-- Can you RightClick on it and Run as Administrator?

-- Did you try command prompt?
type %userprofile%\desktop\win32kdiag.exe ENTER

-- Can you RightClick and extract the FindWPP folder from the ZIP to the desktop?

PP

•

Join Date: Oct 2009

Posts: 37

Reputation: Asezat is an unknown quantity at this point

Solved Threads: 0

Asezat

Offline

Light Poster

#19

Oct 20th, 2009

I can run Win32Diag as admin, but it first says that it can't get the desktop directory, and then "error: could not create log file <13>". Then it shuts itself down.

Yep, it let me extract FindWPP.

•

Join Date: Dec 2006

Posts: 1,017

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 49

PhilliePhan PhilliePhan is offline

Offline

Central Scrutinizer

#20

Oct 20th, 2009

•

Originally Posted by Asezat

Yep, it let me extract FindWPP.

OK - Run RunThis.bat in the FindWPP folder and see if it runs. If the log pops up, save it to the desktop. Put it on the re-writable disc to transfer it, if possible.

PP

Last edited by PhilliePhan; Oct 20th, 2009 at 9:43 pm.