
Thread: Nasty infestation. No Anti Virus will run. (Inactive)

  #11 Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    That's fine, it should only take a second.
    If we are lucky, that should allow Combofix to run now.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  #12 Junior Member (Join Date: Aug 2009, Posts: 28)

    Hi.

    I'm telling you that it shut down the command box before I could verify to commit the command. It didn't run, it didn't generate any log, it is still doing the same thing.

  #13 Junior Member (Join Date: Aug 2009, Posts: 28)

    I'm sorry if I am not being clear.

    I did as you said, and it didn't allow me to verify the command. When the command prompt opened, it then shut quickly without me being able to type 'y' or even see anything.

    Now, I re-ran the combofix, which you renamed cleanme.exe, and it did the same thing as it has been doing.

    Let me know if you need more info.

    Thanks!!

  #14 Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    Your logs show that you have at least two rootkits and at least one other infection... they all prevent removal tools from running.

    This may take several tries, so please be patient.

    Please try the following.

    Click start > run then copy/paste the following into the run window

    cacls C:\windows\system32\cmd.exe /G Owner:F

    Press enter.

    A cmd window should come up asking you if you are sure, type 'y' then hit enter.

    Try to run Combofix again.


    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If requested, please reboot.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    Last edited by katana; 2009-08-08 at 14:44.

  #15 Junior Member (Join Date: Aug 2009, Posts: 28)

    Thanks for the follow-up!!

    I tried what you said many, many times and neither ComboFix nor MalwareBytes will run. The cacls command didn't seem to make any difference whatsoever. ComboFix has the task bar look like it completes... then there are some hourglasses, then it dies.

    MalwareBytes will install and update, but very shortly after starting to run, it dies as well with the permissions changing to say "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I attempt to change the permissions, there is no security/permissions tab.

  #16 Junior Member (Join Date: Aug 2009, Posts: 28)

    Katana...

    Here is some more info that may be of use.

    When ComboFix attempts to run, watching Task Manager it appears to die while n.pif is running or immediately after it runs.

    While I am in safe mode, this issue persists. I have seen it kill programs while I am in safe and trying to scan (previously did this). When windows launches, a winword.exe process runs - I'm almost sure that shouldn't be happening.

    Here are the only processes running in safe when this still happens:
    taskmgr.exe
    svchost.exe
    explorer.exe
    svchost.exe
    svchost.exe
    svchost.exe
    lsass.exe
    services.exe
    winlogon.exe
    csrss.exe
    smss.exe
    system
    system idle process

    It appears to be attached to these processes.
    What other info can I provide to assist you with the next steps?

    Thanks again!!!!

  #17 Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    I've not abandoned you, I'm doing some research.
    Did you try the second cacls instruction I posted? It was different from the first.

    You don't happen to know where you got this infection do you ?

    Please try the following


    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
      ( They can also be found in the C:\RSIT folder )

  #18 Junior Member (Join Date: Aug 2009, Posts: 28)

    Hi Katana. Thanks for being persistent.

    No, I don't know from where it reared. I got some stuff off Ares a little while back for my cousin's wedding and it may very well have shown up from there. I don't keep it open and use it rarely.

    I did run the other cacls command, many times before trying ComboFix & mbam, and had the same symptoms. At least when I ran the last command, the cmd prompt did open and ask me y/n.

    Ok, I ran the RSIT and it got a little ways then was killed. Same scenario...permission denied now. It did save a little bit in the log file, which I am attaching below. As a sidenote, the two .jobs under windows/tasks are associated with a.exe and b.exe, I know that for sure. I found it in the event log associating those keys with those programs.

    Just an opinion here, this infection is very efficient. My system is showing no signs of an issue. Running very fast. But when anything runs that appears to search certain areas or look like a Malware scanning program, it is nailed to the wall. Never seen anything work this well and not show any adverse symptoms at the system level.

    Here is the log that was captured:


    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Owner at 2009-08-08 11:18:53
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 8 GB (8%) free of 95 GB
    Total RAM: 1918 MB (77% free)


    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\WGASetup.job
    C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
    C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
    IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2008-12-23 161200]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-22 320920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-22 34816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-22 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f54af7de-6038-4026-8433-cc30e3f17212}]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
    "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
    "ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-11 339968]
    "Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]
    "eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
    "hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]
    "HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ares"=C:\Program Files\Ares\Ares.exe [2008-12-16 887808]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2005-04-11 46080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pevsystemstart]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\pevsystemstart]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\windefend]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"
    "C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE"="C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE:*:Enabled:Microsoft (R) Visual Studio VSA RPC Event Creator"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe"="C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
    "D:\setup\HPZNUI01.EXE"="D:\setup\HPZNUI01.EXE:*:Enabled:hpznui01.exe"
    "D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
    "C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
    "C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
    "C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
    "C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
    "C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe"="C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe:*:Enabled:SQL Server Surface Area Configuration"
    "C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe"="C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe:*:Enabled:Microsoft Visual Studio 2005"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65a12071-04f5-11de-9d93-0014a51fe469}]
    shell\AutoRun\command - F:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7430667-d3ac-11dd-9d87-0014a51fe469}]
    shell\AutoRun\command - E:\wd_windows_tools\WDSetup.exe


    ======List of files/folders created in the last 1 months======

    2009-08-08 11:18:54 ----D---- C:\Program Files\trend micro
    2009-08-08 11:18:53 ----D---- C:\rsit
    2009-08-08 09:14:36 ----D---- C:\32788R22FWJFW
    2009-08-08 08:52:05 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2009-08-08 08:51:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-08-07 20:00:23 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-08-07 18:41:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
    2009-08-07 18:18:49 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-08-07 17:49:36 ----D---- C:\WINDOWS\CSC
    2009-08-07 17:31:42 ----D---- C:\Program Files\Windows Defender
    2009-08-07 15:33:22 ----D---- C:\32788R22FWJFW(2)
    2009-08-07 11:32
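
    The RSIT output above is a flat text dump, and the items worth a second look (the two GUID-named .job files the poster tied to a.exe and b.exe, the BHO CLSIDs with no DLL behind them, the ShellExecuteHook with an empty path, the AutoRun commands remembered under MountPoints2) are easy to miss while scrolling. The Python script below is an added example, not part of this thread and not RSIT's own code: it parses an RSIT-style log and flags those items with simple heuristics. The embedded SAMPLE_LOG is a constructed, trimmed copy modelled on the log posted above, and the rules in triage() are my own assumptions about what deserves review, not a signature for any particular malware.

```python
import re

# Constructed sample, trimmed and modelled on the RSIT log posted in this thread.
SAMPLE_LOG = r"""
======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65a12071-04f5-11de-9d93-0014a51fe469}]
shell\AutoRun\command - F:\wd_windows_tools\setup.exe
"""

SECTION_RE = re.compile(r"^======(.+?)======$")          # ======Registry dump======
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\path]
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")           # {8-4-4-4-12 hex}


def split_sections(text):
    """Return {section name: [lines]} for an RSIT-style log."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def parse_registry_dump(lines):
    """Group the registry dump into {key path: [non-empty value lines]}.
    A key followed directly by a blank line ends up with an empty list,
    which is how RSIT shows a CLSID it could not resolve to a file."""
    keys, current = {}, None
    for line in lines:
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group(1)
            keys[current] = []
        elif current is not None and line.strip():
            keys[current].append(line.strip())
    return keys


def triage(text):
    """Return a list of (severity, reason, item) findings.
    Heuristics only (assumed by this example): each hit is a prompt to look
    closer, not a verdict that the item is malicious."""
    findings = []
    sections = split_sections(text)

    # Legitimate tasks usually carry a readable name (WGASetup.job); a .job
    # named only by a GUID hides what it launches and is worth opening.
    for line in sections.get("Scheduled tasks folder", []):
        name = line.strip().rsplit("\\", 1)[-1]
        if name.lower().endswith(".job") and GUID_RE.match(name[:-4]):
            findings.append(("review", "scheduled task named only by a GUID", line.strip()))

    keys = parse_registry_dump(sections.get("Registry dump", []))
    for key, values in keys.items():
        low = key.lower()
        if "\\browser helper objects\\" in low and not values:
            findings.append(("review", "BHO CLSID with no resolvable DLL", key))
        elif low.endswith("\\shellexecutehooks"):
            for v in values:
                if v.endswith("= []"):          # hook registered, no path resolved
                    findings.append(("review", "ShellExecuteHook with no resolvable path", v))
        elif "\\mountpoints2\\" in low:
            for v in values:
                if "autorun" in v.lower():      # remembered AutoRun from a removable drive
                    findings.append(("info", "AutoRun command recorded for a removable drive", v))
    return findings


if __name__ == "__main__":
    for severity, reason, item in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {item}")
```

    To use it on the real output, read C:\RSIT\log.txt into a string and pass it to triage(). A "review" hit on a GUID-named .job is exactly the kind of lead the poster followed up by matching the task against a.exe and b.exe in the event log; the script only shortens the hunt through the dump.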

  #19 Junior Member (Join Date: Aug 2009, Posts: 28)

    One more thing I should note for your info moving forward.

    When this started happening, I recall Acrobat trying to open something and getting some notices - when I had not opened any pdf or Acrobat files. Also saw something in Re to Flash. Not sure what it was, but I was not using anything at the time that required the Flash Player.

  #20 Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    It certainly is efficient, annoyingly so!!
    You don't have an install disc, do you?
    It may be easier if we can install the Recovery Console.

    You posted a list of files that were running; let's see if we can get Combofix to run by renaming it as one of those.


    Click start > run then copy/paste the following into the run window

    cacls C:\windows\system32\cmd.exe /G Owner:F

    Press enter.

    A cmd window should come up asking you if you are sure, type 'y' then hit enter.

    Download Combofix from the link below. Save it to your desktop.

    Link 1

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click the file & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.
    Last edited by katana; 2009-08-09 at 00:47.
