Thread: Help! I'm having some crazy issues.

  1. #11
    Member
    Join Date
    Aug 2009
    Location
    Flint Michigan
    Posts
    36

    I am unable to show the hidden files! When I go into My Computer and select Tools, I have only three options: Map network drive, Disconnect network drive, and Synchronize. There are no folder options.

    I went ahead and downloaded Malwarebytes' Anti-Malware, installed, and ran. It got to after I selected the drive to scan, hit ok, and then the program closed. Now it is acting as the other programs do, and will not run.

  2. #12
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Download attached zip file and extract it to the root of your c: drive (c:\). When done, go to c:\ and double-click extracted file. When done, try to run renamed ComboFix again.

    Note: attached file is meant to be used only in this specific case. Using it in some other system may cause harm on the system.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #13
    Member
    Join Date
    Aug 2009
    Location
    Flint Michigan
    Posts
    36

    Nothing seemed to happen when I ran the XP fix, and then when I tried to run ComboFix, I still get a progress bar that fills then disappears. I'm now getting occasional popups of Internet Explorer, and I'm hearing sound when none should be playing at times as well.

  4. #14
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Trying to figure out something. Do you have your Windows media available?

  5. #15
    Member
    Join Date
    Aug 2009
    Location
    Flint Michigan
    Posts
    36

    Hmm. No, Windows Media Player doesn't seem to work. VLC player still does.

  6. #16
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    I meant if you have Windows OS media available, not Windows Media Player. Hopefully you have the disc.

    Download and Run SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      scecli.dll
      winnt32.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  7. #17
    Member
    Join Date
    Aug 2009
    Location
    Flint Michigan
    Posts
    36

    I cannot find my windows disc. I know it's around here somewhere!

    Here are the results of that scan:

    SystemLook v1.0 by jpshortstuff (22.05.09)
    Log created at 13:38 on 09/08/2009 by Tim (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "scecli.dll"
    C:\WINDOWS\system32\dllcache\scecli.dll --a--c 181248 bytes [12:00 14/04/2008] [12:00 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
    C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 14/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)

    Searching for "winnt32.exe"
    No files found.

    -=End Of File=-

  8. #18
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Upload following files to Virustotal and post back the results or links to the results:
    C:\WINDOWS\system32\dllcache\scecli.dll
    C:\WINDOWS\system32\scecli.dll

    We'll see if media is needed or not.

  9. #19
    Member
    Join Date
    Aug 2009
    Location
    Flint Michigan
    Posts
    36

    Ok, the first scan came back as such

    File scecli.dll received on 2009.04.27 04:21:18 (UTC)
    Current status: finished
    Result: 0/40 (0.00%)
    Additional information
    File size: 181248 bytes
    MD5 : a86bb5e61bf3e39b62ab4c7e7085a084
    SHA1 : 3a3535122da168a549d2007123e9ae06146f2002
    SHA256: b88446e007153bb58c5ae867ac3fb4c46618bbaa5a152687201e0e81f881465a


    Then the second scan came back only with this,

    0 bytes size received / Se ha recibido un archivo vacio

  10. #20
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Next, I'll need you to make some preparations since I'm going to ask you to disconnect system from network (= to pull network cable off). I recommend you print/save these instructions so that you can access them while disconnected from network (or you may read instructions thru your other system if you have more than this we're currently cleaning).


    Before disconnecting, do the following two (2) steps:
    1. Make sure you have Malwarebytes' Anti-Malware setup file ready. If it isn't on your machine anymore, download it again.
    2. Download combofix from any of these links and save it renamed to Desktop:
    Link 1
    Link 2

    When you have Malwarebytes' Anti-Malware setup file and renamed ComboFix file on your desktop, disconnect the machine from network.

    ========To be done offline begins==========

    1. The next steps to follow will need to be done in safe mode with command prompt (print/save these since you won't be able to access them while in safe mode):

    Press F8 before Windows' loading screen and select safe mode with command prompt -option.
    Then write following commands carefully (if anything turns up with these, please stop and note the error down and let me know):
    • c:
    • cd\
    • ren C:\WINDOWS\system32\scecli.dll scecli.dll.vir
    • copy C:\WINDOWS\system32\dllcache\scecli.dll C:\WINDOWS\system32\scecli.dll


    While still being disconnected from network, reboot back into normal mode.

    Do next two things only if safe mode with command prompt -part went without issues, otherwise report what problem you had:
    a) Run Malwarebytes' Anti-Malware (MBAM) with full scan and let it delete its findings.
    b) Run ComboFix.

    ========To be done offline ends==========

    When done, post back MBAM & ComboFix logs.
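
The comparison behind posts #16 to #20, as an added example that is not part of the thread: this Python parses SystemLook `filefind` result lines and reports where the live system32 copy of a file differs in size from its dllcache backup or has no readable MD5. The line format is inferred from the log posted in #17, and the function names are this example's own.

```python
import re
from collections import defaultdict

# SystemLook "filefind" result line: path, attributes, size, two timestamps,
# then an MD5 or an error text in parentheses (format inferred from post #17).
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32}|\(.+\))\s*$"
)

# Sample input: the two scecli.dll lines from the log posted in this thread.
SAMPLE_LOG = r"""
Searching for "scecli.dll"
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 181248 bytes [12:00 14/04/2008] [12:00 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 14/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)
"""

def parse_filefind(log):
    """Return {lowercase file name: [record, ...]} for every result line."""
    found = defaultdict(list)
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headers, "No files found.", blank lines
        md5 = None if m["md5"].startswith("(") else m["md5"].lower()
        path = m["path"]
        found[path.rsplit("\\", 1)[-1].lower()].append(
            {"path": path, "size": int(m["size"]), "md5": md5,
             "cache": "\\dllcache\\" in path.lower()})
    return found

def compare_with_dllcache(log):
    """List (path, reason) pairs where a live copy differs from its dllcache backup."""
    findings = []
    for copies in parse_filefind(log).values():
        cached = [c for c in copies if c["cache"]]
        for live in (c for c in copies if not c["cache"]):
            for ref in cached:
                if live["size"] != ref["size"]:
                    findings.append((live["path"], f"size {live['size']} != cached {ref['size']}"))
                if live["md5"] is None:
                    findings.append((live["path"], "MD5 could not be read"))
                elif ref["md5"] and live["md5"] != ref["md5"]:
                    findings.append((live["path"], "MD5 differs from cached copy"))
    return findings

if __name__ == "__main__":
    for path, reason in compare_with_dllcache(SAMPLE_LOG):
        print(path, "->", reason)
```

A file with no dllcache counterpart in the log produces no finding, so an empty result only means that no mismatch was visible among the files listed.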
