That's fine, it should only take a second.
If we are lucky, that should allow Combofix to run now.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Hi.
I'm telling you that it shut down the command box before I could verify to commit the command. It didn't run, it didn't generate any log, it is still doing the same thing.
I'm sorry if I am not being clear.
I did as you said, and it didn't allow me to verify the command. When the command prompt opened, it then shut quickly without me being able to type 'y' or even see anything.
Now, I re-ran the combofix, which you renamed cleanme.exe, and it did the same thing as it has been doing.
Let me know if you need more info.
Thanks!!
Your logs show that you have at least two rootkits and at least one other infection... they all prevent removal tools from running.
This may take several tries, so please be patient.
Please try the following.
Click start > run then copy/paste the following into the run window
cacls C:\windows\system32\cmd.exe /G Owner:F
Press enter.
A cmd window should come up asking you if you are sure, type 'y' then hit enter.
Try to run Combofix again.
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply
- If requested, please reboot
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Last edited by katana; 2009-08-08 at 13:44.
Thanks for the follow-up!!
I tried what you said many, many times and neither comboFix nor MalwareBytes will run. The cacls command didn't seem to make any difference whatsoever. ComboFix has the task bar look like it completes...then there are some hourglasses, then it dies.
MalwareBytes will install and update, but very shortly after starting to run, it dies as well with the permissions changing to say "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I attempt to change the permissions, there is no security/permissions tab.
Katana...
Here is some more info that may be of use.
When ComboFix attempts to run, watching Task Manager it appears to die while n.pif is running or immediately after it runs.
While I am in safe mode, this issue persists. I have seen it kill programs while I am in safe and trying to scan (previously did this). When windows launches, a winword.exe process runs - I'm almost sure that shouldn't be happening.
Here are the only processes running in safe when this still happens:
taskmgr.exe
svchost.exe
explorer.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system
system idle process
It appears to be attached to these processes.
What other info can I provide to assist you with the next steps?
Thanks again!!!!
I've not abandoned you, I'm doing some research
Did you try the second Cacls instruction I posted? It was different from the first.
You don't happen to know where you got this infection, do you?
Please try the following
Download and Run RSIT
- Please download Random's System Information Tool by random/random from here and save it to your desktop.
- Double click on RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
- Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )
Hi Katana. Thanks for being persistent.
No, I don't know from where it reared. I got some stuff off Ares a little while back for my cousin's wedding and it very well may have showed from there. I don't keep it open and use it rarely.
I did run the other cacls command, many times before trying ComboFix & mbam, and had the same symptoms. At least when I ran the last command, the cmd prompt did open and ask me y/n.
Ok, I ran the RSIT and it got a little ways then was killed. Same scenario... permission denied now. It did save a little bit in the log file, which I am attaching below. As a side note, the two .jobs under windows/tasks are associated with a.exe and b.exe, I know that for sure. I found it in the event log associating those keys with those programs.
Just an opinion here, this infection is very efficient. My system is showing no signs of an issue. Running very fast. But when anything runs that appears to search certain areas or look like a Malware scanning program, it is nailed to the wall. Never seen anything work this well and not show any adverse symptoms at the system level.
Here is the log that was captured:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-08-08 11:18:53
Microsoft Windows XP Professional Service Pack 3
System drive C: has 8 GB (8%) free of 95 GB
Total RAM: 1918 MB (77% free)
======Scheduled tasks folder======
C:\WINDOWS\tasks\WGASetup.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2008-12-23 161200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-22 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-22 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-22 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f54af7de-6038-4026-8433-cc30e3f17212}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-11 339968]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ares"=C:\Program Files\Ares\Ares.exe [2008-12-16 887808]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-04-11 46080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pevsystemstart]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\pevsystemstart]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\windefend]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE"="C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE:*:Enabled:Microsoft (R) Visual Studio VSA RPC Event Creator"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe"="C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"D:\setup\HPZNUI01.EXE"="D:\setup\HPZNUI01.EXE:*:Enabled:hpznui01.exe"
"D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe"="C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe:*:Enabled:SQL Server Surface Area Configuration"
"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe"="C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe:*:Enabled:Microsoft Visual Studio 2005"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65a12071-04f5-11de-9d93-0014a51fe469}]
shell\AutoRun\command - F:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7430667-d3ac-11dd-9d87-0014a51fe469}]
shell\AutoRun\command - E:\wd_windows_tools\WDSetup.exe
======List of files/folders created in the last 1 months======
2009-08-08 11:18:54 ----D---- C:\Program Files\trend micro
2009-08-08 11:18:53 ----D---- C:\rsit
2009-08-08 09:14:36 ----D---- C:\32788R22FWJFW
2009-08-08 08:52:05 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-08-08 08:51:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-07 20:00:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 18:41:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-08-07 18:18:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-07 17:49:36 ----D---- C:\WINDOWS\CSC
2009-08-07 17:31:42 ----D---- C:\Program Files\Windows Defender
2009-08-07 15:33:22 ----D---- C:\32788R22FWJFW(2)
2009-08-07 11:32
One more thing I should note for your info moving forward.
When this started happening, I recall Acrobat trying to open something and getting some notices - when I had not opened any pdf or Acrobat files. Also saw something in Re to Flash. Not sure what it was, but I was not using anything at the time that required the Flash Player.
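As an added example that is not part of this thread (written by the editor, not by katana or the original poster): a small Python script that walks an RSIT-style log like the one above and flags the kinds of entries a helper would look at first, namely GUID-named .job files in the tasks folder (the two the poster tied to a.exe and b.exe), COM subkeys such as BHOs that RSIT could not resolve to a backing file, and hook values with an empty file reference. The log excerpt inside the script is a constructed subset of the posted log.

```python
import re

# Constructed excerpt of an RSIT log, modelled on the one posted in this thread.
SAMPLE_LOG = r"""======Scheduled tasks folder======
C:\WINDOWS\tasks\WGASetup.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2008-12-23 161200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []
======List of files/folders created in the last 1 months======
"""

# A .job file, or a registry subkey, whose name is a bare GUID
GUID_JOB = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\.job$")
GUID_KEY = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\]$")


def find_suspicious(log_text):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    section = None
    for i, line in enumerate(lines):
        if line.startswith("======"):
            section = line.strip("=")      # e.g. "Registry dump"
            continue
        if section == "Scheduled tasks folder" and GUID_JOB.search(line):
            findings.append(("guid-named job", line))
        elif section == "Registry dump":
            if GUID_KEY.search(line):
                # RSIT prints "Name - path [date size]" on the line after a COM
                # subkey it could resolve; a key followed directly by another
                # key (or by nothing) had no file behind it.
                nxt = lines[i + 1] if i + 1 < len(lines) else ""
                if " - " not in nxt:
                    findings.append(("registry entry with no backing file", line))
            elif line.endswith("= []"):
                # A hook value that names a CLSID but resolves to no file at all
                findings.append(("hook value with empty file reference", line))
    return findings


if __name__ == "__main__":
    for reason, line in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run it against a full RSIT log.txt (pass the file contents to find_suspicious) to get a short list of entries to research before deciding what to remove.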
It certainly is efficient, annoyingly so!!
You don't have an install disc, do you?
It may be easier if we can install the recovery console.
You posted a list of files that were running; let's see if we can get Combofix to run by renaming it as one of those.
Click start > run then copy/paste the following into the run window
cacls C:\windows\system32\cmd.exe /G Owner:F
Press enter.
A cmd window should come up asking you if you are sure, type 'y' then hit enter.
Download Combofix from the link below. Save it to your desktop.
Link 1
- You must download it to and run it from your Desktop
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click the file & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply
- Re-enable all the programs that were disabled during the running of ComboFix.
Last edited by katana; 2009-08-08 at 23:47.