S&D, HJT, TrendMicro AV, RootkitBuster all abort and then are blocked from re-running

Hi,

Trying to figure out something. Do you have your Windows media available?
 
No. It's a laptop, and instead of install disks, it came with a system restore volume. I've got other XP disks, if you want me to replace a file. But the laptop has XP Media Center installed and I've only got copies of XP Pro - I think it will complain and abort if I try to do a restore with a different version of XP.
 
Hi,

XP Pro media will do. Let's see if we'll need it or not. Let's try another thing first.

Here are steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select the "Safe Mode with Command Prompt" option.
Then write following commands:
  • c:
  • cd\
  • dir scecli.dll /s /a >c:\locations.txt

You should end up with locations.txt file in root of c: drive. Reboot back into normal mode and attach c:\locations.txt file to your reply.
 
All I got was-

=============================
Volume in drive C has no label.
volume Serial Number is 409D-676B
=============================

Then it killed the command line and cleared the access rights for CMD.EXE. Fortunately I was able to run taskmgr and launch explorer.exe, and reset the rights on CMD.EXE. But we need to be careful of doing anything else with CMD.EXE. If the virus clears the access rights on it and taskmgr or explorer, then I'm really dead in the water (remember, if I use taskmgr to re-run a file that the virus has "locked", then the virus locks taskmgr too).
 
Hi,

Let's see if this works.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    scecli.dll
    winnt32.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Another observation - I did a "dir /s /a" of each subfolder out of C:\ to see if anything else is being "protected" by the virus. Everything is accessible except for C:\Windows\$hf_mig$ -- and everything in \$hf_mig$ appears to be accessible except for the suspect folder \{29F...}

I did a CACLS listing of \$hf_mig$, and everything looks normal for the \{29F...} folder, and it shows a setting I'm not familiar with. The other folders' rights are all-

BUILTIN\Administrator:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F


but the \{29F...} folder's rights are-

Everyone:(OI)(CI)F
Everyone:(special access)
SYNCHRONIZE


The Everyone:(OI)(CI)F is how a zapped file shows after I've made it accessible again (I had changed the rights on the \{29F...} several days ago in an attempt to see what's in it), but I don't know what the (special access) and SYNCHRONIZE parts are from
 
sorry --

"I did a CACLS listing of \$hf_mig$, and everything looks normal EXCEPT for the \{29F...} folder, and it shows a setting I'm not familiar with. The other folders' rights are all-"
 
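The check the two posts above do by eye (every folder under \$hf_mig$ carries Administrators:F plus SYSTEM:F, one folder instead carries Everyone:F and a "special access" ACE) can be done over the CACLS output itself. The script below is an added example for this thread, not a tool used by either poster: it parses XP-style `cacls <folder>\*` text, treats the most common ACE set among the siblings as the baseline, and reports entries that deviate from it or grant Everyone full control. The CACLS output embedded in it is constructed for the example; the GUID-style folder name is a placeholder and is not the real name of the {29F...} folder.

```python
"""Flag folders whose CACLS output differs from their siblings or grants
Everyone full control.

Added example for this thread, not a tool from any of the posters. Parses
the text that ``cacls C:\WINDOWS\$hf_mig$\*`` prints on XP and reports
entries that look like the tampered folder discussed in the posts above.
"""
import re
from collections import Counter

# Constructed sample shaped like `cacls <dir>\*` output on XP: the first
# line of each entry carries the path and the first ACE, further ACEs are
# indented, and "special access" rights follow on their own indented
# lines. The {0000...} folder name is a placeholder, not a real GUID.
SAMPLE_CACLS = r"""
C:\WINDOWS\$hf_mig$\KB000001 BUILTIN\Administrators:(OI)(CI)F
                             NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\WINDOWS\$hf_mig$\KB000002 BUILTIN\Administrators:(OI)(CI)F
                             NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\WINDOWS\$hf_mig$\{00000000-0000-0000-0000-000000000000} Everyone:(OI)(CI)F
                             Everyone:(special access:)
                                                SYNCHRONIZE
C:\WINDOWS\$hf_mig$\KB000003 BUILTIN\Administrators:(OI)(CI)F
                             NT AUTHORITY\SYSTEM:(OI)(CI)F
"""

# An ACE is "<trustee>:<perms>" at the end of the line. Trustees with a
# space in them that cacls prints are listed explicitly; "DOMAIN\user"
# forms are covered by \S+ because the separator is a backslash.
ACE_RE = re.compile(
    r'(?P<who>NT AUTHORITY\\\S+|CREATOR OWNER|\S+):'
    r'(?P<perm>\(.*?\)\S*|[A-Z]+)\s*$'
)


def parse_cacls(text):
    """Return {path: [(trustee, permission), ...]} from cacls output."""
    acls = {}
    path = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = ACE_RE.search(line)
        if m and not line[0].isspace():
            # first line of an entry: everything before the ACE is the path
            path = line[:m.start()].rstrip()
            acls[path] = [(m.group('who'), m.group('perm'))]
        elif m:
            acls[path].append((m.group('who'), m.group('perm')))
        else:
            # a bare right name continues the preceding "(special access:)" ACE
            who, perm = acls[path][-1]
            acls[path][-1] = (who, perm + ' ' + line.strip())
    return acls


def find_anomalies(acls):
    """Return {path: [reasons]} for entries whose ACL differs from the
    sibling majority, grants Everyone full control, or lacks the
    Administrators / SYSTEM entries the siblings carry."""
    if not acls:
        return {}
    signatures = {p: tuple(sorted(aces)) for p, aces in acls.items()}
    baseline, _ = Counter(signatures.values()).most_common(1)[0]
    findings = {}
    for path, aces in acls.items():
        reasons = []
        if signatures[path] != baseline:
            reasons.append('ACL differs from sibling majority')
        for who, perm in aces:
            if who.lower() == 'everyone' and perm.endswith('F'):
                reasons.append('Everyone has full control (%s)' % perm)
        trustees = [who.upper() for who, _ in aces]
        if not any(t.endswith('ADMINISTRATORS') for t in trustees):
            reasons.append('Administrators not in ACL')
        if 'NT AUTHORITY\\SYSTEM' not in trustees:
            reasons.append('SYSTEM not in ACL')
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == '__main__':
    for path, reasons in find_anomalies(parse_cacls(SAMPLE_CACLS)).items():
        print(path)
        for reason in reasons:
            print('  -', reason)
```

The majority-baseline rule is what makes this usable on a folder you have no reference for: you do not need to know what the ACL on a hotfix folder should be, only that one sibling differs from the rest. Feed it a real listing with `cacls C:\WINDOWS\$hf_mig$\* > c:\acl.txt` and `parse_cacls(open('c:/acl.txt').read())`.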
Hi,

Please see if you are able to make SystemLook run with those instructions I posted above :)
 
SystemLook results

Nope - blocked by the virus. The window closed and the log didn't open. All the log shows is-


SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:01 on 09/08/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

searching for "scecli.dll"
 
Hi,

Go to C:\Documents and Settings\All Users\Application Data folder and look for folders with pure digits (e.g. 23812491) in their names. Move each of these to your desktop.

Then try running SystemLook again.
 
Hi,

Please try this (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select the "Safe Mode with Command Prompt" option.
Then write the following commands (make sure that you're in the c:\windows folder before giving them):
  • cd system32
  • dir scecli.dll > c:\amihere.txt
  • dir sceclt.dll > c:\amioriginal.txt
  • exit

Attach c:\amihere.txt and c:\amioriginal.txt files to your reply.
 
amihere.txt -- scecli.dll

Volume in drive C has no label.
Volume Serial Number is 409D-676B

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 181,248 scecli.dll
1 File(s) 181,248 bytes
0 Dir(s) 61,382,524,928 bytes free



amioriginal.txt -- sceclt.dll

Volume in drive C has no label.
Volume Serial Number is 409D-676B

Directory of C:\WINDOWS\system32


doing DIR of sce*.* in \system32, I only find scecli and scesrv
 
Hi,

It's almost midnight here and I have to be ready for upcoming work day. Let the system be untouched for now. I'll return with further instructions tomorrow.
 
Hi,

Please try this (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select the "Safe Mode with Command Prompt" option.
Then write the following commands (make sure that you're in the c:\windows folder before giving them):
  • cd system32
  • dir netlogon.dll > c:\amihere.txt
  • dir ntelogon.dll > c:\amioriginal.txt
  • exit

Attach c:\amihere.txt and c:\amioriginal.txt files to your reply.
 
NETLOGON.DLL

Volume in drive C has no label.
Volume Serial Number is 409D-676B

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 60,416 netlogon.dll
1 File(s) 60,416 bytes
0 Dir(s) 61,427,986,432 bytes free



NTELOGON.DLL

Volume in drive C has no label.
Volume Serial Number is 409D-676B

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 407,040 ntelogon.dll
1 File(s) 407,040 bytes
0 Dir(s) 61,427,986,432 bytes free
 
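Two things the thread does by hand can be automated from plain `dir` output: the hunt for a system DLL saved under a letter-swapped name (the netlogon.dll / ntelogon.dll pair in the last two posts, and the earlier scecli.dll / sceclt.dll probe), and the earlier request to look for folders with purely numeric names under All Users\Application Data. The script below is an added example for this thread, not a tool any of the posters used. It parses XP-style `dir` listings, compares every file name against a short list of known DLL names using an edit distance that counts a swap of two adjacent letters as one edit, and reports near-misses together with both files' sizes. The listings embedded in it are constructed; the sizes for netlogon.dll, ntelogon.dll and scecli.dll are the ones posted above, the others are placeholders, and the "23812491" folder name is the example from the helper's post.

```python
"""Spot name-swapped system DLLs and digit-only data folders in `dir`
output.

Added example for this thread, not a tool from any of the posters. The
known-DLL list holds only the names mentioned in the thread; extend it
for real use.
"""
import re

# Constructed `dir` output in XP's format: date, time, size or <DIR>, name.
# netlogon/ntelogon/scecli sizes are the posted ones; scesrv's is a placeholder.
SAMPLE_SYSTEM32 = """\
 Directory of C:\\WINDOWS\\system32

04/13/2008  05:12 PM            60,416 netlogon.dll
04/13/2008  05:12 PM           407,040 ntelogon.dll
04/13/2008  05:12 PM           181,248 scecli.dll
04/13/2008  05:12 PM           100,000 scesrv.dll
               4 File(s)        748,704 bytes
"""

# Constructed listing of All Users\Application Data; "23812491" is the
# helper's example of a digit-only folder name, the rest are placeholders.
SAMPLE_APPDATA = """\
 Directory of C:\\Documents and Settings\\All Users\\Application Data

04/13/2008  05:12 PM    <DIR>          Microsoft
09/08/2009  11:58 AM    <DIR>          23812491
09/08/2009  11:58 AM    <DIR>          HelpFiles
"""

DIR_LINE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+'
    r'(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$'
)

# Names from the thread only; a real run would use the full set of
# protected system DLLs.
KNOWN_DLLS = ['netlogon.dll', 'scecli.dll', 'scesrv.dll']


def parse_dir(text):
    """Return [(name, size)] from `dir` output; size is None for folders."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue  # header, footer and blank lines
        size = m.group('size')
        entries.append((m.group('name'),
                        None if size == '<DIR>' else int(size.replace(',', ''))))
    return entries


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: insert, delete, substitute
    and a swap of two adjacent characters each cost 1, so netlogon and
    ntelogon are one edit apart."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_lookalikes(entries, known=KNOWN_DLLS, max_distance=1):
    """Return [(known_name, known_size, lookalike_name, lookalike_size)] for
    files whose stem is within max_distance edits of a known DLL's stem."""
    sizes = {name.lower(): size for name, size in entries if size is not None}
    hits = []
    for real in known:
        real_stem, real_ext = real.lower().rsplit('.', 1)
        for name, size in sizes.items():
            stem, ext = (name.rsplit('.', 1) + [''])[:2]
            if ext != real_ext or stem == real_stem:
                continue
            if osa_distance(stem, real_stem) <= max_distance:
                hits.append((real, sizes.get(real.lower()), name, size))
    return hits


def digit_only_folders(entries):
    """Folders whose whole name is digits."""
    return [name for name, size in entries if size is None and name.isdigit()]


if __name__ == '__main__':
    for real, real_size, fake, fake_size in find_lookalikes(parse_dir(SAMPLE_SYSTEM32)):
        print('%s (%s bytes) has lookalike %s (%s bytes)' % (real, real_size, fake, fake_size))
    print('digit-only folders:', digit_only_folders(parse_dir(SAMPLE_APPDATA)))
```

A size gap like the 60,416 versus 407,040 bytes in the posts above is only a hint that the file under the real name is not the original; the name match tells you where to look, and comparing the two files' hashes or signatures is the step that settles it.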