
I'm one of the lucky infected...

18 replies to this topic

#1 aunty thrax

Posted 08 August 2009 - 03:50 PM

Alright, I've been lurking here for a while, and I'm reading all of these threads with people having the "UAC" virus, where every program that could possibly destroy the virus or malware gets shut down, and then we all get this annoying little message saying we don't have permission to access the file on the system, blah blah blah. I'm sure you're all familiar with it by now.

Anyway, I can't figure out what to try and do, so I registered and made my own topic. I tried a shotgun approach after reading other threads with the same issue, going on to use Rootkit Repel or whatever, Dr. Web, and a host of others. I give up. I need someone to guide me through this.

Hijackthis, Spybot, Adaware, they all close. AVG will run, but it does nothing for me.

I'm running XP, dunno what SP, maybe 2? I don't update Windows much.

I guess I'll wait to be told what to run, then what logs to post.



#2 Computer Pro

Posted 08 August 2009 - 05:30 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.


Please run Root Repeal, here are the instructions in case you need them:


Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#3 aunty thrax

Posted 08 August 2009 - 05:38 PM

Bandwidth limit, I can't get it right now. As soon as I can, I will. Thanks.

#4 Computer Pro

Posted 08 August 2009 - 05:40 PM

You're welcome. The site must either be very busy or it is under a Denial of Service attack. It should be back up soon.
Computer Pro

#5 aunty thrax

Posted 08 August 2009 - 05:51 PM

Okay, it wouldn't work, I got Root Repeal, and none of the steps allowed it to run. It crashed, even in safe mode. I did a process explorer and saved it in safe mode, here's what was running:


Process PID CPU Description Company Name
System Idle Process 0 100.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 152 Windows NT Session Manager Microsoft Corporation
csrss.exe 200 Client Server Runtime Process Microsoft Corporation
winlogon.exe 224 Windows NT Logon Application Microsoft Corporation
services.exe 268 Services and Controller app Microsoft Corporation
svchost.exe 416 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 488 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 532 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 280 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1264 Windows Explorer Microsoft Corporation
procexp.exe 1500 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ctfmon.exe 1580 CTF Loader Microsoft Corporation


I can't even understand how this thing stops me, even in safe mode. Must be one nasty, new virus or piece of malware.

#6 aunty thrax

Posted 08 August 2009 - 05:53 PM

And just for the heck of it, here are my processes running right now, in normal mode:

Process PID CPU Description Company Name
System Idle Process 0 100.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 668 Windows NT Session Manager Microsoft Corporation
csrss.exe 732 Client Server Runtime Process Microsoft Corporation
winlogon.exe 756 Windows NT Logon Application Microsoft Corporation
services.exe 800 Services and Controller app Microsoft Corporation
svchost.exe 960 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1028 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1224 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 2404 Windows Security Center Notification App Microsoft Corporation
wuauclt.exe 3372 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 1288 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1452 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1712 Spooler SubSystem App Microsoft Corporation
AOLacsd.exe 428 AOL Connectivity Service AOL LLC
AppleMobileDeviceService.exe 520 Apple Mobile Device Service Apple, Inc.
avgwdsvc.exe 576 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 1660 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
mDNSResponder.exe 696 Bonjour Service Apple Computer, Inc.
jqs.exe 1064 Java™ Quick Starter Service Sun Microsystems, Inc.
MA_CMIDI_Inst.exe 1116 MA_CMIDI USB MIDI Installer Service
nvsvc32.exe 1348 NVIDIA Driver Helper Service, Version 175.19 NVIDIA Corporation
HPZipm12.exe 1528 PML Driver HP
svchost.exe 1812 Generic Host Process for Win32 Services Microsoft Corporation
ViewpointService.exe 1916 ViewMgr Viewpoint Corporation
ViewMgr.exe 3564 ViewMgr Viewpoint Corporation
iPodService.exe 2700 iPodService Module Apple Inc.
alg.exe 2808 Application Layer Gateway Service Microsoft Corporation
lsass.exe 812 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 2044 Windows Explorer Microsoft Corporation
SOUNDMAN.EXE 400 Realtek Sound Manager Realtek Semiconductor Corp.
rundll32.exe 436 Run a DLL as an App Microsoft Corporation
iTunesHelper.exe 460 iTunesHelper Module Apple Inc.
realsched.exe 504 RealNetworks Scheduler RealNetworks, Inc.
ctfmon.exe 380 CTF Loader Microsoft Corporation
firefox.exe 1600 Firefox Mozilla Corporation
procexp.exe 708 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
rundll32.exe 512 Run a DLL as an App Microsoft Corporation

#7 aunty thrax

Posted 08 August 2009 - 05:54 PM

I also tried running CCleaner to clear my registry and other stuff, just to see. Doesn't seem to help. Uch.

#8 DaChew

Posted 08 August 2009 - 07:18 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Chewy

No. Try not. Do... or do not. There is no try.

#9 aunty thrax

Posted 08 August 2009 - 07:43 PM

Every time I try to run it, it gives me the fabled blue screen. Any ideas of where to go now? Gonna try disconnecting from the internet and doing all the other stuff you said at the bottom, as I haven't done that yet, but is the blue screen of death a common issue with using the ARK scan?

Also, the BSOD crash report said "REGISTRY ERROR"

#10 DaChew

Posted 08 August 2009 - 07:47 PM

Download: http://oldtimer.geekstogo.com/TFC.exe

1. Save it to your desktop.
2. Open the file and close any other windows.
3. It will close all programs itself when run, make sure to let it run uninterrupted.
4. Click the Start button to begin the process.
5. Once it's finished it should reboot your machine, if not, do this yourself.


Try this and see if it helps to get a rootkit scan to work?
Chewy

No. Try not. Do... or do not. There is no try.

#11 aunty thrax

Posted 09 August 2009 - 12:22 AM

Did that, still BSOD when I try to run the ARK.

This thing is virulent.

#12 aunty thrax

Posted 09 August 2009 - 01:49 PM

No more ideas, guys? Should I just try a system restore?

Edited by aunty thrax, 09 August 2009 - 06:44 PM.


#13 DaChew

Posted 09 August 2009 - 07:04 PM

Try a system restore
Chewy

No. Try not. Do... or do not. There is no try.

#14 aunty thrax

Posted 09 August 2009 - 07:06 PM

Sadly, system restore is turned off, so it won't even let me do that now. Wow.

#15 DaChew

Posted 09 August 2009 - 07:12 PM

I expected as much

Besides waiting, we only have a few options

1. Back up your data and reload the computer

2. Post the DDS scan in our HJT forum and wait for a reply (they are backed up), it might be a few days or over a week.

3. Attempt a rescue boot CD, this is quite dangerous as it will delete infected system files
Chewy

No. Try not. Do... or do not. There is no try.
