Unknown Infection


  • This topic is locked
12 replies to this topic

#1 EvilMCLMM (Members, 13 posts)

Posted 10 September 2009 - 07:30 PM

I decided to run a couple of programs on my laptop that were supposed to help "tweak" my system and make it run faster/smoother (TuneUP Utilities 2009 & lolo memory mechanic from Crucial). Since running these programs I've noticed issues on bootup, whenever I restart my computer I get this following message on a blank screen;

"Checking file system on C:
The type of file system is NTFS.
Cannot open volume for direct access.
Windows has finished checking the disk
......."


My bootup time has increased quite a bit and my system is very sluggish for a few minutes after logging in. I'm no longer able to use Windows Update, whenever I try I get the following error code: 80070422 (I've followed the steps HERE but nothings worked)

Also I've noticed three new processes running on my system that didn't used to show up on the Task Manager list, they are;
#1. unsecapp.exe (Description: Sink to rec...) (location: C:\Windows\System32\wbem)
#2. WmiPrvSE.exe (Description: WMI Provi...) (Right clicking for properties or location doesn't work)
#3. System (Description: NT Kernel ...) (same as above, right clicking for more info doesn't work)

I've run MalwareBytes, AVG free, and ESET NOD32 online scanner, they all claim that my system is clean. However as I've described above, I'm having a lot of brand new issues that seem to suggest otherwise. Also, when I ran HijackThis I got the following error:
"For some reason your system denied write access to the Hosts file. If any hijacked domains are in the file, HijackThis may NOT be able to fix this."


**I've made a post in the "Am I infected? What do I do?" area of the forum already, and I was told to post here by one of the moderators**


Please help :(

Attached Files


Edited by EvilMCLMM, 10 September 2009 - 07:36 PM.



#2 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 26 September 2009 - 12:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 EvilMCLMM (Topic Starter, Members, 13 posts)

Posted 27 September 2009 - 04:41 AM

The issue is still unresolved; the "description of problems" and the DDS logs are covered in the first post.

Looking forward to getting my computer back in shape, Thanks

Edited by EvilMCLMM, 27 September 2009 - 04:41 AM.


#4 EvilMCLMM (Topic Starter, Members, 13 posts)

Posted 29 September 2009 - 09:18 AM

****Update****

As of September 29th at 0945, my computer is no longer able to be run on anything other than "safe mode"... and I cannot get it to connect to the internet on "safe mode with networking".

If I try to start windows normally the laptop auto shuts off during the bootup process right after that weird NTFS message I mentioned in my 1st post... I could really use some help here folks

***Update****

I'm sorry for bumping the thread with this post but I needed to pass on this information, plus I've been waiting patiently for nearly 20 days now.

Edited by EvilMCLMM, 29 September 2009 - 09:23 AM.


#5 Farbar (Just Curious, Security Developer, 21,711 posts, The Netherlands)

Posted 05 October 2009 - 10:01 AM

Hi EvilMCLMM,

Sorry for the delay. I am farbar. I am going to assist you with your problem if you are still there.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Since the description of the problem might now be outdated please tell me about the current condition of your computer and we will take it from there. Tell me if the issues you mentioned are partially resolved or there are additional issues you have not mentioned. Tell me also whether you can boot normally or not and if the errors you got at boot up still exist.

#6 EvilMCLMM (Topic Starter, Members, 13 posts)

Posted 06 October 2009 - 04:17 PM

Hello Farbar,

Thank you for coming to my assistance. I'd like to apologize in advance for making things more difficult, as I've recently made a few changes to my system.

I tried like hell to refrain from making any changes to my system, however the problem that occurred on the 29th sent me scrambling for a fix. I used a .reg file I made on another laptop to manually roll back some of the tweaks that the offending programs did to my system. Turns out that my computer wasn't turning off by itself after bootup, instead the monitor was turning itself off due to some issue with my graphics card (odd because I hadn't messed with those settings). So while still confined to safe mode I deleted my display drivers and installed the latest ones off my thumbdrive.

As of right now I seem to have fixed this one issue, and found a temporary fix for my WiFi connection issue. The Windows wireless service and the connection diagnosis thingy keep auto-disabling themselves during reboot for some reason (can't seem to stop this from happening).

Other than the new information posted above, the current situation is:

whenever I turn on or restart my computer I get this following message on a blank screen;

"Checking file system on C:
The type of file system is NTFS.
Cannot open volume for direct access.
Windows has finished checking the disk
......."

Due to the above message I've tried to use "Chkdsk" to scan for harddrive errors or corruption, however "Chkdsk" refuses to work (I'm using the ms-dos command prompt)

My bootup time has increased and my system is very sluggish for a few minutes after logging in. Plus overall speed and performance has taken a noticeable hit.
I'm still not able to get Windows Update to work, whenever I try I get the following error code: 80070422

I still notice the above-mentioned three processes running on my system that I never noticed before;
#1. unsecapp.exe (Description: Sink to rec...) (location: C:\Windows\System32\wbem)
#2. WmiPrvSE.exe (Description: WMI Provi...) (Right clicking for properties or location doesn't work)
#3. System (Description: NT Kernel ...) (same as above, right clicking for more info doesn't work)

Plus another process that I noticed a couple weeks ago is "spoolsv.exe" which refuses to deactivate regardless of my efforts

I've again run MalwareBytes, AVG free 8.5, and ESET NOD32 online scanner, which continue to say my system is clean. Everything on my computer started going downhill after I downloaded and used those two "tweak programs", which is why I believe that I've been infected with some kind of bug(s).


If you need me to re-do any or all of my "logs" please let me know and I will do so. I promise that I will not make any more changes to my system unless directed to do so by you, and again I apologize for making this process more complicated.

Edited by EvilMCLMM, 07 October 2009 - 10:25 AM.


#7 Farbar (Just Curious, Security Developer, 21,711 posts, The Netherlands)

Posted 06 October 2009 - 05:02 PM

Thanks for the feedback.
  • Do I understand correctly that you are still not able to boot to normal mode and don't have internet connection?

  • Open a notepad (Start > Run and type in Notepad ) make sure the wordwrap under Format menu is not selected.
    Copy and paste the text in code box into it.

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
    00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take effect.

  • Now please reboot the computer and tell me of any changes and give me feedback about the first question.

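What the regfix.reg above actually does is worth checking before importing it, since a .reg file can set any value under any key. The `hex(7)` value is a REG_MULTI_SZ (a NUL-separated list of strings with a double NUL terminator); in the older REGEDIT4 format it is one byte per character, whereas the newer "Windows Registry Editor Version 5.00" format stores UTF-16LE. The following parser, added here as an example and not part of the thread or of any BleepingComputer tool, decodes the exact bytes posted above and confirms they spell the Windows default `autocheck autochk *`, which is what the fix restores. The .reg text is copied from the post; the function names, the `cp1252` code page assumption for the ANSI case, and the `Version 5.00` handling are this example's own.

```python
"""Decode and verify the BootExecute value in a .reg fix before importing it.

Added example, not code from the forum thread.  REGFIX_TEXT is the
regfix.reg posted above, embedded so the script runs offline.
"""
import re

# Contents of regfix.reg from the post (REGEDIT4 = ANSI, one byte per char).
REGFIX_TEXT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
00,00
"""

# Windows default: a single-entry REG_MULTI_SZ that runs autochk on every
# volume flagged dirty.  Anything extra here runs at boot, before logon.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

V5_HEADER = "Windows Registry Editor Version 5.00"


def parse_reg_multi_sz(reg_text: str, value_name: str) -> list[str]:
    """Return the strings held in a hex(7) (REG_MULTI_SZ) value of a .reg file.

    Handles both .reg dialects: REGEDIT4 (ANSI; cp1252 assumed here, adjust
    for other locales) and Version 5.00 (UTF-16LE).  Continuation lines
    ending in a backslash are joined before the byte list is read.
    """
    header = reg_text.lstrip().splitlines()[0].strip()
    is_utf16 = header.startswith(V5_HEADER)

    # A trailing backslash means the hex byte list continues on the next line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    pattern = rf'^"{re.escape(value_name)}"=hex\(7\):([0-9a-fA-F,]+)[ \t]*$'
    m = re.search(pattern, joined, re.MULTILINE)
    if not m:
        raise ValueError(f'{value_name} not found as a hex(7) value')

    raw = bytes(int(h, 16) for h in m.group(1).split(",") if h)
    text = raw.decode("utf-16-le" if is_utf16 else "cp1252")
    # Entries are NUL-separated; the list ends with an extra NUL, which
    # produces empty trailing elements that are dropped here.
    return [s for s in text.split("\0") if s]


def encode_reg_multi_sz(strings: list[str], utf16: bool = False) -> str:
    """Inverse of parse_reg_multi_sz: produce the hex(7) byte list for a .reg file."""
    payload = "\0".join(strings) + "\0\0"
    raw = payload.encode("utf-16-le" if utf16 else "cp1252")
    return ",".join(f"{b:02x}" for b in raw)


def is_default_bootexecute(reg_text: str) -> bool:
    """True when the file sets BootExecute to exactly the Windows default."""
    return parse_reg_multi_sz(reg_text, "BootExecute") == DEFAULT_BOOTEXECUTE


if __name__ == "__main__":
    entries = parse_reg_multi_sz(REGFIX_TEXT, "BootExecute")
    print("BootExecute entries:", entries)
    print("matches Windows default:", is_default_bootexecute(REGFIX_TEXT))
```

The same check applies in reverse to a suspicious machine: if BootExecute decodes to anything other than the single default entry, the extra entries name programs that run at boot before any user logs on, which is exactly where a persistence mechanism would hide and why a malware responder resets the value to a known-good state rather than deleting it.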

#8 EvilMCLMM (Topic Starter, Members, 13 posts)

Posted 07 October 2009 - 10:28 AM

I can boot into normal mode now, and can get the internet working (although its a hassle because windows wireless service is disabled on startup).

I'm not sure what that regfix.reg file did but my system seems to have become more unstable, I'd like to use my system restore to try and undo it if that's okay with you.

Edited by EvilMCLMM, 07 October 2009 - 10:32 AM.


#9 Farbar (Just Curious, Security Developer, 21,711 posts, The Netherlands)

Posted 07 October 2009 - 12:22 PM

That regfix has no effect on the system stability. It sets Windows check disk to its original value. So you should not get the error at boot and be able to initiate a chkdsk. Basically by setting it to its default value the chkdsk will not run any more unless you initiate it. So the fix doesn't load anything to have any effect on the system.

You may use system restore or anything you like as this is not malware related and it is more appropriate to seek assistance on a technical forum.

Edited by farbar, 07 October 2009 - 12:30 PM.


#10 EvilMCLMM (Topic Starter, Members, 13 posts)

Posted 07 October 2009 - 01:33 PM

Hmm, okay

Just seemed a bit odd as my monitor flickers on & off several times during boot up and during the password log in screen, which is something that didn't happen prior to using the regfix.

But perhaps you are right and the issues I'm having with my system are software/hardware related, but what about the suspicious task processes (WmiPrvSE.exe, unsecapp.exe, System, and spoolsv.exe), the Windows Update error, and my computer auto-disabling my WiFi?

I don't want to waste your time or anyone else's, I just want to make sure my system is truly clean of viruses, rootkits, malware, etc etc

I was directed to this part of the forum by a moderator ( boopme ) on the "am I infected? what do I do?" area after my 1st time discussing these issues on BleepingComputer. If it turns out I was directed here in error and my issues aren't from infection then I'll seek help elsewhere and you may lock the thread.

Regards,
Evil

Edited by EvilMCLMM, 07 October 2009 - 01:38 PM.


#11 Farbar (Just Curious, Security Developer, 21,711 posts, The Netherlands)

Posted 07 October 2009 - 04:20 PM

Hi again Evil,

You have already run MalwareBytes, AVG free, and ESET NOD32 online scanner. All indicating a clean system.
I have also gone through all your logs including the rootkit scanner log and saw nothing bad on them.
The processes you mention are all legit processes.
The error you mention HijackThis gave you was due to the fact that on Vista machines programs don't have administrative privileges unless you right-click and run them as administrator. If you run HijackThis that way it will give you no error.
The reason you couldn't update Windows might have other reasons than infection. You mentioned those problems started to show up after using the utilities you mention. That is also the case with disabling your WiFi.
boopme directing you here was not an "error". He directed you here to let a member of the HijackThis team check and rule out the possibility of being infected, and that is what we did here after looking into those logs. It would help you to concentrate on the system problem instead of looking for malware and disabling or removing legit processes and services on suspicion. I'm sorry anyway for any inconvenience we have caused.

Best Regards,
Farbar

#12 EvilMCLMM (Topic Starter, Members, 13 posts)

Posted 07 October 2009 - 09:27 PM

Hey no worries :(

Thank you for looking into this for me, and informing me on what needs to be addressed.

Take it easy,
Evil

Edited by EvilMCLMM, 07 October 2009 - 09:28 PM.


#13 Farbar (Just Curious, Security Developer, 21,711 posts, The Netherlands)

Posted 08 October 2009 - 01:03 AM

You are welcome.

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
