
Numerous Errors, Security Issues, Malware Suspected


14 replies to this topic

#1 Doppelbok67

Posted 15 September 2009 - 01:30 PM

Hi. I have an Athlon 64 Dual Core 6000+ with 2 Gigs memory. The other night I was updating XP Pro SP2 with a number of updates including the Microsoft NET updates, and it looks like I accidentally let in some malware through my firewall. I noticed a file 'b.exe' that was in a subfolder in C:\documents and settings\. I didn't notice anything else, and was able to delete it, I think, since it no longer appears in the Task Manager or Startup.

I can boot into Windows but I'm having serious problems so I think the malware is still there.

In Normal Mode:
I get the following errors on boot up:

1. nvsvc32.exe - The exception Privileged Instruction (0xc0000096) occurred in the application at location 0x0012ffbc.
2. runservice.exe - The exception unknown software exception (0xc000001e) occurred in the application at location 0x00408064.
3. nSvcLog.exe - The exception Illegal Instruction. An attempt was made to execute an illegal instruction. (0xc000001d) occurred in the application at location 0x00417de0.
4. loctlSvc.exe - The instruction at "0x0012ff9c" referenced memory at "0xffffffff". The memory could not be "read".
5. dwwin.exe - The exception Privileged Instruction (0xc0000096) occurred in the application at location 0x30038bb3.
6. WLService.exe - The exception Privileged Instruction (0xc0000096) occurred in the application at location 0x0040f005.
7. ADService.exe - The instruction at "0x0042cb31" referenced memory at "0x7c816f90". The memory could not be "written".
8. amd_dc_opt.exe - The instruction at "0x0013ff9f" referenced memory at "0x001314b1". The memory could not be "written".
9. ADUserMon.exe - The exception Illegal Instruction. An attempt was made to execute an illegal instruction (0xc000001d) occurred in the application at location 0x0042837f.
10. ctfmon.exe - The exception Illegal Instruction. An attempt was made to execute an illegal instruction (0xc000001d) occurred in the application at location 0x00405cce.

I do not have any sound, nor do I have internet access. My Avast Anti Virus has been disabled. I also have Zone Alarm Pro but it's unknown if that is having issues, due to not having internet access. I can't do any file searching in Windows. If I make an attempt to open up Spybot or my Avast Free Anti Virus, I get the following error: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

If I right click on the Desktop and select Properties, I get a rundll32.exe error as well as:
dumprep.exe - The instruction at "0x007ff9c" referenced memory at "0x0007ff9c". The memory could not be "written".
I also get anywhere from one to a number of dwwin.exe errors.

I attempted to run HJT from its own folder, then off the desktop, and then by changing its name, and each time I get dwwin.exe errors.

In Safe Mode:
I cannot access anti-virus or Spybot in either user or administrator mode (I am the only user and have given myself full access). Just like in Normal mode, I cannot run HJT and get dwwin.exe errors.

Sorry for not being able to post any logs, and thanks so much for your assistance!
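The ten boot-time dialogs and the dumprep.exe dialog in the post above are the only diagnostic data that survives in this thread, so the first thing a responder would do is decode them. The following is an added example, not code from the thread or from any tool named in it: a small Python parser for the two Windows XP crash-dialog formats quoted ("The exception ... occurred in the application at location ..." and "The instruction at ... referenced memory at ..."), which maps the hexadecimal values to their NTSTATUS names from ntstatus.h and flags any faulting instruction pointer that lies below 0x00400000. That last check is a heuristic assumption of mine (0x00400000 is the linker's default image base for a 32-bit Win32 EXE, so an instruction pointer below it is not inside the program's own image); the sample dialog text is constructed to mirror the post, with the "0 x" spacing kept so the parser has to tolerate it.

```python
"""Decode the Windows XP crash dialogs quoted in the post (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# NTSTATUS exception codes from ntstatus.h. The "referenced memory at ...
# could not be read/written" dialog is how Windows reports an access violation.
NTSTATUS_NAMES: Dict[int, str] = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC000001E: "STATUS_INVALID_LOCK_SEQUENCE",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
}

# Assumption (heuristic, not from the post): default image base of a 32-bit
# Win32 EXE. A faulting IP below it is outside the program's own image.
DEFAULT_IMAGE_BASE = 0x00400000

# Both patterns tolerate the "0 x c0000096" spacing exactly as typed in the post.
_EXC_RE = re.compile(
    r"^(?P<proc>\S+)\s*-\s*The exception (?P<desc>.+?)\s*"
    r"\(0\s*x\s*(?P<code>[0-9A-Fa-f]+)\)\s*occurred in the application "
    r"at location 0\s*x\s*(?P<ip>[0-9A-Fa-f]+)\.?\s*$"
)
_AV_RE = re.compile(
    r'^(?P<proc>\S+)\s*-\s*The instruction at "0\s*x\s*(?P<ip>[0-9A-Fa-f]+)" '
    r'referenced memory at "0\s*x\s*(?P<target>[0-9A-Fa-f]+)"\.\s*'
    r'The memory could not be "(?P<access>read|written)"\.?\s*$'
)


@dataclass
class Fault:
    process: str
    code: int                      # NTSTATUS exception code
    ip: int                        # faulting instruction address
    target: Optional[int] = None   # address touched (access violation only)
    access: Optional[str] = None   # "read" or "written" (access violation only)

    @property
    def code_name(self) -> str:
        return NTSTATUS_NAMES.get(self.code, "UNKNOWN_0x%08X" % self.code)

    @property
    def ip_outside_image(self) -> bool:
        return self.ip < DEFAULT_IMAGE_BASE


def parse_fault(line: str) -> Optional[Fault]:
    """Parse one dialog string; return None if it is not a crash dialog."""
    line = re.sub(r"^\s*\d+\.\s*", "", line.strip())  # drop "1. " list numbering
    m = _EXC_RE.match(line)
    if m:
        return Fault(m["proc"], int(m["code"], 16), int(m["ip"], 16))
    m = _AV_RE.match(line)
    if m:
        return Fault(m["proc"], 0xC0000005, int(m["ip"], 16),
                     int(m["target"], 16), m["access"])
    return None


def parse_all(text: str) -> List[Fault]:
    return [f for f in (parse_fault(l) for l in text.splitlines()) if f]


def summarize(faults: List[Fault]) -> Dict[str, int]:
    """Count faults by decoded NTSTATUS name."""
    return dict(Counter(f.code_name for f in faults))


def processes_faulting_outside_image(faults: List[Fault]) -> List[str]:
    """Processes whose faulting IP is below the default image base."""
    return [f.process for f in faults if f.ip_outside_image]


# Constructed sample: the eleven dialog strings from the post, spacing as typed.
SAMPLE_DIALOGS = """\
1. nvsvc32.exe - The exception Privileged Instruction (0 x c0000096) occurred in the application at location 0 x 0012ffbc.
2. runservice.exe - The exception unknown software exception (0 x c000001e) occurred in the application at location 0 x 00408064.
3. nSvcLog.exe - The exception Illegal Instruction. An attempt was made to execute an illegal instruction. (0 x c000001d) occurred in the application at location 0 x 00417de0.
4. loctlSvc.exe - The instruction at "0 x 0012ff9c" referenced memory at "0 x ffffffff". The memory could not be "read".
5. dwwin.exe - The exception Privileged Instruction (0 x c0000096) occurred in the application at location 0 x 30038bb3.
6. WLService.exe - The exception Privileged Instruction (0 x c0000096) occurred in the application at location 0 x 0040f005.
7. ADService.exe - The instruction at "0 x 0042cb31" referenced memory at "0 x 7c816f90". The memory could not be "written".
8. amd_dc_opt.exe - The instruction at "0 x 0013ff9f" referenced memory at "0 x 001314b1". The memory could not be "written".
9. ADUserMon.exe - The exception Illegal Instruction. An attempt was made to execute an illegal instruction (0 x c000001d) occurred in the application at location 0 x 0042837f.
10. ctfmon.exe - The exception Illegal Instruction. An attempt was made to execute an illegal instruction (0 x c000001d) occurred in the application at location 0 x 00405cce.
dumprep.exe - The instruction at "0 x 007ff9c" referenced memory at "0 x 0007ff9c". The memory could not be "written".
"""

if __name__ == "__main__":
    faults = parse_all(SAMPLE_DIALOGS)
    for f in faults:
        flag = "  <- IP below default image base" if f.ip_outside_image else ""
        print("%-16s %-30s ip=0x%08x%s" % (f.process, f.code_name, f.ip, flag))
    print(summarize(faults))
```

Run on the constructed sample, four of the eleven processes (nvsvc32.exe, loctlSvc.exe, amd_dc_opt.exe, dumprep.exe) fault at addresses below 0x00400000, and every other crash is a privileged-instruction, illegal-instruction or access-violation exception. That pattern across unrelated processes is why a responder would treat the machine as tampered with rather than chase each crash individually; the parser only decodes what the dialogs say and does not identify any specific malware.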


#2 Blade (Site Admin)

Posted 15 September 2009 - 01:54 PM

Hello and welcome to BleepingComputer.

Let's see what we're looking at here.

Please install RootRepeal

Note: Vista users, right click on the desktop icon and select "Run as Administrator."

Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the "Drivers" tab, and then click the Scan button.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Doppelbok67 (Topic Starter)

Posted 16 September 2009 - 08:23 AM

Hi, and thanks again for your reply and all your assistance so far. I wish I could reply faster but unfortunately the machine is at home and I can only reply from work, so when I'm home in the evening I try what you recommend.

That said, it's as I feared. I couldn't run RootRepeal thanks to dwwin.exe errors. I tried copying it from my flash drive to my desktop, tried renaming it, and also tried in safe mode (Administrator). No go.

I was, however, able to get a portion of an Avast anti-virus scan run, so I started scanning the C: drive. In a subfolder in Documents and Settings, it told me I had a Win95.K trojan. The interesting thing is that I can't find anything on the internet about that, so I wonder if it was a false positive? I sent it to the chest but then Avast closed down without completing a scan on C:.

One other thing... I noticed that the executable SpyBotSD.exe seems to be hidden in the 'Spybot - Search and Destroy' program subfolder. Just thought I'd mention that in case it helps you.

Ready to try anything else you can think of.

#4 Doppelbok67 (Topic Starter)

Posted 16 September 2009 - 08:29 AM

Oh, I should also add that I have no problems opening up Task Manager, msconfig, and regedit. Thanks!

#5 Blade (Site Admin)

Posted 16 September 2009 - 06:58 PM

Please save this file to your desktop. Double-click on it to run a scan. It will likely take some time to run, so do not assume it has stalled. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

~Blade


In your next reply, please include the following:
Win32kDiag log

Edited by Blade Zephon, 16 September 2009 - 06:58 PM.



#6 Doppelbok67 (Topic Starter)

Posted 18 September 2009 - 01:08 PM

Sorry for the delay.

No luck running Win32kdiag in either normal or safe mode. I get a dwwin.exe error each time.


#7 Blade (Site Admin)

Posted 22 September 2009 - 02:05 AM

Sorry for the delay in my response. Is formatting this machine an option for you? (i.e. do you have a Windows XP CD?)

Let's try doing this next.

Let's run the Windows System File Checker utility

You will need your XP CD handy.

Open Windows Task Manager by pressing CTRL+SHIFT+ESC.
Then click File, then New Task (Run).
In the box that opens type sfc /scannow (there is a space between c and /).

Click OK.
Let it run and insert the XP CD when asked.


Let me know what happens, and how your computer behaves after running the utility.

Edited by Blade Zephon, 22 September 2009 - 02:06 AM.



#8 Doppelbok67 (Topic Starter)

Posted 23 September 2009 - 08:19 AM

It's funny you mention the SFC... I was going to try that next after reading some articles and posts on it.

The SFC ran successfully, but it looks like it found nothing out of place because it never asked for my CD.

Unfortunately, all my problems were still there after I rebooted, so not one thing was fixed.

...beginning to lose hope and the dreaded word "reformat" is flashing in front of my eyes...

#9 Blade (Site Admin)

Posted 25 September 2009 - 02:36 PM

...beginning to lose hope and the dreaded word "reformat" is flashing in front of my eyes...

Honestly, if reformatting is a viable option for you it may be the easiest solution. Something has caused some serious problems with your OS.

***************************************************

Are you able to run DDS.scr?

If it successfully runs, it will produce logs. Do Not post them here. Simply let me know if the program runs or if you get an error.

~Blade



#10 Doppelbok67 (Topic Starter)

Posted 28 September 2009 - 09:04 PM

No luck. The instruction window opens up and then I get the dwwin.exe error.

#11 Doppelbok67 (Topic Starter)

Posted 29 September 2009 - 09:22 AM

I forgot to add that I also got a WREGS.exe and EDS.exe error along with the other error.

#12 Blade (Site Admin)

Posted 29 September 2009 - 10:06 AM

I'm going to be perfectly honest here. There are some very serious issues with this machine. I would strongly recommend that you format; it will be the easiest course of action.

There are a couple of other tools we can try... but I doubt any of them would be able to work either.

Sorry I don't have better news.

~Blade

Edited by Blade Zephon, 29 September 2009 - 10:06 AM.



#13 Doppelbok67 (Topic Starter)

Posted 29 September 2009 - 11:58 AM

Well, you tried... thanks! All the trouble seemed to start once I installed a number of Windows updates for the quarter. I don't know if somehow the installation got hosed and my registry was corrupted, or if I really do have malware causing these issues. I guess at this point it won't hurt to at least try a Windows repair -- can't hurt things more than they already are, right? If that doesn't work, then I'll have to wipe the drive, reformat and reinstall Windows.

The sad thing is I have four other drives, two internal and two external, which will have orphaned programs as a result, and it will take quite a while to reinstall all those programs. Ugh.

One last question -- My boot drive has three partitions right now, C, D, and E. If I have to reformat, is there a way I can just reformat the C boot partition, and leave the D and E drive partitions intact?


#14 Blade (Site Admin)

Posted 29 September 2009 - 12:15 PM

If I have to reformat, is there a way I can just reformat the C boot partition, and leave the D and E drive partitions intact?

Safest practice would be to format all three partitions. If you have malware, with some infections there is a possibility that it could survive the reformat by hiding out in another partition. Assuming you're just dealing with system issues, though, simply reformatting the system partition should suffice. However... since none of the scans are working, I can't rule out malware.

~Blade



#15 Doppelbok67 (Topic Starter)

Posted 02 October 2009 - 01:27 PM

Well, again, thanks for all your help and advice! I'll roll the dice and hope for the best.

I'll go ahead and close this thread now.



