Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malignant virus or rootkit, please help!


  • This topic is locked This topic is locked
8 replies to this topic

#1 azn_elf

azn_elf

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 23 September 2009 - 07:35 AM

Hello there,
First off, I appreciate all your help and efforts, and would like to thank you guys for showing up. I have a possible rootkit or virus that was at the main page by Lawrence Abrams.
The situation stands as this: I am unable to run any kind of anti-malware or anti-virus programs. They would get terminated automatically and I would be told that I did not have the proper access to execute the program (I'm an administrator). I have tried changing the filenames of the anti-malware and anti-virus programs but the virus :( just adapts and shuts it down nor has uninstalling and reinstalling the programs work. :( I'm in big trouble.

Here is a layout of my system:
Windows XP (no disk) Professional SP2 32-bit (Administrator)
Programs: AVG Free, Spybot S&D, Malware bytes' AntiMalware

Attached Files



BC AdBot (Login to Remove)

 


#2 azn_elf

azn_elf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 23 September 2009 - 09:46 AM

Bad news, I now can not access explorer.exe. I am operating from my laptop, please help!

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 24 September 2009 - 08:02 PM.


#3 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:10 PM

Posted 10 October 2009 - 08:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#4 azn_elf

azn_elf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 14 October 2009 - 07:41 PM

Hello, I have not been able to resolve the problem, I ask for your assistance. As I know of, this virus will not allow me to run any anti-virus or anti-malware programs. I have been unable to scan my system as this virus will automatically terminate any programs it detects, and will block access to it. It is quite annoying to be the administrator and be locked out... by locked out, I will be denied access, and a message box appears saying " Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Strangely enough, explorer.exe will not run either, causing me to navigate with task manager.

So I cannot my desktop and anti-virus/malware programs.

Removal of the virus has not been possible to me. I have tried common methods such as renaming the .exe files of the anti-virus/malware programs, in addition to uninstalling and re-installing the said programs while changing the names of the setup files. I have even installed a different anti-virus program hoping that the virus would not be able to adapt to the change. The programs will crash mid-scan (after a clean install) and deny me access the next time I try to run it. It is still denying me access to this day.

As for the program that was provided, it suffered a similar fate. Using task manager I ran both programs only to have them crash/close mysteriously. I ran them again and received the same response, notepad did not open either. :( This occurred after I turned off my internet connection, my anti-virus cannot run so I have no results. :(
This is getting complicated, I appreciate your help.

-Azn_Elf

#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:10 AM

Posted 16 October 2009 - 10:09 PM

Hello azn_elf,

My name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forum have been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.



1. You have mentioned that you were operating with your laptop, did you mean that you are using a different computer to access Bleeping computer? If yes, we need to prevent the clean computer from getting infected so please do the following:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.




2. Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it.A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.


3. We Need to check for Rootkits with RootRepeal[*]Open Posted Image on your desktop.
[*]Click the Posted Image tab.
[*]Click the Posted Image button.
[*]Check all seven boxes: Posted Image
[*]Push Ok
[*]Check the box for your main system drive (Usually C:), and press Ok.
[*]Allow RootRepeal to run a scan of your system. This may take some time.
[*]Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.
[/list]

~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 azn_elf

azn_elf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 19 October 2009 - 10:14 AM

Volume in drive C has no label.
Volume Serial Number is A022-883A

Directory of C:\WINDOWS\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 02:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 02:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Directory of C:\WINDOWS\System32

01/20/2008 10:24 PM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

01/20/2008 10:24 PM 592,384 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 05:46 AM 11,776 cngaudit.dll
3 File(s) 781,312 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 05:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/20/2008 10:24 PM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/20/2008 10:24 PM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Total Files Listed:
8 File(s) 2,332,672 bytes
0 Dir(s) 191,645,970,432 bytes free

#7 azn_elf

azn_elf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 19 October 2009 - 10:19 AM

There has been a development which I wish to notify you of. I took my computer in to get formatted two days ago... I am wondering if there are preventive measures I can take on my 'clean' computer when I get it back?

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:10 AM

Posted 19 October 2009 - 10:28 AM

Hi,

Thank you for letting us know that you already reformatted. That's the best choice for a heavily infected computer. :(

Now that your computer is clean, please take the time to read below to secure your machine and take the necessary steps to keep it Clean :(


Microsoft has released the latest upgrades to the XP OS platform, which can be referenced HERE
It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems.
Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system.
I recommend that you visit the link above and apply the SP3 patch.

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

How to prevent Malware: by miekiemoes


With regards,
~ Semp :)

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:10 AM

Posted 19 October 2009 - 11:00 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users