
Protection System


3 replies to this topic

#1 Mikelloc

Posted 26 September 2009 - 04:03 PM

Hey all, I've run into a huge problem... My aunt dropped off her family computer yesterday and I've been working on it for a few hours now and, to say the least, I'm completely stumped. There's this fake anti virus program called Protection System which does its thing, I'm sure you know all about it. Anyway, I've done a few hours' worth of research, read countless "fix it" articles and forum posts and nothing has worked yet. At this point I need to rest my eyes and my mind and ask you all for your help.

The biggest problem is that no programs that could solve the problem or aid in solving the problem work. The real anti virus was disabled and broken, Malwarebytes wouldn't install so I renamed it, it then installed halfway before freezing. I played around with that for a while and I got it to install. Couldn't run the program after that, so I renamed that. It finally opened but as expected the scan shut the program down. After it crashed during the scan Malwarebytes was completely inoperable, couldn't even delete it without a restart. At that point I had enough, I was preparing to post a topic in the "HijackThis Logs and Virus/Trojan/Spyware/Malware Removal" forum but after several attempts it appears that not even your DDS Tool works. I'm just so frustrated right now...

To clear a few things up. I've been trying everything in and out of safe mode, same results. Also, all the games on the computer appear to work, iTunes works, Quickbooks works, AIM works. I'm pretty sure every program starts and runs on this computer except the ones stated above. hmmmmm, so three shortcuts just appeared on the desktop, pornotube.com, nudetube.com and youporn.com.... Great.

I wish I knew more, the computer was dropped off at my house while I was at work with a sticky note on it. -Anti Virus disabled -Fake software -Turns on/off sporadically.

I don't know much about this kind of stuff, but any opinions or suggestions would be light years ahead of where I'm at now...



Thank You Very Much
-Mike


Edit* This dude and I appear to be having the same problem http://www.bleepingcomputer.com/forums/t/259519/mix-of-viruses-infected-my-computer/


We Need to check for Rootkits with RootRepeal
1. Download RootRepeal from the following location and save it to your desktop.
   ◦ Direct Download (Recommended)
     ■ Primary Mirror
     ■ Secondary Mirror
     ■ Secondary Mirror
     ■ Secondary Mirror
   ◦ Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
     ■ Primary Mirror
     ■ Secondary Mirror
     ■ Secondary Mirror
   ◦ Rar Mirrors - Only if you know what a RAR is and can extract it.
     ■ Primary Mirror
     ■ Secondary Mirror
     ■ Secondary Mirror
2. Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
3. Open on your desktop.
4. Click the tab.
5. Click the button.
6. Check all seven boxes:
7. Push Ok.
8. Check the box for your main system drive (usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

Did exactly what you said. It loads the "initializing" screen then it: Blue Screened twice, froze once, and is currently lagging up the computer pretty bad. I'll edit the post to let you know the results.


I read in other posts they have people using Win32kDiag, for the sake of time I'm going to run that next, see if it works, then post those logs. If you need me to do something different just reply.



edit* The fourth scan also crashed. So far Win32kDiag is working, and there appear to be more strange processes running now than there were 2 days ago...

Here is my Win32kDiag Log...


Running from: C:\Documents and Settings\Steele\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Steele\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E6.tmp\ZAP1E6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{DD6BB04E-636D-4D52-BC09-0E71CD967909}\{DD6BB04E-636D-4D52-BC09-0E71CD967909}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 03:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[2] 2004-08-04 03:56:50 743936 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP470\A0042577.exe (Microsoft Corporation)

[2] 2004-08-04 03:56:50 743936 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP470\A0043272.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\CACHE\CACHE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\MAIL\MAIL

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\NEWS\NEWS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\SECURITY\SECURITY

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\SYSTEM\SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\RegisteredPackages\{60204BB3-7078-4F70-8F69-68297621941C}$TEMP$\{60204BB3-7078-4F70-8F69-68297621941C}$TEMP$

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$TEMP$\{981FB688-E76B-4246-987B-92083185B90A}$TEMP$

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\eb650291aacf974adcca182c38353485\eb650291aacf974adcca182c38353485

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[2] 2004-08-04 03:56:42 55808 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP470\A0042215.dll (Microsoft Corporation)

[2] 2004-08-04 03:56:42 55808 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP470\A0043559.dll (Microsoft Corporation)

[2] 2004-08-04 03:56:42 55808 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP470\A0044883.dll (Microsoft Corporation)

[1] 2002-08-29 07:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WSMM\Logs\Logs

Mount point destination : \Device\__max++>\^



Finished!

Thank You Very Much For Your Help.

Now that you were successful in creating a log you need to post it in our HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Give a brief description and tell them that this log was all you could get to run successfully.
The HJT team is extremely busy, so be patient, and good luck.
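Added example, not part of the thread and not code from the Win32kDiag tool's author: a small Python parser for the log format posted above that surfaces the two things a responder scans for in such a log, junctions redirected to a device that is not a normal volume, and blocked system files whose live copy's size or company string differs from the reference copies Windows keeps. The sample log excerpt, the user name and the volume GUID are constructed; the assumption that a legitimate mount point resolves to a \??\Volume{GUID} path is stated in the code.

```python
import re

# Constructed excerpt in the Win32kDiag format shown in the thread (not the full log).
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\User\Desktop\Win32kDiag.exe
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\Data\Data
Mount point destination : \??\Volume{12345678-0000-0000-0000-000000000000}
Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
BLOCKED_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[\d\] \S+ \S+ (\d+) (.+?) \((.*)\)$")  # [n] date time size path (company)

def parse_win32kdiag(text):
    """Return (junctions, blocked): a list of (path, target) and a dict of blocked file -> copies."""
    junctions, blocked, mount, blocked_file = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := MOUNT_RE.match(line):
            mount, blocked_file = m.group(1), None
        elif m := DEST_RE.match(line):
            junctions.append((mount, m.group(1)))
        elif m := BLOCKED_RE.match(line):
            blocked_file = m.group(1)
            blocked[blocked_file] = []
        elif blocked_file and (m := COPY_RE.match(line)):
            blocked[blocked_file].append(
                {"size": int(m.group(1)), "path": m.group(2), "company": m.group(3)})
    return junctions, blocked

def suspicious_junctions(junctions):
    # Assumption: a legitimate mount point resolves to a \??\Volume{GUID} path. Every junction
    # in the thread's log points at \Device\__max++>\^, a fake device that makes the directory unreadable.
    return [(p, t) for p, t in junctions if not t.startswith(r"\??\Volume{")]

def mismatched_files(blocked):
    # Flag a blocked file whose live copy has an empty company string or a size that matches
    # none of the reference copies (ServicePackFiles, $NtServicePackUninstall$, restore points).
    findings = []
    for path, copies in blocked.items():
        live = next((c for c in copies if c["path"].lower() == path.lower()), None)
        others = [c["size"] for c in copies if c["path"].lower() != path.lower()]
        if live and (not live["company"] or live["size"] not in others):
            findings.append((path, live["size"], live["company"]))
    return findings
```

Run against the full log from the thread, the same functions list every redirected junction and the two blocked files (helpsvc.exe and eventlog.dll) whose in-place copies carry no company name and sizes unlike any reference copy.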

#2 myrti (Malware Study Hall Admin)

Posted 01 October 2009 - 10:16 AM

Hi Mike,

do you still have your aunt's PC and do you still need help?

regards

#3 Mikelloc (Topic Starter)

Posted 01 October 2009 - 10:27 AM

Help would be appreciated. Yes, Thank You.

#4 myrti (Malware Study Hall Admin)

Posted 01 October 2009 - 10:40 AM

Hi,

the infection shown by the rootrepeal log is rather complicated to deal with and needs the assistance of an HJT-Team member.
Therefore, I would like you to post a new topic in our HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Give a brief description and tell them that these logs were all you could get to run successfully.

Please post back with a link to that new topic in your next reply, I will then pick you up there and help you to clean up your PC.

regards