
Rootkit Infection, WinAntivirus Pro, Desot.exe, Skynet, Warning Wallpaper leftovers.


  • This topic is locked
5 replies to this topic

#1 Blankobl
  • Members
  • 7 posts
  • Location:Clinton, CT

Posted 27 September 2009 - 03:45 PM

Hi. Thank you to Garmanma for getting me started and directing me here.
My problem is this. I thought I had removed the Winvirus Pro from a friend's computer. Desot.exe was next to go.
When I thought it was safe to go online to update antivirus programs, I was hit with the "Warning, You're in Danger" wallpaper. Got rid of that, thought I was done. But not so fast....
Now any .exe gives me "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." and you also cannot rename or delete the file.
With the advice and help of Garmanma, I was able to run a few logs, which he suggested I post here.
This was all I could get to run successfully.
I look forward to working with an expert who can help me with this.
Barb

Running from: E:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Mandy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-08-28 14:38:22 24689600 C:\WINDOWS\system32\MRT.exe ()

Finished!

This is the log from Garmanma's instruction to run:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

Volume in drive C has no label.
Volume Serial Number is 1489-BCA6

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 23,022,333,952 bytes free

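Added example (not code from any poster in this thread): the DIR /a/s check above lists every copy of scecli.dll, netlogon.dll and eventlog.dll that Windows keeps, so that a copy in system32 that has been patched shows up as a size or date that differs from the backup copies. The script below parses that listing and flags any copy whose size differs from the ServicePackFiles\i386 copy of the same DLL. The clean sample is condensed from the listing in post #1 (all four system32 and backup sizes agree there); the second sample is constructed, with the system32 scecli.dll size and date altered, to show the check firing. Treating ServicePackFiles\i386 as the reference and skipping $NtServicePackUninstall$ (which holds the older pre-service-pack builds, so its 2004 sizes differ legitimately) are assumptions of this example, not something the thread states.

```python
"""Compare the copies of scecli.dll, netlogon.dll and eventlog.dll that
DIR /a/s finds under %windir% against the service-pack reference copy.
Added example; not code from any poster in this thread."""
import re
from collections import defaultdict

DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
FILE_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)


def parse_dir_listing(text):
    """Map each file name to {directory: (size_in_bytes, 'date time')}.
    Only 'Directory of' headers and file rows are used; the volume and
    'n File(s)' summary lines do not match FILE_RE and are skipped."""
    copies = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            size = int(m.group("size").replace(",", ""))
            copies[m.group("name").lower()][current_dir] = (
                size, f"{m.group('date')} {m.group('time')}")
    return copies


def find_mismatches(text,
                    reference_suffix=r"\servicepackfiles\i386",
                    ignore_suffixes=(r"\$ntservicepackuninstall$",)):
    """Return (name, directory, size, reference_size) for every copy whose
    size differs from the ServicePackFiles\\i386 copy of the same DLL.
    Assumptions of this example: ServicePackFiles\\i386 is the pristine
    reference, and $NtServicePackUninstall$ (pre-service-pack builds, so
    legitimately different) is skipped rather than reported."""
    findings = []
    for name, per_dir in parse_dir_listing(text).items():
        ref = next((v for d, v in per_dir.items()
                    if d.lower().endswith(reference_suffix)), None)
        if ref is None:
            continue  # no reference copy to compare against
        for directory, (size, _stamp) in sorted(per_dir.items()):
            low = directory.lower()
            if low.endswith(reference_suffix) or low.endswith(ignore_suffixes):
                continue
            if size != ref[0]:
                findings.append((name, directory, size, ref[0]))
    return findings


# Condensed from the DIR /a/s listing in post #1: one header per directory.
CLEAN_LOG = r"""
 Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 180,224 scecli.dll
08/04/2004 06:00 AM 407,040 netlogon.dll
08/04/2004 06:00 AM 55,808 eventlog.dll
 Directory of C:\WINDOWS\ERDNT\cache
04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
 Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
               3 File(s)        644,608 bytes
"""

# Constructed case: the system32 copy of scecli.dll (last occurrence in the
# listing) is given a different size and date, as a patched file would show.
_ORIG_ROW = "04/13/2008 08:12 PM 181,248 scecli.dll"
_i = CLEAN_LOG.rfind(_ORIG_ROW)
PATCHED_LOG = (CLEAN_LOG[:_i] + "09/27/2009 01:12 PM 181,760 scecli.dll"
               + CLEAN_LOG[_i + len(_ORIG_ROW):])

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("patched", PATCHED_LOG)):
        print(label, find_mismatches(log) or "no size mismatches")
```

A matching size is only a weak sign of integrity: it rules out the crude case where a patched DLL grew, not a careful in-place patch. When the machine is reachable, compare file hashes or the Authenticode signature of the system32 copy against the ServicePackFiles\i386 copy (for example with Sysinternals sigcheck) rather than relying on DIR alone.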

#2 fireman4it (Bleepin' Fireman)
  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 October 2009 - 11:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 Blankobl (Topic Starter)
  • Members
  • 7 posts
  • Location:Clinton, CT

Posted 16 October 2009 - 01:25 AM

Good Morning, Fireman4it,
Thank you so much for picking up on my request for help with this. I will attach the latest dds files. They look a little different now than they did a few weeks ago. I have been busy. Armed with strategies by reading the posts of others, I attacked this computer. Throwing caution to the wind I used malwarebytes, SAS, Combofix (knowing I could lose but hoping for the best), sophos, spybot and ad-aware. I knew that the usual spyware removal tools were not going to help in this situation. Taking the information in the gmer log, I created a script and used the Avenger to delete the stubborn SKYNET registry entries, drivers and files. I think I killed the beast. I may have done more than that as I was alerted to one last registry entry that I could not export, and added that to the avenger as well.
Things seem to be working well now and I had just dared to get this computer on my network to download AVG when you noticed me. But I would still appreciate a review from one of the BC team. Did I leave carnage behind? Are there bits and pieces to be tidied up? Did I miss something big?
You and your team do amazing things. For all of those who write for help there are probably thousands like me who use the advice you post and hope for the best. With patience (and a little luck), it works. Thanks again.
Barb


#4 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 20 October 2009 - 01:03 PM

Hello, Blankobl
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the button at the top bar of this topic to Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.



Can you please post me the Logfile from Combofix (C:\Combofix.txt) so I can have a look at it? But please do not run it again.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!


#5 Blankobl (Topic Starter)
  • Members
  • 7 posts
  • Location:Clinton, CT

Posted 22 October 2009 - 04:02 PM

Good Afternoon, Schrauber,

Thank you for taking on my request for help.
With the knowledge I gained from reading the posts for others, I did the best I could and gave the computer back to my friend on Saturday.
So I cannot post the log.
When I returned it, it was working well. As far as I can tell, we didn't lose any files, or programs.
This was a nasty infection. Mandy does not bank or shop online, but she does use Hotmail from her computer.
One of her friends received an email request for money from someone claiming to be Mandy stranded in Europe using that Hotmail account.
Mandy herself is unable to access the account and was safely here at home the entire time. She has never been to Europe.

I uninstalled the combofix, re-enabled the automatic Windows update, used JavaRa to uninstall the old Java and then reinstalled the newest Java version.
I put a file together for Mandy of spyware removal programs to run weekly. I also left the Spybot Teatimer on so that she can learn. I set her IE cookies to override, prompt and block.
Today is Thursday and so far, she is happy.
It took me three weeks to do what you could probably do in one evening. I learned much in the process.
It may be late, but I am delighted that you were willing to help.
May I ask for your assistance if the problem returns within the next few days?
Thank you again,

Barb

#6 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 22 October 2009 - 04:29 PM

Hi,

Sure, no problem. Since this issue appears to be resolved, I will close this topic now. When you need it reopened, please send me a pm with the topic link.

Everyone else please begin a New Topic.
regards,
schrauber




