Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit or Malware?? Cant run spybot etc


  • Please log in to reply
5 replies to this topic

#1 blurt

blurt

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 01 October 2009 - 04:01 AM

Hi
Well Ive spent almost all day on this and am now out of ideas. Pretty sure it is a rootkit related to a.exe or msa.exe. Spybot or Malwarebytes wont start and windows says I do not have appropriate permission to access these items.

Any guidance much appreciated.

Cheers
Andrew

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:59 AM

Posted 01 October 2009 - 12:24 PM

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents starting with Running from... to Finished!) in your next reply.
Then go to Posted Image > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

-- Vista users can refer to these instructions to open a command prompt.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 blurt

blurt
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 01 October 2009 - 07:45 PM

Hey thanks for your time!

Last night I ran fixpolicies.exe and this allowed Malwarebytes to run. It found trojan .dropper and repaired. I ran it again and no infection however Spygot and Superantispyware still wont start.

This is all Win32 reported. I guess I need more than this.

Running from: C:\Documents and Settings\Andrew\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Andrew\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe




Volume in drive C is S3A4238D001
Volume Serial Number is 7867-7320

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 22:00 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 22:00 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 22:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 10:12 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 10:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 10:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 10:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 10:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 10:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 10:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 10:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 10:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 215,080,976,384 bytes free


[1] 2004-08-04 22:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 10:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-14 10:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)





Finished!

Edited by blurt, 01 October 2009 - 07:49 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:59 AM

Posted 01 October 2009 - 09:44 PM

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then right-click on the file and rename it to winlogon.exe.
  • If that still did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Note: If installation coninues to fail in normal mode, try installing and performing a Quick Scan in "safe mode". Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a safe mode scan, reboot normally, uninstall MBAM, then reinstall it and perform another Quick Scan.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 blurt

blurt
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 02 October 2009 - 12:50 AM

I can run Malwarebytes. It shows no infection however Spybot or Superantispyware will not run. "You do not have appropriate permissions to acess this item"

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:59 AM

Posted 02 October 2009 - 06:32 AM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

Start a new topic and post your DDS log along with the Win32kDiag.txt and Log.txt reports in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If DDS will not run, then just post the results of the Win32kDiag.txt and Log.txt. Be sure to include a note that you tried to follow the Prep Guide but were unable to get DDS to run.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users