
Infected by WindowsProtectionSuite


This topic is locked
30 replies to this topic

#1 Ilwuen

Posted 01 October 2009 - 02:52 PM

Esteemed staff of professionals,

I have two very odd and alarming problems. Whenever I try to enter into a Google domain (google, gmail), the page won't load and instead throws me the following error message:

"The connection was reset

The connection to the server was reset while the page was loading.

* The site could be temporarily unavailable or too busy. Try again in a few
moments.

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web."

This happens with all browsers. Chrome throws the following error message:

"This webpage is not available.

The webpage at http://www.google.com/ might be temporarily down or it may have moved permanently to a new web address.

More information on this error
Below is the original error message

Error 101 (net::ERR_CONNECTION_RESET): Unknown error."


I can't enter www.bing.com either, and a Yahoo search results in the same error message, although I can enter www.yahoo.com. It just doesn't throw the error until I click on search. The only search engine that is currently working seems to be www.altavista.com! All other domains work normally so far.

About two weeks ago I got the "Windows System Suite" malware on this same computer. I got rid of it with the Malwarebytes' Anti-Malware program.

The second alarming problem I have is that I can't open my Task Manager. Could these problems be related? I've heard that many malware programs close the Task Manager as soon as it is opened.

I have Malwarebytes Anti-Malware and the AVG licensed (paid) version installed.

I know a thing or two about software and generally take good care of my computer. I regularly clean the registry, defrag the disk and registry, and run virus scans. These problems I'm having certainly seem alarming, so I am contacting you in the hope of finding a solution.

--------------------------------------------------------------------------------------------------------------------------------------------------------
EDIT:

I think I have now pinpointed the problem using Spybot Search & Destroy. Spybot found "WindowsProtectionSuite" with 12 malware entries. SUPERAntiSpyware and Malwarebytes Anti-Malware were both unable to find it. Could that be the cause of all my problems? Anyhow, Spybot was unable to remove the problem. It gives the following error message when I push the "Fix" button:

"Unexpected error in fixing problems (Cannot create file "C:\Windows\system32\drivers\etc\hosts". Access is denied)"

Now, HijackThis gives the following error message when performing a scan :

"For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HjackThis may NOT be able to fix this.

If this happens, you need to edit the file yourself. To do this, click Start, Run and type:

notepad "C:\Windows\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot."


After clicking ok, HijackThis completes the scan pointing out these 12 lines from the 'hosts' file:

O1 - Hosts: ::1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

Now, I tried to do as the HijackThis error message told me and remove those lines manually. However, after removing those lines and pushing "Save", Notepad gives the following error message:

"Cannot create the C:\Windows\system32\drivers\etc\hosts file"

What do I have to do to remove WindowsProtectionSuite and those lines from the 'hosts' file?

For comparison, you can find my 'hosts' file and right after that a 'healthy' hosts file as an attachment. You can also find my HijackThis log.

Every day, more symptoms seem to arise. Now, some of the features of my add-ons for Firefox have been permanently disabled (no more "undo close tab"). Also, Firefox now disables cookies by itself, no matter how many times I check the "allow cookies" box, even during a session. This results in spontaneous logoffs from Facebook etc.

Also, Spybot's "immunize" feature is only able to protect 4 targets and leaves roughly 100000 targets unprotected.

What is also odd is that I haven't been experiencing any pop-ups from WindowsProtectionSuite as I should be.


I appreciate immensely any help given to me on this problem that so vexes me,

Regards,

Ilwuen

Attached Files


Edited by Ilwuen, 02 October 2009 - 06:59 AM.
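The O1 lines above are the whole story of the hosts-file half of this infection: a dozen rogue-AV billing domains all pinned to one public address. A small triage script that reads either a raw hosts file or HijackThis O1 lines, drops loopback and unspecified targets (localhost entries and sinkhole-style blocking lists), and groups the rest by target address makes that fan-out obvious at a glance. This is an added example, not code from the thread, from HijackThis or from Spybot; the sample input is built from the O1 lines quoted above plus two constructed benign entries.

```python
"""Triage hosts-file entries reported by HijackThis (O1 lines) or read from a raw hosts file.

Added example; not code from the thread, HijackThis or Spybot.
"""
import ipaddress
from collections import defaultdict

# Constructed sample input: the O1 lines quoted in the post above, plus two
# benign lines (an IPv4 localhost entry and a sinkhole-style ad-block entry).
SAMPLE_O1_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 0.0.0.0 ads.example.net
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
"""

O1_PREFIX = "O1 - Hosts:"


def parse_hosts(text):
    """Return (address, hostname) pairs from raw hosts-file lines or HijackThis O1 lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if line.startswith(O1_PREFIX):
            line = line[len(O1_PREFIX):].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                  # first field is not an address: skip
        for host in fields[1:]:                       # one address may be followed by several names
            entries.append((str(addr), host.lower()))
    return entries


def is_local_target(address):
    """Loopback and unspecified targets localise or block a name; anything else redirects it."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def find_redirects(entries):
    """Group redirecting entries by target address so fan-out (many names -> one host) is visible."""
    by_target = defaultdict(set)
    for address, host in entries:
        if not is_local_target(address):
            by_target[address].add(host)
    return {address: sorted(hosts) for address, hosts in sorted(by_target.items())}


def report(text):
    """Human-readable summary for the stand-alone run."""
    lines = []
    for address, hosts in find_redirects(parse_hosts(text)).items():
        lines.append(f"{address}: {len(hosts)} hostname(s) redirected")
        lines.extend(f"    {host}" for host in hosts)
    return "\n".join(lines) or "no redirecting entries"


if __name__ == "__main__":
    print(report(SAMPLE_O1_LOG))
```

Pointing a name at a loopback or unspecified address is what ad-blocking lists do, so those entries are not flagged; a public address with many names behind it is the shape to look at, whatever the names are.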



#2 Buckeye_Sam, Malware Expert

Posted 02 October 2009 - 04:20 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Ilwuen, Topic Starter

Posted 03 October 2009 - 01:35 AM

Sam,

Thank you very much for your time and concern! Just before you replied, after tens of hours of studying, I finally found this thread: http://www.bleepingcomputer.com/foru...252666-15.html, which provided me with a partial solution. So, I downloaded "unlocker" and force-changed the name of the "hosts" file, then edited out the reported O1 lines and saved it as "hosts" again. Now it looks exactly like the "healthy" hosts file I had attached in the OP.

The one and only problem that remains is that Task Manager still refuses to open. Everything else seems to have been fixed by this simple editing of the hosts file. I then ran a full scan with Malwarebytes Anti-Malware, SUPERAntiSpyware, Spybot S&D and AVG. None of them could find any problems anymore.

So, could it be that some residual corruption was left behind from the removal? What should I do to get Task Manager working again and to remove the remaining corruption?

A huge thanks,

Ilwuen

#4 Buckeye_Sam, Malware Expert

Posted 03 October 2009 - 09:33 AM

I would still like to see the logs that I requested so I can verify that there's still not an active infection causing the problems. Once we have determined that then we can move on to troubleshooting any other issues that you're still having, such as task manager.
========================================================

#5 Ilwuen, Topic Starter

Posted 03 October 2009 - 01:24 PM

I would still like to see the logs that I requested so I can verify that there's still not an active infection causing the problems. Once we have determined that then we can move on to troubleshooting any other issues that you're still having, such as task manager.


Okay, I ran both scans as you requested. OTL came up with two logs: Extras.Txt and OTL.Txt. Both are attached. RootRepeal ran for a few seconds and resulted in an error message, which is saved in the RootRepealError file. It is attached. The log is saved as RootRepealLog and attached.

Thanks for your aid,

Ilwuen

P.S. Here is the RootRepeal log copy-pasted as well:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/03 21:22
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x92C62000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA5141000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd.sys
Image Path: C:\Windows\System32\Drivers\sptd.sys
Address: 0x8268A000 Size: 958464 File Visible: - Signed: -
Status: Hidden from the Windows API!

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1404 Status: Locked to the Windows API!

SSDT
-------------------
#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0x928ff0b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x848781e8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CREATE]
Process: System Address: 0x848751e8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CLOSE]
Process: System Address: 0x848751e8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x848751e8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x848751e8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_POWER]
Process: System Address: 0x848751e8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x848751e8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_PNP]
Process: System Address: 0x848751e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x848771e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x848771e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x848771e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x848771e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x848771e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x848771e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x848771e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_READ]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP]
Process: System Address: 0x86d05790 Size: 121

Object: Hidden Code [Driver: usbuhci藢І晖呁殈蛙, IRP_MJ_CREATE]
Process: System Address: 0x86ceb790 Size: 121

Object: Hidden Code [Driver: usbuhci藢І晖呁殈蛙, IRP_MJ_CLOSE]
Process: System Address: 0x86ceb790 Size: 121

Object: Hidden Code [Driver: usbuhci藢І晖呁殈蛙, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ceb790 Size: 121

Object: Hidden Code [Driver: usbuhci藢І晖呁殈蛙, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ceb790 Size: 121

Object: Hidden Code [Driver: usbuhci藢І晖呁殈蛙, IRP_MJ_POWER]
Process: System Address: 0x86ceb790 Size: 121

Object: Hidden Code [Driver: usbuhci藢І晖呁殈蛙, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ceb790 Size: 121

Object: Hidden Code [Driver: usbuhci藢І晖呁殈蛙, IRP_MJ_PNP]
Process: System Address: 0x86ceb790 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CREATE]
Process: System Address: 0x848761e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CLOSE]
Process: System Address: 0x848761e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x848761e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x848761e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_POWER]
Process: System Address: 0x848761e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x848761e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_PNP]
Process: System Address: 0x848761e8 Size: 121

Object: Hidden Code [Driver: netbt迟, IRP_MJ_CREATE]
Process: System Address: 0x8fdfc790 Size: 121

Object: Hidden Code [Driver: netbt迟, IRP_MJ_CLOSE]
Process: System Address: 0x8fdfc790 Size: 121

Object: Hidden Code [Driver: netbt迟, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8fdfc790 Size: 121

Object: Hidden Code [Driver: netbt迟, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8fdfc790 Size: 121

Object: Hidden Code [Driver: netbt迟, IRP_MJ_CLEANUP]
Process: System Address: 0x8fdfc790 Size: 121

Object: Hidden Code [Driver: netbt迟, IRP_MJ_PNP]
Process: System Address: 0x8fdfc790 Size: 121

Object: Hidden Code [Driver: iScsiPrtЍ牡瑫퀀趟 , IRP_MJ_CREATE]
Process: System Address: 0x86d931e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЍ牡瑫퀀趟 , IRP_MJ_CLOSE]
Process: System Address: 0x86d931e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЍ牡瑫퀀趟 , IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d931e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЍ牡瑫퀀趟 , IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d931e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЍ牡瑫퀀趟 , IRP_MJ_POWER]
Process: System Address: 0x86d931e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЍ牡瑫퀀趟 , IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d931e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЍ牡瑫퀀趟 , IRP_MJ_PNP]
Process: System Address: 0x86d931e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x848731e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x85ca6790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x85ca6790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ca6790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ca6790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x85ca6790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ca6790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x85ca6790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_CREATE]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_CLOSE]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_READ]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_WRITE]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_QUERY_EA]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_SET_EA]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_SHUTDOWN]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_CLEANUP]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_SET_SECURITY]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_POWER]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_SET_QUOTA]
Process: System Address: 0x90fea790 Size: 121

Object: Hidden Code [Driver: mrxsmb㤐ꁍЏ䵆捦捅䡰, IRP_MJ_PNP]
Process: System Address: 0x90fea790 Size: 121

==EOF==

Attached Files



#6 Buckeye_Sam, Malware Expert

Posted 03 October 2009 - 04:49 PM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O33 - MountPoints2\{25c8c6c8-e7ad-11dd-a8a9-001b245595a2}\Shell\AutoRun\command - "" = dll32.exe
    O33 - MountPoints2\{25c8c6c8-e7ad-11dd-a8a9-001b245595a2}\Shell\open\command - "" = dll32.exe
    O33 - MountPoints2\{abbc1708-b8c1-11dd-9305-cd58b1414d3c}\Shell\AutoRun\command - "" = F:\dll32.exe -- File not found
    O33 - MountPoints2\{abbc1708-b8c1-11dd-9305-cd58b1414d3c}\Shell\open\command - "" = F:\dll32.exe -- File not found
    O33 - MountPoints2\{beccc5bb-3e75-11de-a139-001b245595a2}\Shell\AutoRun\command - "" = boyedt.com
    O33 - MountPoints2\{beccc5bb-3e75-11de-a139-001b245595a2}\Shell\open\Command - "" = boyedt.com
    O33 - MountPoints2\{db634561-1b32-11de-b3a9-001b245595a2}\Shell\AutoRun\command - "" = G:\em8tqm.cmd -- File not found
    O33 - MountPoints2\{db634561-1b32-11de-b3a9-001b245595a2}\Shell\open\Command - "" = G:\em8tqm.cmd -- File not found
    O33 - MountPoints2\{dfeacec5-4ea3-11de-b21d-b4d6a6a43571}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-21-2534576401-1844291947-600103340-1263\explorer.exe
    O33 - MountPoints2\{dfeacec5-4ea3-11de-b21d-b4d6a6a43571}\Shell\open\command - "" = RECYCLER\S-1-6-21-2534576401-1844291947-600103340-1263\explorer.exe
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

==================


Check here for a possible solution to your task manager issue.
http://www.vistax64.com/tutorials/103275-t...le-disable.html
========================================================
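The O33 lines in that fix script are worth reading as a pattern, not only as entries to delete: Windows records under MountPoints2 how each previously inserted volume's autorun.inf asked to be handled, so an executable name in an AutoRun or open command means a volume once asked Explorer to launch it. The ten entries show the three shapes such commands take: a bare file name (run from the volume root), a drive-letter path to media that is no longer present, and a path under a RECYCLER folder posing as a Recycle Bin. The parser below is an added example, not OTL's code or anything from the thread; its sample input is those ten lines reproduced verbatim.

```python
"""Triage OTL 'O33 - MountPoints2' entries: autorun handlers Windows remembered from removable volumes.

Added example; not OTL's own code or anything from the thread.
"""
import re

# Sample input: the ten O33 lines from the OTL fix script above, verbatim.
SAMPLE_O33_LOG = r"""
O33 - MountPoints2\{25c8c6c8-e7ad-11dd-a8a9-001b245595a2}\Shell\AutoRun\command - "" = dll32.exe
O33 - MountPoints2\{25c8c6c8-e7ad-11dd-a8a9-001b245595a2}\Shell\open\command - "" = dll32.exe
O33 - MountPoints2\{abbc1708-b8c1-11dd-9305-cd58b1414d3c}\Shell\AutoRun\command - "" = F:\dll32.exe -- File not found
O33 - MountPoints2\{abbc1708-b8c1-11dd-9305-cd58b1414d3c}\Shell\open\command - "" = F:\dll32.exe -- File not found
O33 - MountPoints2\{beccc5bb-3e75-11de-a139-001b245595a2}\Shell\AutoRun\command - "" = boyedt.com
O33 - MountPoints2\{beccc5bb-3e75-11de-a139-001b245595a2}\Shell\open\Command - "" = boyedt.com
O33 - MountPoints2\{db634561-1b32-11de-b3a9-001b245595a2}\Shell\AutoRun\command - "" = G:\em8tqm.cmd -- File not found
O33 - MountPoints2\{db634561-1b32-11de-b3a9-001b245595a2}\Shell\open\Command - "" = G:\em8tqm.cmd -- File not found
O33 - MountPoints2\{dfeacec5-4ea3-11de-b21d-b4d6a6a43571}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-21-2534576401-1844291947-600103340-1263\explorer.exe
O33 - MountPoints2\{dfeacec5-4ea3-11de-b21d-b4d6a6a43571}\Shell\open\command - "" = RECYCLER\S-1-6-21-2534576401-1844291947-600103340-1263\explorer.exe
"""

# OTL writes the verb as AutoRun/open and the last key as command/Command, hence IGNORECASE.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-f-]+\})\\Shell\\(?P<verb>\w+)\\command - "" = '
    r'(?P<cmd>.*?)(?: -- (?P<note>File not found))?\s*$',
    re.IGNORECASE,
)


def classify_command(cmd):
    """Describe why an autorun command is worth a look, from its shape alone."""
    if re.match(r"^[A-Za-z]:\\", cmd):
        return "absolute path on a drive letter (removable media)"
    if cmd.upper().startswith("RECYCLER\\"):
        return "relative path under a RECYCLER folder (fake Recycle Bin)"
    return "bare file name: runs whatever file of that name sits on the volume root"


def parse_o33(text):
    """Return one finding per O33 line: volume GUID, shell verb, command, missing flag, reason."""
    findings = []
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        findings.append({
            "guid": m.group("guid").lower(),
            "verb": m.group("verb").lower(),
            "command": cmd,
            "missing": m.group("note") is not None,   # OTL could not find the target file
            "reason": classify_command(cmd),
        })
    return findings


def volumes_with_autorun(findings):
    """Distinct volume GUIDs that carried an autorun handler, with the command(s) each one ran."""
    by_guid = {}
    for f in findings:
        by_guid.setdefault(f["guid"], set()).add(f["command"])
    return by_guid


if __name__ == "__main__":
    for f in parse_o33(SAMPLE_O33_LOG):
        flag = " [target missing]" if f["missing"] else ""
        print(f"{f['guid']} {f['verb']:>7}: {f['command']}{flag}\n    {f['reason']}")
```

"File not found" only means the media is not plugged in right now; the handler is still registered, which is why the fix script removes the keys rather than waiting for the file to reappear.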

#7 Ilwuen, Topic Starter

Posted 04 October 2009 - 01:04 AM

Here they are. Task manager still doesn't open.

Cheers,

Attached Files



#8 Buckeye_Sam, Malware Expert

Posted 04 October 2009 - 09:53 AM

Check to verify that this file is present.

C:\Windows\System32\taskmgr.exe
========================================================

#9 Ilwuen, Topic Starter

Posted 04 October 2009 - 10:58 AM

Check to verify that this file is present.

C:\Windows\System32\taskmgr.exe


It is present. Double-clicking it results in the same event: the Windows "loading" symbol appears for less than a second and then nothing happens.

EDIT: Enabling Task Manager through the guide in the link you provided didn't work. My Task Manager is shown everywhere as it should be; it just doesn't do anything when I click it.

Cheers,

Edited by Ilwuen, 04 October 2009 - 11:05 AM.


#10 Buckeye_Sam, Malware Expert

Posted 05 October 2009 - 06:54 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    taskmgr.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
========================================================

#11 Ilwuen, Topic Starter

Posted 05 October 2009 - 08:47 AM

Here it is:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:44 on 05/10/2009 by Ramin (Administrator - Elevation successful)

========== filefind ==========

Searching for "taskmgr.exe"
C:\Windows\System32\taskmgr.exe --a--- 163840 bytes [05:13 27/08/2008] [07:33 19/01/2008] EF8AE178FAE3C5F97E383753EB1DF3BA
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.0.6000.16386_none_122b6d31ac48dff3\taskmgr.exe --a--- 163840 bytes [08:47 02/11/2006] [09:45 02/11/2006] D826545F1051D3675E7FC8AA27858C97
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.0.6001.18000_none_14622f2da933f0c7\taskmgr.exe --a--- 163840 bytes [05:13 27/08/2008] [07:33 19/01/2008] EF8AE178FAE3C5F97E383753EB1DF3BA

-=End Of File=-
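The useful fact in that listing is that the System32 copy carries the same MD5 and size as the 6.0.6001.18000 copy in the WinSxS servicing store, so the binary itself has not been replaced and whatever blocks Task Manager must be somewhere else. The script below, an added example rather than SystemLook's code or anything from the thread, parses filefind output and states that comparison as a verdict; the sample is the log above verbatim, plus a constructed variant with an altered hash to show the mismatch case.

```python
"""Compare a live System32 binary against its WinSxS servicing-store copies from SystemLook filefind output.

Added example; not SystemLook's code or anything from the thread.
"""
import re

# Sample input: the filefind section of the SystemLook log above, verbatim.
SAMPLE_FILEFIND = r"""
Searching for "taskmgr.exe"
C:\Windows\System32\taskmgr.exe --a--- 163840 bytes [05:13 27/08/2008] [07:33 19/01/2008] EF8AE178FAE3C5F97E383753EB1DF3BA
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.0.6000.16386_none_122b6d31ac48dff3\taskmgr.exe --a--- 163840 bytes [08:47 02/11/2006] [09:45 02/11/2006] D826545F1051D3675E7FC8AA27858C97
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.0.6001.18000_none_14622f2da933f0c7\taskmgr.exe --a--- 163840 bytes [05:13 27/08/2008] [07:33 19/01/2008] EF8AE178FAE3C5F97E383753EB1DF3BA
"""

# CONSTRUCTED counter-example: the same listing with the live copy's hash altered to a placeholder,
# so the mismatch path can be exercised without a real tampered file.
TAMPERED_FILEFIND = SAMPLE_FILEFIND.replace(
    r"C:\Windows\System32\taskmgr.exe --a--- 163840 bytes [05:13 27/08/2008] [07:33 19/01/2008] EF8AE178FAE3C5F97E383753EB1DF3BA",
    r"C:\Windows\System32\taskmgr.exe --a--- 163840 bytes [05:13 27/08/2008] [07:33 19/01/2008] 00000000000000000000000000000000",
)

# path  attributes  size bytes  [timestamp] [timestamp]  MD5
RECORD_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
# Component version embedded in a WinSxS directory name, e.g. _6.0.6001.18000_
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def parse_filefind(text):
    """Return one record per file line: path, size, MD5 and whether it lives in the WinSxS store."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "md5": m.group("md5").upper(),
                "in_store": "\\winsxs\\" in m.group("path").lower(),
            })
    return records


def check_against_store(records):
    """Verdict on the single live (non-WinSxS) copy: does its MD5 match any servicing-store copy?"""
    live = [r for r in records if not r["in_store"]]
    store = [r for r in records if r["in_store"]]
    if len(live) != 1 or not store:
        return {"verdict": "inconclusive",
                "reason": "need exactly one live copy and at least one store copy"}
    live = live[0]
    for r in store:
        if r["md5"] == live["md5"]:
            ver = VERSION_RE.search(r["path"])
            return {"verdict": "match",
                    "version": ver.group(1) if ver else None,
                    "md5": live["md5"],
                    "same_size": r["size"] == live["size"]}
    return {"verdict": "mismatch",
            "md5": live["md5"],
            "store_md5s": sorted(r["md5"] for r in store)}


if __name__ == "__main__":
    print(check_against_store(parse_filefind(SAMPLE_FILEFIND)))
    print(check_against_store(parse_filefind(TAMPERED_FILEFIND)))
```

A match against the store copy for the installed service-pack level is the expected result on a healthy system; a mismatch says the live file differs from everything Windows itself has installed and should be hashed against a known-good copy before anything else is concluded.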

#12 Buckeye_Sam, Malware Expert

Posted 05 October 2009 - 05:50 PM

Try opening each of these files to see if the same thing occurs.

C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.0.6000.16386_none_122b6d31ac48dff3\taskmgr.exe
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.0.6001.18000_none_14622f2da933f0c7\taskmgr.exe



If so, then we need to look for a policy that is denying Task Manager. What do you know about these?

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0

========================================================
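Of the policy values listed, EnableLUA = 0 is the one a defender would stop at: it switches UAC off entirely, so everything in an administrator session already runs elevated. The value that actually blocks Task Manager is DisableTaskMgr under the same policies\System key, which does not appear in the listing above (that listing shows only HKLM values). The audit below is an added example, not OTL's code or anything from the thread; it parses O6 lines, normalises the value names, and flags UAC-weakening settings and a Task Manager lockout. The sample is the sixteen lines above plus one constructed HKCU line carrying DisableTaskMgr = 1.

```python
"""Audit OTL 'O6' policy lines for UAC weakening and a Task Manager lockout.

Added example; not OTL's own code or anything from the thread.
"""
import re

# Sample input: the sixteen HKLM lines quoted above, plus one CONSTRUCTED HKCU line
# carrying DisableTaskMgr = 1, the policy value that stops Task Manager from starting.
SAMPLE_O6_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
"""

O6_RE = re.compile(r"^O6 - (?P<hive>HKLM|HKCU)\\(?P<key>[^:]+): (?P<name>\w+) =\s*(?P<value>.*)$")

# Lower-cased value name -> (acceptable values, what an unacceptable value means).
# None stands for "value absent"; for these three the absent value leaves the secure default in force.
CHECKS = {
    "enablelua": ({None, 1}, "UAC is switched off: everything in an admin session runs fully elevated"),
    "promptonsecuredesktop": ({None, 1}, "UAC prompts are not isolated on the secure desktop"),
    "disabletaskmgr": ({None, 0}, "Task Manager is disabled by policy"),
}


def parse_o6(text):
    """Map (hive, lower-cased value name) -> int value, or the raw string for non-numeric data."""
    policies = {}
    for line in text.splitlines():
        m = O6_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("value").strip()
        value = int(raw) if raw.isdigit() else raw
        policies[(m.group("hive").upper(), m.group("name").lower())] = value
    return policies


def audit(policies):
    """Return one finding per checked value that falls outside its acceptable set."""
    findings = []
    for (hive, name), value in sorted(policies.items()):
        if name in CHECKS and value not in CHECKS[name][0]:
            findings.append({"hive": hive, "name": name, "value": value, "issue": CHECKS[name][1]})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_o6(SAMPLE_O6_LOG)):
        print(f"{finding['hive']} {finding['name']} = {finding['value']}: {finding['issue']}")
```

Registry value names are case-insensitive, which is why the audit lower-cases them before lookup; the same lockout can sit in HKCU or HKLM, so the check is applied to whichever hive the line came from.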

#13 Ilwuen, Topic Starter

Posted 06 October 2009 - 08:01 AM

The same thing occurs. I have to admit that I know nothing about those. What are they?

#14 Buckeye_Sam, Malware Expert

Posted 06 October 2009 - 06:42 PM

They are user account controls.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    TaskMgr
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
========================================================

#15 Ilwuen, Topic Starter

Posted 07 October 2009 - 07:33 AM

You already asked me to download that program. I ran the code you requested and attached is the log.

Regards,

Attached Files


Edited by Ilwuen, 07 October 2009 - 07:36 AM.

