Protection System infection, and probably something worse


6 replies to this topic

#1 Gizank

  • Members
  • 4 posts

Posted 09 October 2009 - 11:34 PM

Hello, and thank you for reading my tale of woe. Some of my understanding may be incorrect, and some of my memory may be faulty; I apologize for that. This happened about a month ago, but after banging my head against it for several days, I just took the thing off-line and resorted to using my laptop all the time. I've forgotten some of what I have tried to run or do, but I think I can relate the most significant aspects. Most things I tried either failed to run or had no effect and I reversed them.

I know how I got infected and won't be doing those particular things again.

PC in question: Windows XP Pro SP3, Norton Anti-V Corporate, System and apps installed on separate partitions, Boot from D:\. Please ask about anything I have forgotten to include.

My desktop PC started to get wacky, with this Protection System fake virus/spyware/fake software taking over. It has the system tray item and many random pop-ups. Google search results were mis-directing. Desktop shortcuts to porn and Protection system being generated on startup. General mayhem. In the process of trying to fix things I disabled a process called "##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##" and most of this behavior stopped.

Some other things make me think there's something else going on. I can't run/install Malwarebytes, rootrepeal, combofix, and some others. Combofix Blue-screened the few times I tried to run it. Renaming things made no difference. Malwarebytes just plain fails to run after an incredibly long install time, but it shows up in Process Explorer.

No volumes show up in Disk Manager.

At this point, I'm considering re-installing Windows, but I'm worried I'll have to format both my drives and start really clean. I'd rather have the machine running well enough to archive my stuff with my burner instead of moving things around on a thumb drive or something equally painful.

For the most part, I'll use my laptop to d/l apps I need and move them with a thumb drive. If I need to put the PC online, I will, but I'd prefer to not expose it to the internet any more until it's clean.

Any help would be greatly appreciated.

**edit** I will try to respond as quickly as possible, but I'm on-call this week and may be tied up.

Edited by Gizank, 09 October 2009 - 11:37 PM.



#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 11 October 2009 - 08:49 PM


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.


==================================



Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
REM Use %windir% instead of a hard-coded C:\WINDOWS so the listing also works when Windows lives on another drive (here D:\).
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll %windir%\cngaudit.dll >Log.txt
REM Open the listing in the default text viewer, then delete this batch file (%0 is the script's own path).
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to Run a Batch File as an Administrator.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Gizank
  • Topic Starter

  • Members
  • 4 posts

Posted 14 October 2009 - 09:43 PM

Hello!

Thank you for responding. I performed the tasks you asked. Win32Diag.txt encountered an error of some sort, as you'll see in the log file. Peek.bat created an empty log.txt file. I used the code you included and saved my own peek.bat, and again, an empty log.txt file. I will gladly run these again, if you have any changes you want me to make. Of course, I'm on-board for whatever you think I should run.

Thanks again! I will try to respond more quickly in the future.


Here are the results of the first two steps:

Running from: D:\Documents and Settings\Gizank\Desktop\Win32kDiag.exe

Log file at : D:\Documents and Settings\Gizank\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'D:\WINDOWS'...

Finished!

=========================

Volume in drive D is sYs73m
Volume Serial Number is F864-5EFA

Directory of D:\WINDOWS\$NtServicePackUninstall$

2004-08-04 03:56 AM 180,224 scecli.dll

Directory of D:\WINDOWS\$NtServicePackUninstall$

2004-08-04 03:56 AM 407,040 netlogon.dll

Directory of D:\WINDOWS\$NtServicePackUninstall$

2004-08-04 03:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of D:\WINDOWS\ServicePackFiles\i386

2008-04-13 08:12 PM 181,248 scecli.dll

Directory of D:\WINDOWS\ServicePackFiles\i386

2008-04-13 08:12 PM 407,040 netlogon.dll

Directory of D:\WINDOWS\ServicePackFiles\i386

2008-04-13 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of D:\WINDOWS\system32

2008-04-13 08:12 PM 181,248 scecli.dll

Directory of D:\WINDOWS\system32

2008-04-13 08:12 PM 407,040 netlogon.dll

Directory of D:\WINDOWS\system32

2008-04-13 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 10,280,202,240 bytes free
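The point of the DIR /a/s command in post #2 is to see every copy of scecli.dll, netlogon.dll and eventlog.dll under the Windows directory, so that the live copy in system32 can be compared with the pristine service-pack copy in ServicePackFiles\i386: a live copy that differs from its reference is worth a closer look, because these are DLLs that file-infecting malware of this family is known to patch. The listing above shows Windows living on D:\, which is also consistent with the empty Log.txt from peek.bat, since that script looks under C:\WINDOWS. The script below is an added example, not code from the thread or from Win32kDiag, peek.bat or any other tool named in it. It parses a DIR /s listing in the shape pasted above and flags any system32 DLL whose size differs from the ServicePackFiles\i386 copy. The first listing is the one posted in this thread; the second is a constructed variant with one altered line so that a flagged result is visible. The choice of ServicePackFiles\i386 as the reference directory is an assumption of the example.

```python
import re

# Constructed input: the DIR /a/s listing pasted in post #3, reproduced with its
# dates, sizes and paths. Only the column spacing is tidied.
POSTED_LISTING = r"""
 Volume in drive D is sYs73m
 Volume Serial Number is F864-5EFA

 Directory of D:\WINDOWS\$NtServicePackUninstall$

2004-08-04  03:56 AM           180,224 scecli.dll
2004-08-04  03:56 AM           407,040 netlogon.dll
2004-08-04  03:56 AM            55,808 eventlog.dll
               3 File(s)        643,072 bytes

 Directory of D:\WINDOWS\ServicePackFiles\i386

2008-04-13  08:12 PM           181,248 scecli.dll
2008-04-13  08:12 PM           407,040 netlogon.dll
2008-04-13  08:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of D:\WINDOWS\system32

2008-04-13  08:12 PM           181,248 scecli.dll
2008-04-13  08:12 PM           407,040 netlogon.dll
2008-04-13  08:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

     Total Files Listed:
               9 File(s)      1,932,288 bytes
               0 Dir(s)  10,280,202,240 bytes free
"""

# Constructed variant: the live scecli.dll gets a different date and size
# (values made up for the demonstration) to show what a flagged result looks like.
_LIVE_HEADER = " Directory of D:\\WINDOWS\\system32\n\n"
TAMPERED_LISTING = POSTED_LISTING.replace(
    _LIVE_HEADER + "2008-04-13  08:12 PM           181,248 scecli.dll",
    _LIVE_HEADER + "2009-09-10  11:02 PM           181,760 scecli.dll",
)

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, optional AM/PM, size with thousands separators, then a .dll name
FILE_RE = re.compile(r"^\s*\S+\s+\S+\s+(?:[AP]M\s+)?([\d,]+)\s+(\S+\.dll)\s*$", re.IGNORECASE)


def parse_dir_listing(text):
    """Map (directory, filename) -> size in bytes for every .dll in DIR /s output.

    Names are lower-cased because Windows path lookups are case-insensitive.
    Summary lines ("3 File(s) ... bytes") do not end in .dll and are skipped.
    """
    files = {}
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            size = int(m.group(1).replace(",", ""))
            files[(current_dir, m.group(2).lower())] = size
    return files


def compare_copies(files, live_dir, reference_dir):
    """Compare each DLL in live_dir against the same-named copy in reference_dir.

    Returns [(filename, live_size, reference_size, verdict)] sorted by filename.
    A size difference is a triage signal, not proof of tampering: a legitimate
    hotfix can change a file, and a careful patcher can keep the size unchanged.
    """
    live_dir, reference_dir = live_dir.lower(), reference_dir.lower()
    results = []
    for (directory, name), live_size in sorted(files.items()):
        if directory != live_dir:
            continue
        ref_size = files.get((reference_dir, name))
        if ref_size is None:
            verdict = "no reference copy"
        elif ref_size == live_size:
            verdict = "ok"
        else:
            verdict = "SIZE MISMATCH - verify hash/signature"
        results.append((name, live_size, ref_size, verdict))
    return results


def flagged(results):
    """Names whose verdict is anything other than 'ok'."""
    return [name for name, _, _, verdict in results if verdict != "ok"]


if __name__ == "__main__":
    live = r"D:\WINDOWS\system32"
    ref = r"D:\WINDOWS\ServicePackFiles\i386"
    for label, listing in (("posted", POSTED_LISTING), ("tampered", TAMPERED_LISTING)):
        print(f"--- {label} listing ---")
        for row in compare_copies(parse_dir_listing(listing), live, ref):
            print("%-14s live=%-8s ref=%-8s %s" % row)
```

Run against the posted listing, all three live DLLs match their ServicePackFiles\i386 copies byte-for-byte in size, so nothing is flagged; the $NtServicePackUninstall$ copies are the older pre-SP3 versions and are expected to differ, which is why they are not used as the reference. A size match is only a first-pass check: the next step for anything flagged, and the stronger check in general, is to compare file hashes or verify the digital signature of the live copy rather than trust its size.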

#4 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 15 October 2009 - 06:53 PM

See if either one of these scans will work



Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.

=========================================

Please download runscanner.zip and save to your desktop.
  • Create a new folder on your hard drive called Runscanner (C:\Runscanner) and extract (unzip) the file there.
    (click here if you're not sure how to do this.)
  • Double-click Runscanner.exe to launch.
  • Select Beginner mode and click Ok.
  • Select Do a full scan and save a log file (default is Full Scan) to start.
  • Please be patient and do not use your computer during the scan.
  • When the scan is complete, a window will open asking you to save runscanner.run. Click Cancel.
  • Another window will open asking you to save runscanner.log.
  • Save it to your desktop and "Save as type: Runscanner log file [*.log]".
  • The log file will automatically open in Notepad.
  • Go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the log file into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
  • Exit Runscanner when done.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If Runscanner did not work, then reply back here.
Mark

#5 Gizank
  • Topic Starter

  • Members
  • 4 posts

Posted 16 October 2009 - 05:56 PM

Mark,

Thanks again for the help!

I'm getting prepared to do all this, but one question occurred to me which may save some time or a re-run. At this point, I'm pretty sure the problem happened more than a month ago. (The computer has sat unused during this time.) Should I change the default setting in RSIT to something greater than 1 Month?

Thank you!

Jake.

#6 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 17 October 2009 - 04:37 PM

Go ahead and try the default
Mark

#7 Gizank
  • Topic Starter

  • Members
  • 4 posts

Posted 24 October 2009 - 02:45 PM

Mark,

I appreciate your time and help.

I can barely get the machine to start up now, and my level of patience with trying to avoid a wipe and re-install has dissolved. I copied anything I didn't want to lose from my system partition, which is pretty much a few text files I had saved directly to the desktop, and am going to wipe the system partition and do a fresh install of Windows. I will also wipe the partition I use for applications and games after I get Windows working and make note of which things I want to re-install. I am pretty confident this will get me back to Happyland, and if not it will at least give me a stable chance to backup everything I want to keep and wipe all my drives/partitions.

I will be much less apt to wander aimlessly around ill-advised web neighborhoods in the future--and more likely to keep reliable restore points, too.

Thanks again for your help. My schedule just isn't making this a smooth process, and now with it refusing to boot windows the vast majority of times, I have decided to route myself around the whole process.

Sorry to waste your time, but I do appreciate you volunteering to help.

Take care,

Jake.



