
The Mother of All Infections


This topic is locked
59 replies to this topic

#1 bobpsmith

  • Members
  • 47 posts

Posted 15 October 2009 - 08:22 PM

I have a Bad@ss infection, it is similar to what is described on your home page under the topic "AntiSpy Protector 2009 + Rootkit = Big Trouble!" I believe my nephew downloaded GreenAV.exe and that is how I got it, but I don't know.

I got rid of GreenAV.exe manually along with a few others, but my Google search results were still hijacked. Something a bit more disturbing was also still happening: my AV software routinely crashed (well, most of the time it crashed, but sometimes it didn't, which really confused me) and was unable to fix the problem.

I have downloaded a number of malware removal programs, but the rootkit shuts all of them down and then takes away my permission, telling me "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Here is a list of all of them.

HijackThis (tried in safe mode and renaming)
Malwarebytes (tried in safe mode and renaming)
RootRepeal (tried in safe mode and renaming)
dds.scr

:( :(


#2 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 15 October 2009 - 08:40 PM

Greetings bobpsmith and Welcome to the forums,

Please do the following:
Open your command prompt (start-->run...then type CMD and click OK) and paste the following, then press your enter key:
@SC CONFIG EVENTLOG START= DISABLED
...you should receive a "Success" message returned. If so, try running mbam again and perform a manual update, then do a quick scan and post back THAT log. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 15 October 2009 - 09:23 PM

Never even heard of that! Trying now.

#4 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 15 October 2009 - 09:29 PM

Windows cannot find '@SC'. Make sure you typed the name correctly, and then try again.

That is the error message I get when I enter "@SC CONFIG EVENTLOG START= DISABLED" in the run line. I am running Vista home premium if that means anything to you.

Thank you so much for the speedy reply BTW.

#5 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 16 October 2009 - 06:32 AM

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click combofix's window while it's running....that may cause the scan to stall.



#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 16 October 2009 - 08:28 AM

I might add, the instruction in post #2 should have yielded you a positive result. However, since I made the assumption that you were running Windows XP (still, the most widely used O/S on the web to date), the vital instruction to run the command in Administrative mode (for Vista) was overlooked.

In Windows Vista (as in Windows 7), to elevate the user status for running something in administrative mode is very simple. Right click on the executable file you want to run and select "Run as administrator". For this user session and for that particular program, the status is elevated above the limited user account. When you close the program however, the elevated privilege is removed and you would have to go through the above detailed steps once more if you wanted to run the program again with elevated status.

Just for future reference, you can change the status of any program you want to run in administrator mode (each time it runs) without having to run the entire system in the "Administrator" user account.

All shortcuts in Windows Vista (and Windows 7) have a special property that you can set that will allow the application to run as Administrator.

To set this property, just right-click on any shortcut, and click the Advanced button on the Shortcut page to get to the Advanced Properties dialog. You'll see a dialog with a checkbox for "Run as administrator"...check that box and click "Apply" and "OK". From then on, the application will always run as administrator if you use the shortcut to launch it. (You'll be prompted by UAC if you have it enabled).

Note...most Vista and 7 users know this but also forget on occasion so a gentle reminder is sometimes all it takes.



#7 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 16 October 2009 - 10:28 AM

I am at work so I am unable to try and run combo fix now, but I will do so when I get home. You assumed I was running XP, and I wish I was running XP. Alas, I bought at BestBuy so I was stuck with Vista, and let me tell you, it has been trying. I may have made a really dumb mistake last night in post #2 so I will have to double check that. I hope to let you know what happened around 7pm.

#8 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 16 October 2009 - 07:41 PM

When I tried #2 last night, all I did was paste "@SC CONFIG EVENTLOG START=DISABLED" in the run box. This time I did it right; this is what happened.


C:\users\[my user name]>@SC CONFIG EVENTLOG START=DISABLED
DOS/32A -- Protected Mode Run-time Version 7.2
Copyright Supernar Systems, Ltd. 1996-2002
SC/32A fatal: DOS/32A environment variable is not set up properly
You need to reinstall DOS/32 Advanced DOS Extender on this computer

C:\users\THEMAT~1>


I am going to try doing the same in safemode.

Edited by bobpsmith, 16 October 2009 - 08:32 PM.


#9 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 17 October 2009 - 01:04 AM

I was able to turn off the eventlog through services.msc but it did no good. I tried to use combo fix but it crashed (no cmd like box came up) and now my desktop background is black (no other ill effects that I can tell at the moment).

This is a nightmare. There is an army of you guys :) that can raise the dead (computers) using diagnostic logs and other tools :( , but my problem is that this thing from hell shuts down every program that I throw at it :) .

There has got to be someone with a good idea, something, :) because this thing is driving me stark raving mad. :(

#10 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 17 October 2009 - 08:55 AM

DOS/32A -- Protected Mode Run-time Version 7.2
...indicates to me that you did not open the command prompt in "Administrative" mode. The Protected Mode relates to the UAC in windows vista.

Regardless, I see you got the idea in spite of the fact that I forgot to edit the command I posted for windows vista...I had a brain lapse thinking I was still working on an XP machine. Happens when we work multiple logs at the same time. My fault, not yours.

Is your black screen just the background? Is all else ok...ie, start button, task bar etc. all present?

Edit added:
Also, I should ask...when you ran combofix, did you right-click on it and select "Run as administrator"? Or did you just double-click it?

Edited by 1972vet, 17 October 2009 - 08:56 AM.



#11 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 17 October 2009 - 09:44 AM

DOS/32A -- Protected Mode Run-time Version 7.2
...indicates to me that you did not open the command prompt in "Administrative" mode. The Protected Mode relates to the UAC in windows vista.

So to do this I have to find cmd.exe and then open as administrator?

Is your black screen just the background? Is all else ok...ie, start button, task bar etc. all present?

Yes, task bar, start button, system tray and icons are all fine. The background is black (for all users) and I am unable to change it through the vista "personalize" menu. In the "personalize" menu all the previews are just large .jpg icons.

Bob SAID: Also, I should ask...when you ran combofix, did you right-click on it and select "Run as administrator? or did you just double-click it?

Both actually, first I just double clicked and a small bar (about 2 inches across) came on the screen, filled up (90 seconds or so) and then disappeared. At this point I waited for 10 to 15 minutes and after nothing happened I remembered and ran as administrator. The small bar came up and this time it took a long time to fill (about 20 minutes) and then just sat there for another 45 minutes. After that I rebooted into safe mode and tried it there, at that point combo fix behaved like it did the first time i.e., filling quickly and then disappearing.

bobpsmith SAID: I was able to turn off the eventlog through services.msc but it did no good.


Is this what the command should have done? Because this did nothing that I could tell (all antimalware still crashes and then takes away my permission to run it).

Just a quick question, how rare is my case, where the malware kills all anti-malware programs and takes away permissions?

Edited by bobpsmith, 17 October 2009 - 09:46 AM.


#12 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 17 October 2009 - 10:44 AM

Is this what the command should have done?
Yes.
Just a quick question, how rare is my case, where the malware kills all anti-malware programs and takes away permissions?
Not so rare anymore. This infection has been showing up more and more lately.

Instruction from post #2

Please do the following:
Open your command prompt (start-->run...then type CMD and click OK) and paste the following...

...should have been worded quite differently for you I see.

To have done that correctly (In Vista), one would have done the following:
click start-->all programs-->accessories, scroll to the command prompt, right click on it and select "Run as administrator".

The whole thing now is a moot point, since you have already stopped the eventlog service. I just thought I'd explain that better so you can understand how to run command prompt in administrator mode.

We need to carry on a bit differently. Please download the Win32kDiag.exe tool from the following location and save it to your desktop:
http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

Double-click on this file and post the contents on your next reply. Thanks!



#13 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 17 October 2009 - 08:49 PM

Thanks for the info; not only am I fixing my computer, I'm getting smarter. I just ran Win32kDiag.exe, and it went ALL THE WAY THROUGH (!!!!! :( ). At one point it paused for about 5 minutes, and I thought for sure this had gone the way my last eight gillion tries had gone (I even started to write a new post telling you how it failed), but it turned out to be the first thing that worked in 2 months :( . Here is the log.

Running from: C:\Users\The Matrix Gang\Desktop\Win32kDiag.exe

Log file at : C:\Users\The Matrix Gang\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

...
...

(THE FILE WAS TOO LONG SO I MADE IT AN ATTACHMENT, hope that's OK)

...
...

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames
Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe
[1] 2009-04-11 01:28:11 217088 C:\Windows\System32\WerFault.exe ()
[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe ()
[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe ()
[1] 2008-09-19 23:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)
[1] 2009-04-11 01:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe
[1] 2009-04-11 01:28:11 217088 C:\Windows\System32\WerFault.exe ()
[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe ()
[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe ()
[1] 2008-09-19 23:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)
[1] 2009-04-11 01:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe
[1] 2009-04-11 01:28:11 217088 C:\Windows\System32\WerFault.exe ()
[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe ()
[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe ()
[1] 2008-09-19 23:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)
[1] 2009-04-11 01:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()

Finished!

I just can't get over the fact that something FINALLY WORKED!!!!
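As an added illustration (not part of this thread, and not code from the Win32kDiag tool), here is a small parser for the log format posted above. It pulls out the two things a responder reads such a log for: mount points whose destination does not resolve under a normal \??\ path (a heuristic assumed here, which is what singles out the \Device\__max++>\^ entry), and each inaccessible file together with the copies of the same file elsewhere on disk that carry a signer name. The log excerpt is constructed in the same format, with the WinSxS directory names shortened.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the format of the Win32kDiag.txt shown in the thread
# (WinSxS directory names shortened; this is not the poster's full log).
SAMPLE_LOG = r"""Running from: C:\Users\Example\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Temp\Normal
Mount point destination : \??\Volume{12345678-0000-0000-0000-000000000000}
Cannot access: C:\Windows\winsxs\x86_errorreporting_6.0.6001.18000\WerFault.exe
[1] 2009-04-11 01:28:11 217088 C:\Windows\System32\WerFault.exe ()
[1] 2008-09-19 23:00:16 217088 C:\Windows\winsxs\x86_errorreporting_6.0.6001.22271\WerFault.exe (Microsoft Corporation)
Finished!
"""

MOUNT = re.compile(r"^Found mount point : (.+)$")
DEST = re.compile(r"^Mount point destination : (.+)$")
DENIED = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (signer)"; the signer field is empty in the log when none was reported
CAND = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

@dataclass
class Report:
    suspicious_mounts: list = field(default_factory=list)  # (mount path, destination)
    denied: dict = field(default_factory=dict)             # path -> [(timestamp, size, path, signer)]

def parse_win32kdiag(text: str) -> Report:
    """Walk the log line by line, tying each destination line to the mount point
    before it and each [n] candidate line to the 'Cannot access' entry before it."""
    report, last_mount, last_denied = Report(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT.match(line):
            last_mount = m.group(1)
        elif (m := DEST.match(line)) and last_mount:
            # Assumed heuristic: a legitimate volume mount point or junction resolves
            # under \??\; any other destination deserves a closer look.
            if not m.group(1).startswith("\\??\\"):
                report.suspicious_mounts.append((last_mount, m.group(1)))
            last_mount = None
        elif m := DENIED.match(line):
            last_denied = m.group(1)
            report.denied.setdefault(last_denied, [])
        elif (m := CAND.match(line)) and last_denied:
            ts, size, path, signer = m.groups()
            report.denied[last_denied].append((ts, int(size), path, signer))
    return report

def signed_candidates(report: Report) -> dict:
    """For each inaccessible file, the listed copies whose signer field is non-empty."""
    return {p: [c[2] for c in cands if c[3]] for p, cands in report.denied.items()}
```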

#14 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 18 October 2009 - 09:26 AM

Click on Start->Run, and copy-paste the following command in Bold text into the "Run" box, and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be another log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents back here on your next reply. Thanks!



#15 bobpsmith

  • Topic Starter
  • Members
  • 47 posts

Posted 18 October 2009 - 09:35 AM

Is this the same one that I put on my last message? Or is this a different one that will replace the one on my desktop now?

P.S. I am not on the infected computer now, so I should get this on at 7pm-ish (is that too late?).
