
'Protection System' virus


6 replies to this topic

#1 scouttrevor

scouttrevor

  • Members
  • 4 posts
  • Local time:07:02 AM

Posted 20 October 2009 - 06:10 PM

Hello

This is the first time I've had a virus so I'm a little new to the technical terms and am trying to follow the advice given on this forum.
(BTW - the advice has been v clear and easy to follow - thanks!!)


I have had the 'Protection System' virus since yesterday (the one that masquerades as an anti-virus). I haven't accepted anything nor bought it but it keeps putting distasteful shortcuts on my desktop, has cut me off from the internet, disabled some of my own scanware and keeps putting up pop-ups pushing me to buy it.

I read your threads and tried to install Malwarebytes' Anti-Malware but it won't run and closes after 5 seconds. I then ran a CD with AVG as suggested on one of the threads. After this ran, I still was unable to run the Malware software - even in safe mode.

I am using my friend's computer and have downloaded the DDS screen saver and have managed to run it on this (healthy) PC and obtain the log files with ease. On my PC I have tried several times and rebooted, but no logs are being produced. Indeed after some time of trying - even that welcome message isn't displayed and it just closes without warning.

I don't really know where to go from here. I'm not overly technical so I don't know if there is somewhere I should be looking to start with. Any help would be much appreciated.

PS I am running on Vista.

Thanks

Edited by The weatherman, 20 October 2009 - 06:18 PM.
Moved from HJT to a more appropriate forum. Tw



#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:03:02 AM

Posted 21 October 2009 - 08:41 PM

Welcome to BC


We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

==========================


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 scouttrevor

scouttrevor
  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:02 AM

Posted 23 October 2009 - 01:12 PM

Hello Garmanma

Thanks for your detailed reply.
I tried to run RootRepeal but kept getting kicked off. I was trying to get back into the system to try the rename way of running it, but unfortunately I cannot even get into the system now. When I boot up I get a 'Windows activation' window with the message
'An unauthorized change has been made to Windows'
Windows has discovered a change that will result in limited Windows functionality. Use the link below to find out how to fix Windows.

I then have 2 options:
1) learn more on-line
2) close.

I click on 1 and am sent to the Microsoft website (even though I can't get any other websites). Microsoft then runs a validation test which I fail (which I shouldn't as this is a genuine Vista installation) and it needs me to run a few steps starting with navigating from the start menu - but now I don't even see that! So I'm pretty stuck as to where to go next!

Any ideas very welcome!!

(PS I can still get into safe mode but from here I cannot run RootRepeal.exe.)

Thanks.

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:03:02 AM

Posted 23 October 2009 - 07:08 PM

Try the other 2 in safe mode
Mark
Become a BleepingComputer fan: Facebook and Twitter

#5 scouttrevor

scouttrevor
  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:02 AM

Posted 24 October 2009 - 04:15 AM

Hi Mark,

Here we go:

Win32kDiag -

Running from: C:\Users\SaloniNew\Desktop\Win32kDiag(3).exe

Log file at : C:\Users\SaloniNew\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.GpmgmtLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Private.GpmgmtpLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.GPOAdminGrid\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP22DC.tmp\ZAP22DC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP62D8.tmp\ZAP62D8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7AEC.tmp\ZAP7AEC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP862F.tmp\ZAP862F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9482.tmp\ZAP9482.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD480.tmp\ZAPD480.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6AF.tmp\ZAPD6AF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE4F1.tmp\ZAPE4F1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\CSC\v2.0.6\pq



ERROR OCCURRED!

------------------------------

Windows Version: Windows Vista SP1

Exception Code: 0xc0000005

Exception Address: 0x00ab2525

Attempt to write to address: 0x00000000

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

And log.txt -

Volume in drive C has no label.
Volume Serial Number is C844-D06E

Directory of C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

11/04/2009 07:28 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

11/04/2009 07:28 592,896 netlogon.dll
1 File(s) 592,896 bytes

Directory of C:\Windows\System32

18/01/2008 23:36 177,152 scecli.dll

Directory of C:\Windows\System32

18/01/2008 23:35 592,384 netlogon.dll
2 File(s) 769,536 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

02/11/2006 10:46 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

18/01/2008 23:36 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

02/11/2006 10:46 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

18/01/2008 23:35 592,384 netlogon.dll
1 File(s) 592,384 bytes

Total Files Listed:
8 File(s) 3,045,376 bytes
0 Dir(s) 5,723,410,432 bytes free


I hope this makes more sense to you than it does to me!

Have a great weekend and, as always, thank you.

#6 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:03:02 AM

Posted 24 October 2009 - 07:27 PM

The scans show a rootkit infection


Now that you were successful in creating those two logs you need to post them in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
Become a BleepingComputer fan: Facebook and Twitter
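As an added example (not code from this thread, from BleepingComputer, or from the Win32kDiag and RootRepeal tools), here is a small Python triage helper for the two logs Mark asked for: it flags Win32kDiag mount points whose destination is not a normal \??\Volume{GUID}\ target, the shape of the \Device\__max++>\^ entries above, and DLLs from the DIR listing whose System32 copy matches the size of none of its winsxs copies. The log excerpts are constructed; the eventlog.dll sizes and its winsxs directory are invented to show a mismatch.

```python
import re

# Constructed excerpts modelled on the Win32kDiag and DIR logs posted above.
WIN32KDIAG_LOG = """Found mount point : C:\\Windows\\assembly\\tmp\\tmp
Mount point destination : \\Device\\__max++>\\^
Found mount point : C:\\Windows\\CSC\\v2.0.6\\namespace\\namespace
Mount point destination : \\??\\Volume{3a2b1c00-0000-0000-0000-000000000000}\\"""
DIR_LOG = """ Directory of C:\\Windows\\System32
18/01/2008 23:35 592,384 netlogon.dll
18/01/2008 23:36 180,224 eventlog.dll
 Directory of C:\\Windows\\winsxs\\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857
18/01/2008 23:35 592,384 netlogon.dll
 Directory of C:\\Windows\\winsxs\\x86_constructed-eventlog-component
18/01/2008 23:36 167,424 eventlog.dll"""
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-f-]+\}\\$", re.I)  # normal mount-point target
ENTRY_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d +([\d,]+) +(\S+)$")  # DIR line: date time size name

def suspicious_mount_points(log):
    """(path, destination) pairs whose destination is not a \\??\\Volume{GUID}\\ target."""
    hits, path = [], None
    for line in log.splitlines():
        if line.startswith("Found mount point :"):
            path = line.split(":", 1)[1].strip()
        elif line.startswith("Mount point destination :") and path:
            dest = line.split(":", 1)[1].strip()
            if not VOLUME_RE.match(dest):
                hits.append((path, dest))
            path = None
    return hits

def dll_sizes(log):
    """dll name -> {directory: size in bytes} parsed from DIR /a/s output."""
    sizes, cur = {}, None
    for line in log.splitlines():
        if "Directory of " in line:
            cur = line.split("Directory of ", 1)[1].strip()
        elif (m := ENTRY_RE.match(line.strip())) and cur:
            sizes.setdefault(m.group(2).lower(), {})[cur] = int(m.group(1).replace(",", ""))
    return sizes

def system32_mismatches(log):
    """DLLs whose System32 copy has a size that no winsxs copy of it has (a patched-file hint)."""
    bad = []
    for dll, by_dir in dll_sizes(log).items():
        sys32 = {s for d, s in by_dir.items() if d.lower().endswith("\\system32")}
        store = {s for d, s in by_dir.items() if "\\winsxs\\" in d.lower()}
        if sys32 and store and sys32.isdisjoint(store):
            bad.append(dll)
    return sorted(bad)
```

The size comparison is only a first hint: a patched DLL can keep its original size, so comparing the System32 file's hash against the matching winsxs copy is the stronger check.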

#7 scouttrevor

scouttrevor
  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:02 AM

Posted 26 October 2009 - 07:30 AM

Hi Mark

Thank you so much for your help.

Much much appreciated
