XP malware, cannot access tools


5 replies to this topic

#1 SMallbirdie (Members)
Posted 27 October 2009 - 07:28 PM

I'm having a serious problem with my PC. (For the record I have disconnected it from everything but the printer and am currently on my laptop) I'm running WindowsXP Home edition, and I'm 99% sure I've got the SP3, 100% sure I've got at least SP2. I use Mozilla Firefox for most of my internet needs, although sometimes I use IE for things not supported by Firefox such as PCPitStop's test center. The computer is used by my husband, myself and our roommate. With both of them being 100% male, I'm almost certain one of them has accidentally downloaded something from a dirty site (even though I've warned both of them not to accept ANYTHING, EVER!) :thumbsup:

Backstory: I returned from work today at about one o'clock (PST); my husband says the computer is off due to a 15 minute power outage (wonderful). He tells me that he was on Firefox today at about 10:30-ish, and after he closed the window he cleared the private data (I have it set to ask to be cleared when Firefox is closed), and after he clicked the "clear data now" button an antivirus firewall thing (his words) came up and filled the screen. It was shortly after that that we lost power. This confused me because none of my anti-anything programs come up unannounced. I turned the computer on, and first things first I tried to log into the admin account, but it wouldn't load and the computer froze. Double wonderful. I do a hard reset and try to log onto the guest account, which I do successfully. First thing I notice is the nasty links on the desktop: youporn.com, porntube.com and nudetube.com.

Immediately an IE page opened up (since I didn't initiate it, I closed it before it could load), and a strange program popped up that looked like a virus scanner, SecurityTool. Its icon is a blue shield with two gears. Having seen phony scanners before, I just said wtf? and closed it down. Then I started getting bubbles in my task bar tray:
"Security Tool Warning sndvol32.exe (or ccsetup223.exe, or scvhost.exe, or whatever other program I've recently tried) is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using sndvol32.exe to connect to remote host."
"Your PC is still infected with dangerous viruses. Activate antivirus protection to prevent data loss and avoid the theft of your credit card details. Click here to activate protection."
"Spyware.IEMonster activity detected. This is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs. Click here to remove it immediately with Security Tool."

Even though it says Security Tool, it comes from the blueshield icon of SecurityTool, not the Windows Security shield.

Checking the properties of the SecurityTool shortcut that had appeared on the desktop, I found that the target is C:\Documents and Settings\All Users\Application Data\06615927\06615927.exe

It was created at 9:59 am this morning, which is strange to me since my roommate left for work at 7:30, my husband didn't wake up until 10:30, and I was at work until 1pm.

After closing the windows, my desktop blanked out to blue- no icons, no picture, just the task bar. Next step was to try and run my CCleaner- I open it from the start menu and get the error "C:\Program Files\CCleaner\CCleaner.exe Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

Hmm. So I decide to try reinstalling CCleaner, just to see what happens. It tells me I have to be logged in as an administrator (oops, I forgot I limited the guest account), so I log off and try to log in under the admin account, and success, it worked this time! So I reinstall CCleaner in the same place and get the error that it cannot open the location (sorry I didn't copy the exact error, I didn't think this problem would be so tough I needed help!). So I try to install with the name CCleaner2, and it works. I open CCleaner, hit analyze, it starts, and immediately closes. Crap. I try again, renaming the installation folder Help (I need it!) and try again. Same results: it installs, opens, then closes.

I try everything I've got, Ad-Aware, HiJackThis, SpyBot, AVG... nothing opens, much less works. I cannot even access the Task Manager. I tried booting the computer in Safe Mode but all I get is this error:
"We apologize for the inconvenience, but Windows did not start successfully." I can, however, start Windows normally.

I've been searching online for help here on my laptop for a while, and after ignoring the PC's repeated popups demanding that I remove the infections, the PC suddenly went to a blue screen with white letters. Here is what it said, exactly. The grammatical errors are left in place.

A problem has been detected and windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: SPCMDCOM.sys
PAGE_FAULT_IN_NONPAGED_AREA
In this is the first time you've seen this Stop error screen restart your computer. If this screen appears again, follow these steps:
Check to make sure any new hardware of software is properly installed. If this is a new installation, ask your hardware or software manufacturer for nay windows updates you might need.
If problems continue, disable or remove and newly installed hardware or software. Disable BIOS memory options such as your caching or shadowing. if you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.
Technical information:
*** STOP: oxoooooo5o (0xFD3094C2, 0x00000001, 0xFBFE7617, 0x00000000)
***SPCMDCON.SYS - Address FBFE7617 base at FBFE5000 DateStamp 3d6dd67c

((Grammatical errors on the page:
Windows not capitalized
"In this is the first time...", In not If
"...any new hardware of software..." of not or
"...manufacturer for nay windows updates" nay not any
"...or shadowing. if you need..." If not capitalized))

The errors are a dead giveaway that it's not a legit screen. After pounding the heck out of Ctrl+Alt+Del I got the comp to reset.

(After typing most of this post out I relogged in on the PC to find that the SecurityTool no longer automatically appears, some (apparently) random artwork from an image file I have has shown up on the desktop, there is still no desktop image, and unfortunately my anti-malware programs still will not run. I cannot even access CCleaner’s installation file anymore.)

I'm sorry this is so long, I just wanted to give all the information I could think of. If there's some information I'm missing, or something you think I could try please let me know!
Thank you!
~Shyla
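An added example, written for this page and not code from the thread, from BleepingComputer or from the rogue's authors: the shortcut target quoted above sits in a digits-only folder under All Users\Application Data and carries the same digits as its own name. The script below walks a directory tree and reports executables that match that shape. It builds a small throwaway tree for the demo; the folder name 06615927 comes from the post, while the 6-to-10-digit rule, the other folder names and the file contents are constructed assumptions.

```python
r"""Added example (not code from the thread, Security Tool or BleepingComputer):
hunt for the install pattern quoted in the post above, where the rogue's
shortcut targeted
    C:\Documents and Settings\All Users\Application Data\06615927\06615927.exe
i.e. a digits-only folder holding an executable of the same name."""
import os
import re
import tempfile

# Assumption: rogue folders use 6 to 10 decimal digits. Adjust as needed.
NUMERIC_DIR_RE = re.compile(r"^\d{6,10}$")
EXEC_EXTENSIONS = (".exe", ".dll", ".scr")


def find_numeric_dir_executables(root):
    """Walk root and return executables whose parent folder is digits-only
    and whose base name equals that folder name (sorted, absolute paths)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dirname = os.path.basename(dirpath)
        if not NUMERIC_DIR_RE.match(dirname):
            continue
        for filename in filenames:
            stem, ext = os.path.splitext(filename)
            if ext.lower() in EXEC_EXTENSIONS and stem == dirname:
                hits.append(os.path.join(dirpath, filename))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed test data: a fake Application Data tree with a dummy
    placeholder file standing in for 06615927.exe. Nothing here executes."""
    appdata = os.path.join(base, "All Users", "Application Data")
    layout = {
        os.path.join(appdata, "06615927", "06615927.exe"): b"MZ placeholder",
        os.path.join(appdata, "06615927", "config.dat"): b"",
        # digits-only folder, but the executable name differs: not the pattern
        os.path.join(appdata, "20091027", "update.exe"): b"MZ placeholder",
        # ordinary vendor folder, must not be reported
        os.path.join(appdata, "Microsoft", "Crypto", "keys.dat"): b"",
    }
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return appdata


def demo():
    """Build the sample tree, scan it, and return hits relative to the
    Application Data folder with forward slashes (platform independent)."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = build_sample_tree(tmp)
        return [os.path.relpath(h, appdata).replace(os.sep, "/")
                for h in find_numeric_dir_executables(appdata)]


if __name__ == "__main__":
    # On a real XP box you would point find_numeric_dir_executables() at
    # r"C:\Documents and Settings" instead of the temporary tree.
    for hit in demo():
        print("suspicious:", hit)
```

The name match is what keeps the false-positive rate down: plenty of legitimate software writes to numeric folders (update caches, for instance), but a digits-only folder whose only executable is named after the folder is the shape the rogue left behind here.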

#2 boopme (Global Moderator)
Posted 27 October 2009 - 08:02 PM

Hello and welcome. Let's run these. Hopefully after the first we can run the next and your desktop will be back.

Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4.)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer; you will need to run the application again.


If you have Spybot installed temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#3 SMallbirdie (Topic Starter)

Posted 27 October 2009 - 08:15 PM

Hi, and thanks for the reply.
I can't drag the Rkill file onto the grey desktop; it just gives me a black circle/slash. Running it from the flash drive, a DOS box appeared then vanished, leaving behind ncmd.cfxxe and pev.exe. Trying to run ATF-Cleaner.exe opened a box about 2x6 inches large before it immediately vanished. The computer then gave me the phony blue screen again and promptly reset itself. I also tried running Malwarebytes from the flash drive; I get a split second of an hourglass cursor (as happens with every other anti- program I try) and nothing else.
I'm sorry, I really wish I could say more, but nothing is happening.

Edited by SMallbirdie, 27 October 2009 - 08:22 PM.


#4 boopme (Global Moderator)

Posted 27 October 2009 - 08:55 PM

Please try this


Download this Utility and save it to your Desktop.
Double-click the Utility to run it and let it finish.
When it states "Finished! Press any key to exit", press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below.

#5 SMallbirdie (Topic Starter)

Posted 27 October 2009 - 09:33 PM

I think I'm gonna cry :thumbsup:

I couldn't drag the file onto the desktop (it doesn't exist as a regular desktop anymore) but I did drag it into the desktop folder.
This is all I get. The DOS box only opens for a second, then closes. I can't even open the notepad from the pc, it closes it instantly.

It first ran for only a split second, so I did a few repeat runs of it, and this is the longest file I've gotten.

Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB955839\KB955839
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB956802\KB956802
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB958690\KB958690
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB960225\KB960225
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB967715\KB967715
Mount point destination : \Device\__max++>\^

#6 boopme (Global Moderator)

Posted 27 October 2009 - 10:06 PM

Any way you can do that drag thing with RKill? It should fix the desktop that the malware is killing.

Or try this.

Open Task Manager (Ctrl + Alt + Del) and go to File >> New Task (Run...) >> type explorer.exe >> Enter


Then, do a search for your explorer.exe via your search function.

You may find the copy of explorer.exe in either of the locations below:

C:\WINDOWS\ServicePackFiles\i386\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe

Just choose either one of them and copy/paste it to the C:\WINDOWS folder.


There is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

Next please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.

I know you said HJT/DDS won't run but it may if RKill works.

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.



