
Swine Flu has attacked my computer!!!


This topic is locked
11 replies to this topic

#1 tait

Posted 30 October 2009 - 05:20 PM

I was helped by garmana in the "Am I infected? What do I do?" forum, and he told me to post a log created by peek.bat and a log created by "DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt". Here are the two logs.

When running peek.bat, this is what was in the log:

Volume in drive C is Enterprise-C
Volume Serial Number is 7CC6-8478

Directory of C:\WINDOWS\System32

04/22/2009 01:21 AM 175,616 scecli.dll

Directory of C:\WINDOWS\System32

04/22/2009 01:21 AM 561,152 netlogon.dll

Directory of C:\WINDOWS\System32

04/22/2009 01:20 AM 61,952 cngaudit.dll
3 File(s) 798,720 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03

04/22/2009 01:20 AM 12,288 cngaudit.dll
1 File(s) 12,288 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7100.0_none_a900dabd2e31405b

04/22/2009 01:21 AM 175,616 scecli.dll
1 File(s) 175,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7100.0_none_6eaaafa48d0fb9a0

04/22/2009 01:21 AM 561,152 netlogon.dll
1 File(s) 561,152 bytes

Total Files Listed:
6 File(s) 1,547,776 bytes
0 Dir(s) 209,295,450,112 bytes free



When running the cmd prompt code, this is what it produced in its log file:
Volume in drive C is Enterprise-C
Volume Serial Number is 7CC6-8478

Directory of C:\Windows\System32

04/22/2009 01:21 AM 175,616 scecli.dll

Directory of C:\Windows\System32

04/22/2009 01:21 AM 561,152 netlogon.dll
2 File(s) 736,768 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7100.0_none_a900dabd2e31405b

04/22/2009 01:21 AM 175,616 scecli.dll
1 File(s) 175,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7100.0_none_6eaaafa48d0fb9a0

04/22/2009 01:21 AM 561,152 netlogon.dll
1 File(s) 561,152 bytes

Total Files Listed:
4 File(s) 1,473,536 bytes
0 Dir(s) 209,295,372,288 bytes free





What I have noticed is that Firefox will crash when opened, and Spybot will not open either. Internet Explorer will randomly open with ad-like websites. Every once in a while AVG Free will pop up saying a virus was blocked, and it is usually a program called b.exe, rundll32.exe, crss.exe, or taskeng.exe.

When I opened RKill it said "info: no tasks running with the specified criteria", then it printed "the operation was completed successfully" 6 times. I then opened DDS and a blank cmd screen flashed on, then off, leaving no Notepad documents. Then I tried RootRepeal; when I open the program it says "FOPS - DeviceIoControl Error! Error code = 0xc0000024 Extended Info (0x000000e4)". I clicked OK and followed the instructions on how to scan. When I click Scan it says "could not initialize driver! Please contact the author!" I click OK, then another error pops up saying "Error dumping SSDT (0xc0000024)!" I click OK, then another error appears: "attempt to read from address: 0x00000004". I click OK, and then another error: "DeviceIoControl Error! Error code = 0x0". When I click OK it closes. Thank you so much for your time!

I am running 32-bit Windows 7 Ultimate, the evaluation copy build 7100. If you need to know anything else, please let me know. Any help is much appreciated! Thank you for your time!
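The DIR listing in the post above is a triage check: a DLL in System32 whose size differs from every copy Windows keeps of that component in the winsxs store is a candidate for having been replaced (in this log, cngaudit.dll is 61,952 bytes in System32 but 12,288 bytes in winsxs). As an added example, not code from this thread or from any BleepingComputer tool, here is a Python script that parses that DIR /a/s output and flags such files. SAMPLE_DIR_LOG is constructed from the log in the post; sha256_of and same_content are my own helpers for checking two files on a live system, where a size comparison alone is not enough.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: the peek.bat / DIR /a/s listing from the first post, trimmed
# to the lines the parser cares about (directory headers and file entries).
SAMPLE_DIR_LOG = r"""
 Volume in drive C is Enterprise-C
 Volume Serial Number is 7CC6-8478

 Directory of C:\WINDOWS\System32

04/22/2009 01:21 AM 175,616 scecli.dll

 Directory of C:\WINDOWS\System32

04/22/2009 01:21 AM 561,152 netlogon.dll

 Directory of C:\WINDOWS\System32

04/22/2009 01:20 AM 61,952 cngaudit.dll
 3 File(s) 798,720 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03

04/22/2009 01:20 AM 12,288 cngaudit.dll
 1 File(s) 12,288 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7100.0_none_a900dabd2e31405b

04/22/2009 01:21 AM 175,616 scecli.dll
 1 File(s) 175,616 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7100.0_none_6eaaafa48d0fb9a0

04/22/2009 01:21 AM 561,152 netlogon.dll
 1 File(s) 561,152 bytes
"""

# "Directory of <path>" header and "<date> <time> <size> <name>" entry lines of DIR /s.
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_log(text):
    """Return a list of (directory, filename, size_bytes) tuples from DIR /s output."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            size = int(m.group(3).replace(",", ""))  # DIR prints sizes with thousands separators
            entries.append((current_dir, m.group(4).lower(), size))
    return entries


def find_mismatches(entries):
    """Compare each System32 file with the same-named copies under winsxs.

    Returns {name: {"system32": size, "winsxs": [sizes]}} for every file whose
    System32 size matches none of the component-store copies.
    """
    system32 = {}
    winsxs = defaultdict(set)
    for directory, name, size in entries:
        d = directory.lower()
        if d.endswith("\\system32"):
            system32[name] = size
        elif "\\winsxs\\" in d:
            winsxs[name].add(size)
    mismatches = {}
    for name, size in system32.items():
        store_sizes = winsxs.get(name)
        if store_sizes and size not in store_sizes:
            mismatches[name] = {"system32": size, "winsxs": sorted(store_sizes)}
    return mismatches


def sha256_of(path):
    """SHA-256 of a file on a live system (helper for a stronger check than size)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def same_content(path_a, path_b):
    """True when two files (e.g. the System32 DLL and its winsxs copy) are byte-identical."""
    return sha256_of(path_a) == sha256_of(path_b)


if __name__ == "__main__":
    for name, info in find_mismatches(parse_dir_log(SAMPLE_DIR_LOG)).items():
        print(f"{name}: System32 copy is {info['system32']} bytes, winsxs copies are {info['winsxs']}")
```

A size mismatch is only a lead: a replacement can be padded to the original length, and an infected machine cannot be trusted to report on itself, which is why the thread later has the user restore the file from the component store while booted into WinRE rather than from the running system. On a live system, same_content gives a stronger comparison than the sizes, and any flagged file should be verified against a known-good copy before it is touched.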

#2 myrti

Posted 06 November 2009 - 12:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 tait

Posted 07 November 2009 - 11:13 AM

The ComboFix.exe did not run. A progress bar appeared after I opened it, but then nothing came up. As stated in my previous posts, I am running Windows 7 Ultimate, the evaluation copy build 7100. Garmana helped me in a previous post and said some of the log-creating programs were incompatible with Windows 7. Once again, I greatly appreciate your time.

#4 myrti

Posted 07 November 2009 - 11:35 AM

Hi,

Sorry, I missed that part somehow.
Please run Malwarebytes instead:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

And please provide a log from OTL:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon (image in the original post) on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button (image in the original post).
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
regards _temp_



#5 tait

Posted 07 November 2009 - 12:53 PM

I installed Malwarebytes Anti-Malware and when I performed the scan the application closed and when I tried to re-open it, it said I do not have appropriate permissions to access the application. Thanks again for your time!

#6 myrti

Posted 07 November 2009 - 03:07 PM

Hi,

That doesn't sound good. Please give me a moment to read up on your previous thread.

regards _temp_

Edited by _temp_, 07 November 2009 - 03:10 PM.



#7 myrti

Posted 08 November 2009 - 06:37 AM

Hi,

Let's try to get a closer look at your problem.

Please run OTL again and use the following settings:
  • Check Scan All Users.
  • For Processes choose none.
  • For Modules choose none.
  • For Services choose none.
  • For Drivers choose none.
  • For Standard Registry choose none.
  • For Extra Registry choose none.
  • For Files Created Within choose none.
  • For Files Modified Within choose none.
  • Under Custom Scans/Fixes paste:
    %systemdrive%\* /s /r
  • Finally hit Run Scan and wait for the log to open.
  • Please post the content of the log into your next reply.
regards _temp_



#8 tait

Posted 12 November 2009 - 12:30 AM

The file is 7 MB and locks up my browser when I try to paste it all, and the max upload attachment size is 512K.

#9 myrti

Posted 12 November 2009 - 07:09 AM

Hi,

Can you please upload the file to a hoster like, for example, file-upload.de and give me the link.

Please also try to download win32kdiag once more:

Download and run Win32kDiag:

regards myrti



#10 tait

Posted 12 November 2009 - 10:39 AM

I tried to run Win32kDiag again, but it still gives me errors and then closes. It did leave a short text document; this is what it left:

Running from: C:\Users\Tait\Desktop\trythis.exe

Log file at : C:\Users\Tait\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEF11.tmp\ZAPEF11.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\CSC\v2.0.6\pq



ERROR OCCURRED!

------------------------------

Windows Version: Windows Vista SP0

Exception Code: 0xc0000005

Exception Address: 0x01112525

Attempt to write to address: 0x00000000


Here is the link for the OTL text file:
http://www.webfilehost.com/?mode=viewupload&id=8058667
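The Win32kDiag output in the post above lists reparse points ("mount points") under C:\Windows whose destination is `\Device\__max++>\^`, which is not a path on any filesystem volume, and every one of them sits in a directory that reparses to a child of the same name; the tool also reported that it could not obtain backup privileges and then crashed with an access violation, so its listing is incomplete. As an added example, not code from this thread or from Win32kDiag, here is a Python parser for that output with a flagging heuristic of my own. SAMPLE_WIN32KDIAG is constructed from the post, plus one benign junction of the kind Windows 7 creates under a user profile, written with the `\??\C:\...` destination form a normal junction uses, to show what does not get flagged.

```python
import re

# Constructed sample: the Win32kDiag output pasted in the post, shortened to a
# few findings and the crash record, plus one benign junction (constructed) for contrast.
SAMPLE_WIN32KDIAG = r"""
Running from: C:\Users\Tait\Desktop\trythis.exe

Log file at : C:\Users\Tait\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Users\Tait\Documents\My Music

Mount point destination : \??\C:\Users\Tait\Music

Cannot access: C:\Windows\CSC\v2.0.6\pq

ERROR OCCURRED!

------------------------------

Windows Version: Windows Vista SP0

Exception Code: 0xc0000005

Exception Address: 0x01112525

Attempt to write to address: 0x00000000
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
NOACCESS_RE = re.compile(r"^Cannot access:\s*(.+?)\s*$")
EXC_RE = re.compile(r"^Exception Code:\s*(0x[0-9a-fA-F]+)")
# Destinations that resolve to a real volume: \??\<drive>:\... or \Device\HarddiskVolumeN...
VOLUME_DEST_RE = re.compile(r"^(\\\?\?\\[A-Za-z]:\\|\\Device\\HarddiskVolume\d+)", re.IGNORECASE)


def parse_win32kdiag(text):
    """Turn Win32kDiag's text output into a dict of mount points, inaccessible paths,
    whether backup privilege was obtained, and the exception code if the tool crashed."""
    report = {"mount_points": [], "inaccessible": [], "backup_privilege": True, "exception_code": None}
    pending_path = None  # "Found mount point" line waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("WARNING: Could not get backup privileges"):
            report["backup_privilege"] = False
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_path = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_path is not None:
            report["mount_points"].append({"path": pending_path, "destination": m.group(1)})
            pending_path = None
            continue
        m = NOACCESS_RE.match(line)
        if m:
            report["inaccessible"].append(m.group(1))
            continue
        m = EXC_RE.match(line)
        if m:
            report["exception_code"] = m.group(1).lower()
    return report


def suspicious_mount_points(report):
    """Heuristic of my own, not Win32kDiag's: flag a reparse point whose destination is
    not a filesystem volume path, and one nested under a directory of the same name."""
    flagged = []
    for mp in report["mount_points"]:
        reasons = []
        if not VOLUME_DEST_RE.match(mp["destination"]):
            reasons.append("destination is not a filesystem volume path")
        parts = mp["path"].rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("reparse point nested under a directory of the same name")
        if reasons:
            flagged.append({**mp, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_WIN32KDIAG)
    if not rep["backup_privilege"]:
        print("note: tool ran without backup privilege, listing may be incomplete")
    if rep["exception_code"]:
        print(f"note: tool crashed with exception {rep['exception_code']}, listing is incomplete")
    for f in suspicious_mount_points(rep):
        print(f"{f['path']} -> {f['destination']}: {'; '.join(f['reasons'])}")
```

Both flags are reasons to look closer, not verdicts: legitimate junctions always point at a volume path, so a destination that does not is the stronger signal, while a same-named nested reparse point is merely unusual. The parser also surfaces the two conditions (no backup privilege, a crash) that mean the scan did not cover the whole directory tree, which matters when deciding whether a clean-looking report can be trusted.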

#11 myrti

Posted 12 November 2009 - 06:25 PM

Hi,

I was utterly convinced that we had already done the following step. :( But obviously we haven't. Please try to do the following:

Booting into the Windows 7 WinRE Environment using Windows7 disk

Please insert your Windows 7 installation media into your CD-ROM/DVD drive and reboot your computer. During the reboot and at boot up you should see "Press any key to boot from CD/DVD...". If you see that, please press any key to continue and follow the next set of instructions on "Using the Windows 7 CD Disk to Access the Windows 7 WinRE Environment". If not, please follow the next set of instructions on "How to Configure the System to Boot from CD/DVD" and then follow the steps in "Using the Windows 7 CD Disk to Access the Windows 7 WinRE Environment".

How to Configure the system to boot from CD/DVD

Some machines will automatically attempt boot from the CD if a CD is inserted, if that is the case, please skip the instructions below...
  • Please reboot your machine or turn it on (Without the CD)
  • As soon as the BIOS is loaded, begin tapping the F2 or F12 or perhaps F9, F10 or F11 key (try all of them if unsure, starting with F2).
  • Different Machines have different keys.
  • This will bring up the configuration options, please use your arrow keys to go to the Boot Tab.
  • In the Boot tab, there should be instructions on your right-hand side on how to move your CD/DVD as the top or First Priority
  • After you have moved CD/DVD at the top/first priority, please make sure you SAVE AND EXIT <- Important
  • It will now exit with Configuration settings saved.
Using the Windows 7 CD Disk to Access the Windows 7 WinRE Environment
  • Insert the Windows 7 disk in your computer.
  • Restart your computer so you are booting off of the CD.
  • During the reboot and boot up you will get a message saying: "Press any key to boot from CD", press Enter on your keyboard.
  • Select your language options, Time and Keyboard and press Next
  • At the next prompt select the repair options.
  • Select your Operating System (Windows 7; the main one) from the list, and then press Next
  • Now press the Command Prompt option.
  • Enter the following code line by line one at a time and pressing enter on your keyboard on each line.
  • Wait for each command to be completed before continuing with the next one.
    copy C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll C:\WINDOWS\System32\cngaudit.dll
  • Press the Restart button Posted Image and remove your Windows 7 disk from the DVD drive. Windows should now begin to load.
If Windows 7 boots up successfully, please run a scan with peek.bat again. Please also try to run win32kdiag again.

regards _temp_



#12 myrti

Posted 20 November 2009 - 06:10 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti





