
Need Help With infection


26 replies to this topic

#1 Iowa Hawkeye

Iowa Hawkeye

  • Members
  • 17 posts

Posted 10 November 2009 - 12:58 AM

This will take some time to explain but I will try and shorten it. I first realized I had a problem when my Google searches were being redirected to another website other than the one I chose. I will list some of the utilities I have for spyware, malware, adware. I have Spyware Dr. full version, Super anti-spyware Pro, Malwarebytes. I have Comodo anti-virus/firewall suite. It's hard for me to remember the exact events but to make a long story short none of my spyware programs would work. Malwarebytes would update and start but it would abruptly stop and the scan page would disappear. I would try to launch it again and I would get this error: Windows cannot access specified device, path or file. You may not have appropriate permission. This happened with all my scanners. I have my computer set for my administrator rights. I have uninstalled and downloaded and reinstalled all these scanners a few times each. Tried them in Safe Mode without any success. Another forum wanted me to download Hijack This and do a scan, save and post a log. I downloaded HJT, launched it and it started to scan but abruptly stopped and the scan box disappeared. I was told to try and rename Malwarebytes. Didn't work. I was instructed to download and do a scan with Combofix. I did and got the same results. It would start, stop and disappear. I was noticing a lot of activity (activity light on my computer) so I opened Comodo which shows what activity is running. It was something called b.exe. I had no idea what this was so I did a search and found out it was an infection. Next, I used an online scanner (Panda) and it found Trj/Zlob and Generic Trojan but it couldn't clean them. I think I finally did a scan with Comodo (which I should have done first) and it found some things and I quarantined them. I did another Panda scan last night and Zlob didn't show up but the Generic Trojan did. I have been advised to reformat due to not being able to run HJT so they could see what I had or if I still had it.
One other thing that was strange. Combofix's icon would just disappear from my desktop after I tried to run it without success. The HJT icon changed also and I can't remove it from my desktop. Anyway, I thought I would post here so you can tell me to reformat too. :(



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 November 2009 - 08:27 AM

Hello! :(
My name is Sam and I will be helping you.


It's possible that you may have a Virut infection, in which case formatting may be your only option. But we can try a few things and see what we can do.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


======================


Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 10 November 2009 - 09:39 PM

Hi Sam. Thanks for trying to help. Strange, when I go to download at the mirror links, I get 404-not found on two and the third goes to what looks like a Spanish language web site. I can't tell which is Combofix download. Is there a regular web site for Combofix?

Edited by Iowa Hawkeye, 11 November 2009 - 03:02 AM.


#4 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 10 November 2009 - 09:55 PM

I finally found a good download for ComboFix. I renamed it like this, Combo-Fix.exe, before downloading it. I shut off the firewall and anti-virus program then launched Combo-Fix.exe. It didn't scan, instead I got the error: Windows cannot access Specified device, path or file. You may not have appropriate permission. This is the same error I get when trying to run any of the scan programs. I didn't download GMER; I will wait until I hear back from you to go ahead.

Edited by Iowa Hawkeye, 11 November 2009 - 03:02 AM.


#5 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 11 November 2009 - 05:23 AM

I think I better go ahead and format. I was playing a game this morning and it quit. My desktop background theme went away and was replaced by the Windows blue background. I also got an error message saying Windows has encountered a critical problem and will log off in one minute. It didn't say what the problem was. It rebooted and came back to the Windows blue desktop background and I got the same error again. This time I did a System Restore three days back. I got my original desktop background back. Then a Windows problem solver box popped up and said ATI Catalyst was missing a driver and to go to their website and download the driver, I guess. I went to the ATI web site but I have no idea what driver it is I need or how to find out. So lots of things going on and not many good. I didn't get any more of those errors but something is not right. Anyway, let me know what you think.

#6 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 11 November 2009 - 07:09 AM

I started thinking, which is bad for me, but wondered after doing a system restore if it was like XP where you needed to disable it when you did an anti-virus scan or something like that. Anyway, I did another full scan with Comodo and it found seven infections. I quarantined them all. I couldn't tell if they were elevated risk or not. I could possibly post them here if you want. I hope I didn't mess up your plans but without a Combofix log I didn't figure it would hurt anything. I think the hurt has already been done. Let me know what you think.

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 November 2009 - 08:53 AM

System restore doesn't need to be turned off for Combofix.

Please download and run Win32kDiag:
Also go ahead and run Gmer and post that log for me.

#8 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 11 November 2009 - 10:17 AM

Sorry Sam. I did the W32.Diag. and GMER but the log was too long to post for Gmer. Need instructions on how to post it. I think the W32.Diag will fit so I will post it. The W32.Diag never did say it was finished it just stopped. I waited several minutes but it never continued.

Running from: C:\Users\Milt\Desktop\Win32kDiag.exe

Log file at : C:\Users\Milt\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21B3.tmp\ZAP21B3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP456B.tmp\ZAP456B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D78.tmp\ZAP7D78.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-11-07 00:46:34 12 C:\Windows\bthservsdp.dat ()

Edited by Iowa Hawkeye, 11 November 2009 - 10:23 AM.
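For readers triaging a Win32kDiag log like the one above, the point the helper is looking at is the "Mount point destination": a normal junction or mount point resolves to a volume path of the form \??\C:\..., whereas every mount point in this log points at \Device\__max++>\^, which is not a filesystem path and so cannot be opened as an ordinary folder. The script below is an added example, not part of this thread and not Win32kDiag's own code. It parses the log format shown in reply #8, flags each mount point whose destination is not a \??\<drive>: path, notes a second pattern visible in the log (the leaf folder repeating its parent's name, e.g. \Custom\Custom, \temp\temp), and collects the "Cannot access:" entries. The sample log is constructed from the posted output with one benign junction (C:\Windows\Temp\shared_link) added so the filter has a harmless case to let through.

```python
import re

# Constructed sample in Win32kDiag's output format. The \Device\__max++>\^ entries
# are copied from the log posted above; the C:\Windows\Temp\shared_link junction is
# a made-up benign case so the filter has something to pass.
WIN32KDIAG_LOG = r"""
Running from: C:\Users\Milt\Desktop\Win32kDiag.exe

Log file at : C:\Users\Milt\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\shared_link

Mount point destination : \??\C:\Temp

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-11-07 00:46:34 12 C:\Windows\bthservsdp.dat ()
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
NOACCESS_RE = re.compile(r"^Cannot access\s*:\s*(.+?)\s*$")
# A junction/mount point that resolves to a real volume looks like \??\C:\...
VOLUME_DEST_RE = re.compile(r"^\\\?\?\\[A-Za-z]:\\")


def parse_win32kdiag(text):
    """Return ([(mount_path, destination), ...], [inaccessible_path, ...])."""
    mounts, inaccessible = [], []
    pending = None  # mount path waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = NOACCESS_RE.match(line)
        if m:
            inaccessible.append(m.group(1))
    return mounts, inaccessible


def classify_mount(path, destination):
    """Return the list of reasons a mount point deserves a closer look (empty = benign)."""
    reasons = []
    if not VOLUME_DEST_RE.match(destination):
        reasons.append("destination is not a \\??\\<drive>: volume path")
    parts = path.rstrip("\\").split("\\")
    # Heuristic taken from the log in this thread: the hidden folders are nested as
    # <name>\<name>. It is only a secondary hint, not proof on its own.
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        reasons.append("leaf folder repeats its parent's name")
    return reasons


def analyze_win32kdiag(text):
    """Parse a Win32kDiag log and mark each mount point as suspicious or not."""
    mounts, inaccessible = parse_win32kdiag(text)
    findings = []
    for path, dest in mounts:
        reasons = classify_mount(path, dest)
        # The destination check is the decisive one; the name pattern is only reported.
        suspicious = not VOLUME_DEST_RE.match(dest)
        findings.append({"path": path, "destination": dest,
                         "reasons": reasons, "suspicious": suspicious})
    return {"mount_points": findings, "inaccessible": inaccessible}


if __name__ == "__main__":
    result = analyze_win32kdiag(WIN32KDIAG_LOG)
    for f in result["mount_points"]:
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{tag:10} {f['path']} -> {f['destination']}  {'; '.join(f['reasons'])}")
    for p in result["inaccessible"]:
        print(f"locked     {p}")
```

Run as-is it prints the two \Device\__max++>\^ mount points as SUSPICIOUS, lets the constructed \??\C:\Temp junction through, and lists bthservsdp.dat as locked. The "leaf repeats parent" hint is deliberately kept out of the suspicious decision; it is reported so a helper can see the pattern, but a junction is judged on where it points.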


#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 November 2009 - 08:34 PM

Hold off on Gmer for now.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


====================


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

#10 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 11 November 2009 - 10:19 PM

I am going to assume that what I am to copy and paste into "RUN" is between the quotation marks at least that's what I did.

Running from: C:\Users\Milt\Desktop\win32kdiag.exe

Log file at : C:\Users\Milt\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21B3.tmp\ZAP21B3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP456B.tmp\ZAP456B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D78.tmp\ZAP7D78.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-11-07 00:46:34 12 C:\Windows\bthservsdp.dat ()

I will download and run and post peek.bat next.

#11 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 11 November 2009 - 10:26 PM

Here is the peek.bat log. Not to get ahead or undermine you, but after the GMER scan I got a warning that said something had been modified and at the end there were some entries that were in red. I wish I had copied the warning down but I didn't.

Volume in drive C is OS
Volume Serial Number is 6E88-329A

Directory of C:\WINDOWS\System32

04/11/2009 12:28 AM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

04/11/2009 12:28 AM 592,896 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 61,952 cngaudit.dll
3 File(s) 832,000 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 03:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 03:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 01:36 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 12:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 03:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 01:35 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 12:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
10 File(s) 3,119,616 bytes
0 Dir(s) 86,902,366,208 bytes free
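What the helper does with this listing in the next reply is compare the copy of each DLL in System32 against the copies Windows keeps in the WinSxS component store: scecli.dll and netlogon.dll in System32 have the same size as a WinSxS version, while cngaudit.dll in System32 is 61,952 bytes and the only WinSxS copy is 11,776 bytes, which is why that file gets replaced from WinSxS. The script below is an added example, not part of this thread and not peek.bat itself; it parses the dir-style output peek.bat produced (re-typed here as a constant) and reports, for each System32 file, which WinSxS versions it matches by size. Size is a coarse check (a same-size patch would slip through), so on a live system a hash comparison would be the stronger follow-up; the logic here is only the triage the thread performs.

```python
import re
from collections import defaultdict

# The `dir` listing peek.bat posted in reply #11, re-typed as a constant so the
# script runs offline. Whitespace is collapsed the way the forum rendered it.
PEEK_LOG = r"""
Volume in drive C is OS
Volume Serial Number is 6E88-329A

Directory of C:\WINDOWS\System32

04/11/2009 12:28 AM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

04/11/2009 12:28 AM 592,896 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 61,952 cngaudit.dll
3 File(s) 832,000 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 03:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 03:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 01:36 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 12:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 03:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 01:35 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 12:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, size-with-commas, filename; the "N File(s)" totals don't match this.
FILE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)\s*$")
# WinSxS folder names carry the component version between underscores.
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def parse_peek_log(text):
    """Return a list of (directory, filename_lowercase, size_bytes) from dir-style output."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current_dir:
            entries.append((current_dir, m.group(4).lower(), int(m.group(3).replace(",", ""))))
    return entries


def check_system32_against_winsxs(text):
    """For each System32 file, list which WinSxS component versions match its size."""
    live = {}                      # filename -> size in System32
    refs = defaultdict(dict)       # filename -> {component version: size}
    for directory, name, size in parse_peek_log(text):
        d = directory.lower()
        if d.endswith("\\system32"):
            live[name] = size
        elif "\\winsxs\\" in d:
            m = VERSION_RE.search(directory)
            refs[name][m.group(1) if m else directory] = size
    report = {}
    for name, size in live.items():
        matching = sorted(v for v, s in refs[name].items() if s == size)
        report[name] = {"system32_size": size, "reference_sizes": dict(refs[name]),
                        "matching_versions": matching, "match": bool(matching)}
    return report


if __name__ == "__main__":
    for name, info in check_system32_against_winsxs(PEEK_LOG).items():
        status = "matches " + ", ".join(info["matching_versions"]) if info["match"] else "MISMATCH"
        print(f"{name}: System32={info['system32_size']} WinSxS={info['reference_sizes']} -> {status}")
```

On the posted listing this reports scecli.dll and netlogon.dll as matching the 6.0.6002.18005 component (scecli.dll also matches 6.0.6001.18000, which shipped the same size) and cngaudit.dll as a MISMATCH, the same conclusion the next reply acts on by copying the WinSxS cngaudit.dll back into System32.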

#12 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 12 November 2009 - 02:59 AM

Sam, I am going to have to reformat. My computer keeps rebooting itself after getting the error message, "Windows has encountered critical problem and will close in one Minute". I am using safe mode to access the internet and write this. Just wanted to let you know. If I get it back without getting the error I will let you know.

#13 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 12 November 2009 - 03:11 AM

OK, I guess I am back to somewhat normalcy. After restarting out of safe mode it went back to the desktop with no errors. I am a little bit afraid something is going to happen and I won't be able to get to the internet.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 November 2009 - 08:15 AM

Keep in mind that we are dealing with a serious infection here, so you should try to minimize the use of this computer as much as possible.

I am going to assume that what I am to copy and paste into "RUN" is between the quotation marks at least that's what I did.

No that's incorrect. You need to copy the entire line of bolded blue text below.

"%userprofile%\desktop\win32kdiag.exe" -f -r


====================


Please follow these steps first:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop everything and come back and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

===============================
Next set of steps...


Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\cngaudit.dll | C:\WINDOWS\system32\cngaudit.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).


#15 Iowa Hawkeye

Iowa Hawkeye
  • Topic Starter

  • Members
  • 17 posts

Posted 12 November 2009 - 08:46 AM

Avenger Log. I am going to be away from computer soon but will check back later today. I understand no unnecessary usage of computer. Thanks

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\cngaudit.dll|C:\WINDOWS\system32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Edited by Iowa Hawkeye, 12 November 2009 - 09:03 AM.




