
msb.exe, msa.exe, b.exe


This topic is locked
60 replies to this topic

#1 BrandonThompson

  • Members
  • 34 posts

Posted 10 November 2009 - 04:57 PM

Hi there.

It looks like I am infected with several of the above problems. I cannot get HJT, RootRepeal, or DDS to run (RootRepeal and DDS run for a few seconds, then shut down). I have tried RKill as well, it does not help.

I constantly get a message telling me that I cannot access various programs because I do not have the privileges to do so. This includes the add/remove programs utility in the control panel.

After doing a lot of reading about this thing online, I read that I could create a win32diag, which may be able to help the gurus diagnose and fix my problem. So I did that. Here is the log:

Starting up...
Running from: C:\Documents and Settings\Brandon\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Brandon\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe


I will wait to hear from you. Thanks!
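Added example (not Win32kDiag's code, nor anything BleepingComputer's staff posted): a small Python triage script that reads output in the Win32kDiag log format shown above and separates the junctions worth a second look from ordinary ones. Ordinary NTFS junctions and volume mount points resolve to a `\??\` path (`\??\C:\dir` or `\??\Volume{GUID}\`), so a mount point whose target is a bare `\Device\` name that is not a volume, a single target reused by many directories, and a junction that carries the same name as its parent directory (the `addins\addins` pattern in the log) are each reported. The sample log is constructed from a few of the posted lines plus one benign junction (`C:\Data\Archive`, invented for contrast); the self-named-parent heuristic is an observation from this log, not a rule of the tool.

```python
import re
from collections import Counter

# Constructed sample in the Win32kDiag log format shown in the post above:
# a few of the posted lines plus one ordinary junction (C:\Data\Archive,
# invented here) so the triage has something benign to compare against.
SAMPLE_LOG = r"""Starting up...
Running from: C:\Documents and Settings\Brandon\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Brandon\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\Data\Archive
Mount point destination : \??\D:\Archive
Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
DENIED_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
WARN_RE = re.compile(r"^WARNING: (?P<msg>.+)$")


def parse_win32kdiag(text):
    """Turn the log into lists of (mount point, target), inaccessible files and warnings."""
    findings = {"mount_points": [], "inaccessible": [], "warnings": []}
    pending = None  # mount point path waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MOUNT_RE.match(line)):
            if pending is not None:  # previous entry had no destination line
                findings["mount_points"].append((pending, None))
            pending = m.group("path")
        elif (m := DEST_RE.match(line)):
            findings["mount_points"].append((pending, m.group("dest")))
            pending = None
        elif (m := DENIED_RE.match(line)):
            findings["inaccessible"].append(m.group("path"))
        elif (m := WARN_RE.match(line)):
            findings["warnings"].append(m.group("msg"))
    if pending is not None:
        findings["mount_points"].append((pending, None))
    return findings


def classify_mount_point(path, dest):
    """Return the reasons a reparse point looks abnormal (empty list = nothing odd)."""
    reasons = []
    # Ordinary junctions and volume mount points resolve to a \??\ path
    # (\??\C:\dir or \??\Volume{GUID}\); a bare \Device\ name that is not a
    # volume is not something the OS or an installer normally creates.
    if dest is None or not dest.startswith("\\??\\"):
        reasons.append("target is not a \\??\\ volume or directory path")
    # Heuristic taken from the posted log (an assumption, not a tool rule):
    # every flagged directory is a junction named after its parent (addins\addins).
    parts = path.rstrip("\\").split("\\")
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        reasons.append("junction named after its own parent directory")
    return reasons


def triage(text):
    """Flag abnormal mount points and count how often each target is reused."""
    findings = parse_win32kdiag(text)
    suspicious = []
    for path, dest in findings["mount_points"]:
        reasons = classify_mount_point(path, dest)
        if reasons:
            suspicious.append((path, dest, reasons))
    # One target shared by many unrelated directories is the strongest signal here.
    target_counts = Counter(dest for _, dest in findings["mount_points"])
    return {
        "suspicious": suspicious,
        "target_counts": target_counts,
        "inaccessible": findings["inaccessible"],
        "warnings": findings["warnings"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, dest, reasons in report["suspicious"]:
        print(f"{path} -> {dest}: {'; '.join(reasons)}")
    for dest, n in report["target_counts"].most_common():
        print(f"{n} mount point(s) resolve to {dest}")
    for path in report["inaccessible"]:
        print(f"could not read: {path}")
```

Run against the full log from the post, the target counter alone tells the story: twenty-five directories all pointing at the same non-volume device name. The "Could not get backup privileges" warning is also recorded, since it matches the privilege errors described in the post and explains why the tool could not read everything.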

#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 November 2009 - 07:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Thanks :(
m0le is a proud member of UNITE

#3 BrandonThompson

  • Topic Starter

Posted 17 November 2009 - 06:19 PM

Thanks. I have disconnected the infected computer from the internet to prevent further problems. If I use a flash drive and transfer the win32K text file to my mac (infected computer is a pc) so I can post it, will my mac be safe?

#4 m0le

Posted 17 November 2009 - 07:24 PM

Yes, transferring text files is okay and were a flash drive to get infected it would not be able to infect a Mac. :(

Edited by m0le, 17 November 2009 - 07:25 PM.


#5 BrandonThompson

Posted 18 November 2009 - 11:41 AM

When I try to run Win32kDiag it runs for about five minutes, then shuts down with a Windows error message that says the application cannot be completed. File is infected. Please run antivirus software.

#6 m0le

Posted 18 November 2009 - 07:31 PM

Please run Rkill which will hopefully then allow you to run the Win32diag file.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
If it does run successfully then please attempt to run the Win32diag file again. :(

#7 BrandonThompson

Posted 19 November 2009 - 01:27 PM

Can't run rkill either.

#8 m0le

Posted 19 November 2009 - 04:24 PM

Did you download rkill.exe or one of the others with a different extension (such as rkill.scr)?

Please try this batch file.

Please copy the contents of the code box below, open Notepad and paste it there. On the top toolbar in Notepad select File, then Save As. In the box that opens, type peek.bat for the file name. Right below that, click the down arrow in the Save as line and select All Files. Save this to your desktop and close Notepad.

@ECHO OFF
REM List every copy of these system DLLs under C:\WINDOWS (/s = search subdirectories, /a = include hidden and system files) and write the listing to Log.txt
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing in the default text viewer
START Log.txt
REM Delete this batch file once it has run (%0 is the batch file's own path)
DEL %0

Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.

Thanks :(
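Added example (not m0le's batch file and not a BleepingComputer tool): the Python below does what peek.bat does, finding every copy of those four DLL names under a Windows directory, and goes one step further by hashing each copy and reporting the ones that disagree with the others, so a copy in system32 that no longer matches the backup copies in dllcache or ServicePackFiles stands out without reading sizes and dates by hand. The majority-vote rule is this example's own heuristic; the directory layout and file contents in build_sample_tree are constructed for the demo, and on a real machine you would call find_copies(r"C:\WINDOWS") instead.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# The four DLL names peek.bat lists; everything else here is added example code.
WATCHED = ("scecli.dll", "netlogon.dll", "eventlog.dll", "cngaudit.dll")


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, names=WATCHED):
    """Walk root (like DIR /a/s) and record path, size and hash of every copy of each name."""
    wanted = {n.lower() for n in names}
    copies = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                copies[fn.lower()].append(
                    {"path": p, "size": os.path.getsize(p), "sha256": sha256_of(p)}
                )
    return dict(copies)


def odd_ones_out(copies):
    """For each DLL with several copies, flag the copies whose hash differs from the majority.

    Heuristic (an assumption of this example): the backup copies in dllcache and
    ServicePackFiles normally agree with each other, so a lone copy that differs
    deserves a look. If no two copies agree, every copy is reported.
    """
    flagged = {}
    for name, entries in copies.items():
        if len(entries) < 2:
            continue  # nothing to compare against
        top_hash, top_n = Counter(e["sha256"] for e in entries).most_common(1)[0]
        if top_n == 1:
            flagged[name] = {"reference": None, "disagreeing": list(entries)}
        else:
            odd = [e for e in entries if e["sha256"] != top_hash]
            if odd:
                flagged[name] = {"reference": top_hash, "disagreeing": odd}
    return flagged


def build_sample_tree(root):
    """Constructed layout for the demo: two agreeing copies of scecli.dll plus one that differs."""
    files = {
        "WINDOWS/system32/scecli.dll": b"scecli 5.1 (differs from the backup copies)",
        "WINDOWS/system32/dllcache/scecli.dll": b"scecli 5.1",
        "WINDOWS/ServicePackFiles/i386/scecli.dll": b"scecli 5.1",
        "WINDOWS/system32/netlogon.dll": b"netlogon 5.1",
        "WINDOWS/system32/dllcache/netlogon.dll": b"netlogon 5.1",
        "WINDOWS/system32/eventlog.dll": b"eventlog 5.1",
    }
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temporary directory and return a compact report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        copies = find_copies(root)
        flagged = odd_ones_out(copies)
        return {
            "copies": {name: len(v) for name, v in copies.items()},
            "flagged": {
                name: sorted(
                    os.path.relpath(e["path"], root).replace(os.sep, "\\")
                    for e in v["disagreeing"]
                )
                for name, v in flagged.items()
            },
        }


if __name__ == "__main__":
    report = demo()
    for name, n in report["copies"].items():
        print(f"{name}: {n} copy/copies found")
    for name, paths in report["flagged"].items():
        print(f"{name}: differs from the other copies in {', '.join(paths)}")
```

A DLL found only once (eventlog.dll in the demo) is listed but not judged, because there is nothing to compare it against; cngaudit.dll is simply absent on an XP layout, which is also worth knowing when reading the real Log.txt.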

#9 BrandonThompson

Posted 19 November 2009 - 06:15 PM

I tried each of the rkill programs. I got the same error message with each of them: "WARNING. Application cannot be executed. The file is infected. Please activate your antivirus software."

Believe it or not, I get the same error message when I try to open notepad.

#10 m0le

Posted 19 November 2009 - 07:00 PM

Nasty security system rogue; this kills known tools and all .exe files. Let's try and loosen the grip a little.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Thanks :(

#11 BrandonThompson

Posted 20 November 2009 - 10:23 AM

All right, something that actually worked! I got the message "error deleting file," so I ran the program again as directed. I got the same error message when running it the second time, so I ran it a third. Same error message that third time, so I figured a fourth time wouldn't do any good.

I will be out of town this weekend after noon central on Friday, returning on Monday morning, so please don't think everything is fixed if you don't hear from me until then!

Log follows:

exeHelper by Raktor
Build 20091120
Run at 09:11:11 on 11/20/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Killed process b.exe
Killed process a.exe
Killed process winupdate86.exe
Checking for bad files...
Deleting file C:\WINDOWS\temp\b.exe
Deleting file C:\WINDOWS\temp\a.exe
Deleting file C:\WINDOWS\system32\41.exe
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\temp\svchost.exe
Deleting file C:\WINDOWS\temp\winlogon.exe
Deleting file C:\WINDOWS\temp\taskmgr.exe
Deleting file C:\WINDOWS\msb.exe
Deleting file C:\WINDOWS\system32\lsm32.sys
Deleting file C:\WINDOWS\system32\opeia.exe
Deleting file C:\WINDOWS\system32\BtwSrv.dll
Error deleting C:\WINDOWS\system32\BtwSrv.dll
Deleting file C:\WINDOWS\fonts\services.exe
Deleting file C:\WINDOWS\system32\winupdate86.exe
Checking for bad registry entries...
Removing HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced Virus Remover
Removing HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091120
Run at 09:11:54 on 11/20/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\BtwSrv.dll
Error deleting C:\WINDOWS\system32\BtwSrv.dll
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#12 m0le

Posted 20 November 2009 - 05:08 PM

Finally. ExeHelper should allow us to run the batch file now.

Please copy the contents of the code box below, open Notepad and paste it there. On the top toolbar in Notepad select File, then Save As. In the box that opens, type peek.bat for the file name. Right below that, click the down arrow in the Save as line and select All Files. Save this to your desktop and close Notepad.

@ECHO OFF
REM List every copy of these system DLLs under C:\WINDOWS (/s = search subdirectories, /a = include hidden and system files) and write the listing to Log.txt
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing in the default text viewer
START Log.txt
REM Delete this batch file once it has run (%0 is the batch file's own path)
DEL %0

Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.

Enjoy your weekend. :(

#13 BrandonThompson

Posted 23 November 2009 - 01:51 PM

When I click on the peek.bat icon, it does not create a log. The desktop icons disappear briefly, then my active desktop is disabled and that is it. No log.

#14 m0le

Posted 23 November 2009 - 06:47 PM

Can you try running RKill now? ExeHelper should have stopped the process that kills the running of tools like that.

Instructions below for reference:

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.


#15 BrandonThompson

Posted 23 November 2009 - 06:49 PM

I will run it now. Will you be around for a while? I can stay at my office and try to actually make some progress if we can communicate back and forth relatively quickly...



