
Infection disabling all removal/security tools


3 replies to this topic

#1 Armodeus

Armodeus

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:53 AM

Posted 21 November 2009 - 08:10 PM

In the past whenever I've had a problem, I have always been able to find a resolution by searching other threads dealing with similar problems, but I'm afraid this one has me completely stumped. Here are the details:

System:
Windows XP 2002 home edition, SP3
2.0G Celeron processor, 768 mb RAM
System restore has been turned off by the infection for at least 2 weeks now. No restore points exist and trying to turn system restore back on doesn't work.
Initial infection was approximately 3 weeks ago, obvious processes were L.exe and msa.exe
Beginning today, ctrl+alt+del does nothing and Process Explorer refuses to open

Prior to this, McAfee was on a normal weekly scan schedule and I would also run Malwarebytes 2 to 3 times a month to catch anything McAfee missed. This system seemed to work very nicely until this last bit of virus got onto my system.

Now, McAfee, Malwarebytes, SuperAntispyware and HijackThis all refuse to run in either normal or safe mode. All exhibit the same symptoms, specifically the hourglass figure appears for several seconds, then disappears, but the program doesn't launch. All programs mentioned have been removed and reinstalled both in regular and safe mode with no difference in behavior. In addition I have also tried using rkill immediately prior to attempting to run all of the above applications, with no difference in behavior. I've also tried fresh installs of Malwarebytes with both the installer and exe file renamed to mb.exe, then mb.scr; all failed to run the program. Until today McAfee would load at startup, but couldn't update; now it doesn't load at all. All attempts by Windows to load the latest security patch fail as well.

To be honest I would simply throw in the towel, reformat the hard drive and go with a fresh install of XP at this point, but my daughter loaned our installation disk to a friend and it's not been seen since. All attempts to find a local shop to either purchase another copy or have them reformat/reload XP for me have proved unsuccessful and I simply cannot afford to replace with an all new computer until after the first of the year. Until today I was able to keep the system functional through the use of process explorer, but since it has ceased working I can no longer utilize that.

So, any hopes of getting this thing back to normal functionality? In any event I appreciate your time and efforts both in regards to this current issue and for all the guidance I've gotten from solutions others have received for similar problems in the past.


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:07:53 AM

Posted 23 November 2009 - 08:17 PM

Try running this application first and then mbam right afterwards

Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4.)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer or you will have to run it again

=================================

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Armodeus

Armodeus
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:53 AM

Posted 23 November 2009 - 11:18 PM

Thank you garmanma. It took a couple tries but I finally got this:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/23 23:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_IdeChnDr.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_IdeChnDr.sys
Address: 0xEC199000 Size: 90112 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xB8ACE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xEFC86000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7822000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACoixpybslvs.dll]
Process: svchost.exe (PID: 820) Address: 0x10000000 Size: 73728

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: Iexplore.exe (PID: 1512) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: Iexplore.exe (PID: 2488) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: Iexplore.exe (PID: 3864) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: Iexplore.exe (PID: 3992) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: explorer.exe (PID: 2204) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: Iexplore.exe (PID: 3436) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: Iexplore.exe (PID: 3344) Address: 0x10000000 Size: 49152

==EOF==

Additionally, after I had posted this I noticed a message had popped up on rootrepeal that said "unable to read registry. contact author!"

As always I appreciate your time and efforts on this.

Edited by Armodeus, 23 November 2009 - 11:22 PM.
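The log above is the kind of output a helper has to triage by eye: drivers the scanner could not find on disk, image paths that point into an NTFS alternate data stream (the `win32k.sys:1` entries), and a randomly named module hidden inside many processes. The script below is an added example written for this thread; it is not part of RootRepeal or of any post here. It parses RootRepeal-style log text and flags those three indicators. The sample log embedded in it is constructed for the example (modelled on the thread's log, with one benign visible driver added), and the regexes assume the line layout shown in the thread.

```python
"""Triage a RootRepeal-style log.

Flags drivers whose file the scanner could not see, drivers loaded from an NTFS
alternate data stream, and modules reported as hidden inside processes.
Added example for this thread; not part of RootRepeal or of any post here.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the log posted in the thread.
SAMPLE_LOG = r"""
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/23 23:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_IdeChnDr.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_IdeChnDr.sys
Address: 0xEC199000 Size: 90112 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xEFC86000 Size: 20480 File Visible: No Signed: -
Status: -

Name: visible_example.sys
Image Path: C:\WINDOWS\system32\drivers\visible_example.sys
Address: 0xF7400000 Size: 32768 File Visible: - Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACoixpybslvs.dll]
Process: svchost.exe (PID: 820) Address: 0x10000000 Size: 73728

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: Iexplore.exe (PID: 1512) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACtlvuqxonku.dll]
Process: explorer.exe (PID: 2204) Address: 0x10000000 Size: 49152

==EOF==
"""

# One driver record spans three lines in the log layout shown in the thread.
DRIVER_RE = re.compile(
    r"Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<visible>\S+)\s+Signed: (?P<signed>\S+)"
)
# One hidden-module record spans two lines.
HIDDEN_MOD_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\n"
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)"
)


def parse_log(text):
    """Return (drivers, hidden_modules) as lists of dicts."""
    drivers = [m.groupdict() for m in DRIVER_RE.finditer(text)]
    modules = [m.groupdict() for m in HIDDEN_MOD_RE.finditer(text)]
    return drivers, modules


def is_ads_path(path):
    """True if the path names an NTFS alternate data stream (a colon after the drive letter's)."""
    return ":" in path[2:]


def triage(text):
    """Return a list of findings, each with a kind, a name and the reasons it was flagged."""
    drivers, modules = parse_log(text)
    findings = []
    for d in drivers:
        reasons = []
        if d["visible"].lower() == "no":
            reasons.append("driver file not visible to the scanner on disk")
        if is_ads_path(d["path"]):
            reasons.append("image loaded from an NTFS alternate data stream")
        if reasons:
            findings.append({"kind": "driver", "name": d["name"],
                             "path": d["path"], "reasons": reasons})
    # Group hidden modules by name so one injected DLL becomes one finding.
    by_module = defaultdict(list)
    for m in modules:
        by_module[m["name"]].append((m["proc"], int(m["pid"])))
    for name, procs in by_module.items():
        findings.append({"kind": "hidden_module", "name": name, "processes": procs,
                         "reasons": ["module hidden from the process module list",
                                     f"present in {len(procs)} process(es)"]})
    return findings


def report(text):
    """Render the findings as plain text, one finding per line."""
    lines = []
    for f in triage(text):
        where = f.get("path") or ", ".join(f"{p} (PID {pid})" for p, pid in f["processes"])
        lines.append(f"[{f['kind']}] {f['name']} -> {where}: " + "; ".join(f["reasons"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A "File Visible: No" hit on its own is weak evidence and needs triage: in the thread's own log, two of the four such drivers are almost certainly benign (`tatertot.scr.sys` is the scanner's own driver, named after the renamed executable, and the `dump_` prefix marks a crash-dump driver copy that has no file of that name on disk). The stronger indicators are the alternate-data-stream image paths and the same randomly named module hidden in several processes, which is the line garmanma's reply keys on.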


#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:07:53 AM

Posted 24 November 2009 - 08:25 PM

UACtlvuqxonku.dll
You have a persistent, nasty rootkit infection.
The best and recommended fix is to wipe the drive and reinstall the OS.
If that is not an option, follow these instructions. Please remember it will take time for a HJT team member to respond.


Now that you were successful in creating a RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that this log was all you could get to run successfully

Post here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
