
Unknown Virus


11 replies to this topic

#1 Nuggets (Members, 6 posts)

Posted 03 December 2009 - 03:36 PM

I'm new to bleeping computer, so I apologize if I'm in the wrong area. I have some experience with virus removal, but this one's got me stumped. It seems to have done something that shuts down antivirus software.

I downloaded and then attempted to run the DDS tool and the RootRepeal Log tool. They (and all software I've tried...Malwarebytes, SUPERAntiSpyware, Windows Defender and Malicious Software Removal, also tried to backup with Cobian, etc...) seem to install fine, but after starting them, they get a short way into the process, then the process stops and closes with no indication of what's happened. Sometimes the new programs appear in program files, sometimes not. Usually if I try to run the program again, an error message appears that says "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the file". This happens even in safe mode.

One other note...this appears to have started with a google redirect virus.

Thanks

Edited by Nuggets, 03 December 2009 - 04:57 PM.



#2 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 06 December 2009 - 06:49 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes. Post the Malwarebytes log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Nuggets (Topic Starter)

Posted 14 December 2009 - 11:24 AM

Redownloaded and installed Malwarebytes. Downloaded and ran Rkill...seemed to work. Then tried to run Malwarebytes. Same results. Scan timed for about 4 secs, then shut down. A second attempt to run the scan resulted in the same error message posted previously. Sorry for the delay in doing this...it's a process computer and I couldn't mess with it for a period...have a significant window for troubleshooting now. Thanks.

#4 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 14 December 2009 - 04:40 PM

Download a new version of Malwarebytes and save it to your desktop. Rename the mbam-setup.exe file to explorer.exe

Also download a new version of rkill.

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the rkill file to run it. Then install Malwarebytes by double-clicking the renamed explorer.exe file on your desktop.

Do NOT open Malwarebytes after it installs. First rename this file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe to explorer.exe. Then double-click the renamed file to run Malwarebytes. Update the definitions and try running a quick scan.

#5 Nuggets (Topic Starter)

Posted 15 December 2009 - 11:59 AM

Same results. Malwarebytes ran for about 4 sec then stopped, followed by access denied by permissions.

Renamed just the mbam.exe to explorer.exe....leave the rest of the path the same as before, right?

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

to

C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe

#6 Nuggets (Topic Starter)

Posted 15 December 2009 - 02:49 PM

Renamed file to explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

to

C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe

Ran new rkill then ran renamed Malwarebytes. Same results...ran about 4 sec then stopped. Tried again with same error message.

Edited by Nuggets, 15 December 2009 - 04:10 PM.


#7 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 15 December 2009 - 04:21 PM

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

#8 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 16 December 2009 - 01:08 AM

If RootRepeal won't run try this:

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#9 Nuggets (Topic Starter)

Posted 16 December 2009 - 03:56 PM

Rootrepeal did not run...refer to first post.

After running Anti-Rootkit, there were no files recommended for removal.

This is the sarscan log:


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 12/16/2009 at 14:32:29 PM
User "SDIC" on computer "1610WWSERVER"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Error parsing raw registry hive S-1-5-21-3149964490-2574241707-732037635-1006_Classes. Registry scan may not be
supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Hidden: file C:\WINDOWS\system32\eventlog.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\12e31c1143e5f70785d44c867e7b3e13\update\update.exe
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\f5ce3558cdad2d0de1884dee71734a4a\update\update.exe
Hidden: file C:\WINDOWS\system32\MRT.exe
Hidden: file C:\Documents and Settings\SDIC\Application Data\SecuROM\UserData\???????????p?????????
Hidden: file C:\Documents and Settings\SDIC\Application Data\SecuROM\UserData\???????????p?????????
Hidden: file C:\Documents and Settings\SDIC\Desktop\RootRepeal.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Hidden: file C:\RECYCLER\S-1-5-21-3149964490-2574241707-732037635-1006\Dc129\MsMpEng.exe
Hidden: file C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Hidden: file C:\RECYCLER\S-1-5-21-3149964490-2574241707-732037635-1006\Dc122\MsMpEng.exe
Hidden: file C:\dd4d8314f8f0a1b7cc12d0023558\mrt.exe
Hidden: file C:\WINDOWS\system32\wbem\wmiprvse.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe
Stopped logging on 12/16/2009 at 14:56:36 PM

Edited by Nuggets, 16 December 2009 - 04:00 PM.
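The sarscan.log above is the kind of output a helper has to triage by hand: which "Hidden:" entries are OS components worth verifying against a known-good copy, which are security tools the infection is hiding, and which sit in odd locations. The parser below is an added example, not code from the thread or from Sophos; it reads the log layout shown in the post (Info/Warning/Hidden records, with wrapped lines joined) and sorts hidden paths into location-based buckets. The bucket names, the TOOL_NAMES set and the constructed sample log (placeholder SID) are my own assumptions.

```python
import re

# Constructed excerpt in the layout Sophos Anti-Rootkit 1.5 writes to %temp%\sarscan.log.
# The SID is a placeholder, not a value from any real machine.
SAMPLE_LOG = """Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 12/16/2009 at 14:32:29 PM
Info: Starting registry scan.
Warning: Error parsing raw registry hive S-1-5-21-0-0-0-1006_Classes. Registry scan may not be
supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\\WINDOWS\\system32\\eventlog.dll
Hidden: file C:\\RECYCLER\\S-1-5-21-0-0-0-1006\\Dc129\\MsMpEng.exe
Hidden: file C:\\Program Files\\Malwarebytes' Anti-Malware\\explorer.exe
Stopped logging on 12/16/2009 at 14:56:36 PM
"""

RECORD_RE = re.compile(r"^(Info|Warning|Hidden): (.*)$")
HEADER_PREFIXES = ("Sophos Anti-Rootkit", "Started logging", "User ",
                   "Windows version", "Stopped logging")
# Basenames of the security tools the thread's scan shows being hidden (assumed list).
TOOL_NAMES = {"msmpeng.exe", "mrt.exe", "mbam.exe", "rootrepeal.exe",
              "spybotsd.exe", "superantispyware.exe"}


def parse_sarscan(text):
    """Return (kind, message) pairs; wrapped lines are joined to their record."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif line.strip() and not line.startswith(HEADER_PREFIXES) and records:
            records[-1][1] += " " + line.strip()   # continuation of previous record
    return [tuple(r) for r in records]


def classify(path):
    """Triage a hidden path by where it sits; this says nothing about malice by itself."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\recycler\\" in p:
        return "executable parked in Recycle Bin"
    if p.startswith("c:\\windows\\"):
        return "OS component hidden: compare with known-good copy"
    if name in TOOL_NAMES or "anti-malware" in p:
        return "security tool hidden from view"
    return "other"


def triage(text):
    """Group every 'Hidden: file' path in the log by its triage bucket."""
    out = {}
    for kind, msg in parse_sarscan(text):
        if kind == "Hidden" and msg.startswith("file "):
            path = msg[len("file "):]
            out.setdefault(classify(path), []).append(path)
    return out
```

The "OS component" bucket is the one the moderator acted on in this thread (eventlog.dll replaced from ServicePackFiles); the "security tool" bucket matches the symptom of scanners dying a few seconds into a scan.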


#10 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 16 December 2009 - 04:11 PM

Insert your Windows XP CD into the CD drive, and then restart the computer. Click to select any options that are required to start the computer from the CD drive if you are prompted. When the "Welcome to Setup" screen appears, press R to start the Recovery Console. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER. Type these commands:

copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\WINDOWS\system32
exit


When your computer boots back into Windows immediately run a quick scan with Malwarebytes.

#11 Nuggets (Topic Starter)

Posted 16 December 2009 - 06:02 PM

Should I boot in safe mode?...er...I'll try without that...if it doesn't work I'll try it in safe...let you know. Thanks.

Edited by Nuggets, 16 December 2009 - 06:04 PM.


#12 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 16 December 2009 - 06:49 PM

If you mean after you copied the file over in the Recovery Console - just boot into Normal Mode, there is no need for Safe Mode at this stage.