All Security Scanners Have Been Rendered Ineffective


  • This topic is locked
7 replies to this topic

#1 dmcmaster

  • Members
  • 48 posts

Posted 17 December 2009 - 07:12 AM

I have had Eusing Free Registry Cleaner, Adaware (Free Edition), SuperAntiSpyware, Spybot Search & Destroy, McAfee AntiVirus 2010, and CCleaner installed on my computer. Recently all of the scan functions except CCleaner have been made useless. By that I mean that when I try to do a scan, the scan starts but after a brief time the screen goes black and I'm back on my desktop. Consequently, I can't identify whatever has infected my system and also can't get rid of it. It seems that I've picked up some unwanted software that protects itself better than anything that I've previously encountered. I am running Windows XP Home Edition Version 2002 with Service Pack 2. I found this website when doing a search using the names of the products listed above and adding "scan disabled". Also two names to which Windows has alerted me are Worm.Win32.NetSky and TrojanSPM/LX. I would appreciate any help. Thank you.

Edited by dmcmaster, 17 December 2009 - 07:15 AM.



#2 MABER

  • Members
  • 4 posts

Posted 18 December 2009 - 10:30 AM

I'd suggest booting into Safe Mode with Networking and running Malwarebytes.
Let us know if this works.

#3 MATTSPCHELP

  • Members
  • 196 posts
  • Location: Leicester, United Kingdom

Posted 18 December 2009 - 10:48 AM

By any chance, has Task Manager also been disabled?
Microsoft Certified Desktop Support Technician

#4 dmcmaster
  • Topic Starter

  • Members
  • 48 posts

Posted 18 December 2009 - 11:10 AM

MATTSPCHELP

Yes, it is. When I try to use it I get an "Application cannot be executed. File is infected. Please activate your antivirus software." message. I also cannot get into Safe Mode, so the suggestion from the post before yours cannot be tried. Immediately after Windows loads, I get a screen warning from Windows that I've been infected with the Worm.Win32.NetSky virus, and later on another screen comes on telling me that I have also gotten the TrojanSPM/LX virus. It seems like any time I try to do any type of virus scan, something causes it to shut down. I also have had my background theme changed to a general warning that I've been infected with a virus. I was able to get the following from a program called GMER.exe:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-18 05:41:31
Windows 5.1.2600 Service Pack 2
Running: gmer_1.exe; Driver: C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\agldapod.sys


---- System - GMER 1.0.15 ----

Code 4ac6d28a3cbbc27057cba00b20c92ea2.sys (ckmd/Noves Inc) ZwCreateKey [0xF749AC8E]
Code 4ac6d28a3cbbc27057cba00b20c92ea2.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF749AD13]
Code 4ac6d28a3cbbc27057cba00b20c92ea2.sys (ckmd/Noves Inc) ZwOpenKey [0xF749AC10]
Code 4ac6d28a3cbbc27057cba00b20c92ea2.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF749A999]
Code 4ac6d28a3cbbc27057cba00b20c92ea2.sys (ckmd/Noves Inc) IoCreateFile
Code 4ac6d28a3cbbc27057cba00b20c92ea2.sys (ckmd/Noves Inc) NtQueryDirectoryFile
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [416] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [592] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [880] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [948] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1020] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1112] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1348] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1580] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1804] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2476] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys (*** hidden *** ) [BOOT] 4ac6d28a3cbbc27057cba00b20c92ea2 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4ac6d28a3cbbc27057cba00b20c92ea2&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=4ac6d28a3cbbc27057cba00b20c92ea2&path=system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys&wmid=03003&idate=2009-12-13 23:02:52:546&last_download_time=2009-12-13 23:5:52.953&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Tag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@ImagePath system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@DisplayName 4ac6d28a3cbbc27057cba00b20c92ea2
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Group szldgp
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4ac6d28a3cbbc27057cba00b20c92ea2&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=4ac6d28a3cbbc27057cba00b20c92ea2&path=system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys&wmid=03003&idate=2009-12-13 23:02:52:546&last_download_time=2009-12-13 23:5:52.953&first_skip=1
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Tag 1
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@ImagePath system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@DisplayName 4ac6d28a3cbbc27057cba00b20c92ea2
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Group szldgp
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\4ac6d28a3cbbc27057cba00b20c92ea2\Security@Security 0x01 0x00 0x14 0x80 ...
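
The GMER output above is the kind of log a responder normally reads by hand: one hidden module loaded from a \\?\globalroot\Device\... path into a dozen processes (the Processes section, which a later reply also quotes), a hidden kernel driver service that loads at boot, and a configuration string whose ip_N fields are stored as plain integers. The script below is an added Python example, not part of this thread and not GMER's own code, that parses those three sections and decodes the configuration. It assumes each ip_N is a 32-bit IPv4 address stored little-endian; the log does not say, and that byte order is chosen because it puts ip_0 and ip_1 in the same /24 while the big-endian reading does not. The sample lines embedded in the script are copied from the log above, abridged.

```python
"""Triage of the GMER log above (added example; not from the thread and not
GMER's own code).  It groups the hidden module by the processes it was
injected into, flags a hidden kernel driver (Type 1) registered to load at
boot (Start 0) under the active control set, and decodes the '@c' blob.
Reading each ip_N as a little-endian 32-bit IPv4 address is an assumption:
the log does not state the byte order; little-endian puts ip_0 and ip_1 in
the same /24, which the big-endian reading does not."""
import re
import socket
import struct
from collections import defaultdict

# Sample input: lines copied from the GMER log in the thread, abridged to
# one Library line per distinct host and the active control set only.
GMER_LOG = r"""
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [416] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [592] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [880] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1580] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2476] 0x35670000
Service C:\WINDOWS\system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys (*** hidden *** ) [BOOT] 4ac6d28a3cbbc27057cba00b20c92ea2 <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4ac6d28a3cbbc27057cba00b20c92ea2&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=4ac6d28a3cbbc27057cba00b20c92ea2&path=system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys&wmid=03003&idate=2009-12-13 23:02:52:546&last_download_time=2009-12-13 23:5:52.953&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\4ac6d28a3cbbc27057cba00b20c92ea2@ImagePath system32\4ac6d28a3cbbc27057cba00b20c92ea2.sys
"""

LIBRARY_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+) \[(\d+)\] 0x[0-9A-Fa-f]+$")
SERVICE_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
REG_VALUE_RE = re.compile(r"^Reg (HKLM\\[^@\s]+)@(\S+) (.*)$")


def parse_gmer(text):
    """Split GMER output into hidden libraries, hidden services and registry values."""
    out = {"libraries": [], "services": [], "registry": {}}
    for line in text.splitlines():
        if m := LIBRARY_RE.match(line):
            lib, host, pid = m.groups()
            out["libraries"].append((lib, host, int(pid)))
        elif m := SERVICE_RE.match(line):
            image, start_type, name = m.groups()
            out["services"].append({"image": image, "start": start_type, "name": name})
        elif m := REG_VALUE_RE.match(line):
            key, value, data = m.groups()
            out["registry"][(key, value)] = data
    return out


def injected_modules(parsed):
    """Map each hidden module path to the processes it was loaded into."""
    hosts = defaultdict(list)
    for lib, host, pid in parsed["libraries"]:
        hosts[lib].append(f"{host} [{pid}]")
    return dict(hosts)


def boot_start_drivers(parsed):
    """Names of active-control-set services that are kernel drivers (Type 1)
    loaded by the boot loader (Start 0), i.e. ahead of any user-mode scanner."""
    by_key = defaultdict(dict)
    for (key, value), data in parsed["registry"].items():
        if "\\CurrentControlSet\\Services\\" in key:
            by_key[key][value] = data
    return [key.rsplit("\\", 1)[-1] for key, vals in by_key.items()
            if vals.get("Type") == "1" and vals.get("Start") == "0"]


def int_to_ipv4(n, little_endian=True):
    """Render a 32-bit integer as a dotted quad; the byte order is an assumption."""
    return socket.inet_ntoa(struct.pack("<I" if little_endian else ">I", n))


def decode_config(blob):
    """Parse the '&key=value' blob held in the driver's 'c' value and expand
    its ip_N / port_N / max_fails_N triples into (address, port, max_fails)."""
    fields = {}
    for item in blob.split("&"):
        if item:  # the blob starts with '&', which yields an empty first item
            key, _, value = item.partition("=")
            fields[key] = value
    endpoints = [(int_to_ipv4(int(fields[f"ip_{i}"])),
                  int(fields[f"port_{i}"]),
                  int(fields[f"max_fails_{i}"]))
                 for i in range(int(fields.get("ips_count", 0)))]
    return {"fields": fields, "endpoints": endpoints}


def triage(text):
    """Run all three checks over one GMER log and return a report dict."""
    parsed = parse_gmer(text)
    blobs = [data for (key, value), data in parsed["registry"].items()
             if value == "c" and "\\CurrentControlSet\\" in key]
    return {"injected": injected_modules(parsed),
            "hidden_services": [s["name"] for s in parsed["services"]],
            "boot_drivers": boot_start_drivers(parsed),
            "configs": [decode_config(b) for b in blobs]}


if __name__ == "__main__":
    report = triage(GMER_LOG)
    for lib, hosts in report["injected"].items():
        print(f"hidden module {lib} injected into {len(hosts)} processes")
    print("hidden boot-start drivers:", report["boot_drivers"])
    for cfg in report["configs"]:
        for ip, port, fails in cfg["endpoints"]:
            print(f"  endpoint {ip}:{port} (max_fails={fails})")
```

Run against the abridged sample it reports one hidden module in five processes, one boot-start kernel driver named by the same 32-hex-character string as its image file, and four endpoints with a download_period of 846000 seconds. Pass `little_endian=False` to int_to_ipv4 to see the alternative reading of the same integers; the log alone cannot settle which is right, so treat the decoded addresses as a lead to confirm against other evidence rather than as fact.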

#5 MATTSPCHELP

  • Members
  • 196 posts
  • Location: Leicester, United Kingdom

Posted 18 December 2009 - 02:53 PM

OK, here's what you do: go to C:\Windows\System32 and copy tskmanager.exe to your My Documents.

You then rename it to explorer.exe, and then you look for a program that may be all numbers,

e.g.:

1324437254.exe

If you find it, you want to end the process and try to open Malwarebytes again.

If, however, you didn't find the 1324437254.exe file, don't worry, we can always attack it from another angle.
Microsoft Certified Desktop Support Technician

#6 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Location: Cleveland, Ohio

Posted 18 December 2009 - 03:29 PM

Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [416] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [592] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [880] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [948] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1020] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1112] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1348] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1580] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1804] 0x35670000
Library \\?\globalroot\Device\__max++>\9493839C.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2476] 0x35670000

You have a very persistent rootkit.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

You will also be instructed to create a Root Repeal Log

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.
Please be patient and good luck

Edited by garmanma, 18 December 2009 - 03:45 PM.

Mark

#7 dmcmaster
  • Topic Starter

  • Members
  • 48 posts

Posted 20 December 2009 - 09:39 AM

MATTSPCH

Task Manager has been disabled. The message says it can't be executed, file infected, activate your antivirus.

#8 dmcmaster
  • Topic Starter

  • Members
  • 48 posts

Posted 21 December 2009 - 09:11 AM

To MATTSPCHELP and all others who have contributed,

I have been advised by tetonbob at TechSupportForm that it is not wise to have a problem worked on by more than one help center and that I should choose among those that I may be using. I appreciate all of your help; however, at TechSupportForm, success is starting to show, and all of the things that I have been advised to try on this forum have been blocked by the virus. I have to follow the trail of progress; however, that is certainly not to say anything against the quality of your forum. I understand that these viruses are many and varied and can be attacked from a multitude of angles, some of which are successful and others of which are not. Thank you very much for your help.



