
Antivirus Pro 2010


  • Please log in to reply
9 replies to this topic

#1 janet0527

Posted 02 January 2010 - 06:39 PM

Antivirus Pro 2010 has got me good. I am posting from another computer, as the infected one is disconnected from the network (and thus the internet) for fear of transmitting something over my network to other computers. Maybe I'm paranoid? Can it do that? The infection seems to be getting progressively worse. At first, task manager was disabled through Windows, but from the command line I could still get to it. Now, I can't run it from the command line. I also can't run tasklist, which worked for awhile, but now returns an error "ERROR: The RPC server is unavailable." Also, within Windows I no longer have a visible task bar. I can't boot in safe mode. I want to get help, but don't know where to start. I was able to get the dds.scr and RootRepeal.exe files on there by burning them to a CD from my good computer and then copying them to the infected one (I had to do it from a command prompt because copying in Explorer is disabled), but I can't run either one. When I run dds.scr, it starts but then the window just closes up and poof, it's gone. I tried renaming it thinking maybe it wouldn't detect it to kill it under a different name, but I got the same result. I then tried running RootRepeal.exe and thought I was going to at least get that, but after about 10 seconds of scanning, it also was apparently killed. I don't even know where to start now. Help?


#2 garmanma

Posted 02 January 2010 - 11:27 PM

Welcome to BC
Let's see if we can get something to run
Can you bring up Task Manager using Ctrl + Shift then ESC?

Here are 2 other options to try instead of DDS. Hopefully one will work
We have a couple of other tricks

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
==================================

If that one doesn't work, try this one
Please download runscanner.zip and save to your desktop.
  • Create a new folder on your hard drive called Runscanner (C:\Runscanner) and extract (unzip) the file there.
    (click here if you're not sure how to do this.)
  • Double-click Runscanner.exe to launch.
  • Select Beginner mode and click Ok.
  • Select Do a full scan and save a log file (default is Full Scan) to start.
  • Please be patient and do not use your computer during the scan.
  • When the scan is complete, a window will open asking you to save runscanner.run. Click Cancel.
  • Another window will open asking you to save runscanner.log.
  • Save it to your desktop and "Save as type: Runscanner log file [*.log]".
  • The log file will automatically open in Notepad.
  • Go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the log file into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
  • Exit Runscanner when done.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If Runscanner did not work, then reply back here.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 janet0527

Posted 03 January 2010 - 11:09 AM

1) I can't run task manager using Ctrl-Shift-ESC - it tells me it has been disabled by the administrator. I can't run it from the command line as taskmgr either - same message.
2) I can't run tasklist from the command line - I get "ERROR: The RPC server is unavailable." (this used to work).
3) I can't run Internet Explorer - it starts to open then immediately closes.
4) I downloaded Firefox to another computer and burned it to a CD, then installed it on the infected computer. This runs, but I can't get to the internet. I have no idea if the infection is causing this, or if I have anti-virus software or firewall blocking it - with no task bar and no ability to run task manager that I can figure out, I don't know what's running or how I would disable it.
5) I downloaded both files referenced - RSIT.exe and runscanner.exe - burned to CD and then installed on the infected computer as instructed. At first, RSIT.exe seemed to be running, but then after maybe a minute of scanning the window closed up. Now when I try to run it again I get a message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." (I am logged on as administrator.) I searched for a log hoping maybe it wrote something, but no. I tried to run it directly from the CD thinking it couldn't adjust permissions on that file, but again it starts and then does nothing. Anyhow the instructions say I have to have an internet connection, which I don't.
6) runscanner.exe behaved the same way - seemed to be running fine but then just disappeared. I now get the same message as what I'm getting above for RSIT.exe if I try to rerun it. I also tried to run this again directly from the CD, but again it just closed up after seeming to be running successfully for a couple of minutes.

#4 janet0527

Posted 03 January 2010 - 05:37 PM

I've got a little more info - I did find a partial log from RSIT that it put in its own folder, but I have no way of copying the content up here as of yet, as it won't allow me to write files to the CD burner, I can't get to the internet, and I don't want to even try putting the computer on the network with anything else running on it to try copying files (plus it probably won't work). I say "partial" because it says "HijackThis download failed" so I'm assuming there is content missing. I noticed a registry key listed:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr=1

I was able to run regedit, modified it to a 0, exported and imported it, and voila, I can now run task manager. That's great progress, except I don't know enough about what's running to know what I can safely kill in hopes of being able to successfully run the diagnostic tools and be able to copy the log files to a CD that I can then read from another computer to post for assistance.

I guess I can just try randomly killing processes and see what happens? Maybe I'll get lucky and worst case I'll have to reboot? Would you suggest that?

Is there any way to get on the phone with someone because of this weird condition where I can't post any log content? If so send me an IM with a number and times I could call. That would be fabulous.
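The value the poster found lives under the user policy key; rogue antivirus programs of this family also set the matching value that blocks regedit, and the same key exists under HKLM. The following script is an added example, not from the thread: run from an elevated PowerShell prompt, it audits both keys for DisableTaskMgr and DisableRegistryTools and, with its own -Fix switch, removes them.

```powershell
# Added example (not part of the thread): audit and optionally clear the Task Manager /
# Registry Editor restrictions that Antivirus Pro 2010 set through DisableTaskMgr=1.
# Assumptions: elevated PowerShell prompt; -Fix is this script's own parameter.
[CmdletBinding()]
param([switch]$Fix)

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# A value of 1 means "disabled"; legitimate software rarely sets these on a home machine.
$restrictions = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path
    foreach ($name in $restrictions) {
        $prop = $key.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        Write-Host ("{0}\{1} = {2}" -f $path, $name, $prop.Value)
        if ($Fix -and $prop.Value -ne 0) {
            # Remove the value instead of writing 0 so Group Policy, if any, can re-apply its own.
            Remove-ItemProperty -Path $path -Name $name
            Write-Host ("  removed {0}" -f $name)
        }
    }
}
```

If the values come back after a reboot, something still running is re-applying them, which matches what the poster describes and is a sign the infection is not yet removed.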

#5 garmanma

Posted 03 January 2010 - 08:16 PM

Is there any way to get on the phone with someone because of this weird condition where I can't post any log content? If so send me an IM with a number and times I could call. That would be fabulous.

We are all volunteers and hardly anyone has a set time as to when they are by the computer
Open the Applications window of Task Manager and end all tasks
Start a new task and type explorer.exe That should give you back your Desktop
Do you have a thumb drive you can use instead of burning a bunch of disks?
Once we can get a log, we're going to send you to another section

This scan should work

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Mark

#6 janet0527


Posted 04 January 2010 - 02:25 AM

- I'm using CDs instead of a thumb drive because I'm ultra paranoid about transferring something from the infected computer to the one I'm using to download and post stuff. It sucks, but fortunately I do have a large stack of them. So far this is how I have downloaded the diagnostic tools on a working computer and moved them to the infected computer. Drag and drop in Explorer doesn't work, nor does copy/paste, but from the command line the copy command seems to be working. The problem with this approach is when I do finally get a log that I want to post, I have no way to get it from the infected computer back to the one I'm using to post here. If I use a thumb drive, am I at risk of transferring the infection to my working computer?

- The OTC.exe scan does exactly what the others did - seems to work for a minute and then the window just closes up. There's something running that is killing off almost anything I start running.

- When you said to kill all tasks through the Applications window on Task Manager, I only have known applications running (command window, explorer, regedit) though I did make one mistake probably. I killed the Antivirus Pro 2010 application, but I probably should have chosen "Go to Process" and then I could have chosen "End Process Tree" to kill all the processes that came from there. Now that I don't have the parent process running anymore, I don't know which processes are child processes that should be killed. Did you mean for me to kill everything through the Processes window (which I haven't done)? I can try that or try rebooting and more properly killing Antivirus Pro 2010 once it's back, but I'm a little afraid to reboot because it seems like each time I reboot it does additional damage (like things that worked previously don't work anymore). That hasn't exactly happened every time I've rebooted, but then again maybe it has - honestly not sure.

- Yeah I figured getting on the phone with someone would be unlikely but I had to ask and you can probably see why I did.

- I don't know if this helps, but I went back to RootRepeal and as long as I do *not* check Files for the scan, it will run, but I don't have a way to get the log back to my working computer to post here. Like I said above, I'm afraid to use a thumb drive and transfer something to my working computer - I'm hoping to get to the point on the infected computer where I can get to the internet and thus get to the forum to cut and paste content into these posts. It's a pretty short file - 5 drivers are listed and I can see from comparing the log file to the Drivers window in RootRepeal that it lists the ones where the files are not visible. Those listed are:
C:\WINDOWS\System32\Drivers\dump_atapi.sys
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
C:\WINDOWS\system32\drivers\rootrepeal.sys
C:\WINDOWS\win32k.sys:1
C:\WINDOWS\win32k.sys:2
Below that in the log under SSDT is this:
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a2348d8
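The `win32k.sys:1` and `win32k.sys:2` entries use NTFS alternate data stream (ADS) syntax, which is how RootRepeal reports hidden content attached to a legitimate file; reading them that way is an interpretation added here, not something the thread states. The script below is an added example, not from the thread, that lists non-default streams on win32k.sys and on every driver in the Drivers folder; it assumes PowerShell 3.0 or later for `Get-Item -Stream`.

```powershell
# Added example (not part of the thread): enumerate NTFS alternate data streams on win32k.sys
# and on each .sys file in the drivers folder, following the paths in the RootRepeal log above.
# Assumes PowerShell 3.0+ (Get-Item -Stream, Get-ChildItem -File). A kernel rootkit that hides
# files from Explorer can lie to a live scan too, so run this from a clean boot or against a
# mounted image of the disk before trusting a negative result.
function Get-DriverAds {
    param([string]$SystemRoot = $env:SystemRoot)

    $targets = @(
        (Join-Path $SystemRoot 'win32k.sys'),
        (Join-Path $SystemRoot 'System32\win32k.sys')
    )
    $driverDir = Join-Path $SystemRoot 'System32\Drivers'
    if (Test-Path -LiteralPath $driverDir) {
        $targets += Get-ChildItem -LiteralPath $driverDir -Filter '*.sys' -File |
            ForEach-Object { $_.FullName }
    }

    foreach ($file in $targets) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        # ':$DATA' is the file's normal content. Zone.Identifier is a benign mark-of-the-web
        # stream on downloaded files; any other stream on a kernel driver deserves a closer look.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{ File = $file; Stream = $_.Stream; Bytes = $_.Length }
            }
    }
}

Get-DriverAds | Format-Table -AutoSize
```

The SSDT entry showing NtConnectPort hooked by an unknown module is a kernel-level indicator that user-mode tools like this one cannot verify; it is the reason the later advice in this thread moves to offline tools and, ultimately, a reinstall.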

#7 janet0527


Posted 04 January 2010 - 02:50 AM

If I run Quick Scan instead of Run Scan with OTL.exe, it completes and produces OTL.Txt and Extras.Txt. I'm not sure what's *not* included by doing Quick Scan, and per my previous post I don't know of a safe way to get the log files to my working computer to post. =( Suggestions? Suggestions on a way to diagnose getting to the internet from the infected computer so I can post the log? Suggestions on what to look for in the log? BTW, I think the date I got infected was back on October 10 and one thing Quick Scan seems to do is change File Age to 14 days.

#8 garmanma

Posted 04 January 2010 - 07:15 PM

I'm using CDs instead of a thumb drive because I'm ultra paranoid about transferring something from the infected computer to the one I'm using

I hate to tell you this, but you can transfer a virus with a CD

When you said to kill all tasks through the Applications window on Task Manager, I only have known applications running

This is how an infection spreads, it latches on to a legitimate Microsoft file and hides

Download this to the working computer, plug in a thumb drive and run it

Please download
Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
======================

You can then download the OTL log to your thumb drive safely

You will need to use the log and start a new topic in our HJT forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

Just be sure to tell them that you could not run any of the other tools.
Add a link to this thread

The HJT team is extremely busy, so there can be a wait of up to 2 weeks. Please be patient and good luck
Mark

#9 janet0527


Posted 04 January 2010 - 07:22 PM

I can't transfer anything the way I'm using the CDs, because I'm only writing the diagnostic tools from the working computer to CD, then putting them in a read-only drive on the infected computer to copy the diagnostic tools from - nothing gets written to the CD from the infected computer. With a thumb drive, I'll be going back and forth, which really scares the hell out of me even with the flash_disinfector you reference below. Is there no way to get additional assistance without providing the log content directly in the posts? Can you help me diagnose why I can't get to the internet from the infected computer? Any other suggestions at all that don't involve bringing any media from the infected computer to my nice clean and primary one that I will be completely screwed if I infect? =( ??

#10 garmanma

Posted 05 January 2010 - 05:35 PM

All I can suggest that you do is to reformat the computer and reinstall the OS
Sorry
Mark