Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected- I've hit a wall


  • Please log in to reply
8 replies to this topic

#1 JerseyITGuy76

JerseyITGuy76

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:06:37 PM

Posted 18 May 2012 - 01:56 PM

I'm working on a user's Windows 7 PC here, & I've hit the proverbial brick wall. He came to us because he had suddenly lost his network connection. I checked his physical connections, both at the PC and the data jack in the wall. They were both fine. I also noticed that the icon on his desktop for Computer had changed. The odd thing was that he could get out to the local network, just not the internet. I tried to load my USB flash drive to run MBAM & a couple of other things, but it wasn't recognizing that the drive was even there.

I was able to run MBAM in safe mode & it found "Exploit.Drop.2" which I had it clean. I've run 2 more MBAM scans since then, as well as a SuperAntiSpyware scan, a scan in our anti-virus (McAfee corporate), RKill, TDSS Killer, & they have all come up clean. However, I am unable to run any .exe files unless I'm in safe mode. If I try, I get "The specified service does not exist as an installed service."

HELP!!!! I've had this machine for 2 days & am getting beyond frustrated!!

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:37 PM

Posted 18 May 2012 - 07:51 PM

Welcome aboard Posted Image

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

========================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

======================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 JerseyITGuy76

JerseyITGuy76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:06:37 PM

Posted 21 May 2012 - 09:56 AM

OK... here's the BootKit log:
***************************************

Bootkit Remover
© 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0cbf3400
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
1863 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
**********************************************************************
**********************************************************************
Here's the aswMBR log:
**********************************************************************


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-21 10:27:46
-----------------------------
10:27:46.343 OS Version: Windows x64 6.1.7601 Service Pack 1
10:27:46.343 Number of processors: 4 586 0x2A07
10:27:46.359 ComputerName: KWINSALES3 UserName: IT Admin
10:27:47.794 Initialize success
10:28:04.143 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-6
10:28:04.143 Disk 0 Vendor: SAMSUNG_HD204UI 1AQ10001 Size: 1907729MB BusType: 3
10:28:04.158 Disk 0 MBR read successfully
10:28:04.158 Disk 0 MBR scan
10:28:04.158 Disk 0 Windows 7 default MBR code
10:28:04.158 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 200 MB offset 2048
10:28:04.174 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 1907524 MB offset 417690
10:28:04.189 Disk 0 scanning C:\Windows\system32\drivers
10:28:08.479 Service scanning
10:28:18.604 Modules scanning
10:28:18.604 Disk 0 trace - called modules:
10:28:18.619 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
10:28:18.619 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007cbd060]
10:28:18.619 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa80076f0580]
10:28:18.619 5 ACPI.sys[fffff88000f8f7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-6[0xfffffa8007709060]
10:28:18.619 Scan finished successfully
10:29:49.911 Disk 0 MBR has been saved successfully to "I:\Adware removal-cleaning tools\alaros cleanup\MBR.dat"
10:29:49.926 The log file has been saved successfully to "I:\Adware removal-cleaning tools\alaros cleanup\aswMBR.txt"

********************************************************************************
********************************************************************************
GMER found nothing, & the .log file is blank, so no point in posting that. For the record, I had to run these in safe mode, as they would not run when booted up normally. Just making you aware of that, as I don't know if it has any bearing on the findings.

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:37 PM

Posted 21 May 2012 - 06:43 PM

So far I don't see much there.

Let's see about .exe and internet connection.

Download FixExec.exe to your desktop.
Double click on downloaded file to run the fix.
When the program has finished, it will generate a log on the desktop called FixExec.exe.
Post the log in your next reply.

NOTE. If for any reason you're not able to execute FixExec.exe rename it to FixExec.com, FixExec.pif or FixExec.scr.

===============================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#5 JerseyITGuy76

JerseyITGuy76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:06:37 PM

Posted 22 May 2012 - 08:40 AM

I am unable to run FixExec with any of those extensions. I'm going to try running both in Safe Mode to see if it does anything.

#6 JerseyITGuy76

JerseyITGuy76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:06:37 PM

Posted 22 May 2012 - 09:13 AM

OK... so I ran both in safe mode. Here are the results:
*************************************************************************
FixExec


FixExec by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about FixExec can be found at this link:
http://www.bleepingcomputer.com/download/windows/utilities/fixexec

Program started at: 05/22/2012 09:43:56 AM in x64 mode.
Windows Version: Windows 7

Checking for processes to terminate before fixing executable associations.
* No processes found to kill.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

* HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!

* HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!

* HKLM\Software\Classes\.com\\@ has been changed to ComFile!
* HKLM\Software\Classes\.com\\@ was reset to comfile!


Program finished at: 05/22/2012 09:44:00 AM
Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)

*******************************************************************************
*******************************************************************************
FSS log

Farbar Service Scanner Version: 17-05-2012
Ran by IT Admin (administrator) on 22-05-2012 at 09:47:45
Running from "C:\Users\IT Admin\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
The start type of nsiproxy service is OK.
The ImagePath of nsiproxy service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

PlugPlay Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:37 PM

Posted 22 May 2012 - 10:33 AM

Any change regarding .exe in normal mode?

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#8 JerseyITGuy76

JerseyITGuy76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:06:37 PM

Posted 22 May 2012 - 11:20 AM

Sadly no.

#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:37 PM

Posted 22 May 2012 - 11:40 AM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users