
Malware blocking everything


  • This topic is locked
41 replies to this topic

#1 vr6ownzu

  • Members
  • 29 posts

Posted 11 December 2012 - 05:15 AM

Computer is an old Compaq running XP: 2.8 GHz Celeron with an 80 GB drive, 512 MB memory. This has a ton of old photos and files I must save. Start menu and taskbar are gone. Internet access is completely blocked. Firefox opens but no internet. Internet Explorer won't do anything when clicked. I managed to download DDS onto a flash drive with another computer, and run it on the infected one, but I can't copy the resulting files, or drag and drop them into the flash drive. I can't move or copy and paste any files/folders. Can't even rearrange icons on the desktop. MBAM was previously installed and functional, but malware is blocking it now. Tried downloading it onto a flash drive under a different name, but it would not load.


I realized the computer would let me take a screenshot and save it in Paint, so that's what I did for the DDS files. I know it's inconvenient, but it's the only way I could get the results on here. The picture files had to be zipped due to their size.


Please help. Thanks for your time.



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 December 2012 - 09:07 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 vr6ownzu
  • Topic Starter
  • Members
  • 29 posts

Posted 14 December 2012 - 10:46 PM

Yes, I'm here and haven't touched anything on the affected computer.

Thanks for assisting.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 December 2012 - 09:22 PM

What we need is a tool that the malware won't attempt to block. Failing that, a different way to boot the system outside of Windows.

Let's try the first fix first.

  • Download RogueKiller (by tigzy) onto a flash drive and plug it into the infected machine
  • Start RogueKiller.exe from the flash drive folder
  • Right-click -> Run as administrator
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad into your next reply, or take a screenshot in Paint as before if you are still unable to do that


#5 vr6ownzu
  • Topic Starter
  • Members
  • 29 posts

Posted 15 December 2012 - 10:32 PM

I was able to run the scan and save the report to the flash drive. It's attached. I did not proceed with fixing or deleting any of the things it found. Figured it was best for you to have a look at the report first. Copy and paste is still unavailable for any files/folders, and the start menu is still gone. I did not check the internet, because I am running the computer in safe mode without networking.

Thanks again.


RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Safe mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 12/15/2012 22:16:04

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SHELLSPWN] HKUS\.DEFAULT[...]\command : ("C:\WINDOWS\TEMP\wmsdk64_32.exe" /START "%1" %*) -> FOUND
[SHELLSPWN] HKUS\S-1-5-18[...]\command : ("C:\WINDOWS\TEMP\wmsdk64_32.exe" /START "%1" %*) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 0a14fd8706b165d979e87e4042269e2f
[BSP] 84ca1a2bc92ffcdfebfd8825278d3aa0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 107945121505611168c884e670655e29
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 8203 | Size: 1871 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_12152012_02d2216.txt >>
RKreport[1]_S_12152012_02d2216.txt



Edited by vr6ownzu, 15 December 2012 - 10:33 PM.


#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 December 2012 - 09:40 PM

We can remove or fix these entries:
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on Delete
  • After it is complete, click on the Report button
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


#7 vr6ownzu
  • Topic Starter
  • Members
  • 29 posts

Posted 16 December 2012 - 10:55 PM

Here is the report. I have been running the computer in safe mode under the admin account, no networking. Completed the scan as requested and deleted what was found. I restarted it normally after the scan. Still no internet, copy/paste, or start menu. Computer appears unchanged. Restarted in safe mode, and no difference.



RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Safe mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 12/16/2012 21:40:53

Bad processes : 0

Registry Entries : 7
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[SHELLSPWN] HKUS\.DEFAULT[...]\command : ("C:\WINDOWS\TEMP\wmsdk64_32.exe" /START "%1" %*) -> REPLACED ("%1" %*)

Particular Files / Folders:

Driver : [NOT LOADED]

Infection : Rogue.AntiSpy-AH

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 0a14fd8706b165d979e87e4042269e2f
[BSP] 84ca1a2bc92ffcdfebfd8825278d3aa0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_12162012_02d2140.txt >>
RKreport[1]_S_12152012_02d2216.txt ; RKreport[2]_D_12162012_02d2140.txt
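As an added example (my own code, not RogueKiller's and not something posted in this thread), the following Python parses the registry-entry lines from the two reports above, gives each RogueKiller tag a plain-language meaning, and lists any finding from the scan report that has no matching line in the removal report. The tag meanings are my reading of the lines themselves: the SHELLSPWN entries show the `...\command` value used to launch programs wrapped with `C:\WINDOWS\TEMP\wmsdk64_32.exe` (the removal report restores it to `"%1" %*`), which fits the earlier observation that MBAM would not load even when renamed. The report excerpts are embedded verbatim as constructed input; the header and MBR sections are left out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry-entry lines copied verbatim from the two RogueKiller reports in the
# thread (scan of 15 Dec, removal of 16 Dec). Constructed input for this example.
SCAN_REPORT = r"""
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SHELLSPWN] HKUS\.DEFAULT[...]\command : ("C:\WINDOWS\TEMP\wmsdk64_32.exe" /START "%1" %*) -> FOUND
[SHELLSPWN] HKUS\S-1-5-18[...]\command : ("C:\WINDOWS\TEMP\wmsdk64_32.exe" /START "%1" %*) -> FOUND
"""

REMOVE_REPORT = r"""
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[SHELLSPWN] HKUS\.DEFAULT[...]\command : ("C:\WINDOWS\TEMP\wmsdk64_32.exe" /START "%1" %*) -> REPLACED ("%1" %*)
"""

ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] "                 # [HJPOL], [SHELLSPWN], ...
    r"(?P<hive>HK\w+)(?P<path>\\[^:]*?) : "  # hive and the (elided) key path
    r"(?:(?P<name>[^(]+?) )?"                # value name; absent on SHELLSPWN lines
    r"\((?P<data>.*)\) -> (?P<status>.+)$"   # value data and the action taken
)


@dataclass
class Finding:
    tag: str
    hive: str
    path: str
    name: Optional[str]
    data: str
    status: str

    @property
    def key(self):
        """Identity of the registry value, used to match scan lines to removal lines."""
        return (self.hive + self.path, self.name)


def parse_report(text: str) -> List[Finding]:
    """Extract registry findings; lines that are not findings (headers etc.) are skipped."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def spawned_binary(f: Finding) -> Optional[str]:
    """For a SHELLSPWN finding, the program inserted in front of the normal "%1" %*."""
    m = re.match(r'"([^"]+)"', f.data)
    return m.group(1) if m else None


def classify(f: Finding) -> str:
    """Plain-language meaning of each tag seen in the reports (my reading of the lines)."""
    if f.tag == "SHELLSPWN":
        return ("exe launch hijack: the ...\\command value runs "
                f"{spawned_binary(f)} before the requested program, so every .exe "
                "(a security tool included) starts through it; clean value is \"%1\" %*")
    if f.tag == "HJPOL":
        return f"policy restriction present: {f.name}"
    if f.tag == "HJ" and f.name and f.name.endswith("DisableNotify"):
        return f"Security Center warning suppressed: {f.name}"
    if f.tag == "HJ DESK":
        return f"desktop icon hidden under NewStartPanel: {f.name}"
    return f"unclassified tag {f.tag}"


def unresolved(scan_text: str, remove_text: str) -> List[Finding]:
    """Scan findings that have no corresponding line in the removal report."""
    handled = {f.key for f in parse_report(remove_text)}
    return [f for f in parse_report(scan_text) if f.key not in handled]


if __name__ == "__main__":
    for f in parse_report(SCAN_REPORT):
        print(f"{f.status:8} {classify(f)}")
    for f in unresolved(SCAN_REPORT, REMOVE_REPORT):
        print("not in removal report:", f.hive + f.path)
```

Run as-is it prints one classified line per scan finding and reports the HKUS\S-1-5-18 shell-spawn entry as the only finding without a line in the removal report (8 found, 7 acted on). On XP, HKEY_USERS\.DEFAULT is the hive of the LocalSystem account (S-1-5-18), so the single REPLACED line very likely covered both; the check is still worth running so that a rescan confirms it rather than assuming it.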

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 December 2012 - 07:12 PM

Please run FSS

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#9 vr6ownzu
  • Topic Starter
  • Members
  • 29 posts

Posted 17 December 2012 - 07:36 PM

Farbar Service Scanner Version: 10-12-2012
Ran by Julio (administrator) on 17-12-2012 at 19:27:44
Running from "F:\"
Microsoft Windows XP Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.

Dhcp Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of Dhcp. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of Dhcp. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Dhcp registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. Yahoo IP is unreachable
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.

netman Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Srservice registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Srservice registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Srservice registry key. The service key does not exist.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

EventSystem Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.

cryptsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open cryptsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open cryptsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open cryptsvc registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================

RpcSs Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open RpcSs registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open RpcSs registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open RpcSs registry key. The service key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-12 08:56] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-12 08:55] - [2008-08-14 04:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-12 09:01] - [2004-08-12 09:01] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-12 09:07] - [2008-06-20 05:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-12 08:58] - [2004-08-12 08:58] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-12 08:56] - [2008-02-20 00:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-12 08:58] - [2004-08-12 08:58] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2004-08-12 09:02] - [2005-08-22 13:29] - 0197632 ____A (Microsoft Corporation) 36739B39267914BA69AD0610A0299732

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2009-03-30 23:02] - [2004-08-12 09:10] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2009-03-30 23:03] - [2004-08-12 09:06] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2009-03-30 23:03] - [2004-08-12 09:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2004-08-12 09:10] - [2004-08-12 09:10] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2009-03-30 23:02] - [2004-08-12 09:10] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2009-03-30 23:04] - [2004-08-12 09:10] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll
[2009-03-30 23:04] - [2004-08-12 09:03] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2004-08-12 08:57] - [2008-07-07 15:32] - 0253952 ____A (Microsoft Corporation) 60D1A6342238378BFB7545C81EE3606C

C:\WINDOWS\system32\cryptsvc.dll
[2004-08-12 08:56] - [2004-08-12 08:56] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe
[2004-08-12 09:06] - [2012-01-15 15:43] - 0039424 ____A (Microsoft Corporation) 6F8DD4197E710F72849DE451DBD9D87C

C:\WINDOWS\system32\rpcss.dll
[2004-08-12 09:04] - [2009-02-09 05:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

C:\WINDOWS\system32\services.exe
[2004-08-12 09:05] - [2009-02-06 12:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE


Extra List:
=======
Avgtdix(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
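Reading an FSS log like the one above by hand means separating services whose registry key is gone entirely from services that still have a key but lost values. As an added example (my own code, not FSS's and not from this thread), the Python below does that triage over an excerpt of the log, and also decodes the hex blob in the "Extra List" and checks that every listed driver's tag appears in it. I assume that blob is a GroupOrderList-style REG_BINARY value (a little-endian DWORD count followed by that many DWORD tags); the decoding of the page's own blob gives eight tags, 5 1 2 3 4 8 6 7, which is consistent with the "IpSec Tag value is correct" line. Over the full log above the key-missing set comes out as Dnscache, sharedaccess, netman, Srservice, wscsvc, wuauserv, BITS, EventSystem, cryptsvc and RpcSs, while Dhcp and winmgmt keep their keys but have lost values. The excerpt is constructed input copied verbatim from the log.

```python
import re
from typing import Dict, List

# Excerpt of the FSS log from the thread (constructed input for this example:
# four of the service blocks plus the Extra List, copied verbatim).
FSS_SAMPLE = """\
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.

Dhcp Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of Dhcp. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of Dhcp. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Dhcp registry key. The service key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.

RpcSs Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open RpcSs registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open RpcSs registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open RpcSs registry key. The service key does not exist.
"""
EXTRA_TAGS = "Avgtdix(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)"
EXTRA_BLOB = "0x080000000500000001000000020000000300000004000000080000000600000007000000"

SERVICE_RE = re.compile(r"^(?P<svc>\w+) Service is not running\.")
OK_RE = re.compile(r"^The start type of (?P<svc>\w+) service is OK\.$")
ATTN_RE = re.compile(r"^Checking (?P<what>Start type|ImagePath|ServiceDll): ATTENTION!=+> (?P<msg>.+)$")


def triage_services(log: str) -> Dict[str, Dict[str, str]]:
    """Per service, record for each check whether it passed, the value was missing,
    or the key could not be opened at all. (ServiceDll lives under the Parameters
    subkey, so a 'key missing' there alone most likely means that subkey is gone.)"""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            current = m.group("svc")
            result.setdefault(current, {})
            continue
        m = OK_RE.match(line)
        if m:
            result.setdefault(m.group("svc"), {})["Start type"] = "ok"
            continue
        m = ATTN_RE.match(line)
        if m and current:
            msg = m.group("msg")
            if msg.endswith("The service key does not exist."):
                state = "key missing"
            elif msg.endswith("The value does not exist."):
                state = "value missing"
            else:
                state = "other: " + msg
            result[current][m.group("what")] = state
    return result


def missing_service_keys(log: str) -> List[str]:
    """Services whose key is gone entirely: all three checks fail the same way."""
    return sorted(svc for svc, checks in triage_services(log).items()
                  if checks and all(v == "key missing" for v in checks.values()))


def parse_tag_listing(listing: str) -> Dict[str, int]:
    """'Name(tag) Name(tag) ...' as printed in the Extra List."""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"(\w+)\((\d+)\)", listing)}


def decode_group_order(blob_hex: str) -> List[int]:
    """Decode a GroupOrderList-style REG_BINARY (format assumed): a little-endian
    DWORD count followed by that many little-endian DWORD tags."""
    raw = bytes.fromhex(blob_hex[2:] if blob_hex.lower().startswith("0x") else blob_hex)
    count = int.from_bytes(raw[:4], "little")
    if len(raw) < 4 + 4 * count:
        raise ValueError("blob shorter than its declared count")
    return [int.from_bytes(raw[4 + 4 * i:8 + 4 * i], "little") for i in range(count)]


def tag_check(listing: str, blob_hex: str) -> Dict[str, bool]:
    """Is each listed driver's tag present in the decoded load order?"""
    order = decode_group_order(blob_hex)
    return {name: tag in order for name, tag in parse_tag_listing(listing).items()}


if __name__ == "__main__":
    for svc, checks in triage_services(FSS_SAMPLE).items():
        print(svc, checks)
    print("key missing entirely:", missing_service_keys(FSS_SAMPLE))
    print("load order:", decode_group_order(EXTRA_BLOB), tag_check(EXTRA_TAGS, EXTRA_BLOB))
```

The point of the split is practical: a service whose key is gone needs its whole definition restored (which is what the registry file offered a few posts later is for), whereas a service with its key present but values missing needs only those values written back.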




#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 December 2012 - 08:33 PM

Download Windows Repair (all in one) from here

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

Posted Image



Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

Posted Image


Go to Step 4 and under "System Restore" click on Create button:

Posted Image


Go to Start Repairs tab and click Start button.

Posted Image


Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Posted Image

Click on box next to the Restart System when Finished. Then click on Start.

Then let me know how the machine is.

#11 vr6ownzu
  • Topic Starter
  • Members
  • 29 posts

Posted 17 December 2012 - 08:48 PM

After it was installed, I clicked on the icon, and get an alert saying:

failed to load control "lvButtons_H" from . Your version of may be outdated. Make sure you are using the version of the control that was provided with your application.

When I hit ok, nothing happens.

#12 vr6ownzu
  • Topic Starter
  • Members
  • 29 posts

Posted 17 December 2012 - 09:04 PM

This occurred both under a normal start and under admin in safe mode.

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 December 2012 - 09:12 PM

Are you still without internet access in normal mode? You need internet access for the Windows Repair tool to work correctly.

#14 vr6ownzu
  • Topic Starter
  • Members
  • 29 posts

Posted 17 December 2012 - 09:13 PM

Yes, I'm still without internet.

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 December 2012 - 09:19 PM

Let's try and give your machine the files it is missing. Download the file on this page to another computer and transfer it to the machine without connection via flash drive. Then run the file by double-clicking it. Then try the Windows Repair tool again.



