
Malware Has Locked Out My Anti-Malware Programs


8 replies to this topic

#1 he's dead jim


Posted 15 October 2015 - 01:10 PM

I am running a Windows XP 32 bit system. I clicked on what I thought was a legitimate install file, but it turned out to have some extra baggage.

At first, the task manager showed a bunch of svchosts and a process called Microsoft.com, and it was using 90 to 100 percent of CPU and memory.

I also found that not only were my anti-spyware and anti-malware programs not functioning, but when I tried to access the program directories, I get an error that says access denied.

I normally wait to be told to run ComboFix, but I am shutting this system down in another month or two so no harm done, plus I have been playing with ComboFix for a few years and I kind of got the hang of it for the most part.

ComboFix deleted a bunch of stuff, so I rebooted and ran RKill and TDSSKiller. Both of these programs found nothing, but I was able to re-install Malwarebytes and run it. It found and quarantined a bunch of stuff also.

I rebooted, and installed Avast antivirus and ran that as well. It also found and quarantined stuff, but I was unable to run anything else while it was installed so I uninstalled it. I tried to disable it first but it still interfered with too many things.

I was also able to run a stand alone version of HijackThis, and I removed all startup entries.

I have the ComboFix log and the Malwarebytes log. Let me know if you want me to post them.

The Avast log seems to have been deleted with the uninstall. I should have known that would happen, lol.

I should also mention that the original install file was the trial version of MacDrive 9 and I downloaded it from a legitimate website. I have since notified them of the infection.

Thanks.




#2 hamluis

Moderator

Posted 15 October 2015 - 02:30 PM

Please follow Steps 6-8 of Preparation Guide, Before Using Malware Removal Tools and Requesting Help - http://www.bleepingcomputer.com/forums/topic34773.html . If you have the CF log, you may also attach that or paste the content into this topic.

 

Louis



#3 he's dead jim

Topic Starter

Posted 15 October 2015 - 06:24 PM

Sorry, my bad.

I read the preparation guide from the Am I Infected? forum.

I have attached the Farbar logs as well as the CF log.

 

 

Attached Files



#4 nasdaq

Malware Response Team

Posted 16 October 2015 - 07:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold using the Add/Remove Programs applet.
Catalina Savings Printer (HKLM\...\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}) (Version: 1.0.0 - Catalina Marketing Corp) <==== ATTENTION
Freemake Video Converter version 4.1.6 (HKLM\...\Freemake Video Converter_is1) (Version: 4.1.6 - Ellora Assets Corporation)


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-790525478-343818398-682003330-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-790525478-343818398-682003330-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [No File]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [No File]
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-790525478-343818398-682003330-1003: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\DOCUME~1\Johnny\APPLIC~1\CATALI~1\NPBCSK~1.DLL [2013-06-07] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-03-20] (Coupons, Inc.)
S3 catchme; \??\C:\DOCUME~1\Johnny\LOCALS~1\Temp\catchme.sys [X]
R1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [X]
R1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
AlternateDataStreams: C:\WINDOWS\system32\cmd.exe:SummaryInformation
AlternateDataStreams: C:\WINDOWS\system32\cmd.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
CustomCLSID: HKU\S-1-5-21-790525478-343818398-682003330-1003_Classes\CLSID\{AD848A76-F236-5EE2-819B-2BDE7ED40AE7}\InprocServer32 -> C:\Documents and Settings\Johnny\Application Data\Catalina – Print Savings\npBcsKtTcHW.dll (Catalina Marketing Corporation)

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

How is the computer running now?

p.s.
HijackThis is no longer supported.
I suggest you remove it using the Add/Remove Programs applet.
Use the Farbar tool from now on to report problems.
<<<>>>
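As an added illustration (not part of nasdaq's post or of the FRST tool itself), a small Python parser for the fixlist format shown above: it reads a constructed subset of the post's entries and counts what a responder checks before asking a user to run a fix, namely restriction policies FRST flagged with ATTENTION and orphaned entries whose file is already gone ("No File" or "[X]"). The line patterns are my reading of the format as it appears in the post, not FRST's own grammar.

```python
import re

# Constructed sample in the FRST fixlist format used in the post above (a subset
# of its entries); a real run would read fixlist.txt instead.
SAMPLE_FIXLIST = r"""start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
S3 catchme; \??\C:\DOCUME~1\Johnny\LOCALS~1\Temp\catchme.sys [X]
R1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [X]
End
"""

DIRECTIVE_RE = re.compile(r"^(\w+):$")                          # e.g. EmptyTemp:
SERVICE_RE = re.compile(r"^([SR]\d) (\S+); (.+?)(?: \[X\])?$")  # S3 name; path [X]
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")        # Section: detail

def parse_fixlist(text):
    # Each entry gets a kind plus two triage flags; "start"/"end" are delimiters.
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.lower() in ("start", "end"):
            continue
        entry = {
            "raw": line, "kind": "other",
            "attention": "ATTENTION" in line,          # FRST flags suspicious policies
            "missing_file": "No File" in line or line.endswith("[X]"),  # orphan entry
        }
        if DIRECTIVE_RE.match(line):
            entry.update(kind="directive", name=line[:-1])
        elif (m := SERVICE_RE.match(line)):
            entry.update(kind="service", start=m.group(1), name=m.group(2), path=m.group(3))
        elif line.startswith(("HKLM\\", "HKU\\", "HKCU\\")):
            entry.update(kind="registry", key=line.split(":", 1)[0])
        elif (m := SECTION_RE.match(line)):
            entry.update(kind=m.group(1), detail=m.group(2))
        entries.append(entry)
    return entries

def triage(entries):
    # Summary counts a responder looks at before telling a user to click Fix.
    return {
        "directives": sum(e["kind"] == "directive" for e in entries),
        "services": sum(e["kind"] == "service" for e in entries),
        "attention": sum(e["attention"] for e in entries),
        "missing_file": sum(e["missing_file"] for e in entries),
    }
```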

#5 he's dead jim

Topic Starter

Posted 16 October 2015 - 08:43 AM

Thanks for all the help so far.

 

I still can't run the anti-malware programs or access their directories.

 

I get the same access denied error when I try to view the directories in windows explorer.

 

I attached the log files to this post.

 

 

Attached Files



#6 nasdaq

Malware Response Team

Posted 17 October 2015 - 07:43 AM

Failed to create a restore point.



Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore do a Registry backup. When you have completed this click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button then select just the item(s) listed below

    01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    .. 02.01 File Permissions C:\
    .. 02.02 File Permissions D:\
    03 - Reset Service permissions
    04 - Register System Files
    10 - Remove Policies Set By Infections
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file on your next reply.
===

Restart the computer normally.

If the problem remains I suggest you start a new topic in the Windows XP forum

http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

This is not caused by malware and I do not have a Windows XP to check further.

===

I will leave this topic open for 6 days.
If you need to return please do.

=======================


#7 he's dead jim

Topic Starter

Posted 17 October 2015 - 08:21 PM

I followed the instructions, but when the program got to the part of registering the system files, it made it as far as 324 files and then stopped.

 

The program is still running, but there has been no additional progress, no cpu usage, no reads or writes for about an hour and a half.

 

The rest of the computer functions fine in the sense that it's not frozen, nor did it crash.

It's just not doing anything.

 

Should I force a shutdown and try again?

 

thanks.


Edited by he's dead jim, 17 October 2015 - 08:22 PM.


#8 he's dead jim

Topic Starter

Posted 18 October 2015 - 08:37 AM

I shut down the progress window and the program resumed.

 

It finished with no errors.

 

I will test the programs that were giving me problems and if needed, I will start another topic as you suggested in your above post.

 

Thanks for all the help.

 

:)



#9 nasdaq

Malware Response Team

Posted 18 October 2015 - 08:40 AM

Yes.

Run it again but DO NOT SELECT 04 - Register System Files.

Let me know how things are.



