WiredWX Hobby Weather Tools

Redirecting Virus blocking all Anti-viral programs

3 posters

Re: Redirecting Virus blocking all Anti-viral programs

Hello.

We can't remove the malware just yet because Spybot will interfere. You can install it back once we are done. Smile...

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Spybot Search and Destroy

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\Windows\Tasks\bzuhknhx.job
    C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
    C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "d06888aa"=-
    "PC Antispyware 2010"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    "Cognac"=-
    "MSFox"=-
    "sysguard"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.
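
The `:reg` section of the script above writes two LSA values as opaque hex(7) data. Before running a fix script that touches the LSA key, it is worth confirming exactly which package names that hex encodes, because the DLLs listed under Authentication Packages and Notification Packages are loaded by the LSA process at startup; decoded, the second value names scecli, the same DLL the helper goes on to check with SystemLook. The following is an added Python example, not part of the helper's post and not OTMoveIt's own code: it parses the `:reg` section exactly as posted, decodes the REG_MULTI_SZ data (both OTMoveIt's single-byte form seen here and the UTF-16LE form regedit exports), and checks the two values against the stock Windows XP contents, msv1_0 and scecli. The expected-defaults table is my assumption about a default XP install, not something the thread states.

```python
import re

# Constructed sample: the :reg section of the OTMoveIt script posted above.
REG_SCRIPT = r"""
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d06888aa"=-
"PC Antispyware 2010"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
"Cognac"=-
"MSFox"=-
"sysguard"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"""

# Stock Windows XP contents of the two LSA package lists.  This table is my
# assumption about a default XP install, not something the thread states.
EXPECTED_LSA = {
    "Authentication Packages": ["msv1_0"],
    "Notification Packages": ["scecli"],
}


def decode_multi_sz(hex_list):
    """Decode .reg-style hex(7) data (REG_MULTI_SZ) into a list of strings.

    The data is a run of NUL-terminated strings closed by one more NUL.
    OTMoveIt writes single-byte characters (as in the script above); regedit
    exports UTF-16LE, where every odd byte is 0x00, so both forms are handled."""
    raw = bytes(int(b, 16) for b in hex_list.split(",") if b.strip())
    if raw and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_reg_section(script):
    """Return (key, value_name, action) tuples from an OTMoveIt :reg section.

    action is the string 'delete' for '=-' lines, a list of strings for
    hex(7) data, and the raw text for anything else."""
    ops, key = [], None
    for line in script.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if data == "-":
            ops.append((key, name, "delete"))
        elif data.startswith("hex(7):"):
            ops.append((key, name, decode_multi_sz(data[len("hex(7):"):])))
        else:
            ops.append((key, name, data))
    return ops


def lsa_packages_restored_to_default(ops):
    """True when every LSA package list the script writes equals the XP default."""
    lsa = [(name, data) for key, name, data in ops
           if key.lower().endswith(r"\control\lsa") and isinstance(data, list)]
    return bool(lsa) and all(EXPECTED_LSA.get(name) == data for name, data in lsa)


if __name__ == "__main__":
    ops = parse_reg_section(REG_SCRIPT)
    for key, name, action in ops:
        print(f"{key}\\{name}: {action}")
    print("LSA package lists reset to XP defaults:", lsa_packages_restored_to_default(ops))
```

Run stand-alone, the script lists the six Run-key values the fix deletes and reports that both LSA lists are being reset to their defaults; a fix script that wrote any other name into Notification Packages would fail the last check and deserve a second look before it is executed.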

Re: Redirecting Virus blocking all Anti-viral programs

========== FILES ==========
C:\Windows\Tasks\bzuhknhx.job moved successfully.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job moved successfully.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\d06888aa deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PC Antispyware 2010 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Cognac deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSFox deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\sysguard deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!

OTM by OldTimer - Version 3.0.0.6 log created on 08102009_145711

Re: Redirecting Virus blocking all Anti-viral programs

Smile... Didn't think that would work. Guess the bad guys haven't caught up with that tool yet.

Give Hijack This a try now.

Re: Redirecting Virus blocking all Anti-viral programs

HijackThis still won't open when I click on it, or even when I rename it. Should I try it in safe-mode?

Re: Redirecting Virus blocking all Anti-viral programs

Yes, but I suspect it still won't open; let me know anyhow.

Re: Redirecting Virus blocking all Anti-viral programs

It didn't run in safe-mode, even when I attempted to re-name it. Where do we go from here?

Re: Redirecting Virus blocking all Anti-viral programs

I want to check something.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    scecli.dll
    netlogon.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: the log can also be found on your Desktop, entitled SystemLook.txt.

Re: Redirecting Virus blocking all Anti-viral programs

Here are the results:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 17:57 on 10/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [03:25 21/05/2008] [08:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [08:12 17/01/2001] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 18/08/2001] [00:12 14/04/2008] (Unable to calculate MD5)

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [03:25 21/05/2008] [08:56 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [08:12 17/01/2001] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [12:00 18/08/2001] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

-=End Of File=-

Re: Redirecting Virus blocking all Anti-viral programs

Nice, the crot infection.

1. Please download The Avenger by Swandog46 to your Desktop.
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\scecli.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Redirecting Virus blocking all Anti-viral programs

All rightly:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\scecli.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Redirecting Virus blocking all Anti-viral programs

Okay, I need you to re-run the SystemLook script again; I need to know if that scecli.dll is back or not, and whether it's a clean copy or not.

Re: Redirecting Virus blocking all Anti-viral programs

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 18:11 on 10/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [03:25 21/05/2008] [08:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [08:12 17/01/2001] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [03:25 21/05/2008] [08:56 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [08:12 17/01/2001] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [12:00 18/08/2001] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

-=End Of File=-
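
The two SystemLook logs in this thread show the three places a Windows XP system file can live: the `$NtServicePackUninstall$` backup, the `ServicePackFiles\i386` copy the service pack installed, and the `system32` copy Windows actually loads. The helper read them by eye: in the first log the system32 scecli.dll is 60928 bytes against a 181248-byte reference and its MD5 could not be calculated, while netlogon.dll matches its reference copy byte for byte; in the second log, after The Avenger ran, the system32 copy is simply gone. The following is an added Python example, not from the posts and not SystemLook's own code: it parses the filefind format and reports how each live copy deviates from its ServicePackFiles reference, using the two posted logs as constructed input. Agreement with the reference is evidence rather than proof, since a reference copy can itself be tampered with; a hash check against a known-good catalog is the stronger test.

```python
import re
from collections import defaultdict

# Constructed sample input: the filefind sections of the two SystemLook logs posted
# in this thread, before and after The Avenger deleted C:\WINDOWS\system32\scecli.dll.
LOG_BEFORE = r"""
Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [03:25 21/05/2008] [08:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [08:12 17/01/2001] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 18/08/2001] [00:12 14/04/2008] (Unable to calculate MD5)

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [03:25 21/05/2008] [08:56 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [08:12 17/01/2001] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [12:00 18/08/2001] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
"""

LOG_AFTER = r"""
Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [03:25 21/05/2008] [08:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [08:12 17/01/2001] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
"""

SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
# path, six attribute flags, size, created and modified stamps, then MD5 or an error note
ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>.+)$"
)

REFERENCE_DIR = "\\servicepackfiles\\"   # pristine copies the service pack installed
LIVE_DIR = "\\system32\\"                 # the copy Windows actually loads


def parse_filefind(log_text):
    """Return {searched name: [{path, size, md5}, ...]} from a SystemLook filefind log."""
    results = defaultdict(list)
    current = None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group(1).lower()
            results.setdefault(current, [])   # record the search even if nothing is found
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            md5 = m.group("md5").strip()
            results[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                # SystemLook prints "(Unable to calculate MD5)" when it cannot read the file.
                "md5": None if md5.startswith("(") else md5.upper(),
            })
    return dict(results)


def check_live_copies(results):
    """Compare each live system32 copy with its ServicePackFiles reference.

    Returns {name: [findings]}; an empty list means the live copy matches."""
    findings = {}
    for name, entries in results.items():
        ref = next((e for e in entries if REFERENCE_DIR in e["path"].lower()), None)
        live = next((e for e in entries if LIVE_DIR in e["path"].lower()), None)
        issues = []
        if live is None:
            issues.append("no copy present in system32")
        elif ref is None:
            issues.append("no ServicePackFiles reference copy to compare against")
        else:
            if live["size"] != ref["size"]:
                issues.append(f"size {live['size']} differs from reference {ref['size']}")
            if live["md5"] is None:
                issues.append("MD5 could not be calculated for the live copy")
            elif live["md5"] != ref["md5"]:
                issues.append(f"MD5 {live['md5']} differs from reference {ref['md5']}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        for name, issues in check_live_copies(parse_filefind(log)).items():
            print(f"[{label}] {name}: {'; '.join(issues) or 'consistent with reference'}")
```

On the first log the check flags scecli.dll twice (size mismatch and unreadable MD5) and passes netlogon.dll; on the second it reports that system32 no longer holds a scecli.dll at all, which is the state the helper describes before planning to replace the file.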

Re: Redirecting Virus blocking all Anti-viral programs

Well, it hasn't come back with a clean copy; we'll replace it later anyway.

See if you can run Hijack This now.

Re: Redirecting Virus blocking all Anti-viral programs

Nope, I still can't open it. I click on it, but nothing happens.

Re: Redirecting Virus blocking all Anti-viral programs

Can you re-run SilentRunners so we have an updated log?
