Malwarebytes, HijackThis, RootRepeal all won't run

[maximal]

The sVCHOSt.exe is 345 bytes

4.00 kb on disk

Thats the problem, an uncomplete download, re-download\save, from this link and click to run.

http://download.bleepingcomputer.com/sUBs/...x++/sVchost.exe

size:2.97 MB (3,124,190 bytes)

size on disk:2.98 MB (3,125,248 bytes)

The log is too big to fit in one post or to attach it (551k), let me know what I should do with it

[LonnyRJ]

Attach it here please

http://www.malwarebytes.org/forums/index.php?showforum=55

[maximal]

Attach it here please

http://www.malwarebytes.org/forums/index.php?showforum=55

http://www.malwarebytes.org/forums/index.php?showtopic=21559

[LonnyRJ]

Progress

Did you run it in safe mode it rebooted the pc and now running in none safe mode ?

Run sVchost.exe once more, first ensure all protection software is disabled or not running.

[maximal]

Progress

Did you run it in safe mode it rebooted the pc and now running in none safe mode ?

Run sVchost.exe once more, first ensure all protection software is disabled or not running.

When it boots into regular mode it now asks for my to enter my Windows product activation key.

When I enter the key that came with the computer, it says that it is not valid for this version of Windows. When I enter the upgrade key from Vista Ultimate, it gives an error saying that I cannot use this key on new installations (even though it is the key that was/is in use prior to this malware).

Either way it still won't let me log into Windows in regular mode.

Is this something that I have to contact Microsoft for, or is there a way to fix it in safe mode (I can still log into safe mode fine)

[LonnyRJ]

We can probaly deal with that later, did you try desktop\sVchost.exe again (special version of combofix)

Please do and post its log

C:\Windows\System32\scecli.dll 01/19/2008 03:36 AM 60,928

This is the file it should replace with a copy from another location

[maximal]

[maximal]

ComboFix Beta_09-08-12.05 - Gary 08/14/2009 7:57.3.2 - NTFSx86 MINIMAL

Microsoft

[LonnyRJ]

Does mbam open for you or do you still get the access denied message ?

If it wont open navigate to its folder in program files rightclick > properties on mbam.exe > security tab > advaned > edit > and remove if present "everyone" then tick the box for "include inheritible permisions etc etc" >click apply then OK

Run mbam do not scan instead go to "more tools" file assasin > run tool , paste in this line

c:\windows\System32\scecli.dll

click open > yes then ok, close mbam.

reboot your pc

Get and post both a mbam and desktop\sVchost.exe logs

=========

c:\windows\System32\scecli.dll is an infected legit windows file and windows will replace it

[maximal]

Does mbam open for you or do you still get the access denied message ?

If it wont open navigate to its folder in program files rightclick > properties on mbam.exe > security tab > advaned > edit > and remove if present "everyone" then tick the box for "include inheritible permisions etc etc" >click apply then OK

Run mbam do not scan instead go to "more tools" file assasin > run tool , paste in this line

c:\windows\System32\scecli.dll

click open > yes then ok, close mbam.

reboot your pc

Get and post both a mbam and desktop\sVchost.exe logs

=========

c:\windows\System32\scecli.dll is an infected legit windows file and windows will replace it

When I click on open after typing that line I get a box that says:

scecli.dll

This file is in use.

Enter a new name or close the file that's open in another program.

{OK}

If I click OK, it just brings me back to the "open" box for FileASSASSIN

[LonnyRJ]

No need to quote me everytime

Launch Notepad (not wordpad or other text editor), and copy and paste the contents of the code box below into a new text file.

Save it as file name: "fixme.reg" (not including the word code). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,74,00,00
;sceclt

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.

go start run type

%windir%\system32

press enter find and delete scecli.dll (cafefull of spelling), wait a few moments then look again for scecli.dll to see if windows replaced it, if it did great if not copy its from this location

C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll

to c:\windows\system32\

Now those logs please

[maximal]

ComboFix Beta_09-08-12.05 - Gary 08/14/2009 21:09.5.2 - NTFSx86 MINIMAL

Microsoft

[LonnyRJ]

Lets change Notification Packages value back to what it should be.

Launch Notepad (not wordpad or other text editor), and copy and paste the contents of the code box below into a new text file.

Save it as file name: "fixme.reg" (not including the word code). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
;scecli

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

---------------

When it boots into regular mode it now asks for my to enter my Windows product activation key.

Yes contact microsoft

You might even tell them of this thread.

Keep us informed please.

[maximal]

Lets change Notification Packages value back to what it should be.

Launch Notepad (not wordpad or other text editor), and copy and paste the contents of the code box below into a new text file.

Save it as file name: "fixme.reg" (not including the word code). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
;scecli

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

---------------

Yes contact microsoft

You might even tell them of this thread.

Keep us informed please.

Microsoft told me that my c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\softwarelicensing\tokens.dat file is corrupt, and the only way to fix it is to back my computer up and reinstall windows.

I don't think this is true, do you have any ideas?

[maximal]

Microsoft told me that my c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\softwarelicensing\tokens.dat file is corrupt, and the only way to fix it is to back my computer up and reinstall windows.

I don't think this is true, do you have any ideas?

Ok, this has been fixed and I'm now able to log into regular mode again (found a way to replace the tokens.dat file)

[maximal]

Ok, this has been fixed and I'm now able to log into regular mode again (found a way to replace the tokens.dat file)

everything appears to be fixed except I'm no longer able to use Windows Vista Aero Glass theme...

[maximal]

HJT log in case there was something I missed

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:53:14 PM, on 8/17/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18813)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\DELL\MediaDirect\PCMService.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Winamp\winampa.exe

C:\Windows\OEM02Mon.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Samsung\EmoDio\SMSTray.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\TiVo\Desktop\TranscodingService.exe

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\TiVo\Desktop\TiVoServer.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\DELL\QuickSet\quickset.exe

C:\Program Files\SetPoint\SetPoint.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Windows Sidebar\sidebar.exe

c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [sMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto

O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: QuickSet.lnk = C:\Program Files\DELL\QuickSet\quickset.exe

O4 - Global Startup: SetPoint.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O13 - Gopher Prefix:

O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab

O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - http://www.lojackforlaptops.com/ctmweb/testoc.cab

O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)

O23 - Service: PostgreSQL Database Server 8.0.0-rc1 (pgsql-8.0.0-rc1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0.0-rc1\bin\pg_ctl.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe

O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 10278 bytes

[LonnyRJ]

"everything appears to be fixed except I'm no longer able to use Windows Vista Aero Glass theme..."

Just now im more concerned with the apperant lack of an antivirus program, Is there a reason for this ?

[maximal]

"everything appears to be fixed except I'm no longer able to use Windows Vista Aero Glass theme..."

Just now im more concerned with the apperant lack of an antivirus program, Is there a reason for this ?

While I was trying to figure out what was preventing me from enabling Aero glass, I uninstalled Avira to see if it was preventing it, as it has caused a similar problem before, I ran this scan prior to reinstalling it.

[LonnyRJ]

You you tried second and third ideas they mention here ?

http://www.howtogeek.com/howto/windows-vis...nable-it-again/

[AdvancedSetup]

This post is closed. If you're having issues with Malware or similar issues with Cryptographic Services please start your own new post.