
Can't run MBAM or Hijackthis or any other scans



I am having the problem much like many other recent posters. I have tried many of the solutions in the pinned threads but can't get combofix or any of the other programs to run either. Renaming programs also doesn't work. I hear ads playing and get redirects when I try to use the web.

Any suggestions? Thanks so much!!


Hello & Welcome to Malwarebytes'

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Options, then click Track this topic. Make sure it is set to Immediate Email Notification, then click Proceed.

In the meantime please note the following:

  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS

Download DDS.scr by sUBs from one of the following links & save it to your desktop.

Link 1

Link 2

  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    [image: th_Gmer_initScan.gif]
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:

Contents of DDS log

Contents of Attach.txt

Contents of Gmer log

I will try this and respond within 3 hours from this post. Thank you!


I was able to download dds.scr but it would not run. Or at least it appeared to start but the logs never appeared despite waiting 15-20 minutes each time.

I was able to download and run GMER Rootkit Scanner. Here is the log:

GMER 1.0.15.15020 [e3n79m57.exe] - http://www.gmer.net

Rootkit scan 2009-08-09 16:38:49

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF67759AA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF6775958]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF677596C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF6775A57]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF6775A83]

Code 869E3EC6 ZwEnumerateKey

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF6775ADB]

Code 86962610 ZwFlushInstructionCache

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF67759EA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF6775B1D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF6775A2D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF6775930]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF6775944]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF67759BE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF6775B59]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF6775AC5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF6775AAF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF6775A6D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF6775B45]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF6775B31]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF6775996]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF6775982]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF6775A19]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF6775B07]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF6775A00]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF67759D4]

Code 8698D2AE IofCallDriver

Code 869D431E IofCompleteRequest

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [256] 0x35670000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [504] 0x35670000

Library C:\WINDOWS\system32\ntelogon.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [616] 0x744B0000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [776] 0x35670000

Library \\?\globalroot\Device\__max++>\016F1C66.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [832] 0x35670000

Library \\?\globalroot\Device\__max++>\016F1C66.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [896] 0x35670000

Library \\?\globalroot\Device\__max++>\016F1C66.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [952] 0x35670000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [988] 0x35670000

Library \\?\globalroot\Device\__max++>\016F1C66.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1804] 0x35670000

Library \\?\globalroot\Device\__max++>\016F1C66.x86.dll (*** hidden *** ) @ c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [1952] 0x35670000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2020] 0x35670000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [3424] 0x35670000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3472] 0x35670000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3756] 0x35670000

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3780] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETwtkptbxc.sys (*** hidden *** ) [sYSTEM] SKYNETcquwmdbp <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp@imagepath \systemroot\system32\drivers\SKYNETwtkptbxc.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main@aid 10096

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main@sid 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main@cmddelay 14400

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main\delete@C:\DOCUME~1\Owner\LOCALS~1\Temp\ytasfwnsviriesbc.tmp

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETwtkptbxc.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtcmfyqyq.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\modules@SKYNETlog.dat \systemroot\system32\SKYNETmayufifi.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETjnbtlkhn.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\modules@SKYNET.dat \systemroot\system32\SKYNETbedxevum.dat

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

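The GMER log above is the kind of output a helper reads by eye. As an added example (not part of the thread and not GMER's own code), the Python script below parses that log layout and pulls out the three things the helper acted on: modules GMER marks as hidden inside running processes, services it flags as rootkits, and the registry keys that belong to those services. The sample log is a constructed excerpt of the log posted above, plus one constructed non-hidden library line so the filter has something to skip; the regular expressions and the `triage` and `injection_map` function names are the example's own assumptions about the format.

```python
"""Triage a GMER rootkit-scanner log for the indicators a helper reads first.

Added example, not code from the thread or from GMER. GMER writes a header,
then sections introduced by '---- Name - GMER x.y.z ----' with one entry per
line. SAMPLE_LOG is a constructed excerpt of the log posted in the thread
plus one constructed, non-hidden Library line (kernel32.dll) as a control.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""GMER 1.0.15.15020 [e3n79m57.exe] - http://www.gmer.net
Rootkit scan 2009-08-09 16:38:49
Windows 5.1.2600 Service Pack 3

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [776] 0x35670000
Library C:\WINDOWS\system32\ntelogon.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [616] 0x744B0000
Library \\?\globalroot\Device\__max++>\1D37231C.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3756] 0x35670000
Library C:\WINDOWS\system32\kernel32.dll @ C:\WINDOWS\system32\svchost.exe [776] 0x7C800000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETwtkptbxc.sys (*** hidden *** ) [sYSTEM] SKYNETcquwmdbp <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp@imagepath \systemroot\system32\drivers\SKYNETwtkptbxc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcquwmdbp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETjnbtlkhn.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HIDDEN = r"(?P<hidden>\(\*\*\* hidden \*\*\* \) )?"   # GMER's marker for objects hidden from normal enumeration
LIBRARY_RE = re.compile(r"^Library (?P<module>.+?) " + HIDDEN +
                        r"@ (?P<process>.+?) \[(?P<pid>\d+)\] 0x[0-9A-Fa-f]+$")
SERVICE_RE = re.compile(r"^Service (?P<image>.+?) " + HIDDEN +
                        r"\[(?P<state>\w+)\] (?P<name>\S+)(?P<flag> <-- ROOTKIT !!!)?$")
REG_RE = re.compile(r"^Reg (?P<key>[^@]+)(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$")


def parse_sections(text):
    """Split the log into {section name: [entry lines]}; the header and blank lines are dropped."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Collect hidden modules, flagged services and the registry keys tied to those services."""
    sections = parse_sections(text)
    findings = {"hidden_modules": [], "rootkit_services": [], "service_registry": {}}

    for line in sections["Processes"]:
        m = LIBRARY_RE.match(line)
        if m and m.group("hidden"):
            findings["hidden_modules"].append(
                {"module": m.group("module"), "process": m.group("process"), "pid": int(m.group("pid"))})

    for line in sections["Services"]:
        m = SERVICE_RE.match(line)
        if m and (m.group("flag") or m.group("hidden")):
            findings["rootkit_services"].append({"name": m.group("name"), "image": m.group("image")})

    # Registry lines are tied back to a flagged service by its name under \Services\.
    names = [s["name"] for s in findings["rootkit_services"]]
    for line in sections["Registry"]:
        m = REG_RE.match(line)
        if not m:
            continue
        owner = next((n for n in names if "\\Services\\" + n in m.group("key")), None)
        if owner is None:
            continue
        entry = findings["service_registry"].setdefault(owner, {"keys": [], "values": {}})
        if m.group("value") is None:
            entry["keys"].append(m.group("key"))
        else:
            entry["values"][m.group("key") + "@" + m.group("value")] = m.group("data") or ""
    return findings


def injection_map(findings):
    """Group hidden modules by path -> sorted host PIDs, showing how widely each was injected."""
    hosts = defaultdict(set)
    for hit in findings["hidden_modules"]:
        hosts[hit["module"]].add(hit["pid"])
    return {module: sorted(pids) for module, pids in hosts.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc in result["rootkit_services"]:
        print("flagged service:", svc["name"], "->", svc["image"])
    for module, pids in injection_map(result).items():
        print("hidden module", module, "in PIDs", pids)
```

Run against the full log posted above, the injection map shows the same hidden module mapped into svchost.exe, alg.exe, spoolsv.exe and both iexplore.exe instances, and ntelogon.dll hidden inside lsass.exe, which lines up with the helper's later interest in the Lsa registry key.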

Hi

ComboFix

Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):

Link 1

Link 2

**IMPORTANT !!! RENAME ComboFix.exe to commy.exe BEFORE you save it to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[image: Query_RC.gif]

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:

ComboFix log

Update on how the computer is running


You have a couple of Rootkits on board, one of which is new & particularly nasty.

RootRepeal

Download RootRepeal.zip from here & unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program

Copy the contents of RootRepeal.txt in your next reply


I should also mention that PC Antispyware 2010 is popping up all the time now and causing difficulty. I don't know where it came from and I can't remove it in any normal way.


Hi

We need to try & kill the main Rootkit infection before we can do anything else. I need a little more information so please run the following batch file:

Look.bat

  • Open Notepad by clicking Start>Run, type in Notepad then click OK
  • Copy the contents of the Code Box below to Notepad
  • Name the file as Look.bat
  • Change the Save as Type to All Files
  • Save the file to your Desktop
@ECHO OFF
REM List every copy of the three DLLs under C:\WINDOWS (including hidden/system files) into Log.txt
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\ntelogon.dll >Log.txt
REM Open the log, then delete this batch file
START Log.txt
DEL %0

Double click on the Look.bat. A window will open and close. This is normal.

It will produce a log file named Log.txt on your desktop. Post the contents of the file in your next reply.


Volume in drive C has no label.

Volume Serial Number is 18C9-AC45

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:00 PM 407,040 netlogon.dll

2 File(s) 587,264 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

2 File(s) 588,288 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 407,040 netlogon.dll

2 File(s) 588,288 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 60,928 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

2 File(s) 467,968 bytes

Directory of C:\WINDOWS\system32\dllcache

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04/13/2008 08:12 PM 407,040 netlogon.dll

2 File(s) 588,288 bytes

Total Files Listed:

10 File(s) 2,820,096 bytes

0 Dir(s) 109,890,101,248 bytes free


Hi

Download +++.exe from Here & save it to your desktop. Double click on +++.exe & allow it to run. Once the machine reboots delete the copy of ComboFix you have & download it again & see if it runs:

Link 1

Link 2

Let me know what happens & if successful post the contents of the ComboFix log.


Hi

We'll have to do this the long way. Make sure you follow the instructions to the letter. We'll do this in two parts. First I need you to export a Registry Key. Once we have that we'll continue with the second part:

Click Start>>Run then copy/paste the following into the Run box & click OK:

regedit /e c:\output.txt "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa"

This will produce a txt file in C:\ called output (C:\output.txt)

Copy/paste the content of output.txt in your next reply. Once we have this I will have a registry fix for you.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\

00

"Bounds"=hex:00,30,00,00,00,20,00,00

"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\

00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\

6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\

00

"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001

"LsaPid"=dword:0000026c

"SecureBoot"=dword:00000001

"auditbaseobjects"=dword:00000000

"crashonauditfail"=dword:00000000

"disabledomaincreds"=dword:00000000

"everyoneincludesanonymous"=dword:00000000

"fipsalgorithmpolicy"=dword:00000000

"forceguest"=dword:00000001

"fullprivilegeauditing"=hex:00

"limitblankpassworduse"=dword:00000001

"lmcompatibilitylevel"=dword:00000000

"nodefaultadminowner"=dword:00000001

"nolmhash"=dword:00000000

"restrictanonymous"=dword:00000000

"restrictanonymoussam"=dword:00000001

"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders]

"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\

54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\

00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\Windows NT Access Provider]

"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\

6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Data]

"Pattern"=hex:cc,88,80,70,6e,95,6a,fe,f2,2a,7c,ef,95,3b,83,32,31,38,30,35,39,\

61,62,34,00,00,00,00,0f,9d,00,00,18,ca,06,00,99,d0,bf,71,04,ca,06,00,10,00,\

00,00,00,00,00,00,f4,c4,83,14,20,e9,05,3d,57,cf,f2,18

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\GBG]

"GrafBlumGroup"=hex:12,1b,63,8b,f9,2f,d6,3e,e9

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\JD]

"Lookup"=hex:16,38,d6,f7,58,1d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\msv1_0]

"ntlmminclientsec"=dword:00000000

"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Skew1]

"SkewMatrix"=hex:dd,b1,77,65,ea,f6,0b,1e,3d,aa,45,a7,91,2f,b7,4b

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SSO\Passport1.4]

"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache]

"Time"=hex:94,db,f4,1a,08,99,c9,01

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll]

"Name"="Digest"

"Comment"="Digest SSPI Authentication Package"

"Capabilities"=dword:00004050

"RpcId"=dword:0000ffff

"Version"=dword:00000001

"TokenSize"=dword:0000ffff

"Time"=hex:00,54,cf,23,c4,9d,c8,01

"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll]

"Name"="DPA"

"Comment"="DPA Security Package"

"Capabilities"=dword:00000037

"RpcId"=dword:00000011

"Version"=dword:00000001

"TokenSize"=dword:00000300

"Time"=hex:00,db,62,27,c4,9d,c8,01

"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll]

"Name"="MSN"

"Comment"="MSN Security Package"

"Capabilities"=dword:00000037

"RpcId"=dword:00000012

"Version"=dword:00000001

"TokenSize"=dword:00000300

"Time"=hex:00,08,94,28,c4,9d,c8,01

"Type"=dword:00000031

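The export above stores the LSA package lists as hex(7) byte dumps, which is hard to read by eye. As an added example (not code from the thread), the Python snippet below parses a regedit /e export, reassembles the backslash-continued lines, and decodes hex(7) (REG_MULTI_SZ) and hex(2) (REG_EXPAND_SZ) values from UTF-16LE back into strings. Run on a constructed excerpt of the export above, it shows that Notification Packages is exactly "scecli", the package name the fix.reg posted further down in the thread blanks out; the second constructed sample is that fix file. The `parse_reg` function and its helpers are the example's own.

```python
"""Decode a regedit /e export (and a REGEDIT4 fix file) into Python values.

Added example, not code from the thread. hex(7) values are REG_MULTI_SZ and
hex(2) values are REG_EXPAND_SZ; both are UTF-16LE byte dumps, split across
lines with a trailing backslash when long. SAMPLE_REG is a constructed
excerpt of the Lsa export posted in the thread; FIX_REG is the fix.reg
posted later in the same thread.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
"""

FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):00
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$")


def _join_continuations(text):
    """Reassemble values that regedit split over lines ending in a backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _decode_body(body):
    """Turn the right-hand side of a value line into an int, str, list or bytes."""
    if body.startswith("dword:"):
        return int(body[6:], 16)
    if body.startswith('"') and body.endswith('"'):
        return body[1:-1]
    m = HEX_RE.match(body)
    if not m:
        return body
    data = bytes(int(b, 16) for b in m.group("data").split(",") if b)
    kind = m.group("type") or "3"          # bare "hex:" is REG_BINARY (type 3)
    if kind in ("1", "2", "7"):
        if len(data) % 2:                   # fix.reg's single 00 byte: pad to a whole UTF-16 unit
            data += b"\x00"
        text = data.decode("utf-16-le")
        if kind == "7":                     # REG_MULTI_SZ: NUL-separated, double NUL terminated
            return [s for s in text.split("\x00") if s]
        return text.rstrip("\x00")
    return data


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = _decode_body(m.group("body"))
    return result


if __name__ == "__main__":
    lsa = parse_reg(SAMPLE_REG)[r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa"]
    for name in ("Authentication Packages", "Security Packages", "Notification Packages"):
        print(name, "->", lsa[name])
    print("after fix.reg ->", parse_reg(FIX_REG)[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"])
```

Notification Packages names the DLLs lsass.exe loads at boot for password-change notification; blanking the list, as the fix.reg does, stops lsass loading the listed scecli.dll before the undersized copy in system32 is dealt with.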

Ok good

Fix.reg

  • Open Notepad by clicking Start>Run, type in Notepad then click OK
  • Copy the contents of the Code Box below to Notepad
    Note: In Notepad, there must be NO blank lines before the word 'REGEDIT4' and there MUST be one blank line at the end of all the lines. To do this, place the cursor at the end of the last line of text and press Return/Enter on the keyboard.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • Save the file to your Desktop
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):00

Double click on the fix.reg file & when it prompts to Merge click Yes. REBOOT the computer.

Once you have run the reg fix & rebooted the computer please do the following:

View Hidden Files & Folders Windows XP

To view Hidden Files & Folders do the following:

Click Start

Open My Computer

Select the Tools menu and click Folder Options

Select the View Tab

Under the Hidden files and folders heading select Show hidden files and folders

Uncheck the Hide protected operating system files (recommended) option

Click Yes to confirm

Click OK

Navigate to the file - C:\Windows\System32\scecli.dll

Check the size of the file. (right click > properties)

If it's below 100KB in size, then it's a fake. So right click & select delete

Wait 5 seconds.

Then press F5 on the keyboard to refresh

See if a new scecli.dll is created.

If the new file's size is above 100KB, let me know & we'll continue.

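The Look.bat listing posted earlier and the size rule above (a system32\scecli.dll under 100KB is a fake) can be checked mechanically. As an added example, not from the thread, the Python script below parses DIR /a/s output and reports, per file name, every copy below the threshold and every copy whose size differs from the copy in the dllcache directory. The sample listing is a constructed excerpt of the one posted in the thread; `parse_dir_listing`, `audit_copies` and their defaults are the example's own assumptions.

```python
"""Compare the copies of a system DLL that DIR /a/s found and flag the odd one out.

Added example, not from the thread. It parses DIR output in the US date
format shown in the thread and applies the helper's rule that a copy of
scecli.dll below 100 KB is a fake. It also lists copies whose size differs
from the dllcache copy; pre-service-pack copies legitimately differ, so the
threshold, not the mismatch list, is the test the thread relies on.
SAMPLE_DIR is a constructed excerpt of the listing posted in the thread.
"""
import re
from collections import defaultdict

SAMPLE_DIR = r""" Volume in drive C has no label.
 Volume Serial Number is 18C9-AC45

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004  03:00 PM           180,224 scecli.dll
08/04/2004  03:00 PM           407,040 netlogon.dll
               2 File(s)        587,264 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008  08:12 PM           181,248 scecli.dll
04/13/2008  08:12 PM           407,040 netlogon.dll

 Directory of C:\WINDOWS\system32

04/13/2008  08:12 PM            60,928 scecli.dll
04/13/2008  08:12 PM           407,040 netlogon.dll

 Directory of C:\WINDOWS\system32\dllcache

04/13/2008  08:12 PM           181,248 scecli.dll
04/13/2008  08:12 PM           407,040 netlogon.dll

     Total Files Listed:
               8 File(s)      2,231,808 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
FILE_RE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
                     r"(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$")


def parse_dir_listing(text):
    """Return one dict per file line: directory, name, size in bytes, date."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("path")
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            entries.append({"dir": current, "name": m.group("name"),
                            "size": int(m.group("size").replace(",", "")),
                            "date": m.group("date")})
    return entries


def audit_copies(entries, reference_dir=r"C:\WINDOWS\system32\dllcache", min_size=100 * 1024):
    """Per file name: the copies below min_size and the copies differing from the reference copy."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"].lower()].append(e)
    report = {}
    for name, copies in by_name.items():
        ref = next((c["size"] for c in copies if c["dir"].lower() == reference_dir.lower()), None)
        report[name] = {
            "reference_size": ref,
            "below_threshold": [(c["dir"], c["size"]) for c in copies if c["size"] < min_size],
            "mismatch": [(c["dir"], c["size"]) for c in copies if ref is not None and c["size"] != ref],
        }
    return report


if __name__ == "__main__":
    for name, info in audit_copies(parse_dir_listing(SAMPLE_DIR)).items():
        print(name, "reference", info["reference_size"])
        for path, size in info["below_threshold"]:
            print("  SUSPECT (below threshold):", path, size)
        for path, size in info["mismatch"]:
            print("  differs from reference:", path, size)
```

On the listing posted in the thread this flags only the system32 copy of scecli.dll (60,928 bytes) as below the threshold, while the older $NtServicePackUninstall$ copy shows up only as a size mismatch.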

I did not see a prompt to "Merge" but I did get a prompt or "are you sure you want to . . . " and then a message that it was completed. So I rebooted.


That's fine.

Slight change in plan. Before looking for that file, try this:

Delete the copy of ComboFix you have & download it again from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

To make sure it's the correct copy, check to see if the file size is 3,123,864 bytes

If correct, double click to run it. If successful post the log.
