
Can't run any software



I am unable to run MBAM or any other software except for Avast, which does not find any virus. Symptoms are that MBAM says it's an error with its vboc6x file or something like that. Also networking has been disabled along with some registry edit privileges. Cannot run HijackThis or ComboFix. Please help.


Hi wsutiger, Welcome to Malwarebytes :(

Step #1

We need to check for rootkits with RootRepeal.

  1. Download RootRepeal from the following location and save it to your desktop.
    • Rar Mirrors - Only if you know what a RAR is and can extract it.
  2. Extract RootRepeal.exe from the archive.
  3. Open the RootRepeal icon on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok.
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Step #2

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will run a diagnostic and produce a report on the desktop. Post that report in your next reply.


OK, here are the log files. Not sure if I mentioned it, but copy and paste is disabled along with network usage.

RootRepeal:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/19 01:03

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF73AC000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7D9F000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF7A87000 Size: 49152 File Visible: No Signed: -

Status: -

==EOF==

Win32kDiag:

Searching 'C:\WINDOWS'...

Finished!


Forgot to run it out of Safe Mode.

Here is the RootRepeal file after a regular login:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/19 01:35

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA9CAE000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7DD5000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9606000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\sccfg.sys

Status: Invisible to the Windows API!

Path: CSSDT

-------------------

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7bdb36a

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7bdbcd8

#: 145 Function Name: NtQueryDirectoryFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7bdb842

#: 154 Function Name: NtQueryInformationProcess

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7bd81e0

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7bdc142

==EOF==


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots of the Firefox download dialog and the rename step were attached here)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Is there a way that I can scan the hard drive separately? In previous virus cases I was always most successful by removing the hard drive from the original machine and connecting it to a separate machine, then running the scan. If I do that, which locations should I focus on and what software should I be using?


Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy":
    Files to move:
    c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.


Couldn't get the software to run on the infected laptop, so I ended up removing the hard drive and hooking it up to another clean system. From there I ran RootRepeal and came up with the following:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/19 17:57

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\Combo-Fix\catchme.sys

Address: 0xBA380000 Size: 31744 File Visible: No Signed: -

Status: -

Name: Combo-Fix.sys

Image Path: Combo-Fix.sys

Address: 0xBA108000 Size: 60416 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB4D76000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA61C000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PROCEXP90.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

Address: 0xBA5B2000 Size: 6464 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB30DF000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: Volume E:\

Status: MBR Rootkit Detected!

Path: Volume E:\, Sector 1

Status: Sector mismatch

Path: Volume E:\, Sector 2

Status: Sector mismatch

Path: Volume E:\, Sector 3

Status: Sector mismatch

Path: Volume E:\, Sector 4

Status: Sector mismatch

Path: Volume E:\, Sector 5

Status: Sector mismatch

Path: Volume E:\, Sector 6

Status: Sector mismatch

Path: Volume E:\, Sector 7

Status: Sector mismatch

Path: Volume E:\, Sector 8

Status: Sector mismatch

Path: Volume E:\, Sector 9

Status: Sector mismatch

Path: Volume E:\, Sector 10

Status: Sector mismatch

Path: Volume E:\, Sector 11

Status: Sector mismatch

Path: Volume E:\, Sector 12

Status: Sector mismatch

Path: Volume E:\, Sector 13

Status: Sector mismatch

Path: Volume E:\, Sector 14

Status: Sector mismatch

Path: Volume E:\, Sector 15

Status: Sector mismatch

Path: Volume E:\, Sector 16

Status: Sector mismatch

Path: Volume E:\, Sector 17

Status: Sector mismatch

Path: Volume E:\, Sector 18

Status: Sector mismatch

Path: Volume E:\, Sector 19

Status: Sector mismatch

Path: Volume E:\, Sector 20

Status: Sector mismatch

Path: Volume E:\, Sector 21

Status: Sector mismatch

Path: Volume E:\, Sector 22

Status: Sector mismatch

Path: Volume E:\, Sector 23

Status: Sector mismatch

Path: Volume E:\, Sector 24

Status: Sector mismatch

Path: Volume E:\, Sector 25

Status: Sector mismatch

Path: Volume E:\, Sector 26

Status: Sector mismatch

Path: Volume E:\, Sector 27

Status: Sector mismatch

Path: Volume E:\, Sector 28

Status: Sector mismatch

Path: Volume E:\, Sector 29

Status: Sector mismatch

Path: Volume E:\, Sector 30

Status: Sector mismatch

Path: Volume E:\, Sector 31

Status: Sector mismatch

Path: Volume E:\, Sector 32

Status: Sector mismatch

Path: Volume E:\, Sector 33

Status: Sector mismatch

Path: Volume E:\, Sector 34

Status: Sector mismatch

Path: Volume E:\, Sector 35

Status: Sector mismatch

Path: Volume E:\, Sector 36

Status: Sector mismatch

Path: Volume E:\, Sector 37

Status: Sector mismatch

Path: Volume E:\, Sector 38

Status: Sector mismatch

Path: Volume E:\, Sector 39

Status: Sector mismatch

Path: Volume E:\, Sector 40

Status: Sector mismatch

Path: Volume E:\, Sector 41

Status: Sector mismatch

Path: Volume E:\, Sector 42

Status: Sector mismatch

Path: Volume E:\, Sector 43

Status: Sector mismatch

Path: Volume E:\, Sector 44

Status: Sector mismatch

Path: Volume E:\, Sector 45

Status: Sector mismatch

Path: Volume E:\, Sector 46

Status: Sector mismatch

Path: Volume E:\, Sector 47

Status: Sector mismatch

Path: Volume E:\, Sector 48

Status: Sector mismatch

Path: Volume E:\, Sector 49

Status: Sector mismatch

Path: Volume E:\, Sector 50

Status: Sector mismatch

Path: Volume E:\, Sector 51

Status: Sector mismatch

Path: Volume E:\, Sector 52

Status: Sector mismatch

Path: Volume E:\, Sector 53

Status: Sector mismatch

Path: Volume E:\, Sector 54

Status: Sector mismatch

Path: Volume E:\, Sector 55

Status: Sector mismatch

Path: Volume E:\, Sector 56

Status: Sector mismatch

Path: Volume E:\, Sector 57

Status: Sector mismatch

Path: Volume E:\, Sector 58

Status: Sector mismatch

Path: Volume E:\, Sector 59

Status: Sector mismatch

Path: Volume E:\, Sector 60

Status: Sector mismatch

Path: Volume E:\, Sector 61

Status: Sector mismatch

Path: Volume E:\, Sector 62

Status: Sector mismatch

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f6b8

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xba3b436a

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f574

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551fa52

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f14c

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xba3b4cd8

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f64e

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f08c

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f0f0

#: 145 Function Name: NtQueryDirectoryFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xba3b4842

#: 154 Function Name: NtQueryInformationProcess

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xba3b11e0

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f76e

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f72e

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xba3b5142

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f8ae

==EOF==

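As an added example (written for this editorial pass, not code from the thread or from RootRepeal's author), the following parses the report format posted above, as seen in the SSDT sections of both RootRepeal logs in this thread: it collects which driver hooks which native function, whether the MBR check fired, and flags hooks from any driver not on a verified list. The allowlist entry for aswSP.SYS, the set of file-hiding functions and the trimmed sample report are assumptions constructed for the demonstration.

```python
import re
# Constructed excerpt in the RootRepeal report layout quoted in this thread (entries taken from the posted logs).
SAMPLE_REPORT = r"""
Hidden/Locked Files
Path: Volume E:\
Status: MBR Rootkit Detected!
Path: Volume E:\, Sector 1
Status: Sector mismatch
SSDT
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb551f6b8
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xba3b436a
#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xba3b4842
==EOF==
"""
FUNC_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s+(\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# Drivers the analyst has verified as belonging to an installed security product (assumption).
KNOWN_GOOD = {r"c:\windows\system32\drivers\aswsp.sys"}
# A driver hooking these can hide files from every user-mode scanner.
FILE_HIDING = {"NtCreateFile", "NtOpenFile", "NtQueryDirectoryFile", "NtSetInformationFile"}

def parse_rootrepeal(text):
    """Return ({driver: [hooked functions]}, mbr_flagged, mismatched_sector_count)."""
    hooks, mbr, mismatches, pending = {}, False, 0, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Path:"):
            pending = ("path", line[5:].strip())
        elif m := FUNC_RE.match(line):
            pending = ("func", m.group(1))
        elif line.startswith("Status:") and pending:  # Status: describes the line before it
            kind, status = pending[0], line[7:].strip()
            if kind == "func" and (h := HOOK_RE.search(status)):
                hooks.setdefault(h.group(1).lower(), []).append(pending[1])
            elif status.startswith("MBR Rootkit"):
                mbr = True
            elif status == "Sector mismatch":
                mismatches += 1
            pending = None
    return hooks, mbr, mismatches

def triage(text):
    hooks, mbr, mismatches = parse_rootrepeal(text)
    findings = []
    if mbr:
        findings.append(f"MBR rootkit flagged ({mismatches} sector mismatch entries)")
    for driver, funcs in hooks.items():
        if driver not in KNOWN_GOOD:  # hooks from a verified AV driver are expected
            hiding = sorted(set(funcs) & FILE_HIDING)
            findings.append(f"unverified driver {driver} hooks {len(funcs)} SSDT entries"
                            + (f", incl. file-hiding {hiding}" if hiding else ""))
    return findings
```

Requires Python 3.8 or later for the assignment expressions; call triage() on SAMPLE_REPORT or on the contents of a saved RootRepeal.txt.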

Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy":
    Files to move:
    c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.


Ran Avenger and got the following:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "c:\scecli.dll" not found!

File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

MBAM and ComboFix still do not work.



wsutiger,

SpySentinel will be away for a bit and I will be taking over for him.

At this time, disconnect from the Internet and get required downloads from a known clean computer.

Do you have your Windows XP CD?

If so, insert it in the CD drive, boot from the CD, and when the menu appears, press R to access the Recovery Console.

Once there, enter these commands one at a time.

COPY C:\WINDOWS\ServicePackFiles\i386\scecli.dll C:\scecli.dll

(Press Enter)

exit

Restart your computer back in Normal Mode and try the Avenger2 script again.

After that, try running MBAM and ComboFix.

-screen317


2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
