
Malware shuts down programs


cjc

Recommended Posts

Hi

My computer seems to have got some malware.

The system shuts down programs.

Recently the system shut down (when running GMER) because Remote Procedure Call (RPC) was ended;

the next time services.exe was ended and the system shut down.

mbam shuts down after 10 seconds.

HJT will not install.

Tried to install AVG, which found many files with Trojan horse Injector.GT (see attached Fel)

Please help... have a lot to do on my computer

THANKS Carl

DDS.txt

Attach.txt

ark.txt

Fel.pdf


Hello,

And ;) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the otlDesktopIcon.png icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning, it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Hi, no need for GMER, RKU is also a rootkit scanner. ;)

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi again

Have run ComboFix and the log is attached. Hope you understand Swedish!

When I started Windows (at least before running ComboFix) I got a message box twice: This program was stopped to protect your computer, Generic Host Process for Win32 Services.

The first time I ran ComboFix after rebooting (it detected rootkit activity and had to reboot), while searching, the machine suddenly rebooted.

The second time I ran ComboFix it rebooted, searched to the end and produced a log.

After that I restarted the computer and reinstalled Malwarebytes with update and ran it. But it stopped after 10 sec. No change in the other problems.

Best regards

Carl

combofixlog.txt


Hi, no problem it is Swedish, I know what is supposed to be there. :)

DR. WEB CUREIT

----------------------

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.

alternate download link

Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:

  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click No to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure. Do NOT move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


Hi

When running Dr.Web CureIt it finds no infected object in memory. I do not get an option to make a complete scan?

Did manage to run Malwarebytes when I started it very early while the computer was starting up. Log attached.

(I installed rkill before and ran that also, and tried to empty everything by running TEMP and %TEMP% too)

But still Malwarebytes shuts down both in safe mode and normal mode.

Regards Carl

mbam_log_2010_09_14__14_55_02_.txt


Hello again,

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\00001439.nmc\nse\bin\nsak.sys -- (nsak)

    :commands
    [emptytemp]


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.

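The OTL fix above targets a driver entry whose file is missing and whose path sits under a Temp directory. As an added example (not part of the thread or of OTL itself), this script parses "DRV -" lines in the format shown above and attaches the triage findings a helper looks for; the sample lines other than the nsak one are constructed, and the finding wording is my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample OTL log lines. The first is the nsak line quoted in the OTL fix above;
# the other two are made-up lines in the same format for a normal driver and a stale one.
SAMPLE_OTL_LINES = [
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\00001439.nmc\nse\bin\nsak.sys -- (nsak)",
    r"DRV - [2004/08/04 06:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\oldscan.sys -- (oldscan)",
]

# The trailing "[type | start | state]" group of the line head (the date/size group has four fields, so it never matches here).
_ATTR_RE = re.compile(r"\[([^\]|]+)\|([^\]|]+)\|([^\]|]+)\]\s*$")


@dataclass
class DriverEntry:
    name: str
    path: str
    start: str
    state: str
    file_missing: bool
    findings: list = field(default_factory=list)


def parse_drv_line(line: str) -> DriverEntry:
    """Split one 'DRV - ...' line into its fields; raise ValueError if it is not one."""
    if not line.startswith("DRV - "):
        raise ValueError("not a DRV line")
    head, path, name = line.rsplit(" -- ", 2)          # "... -- <path> -- (<service name>)"
    m = _ATTR_RE.search(head)
    if not m:
        raise ValueError("no [type | start | state] group")
    return DriverEntry(name=name.strip("()"), path=path, start=m.group(2).strip(),
                       state=m.group(3).strip(), file_missing="File not found" in head)


def triage(entry: DriverEntry) -> DriverEntry:
    """Attach the observations a reviewer would make about this driver registration."""
    parts = [p.lower() for p in entry.path.split("\\")]
    if entry.file_missing:
        entry.findings.append("registered driver file is missing")        # orphaned service entry
    if "temp" in parts or "tmp" in parts:
        entry.findings.append("driver path is under a Temp directory")    # drivers never belong there
    if not entry.path.lower().startswith("c:\\windows\\"):
        entry.findings.append("driver path is outside the Windows directory")
    return entry


def triage_log(lines) -> dict:
    """Map each driver's service name to its findings; an empty list means nothing stood out."""
    return {e.name: e.findings for e in (triage(parse_drv_line(l)) for l in lines if l.startswith("DRV - "))}
```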

Hi, we're not desperate yet. :) So, unless you prefer to reinstall, let's see if we can do some more digging/fixing.

Let's first run a disk check and if that doesn't change anything, let's verify some of your Windows files.

Click Start > Run, type chkdsk /r and press enter. Type Y to schedule the scan for next reboot. Now restart your computer and let the disk check run unhindered. Note - this may take a while.

When done, see if things have improved and post back with the issues that you are still having.


Hi again

I have the same problem as I had from the beginning.

The problem that I have seems to be the same as http://www.bleepingcomputer.com/forums/topic304172.html

That person finally reinstalled Windows.

However, that person had not been able to remove an antivirus completely. He had both AVG and Avira installed but uninstalled one before installing the other.

I had Norman installed, uninstalled it and installed AVG, which found a lot of Trojan horse Injector.GT. I uninstalled AVG and installed Norman again, which did not find any problems. Could I have both antivirus enabled??

Carl


Hi

Ran sfc /purgecache. It closes the cmd window and nothing happens.

When searching for the smss.exe files I got

C:\i386\SYSTEM32\SMSS.EXE 273 KB

C:\WINDOWS\system32\smss.exe 50 KB

C:\WINDOWS\ServicePackFiles\i386\smss.exe 50 KB

It seems that it is the SMSS.EXE 273KB that the system uses. Could that be the virus file?

Regards

Carl


It seems that it is the SMSS.EXE 273KB that the system uses. Could that be the virus file?
What makes you think your system is using that copy? Usually Windows will use the copy in c:\windows\system32.

What does the c:\i386 folder contain? Did you put it there deliberately or are you not aware what put it there?

Please upload the copy in c:\i386\system32 to www.virustotal.com and post me the complete results.


Hi

When pressing Ctrl Alt Del and looking at the processes that are running, smss.exe uses 428 kB. However, I see now that the size is not the same as in i386\system32. I just read about a possible virus in smss.exe.

Files in this directory:

NTDLL.DLL 696 kb

SMSS.EXE 473 kb

Regards from desperate Carl


Hi Elise

This is the report from SMSS.EXE. No luck there.

SMSS.EXE

Submission date: 2010-09-17 19:31:14 (UTC)


Result: 0/ 43 (0.0%)



File size : 483840 bytes

First seen: 2009-08-04 08:43:52

Last seen : 2010-09-17 19:31:14

TrID:

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. Med ensamratt.

product......: Operativsystemet Microsoft_ Windows_

description..: Installationsprogram for Windows 2000 (teckenbaserade delen, anvandarlagesfasen)

original name: USETUP.EXE

internal name: USETUP.EXE

file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x193F

timedatestamp....: 0x41107C83 (Wed Aug 04 06:04:51 2004)

machinetype......: 0x14c (I386)


Regards

Carl

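The report above already answers Carl's question if its fields are read together: the version resource names the file USETUP.EXE (the text-mode setup program that ships in the i386 install source), it is not in \Windows\system32, and it has no detections. As an added example (not from the thread or VirusTotal), this script parses the "key....: value" lines as pasted and turns them into those observations; the sample input repeats only the fields the check uses, and the triage wording is my own.

```python
import re
from pathlib import PureWindowsPath

# Taken from the VirusTotal report pasted above (only the fields this check uses),
# embedded here so the script runs offline.
SAMPLE_REPORT = """\
Result: 0/ 43 (0.0%)
File size : 483840 bytes
publisher....: Microsoft Corporation
original name: USETUP.EXE
internal name: USETUP.EXE
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
verified.....: Unsigned
"""

_KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*\s*:\s*(.*)$")  # "name....: value" / "Name : value"


def parse_report(text: str) -> dict:
    """Turn the padded 'key....: value' lines into a dict keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        m = _KV_RE.match(line.strip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def detection_ratio(fields: dict) -> tuple:
    """(hits, engines) from a 'Result: 0/ 43 (0.0%)' line; (0, 0) if absent."""
    m = re.search(r"(\d+)\s*/\s*(\d+)", fields.get("result", ""))
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def triage_system_binary(on_disk_path: str, fields: dict) -> list:
    """Observations for a file found at on_disk_path, given the parsed report fields."""
    p = PureWindowsPath(on_disk_path)
    notes = []
    orig = fields.get("original name", "").lower()
    if orig and orig != p.name.lower():
        notes.append(f"version resource says this is {orig}, stored on disk as {p.name.lower()}")
    parts = [s.lower() for s in p.parts]
    if "windows" not in parts or "system32" not in parts:
        notes.append("outside \\Windows\\system32, so not the copy the running system loads")
    hits, total = detection_ratio(fields)
    if total and hits == 0:
        notes.append(f"no detections ({hits}/{total})")
    if fields.get("verified", "").lower() == "unsigned":
        # XP-era system files carry no embedded Authenticode signature; they are signed
        # through catalog files, so 'Unsigned' here is not by itself evidence of tampering.
        notes.append("no embedded signature (normal for catalog-signed XP system files)")
    return notes
```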

Please click Start > Run, type cmd and press enter.

In the command window type sfc /purgecache and press enter. Let me know what returns.

If you did this, you should have been in the command window and something should have been displayed after you entered the command. Did it just return to the prompt?

In that case, at the command prompt type sfc /scannow and let me know what happens.


This topic is now closed to further replies.