cant cut and paste, cant change services



#16 brute force (Member, Topic Starter, 105 posts)
cant do this because i cant copy/paste

#17 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Are you able to boot into the recovery console?
If you do then do the following.
If you are not familiar with the Recovery Console then I will briefly explain it.
It is an option that you normally see when you turn on your computer.
It will say your operating system name then underneath it will say the Recovery Console.

When you see the Recovery Console option use your arrow button to select it then hit enter.
You do not have to hit any buttons until it prompts you.
=========================================
After you start the Windows Recovery Console, you receive the following message:
Microsoft Windows® Recovery Console

The Recovery Console provides system repair and recovery functionality.
Type EXIT to exit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
Choose the number that says C:\Windows then hit Enter.
After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.
If you do not have one then hit enter again. (By Default the password is blank)
If you use a password then type it in and hit Enter again.
Then it will bring you to this prompt C:\WINDOWS
When you are at that part then carefully type in this exactly:
copy "C:\Windows\ServicePackFiles\i386\svchost.exe" "C:\WINDOWS\system32\svchost.exe" then hit Enter. (quote marks included and make sure that there is a space between the ends of the file paths)
If done correctly you should see a 1 file(s) copied message then the prompt that you began with.
After that you can type in Exit then hit Enter to restart your computer.
================================================
Log back in then do the following:

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\mllmj.dll
    C:\Documents and Settings\All Users\Application Data\xajwnyju.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========
After that I would like for you to go to Start > Run then type in this > Services.msc then hit ok.
It will open up the services window.
Then scroll down until you see the Cryptographic Service and double click it.
Then in the next window make sure it is started.
If it is not then press the Start button.
Also make sure it is set to Automatic instead of manual or disabled.
You can do so by clicking the drop-down menu that is present there to the side where it tells you what its startup type is.
=============================================
After all of that let me know how things are running and post the OTMoveIt log, and a new HijackThis log.

#18 brute force (Member, Topic Starter, 105 posts)
there is no servicepackfiles folder

#19 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Directory"
    • Enter Drive eg.. C:\
  • In the box labeled "File"
    • Enter this file name svchost.exe to search for the file(s)
  • Now click on the "Search" button
  • Once the utility has found the files click on "Export"
  • A Notepad will open up. Please type the entire contents of the Notepad and post them here.
  • NOTE: The notepad is saved on your C:\ drive as "Export.txt"


#20 brute force (Member, Topic Starter, 105 posts)
here you go

C:\i386\svchost.exe - 14336 Bytes
C:\WINDOWS\system32\svchost.exe - 19249 Bytes

#21 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Are you able to boot into the recovery console?
If you do then do the following.
If you are not familiar with the Recovery Console then I will briefly explain it.
It is an option that you normally see when you turn on your computer.
It will say your operating system name then underneath it will say the Recovery Console.

When you see the Recovery Console option use your arrow button to select it then hit enter.
You do not have to hit any buttons until it prompts you.
=========================================
After you start the Windows Recovery Console, you receive the following message:
Microsoft Windows® Recovery Console

The Recovery Console provides system repair and recovery functionality.
Type EXIT to exit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
Choose the number that says C:\Windows then hit Enter.
After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.
If you do not have one then hit enter again. (By Default the password is blank)
If you use a password then type it in and hit Enter again.
Then it will bring you to this prompt C:\WINDOWS
When you are at that part then carefully type in this exactly:
copy "C:\i386\svchost.exe" "C:\WINDOWS\system32\svchost.exe" then hit Enter. (quote marks included and make sure that there is a space between the ends of the file paths)
If done correctly you should see a 1 file(s) copied message then the prompt that you began with.
After that you can type in Exit then hit Enter to restart your computer.
================================================
Log back into normal mode then do the following:

I would like for you to go to Start > Run then type in this > Services.msc then hit ok.
It will open up the services window.
Then scroll down until you see the Cryptographic Service and double click it.
Then in the next window make sure it is started.
If it is not then press the Start button.
Also make sure it is set to Automatic instead of manual or disabled.
You can do so by clicking the drop-down menu that is present there to the side where it tells you what its startup type is.
===========================================
Then:
Please submit the following file to one of these online file scanners.
(All you have to do is choose the browse button and browse to the C:\Windows\system32 folder then navigate to this file svchost.exe and choose open)

C:\WINDOWS\system32\svchost.exe

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#22 brute force (Member, Topic Starter, 105 posts)
svchost.exe: i get access denied when trying to copy

#23 brute force (Member, Topic Starter, 105 posts)
was able to copy svchost.

there is no cryptographic service listed. note that in my original post, i said i could not change any service via properties or doubleclicking

#24 brute force (Member, Topic Starter, 105 posts)
here is the virus total report

Antivirus Version Last Update Result
AhnLab-V3 2008.7.9.0 2008.07.08 -
AntiVir 7.8.0.64 2008.07.08 -
Authentium 5.1.0.4 2008.07.08 -
Avast 4.8.1195.0 2008.07.08 -
AVG 7.5.0.516 2008.07.08 -
BitDefender 7.2 2008.07.08 -
CAT-QuickHeal 9.50 2008.07.08 -
ClamAV 0.93.1 2008.07.09 -
DrWeb 4.44.0.09170 2008.07.08 -
eSafe 7.0.17.0 2008.07.08 -
eTrust-Vet 31.6.5937 2008.07.08 -
Ewido 4.0 2008.07.08 -
F-Prot 4.4.4.56 2008.07.08 -
F-Secure 7.60.13501.0 2008.07.08 -
Fortinet 3.14.0.0 2008.07.08 -
GData 2.0.7306.1023 2008.07.08 -
Ikarus T3.1.1.26.0 2008.07.09 -
Kaspersky 7.0.0.125 2008.07.09 -
McAfee 5334 2008.07.08 -
Microsoft 1.3704 2008.07.09 -
NOD32v2 3252 2008.07.08 -
Norman 5.80.02 2008.07.08 -
Panda 9.0.0.4 2008.07.08 -
Prevx1 V2 2008.07.09 -
Rising 20.52.12.00 2008.07.08 -
Sophos 4.31.0 2008.07.08 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.09 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.08 -
VBA32 3.12.6.8 2008.07.08 -
VirusBuster 4.5.11.0 2008.07.08 -
Webwasher-Gateway 6.6.2 2008.07.08 -
Additional information
File size: 14336 bytes
MD5...: 8f078ae4ed187aaabc0a305146de6716
SHA1..: da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
SHA512: 2f82c39b6c151d52cba42357e867910732a930a6055f6a1506d20c1044e88e6f
2cc2027a291c2ab98e21c2b35c2a957c3f5034bf975527001d927c5504776105
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002509
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )
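The FileFind export in post #20 and the VirusTotal report in post #24 together give the defender's check that this thread is doing by hand: list every svchost.exe on the disk, compare the live copy under system32 against the install-media copy, and hash both. The script below is an added illustration and is not a tool from the thread or from the helper; the FileFind line format and the MD5 value are taken from the posts above, while the file contents written by demo() are constructed (so the constructed reference copy will not match the page's known-good MD5). It parses an Export.txt, flags copies whose size differs from the reference copy, and compares the two files by digest.

```python
import hashlib
import os
import re
import tempfile

# Known-good MD5 of the 14336-byte svchost.exe from the VirusTotal report
# in post #24 (value taken from the page).
KNOWN_GOOD_MD5 = "8f078ae4ed187aaabc0a305146de6716"

# One line of FileFind's Export.txt, e.g. "C:\i386\svchost.exe - 14336 Bytes"
FILEFIND_LINE = re.compile(r"^(?P<path>.+?) - (?P<size>\d+) Bytes\s*$")


def parse_filefind_export(text):
    """Parse FileFind export lines into a list of (path, size_in_bytes)."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size"))))
    return entries


def size_mismatches(entries, reference_path):
    """Return paths whose size differs from the copy at reference_path.
    Paths are compared case-insensitively, as Windows does."""
    ref = reference_path.lower()
    ref_sizes = [size for path, size in entries if path.lower() == ref]
    if not ref_sizes:
        raise ValueError("reference copy not present in export: %s" % reference_path)
    return [path for path, size in entries if size != ref_sizes[0]]


def file_digests(path):
    """MD5 / SHA-1 / SHA-256 of a file, read in chunks so large files are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def compare_copies(reference_path, candidate_path):
    """Compare an install-media copy (reference) against the live copy (candidate)."""
    ref, cand = file_digests(reference_path), file_digests(candidate_path)
    return {
        "identical": ref["sha256"] == cand["sha256"],
        "reference_matches_known_good": ref["md5"] == KNOWN_GOOD_MD5,
        "reference_size": os.path.getsize(reference_path),
        "candidate_size": os.path.getsize(candidate_path),
    }


def demo():
    """Constructed demonstration: the two export lines from post #20, plus two
    fake svchost.exe files of the same sizes (14336 vs 19249 bytes) in a temp
    directory. The bytes are made up, so the reference will not match
    KNOWN_GOOD_MD5 here; on a real machine point compare_copies() at the
    actual C:\\i386 and C:\\WINDOWS\\system32 paths."""
    export = (
        "C:\\i386\\svchost.exe - 14336 Bytes\n"
        "C:\\WINDOWS\\system32\\svchost.exe - 19249 Bytes\n"
    )
    entries = parse_filefind_export(export)
    flagged = size_mismatches(entries, "C:\\i386\\svchost.exe")

    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "i386_svchost.exe")
        cand = os.path.join(tmp, "system32_svchost.exe")
        clean = b"MZ" + b"\x00" * (14336 - 2)          # constructed stand-in for the clean file
        with open(ref, "wb") as fh:
            fh.write(clean)
        with open(cand, "wb") as fh:
            fh.write(clean + b"X" * (19249 - 14336))   # constructed stand-in for the larger live copy
        result = compare_copies(ref, cand)
    result["flagged_by_size"] = flagged
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A size difference alone is only a lead: service packs and hotfixes legitimately change svchost.exe, which is why the comparison should be made against the copy that matches the installed service pack level, and why the digests (not just the size) are what get submitted to the online scanners the helper lists in post #21.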

#25 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
I was aware that you couldn't change the services I was just checking to see if you could after overwriting the patched malware file.


Please download and run this tool and see if you can post the log it produces.
http://download.blee...CF-querySvc.exe
If you are able to, post it; if not, then you can upload the file here so I can see it.
To upload it do the following:
In your next reply click on the Browse button and then go to the file that you saved.
Then click on Upload.
Then click the dropdown that says Manage current attachments.
Then insert image into text editor.

#26 brute force (Member, Topic Starter, 105 posts)
here you go

Attached File: sUBs.txt (1.23KB, 64 downloads)

#27 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download the attached file and run it on the infected computer.
Just double click it after you extract it.
==========================


After that run the CF-querySvc program again and upload the results here please.

#28 brute force (Member, Topic Starter, 105 posts)
fix.bat ran and closed quickly so i assume there is no report from that

Attached File: sUBs.txt (1.23KB, 95 downloads)

#29 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
It appears that nothing has changed.
Do you have the XP CD used to install Windows on your computer?

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\mllmj.dll
    C:\Documents and Settings\All Users\Application Data\xajwnyju.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=============
Please post that log and let me know about the cd option.

#30 brute force (Member, Topic Starter, 105 posts)
ok. i will do this tomorrow morning. why do i need the cd? i have it but i don't want to install again and lose everything





