data execution prevention alert(s)



#1 korhinta (Member, 96 posts)
Hello everyone,

and thanks if you're taking the time to read this... I'll try to make it as short yet inclusive as possible.

I first got a "data execution prevention" message about 2 weeks ago, followed by a "Windows Explorer needs to close" message.

I freaked, closed everything, scanned everything with avast!, then I got it again about 3 days later.

On the recommendation of a friend, I got Malwarebytes, which found something called "morphine packer" or something.

I also contacted the support department at avast!, followed their instructions, and just as I was getting my peace of mind I got the same messages again 8 days later.

To save you a day-to-day description, I've done full scans with avast!, boot-time scans (again with avast!), full scans with Windows Defender (yes, both updated), and more recently I followed your Malware and Spyware Cleaning Guide, up to step 2.
The only thing that has come up was this "morphine packer", which I removed a while ago, and I still got a data execution prevention alert afterwards...

Any insights or advice would be welcome. The last alert I had was 7 days ago, but I'm still not sure my computer is clean.

Thanks in advance.

:)

PS. Screenshots, scan logs and other related material are available on request...

#2 korhinta (Topic Starter)
Update: just a while after posting the above, my computer froze again (as it did before I got the "data execution prevention" message), and I got a blue screen saying that "it needs to close to prevent damage to the computer" (I don't know how to screenshot this, so I took a photo...).

I did more scans that found nothing, except for a boot-time scan on my external HD, which didn't happen(?): I got "folders scanned: 1, files scanned: 0, will continue with boot".

I came back to your comprehensive guide today and continued from step 2 where I had stopped (I didn't redo steps 1-2).

Thanks in advance for any help. :)

Edited by korhinta, 07 June 2010 - 01:54 AM.


#3 korhinta (Topic Starter)
Second update: I noticed on my Task Manager that I'm using a full 100% CPU(!), so I checked processes and it was divided 50-50 between LSASS.EXE and WINLOGON.EXE (1% to SVCHOST.EXE). The computer was frozen for a good 10 minutes till I finally switched it off manually.

I don't know if it's related, but it had never happened before...

#4 korhinta (Topic Starter)
I'm counting the hours to post in the waiting room, but in the meantime...

It happened again last night... data execution prevention, Windows Explorer needs to close, Dr. Watson Postmortem Debugger needs to close, computer froze, etc.

Plus my antivirus (avast!) has been behaving strangely at times.

Thanks again for reading. :)

#5 RKinner (Malware Expert, MVP, 19,741 posts)
Please post your OTL logs. For future reference, never reply to your own initial post (use the Edit option to add or change). We look for posts with no replies, and when you reply your post drops out of the list. Posts which follow the rules and post MBAM, GMER, OTL and Extras logs usually will get serviced first.

Also do a disk check:
1. Double-click My Computer, and then right-click the hard disk that you want to check.
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, and then restart your computer to start the disk check.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron

Edited by RKinner, 03 June 2010 - 10:31 AM.

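The disk check and Event Viewer steps above, done from an elevated PowerShell prompt instead of the GUI and VEW.exe. This is an added example, not code from the thread or from the VEW tool; it assumes PowerShell 2.0 or later (Get-EventLog exists on XP SP3 and up), and the drive letter, event count and output folder are assumptions. It also records the DEP policy, since that is where the alerts in this thread come from.

```powershell
# Added example, not from the thread: the disk-check and Event Viewer steps of
# post #5 from an elevated PowerShell prompt instead of the GUI and VEW.exe.
# Assumes PowerShell 2.0 or later; the drive letter, event count and output
# folder below are assumptions.
param(
    [string]$Drive  = 'C:',
    [int]$Count     = 20,
    [string]$OutDir = "$env:USERPROFILE\Desktop"
)

# 0. Record the DEP policy. SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
#    2 = OptIn (XP default; still covers Windows' own binaries such as
#    explorer.exe), 3 = OptOut.
Get-WmiObject Win32_OperatingSystem |
    Select-Object DataExecutionPrevention_Available,
                  DataExecutionPrevention_SupportPolicy,
                  DataExecutionPrevention_32BitApplications,
                  DataExecutionPrevention_Drivers | Format-List

# 1. "Check Now" with both boxes ticked is chkdsk /F (fix file-system errors)
#    /R (scan for bad sectors and recover what is readable). The system volume
#    is in use, so chkdsk offers to run at the next reboot; the piped 'Y'
#    answers that prompt, like clicking Yes in the GUI.
'Y' | chkdsk $Drive /F /R

# 2. Newest $Count Error/Warning events from System and Application, saved as
#    text for the reply (the same data VEW.exe produces). Sources worth reading:
#    "Disk", "atapi" and "Ntfs" point at the drive; an "Application Error"
#    event 1000 names the faulting application and module behind a DEP closure.
foreach ($log in 'System', 'Application') {
    $events = Get-EventLog -LogName $log -EntryType Error, Warning -Newest $Count
    $events |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message |
        Format-List |
        Out-File -FilePath (Join-Path $OutDir "VEW-$log.txt") -Width 200
    # Which sources dominate? Repeated disk/atapi errors support a bad-drive theory.
    $events | Group-Object Source | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```

Run it as a saved .ps1 from an Administrator prompt and reboot afterwards so the scheduled chkdsk executes; the two VEW-*.txt files on the Desktop are what gets pasted into the reply.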

#6 korhinta (Topic Starter)
Thank you very much for your reply. I feared I was shooting myself in the foot by replying to the initial message, but thought you'd have some system to allocate threads per "helper". Anyway.

I do disk checks regularly; I have 64 KB in bad sectors, and the rest is normal (or so I'm told). Will do another once I finish this post. (Shall I do my external drive too, both internals, or just the system?)
And how do I post the results here?

Once again, thanks. :)

Edited by korhinta, 07 June 2010 - 01:56 AM.


#7 RKinner (Malware Expert, MVP)
I asked for the disk check because a bad disk can cause problems like you mention. I can see from OTL that you ran a disk check on 2010/05/31 00:09:14 and that some files or fragments were recovered: C:\FOUND.000. If you run another one and we don't get any more files then at least it is not getting worse.

I do see one suspicious file:

C:\WINDOWS\LOOP.exe

This is probably malware.

If you haven't enabled the viewing of System and Hidden files, do so now:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.

Now go to http://virustotal.com and Browse to

C:\WINDOWS\LOOP.exe

Then Submit the file. After a few minutes it should give you a report on the file. If it says something like 0/40 at the top then I don't need the report. If it doesn't say 0/40 then please copy and paste the report into a reply.

Download but do not yet run ComboFix.
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Rename this file (call it george.exe) to your Desktop from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time.

Apparently you have lost a critical file that is part of the system restore process.

Start, Run, sfc /scannow , OK

This will check your critical system files and restore them if possible. If it asks for a CD and you don't have one or it doesn't like your CD then just hit Skip.

Ron
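Before a suspect file goes to VirusTotal, a practitioner usually collects its hash, signature and version metadata first: the SHA-256 can be searched on VirusTotal without uploading anything, and the timestamps and attributes survive even if the file later disappears. The following is an added example, not code from the thread; the path is the one named in the post above, the report fields are my choice, and Get-FileHash needs PowerShell 4.0 or later, so a certutil fallback is used on older builds.

```powershell
# Added example, not from the thread: collect what VirusTotal cannot tell you
# about a suspect file before submitting it. The path is the one named in post
# #7; the report fields are my choice. Get-FileHash needs PowerShell 4.0+, so
# certutil is used as a fallback on older builds.
function Get-SuspectFileReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return "Not found: $Path (check that hidden and system files are shown)"
    }
    $file = Get-Item -LiteralPath $Path -Force    # -Force also returns hidden/system files

    # SHA-256 first: the hash can be looked up on VirusTotal without uploading
    # the file, and it pins down the exact copy if the file is later replaced.
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } else {
        # certutil prints the hash on its second output line (spaced on old builds)
        $sha256 = ((certutil -hashfile $Path SHA256)[1] -replace '\s', '')
    }

    # Authenticode and version resource: an unsigned executable with no company
    # or description sitting directly in C:\WINDOWS deserves more scrutiny.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $ver = $file.VersionInfo

    New-Object PSObject -Property @{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        Created         = $file.CreationTime
        LastWritten     = $file.LastWriteTime
        Attributes      = $file.Attributes
        SHA256          = $sha256
        SignatureStatus = $sig.Status
        Signer          = $signer
        Company         = $ver.CompanyName
        Description     = $ver.FileDescription
        VirusTotalUrl   = 'https://www.virustotal.com/gui/file/' + $sha256.ToLower()
    }
}

Get-SuspectFileReport -Path 'C:\WINDOWS\LOOP.exe' | Format-List
```

A 0/40 result only says that no engine flagged that exact copy at that time; the creation time relative to the first alert, the lack of a signature and the location are the context to weigh alongside it.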

#8 korhinta (Topic Starter)
The VirusTotal gave loop.exe 0/40 (I saved the report anyway)...

I downloaded ComboFix, disabled avast! (I did not disable Windows Defender or Malwarebytes, or "script blocking features"(?)), downloaded george.exe, closed everything and double-clicked it.
I got a "this machine does not have the Microsoft Windows Recovery Console", and a prompt to download it. I did.

It ran, took a lot less than the 10 minutes it threatened to, then rebooted my computer itself.

avast! reactivated itself after the reboot...

    Apparently you have lost a critical file that is part of the system restore process.

    Start, Run, sfc /scannow , OK

    This will check your critical system files and restore them if possible. If it asks for a CD and you don't have one or it doesn't like your CD then just hit Skip.

I don't know what relevance this has, but I disabled System Restore a couple of weeks ago, while following the instructions of the avast! support staff.

Will do Start > Run > etc. once I post this message...

Edited by korhinta, 07 June 2010 - 01:58 AM.


#9 RKinner (Malware Expert, MVP)
I thought Avast was smarter than that. Turning off System Restore is a dumb idea which I expect from Symantec and McAfee but not from Avast. Like removing your safety net because there might be something caught in it. Please turn it back on if you can, though the event log says a file is missing so it may not come back.

Combofix did not find much. It removed WinPcap. If that was something you use then you will have to reinstall it.

Get ShellExView from
http://www.nirsoft.n...xview_setup.exe

Install it and run it. The third or fourth column from the far right should say Microsoft. Click once or twice on the column header to sort things by No then Yes. Disable all of the items with No by highlighting them, then click on the red light under File.

Reboot, or use Task Manager to stop explorer.exe then restart it.

What this does is remove all non-Microsoft modules from Explorer.exe. The assumption is that one of them, though legitimate, is damaged or just poorly written and is causing the problem. If the problem doesn't come back then you go back in and enable about 1/2 of the things you disabled (highlight and hit the green light), then reboot or restart Explorer. If the problem comes back then it is in the group you just enabled, so you go back in and disable 1/2 of the ones you have just enabled. The idea is to isolate it down to a single program which you can then uninstall and maybe reinstall.

If you still want to look for malware, I have two online scans that are very good:
Use IE or Firefox and go to http://eset.com/onlinescan and click on ESET Online Scanner. Accept the terms, then press Start (if you get a warning from your browser, tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.

Also do the BitDefender scan:

http://www.bitdefend...nline/free.html

Ron
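The "disable everything non-Microsoft, then re-enable half at a time" procedure in the post above is a binary search over Explorer's in-process extensions, and it can be driven from the registry without ShellExView. Explorer honours the Shell Extensions\Blocked key, so writing a CLSID there has the same effect as ShellExView's red light. The script below is an added example, not code from the thread and not ShellExView's own code; it only enumerates the Approved list (ShellExView also walks the shellex keys), approximates the "Microsoft" column by the DLL's Authenticode signer, and assumes an elevated PowerShell 2.0 or later prompt. The two state-file paths are assumptions.

```powershell
# Added example, not from the thread and not ShellExView's code: the bisection
# procedure of post #9 driven from the registry. Explorer honours the Blocked
# key below; only the Approved list is enumerated here. Assumes an elevated
# PowerShell 2.0+ prompt; the state file paths are assumptions.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$blockedKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked'
$suspectFile = "$env:USERPROFILE\Desktop\shellext-suspects.txt"   # CLSIDs still blocked
$trialFile   = "$env:USERPROFILE\Desktop\shellext-trial.txt"      # half currently under test

function Get-NonMicrosoftShellExtensions {
    $key = Get-Item $approvedKey
    foreach ($clsid in $key.GetValueNames()) {
        $server = "HKCR:\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path $server)) { continue }
        $raw = (Get-ItemProperty $server).'(default)'
        if (-not $raw) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($raw)
        $signer = ''
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # ShellExView's "Microsoft: No" column, approximated by the signer;
        # unsigned DLLs count as non-Microsoft and are the more interesting ones.
        if ($signer -notmatch 'O=Microsoft Corporation') {
            New-Object PSObject -Property @{
                CLSID = $clsid; Name = $key.GetValue($clsid); Dll = $dll; Signer = $signer
            }
        }
    }
}

function Set-ShellExtensionBlocked {
    param([string[]]$Clsid, [switch]$Unblock)
    if (-not (Test-Path $blockedKey)) { New-Item -Path $blockedKey -Force | Out-Null }
    foreach ($c in $Clsid) {
        if ($Unblock) { Remove-ItemProperty -Path $blockedKey -Name $c -ErrorAction SilentlyContinue }
        else          { Set-ItemProperty    -Path $blockedKey -Name $c -Value 'bisect' }
    }
}

function Restart-Explorer {
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

# Round 0 (run once): block every candidate and record them all as suspects.
function Start-Bisect {
    $candidates = @(Get-NonMicrosoftShellExtensions)
    $ids = @($candidates | ForEach-Object { $_.CLSID })
    if ($ids.Count -eq 0) { 'No non-Microsoft shell extensions found.'; return }
    $candidates | Format-Table Name, Dll, Signer -AutoSize
    Set-ShellExtensionBlocked -Clsid $ids
    Set-Content -Path $suspectFile -Value $ids
    Restart-Explorer
    Step-Bisect
}

# Re-enable the first half of the suspects, then go and use Explorer for a while.
function Step-Bisect {
    $suspects = @(Get-Content $suspectFile)
    if ($suspects.Count -eq 0) { 'No suspect left: the crash is not one of the blocked extensions.'; return }
    if ($suspects.Count -eq 1) { "Culprit narrowed to $($suspects[0]); uninstall that program."; return }
    $half  = [int][math]::Ceiling($suspects.Count / 2)
    $trial = $suspects[0..($half - 1)]
    Set-ShellExtensionBlocked -Clsid $trial -Unblock
    Set-Content -Path $trialFile -Value $trial
    Restart-Explorer
    "Re-enabled $($trial.Count) of $($suspects.Count). Afterwards run Submit-BisectResult (or Submit-BisectResult -Crashed)."
}

# Feed the outcome back: a crash means the culprit is in the half just re-enabled.
function Submit-BisectResult {
    param([switch]$Crashed)
    $suspects = @(Get-Content $suspectFile)
    $trial    = @(Get-Content $trialFile)
    $rest     = @($suspects | Where-Object { $trial -notcontains $_ })
    if ($Crashed) {
        Set-ShellExtensionBlocked -Clsid $trial          # back under suspicion
        Set-ShellExtensionBlocked -Clsid $rest -Unblock  # exonerated, leave enabled
        Set-Content -Path $suspectFile -Value $trial
    } else {
        Set-Content -Path $suspectFile -Value $rest      # the trial half is innocent
    }
    Step-Bisect
}
```

Dot-source the file (`. .\shellext-bisect.ps1`), run `Start-Bisect`, and after each test period report with `Submit-BisectResult` or `Submit-BisectResult -Crashed`; the search needs about log2(n) rounds for n candidates. When finished, delete the 'bisect' values from the Blocked key so nothing stays disabled by accident. The same key also exists under HKCU, which is the place to use if the problem only affects one user account.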

#10 korhinta (Topic Starter)
I finished the scannow. Got prompted for a CD a few times, but cancelled > skipped (which slightly terrified me); I didn't get a log or report, it just finished.

//
Edit: I went to turn System Restore on, and the "disable" box was already unchecked... maybe from scannow?

No idea what WinPcap is, or how/where I might use it...

Going on with the ShellExView... done

Scanning with ESET

Edited by korhinta, 03 June 2010 - 02:23 PM.


#11 RKinner (Malware Expert, MVP)
WinPcap is a program used to look at network traffic. It is a freeware program used by intrusion detection software, by packet analysis software and unfortunately also by malware as a way of snooping on your network traffic and stealing passwords. Since you did not install it, you should do the two online scans. ESET may take several hours to complete.

Does System Restore appear to be working now? ComboFix likes to force it on if it can.

Unfortunately there is no log created in XP by SFC, so we don't know what it did or didn't do. You can also do Start, Run, sigverif, OK, then press Start. When it finishes look at the output. Does it find a lot of files it doesn't like or just a few? If only a few, what are they?

Ron
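Two checks that follow from the post above: whether anything of WinPcap is still on the machine after ComboFix removed it, and a signature sweep in the spirit of sigverif, narrowed to files recently written under System32, which is where a dropped packet-capture library or a corrupted system file would show up. This is an added example, not code from the thread. WinPcap's file and service names (wpcap.dll, Packet.dll, npf.sys, service NPF) are the ones the package installs; the report path and the 30-day window are assumptions.

```powershell
# Added example, not from the thread: WinPcap remnant check plus a sigverif-like
# sweep over recently written files in System32. The WinPcap names are those
# the package installs; the report path and the day window are assumptions.
function Test-WinPcapRemnants {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $items = @{
        "$sys32\wpcap.dll"       = Test-Path -LiteralPath "$sys32\wpcap.dll"
        "$sys32\Packet.dll"      = Test-Path -LiteralPath "$sys32\Packet.dll"
        "$sys32\drivers\npf.sys" = Test-Path -LiteralPath "$sys32\drivers\npf.sys"
        'service NPF'            = [bool](Get-Service -Name NPF -ErrorAction SilentlyContinue)
    }
    # A user-installed WinPcap leaves an Add/Remove Programs entry; a copy dropped
    # by malware normally does not, which is why "I never installed it" matters.
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $entry = Get-ChildItem $uninst | Where-Object {
        (Get-ItemProperty $_.PSPath).DisplayName -like 'WinPcap*'
    }
    $items['Add/Remove Programs entry'] = [bool]$entry
    $items.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
}

function Get-RecentUnsignedSystemFiles {
    param(
        [int]$Days = 30,
        [string]$Report = "$env:USERPROFILE\Desktop\unsigned-recent.txt"
    )
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $since = (Get-Date).AddDays(-$Days)
    $hits = Get-ChildItem -Path $sys32 -Recurse -Include *.exe, *.dll, *.sys -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Written = $_.LastWriteTime
                Status  = $sig.Status
                Signer  = $signer
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
    $hits | Sort-Object Written -Descending |
        Format-Table Written, Status, Path -AutoSize |
        Out-File -FilePath $Report -Width 250
    $hits
}

Test-WinPcapRemnants
$unsigned = @(Get-RecentUnsignedSystemFiles)
"$($unsigned.Count) recently written files without a valid signature; see the report on the Desktop."
```

One caveat on the sweep: many Windows binaries carry no embedded signature and are signed through catalog files instead, and older PowerShell builds report those as NotSigned. Treat a recently written file with no signature as a lead to hash and look up, not as sigverif's verdict.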

#12 korhinta (Topic Starter)
Not sure how I can tell if System Restore is working... the disabling removed all previous points and I haven't yet created a new one...

ESET is running, 17% after 17 mins.

Shall I wait for it to finish before I run sigverif?

Many many thanks again for all this... :)

//
Edit: my computer crashed (switched off by itself) while scanning (was at about 30%). :)
Did a check disk when I switched back on, found "one allocation unit not valid, entry truncated".

Started ESET scanning again, is at 9%, 4 mins in...

Edited by korhinta, 03 June 2010 - 03:10 PM.


#13 RKinner (Malware Expert, MVP)
Just do one thing at a time. If ESET crashes again then try BitDefender. Other than the WinPcap I'm not seeing anything obvious, so my gut feeling is that your hard drive is dying and you are losing pieces of files.

Ron
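The drive's own SMART data is the quickest evidence for or against the dying-disk theory in the post above: the firmware sets a failure-prediction flag, and a handful of attributes (reallocated, pending and uncorrectable sectors) say whether the bad-sector count is still growing. This is an added example, not code from the thread; it reads the MSStorageDriver_* WMI classes (root\wmi, available on XP and later for drives on the ATA path, but usually not for drives behind a USB bridge or RAID controller), and decodes the standard ATA SMART attribute layout: 12-byte records from offset 2 of the vendor block, with the attribute id in byte 0, the current and worst normalized values in bytes 3 and 4, and a little-endian raw value in bytes 5 to 10. The attribute ids listed are the common ones; which ones count as worrying is my choice.

```powershell
# Added example, not from the thread: read the drive's SMART verdict via WMI
# and decode the attributes that matter for a failing disk. Uses the standard
# ATA SMART record layout; the attribute id list is my choice. Drives behind a
# USB bridge or RAID controller generally do not expose these classes.
function Get-SmartSummary {
    $ids = @{ 5 = 'Reallocated sectors'; 187 = 'Reported uncorrectable'; 196 = 'Reallocation events'
              197 = 'Current pending sectors'; 198 = 'Offline uncorrectable'; 199 = 'UDMA CRC errors' }
    $status = Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue
    $data   = Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictData   -ErrorAction SilentlyContinue
    if (-not $status) { return 'SMART not exposed (USB bridge, RAID, or provider missing)' }
    foreach ($s in $status) {
        $d = $data | Where-Object { $_.InstanceName -eq $s.InstanceName }
        $rows = @()
        if ($d) {
            $v = $d.VendorSpecific               # 512-byte SMART data block
            for ($off = 2; $off + 12 -le $v.Length; $off += 12) {
                $id = [int]$v[$off]
                if ($id -eq 0 -or -not $ids.ContainsKey($id)) { continue }
                # raw value: little-endian in bytes 5..10 of the record
                $raw = 0
                for ($i = 5; $i -ge 0; $i--) { $raw = $raw * 256 + $v[$off + 5 + $i] }
                $rows += New-Object PSObject -Property @{
                    Id = $id; Attribute = $ids[$id]; Current = $v[$off + 3]; Worst = $v[$off + 4]; Raw = $raw
                }
            }
        }
        New-Object PSObject -Property @{
            Drive          = $s.InstanceName
            PredictFailure = $s.PredictFailure   # the firmware's own "replace me" flag
            Attributes     = $rows
        }
    }
}

$summary = Get-SmartSummary
if ($summary -is [string]) {
    $summary
} else {
    foreach ($drive in $summary) {
        "$($drive.Drive): PredictFailure = $($drive.PredictFailure)"
        # Non-zero raw values for 5, 197 or 198 that rise between runs mean the
        # 64 KB of bad sectors mentioned earlier in the thread is not stable.
        $drive.Attributes | Sort-Object Id | Format-Table Id, Attribute, Current, Worst, Raw -AutoSize
    }
}
```

Run it twice a few days apart and compare the raw values; a steady count is a drive that already remapped its damage, a climbing one is the "losing pieces of files" case and a reason to image the disk before doing anything else.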

#14 korhinta (Topic Starter)
The idea of a dying hard drive quite scares me. :)

ESET still running, 41% at 2:42 hours in...

I'll let it finish, run BitDefender and sigverif, then come back.

#15 korhinta (Topic Starter)
ESET scan result:

D:\software\audioextractor.exe probably a variant of Win32/Agent trojan deleted - quarantined

sigverif:

...has scanned and verified digital signature on all files.

BitDefender:

Firefox wouldn't allow it to run (I didn't even get a bar on top), so I copy/pasted the link into Internet Explorer, I allowed, installed ActiveX ...and 5 mins later it's still "installing components...qsax.ocx"

Edit:

Copy/pasted the BitDefender link into Google Chrome... no infections found (I saved the log anyway)

Edited by korhinta, 07 June 2010 - 02:02 AM.
