NT Authority shutting me down

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ramshead, Jan 10, 2005.

  1. ramshead

    ramshead Private E-2

    Hi. Yet another about:blank problem. :mad:

    I've done everything in that 'do me first' sticky, then I tried to do everything in the 'when all else fails' sticky. When I ran HiJackThis (step 9) I get a "full or write protected.." message on one of the items I try to fix...and the BHO and the others show right back up. So I continue on. I tried to delete the .dll's when I get to step 10a, and I get that "full or write protected or in use" message. But NT Authority keeps shutting me down when I try to end the .dll processes in Process Explorer.

    Also, in an earlier step where I have to open the .dll in notepad, and then delete everything and save, I get this message that it can't save and to "make sure the path and filename are correct".

    I can't run about:buster because I get shut down.

    What next :rolleyes:

    Anything I'm forgetting?
     
  2. ramshead

    ramshead Private E-2

    Yes I am forgetting something...and of course I realize this after the 5 min edit time limit. I looked up the NT Authority thing through the forums...and I would like to mention that the only time I have this problem is when I try to kill those bad processes so that I can delete those bad .dll's. I tried to download the W32.Blaster.Worm Removal Tool and that doesn't work. I keep getting this site that I know is baaaad instead of the majorgeeks download (unless, of course, you are offering this "great spank-me-daddy porn" LOL). :rolleyes:
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you have all of your Windows Updates?

    If you have run ALL the steps in the READ ME FIRST, make sure you follow the guidelines below and post your HJT log.


    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. ramshead

    ramshead Private E-2

    Okay, here you go :) I have all the Windows updates except for the SP2. Every time I tried to download it, it would stop once it was downloaded, but would not install (tried 3 times about a month ago). It would sit there, even overnight :(
    As for the log, I have tried to delete these below (via the format used in "When all else fails"). Hijack won't let me fix the 04. The 04 along with a bunch of dll's in the system32 folder (all Melcosoft) are the problems I get when trying to run Process explorer. I would try to kill them, but I would get that damn message (read first post).

    Another thing, there is one .dll in the system32 folder that is too long for me to open in notepad via run. There are 54 '.dll' in the name. So I tried to open it through right-click, open with. But I still couldn't save it (and the others). I think I mentioned this in the first post too.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Please download this tool: Pocket KillBox. Do not run it yet.

    Please print out these instructions or save them locally so that you can operate with All Browser Windows CLOSED.

    Okay exit ALL browsers (including the one you are reading in now) before continuing.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please run HijackThis and Check the Boxes for the Following:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
    O4 - Global Startup: winlogin.exe
    O20 - AppInit_DLLs: 3dfgrpcthe2j27ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

    Exit HJT.

    Run Pocket Killbox and select the Delete on Reboot option. Then, Copy and Paste the following into the Box: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    Then, Click Delete (red X) and then click NO when asked if you wish to reboot.

    Now make sure the Delete on Reboot option is still chosen and then, Copy and Paste the following into the Box: C:\WINDOWS\System32\3dfgrpcthe2j27ll.dll

    Then, Click Delete (red X) and then click YES when asked if you wish to reboot and OK your way out and allow it to reboot.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) use Windows Explorer and navigate to and DELETE the following if they somehow should remain:

    C:\WINDOWS\System32\W8C6S4~1.DLL
    C:\WINDOWS\System32\3dfgrpcthe2j27ll.dll

    Now run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and Rescan and Attach a fresh HJT. How are things running? Let me know of any problems that you may have encountered with the above instructions.
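
Added example, not part of the thread and not written by any poster: a small triage pass over HijackThis log lines of the kinds checked in the post above (R0/R1, O2, O4, O20). The host allowlist, the list of system process names, the 0.9 similarity threshold and the benign sample lines are assumptions made for this sketch.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumptions for this example (not from the thread): hosts treated as expected
# for IE start/search pages, and system process names to compare startup items to.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")
SYSTEM_NAMES = ("winlogon.exe", "svchost.exe", "explorer.exe", "services.exe")
LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def triage(line):
    """Return (section, reason) for a HijackThis line worth a closer look, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1"):  # IE start/search page values: "key,value = URL"
        host = (urlparse(body.rpartition(" = ")[2]).hostname or "").lower()
        if host and not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
            return code, f"IE page points at unexpected host {host}"
    elif code == "O2" and "(no name)" in body and re.search(r"~\d+\.dll$", body, re.I):
        return code, "unnamed BHO loaded from an 8.3 short-name DLL"
    elif code == "O4":  # autostart entries
        name = body.rpartition(": ")[2].lower()
        for real in SYSTEM_NAMES:
            if name != real and SequenceMatcher(None, name, real).ratio() >= 0.9:
                return code, f"startup item {name} resembles {real}"
    elif code == "O20":  # AppInit_DLLs: loaded by every process that loads user32.dll
        dll = body.rpartition(": ")[2]
        extra = " with a repeated .dll extension" if re.search(r"(\.dll){2,}$", dll, re.I) else ""
        return code, "AppInit_DLLs entry present" + extra
    return None

# Constructed sample: four entries taken from the post above (the O20 name is
# shortened to three ".dll" repeats) plus two made-up benign lines.
SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL",
    r"O4 - Global Startup: winlogin.exe",
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe",
    r"O20 - AppInit_DLLs: 3dfgrpcthe2j27ll.dll.dll.dll",
]

def flagged(lines):
    return [hit for hit in map(triage, lines) if hit]

if __name__ == "__main__":
    for code, reason in flagged(SAMPLE):
        print(f"{code}: {reason}")
```

A hit only marks a line for review; it does not establish that the entry is malicious.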
     
