Hello all! I seem to be infected with this latest nasty bugger that's going around. I was confronted with the usual fake scan & some AV software was installed. As a kneejerk reaction I disabled the running file and tried to remove the software, which only succeeded in a fake uninstall that's removed the icon. It was titled AV something or other - AV Protect or something like that - and used the typical Windows shield as an icon.
In any case, MBAM, HijackThis, and ComboFix solutions are not working for me. MBAM will not run at all, neither will HJT. ComboFix attempts to run but does not move beyond "Attempting to Create System Restore Point." I am also unable to identify any foreign .exe with ProcessExplorer as of yet. Other symptoms include redirects of any and all antivirus related websites to spam sites, slower startup, and all system restore points deleted. I have tried the renaming solutions to no avail.
At this point I'm out of my league, so any help would be appreciated. Thanks so much for your time!
--Falcon
#1
Posted 19 August 2009 - 07:48 PM
#2
Posted 19 August 2009 - 09:15 PM
Hi Falcon, Welcome to Malwarebytes 
We Need to check for Rootkits with RootRepeal
- Download RootRepeal from the following location and save it to your desktop.
  - Zip Mirrors (Recommended)
    - Primary Mirror
    - Secondary Mirror
  - Rar Mirrors - Only if you know what a RAR is and can extract it.
    - Primary Mirror
    - Secondary Mirror
- Extract RootRepeal.exe from the archive.
- Open RootRepeal.exe on your desktop.
- Click the tab.
- Click the button.
- Check all seven boxes:
- Push Ok.
- Check the box for your main system drive (Usually C:), and press Ok.
- Allow RootRepeal to run a scan of your system. This may take some time.
- Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
#3
Posted 20 August 2009 - 04:28 AM
After the first time I tried to run RootRepeal the program presented several error messages and abruptly crashed. Every attempt thereafter yields this error message:
Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog.
Followed by another crash on the second attempted scan, after which the program refuses to run and displays this error message:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
Twice I have tried deleting the file and then importing it to my desktop again -- same result.
#4
Posted 20 August 2009 - 04:31 AM
Forgot to mention I am given the error message Error - could not init. MFT runlist! before the program crashes on the second try.
#5
Posted 20 August 2009 - 03:27 PM
Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report in your next reply.
#6
Posted 20 August 2009 - 08:18 PM
Win32KDiag log follows:
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB894391\KB894391
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP301.tmp\ZAP301.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A7.tmp\ZAP3A7.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP499.tmp\ZAP499.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4B1.tmp\ZAP4B1.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP505.tmp\ZAP505.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Options\Install\Install
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-04 07:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\attrib.exe
[1] 2004-08-04 07:00:00 11264 C:\WINDOWS\$NtServicePackUninstall$\attrib.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:12 12288 C:\WINDOWS\ServicePackFiles\i386\attrib.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:12 12288 C:\WINDOWS\system32\attrib.exe ()
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{C26033F5-0364-41AC-9A36-A5364CB0555E}\{C26033F5-0364-41AC-9A36-A5364CB0555E}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee.com Personal Firewall\McAfee.com Personal Firewall
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Wildtangent\Cdacache\Cdacache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Yahoo\YMP\YMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\My Yahoo! Music\My Yahoo! Music
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-04 07:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\findstr.exe
[1] 2004-08-04 07:00:00 27136 C:\WINDOWS\$NtServicePackUninstall$\findstr.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:20 27136 C:\WINDOWS\ServicePackFiles\i386\findstr.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:20 27136 C:\WINDOWS\system32\findstr.exe ()
Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Lang\Lang
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCA3E.tmp\MCA3E.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCA43.tmp\MCA43.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCA5.tmp\MCA5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCAC.tmp\MCAC.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCAE.tmp\MCAE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000e\MCE0000e
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000f\MCE0000f
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00010\MCE00010
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00011\MCE00011
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00012\MCE00012
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00013\MCE00013
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00014\MCE00014
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Finished!
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCA3E.tmp\MCA3E.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCA43.tmp\MCA43.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCA5.tmp\MCA5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCAC.tmp\MCAC.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCAE.tmp\MCAE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000e\MCE0000e
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE0000f\MCE0000f
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00010\MCE00010
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00011\MCE00011
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00012\MCE00012
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00013\MCE00013
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00014\MCE00014
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Finished!
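The "Cannot access" blocks in the log above list the clean copies next to the live file, and for eventlog.dll the live copy shares the ServicePackFiles timestamp but is a different size (61952 vs 56320 bytes). The following Python is an added example, not part of this thread or of Win32kDiag, that parses that report format and flags such same-build size mismatches; the sample log is constructed from the entries above.

```python
import re
from collections import Counter

# One candidate-copy line under a "Cannot access:" header, as the log above
# prints it: "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<company>)".
ENTRY_RE = re.compile(
    r"^\[\d+\]\s+(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<path>.+?)\s+\((?P<company>.*)\)\s*$"
)
MOUNT_RE = re.compile(r"^Mount point destination\s*:\s*(?P<dest>.+?)\s*$")

# Constructed sample modelled on the log above: the eventlog.dll and
# findstr.exe blocks plus one reparse-point pair.
SAMPLE_LOG = r"""Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
Cannot access: C:\WINDOWS\system32\findstr.exe
[1] 2004-08-04 07:00:00 27136 C:\WINDOWS\$NtServicePackUninstall$\findstr.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:20 27136 C:\WINDOWS\ServicePackFiles\i386\findstr.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:20 27136 C:\WINDOWS\system32\findstr.exe ()
Finished!
"""


def parse_report(text):
    """Group the candidate copies listed under each 'Cannot access:' line.

    Returns {live_path: [entry, ...]} with entry = {stamp, size, path, company}.
    """
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith("Cannot access:"):
            current = line.split(":", 1)[1].strip()
            blocks[current] = []
            continue
        match = ENTRY_RE.match(line)
        if current is not None and match:
            entry = match.groupdict()
            entry["size"] = int(entry["size"])
            blocks[current].append(entry)
        else:
            current = None  # any other line ends the block
    return blocks


def find_patched_copies(text):
    """Flag a live file whose size differs from a copy with the same timestamp.

    A blank company name is deliberately not used as evidence: it only says
    the tool could not open the live file to read its version resource.
    """
    findings = []
    for live_path, entries in parse_report(text).items():
        live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
        if live is None:
            continue
        same_build = [e for e in entries if e is not live and e["stamp"] == live["stamp"]]
        for ref in same_build:
            if ref["size"] != live["size"]:
                findings.append({"file": live_path, "live_size": live["size"],
                                 "reference": ref["path"], "reference_size": ref["size"]})
    return findings


def mount_point_destinations(text):
    """Tally where the reported reparse points resolve (in the log above they all
    resolve to one unusual destination)."""
    return Counter(m.group("dest") for m in map(MOUNT_RE.match, text.splitlines()) if m)


if __name__ == "__main__":
    for f in find_patched_copies(SAMPLE_LOG):
        print(f"{f['file']}: {f['live_size']} bytes, but {f['reference']} is {f['reference_size']}")
    for dest, n in mount_point_destinations(SAMPLE_LOG).items():
        print(f"{n} mount point(s) -> {dest}")
```

Run it against a full Win32kDiag.txt instead of SAMPLE_LOG to get the list of system files worth restoring from ServicePackFiles, which is the repair the helper attempts later in this thread.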
#7
Posted 20 August 2009 - 08:21 PM
Step #1
1. Go to Start->Run and type in notepad and hit OK.
2. Then copy and paste the content of the following codebox into Notepad:
Quote
@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit
3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.
4. Double click fixes.bat.
Step #2
We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please download The Avenger2 by SwanDog46.
- Unzip avenger.exe to your desktop.
- Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
Files to move: c:\scecli.dll | C:\WINDOWS\system32\scecli.dll
- Now start The Avenger2 by double clicking avenger.exe on your desktop.
- Read the prompt that appears, and press OK.
- Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
- Press the "Execute" button.
- You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
- Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
Step #3
Now try running ComboFix and Malwarebytes, then post the logs here.
#8
Posted 20 August 2009 - 09:33 PM
Gunslinger Falcon,
SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent instructions and we'll continue from there.
-screen317
#9
Posted 21 August 2009 - 03:20 AM
screen317, on Aug 20 2009, 10:33 PM, said:
Gunslinger Falcon,
SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent instructions and we'll continue from there.
-screen317
Thanks screen317! Killer GUNZ avatar, btw.
Avenger2 log:
Quote
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "c:\scecli.dll" not found!
File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
At this time the antivirus rogue kicked into high gear, this time with the name of Windows Antivirus Pro. Having read up on this one I went into the Task Manager and shut down WindowsAntivirusPro.exe and svchast.exe as well as several other random single-letter .exe's running. This gave me a brief moment in which MBAM was able to run, but it crashed shortly thereafter. Same luck with ComboFix.
#10
Posted 21 August 2009 - 04:59 PM
Just an update - I've tried doing the above in SafeMode, still to no avail. I'm considering backing up my important data and formatting. Is this virus known to spread through USB transfer of music, images, and documents?
#11
Posted 21 August 2009 - 08:43 PM
Hi Gunslinger Falcon,
You're welcome, and wow haha no one has recognized my avatar in the years I've had it up. 
I do not believe it transfers through removable media; however, this is a new infection and the fixes are still being developed. We do have a lead on this case though. Give this a try:
Please delete your copy of Win32kDiag.
Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
See if you can run MBAM now.
-screen317
#12
Posted 22 August 2009 - 04:04 AM
I tried running the command -- it would appear nothing happens. I get no .txt file or anything. The process appears to run for a split second and then disappears. Still unable to run MBAM.
#13
Posted 22 August 2009 - 05:42 AM
Gunslinger Falcon,
Delete your copy and download it again. Try the command and let me know if it still won't work.
-screen317
#14
Posted 22 August 2009 - 01:35 PM
screen317, on Aug 22 2009, 06:42 AM, said:
Gunslinger Falcon,
Delete your copy and download it again. Try the command and let me know if it still won't work.
-screen317
Still no dice. All I get is half a second with the hourglass pointer and then nothing. I've tried it several times, in safe mode and normal. I've triple checked my spelling and all that, since I have to copy it by hand onto the infected laptop.
#15
Posted 22 August 2009 - 10:40 PM
Hi,
Let's pursue an alternate route.
Navigate to Start --> Run, and enter the following:
cmd.exe
Press Enter.
Type this command in the black box that appears (exactly as shown):
copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll "%userprofile%\desktop"
Press Enter.
After it completes, type exit and press Enter.
Next, we need to execute an Avenger2 script.
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please download The Avenger2 by SwanDog46.
- Unzip avenger.exe to your desktop.
- Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
Files to move: "%userprofile%\desktop\eventlog.dll" | C:\WINDOWS\system32\eventlog.dll
- Now start The Avenger2 by double clicking avenger.exe on your desktop.
- Read the prompt that appears, and press OK.
- Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
- Press the "Execute" button.
- You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
- Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
Next, try running MBAM.
-screen317
#16
Posted 23 August 2009 - 05:12 AM
Avenger log:
Quote
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file move operations must be within volumes.
File move operation ""C:\Documents and Settings\Falcon\desktop\eventlog.dll" | C:\WINDOWS\system32\eventlog.dll" failed!
Status: 0xc000003e (STATUS_DATA_ERROR)
Completed script processing.
*******************
Finished! Terminate.
Still no dice on MBAM or combofix. I'm thinking my best option may be to backup and format - College starts up for me on Monday so time will be scant, and it seems my computer is getting progressively slower. That aside, I was already considering reformatting now that I have a new desktop anyway. But, you let me know what you think is best.
#17
Posted 23 August 2009 - 10:45 PM
I didn't want to have you format. We almost have this beat.
If you're still up for it, we can try this Avenger script.
If you need to format so you have a clean computer for school, by all means do so. It is the safest route.
Next, we need to execute an Avenger2 script.
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please download The Avenger2 by SwanDog46.
- Unzip avenger.exe to your desktop.
- Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
Files to move: "C:\Documents and Settings\Falcon\desktop\eventlog.dll" | C:\WINDOWS\system32\eventlog.dll
- Now start The Avenger2 by double clicking avenger.exe on your desktop.
- Read the prompt that appears, and press OK.
- Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
- Press the "Execute" button.
- You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
- Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
Next, try running MBAM and ComboFix (grab a new copy).
-screen317
#18
Posted 24 August 2009 - 11:26 AM
Hey dude! Thanks so much for all of your help, you put some serious work into this one. I did decide to go ahead and reformat simply because, as you said, it's the safest option, besides which the thing really needed cleaning up anyway. Again thanks so much for your help, I really appreciate your commitment to helping people out of sticky malware situations.
I've installed COMODO firewall and antivirus as well as MBAM on my new system. Anything else I should load up to protect my laptop from future infection?
#19
Posted 24 August 2009 - 09:25 PM
Gunslinger Falcon,
Thanks for letting me know.
Yes, here are additional steps to increase your protection.
1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.
2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.
3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.
4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.
5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
- Green to go
- Yellow for caution
- Red to stop
6) Be sure to update your Antivirus and Antispyware programs often!
Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?
Safe surfing,
-screen317
#20
Posted 03 September 2009 - 08:49 AM
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.