I stupidly ran it to see just how legit it was, and my installed Comodo Antivirus told me that MSA.EXE, B.EXE, and C.EXE were all trying to do unauthorized actions. I blocked every one of them, and when I went back to the folder to delete the fake Flash Player installer, it was gone.
I thought nothing of it, and ran a Comodo AV scan last night, which came up with zero threats, so I turned off my computer and went to bed.
This morning, I went to university and booted up Chrome to log into the wireless, then went to Firefox to start working on my assignment. The firefox.exe process loaded, but closed almost immediately after. I tried it again, and the same thing happened. At the end of class, I turned off my machine, hoping it might clear it up. Before it shut down, it gave me a notification that "CUccPlatform" was not responding, so I just hit end task.
Went on break after class and booted up my machine, and Firefox would still not boot. It was at this point that I noticed Windows Live Messenger (which I have enabled to run on startup) was a running process but did not display a window or anything.
I'm a fair bit computer-savvy so I decided to try a few things with Firefox. I renamed it to ff3.exe instead of firefox.exe, and it ran perfectly. This is when I realized I probably had a virus, and related it back to yesterday when I downloaded that file.
I quickly went to the internet and to my Firewall log files to find the cause of the problem. I quickly found C:\WINDOWS\msa.exe (which I found on Google was a piece of malware), and deleted it. I also found the C:\Documents and Settings\USER\Local Settings\Temp\b.exe (and c.exe) and deleted them both.
Thinking I was oh so clever, I started Firefox again (using firefox.exe), but the same problem occurred.
At this point, I was getting a little fed up, so I just used Chrome for the rest of my school day and ran ClamWin Antivirus in the background. It came across a few viral files which I swiftly deleted.
The same problem still existed, so I went back to good old Google, and found Malwarebytes' Anti-Malware program, and downloaded it. Immediately after starting a Full Scan, the program terminated and I was unable to run it again (something about invalid permissions--as if I'm not the administrator or something).
Continuing on my witch hunt, I tried HijackThis (which I have used with success in the past on my desktop). Same problem--halfway through the scan, it just shuts down and I am unable to run it again.
Attempting once again to rectify the issue, I used Comodo to block all access to the HijackThis.exe file, and even renamed it Blablabla.exe to see if that could throw the virus off.
Nope; didn't work either.
I've also tried the DDS tool and GMER. They both crash upon completion as well.
Throughout this process I also ended up looking through all my registry keys. I found a few that were mentioned online, namely one named NordPull, and one named poprock. I didn't find any startup keys starting msa.exe or anything suspicious, nor is there anything odd in my Active Processes list.
So basically, it's now been almost 12 hours of frustration, I'm at my wit's end here, and I'm hoping someone can steer me in the right direction. This'll sure teach me to watch TV online...
Cheers, and thanks in advance!
PS: I took the liberty of running Win32kDiag.exe, and here is the log:
Running from: C:\Documents and Settings\Eric\My Documents\Downloads\Win32kDiag.exe
Log file at : C:\Documents and Settings\Eric\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP167.tmp\ZAP167.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP246.tmp\ZAP246.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP263.tmp\ZAP263.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP302.tmp\ZAP302.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP35C.tmp\ZAP35C.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3EA.tmp\ZAP3EA.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5DB.tmp\ZAP5DB.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Downloaded Installations\{4A950ED3-4763-44A0-910A-B2BA5F2D5CA9}\{4A950ED3-4763-44A0-910A-B2BA5F2D5CA9}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\drivers\sfi.dat
[1] 2009-09-22 18:54:41 1474832 C:\WINDOWS\system32\drivers\sfi.dat ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 06:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Patcher2972\Patcher2972
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\twain_32\snp2uvc\snp2uvc
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Finished!
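As an added example (not part of the original post or of Win32kDiag itself), here is a small Python triage script for this log format. It pairs each "Found mount point" line with its destination and flags ones that do not resolve to an ordinary \??\Volume{GUID}\ target or that are named after their own parent directory (the pattern visible throughout the log above), and it compares each "Cannot access" file with the backup copies listed beneath it. The log embedded in the script is a constructed sample shaped like the output above, and the volume-path heuristic is an assumption about how normal NTFS mount points appear.

```python
import re

# Constructed sample shaped like the Win32kDiag output above (not the original log)
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\mnt\data
Mount point destination : \??\Volume{0f1e2d3c-1111-2222-3333-444444444444}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 06:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
Finished!"""

# Assumption: an ordinary NTFS volume mount point resolves to \??\Volume{GUID}\
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]{36}\}\\?$")
# "[n] date time size path (vendor)" lines that follow a "Cannot access" entry
ENTRY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

def triage_win32kdiag(text):
    """Return suspicious mount points and unreadable files as dicts with a
    'why' list explaining each flag."""
    lines, findings, i = text.splitlines(), [], 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Found mount point : "):
            src, dest, why = line[20:], "", []   # 20 = len("Found mount point : ")
            if i + 1 < len(lines) and lines[i + 1].startswith("Mount point destination : "):
                i += 1
                dest = lines[i][26:]             # 26 = len("Mount point destination : ")
            parts = src.split("\\")
            if not VOLUME_RE.match(dest):
                why.append("target is not a \\??\\Volume{GUID} path: " + dest)
            if len(parts) > 1 and parts[-1].lower() == parts[-2].lower():
                why.append("reparse point named after its own parent directory")
            if why:
                findings.append({"kind": "mount_point", "path": src, "why": why})
        elif line.startswith("Cannot access: "):
            target, copies = line[15:], []        # 15 = len("Cannot access: ")
            while i + 1 < len(lines) and ENTRY_RE.match(lines[i + 1]):
                i += 1
                copies.append(ENTRY_RE.match(lines[i]).groups())
            why = ["file could not be opened for reading"]
            own = [c for c in copies if c[3].lower() == target.lower()]
            ref = [c for c in copies if c[3].lower() != target.lower()]
            if own and ref and (own[0][4] == "" or own[0][2] != ref[0][2]):
                why.append("size %s/vendor '%s' differ from backup copy %s (size %s)"
                           % (own[0][2], own[0][4], ref[0][3], ref[0][2]))
            findings.append({"kind": "inaccessible_file", "path": target, "why": why})
        i += 1
    return findings
```

Run against a real Win32kDiag.txt, every mount point in the log above would be flagged on both counts, and eventlog.dll would be flagged because its size and missing vendor differ from the dllcache copy.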