Hijackthis, MBAM, rootrepeal will not run. Google links redirected
Started by cholesterol, Oct 17 2009 08:23 AM
#1
Posted 17 October 2009 - 08:23 AM
Google links are being redirected and MBAM / HijackThis / rootrepeal will not run.
Whenever I try to run MBAM / HijackThis / rootrepeal after a fresh download or install, it will start up and scan / run for a few seconds before closing. After that, I cannot start them and receive the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item" message.
Reinstalling / renaming the programs has not helped.
I should also mention that this started happening after I found c.exe and b.exe running in Task Manager. I found and deleted them but the problems have persisted.
Any help would be greatly appreciated, thank you in advance.
#2
Posted 17 October 2009 - 11:56 AM
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished that.
#3
Posted 17 October 2009 - 08:11 PM
When I attempt to run ComboFix, I receive the following message:
"ComboFix has detected the following real time scanner(s) to be active:
antivirus: Kaspersky Anti-Virus"
I realize that I should disable it before allowing ComboFix to run but I am unable to find Kaspersky in system tray or the task manager.
When I try to run Kaspersky from the Program Files directory so that I can attempt to bring up a window so I can end it, I receive the "Windows cannot access the specified..." message.
I will await further instruction before continuing.
#4
Posted 17 October 2009 - 08:14 PM
For the moment, and just for the first run, let's disregard that message & allow ComboFix to proceed.
#5
Posted 17 October 2009 - 08:28 PM
Upon running ComboFix, I receive a message saying that rootkit activity was detected and that the computer needs to be rebooted.
After rebooting, ComboFix begins scanning, goes through its 50 stages, and then it says something about eventlog.dll being infected (I was unable to catch all of it in time as following this the system rebooted once again).
After rebooting, the system starts normally but there is no log to be found.
#6
Posted 17 October 2009 - 08:37 PM
That's okay. Try doing this ...
Go to Start → Run → paste in the single line command & click OK
    %systemdrive%\ComboFix\Combobatch.bat
Let me know if that does anything
#7
Posted 17 October 2009 - 08:39 PM
A window pops up for a split second and then closes.
I'm not sure what that did, how should I proceed now?
#8
Posted 17 October 2009 - 08:44 PM
Means something stopped it from running. I think it's probably Kaspersky at work. It may be inaccessible to you but the program is still running.
Not a worry. ComboFix has done enough to dislodge the main infection. It's easy to tell. Your machine shouldn't be feeling slow anymore.
Do this next step for every program of yours that complains about "Windows cannot access the specified..."
We'll start with MBAM
------------
1) Please download this file
2) Place fr33.exe into MBAM's folder - C:\Program Files\Malwarebytes' Anti-Malware\
3) Locate and then using your mouse, drag mbam.exe into fr33.exe. That shall free mbam.exe
--------
After doing that, disable Kaspersky and double click ComboFix.exe to run it again.
#9
Posted 17 October 2009 - 08:46 PM
Do this next step after ComboFix has finished running
Download and run Win32kDiag:
1. Download Win32kDiag from any of the following locations and save it to your Desktop.
- Download Win32kDiag (Win32kDiag.exe) - #1
- Download Win32kDiag (Win32kDiag.exe) - #2
- Download Win32kDiag (Win32kDiag.exe) - #3
2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
#10
Posted 17 October 2009 - 09:03 PM
sUBs, on Oct 17 2009, 09:44 PM, said:
Means something stopped it from running. I think it's probably Kaspersky at work. It may be inaccessible to you but the program is still running.
Not a worry. ComboFix has done enough to dislodge the main infection. It's easy to tell. Your machine shouldn't be feeling slow anymore.
Do this next step for every program of yours that complains about "Windows cannot access the specified..."
We'll start with MBAM
------------
1) Please download this file
2) Place fr33.exe into MBAM's folder - C:\Program Files\Malwarebytes' Anti-Malware\
3) Locate and then using your mouse, drag mbam.exe into fr33.exe. That shall free mbam.exe
--------
After doing that, disable Kaspersky and double click ComboFix.exe to run it again.
fr33 worked fine on MBAM, but when I try to drag fr33 into the directory for Kaspersky, I get an "Access is denied" message.
I tried redownloading the file directly into the Kaspersky directory and saving fr33 to the desktop and dragging it from there, but neither attempt has worked.
(The attempts at saving the file directly in the Kaspersky file directory have left me with a fr33.exe that is neither functional nor removable)
#11
Posted 17 October 2009 - 09:06 PM
That means Kaspersky's self defense feature is enabled. Didn't do it much good with the infection though. 
I think you need to do this exercise from safe mode where Kaspersky should be inactive.
#12
Posted 17 October 2009 - 09:58 PM
@cholesterol, are you still there? How are things now?
#14
Posted 17 October 2009 - 10:01 PM
Alright, so I successfully managed to use fr33 on Kaspersky while in safe mode.
Following that, I started up Kaspersky, disabled all of its features, and made it so that it would not run on startup.
After doing that, I ran ComboFix again, and this time it ran without telling me that Kaspersky was on.
ComboFix once again said that it detected rootkit activity and rebooted the computer, then it started its scan.
As the scan neared its end, it once again said that C:\Windows\system32\eventlog.dll was infected and that it was attempting to restore it.
It did not say whether it was successful or not and proceeded to reboot the computer once again.
This time, upon booting up, everything was normal except that the ComboFix window was still open (there is nothing in the window and it does not appear to be doing anything). There is no log once again.
Should I proceed to follow your instructions and use Win32kDiag?
Thanks for your patience in helping me deal with this issue.
#15
Posted 17 October 2009 - 10:03 PM
Yes, please run Win32kDiag
#16
Posted 17 October 2009 - 10:07 PM
Here is the log from Win32kDiag
Running from: C:\Documents and Settings\Jebsen\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Jebsen\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB885835\KB885835
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB942840\KB942840
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\IEExecRemote
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DB.tmp\ZAP1DB.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BE.tmp\ZAP2BE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\EffectResources\VM0303\VM0303
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ie8updates\ie8updates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6ebd16cfa495accd1804cd7de17cee70\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b4a99ee77ab6fc9b948ad07f463a379f\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dfeddbe03266add4998ad4eea2bf3073\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\asms\52\52
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\asms\60\60
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\eventlog.dll (Microsoft Corporation)
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2
Mount point destination : \Device\__max++>\^
Finished!
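A triage script for Win32kDiag output like the log above, added here as an example; it is not code from sUBs, from the thread, or from the Win32kDiag author. It parses the "Found mount point" / "Mount point destination" pairs and the candidate-file lines listed under "Cannot access", flags every junction whose target lacks the \??\ prefix that a reparse point created with mklink or Disk Management carries (an assumption used as a heuristic, not a rule Win32kDiag itself applies), records the junctions that are named after their own parent directory as every flagged one in the posted log is, and reports which copies of the blocked DLL carry no publisher string and which same-name copies could serve as a restore source. The sample input is an excerpt of the posted log plus one constructed entry (C:\WINDOWS\GoodJunction with a \??\Volume{...} target) standing in for a legitimate volume mount point that must not be flagged.

```python
import re
from collections import Counter

# Excerpt of the Win32kDiag.txt posted above, plus one CONSTRUCTED entry
# (C:\WINDOWS\GoodJunction) standing in for a legitimate volume mount point,
# so the heuristic below has something it must NOT flag.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Jebsen\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\GoodJunction
Mount point destination : \??\Volume{1b2c3d4e-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\eventlog.dll (Microsoft Corporation)
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
BLOCKED_RE = re.compile(r"^Cannot access: (.+)$")
# [flag] date time size path (company name from the version resource; may be empty)
FILE_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+) \((.*)\)$")


def parse_win32kdiag(text):
    """Return (mount_points, blocked) from Win32kDiag output.

    mount_points: list of (directory, reparse_target)
    blocked: {inaccessible_path: [candidate copies listed beneath it]}
    """
    mounts, blocked, pending_dir, current = [], {}, None, None
    for line in text.splitlines():
        if m := MOUNT_RE.match(line):
            pending_dir = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_dir:
            mounts.append((pending_dir, m.group(1)))
            pending_dir = None
        elif m := BLOCKED_RE.match(line):
            current = m.group(1)
            blocked[current] = []
        elif (m := FILE_RE.match(line)) and current:
            _flag, stamp, size, path, company = m.groups()
            blocked[current].append(
                {"path": path, "size": int(size), "company": company, "stamp": stamp})
    return mounts, blocked


def triage(text):
    mounts, blocked = parse_win32kdiag(text)
    # Heuristic (assumption, not a Win32kDiag rule): junctions made with
    # mklink or Disk Management carry the \??\ prefix (\??\C:\dir or
    # \??\Volume{GUID}\). A target such as \Device\__max++>\^ does not.
    bad_mounts = [(d, t) for d, t in mounts if not t.startswith("\\??\\")]
    # Every flagged junction in the posted log is named after its parent
    # (addins\addins, Minidump\Minidump); record that as a second signal.
    self_named = []
    for d, _ in bad_mounts:
        parts = d.split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            self_named.append(d)
    files = {}
    for target, copies in blocked.items():
        base = target.rsplit("\\", 1)[-1].lower()
        in_use = [c for c in copies if c["path"].lower() == target.lower()]
        backups = [c for c in copies
                   if c["path"].lower() != target.lower() and c["company"]]
        files[target] = {
            "in_use": in_use[0] if in_use else None,
            "no_company": [c["path"] for c in copies if not c["company"]],
            "backup_sizes": sorted({c["size"] for c in backups}),
            # Same-name copies with a publisher string; the file version still
            # has to be checked before one of them replaces the live file.
            "restore_candidates": [c["path"] for c in backups
                                   if c["path"].lower().endswith("\\" + base)],
        }
    return {"mount_points": len(mounts), "suspicious_mounts": bad_mounts,
            "targets": Counter(t for _, t in bad_mounts),
            "self_named": self_named, "files": files}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{len(r['suspicious_mounts'])}/{r['mount_points']} mount points suspicious")
    for target, count in r["targets"].items():
        print(f"  {count} junction(s) -> {target}")
    for path, info in r["files"].items():
        live = info["in_use"]
        print(f"{path}: live copy {live['size']} bytes, publisher {live['company']!r}; "
              f"clean copies are {info['backup_sizes']} bytes")
```

On the full log the same code reports about sixty junctions, all pointing at the one \Device\__max++>\^ target, and a live eventlog.dll that is 61952 bytes with no publisher string while every other copy on disk is 55808 or 56320 bytes and labelled Microsoft Corporation; that size and publisher mismatch is the concrete reason the DLL is treated as patched rather than merely locked.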
#17
Posted 17 October 2009 - 10:13 PM
Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog]
"Start"=dword:00000004

Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:
Double click on fix.reg & allow it to merge into the registry
Reboot the machine and run ComboFix.
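Added example, not part of the thread: a small parser for the REGEDIT4 format that fix.reg above uses. It rejects a file whose header line is missing (the paste mistake the post warns about), decodes the Start dword into the service start type (4 is SERVICE_DISABLED, so the Event Log service, and with it the DLL it loads, does not start at the next boot), and lists any keys the file touches outside the services tree so a reviewer can confirm the file does only what was described before double-clicking it. The FIX_REG sample is the post's own content; the hex and string branches and the Registry Editor 5.00 header are general REGEDIT4 handling that fix.reg itself does not exercise.

```python
import re

# The fix.reg from the post above, embedded as the sample input.
FIX_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog]
"Start"=dword:00000004
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\"
# SERVICE_BOOT_START .. SERVICE_DISABLED, the values the Start dword can take
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _logical_lines(text):
    """Join hex: values continued with a trailing backslash onto one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def decode_value(data):
    """Decode the right-hand side of a name=value line into (kind, value)."""
    if data.startswith("dword:"):
        return ("dword", int(data[6:], 16))
    if data.startswith("hex:"):
        return ("hex", bytes.fromhex(data[4:].replace(",", "")))
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return ("string", re.sub(r"\\(.)", r"\1", data[1:-1]))
    if data == "-":
        return ("delete", None)
    raise ValueError(f"unsupported value syntax: {data}")


def parse_reg(text):
    """Parse a .reg file into {key: {name: (kind, value)}}; a [-KEY] line maps to None.

    Raises ValueError when the REGEDIT4 / 5.00 header is missing, which is
    exactly what happens when the first line is dropped from the paste.
    """
    lines = list(_logical_lines(text))
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / Registry Editor 5.00 header")
    result, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if m := KEY_RE.match(line):
            delete, key = m.groups()
            current = None if delete else key
            result[key] = None if delete else {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {line}")
        name = "@" if m.group(2) else m.group(1)
        result[current][name] = decode_value(m.group(3))
    return result


def service_changes(parsed):
    """Report service start-type changes; every other key goes in 'other'."""
    changes, other = {}, []
    for key, values in parsed.items():
        if key.lower().startswith(SERVICES_PREFIX.lower()) and values and "Start" in values:
            kind, num = values["Start"]
            label = START_TYPES.get(num, f"unknown({num})") if kind == "dword" else f"non-dword {kind}"
            changes[key[len(SERVICES_PREFIX):]] = label
        else:
            other.append(key)
    return changes, other


if __name__ == "__main__":
    changes, other = service_changes(parse_reg(FIX_REG))
    for svc, start in changes.items():
        print(f"service {svc}: Start -> {start}")
    if other:
        print("keys outside the services tree:", ", ".join(other))
```

The same check is worth running on any .reg a helper sends: a file that merges cleanly but sets Start on a driver key, or deletes a key with the [-KEY] form, shows up in the output before it reaches the registry.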
#18
Posted 17 October 2009 - 10:26 PM
I followed your instructions on fix.reg, rebooted, and ran ComboFix again.
This time, it started scanning without saying that it detected rootkit activity, but once it got near the end, it once again said that eventlog.dll was infected and that it was trying to restore it.
It rebooted the system and there is once again no log from ComboFix.
#19
Posted 17 October 2009 - 10:28 PM
Please zip the entire folder - C:\ComboFix
Then upload it to me at > http://www.bleepingc...e.php?channel=4
Let me know when that's done
#20
Posted 17 October 2009 - 10:32 PM
When attempting to zip C:\ComboFix, I get a pop up saying:
! C:\ComboFix.rar: Cannot open C:\ComboFix\N_\19960
! The process cannot access the file because it is being used by another process.
Should I upload the resulting rar anyways?