cholesterol
Oct 17 2009, 08:23 AM
Google links are being redirected and MBAM / HijackThis / rootrepeal will not run.
Whenever I try to run MBAM / HijackThis / rootrepeal after a fresh download or install, it will start up and scan / run for a few seconds before closing. After that, I cannot start them and receive the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item" message.
Reinstalling / renaming the programs has not helped.
I should also mention that this started happening after I found c.exe and b.exe running in Task Manager. I found and deleted them but the problems have persisted.
Any help would be greatly appreciated, thank you in advance.
sUBs
Oct 17 2009, 11:56 AM
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the log from ComboFix when you've accomplished that.
cholesterol
Oct 17 2009, 08:11 PM
When I attempt to run ComboFix, I receive the following message:
"ComboFix has detected the following real time scanner(s) to be active:
antivirus: Kaspersky Anti-Virus"
I realize that I should disable it before allowing ComboFix to run but I am unable to find Kaspersky in system tray or the task manager.
When I try to run Kaspersky from the Program Files directory so that I can attempt to bring up a window so I can end it, I receive the "Windows cannot access the specified..." message.
I will await further instruction before continuing.
sUBs
Oct 17 2009, 08:14 PM
For the moment, and just for the first run, let's disregard that message & allow ComboFix to proceed.
cholesterol
Oct 17 2009, 08:28 PM
Upon running ComboFix, I receive a message saying that rootkit activity was detected and that the computer needs to be rebooted.
After rebooting, ComboFix begins scanning, goes through its 50 stages, and then it says something about eventlog.dll being infected (I was unable to catch all of it in time as following this the system rebooted once again).
After rebooting, the system starts normally but there is no log to be found.
sUBs
Oct 17 2009, 08:37 PM
That's okay. Try doing this ...
Go to Start → Run, paste in the single line command & click OK:
%systemdrive%\ComboFix\Combobatch.bat
Let me know if that does anything
cholesterol
Oct 17 2009, 08:39 PM
A window pops up for a split second and then closes.
I'm not sure what that did, how should I proceed now?
sUBs
Oct 17 2009, 08:44 PM
Means something stopped it from running. I think it's probably Kaspersky at work. It may be inaccessible to you but the program is still running.
Not a worry. ComboFix has done enough to dislodge the main infection. It's easy to tell. Your machine shouldn't be feeling slow anymore.
Do this next step for every program of yours that complains about "Windows cannot access the specified..."
We'll start with MBAM
------------
1) Please download this file
2) Place fr33.exe into MBAM's folder - C:\Program Files\Malwarebytes' Anti-Malware\
3) Locate mbam.exe and then, using your mouse, drag it into fr33.exe. That shall free mbam.exe
--------
After doing that, disable Kaspersky and double click ComboFix.exe to run it again.
sUBs
Oct 17 2009, 08:46 PM
Do this next step after ComboFix has finished running
Download and run Win32kDiag:
cholesterol
Oct 17 2009, 09:03 PM
QUOTE (sUBs @ Oct 17 2009, 09:44 PM)

Means something stopped it from running. I think it's probably Kaspersky at work. It may be inaccessible to you but the program is still running.
Not a worry. ComboFix has done enough to dislodge the main infection. It's easy to tell. Your machine shouldn't be feeling slow anymore.
Do this next step for every program of yours that complains about "Windows cannot access the specified..."
We'll start with MBAM
------------
1) Please download this file
2) Place fr33.exe into MBAM's folder - C:\Program Files\Malwarebytes' Anti-Malware\
3) Locate mbam.exe and then, using your mouse, drag it into fr33.exe. That shall free mbam.exe
--------
After doing that, disable Kaspersky and double click ComboFix.exe to run it again.
fr33 worked fine on MBAM, but when I try to drag fr33 into the directory for Kaspersky, I get an "Access is denied" message.
I tried redownloading the file directly into the Kaspersky directory and saving fr33 to the desktop and dragging it from there, but neither attempt has worked.
(The attempts at saving the file directly in the Kaspersky file directory have left me with a fr33.exe that is neither functional nor removable)
sUBs
Oct 17 2009, 09:06 PM
That means Kaspersky's self defense feature is enabled. Didn't do it much good with the infection though.
I think you need to do this exercise from safe mode where Kaspersky should be inactive.
sUBs
Oct 17 2009, 09:58 PM
@cholesterol, are you still there? How are things now?
cholesterol
Oct 17 2009, 10:01 PM
Alright, so I successfully managed to use fr33 on Kaspersky while in safe mode.
Following that, I started up Kaspersky, disabled all of its features, and made it so that it would not run on startup.
After doing that, I ran ComboFix again, and this time it ran without telling me that Kaspersky was on.
ComboFix once again said that it detected rootkit activity and rebooted the computer, then it started its scan.
As the scan neared its end, it once again said that C:\Windows\system32\eventlog.dll was infected and that it was attempting to restore it.
It did not say whether it was successful or not and proceeded to reboot the computer once again.
This time, upon booting up, everything was normal except that the ComboFix window was still open (there is nothing in the window and it does not appear to be doing anything). There is no log once again.
Should I proceed to follow your instructions and use Win32kDiag?
Thanks for your patience in helping me deal with this issue.
sUBs
Oct 17 2009, 10:03 PM
Yes, please run Win32kDiag
cholesterol
Oct 17 2009, 10:07 PM
Here is the log from Win32kDiag
Running from: C:\Documents and Settings\Jebsen\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Jebsen\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB885835\KB885835
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB942840\KB942840
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\IEExecRemote
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DB.tmp\ZAP1DB.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BE.tmp\ZAP2BE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\EffectResources\VM0303\VM0303
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ie8updates\ie8updates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6ebd16cfa495accd1804cd7de17cee70\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b4a99ee77ab6fc9b948ad07f463a379f\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dfeddbe03266add4998ad4eea2bf3073\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\asms\52\52
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\asms\60\60
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\eventlog.dll (Microsoft Corporation)
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2
Mount point destination : \Device\__max++>\^
Finished!
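Two things in the Win32kDiag output above drive the rest of the thread: dozens of directory reparse points under C:\WINDOWS whose destination is \Device\__max++>\^ rather than a \??\Volume{GUID}\ or \??\C:\ path of the kind the Windows mount manager creates, and a system32\eventlog.dll of 61952 bytes with an empty company name while every backup copy listed is 55808 bytes and carries "Microsoft Corporation". The Python script below is an added example, not something posted in the thread or shipped with Win32kDiag: it parses log lines in that format and flags both conditions. SAMPLE_LOG is constructed from a few lines in the shape of the log above plus one made-up legitimate volume mount point for contrast; the rule that a mount-manager-created reparse point resolves under \??\ is an assumption stated in the code, and the bracketed number at the start of each file line is kept as-is rather than interpreted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Win32kDiag output. The two C:\WINDOWS
# mount points and the eventlog.dll block mirror the thread's log; the D:\
# mount point is made up to show what a mount-manager-created one looks like.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : D:\Backups\Archive
Mount point destination : \??\Volume{d4e1f2a3-1111-2222-3333-444455556666}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)
[1] 2004-08-04 00:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 00:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# [tag] date time size path (company); the path may itself contain parentheses,
# so the path group is greedy and the company is the last parenthesised run.
FILE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+) \((.*)\)$")

# Assumption: anything the mount manager creates resolves under \??\
# (a drive letter or Volume{GUID}); a reparse point elsewhere was planted.
LEGIT_DEST_PREFIX = "\\??\\"


def parse_win32kdiag(text):
    """Split a Win32kDiag log into mount points, blocked files and the
    candidate copies listed under each blocked file.

    Returns (mount_points, blocked, groups):
      mount_points - list of (directory, destination)
      blocked      - paths reported as 'Cannot access'
      groups       - blocked path -> list of dicts with tag, time, size,
                     path, company (tag is kept verbatim, not interpreted)
    """
    mount_points, blocked = [], []
    groups = defaultdict(list)
    pending_dir = None   # directory waiting for its destination line
    current = None       # blocked file whose copies are being listed
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m and current is not None:
            tag, when, size, path, company = m.groups()
            groups[current].append({"tag": tag, "time": when, "size": int(size),
                                    "path": path, "company": company})
            continue
        current = None   # any line that is not a copy listing ends the block
        m = MOUNT_RE.match(line)
        if m:
            pending_dir = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_dir is not None:
            mount_points.append((pending_dir, m.group(1)))
            pending_dir = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            current = m.group(1)
            blocked.append(current)
    return mount_points, blocked, dict(groups)


def rogue_mount_points(mount_points):
    """Reparse points whose destination is not a mount-manager path."""
    return [(d, dest) for d, dest in mount_points
            if not dest.startswith(LEGIT_DEST_PREFIX)]


def odd_copies(groups):
    """For each blocked file, compare every listed copy against the majority
    (size, company) of its group and return the outliers as
    (blocked_file, copy_path, size, company)."""
    out = []
    for blocked, copies in groups.items():
        majority, _ = Counter((c["size"], c["company"]) for c in copies).most_common(1)[0]
        for c in copies:
            if (c["size"], c["company"]) != majority:
                out.append((blocked, c["path"], c["size"], c["company"]))
    return out


def triage(text):
    mount_points, blocked, groups = parse_win32kdiag(text)
    return {"rogue_mount_points": rogue_mount_points(mount_points),
            "blocked": blocked,
            "odd_copies": odd_copies(groups)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

To use it on a real run, replace SAMPLE_LOG with the contents of the saved Win32kDiag.txt. On the log posted above it would list every C:\WINDOWS mount point as rogue and single out the 61952-byte system32\eventlog.dll, which is the copy the thread goes on to replace with eventlog(3).dll; the majority vote only works because Win32kDiag lists several backup copies alongside the live file, so a group with one or two entries should be checked by hand.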
sUBs
Oct 17 2009, 10:13 PM
Open NOTEPAD.exe and copy/paste the text in the codebox below (don't forget to copy and paste REGEDIT4):
CODE
REGEDIT4
; Start=4 (SERVICE_DISABLED) keeps the Event Log service, and with it the infected eventlog.dll, from loading at boot
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog]
"Start"=dword:00000004
Save this as fix.reg. Choose to "Save type as - All Files".
Double click on fix.reg & allow it to merge into the registry.
Reboot the machine and run ComboFix.
cholesterol
Oct 17 2009, 10:26 PM
I followed your instructions on fix.reg, rebooted, and ran ComboFix again.
This time, it started scanning without saying that it detected rootkit activity, but once it got near the end, it once again said that eventlog.dll was infected and that it was trying to restore it.
It rebooted the system and there is once again no log from ComboFix.
sUBs
Oct 17 2009, 10:28 PM
Please zip the entire folder - C:\ComboFix
Then upload it to me at >
http://www.bleepingcomputer.com/submit-malware.php?channel=4
Let me know when that's done
cholesterol
Oct 17 2009, 10:32 PM
When attempting to zip C:\ComboFix, I get a pop up saying:
! C:\ComboFix.rar: Cannot open C:\ComboFix\N_\19960
! The process cannot access the file because it is being used by another process.
Should I upload the resulting rar anyways?
sUBs
Oct 17 2009, 10:34 PM
How big is the rar file?
QUOTE
! C:\ComboFix.rar: Cannot open C:\ComboFix\N_\19960
That means ComboFix is still running. Look in Task Manager and see which process is running. Many of ComboFix's processes have the cfxxe extension.
cholesterol
Oct 17 2009, 10:39 PM
I've managed to rar it without any problems and it's just been uploaded.
sUBs
Oct 17 2009, 10:42 PM
Downloading it now. Give me a few moments with it. Shouldn't take too long.
sUBs
Oct 17 2009, 10:56 PM
I think I know what's wrong now.
Please run the regfix from post #17 again. Then reboot the machine.
After rebooting, go to the folder - C:\Windows\System32
Locate this file - eventlog.dll and delete it
Then wait 5 seconds and refresh the page by pressing F5 on your keyboard.
If a new copy of eventlog.dll re-appears, then all's well. The operating system regenerated a fresh copy.
If a new copy doesn't appear, locate this file - eventlog(3).dll
Rename it to eventlog.dll
cholesterol
Oct 17 2009, 11:04 PM
I followed your instructions and a new copy of eventlog.dll did not reappear.
I renamed eventlog(3).dll to eventlog.dll as per your instruction.
What should I do now?
sUBs
Oct 17 2009, 11:06 PM
Please launch mbam.exe and perform a Quick Scan. Then show me the results of the scan
cholesterol
Oct 17 2009, 11:16 PM
MBAM ran successfully!
Here are the results of the quick scan.
Malwarebytes' Anti-Malware 1.41
Database version: 2976
Windows 5.1.2600 Service Pack 2
10/17/2009 4:11:42 PM
mbam-log-2009-10-17 (16-11-42).txt
Scan type: Quick Scan
Objects scanned: 97857
Time elapsed: 2 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
sUBs
Oct 17 2009, 11:18 PM
ESET Online Scanner- Please go to the following link ESET Online Scanner Link
- Tick the box YES, I accept the Terms Of Use
- Click the Start button
- Now click the Install button
- Click Start
The scanner engine will initialise and update
- Do Not tick the box Remove found threats
- Click the Scan button
The scan will now run, please be patient
- When the scan finishes click the Details tab
- Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.
cholesterol
Oct 18 2009, 12:04 AM
Finally! The scan completed.
Here are the results.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.6208
# api_version=3.0.2
# EOSSerial=98658cf43d23434eba1976a08e858c99
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-17 11:57:40
# local_time=2009-10-17 04:57:40 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=crash
# scanned=72390
# found=6
# cleaned=0
# scan_time=2000
C:\Documents and Settings\Jebsen\Desktop\a2uploader_CID53\a2uploader.exe a variant of Win32/Packed.Themida application 00000000000000000000000000000000 I
C:\Neowiz\Pmang\Launcher\launcher.exe probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Neowiz\Pmang\Launcher\launchern.exe probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir a variant of Win32/Kryptik.ADJ trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\spcfmg.exe Win32/Spy.Agent.NLZ trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\y3gsixor.sve Win32/Spy.Agent.NLZ trojan 00000000000000000000000000000000 I
sUBs
Oct 18 2009, 12:20 AM
QUOTE
C:\Documents and Settings\Jebsen\Desktop\a2uploader_CID53\a2uploader.exe
C:\Neowiz\Pmang\Launcher\launcher.exe
C:\Neowiz\Pmang\Launcher\launchern.exe
Any idea what these files are? They look to be false positives to me
cholesterol
Oct 18 2009, 12:23 AM
a2uploader is something I use to flash the firmware on my phone.
The other two are from a game that I uninstalled awhile ago. I guess not everything was completely removed.
sUBs
Oct 18 2009, 12:25 AM
Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
CODE
@echo off
rem Start with a fresh log; anything that survives deletion is written here
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Delete the two files flagged by the ESET scan (all attributes, forced, quiet)
for %%g in (
C:\WINDOWS\system32\spcfmg.exe
C:\WINDOWS\system32\y3gsixor.sve
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove the quarantine folders left behind by earlier cleanup tools
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show any leftovers in Notepad, otherwise report success in a message box
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else Nircmd infobox "Deleted Successfully !!" ""
rem Uninstall ComboFix, then delete this batch file itself
start combofix /u
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
Double click on fix.bat & allow it to run.
Post back to tell me what it says.
cholesterol
Oct 18 2009, 12:28 AM
First a pop up said "Deleted successfully!"
After that, ComboFix ran, then another message popped up saying "Uninstalled successfully"
sUBs
Oct 18 2009, 12:29 AM
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
- Uninstall ComboFix ... do not skip this step
This process will perform some post cleanup measures.
Do this by going to Start > Run & typing in ComboFix /U
- ANTIVIRUS SOFTWARE
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
- http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
- http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein -
http://www.spywareinfoforum.com/index.php?showtopic=60955
After doing all these, your system will be optimised against future threats.
Have a safe & happy computing day.
Kindly respond to this thread once more so we can mark this thread as resolved.
cholesterol
Oct 18 2009, 12:34 AM
Looks like I've got most of those steps down already, but I'll be sure to go through all of it.
Thank you very much for your help and patience!
I'm extremely grateful and at ease knowing that there are such helpful people out there.