Oct 29 2009, 08:13 PM | Post #1
Member | Group: Members | Posts: 15 | Joined: 25-August 08 | Member No.: 233,275
"Unable to execute file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"CreateProcess failed; code 2. The system cannot find the specified."

Someone in a chat told me it may be a "nasty rootkit" and to seek help in the forum. Any help would be greatly appreciated.

Thanks, J
Oct 29 2009, 08:16 PM | Post #2
OBleepin Investigator | Group: Moderator | Posts: 20,218 | Joined: 14-July 06 | From: Bloomington, IN | Member No.: 76,150
As no logs have been posted, I am shifting this topic from the specialized HijackThis forum to the Am I Infected forum.

==> PLEASE DO NOT NOW POST LOGS <== unless a log is specifically requested.

--------------------
Orange Blossom
An ounce of prevention is worth a pound of cure
ESET NOD32, SuperAntiSpyware Pro, SpywareBlaster, Spybot 1.6.2.46, WinPatrol Plus, Sunbelt Personal Firewall - Full, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
Oct 31 2009, 08:24 PM | Post #3
Computer Masochist | Group: Moderator | Posts: 27,761 | Joined: 27-January 07 | From: Cleveland, Ohio | Member No.: 108,618
Try running this application before MBAM.

Please download Rkill by Grinler and save it to your desktop.

Any time the computer restarts you will need to run the application again.

=====================================

We need to check for rootkits with RootRepeal.

----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.
Also try: right-click on rootrepeal.exe and rename it to tatertot.scr.

--------------------
Mark
why won't my laptop work?
Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
Nov 2 2009, 03:47 PM | Post #4
Member | Group: Members | Posts: 15 | Joined: 25-August 08 | Member No.: 233,275
The infection will not allow the Rkill or RootRepeal programs to run. This message pops up in a "Security Warning" box:

"Application cannot be executed. The file ... is infected. Do you want to activate your antivirus software now?"

Is there another way to get the programs to run or other programs that may work? Thanks for your help, it is greatly appreciated.

Cheers, Julius
Nov 2 2009, 08:54 PM | Post #5
Computer Masochist | Group: Moderator | Posts: 27,761 | Joined: 27-January 07 | From: Cleveland, Ohio | Member No.: 108,618
Did you try all 4 links of Rkill?

See if one of these will work.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2

Start > Run..., then copy and paste this command into the open box: cmd
Click OK.

At the command prompt C:\>, copy and paste the following command and press Enter:

CODE
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop. Open that file and copy/paste the contents in your next reply.

--------------------
Mark
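The DIR command in the post above lists every copy of scecli.dll, netlogon.dll and eventlog.dll under %windir% with its size and date. My reading of why it is asked for (the thread does not say) is that Windows keeps backup copies of these DLLs (system32\dllcache, ServicePackFiles) and a copy in system32 that has been overwritten by a rootkit will disagree with them. Size and timestamp are weak evidence, since a patched file can be padded to the original length and given the old timestamp, so the Python example below, which is mine and not from the thread or from any BleepingComputer tool, walks a directory tree the same way DIR /a/s does, hashes every copy, and flags any DLL whose copies do not all hash alike. The directory layout it builds is constructed for the demo and the files are not real DLLs.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# The three DLLs Mark's DIR command enumerates (names taken from the thread).
TARGET_DLLS = ("scecli.dll", "netlogon.dll", "eventlog.dll")


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names=TARGET_DLLS):
    """Recursive search like DIR /a/s: {dll name: [(path, size, sha256), ...]}."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, os.path.getsize(p), sha256_of(p)))
    return dict(found)


def inconsistent_copies(copies):
    """Return {dll: {sha256: [paths]}} for DLLs whose copies do not all hash alike.

    Matching size and date do not prove matching content, so copies are grouped
    by hash; a DLL with more than one hash on disk deserves a closer look.
    """
    result = {}
    for name, entries in copies.items():
        by_hash = defaultdict(list)
        for path, _size, digest in entries:
            by_hash[digest].append(path)
        if len(by_hash) > 1:
            result[name] = dict(by_hash)
    return result


def build_demo_tree():
    """Constructed stand-in for %windir% (hypothetical contents, not real DLLs)."""
    root = tempfile.mkdtemp(prefix="windir_demo_")
    pristine = b"MZ" + b"\x00" * 4094
    patched = b"MZ" + b"\x00" * 4090 + b"HOOK"   # same size as pristine, different bytes
    layout = {
        os.path.join("system32", "scecli.dll"): patched,
        os.path.join("system32", "dllcache", "scecli.dll"): pristine,
        os.path.join("ServicePackFiles", "i386", "scecli.dll"): pristine,
        os.path.join("system32", "netlogon.dll"): pristine,
        os.path.join("system32", "dllcache", "netlogon.dll"): pristine,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def report(root):
    """Print the DIR-style listing plus hash groups, and return the flagged DLLs."""
    copies = find_copies(root)
    for name, entries in sorted(copies.items()):
        print(name)
        for path, size, digest in entries:
            print(f"  {size:>8}  {digest[:16]}  {path}")
    bad = inconsistent_copies(copies)
    for name, groups in bad.items():
        print(f"!! {name}: {len(groups)} different versions on disk")
    return bad


if __name__ == "__main__":
    report(build_demo_tree())
```

In the demo the patched system32 copy of scecli.dll is the same size as the two backups and only the hash separates them. One caveat that the thread itself illustrates: on a live rooted machine the filesystem view can be lied to (Win32kDiag later reports "Cannot access" on a system file), so when the answer matters, run this kind of comparison against the disk from an offline boot rather than from inside the infected Windows.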
Nov 4 2009, 12:44 AM | Post #6
Member | Group: Members | Posts: 15 | Joined: 25-August 08 | Member No.: 233,275
I was not able to run any of the 4 Rkill files.

Running from: C:\Documents and Settings\Julius Fulton\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Julius Fulton\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMCommon\BCMCommon
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMRes\BCMRes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BusinessLayer\BusinessLayer
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.DataDictionary\Iris.DataDictionary
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.Mapi.MessageStore\Iris.Mapi.MessageStore
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn\Microsoft.BusinessSolutions.eCRM.OutlookAddIn
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.Office\Microsoft.eCRM.Office
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.stdole\Microsoft.eCRM.stdole
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.msforms\Microsoft.Interop.eCRM.msforms
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.Outlook\Microsoft.Interop.eCRM.Outlook
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.OutlookViewCtl\Microsoft.Interop.eCRM.OutlookViewCtl
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Impl\Microsoft.Interop.Mapi.Impl
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Interfaces\Microsoft.Interop.Mapi.Interfaces
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-10 05:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

Additional Information

The "SecurityTool" program keeps popping up and asking me if I want to "Continue, unprotected" or "Remove" a list of infected files. The logo is a light blue shield with 2 white gears in it. I get the message below when I try to run programs intended to remove it:

"Your PC is still infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using ctfmon.exe to connect to remote host."

The Defender 2010 appears to be removed, but this SecurityTool will stop. I was able to run another program yesterday morning: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html. It identified "hidden" files, but recommended I not clean any of them because I may damage my computer.

Also, if I leave my computer on too long a blue screen with white writing appears saying something about a problem with "SPCMDCOM.sys" has occurred and I need to check any newly installed software.

As you can tell I am having a very rough time and cannot fix this on my own, so thanks for all your efforts.

Cheers, J

PS garmanma - my fiance is from Lakewood, OH and wanted me to tell you "Go Browns!" and thanks for helping, so hopefully I won't keep taking her computer for stuff.
Nov 4 2009, 05:33 PM | Post #7
Computer Masochist | Group: Moderator | Posts: 27,761 | Joined: 27-January 07 | From: Cleveland, Ohio | Member No.: 108,618
QUOTE: my fiance is from Lakewood, OH and wanted me to tell you "Go Browns!"

Obviously she hasn't been watching those turds in a while. Gotta love 'em though.

Mount point destination : \Device\__max++>\^

You definitely have a rootkit.

Now that you were successful in creating a Win32kDiag log you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide: http://www.bleepingcomputer.com/forums/topic34773.html

If it won't run, don't worry, just give a brief description and tell them that this log was all you could get to run successfully.

Post here: http://www.bleepingcomputer.com/forums/forum22.html

The HJT team is extremely busy, so be patient and good luck.

--------------------
Mark
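Mark's verdict in the post above rests on one field of the Win32kDiag log: dozens of unrelated directories under C:\WINDOWS (hotfix folders, the CSC cache, IME folders, the .NET native image cache) all resolve to the same destination, \Device\__max++>\^, which is not a disk volume at all. Reading that by eye across a run-together paste is error prone, so here is a Python example, added by the editor and not part of the thread or of Win32kDiag, that parses Win32kDiag-style output, groups mount points by destination and flags any destination that is not a local volume. The "benign destination" rule (a \??\X:\ path or a \Device\HarddiskVolumeN device) is my heuristic, not something the tool or the thread states; the embedded log excerpt is constructed in the tool's two-line layout from entries in this thread plus one hypothetical benign junction added as a control.

```python
import re
from collections import defaultdict

# Constructed excerpt in the two-line layout Win32kDiag prints. The three
# redirected entries are copied from the log in this thread; the fourth
# (C:\Example\...) is a hypothetical benign junction added as a control.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\User\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\Example\Junction\Junction
Mount point destination : \??\C:\Example\Target
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
"""

# A path and its destination are taken as one pair even when a forum paste has
# run the two lines together or split a path across lines (re.S lets . span
# newlines); destinations contain no whitespace, so \S+ delimits them.
MOUNT_RE = re.compile(
    r"Found mount point\s*:\s*(.+?)\s*Mount point destination\s*:\s*(\S+)", re.S)
CANNOT_RE = re.compile(r"Cannot access:\s*(.+)")

# Heuristic (my assumption, not from the tool): a junction whose target is a
# drive letter or a numbered hard-disk volume is ordinary; anything else
# (here, a device name the OS never creates) is worth a look.
BENIGN_DEST = re.compile(
    r"^(\\\?\?\\[A-Za-z]:\\|\\Device\\HarddiskVolume\d+|\\Device\\Harddisk\d+)", re.I)


def parse_log(text):
    """Return ([(mount_path, destination), ...], [inaccessible_path, ...])."""
    mounts = [(path.strip(), dest) for path, dest in MOUNT_RE.findall(text)]
    blocked = [p.strip() for p in CANNOT_RE.findall(text)]
    return mounts, blocked


def triage(text):
    """Group mount points by destination and single out non-volume targets."""
    mounts, blocked = parse_log(text)
    by_dest = defaultdict(list)
    for path, dest in mounts:
        by_dest[dest].append(path)
    suspicious = {d: paths for d, paths in by_dest.items() if not BENIGN_DEST.match(d)}
    return {"mounts": len(mounts), "by_dest": dict(by_dest),
            "suspicious": suspicious, "blocked": blocked}


def print_report(text):
    r = triage(text)
    print(f"{r['mounts']} mount points found")
    for dest, paths in r["by_dest"].items():
        tag = "SUSPICIOUS" if dest in r["suspicious"] else "ok"
        print(f"  [{tag}] {len(paths):>3} directories -> {dest}")
    for path in r["blocked"]:
        print(f"  cannot access: {path}")
    return r


if __name__ == "__main__":
    print_report(SAMPLE_LOG)
```

Two things the grouping makes visible that a line-by-line read does not: the count of directories sharing one odd destination (in the full log above, every entry points at the same device), and the "Cannot access" line, which in this thread coincides with a system executable and is itself a sign that something is interfering with file access. The parser also accepts the run-together form that forum extraction produced here, so the user's log can be fed in as posted.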
Nov 4 2009, 07:52 PM | Post #8
Member | Group: Members | Posts: 15 | Joined: 25-August 08 | Member No.: 233,275
It's painful for her to watch, but she will never give up on them.

Thanks for all your time and effort. I would just be without a computer if it weren't for this site.

Thanks (a million times), Julius