
Programs not opening, or giving errors upon opening, no internet access (Vundo?)


  • This topic is locked
5 replies to this topic

#1 Kadomony


Posted 28 August 2009 - 01:54 PM

I woke up, and, as has been the case a few times in the last month or so, my computer had some strange spyware stuff. I quickly googled the fix for it and began to scan with MBAM; however, instead of finishing and letting me clean up the problem, it closed and restarted my computer.

On restart it had disabled Task Manager and registry editing, as well as blocking any programs I was trying to run to fix it (AVG/MBAM). Before fixing that I restarted in Safe Mode and did a scan with AVG. It found several problems and removed them.

On entering standard Windows again, the same problems persisted. I managed to restore access to my registry and Task Manager, but that's it so far.

I've been trying to diagnose and fix my problems for the last 3 hours or so, but every time I've tried a fix, it hasn't worked.

Running MBAM works up until I hit scan. It looks like it's about to start, then closes, and whenever I try to open it again I get the error:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Reinstalling MBAM "fixes" that error, but it just repeats if I try to scan again.

-I read that someone had the same problem, and tried renaming the mbam.exe to winlogon.exe, but this didn't fix my problem.


I cannot be entirely sure, but it seems like I have no access to the internet on that computer (I am using my laptop to post this). AVG will still run, sort of, but it will not update, but clicking scan does nothing.

I tried installing HJT for a log, but it just won't run, no errors or anything.

I tried downloading Vundofix, but it won't run either, again, no errors.

Every time I restart I see svchast.exe and cvs.exe, and once I saw a name that I recognized as spyware called braviax, I think. I use taskmgr to close them, as if I don't I get another error message:

"An error occurred, please report the following error code to the Malwarebytes' Anti-Malware support team.

Error code: 702 (0, 453)"


I also ran win32kdiag.exe and it successfully ran:

I also tried to run peek.bat, but in doing so it briefly flashed on the screen (I am not entirely sure what it said, but it looked like "cannot <something>"), opened an empty log file, and deleted the peek.bat file.


I am assuming I have Vundo based on what I have read of it, but obviously it could be something else; I've never explicitly seen anything on my computer that links to MSJuan or Virtumonde or anything.

I am running XP-SP3 Home.

Thanks for taking the time to read through all of this!


EDIT: I managed to get VundoFix to run by changing it to Vundo-Fix.exe, and upon completion it said I had no problems, so I guess maybe that isn't it after all.

Edited by Kadomony, 28 August 2009 - 05:29 PM.




#2 garmanma


Posted 28 August 2009 - 09:34 PM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop-down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Kadomony


Posted 28 August 2009 - 09:47 PM

I tried this and it didn't work, mostly the same problems as other scanners (stops very shortly after beginning, admin rights won't let me try again).

I have posted this in the HJT log forum now though, if you want to lock this.


So after leaving my computer on for a while, doing nothing in particular, the internet started working again. I tried to re-do some of the steps, but same results as before.

Edited by Kadomony, 29 August 2009 - 12:59 AM.


#4 garmanma


Posted 29 August 2009 - 05:34 PM

Your post over there will keep on being moved because it contains no logs.


We need to check for rootkits with RootRepeal.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Mark

#5 Kadomony


Posted 29 August 2009 - 05:37 PM

I tried running RootRepeal and it starts scanning, but about 10 seconds into the scan it just closes, and won't open again (until I unzip a new copy on the desktop).

#6 Orange Blossom


Posted 29 August 2009 - 11:57 PM

I think the Win32kDiag.txt you posted will be sufficient. I shall merge your two posts in your topic here: http://www.bleepingcomputer.com/forums/t/253280/most-programs-not-opening-or-giving-errors-upon-opening-no-internet-access/

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



