Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antispyware Protector 09= Big trouble


  • This topic is locked This topic is locked
30 replies to this topic

#1 Agentinfamous09

Agentinfamous09

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 12 September 2009 - 04:10 AM

Around late August this rogue program installed itself onto my system & since then I'm unable to run Virus scans & i'm being redirected when using google & I also can't sign into MSN beacuse of an invalid IP address.

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11F.tmp\ZAP11F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CE.tmp\ZAP1CE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28.tmp\ZAP28.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B6.tmp\ZAP2B6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EE.tmp\ZAP2EE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65.tmp\ZAP65.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP99.tmp\ZAP99.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB.tmp\ZAPBB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC3.tmp\ZAPC3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe

[1] 2004-10-14 11:34:54 654848 C:\WINDOWS\$hf_mig$\KB873339\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885835\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885836\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 19:34:52 654848 C:\WINDOWS\$hf_mig$\KB886185\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB887472\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB888302\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 20:35:06 718048 C:\WINDOWS\$hf_mig$\KB890859\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB891781\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB893756\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB894391\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896358\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896423\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896424\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896428\update\update.exe (Microsoft Corporation)

[1] 2005-02-25 04:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899587\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899591\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB900485\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB900725\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901017\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901214\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB902400\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB904706\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB904942\update\update.exe (Microsoft Corporation)

[1] 2005-02-25 04:35:05 718048 C:\WINDOWS\$hf_mig$\KB905414\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB905749\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB908519\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB908531\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:28 716000 C:\WINDOWS\$hf_mig$\KB910437\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB911280\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB911562\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB911927\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB912919\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB913580\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB914388\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB914389\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:28 716000 C:\WINDOWS\$hf_mig$\KB915865\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB916595\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB917344\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB917422\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB917953\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB918439\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB919007\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB920670\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB920683\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB920685\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB920872\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB921398\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:28 716000 C:\WINDOWS\$hf_mig$\KB922582\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB922616\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB923414\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 18:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB923694\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB923980\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB924191\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB924270\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB924496\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB925454\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB925720\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB925902\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB926255\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB928255\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB928843\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB929123\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB929338\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB929969\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB930178\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB931768-IE7\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB931784\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB931836\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB933566-IE7\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB935839\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB937143-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:20:44 755576 C:\WINDOWS\$hf_mig$\KB938464\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB938828\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB938829\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941202\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941568\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941644\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941693\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB943055\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB943485\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB944338-v2\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB944533-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB945553\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB946026\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB948590\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB948881\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB950749\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 16:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 18:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB968220-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB968389\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB969897-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 14 September 2009 - 03:44 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am Posted Image and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

I will review your logs and post instructions forthcoming.
Regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Agentinfamous09

Agentinfamous09
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 14 September 2009 - 04:35 PM

Hi & Thank you very much for taking your time to help me. I have follwed the instructions that were provided in your previous post.

Edited by Agentinfamous09, 14 September 2009 - 04:41 PM.


#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 16 September 2009 - 07:10 AM

Hello again,
Few important points. Do not do anything other than what I have instructed from this point forward. Looks can be deceiving! You are not clean until I give you the "All Clear". :(

Let's begin,

Please do this......

Right click and delete your current copy of Win32kDiag.

Download and run Win32kDiag: againNext......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it.A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 Agentinfamous09

Agentinfamous09
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 16 September 2009 - 01:56 PM

Thanks again for your help. I hope it's not to serious of issue. When the rogue program installed onto my system it restarted my system automatically & then all hell broke lose with Anti virus programs not running etc etc & google not working.

LOG 1. WIN32KDIAG

Running from: C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\YHAPYBMC\Win32kDiag[1].exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11F.tmp\ZAP11F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CE.tmp\ZAP1CE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28.tmp\ZAP28.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B6.tmp\ZAP2B6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EE.tmp\ZAP2EE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65.tmp\ZAP65.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP99.tmp\ZAP99.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB.tmp\ZAPBB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC3.tmp\ZAPC3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe

[1] 2004-10-14 11:34:54 654848 C:\WINDOWS\$hf_mig$\KB873339\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885835\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885836\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 19:34:52 654848 C:\WINDOWS\$hf_mig$\KB886185\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB887472\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB888302\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 20:35:06 718048 C:\WINDOWS\$hf_mig$\KB890859\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB891781\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB893756\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB894391\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896358\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896423\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896424\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896428\update\update.exe (Microsoft Corporation)

[1] 2005-02-25 04:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899587\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899591\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB900485\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB900725\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901017\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901214\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB902400\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB904706\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB904942\update\update.exe (Microsoft Corporation)

[1] 2005-02-25 04:35:05 718048 C:\WINDOWS\$hf_mig$\KB905414\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB905749\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB908519\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB908531\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:28 716000 C:\WINDOWS\$hf_mig$\KB910437\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB911280\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB911562\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB911927\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB912919\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB913580\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB914388\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB914389\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:28 716000 C:\WINDOWS\$hf_mig$\KB915865\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB916595\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB917344\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB917422\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB917953\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB918439\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB919007\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB920670\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB920683\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB920685\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB920872\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB921398\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:28 716000 C:\WINDOWS\$hf_mig$\KB922582\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB922616\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB923414\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 18:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB923694\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB923980\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB924191\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB924270\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB924496\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB925454\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB925720\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB925902\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB926255\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:16:51 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB928255\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB928843\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB929123\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB929338\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB929969\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB930178\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB931768-IE7\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB931784\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB931836\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB933566-IE7\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB935839\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB937143-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:20:44 755576 C:\WINDOWS\$hf_mig$\KB938464\update\update.exe (Microsoft Corporation)

[1] 2005-10-13 00:12:29 716000 C:\WINDOWS\$hf_mig$\KB938828\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 20:29:19 716000 C:\WINDOWS\$hf_mig$\KB938829\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941202\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941568\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941644\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB941693\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB943055\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB943485\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB944338-v2\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB944533-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB945553\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB946026\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB948590\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB948881\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB950749\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 16:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 18:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2007-03-06 02:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB968220-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB968389\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB969897-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 08:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)


LOG 2. PEEK.BAT

Volume in drive C has no label.
Volume Serial Number is 34EE-3BCC

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 01:56 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 01:56 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 01:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:11 62,464 eventlog.dll
3 File(s) 650,752 bytes

Total Files Listed:
9 File(s) 1,938,432 bytes
0 Dir(s) 10,269,057,024 bytes free

Edited by Agentinfamous09, 16 September 2009 - 02:55 PM.


#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 16 September 2009 - 07:28 PM

Hi there,
Nasty rootkit.

Step 1

Please save this file to your Desktop. <--- This is exceptionally important that you save this program to your Desktop!!!! If you do not then the fix that follows will fail!!! If you have trouble saving this to your Desktop tell me about it and Do Not Proceed!!

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Step 2

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

:( Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
:(
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 Agentinfamous09

Agentinfamous09
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 17 September 2009 - 07:45 AM

Step 1: Win32KDIAG Log

Running from: C:\Documents and Settings\Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11F.tmp\ZAP11F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11F.tmp\ZAP11F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CE.tmp\ZAP1CE.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CE.tmp\ZAP1CE.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28.tmp\ZAP28.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28.tmp\ZAP28.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B6.tmp\ZAP2B6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B6.tmp\ZAP2B6.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EE.tmp\ZAP2EE.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EE.tmp\ZAP2EE.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65.tmp\ZAP65.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65.tmp\ZAP65.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP99.tmp\ZAP99.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP99.tmp\ZAP99.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB.tmp\ZAPBB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB.tmp\ZAPBB.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC3.tmp\ZAPC3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC3.tmp\ZAPC3.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\ERRORREP

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\DirectX\websetup\websetup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\DirectX\websetup\websetup

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 01:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\Samsung_USB_Drivers\1\1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Samsung_USB_Drivers\1\1

Found mount point : C:\WINDOWS\system32\Samsung_USB_Drivers\2\2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Samsung_USB_Drivers\2\2

Found mount point : C:\WINDOWS\system32\Samsung_USB_Drivers\3\3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Samsung_USB_Drivers\3\3

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\system32\ZoneLabs\avsys\avsys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ZoneLabs\avsys\avsys

Found mount point : C:\WINDOWS\system32\ZoneLabs\lib\pyd\pyd

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ZoneLabs\lib\pyd\pyd

Found mount point : C:\WINDOWS\Temp\slu10bc.tmp\slu10bc.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu10bc.tmp\slu10bc.tmp

Found mount point : C:\WINDOWS\Temp\slu1310.tmp\slu1310.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1310.tmp\slu1310.tmp

Found mount point : C:\WINDOWS\Temp\slu1620.tmp\slu1620.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1620.tmp\slu1620.tmp

Found mount point : C:\WINDOWS\Temp\slu1671.tmp\slu1671.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1671.tmp\slu1671.tmp

Found mount point : C:\WINDOWS\Temp\slu1b19.tmp\slu1b19.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1b19.tmp\slu1b19.tmp

Found mount point : C:\WINDOWS\Temp\slu1b50.tmp\slu1b50.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1b50.tmp\slu1b50.tmp

Found mount point : C:\WINDOWS\Temp\slu1b56.tmp\slu1b56.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1b56.tmp\slu1b56.tmp

Found mount point : C:\WINDOWS\Temp\slu1eec.tmp\slu1eec.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1eec.tmp\slu1eec.tmp

Found mount point : C:\WINDOWS\Temp\slu1f37.tmp\slu1f37.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1f37.tmp\slu1f37.tmp

Found mount point : C:\WINDOWS\Temp\slu2116.tmp\slu2116.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2116.tmp\slu2116.tmp

Found mount point : C:\WINDOWS\Temp\slu224b.tmp\slu224b.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu224b.tmp\slu224b.tmp

Found mount point : C:\WINDOWS\Temp\slu2864.tmp\slu2864.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2864.tmp\slu2864.tmp

Found mount point : C:\WINDOWS\Temp\slu2b10.tmp\slu2b10.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2b10.tmp\slu2b10.tmp

Found mount point : C:\WINDOWS\Temp\slu2c37.tmp\slu2c37.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2c37.tmp\slu2c37.tmp

Found mount point : C:\WINDOWS\Temp\slu2e4a.tmp\slu2e4a.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2e4a.tmp\slu2e4a.tmp

Found mount point : C:\WINDOWS\Temp\slu2e69.tmp\slu2e69.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2e69.tmp\slu2e69.tmp

Found mount point : C:\WINDOWS\Temp\slu2f53.tmp\slu2f53.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2f53.tmp\slu2f53.tmp

Found mount point : C:\WINDOWS\Temp\slu2f5a.tmp\slu2f5a.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2f5a.tmp\slu2f5a.tmp

Found mount point : C:\WINDOWS\Temp\slu3047.tmp\slu3047.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3047.tmp\slu3047.tmp

Found mount point : C:\WINDOWS\Temp\slu31f7.tmp\slu31f7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu31f7.tmp\slu31f7.tmp

Found mount point : C:\WINDOWS\Temp\slu3314.tmp\slu3314.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3314.tmp\slu3314.tmp

Found mount point : C:\WINDOWS\Temp\slu3327.tmp\slu3327.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3327.tmp\slu3327.tmp

Found mount point : C:\WINDOWS\Temp\slu354a.tmp\slu354a.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu354a.tmp\slu354a.tmp

Found mount point : C:\WINDOWS\Temp\slu3675.tmp\slu3675.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3675.tmp\slu3675.tmp

Found mount point : C:\WINDOWS\Temp\slu3f12.tmp\slu3f12.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3f12.tmp\slu3f12.tmp

Found mount point : C:\WINDOWS\Temp\slu42ff.tmp\slu42ff.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu42ff.tmp\slu42ff.tmp

Found mount point : C:\WINDOWS\Temp\slu46f9.tmp\slu46f9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu46f9.tmp\slu46f9.tmp

Found mount point : C:\WINDOWS\Temp\slu49c7.tmp\slu49c7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu49c7.tmp\slu49c7.tmp

Found mount point : C:\WINDOWS\Temp\slu4d08.tmp\slu4d08.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu4d08.tmp\slu4d08.tmp

Found mount point : C:\WINDOWS\Temp\slu5128.tmp\slu5128.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5128.tmp\slu5128.tmp

Found mount point : C:\WINDOWS\Temp\slu52b1.tmp\slu52b1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu52b1.tmp\slu52b1.tmp

Found mount point : C:\WINDOWS\Temp\slu555f.tmp\slu555f.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu555f.tmp\slu555f.tmp

Found mount point : C:\WINDOWS\Temp\slu561d.tmp\slu561d.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu561d.tmp\slu561d.tmp

Found mount point : C:\WINDOWS\Temp\slu562d.tmp\slu562d.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu562d.tmp\slu562d.tmp

Found mount point : C:\WINDOWS\Temp\slu56bd.tmp\slu56bd.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu56bd.tmp\slu56bd.tmp

Found mount point : C:\WINDOWS\Temp\slu599b.tmp\slu599b.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu599b.tmp\slu599b.tmp

Found mount point : C:\WINDOWS\Temp\slu5be6.tmp\slu5be6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5be6.tmp\slu5be6.tmp

Found mount point : C:\WINDOWS\Temp\slu5dd5.tmp\slu5dd5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5dd5.tmp\slu5dd5.tmp

Found mount point : C:\WINDOWS\Temp\slu5eee.tmp\slu5eee.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5eee.tmp\slu5eee.tmp

Found mount point : C:\WINDOWS\Temp\slu5f21.tmp\slu5f21.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5f21.tmp\slu5f21.tmp

Found mount point : C:\WINDOWS\Temp\slu5fbe.tmp\slu5fbe.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5fbe.tmp\slu5fbe.tmp

Found mount point : C:\WINDOWS\Temp\slu5fcd.tmp\slu5fcd.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5fcd.tmp\slu5fcd.tmp

Found mount point : C:\WINDOWS\Temp\slu6192.tmp\slu6192.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu6192.tmp\slu6192.tmp

Found mount point : C:\WINDOWS\Temp\slu6302.tmp\slu6302.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu6302.tmp\slu6302.tmp

Found mount point : C:\WINDOWS\Temp\slu65ba.tmp\slu65ba.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu65ba.tmp\slu65ba.tmp

Found mount point : C:\WINDOWS\Temp\slu65cc.tmp\slu65cc.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu65cc.tmp\slu65cc.tmp

Found mount point : C:\WINDOWS\Temp\slu6abf.tmp\slu6abf.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu6abf.tmp\slu6abf.tmp

Found mount point : C:\WINDOWS\Temp\slu6f56.tmp\slu6f56.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu6f56.tmp\slu6f56.tmp

Found mount point : C:\WINDOWS\Temp\slu7087.tmp\slu7087.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu7087.tmp\slu7087.tmp

Found mount point : C:\WINDOWS\Temp\slu7376.tmp\slu7376.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu7376.tmp\slu7376.tmp

Found mount point : C:\WINDOWS\Temp\slu7823.tmp\slu7823.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu7823.tmp\slu7823.tmp

Found mount point : C:\WINDOWS\Temp\slu7ade.tmp\slu7ade.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu7ade.tmp\slu7ade.tmp

Found mount point : C:\WINDOWS\Temp\slu7fbb.tmp\slu7fbb.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu7fbb.tmp\slu7fbb.tmp

Found mount point : C:\WINDOWS\Temp\sluad4.tmp\sluad4.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\sluad4.tmp\sluad4.tmp

Found mount point : C:\WINDOWS\Temp\sluade.tmp\sluade.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\sluade.tmp\sluade.tmp

Found mount point : C:\WINDOWS\Temp\slub56.tmp\slub56.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slub56.tmp\slub56.tmp

Found mount point : C:\WINDOWS\Temp\slud8d.tmp\slud8d.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slud8d.tmp\slud8d.tmp

Found mount point : C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP1.DIR\_ISTMP1.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP1.DIR\_ISTMP1.DIR

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!


I copied all the instruction that were provided & did receive the message "1 file(s) copied" , Then I got to the Avenger program & copied the text provided & pressed execute but I received this message, "Error: invalid script. A valid script must begin with a command directive aborting execution" & the program wouldn't run.? Does this mean it's now impossible to fix my computer?

Edited by Agentinfamous09, 17 September 2009 - 09:20 AM.


#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 17 September 2009 - 12:22 PM

Hello,
No worries! With Avenger I would like you to copy the script without the word "Code". With that in mind - please follow the steps as I have outlined below and everything should run smooth. Let me know if you run into troubles again. If it still does not work then we have other options. :(

Step 1

Please save this file to your Desktop. <--- This is exceptionally important that you save this program to your Desktop!!!! If you do not then the fix that follows will fail!!! If you have trouble saving this to your Desktop tell me about it and Do Not Proceed!!

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========



Step 2

:( Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
:)
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box (excluding the word "Code"!!!!) to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 Agentinfamous09

Agentinfamous09
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 17 September 2009 - 01:46 PM

Thanks, I ran win32kdiag & the log file was shorter than before. I tried Avenger again excluding "code" & still no luck. What rootkit are we dealing with here? if you don't mind me asking?


Step 1

Running from: C:\Documents and Settings\Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 01:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)





Finished!

Edited by Agentinfamous09, 17 September 2009 - 01:59 PM.


#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 17 September 2009 - 03:56 PM

Hi,
Thanks for trying again.

The rootkit is a new variant that disables all of our security tools as you have seen. It is called the Win32k.sys/Max++ rootkit. We should be able to eradicate it!! It is, in and of itself, not particularly dangerous but I am not sure what else is lurking on your computer. We shall see. I will keep you posted. :(

Please do this....

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt logfile
==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 Agentinfamous09

Agentinfamous09
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 17 September 2009 - 05:54 PM

Hi Again. I follwed your instruction & ran Combo-fix & everything seemed fine but the program got stuck on "rebooting windows, please wait" I waited for over an hour & the computer didn't rebooted so I had to use the taskmanager to restart the computer.


When I got back on the, Catchme.log appeared

File "C:\Combo-Fix\MT_eventlog.dll.tmp" added successfully

Edited by Agentinfamous09, 17 September 2009 - 05:54 PM.


#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 17 September 2009 - 06:04 PM

Hello,
Please go to C:\ComboFix.txt and copy and paste the log for my review.
Thanks,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#13 Agentinfamous09

Agentinfamous09
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 18 September 2009 - 04:16 AM

Hi again. I've ran into problems with Combo fix. :( I downloaded the program & re-named it, as instructed, then ran combo fix,I get to stage 50 & it starts listing the infections on the computer, this is where the problems occurd,instead of the preparing the report stage it goes straight into the "Windows is rebooting........ please wait" where I was waiting for an hour & half last night & two hours this Morning but still the computer won't reboot. I also tried to run Combo fix in safe mode but it either restarts my computer or doesn't open.

I also went to my Computer, C drive, Combo fix but there was no text file there present except a mirror image of the contence of the (C:) drive & now when I open (C:) there is now no Combo fix there except a file lighlty shaded files named, sqmnoopt.spm & there are 18 present. I also found a text file called bug.text & a file called;

32788R22FWJFW

Bug Text


GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SET "Ver_CF=09-09-17.04"

IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
1 file(s) copied.

PEV UZIP License\pv_5_2_2.zip .\

MOVE /Y PV.exe PV.cfxxe

IF NOT EXIST PEV.cfxxe COPY /Y PEV.exe PEV.cfxxe
1 file(s) copied.

SED "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV -rtf -s+901 .\OriPath00 && (
SED -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
)

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;C:\Program Files\QuickTime\QTSystem;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found

PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED "/.* /!d; s///" temp03 1>temp04
SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
)
Active code page: 1252

Edited by Agentinfamous09, 18 September 2009 - 09:07 AM.


#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 18 September 2009 - 10:43 AM

Please do this.....

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

Thanks,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#15 Agentinfamous09

Agentinfamous09
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 18 September 2009 - 12:22 PM

I followed your instructions but no luck, I either get a blank text document or a message informaing me that "junction" is not an internal or external command, operable program or batch file.


Edit- I apologize for my first post I made the mistake of not placing the extracted item into (C:) Drive & windows. Iv'e done that now & everything is perfect, I apologize for my incompetence.



Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


...

...

...

..
Failed to open \\?\c:\\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\ahoD.exe: Access is denied.


.

.
Failed to open \\?\c:\\Documents and Settings\Owner\Desktop\OTS.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Owner\Desktop\RootRepeal.exe: Access is denied.


..

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\AVG\AVG8\avgcsrvx.exe: Access is denied.


...

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\HJT\HijackThis.exe: Access is denied.


.

...

...

...

...

...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.




...

...

\\?\c:\\WINDOWS\$hf_mig$\KB932168\KB932168: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB933729\KB933729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB943460\KB943460: MOUNT POINT
Substitute Name: \Device\__max++>\^

..\\?\c:\\WINDOWS\$hf_mig$\KB956844\KB956844: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8: MOUNT POINT
Substitute Name: \Device\__max++>\^



...

...

.\\?\c:\\WINDOWS\addins\addins: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\IEExecRemote: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11F.tmp\ZAP11F.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CE.tmp\ZAP1CE.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28.tmp\ZAP28.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B6.tmp\ZAP2B6.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EE.tmp\ZAP2EE.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65.tmp\ZAP65.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP99.tmp\ZAP99.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB.tmp\ZAPBB.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC.tmp\ZAPBC.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC3.tmp\ZAPC3.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\assembly\temp\temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\tmp\tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Config\Config: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Connection Wizard\Connection Wizard: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Debug\UserMode\UserMode: MOUNT POINT
Substitute Name: \Device\__max++>\^



...

...\\?\c:\\WINDOWS\ime\chsime\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\CHTIME\Applets\Applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp98\imejp98: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imjp8_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\dicts\dicts: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\shared\res\res: MOUNT POINT
Substitute Name: \Device\__max++>\^



..\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\trustlib\trustlib: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\msapps\msinfo\msinfo: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\mui\mui: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHEALTH\ERRORREP\ERRORREP: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\System\News\News: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Registration\CRMLog\CRMLog: MOUNT POINT
Substitute Name: \Device\__max++>\^



...

\\?\c:\\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\Sun\Java\Deployment\Deployment: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SxsCaPendDel\SxsCaPendDel: MOUNT POINT
Substitute Name: \Device\__max++>\^

..
Failed to open \\?\c:\\WINDOWS\system32\dumprep.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\eventlog.dll: The process cannot access the file because it is being used by another process.





Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.


..\\?\c:\\WINDOWS\system32\1025\1025: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1028\1028: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1031\1031: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1037\1037: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1041\1041: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1042\1042: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1054\1054: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\2052\2052: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\3076\3076: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\3com_dmi\3com_dmi: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Desktop\Desktop: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Favorites\Favorites: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\My Documents: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\NetHood\NetHood: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Recent\Recent: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\dhcp\dhcp: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\system32\DirectX\websetup\websetup: MOUNT POINT
Substitute Name: \Device\__max++>\^

..\\?\c:\\WINDOWS\system32\drivers\disdn\disdn: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\system32\export\export: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\IME\CINTLGNT\CINTLGNT: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\IME\PINTLGNT\PINTLGNT: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\IME\TINTLGNT\TINTLGNT: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\inetsrv\inetsrv: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\mui\dispspec\dispspec: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\oemcust\oemcust: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\oemhw\oemhw: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\oemreg\oemreg: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\sample\sample: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\Samsung_USB_Drivers\1\1: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\Samsung_USB_Drivers\2\2: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\Samsung_USB_Drivers\3\3: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\ShellExt\ShellExt: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\spool\PRINTERS\PRINTERS: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\wbem\mof\bad\bad: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\wbem\snmp\snmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\wins\wins: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\ZoneLabs\avsys\avsys: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\ZoneLabs\lib\pyd\pyd: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\WinSxS\InstallTemp\InstallTemp: MOUNT POINT
Substitute Name: \Device\__max++>\^

Edited by Agentinfamous09, 18 September 2009 - 02:53 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users