Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible System 32 Issues and multiple Malware


  • Please log in to reply
3 replies to this topic

#1 Torin

Torin

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 16 September 2009 - 02:20 AM

When I load my computer it said

windows/system32/cf12480.exe cannot be executed

i know i have the antivirus pro 10 or whatever on my system, but when i try to run anything it closes it down. including malwarebytes.

when i try to do a hijack log it pops up saying 'windows cannot access the specified device, path, or file. you may not have the appropriate permissions to access the item.'

when i tried to run combofix, it would cycle through the system, and then it says windows will now reboot or something, and then it says access denied.

When I get online, and i search a website on google or something, and click on the result for the search it hijacks me to another page of advertisements.

I know your not supposed to run combofix without someone helping but I figured it wouldnt work, thats why i did it.

Ive also tried the root reveal and it closed down after a few seconds.

Any help please.

Edited by Torin, 16 September 2009 - 02:59 AM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:29 PM

Posted 16 September 2009 - 03:36 AM

Hi Torin, I see you are aware of the risks of running Combofix, but for everyone who reads this.....

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Download and run Win32kDiag:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Torin

Torin
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 16 September 2009 - 03:49 AM

Running from: C:\Documents and Settings\Praha\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Praha\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58F.tmp\ZAP58F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CDIIWall3res\CDIIWall3res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Copy of Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0bb339006c086615e2de004d7883b830\0bb339006c086615e2de004d7883b830

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1abb4643eccf67e5ec8b2a16ba5befb7\1abb4643eccf67e5ec8b2a16ba5befb7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a7a44f3060b9de093f833176e196dff7\a7a44f3060b9de093f833176e196dff7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c47336b4131812a4d1c2451b65456451\c47336b4131812a4d1c2451b65456451

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f4fd4ee77827c38e3468e43ad219025c\f4fd4ee77827c38e3468e43ad219025c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\CF12840.exe

[1] 2009-09-16 02:33:29 388608 C:\WINDOWS\system32\CF12840.exe ()



Cannot access: C:\WINDOWS\system32\CF9849.exe

[1] 2009-09-16 01:55:08 388608 C:\WINDOWS\system32\CF9849.exe ()



Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ATI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{8BC6253D-6556-4E73-99EC-C13132E1CB16}\{8BC6253D-6556-4E73-99EC-C13132E1CB16}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ATI\ATI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Yahoo\YMP\minis\minis

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\ae94c7c5.sys

[1] 2009-09-16 04:01:45 96384 C:\WINDOWS\system32\drivers\ae94c7c5.sys ()



Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\QuickTime\QuickTime

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca246.tmp\mca246.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca247.tmp\mca247.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca48.tmp\mca48.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca49.tmp\mca49.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca4E.tmp\mca4E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca4F.tmp\mca4F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca6F0.tmp\mca6F0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca6F1.tmp\mca6F1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00048\MCE00048

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00049\MCE00049

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD249.tmp\UPD249.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD4B.tmp\UPD4B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD51.tmp\UPD51.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD6F3.tmp\UPD6F3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Trans_walls\Trans_walls

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\twain_32\Creative\PD0620\PD0620

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700

Mount point destination : \Device\__max++>\^



Finished!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:29 PM

Posted 16 September 2009 - 04:07 AM

Hi Torin, unfortunately you are infected with the Max++ rootkit. This can be removed, but some tools have to be used that are not allowed here.

Therefore I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

Most likely you will not be able to post a DDS log. Just post the win32kDiag log instead.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users