Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Safety Center - System Antivirus Pro - Rootkit


  • This topic is locked This topic is locked
50 replies to this topic

#1 sarcasmic

sarcasmic

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 22 September 2009 - 06:56 PM

Hello All,

I am now posting here at the advice of the "Am I Infected" forum. This is the original thread: http://www.bleepingcomputer.com/forums/t/258634/safety-center-system-antivirus-pro-explorer-not-working/

My computer has been acting up for a bit. The latest incarnation of whatever mess I've gotten myself into is Safety Center. Last week it was System Antivirus Pro. I see a folder that has been created on my C:\ for Windows Police Pro.

Currently my explorer doesn't seem to be working. I cannot click on anything on the desktop. I cannot access "My Computer" or most of my programs. I was able to run Symantec earlier and it quarantined another dozen or so files. Now that I thought I'd cleared those out, "Security Center" pops up when I restart the computer. I still can't click on anything on the desktop. MalwareBytes still won't run, even after reinstalling I get an "Error 707 (3)"

I tried disabling programs on startup through msconfig.

The suspicious programs that I've disabled are:

17590154
A blank one with the command "\Program\"
b.exe
kuhgsysguard.exe
net.net

as well as some others that I believe I know the origin of.

Folders that have appeared in my C:\\ since yesterday...

"Safety Center"
"Movie Joiner"
"Windows Police Pro"
"jgfkdm"
"collin"

The only successful log I've been able to run is from Win32kDiag.


Thank you all so much for your help. Here is the Win32kDiag log:


Beginning of Win32kDiag.txt
=====

Running from: C:\Documents and Settings\Josh\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Josh\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB961371\KB961371

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.6361\11.0.6361

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\update\update.exe

[1] 2004-07-28 19:15:07 654336 C:\WINDOWS\$hf_mig$\KB834707\update\update.exe (Microsoft Corporation)

[1] 2004-07-20 16:02:56 654336 C:\WINDOWS\$hf_mig$\KB840987\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 18:46:38 654848 C:\WINDOWS\$hf_mig$\KB867282\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB873333\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 11:34:54 654848 C:\WINDOWS\$hf_mig$\KB873339\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB885250\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885835\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885836\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 14:34:52 654848 C:\WINDOWS\$hf_mig$\KB886185\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB887472\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 11:34:54 654848 C:\WINDOWS\$hf_mig$\KB887742\update\update.exe (Microsoft Corporation)

[1] 2004-07-20 18:02:54 654336 C:\WINDOWS\$hf_mig$\KB887822\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 11:34:54 654848 C:\WINDOWS\$hf_mig$\KB888113\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB888302\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB890046\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB890047\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB890175\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB890859\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB890923\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB891781\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB893066\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB893086\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB893756\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB894391\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896358\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896422\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896423\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896424\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896428\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 23:35:05 718048 C:\WINDOWS\$hf_mig$\KB896688\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 23:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899587\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899589\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899591\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB900485\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB900725\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901017\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB901190\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901214\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB902400\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB904706\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 23:35:05 718048 C:\WINDOWS\$hf_mig$\KB905414\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB905749\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB905915\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB908519\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB908531\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB910437\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB911280\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB911562\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB911567\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB911927\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB912812\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB912919\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB913446\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB913580\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB914388\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB914389\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB916595\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB917344\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB917422\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB917953\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB918439\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB919007\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB920670\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB920683\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB920685\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB920872\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB922582\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB923414\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB923694\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB923980\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB924191\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB924270\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB924496\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB925902\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB926255\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:16:51 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB928090\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB928255\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB928843\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB929123\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB929338\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB929969\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB930178\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB931784\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB931836\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB932168\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB933729\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB935839\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB936357\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB937894\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB938127\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB938464-v2\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB938828\update\update.exe (Microsoft Corporation)

[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB938829\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB941202\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB941568\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB941644\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB942615\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB942840\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB943460\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB943485\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB944338-v2\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB946627\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 11:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 08:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2004-01-09 18:46:46 568320 C:\WINDOWS\$xpsp1hfm$\KB828741\update\update.exe (Microsoft Corporation)

[1] 2004-01-09 18:46:46 568320 C:\WINDOWS\$xpsp1hfm$\KB835732\update\update.exe (Microsoft Corporation)

[1] 2002-09-21 13:44:06 273408 C:\WINDOWS\$xpsp1hfm$\Q329048\update\update.exe (Microsoft Corporation)

[1] 2002-11-14 11:01:10 409088 C:\WINDOWS\$xpsp1hfm$\Q329170\update\update.exe (Microsoft Corporation)

[1] 2002-09-21 13:44:06 273408 C:\WINDOWS\$xpsp1hfm$\Q329390\update\update.exe (Microsoft Corporation)

[1] 2003-07-14 20:41:08 431104 C:\WINDOWS\$xpsp1hfm$\Q329441\update\update.exe (Microsoft Corporation)

[1] 2002-09-21 13:44:06 273408 C:\WINDOWS\$xpsp1hfm$\Q329834\update\update.exe (Microsoft Corporation)

[1] 2002-11-14 11:01:10 409088 C:\WINDOWS\$xpsp1hfm$\Q810577\update\update.exe (Microsoft Corporation)

[1] 2002-11-14 11:01:10 409088 C:\WINDOWS\$xpsp1hfm$\Q811630\update\update.exe (Microsoft Corporation)

[1] 2003-03-21 16:54:58 411136 C:\WINDOWS\$xpsp1hfm$\Q817606\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\update\update.exe (Microsoft Corporation)

[1] 2006-04-10 12:36:18 710584 C:\WINDOWS\SoftwareDistribution\Download\6c4788c9549d437e76e1773a7639582a\update\update.exe (Microsoft Corporation)

[1] 2007-08-10 20:46:20 755576 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\update\update.exe ()

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\SoftwareDistribution\Download\c9057d3faf4a326a2fefff7bde9fec31\update\update.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c9057d3faf4a326a2fefff7bde9fec31\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2001-08-23 08:00:00 47616 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 03:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\0\Private\Runtime\AllUsersData\SkinEngine\features\photoview2\graphics\graphics

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\0\Private\Vendor\AllUsersData\ThemesV3\Windows\assets\graphics\Includes\Includes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\viewmgr\viewmgr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\vmgr\179955\179955

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\vmgr\4294950730\4294950730

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

BC AdBot (Login to Remove)

 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:09 PM

Posted 22 September 2009 - 07:23 PM

Hi, sarcasmic :(

Welcome.

Please follow these steps:

Step 1

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 sarcasmic

sarcasmic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 22 September 2009 - 08:35 PM

Ok, I'm using my laptop right now. I ran the Win32kDiag command that you gave me, and it saved a file to the desktop like it was supposed to. Then i downloaded ComboFix like you said, renamed it when downloading, and ran it.

Running Combo-Fix.exe cause Safety Center to pop up. It previously had not popped up because I'm in Safe Mode. I also ran the Win32kDiag program in Safe Mode. I'm not sure if that effects the results.

Regardless, it's been over 30 mins since I started running Combo-Fix. It had a pop-up at first that said what combofix.org and combofixdownload.com were not affiliated and to ask for your money back if you'd bought something from those sites. I clicked Yes to proceed, then that's the last message that I've gotten from it.

I didn't want to touch anything while it was running, so I don't know if it's still running or if it crashed immediately after clicking "Yes"

It has also caused Outlook 2003 to start.

Is it ok to touch the computer and post the Win32kDiag log yet? Should i restart in regular mode to run Combofix? I'm not sure if I'll be able to click on anything if I am in regular mode, so if this is what you want me to do, tell me what command to run.

Thanks!!

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:09 PM

Posted 22 September 2009 - 08:57 PM

Ok, I'm using my laptop right now. I ran the Win32kDiag command that you gave me, and it saved a file to the desktop like it was supposed to. Then i downloaded ComboFix like you said, renamed it when downloading, and ran it.

Running Combo-Fix.exe cause Safety Center to pop up. It previously had not popped up because I'm in Safe Mode. I also ran the Win32kDiag program in Safe Mode. I'm not sure if that effects the results.

Regardless, it's been over 30 mins since I started running Combo-Fix. It had a pop-up at first that said what combofix.org and combofixdownload.com were not affiliated and to ask for your money back if you'd bought something from those sites. I clicked Yes to proceed, then that's the last message that I've gotten from it.

I didn't want to touch anything while it was running, so I don't know if it's still running or if it crashed immediately after clicking "Yes"

It has also caused Outlook 2003 to start.

Is it ok to touch the computer and post the Win32kDiag log yet? Should i restart in regular mode to run Combofix? I'm not sure if I'll be able to click on anything if I am in regular mode, so if this is what you want me to do, tell me what command to run.

Thanks!!

Did you transferred Combofix to the sick computer or did a direct download to it?

Post the Win32kDiag.txt in a reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 sarcasmic

sarcasmic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 22 September 2009 - 09:18 PM

I did a direct download. I only got on the laptop when I wasn't sure if I should touch the sick computer. I'm back on the sick one now.

For an added bit of information, there are a few processes running now that were not before I started.

cmd.execf
NirCmd.cfxxe

I also see that Chrome was running in the task manager, though I did not have an instance of it on my task bar. I just ended the process.

Here is the contents of Win32kDiag.txt:

====

Running from: C:\Documents and Settings\Josh\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Josh\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB961371\KB961371

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB961371\KB961371

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.6361\11.0.6361

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.6361\11.0.6361

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c9057d3faf4a326a2fefff7bde9fec31\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\c9057d3faf4a326a2fefff7bde9fec31\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2001-08-23 08:00:00 47616 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 03:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\0\Private\Runtime\AllUsersData\SkinEngine\features\photoview2\graphics\graphics

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\0\Private\Runtime\AllUsersData\SkinEngine\features\photoview2\graphics\graphics

Found mount point : C:\WINDOWS\Temp\0\Private\Vendor\AllUsersData\ThemesV3\Windows\assets\graphics\Includes\Includes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\0\Private\Vendor\AllUsersData\ThemesV3\Windows\assets\graphics\Includes\Includes

Found mount point : C:\WINDOWS\Temp\viewmgr\viewmgr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\viewmgr\viewmgr

Found mount point : C:\WINDOWS\Temp\vmgr\179955\179955

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\vmgr\179955\179955

Found mount point : C:\WINDOWS\Temp\vmgr\4294950730\4294950730

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\vmgr\4294950730\4294950730

Found mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:09 PM

Posted 22 September 2009 - 10:25 PM

Hi, sarcasmic :(

End Task to all these programs and shutdown Combo-fix.


Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 sarcasmic

sarcasmic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 23 September 2009 - 07:13 AM

I downloaded the program you requested and saved it in to my root folder, C:\. When trying to close out all the programs that had opened as a result of running combofix, I noticed that one of the windows open was a warning from Combofix that my Symantec Anti-virus Client Software was running. I did not have a Symantec icon in the tray, so I thought it wasn't running. Also, I did not see anything for Symantec in the Task Manager as an active running process.

I tried closing Outlook that opened, but it kept reopening, so I restarted hoping this would help, however I had not been able to get back into windows. I cannot boot normally into Windows, it just keeps resetting. When booting into safe mode, it will either reset, or if it does get into Safe Mode, I immediately get the warning that "Explorer" had to shut down.

The last time I restarted, I booted into Safe Mode and logged in as Administrator. While Windows was still loading, I once again got the "Explorer needs to shut down" message and also got a message that "Dr Watson Postmortem something" needed to close as well. Once again the desktop is frozen and explorer isn't working.

This thing is nasty...

I was able to log into Safe Mode with Command Prompt. Is there anything I can do from there?

Thanks again for your help.

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:09 PM

Posted 23 September 2009 - 08:13 AM

I was able to log into Safe Mode with Command Prompt. Is there anything I can do from there?

Thanks again for your help.

Yes, at the prompt type the following and press Enter

cd C:\
Dir


Note the name of the file you saved as GMER. Type that name and press Enter. Follow the instructions above to run GMER. Remember, if you are prompted to scan your system click "No", save the log and post back the results.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#9 sarcasmic

sarcasmic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 23 September 2009 - 04:16 PM

Ok, I ran the program using the command prompt. I tried to reconnect to the internet using that computer. I got firefox to run, but it will not connect to anything. Same with internet explorer.

I'll just type the contents of that log here since I can't think of a better way to do it. If you can think of a better way, I'd appreciate it. Is there something else I may need to do to make the internet work in Command Prompt mode? Thanks!


=====
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-23 17:01:43
Windows 5.1.2600 Service Pack 2
Running: t5e5o6qm.exe; Driver; C:\DOCUME~1\Josh\LOCALS~1\Temp\uwdiqpog.sys

---- System - GMER 1.0.15 ----
Code 8233AAD6 ZwEnumerateKey
Code 8230A92E ZwFlushInstructionCache
Code 822651F6 ZwSaveKey
Code 82265526 ZwSaveKeyEx
Code 82369505 IofCallDriver
Code 823CB135 IofCompleteRequest
Code 8236894D ZwSaveKey
Code 823696C5 ZwSaveKeyEx

---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\rotscxtjlhaiiy.sys (*** hidden *** ) [SYSTEM] rotcxnmevxenq
<-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACuxqunfhbqg.sys (*** hidden *** ) [SYSTEM] UACd.sys
<-- ROOTKIT!!!

----EOF - GMER 1.0.15 ----

Edited by sarcasmic, 23 September 2009 - 04:20 PM.


#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:09 PM

Posted 23 September 2009 - 07:42 PM

Hi, sarcasmic :(

Run GMER once again. Locate and delete the following files:

C:\WINDOWS\system32\drivers\rotscxtjlhaiiy.sys
C:\WINDOWS\system32\drivers\UACuxqunfhbqg.sys


Close GMER. Then, if you downloaded Combofix as instructed, run the following command:

%Userprofile%\Desktop\Combo-fix.exe /killall

That should launch Combofix.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#11 sarcasmic

sarcasmic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 23 September 2009 - 08:23 PM

Hello,

GMER was still running, so i went ahead and hit Scan again. While I was typing this response, the window just disappeared. I went back to C:\ and tried to restart the program, and it says "Access is denied"

If, using the command prompt, I get into the "drivers" folder, I type "del rotscxtjlhaiiy.sys" but am told that the file cannot be found. How do I delete it? Do I just right click in GMER and select "Delete Service"?

Thanks

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:09 PM

Posted 23 September 2009 - 09:01 PM

Hello,

GMER was still running, so i went ahead and hit Scan again. While I was typing this response, the window just disappeared. I went back to C:\ and tried to restart the program, and it says "Access is denied"

If, using the command prompt, I get into the "drivers" folder, I type "del rotscxtjlhaiiy.sys" but am told that the file cannot be found. How do I delete it? Do I just right click in GMER and select "Delete Service"?

Thanks

You lost a great opportunity there. No re-scan was necessary. The problem with these rootkits is that will rip the permissions of files ran. See if you can download another copy of GMER.

Would it be possible to run win32kdiag.exe again? Can you boot to the Recovery Console?

Edited by JSntgRvr, 23 September 2009 - 09:02 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#13 sarcasmic

sarcasmic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 23 September 2009 - 09:35 PM

Hello,

GMER was still running, so i went ahead and hit Scan again. While I was typing this response, the window just disappeared. I went back to C:\ and tried to restart the program, and it says "Access is denied"

If, using the command prompt, I get into the "drivers" folder, I type "del rotscxtjlhaiiy.sys" but am told that the file cannot be found. How do I delete it? Do I just right click in GMER and select "Delete Service"?

Thanks

You lost a great opportunity there. No re-scan was necessary. The problem with these rootkits is that will rip the permissions of files ran. See if you can download another copy of GMER.

Would it be possible to run win32kdiag.exe again? Can you boot to the Recovery Console?

Ugh, I thought I needed to rescan. This STINKS!!! Thank you so much for helping me. I hope I haven't ruined everything.

I was able to run win32kdiag.exe again. I don't know how to get the log uploaded though since I can't connect to the internet with the computer. Do you know how to make Internet Explorer work? Is there anything in particular that I should look for in that log if there is no way to upload it? It would take hours to type everything contained in the log.

I've never used the recovery console before. I suppose I'd have to install that from the XP cd? I have my original XP Pro CD from 2001, but a friend gave me a copy of a new Pro CD with SP3.

If I can't connect to the internet, is there any way to download another copy of GMER? Can I download it to this laptop, burn it to a CD, and run it from the command prompt?

Thanks again.

#14 sarcasmic

sarcasmic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 23 September 2009 - 11:39 PM

Ok, I am still in Safe Mode with Command Prompt

I downloaded GMER on the laptop, burned it to a CD, and copied it to my C:\ on the sick computer. I ran it same as before, and deleted the two items that I was supposed to delete.

I then ran "Combo-fix.exe /killall" from my desktop where I saved it. It opened briefly, then Safety Center opened back up. It's been several minutes now and I haven't seen Combo-fix do anything.

Should I try to restart into a GUI version of windows now that those two rootkit programs have been deleted through GMER?

Thanks for your patience. I definitely appreciate all the time you're spending helping me out.

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:09 PM

Posted 24 September 2009 - 12:22 AM

Hi, sarcasmic

While you posted I was about to give you instructions to work throughout the Recovery Console. I will keep those instructions just in case.

We need to reset the permissions altered by the malware.
  • Download this tool and save it in a place you can remember, depending on how we are going to run Combofix, throughtout the Exporer GUI or a command prompt.
  • If we are going to use Explorer GUI, Copy and paste Inherit.exe to the same directory where Combo-fix.exe is located, then drag Combo-fix into the inherit.exe and drop it:
  • when finished click OK and click on Combo-fix.
If we are to use the Command prompt however, copy the Inherit.exe file to your working directory. At that directory then type the following and press Enter:

Inherit.exe %Userprofile%\Desktop\Combo-fix.exe (After it finishes click OK) Then type the following and press Enter:
%Userprofile%\Desktop\Combo-fix.exe /killall

Lets see how it works.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users