Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

major infection


  • Please log in to reply
6 replies to this topic

#1 216linda

216linda

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:11 PM

Posted 25 September 2009 - 12:18 AM

Hi

- a couple days ago I noticed strange beeping sounds while I was watching downloaded tv shows.

then all my desktop icons disappeared, so I restarted my computer and a few new icons appeared along with my usual ones they were icons to nasty sites

- I deleted the icons, but my computer kept making beeping noises

- icons disappear from the desktop ... restart again and the same nasty icons reappear...

- computer running slow and popup windows are appearing out of nowhere and for no reason

- ran a scan check and it says i have 38 viruses, trogans, password something or other

- then my desktop goes to a bunch of 1's and 0's with words in big red letters that say 'warning' 'danger" and wants me to download virus protection

- I call my brother... he says i am infected...and tries to direct me to eset.com my computer won't let me go there..."webpage won't display"

- brother sends combofix to email...i go to work computer and put combofix on memory stick

- tried to install combofix on my computer, when i click on combofix.exe a popup window saying 'ALERT THE COMBO FIX PACKAGE HAS BEEN COMPRIMISED...DOWNLOAD A NEW ONE" but the new one says the same thing...

help!!!
linda

Edited by 216linda, 25 September 2009 - 08:25 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,207 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:11 AM

Posted 25 September 2009 - 07:57 AM

Hi 216linda!

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Download Win32kDiag.exe and save it to your Desktop.
Double-click Win32kDiag.exe to run it and and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 216linda

216linda
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:11 PM

Posted 25 September 2009 - 06:49 PM

I tried to do what tutorials have said...but half the things on my computer aren't working anymore...

Elise replied to my post, and i did what she said to do...but the win32kdiag. says it can't access systems on my computer... it has been running for over an hour now and still has not finished.... is this normal?

I jsut finished and I posted the report...hope i did it right...

Sorry for posting two topics Rigel...I am so new to this chatting/posting thing

Edited by 216linda, 25 September 2009 - 07:38 PM.


#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:09:11 PM

Posted 25 September 2009 - 07:06 PM

Hi Linda,

I have merged your two topics. Please keep comments in the same topic - it prevents confusion.

Depending on the computer and the type of infection, programs can tsometimes take longer to run. Please give it a little longer. If it still fails to complete, try GMER:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#5 216linda

216linda
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:11 PM

Posted 25 September 2009 - 07:46 PM

Running from: C:\Documents and Settings\Linda\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Linda\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E4.tmp\ZAP2E4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP337.tmp\ZAP337.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP96.tmp\ZAP96.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

[1] 2004-08-04 02:56:50 764416 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 764928 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[2] 2008-04-13 19:12:21 764928 C:\System Volume Information\_restore{A71D2FB8-3D54-4C91-9CF4-A8630453ABC2}\RP567\A0043052.exe (Microsoft Corporation)

[2] 2008-04-13 19:12:21 744448 C:\System Volume Information\_restore{A71D2FB8-3D54-4C91-9CF4-A8630453ABC2}\RP569\A0060719.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\zfrpmsdxrnw1.sys

[1] 2009-09-24 22:58:22 40192 C:\WINDOWS\system32\drivers\zfrpmsdxrnw1.sys ()



Cannot access: C:\WINDOWS\system32\drivers\zpktuaxsjb7.sys

[1] 2009-09-25 06:42:13 40192 C:\WINDOWS\system32\drivers\zpktuaxsjb7.sys ()



Cannot access: C:\WINDOWS\system32\drivers\zvwltuyr5.sys

[1] 2009-09-24 22:58:22 40192 C:\WINDOWS\system32\drivers\zvwltuyr5.sys ()



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\AskBarDis\upgrade\upgrade

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,207 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:11 AM

Posted 26 September 2009 - 01:16 AM

Hi linda, that was the log I wanted to see. Unfortunately you have a new nasty rootkit on your computer. This can be fixed, but not in this forum since there are a few tools needed we are not allowed to use expect in the HJT malware removal forum.

I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

Make sure you post the win32kDiag.txt contents in your new topic (just as you did here). If you encounter any problems while doing so or if you dont understand something, please post back here :thumbsup:

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 216linda

216linda
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:11 PM

Posted 27 September 2009 - 08:40 PM

Hello, while I appreaciate everyone's help...I took my computer to a PC store and am going to get them to fix the problem.
Again, thank you for the help
Linda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users