I believe the problem started when I downloaded AVG.
Symptoms:
1. Right-clicking some files OR the desktop crashes explorer.exe.
2. DDS, Malwarebytes, Spybot, AVG, Ad-Aware and HijackThis usually install but crash upon scanning.
3. Once the programs crash and I try to restart, an error window pops up: "....do not have permission..."
4. GMER is a great malware/rootkit program that ALLOWS me to scan: System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries, Registry and Files.
5. SVCSpy is a program that strictly scans services, and it crashes immediately.
6. I removed everything associated (that I could) with AVG and UltraMon, as I believe this is the root of the problem.
7. I did a few online scans that didn't really show much of anything suspicious.
8. win32k.sys:1 and 2 show up as malware with no info.
9. All the same symptoms in Safe Mode.
10. Tried installing the anti-malware programs under a new name from a clean computer and reinstalling through my thumb drive.
I have a Maxtor backup drive, but the restore CD doesn't work for some reason (tried burning the .iso to CD, and still the same).
\file system\fastfat\fat (fltmgr.sys) also shows up.
I believe a service is causing the problem.
Here are the Win32kDiag.txt, the log txt and the GMER scan log.
Hope this helps. Thanks!!!
Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB925720\KB925720
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP142.tmp\ZAP142.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP189.tmp\ZAP189.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B3.tmp\ZAP1B3.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E9.tmp\ZAP20E9.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21CF.tmp\ZAP21CF.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21F4.tmp\ZAP21F4.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\inf\IEM\0409\0409
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ASP.NETClientFiles\ASP.NETClientFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\Microsoft .NET Framework 3.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\MVUNINST\App1\App1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\occache\occache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01cd5ce76aab2e96c5bc0130d8dde39a\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0eaed8d713d78954a90c813a5e2c5934\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a39d7c907193cb74dabeac9b04866368\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790
Mount point destination : \Device\__max++>\^
Finished!
_____________________________________________________________________________________________
Volume in drive C has no label.
Volume Serial Number is 5417-4880
Directory of C:\WINDOWS\$NtServicePackUninstall$
2004-08-04 08:00 AM 180,224 scecli.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
2004-08-04 08:00 AM 407,040 netlogon.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
2004-08-04 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
2008-04-13 08:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
2008-04-13 08:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
2008-04-13 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
Directory of C:\WINDOWS\system32
2008-04-13 08:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\system32
2008-04-13 08:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\system32
2008-04-13 08:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes
Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 126,152,683,520 bytes free
_________________________________________________________________________________________
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-02 11:20:41
Windows 5.1.2600 Service Pack 3
Running: bu5m0ojl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwwcafow.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]
---- Kernel code sections - GMER 1.0.15 ----
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1008] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1008] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1008] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [436] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [972] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1008] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1064] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1256] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1604] 0x35670000
---- EOF - GMER 1.0.15 ----
Edited by ScottyK, 02 October 2009 - 10:37 AM.
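For anyone triaging logs like the ones above, here is an added Python example (not code from the original post, from Win32kDiag or from GMER) that parses the two line formats shown in the logs and pulls out the indicators a responder looks for: directory mount points whose reparse target is not a volume or drive path, files that could not be read and whose size or publisher differs from the service-pack copy, and modules GMER reports as hidden or loaded from a `\\?\globalroot` device path. The sample lines are constructed from the post's format; the `\??\Volume{...}` mount point and the `ntdll.dll` Library line are made-up benign lines added for contrast, and the regexes and the "normal destination" rule are this example's own assumptions, not the tools' logic.

```python
"""Triage helper for Win32kDiag and GMER text logs (added example, not from
the original post, from Win32kDiag or from GMER)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the two tools' line formats. The __max++> lines
# follow the post; the Volume{...} mount point and the ntdll.dll Library line
# are constructed benign lines for contrast (the GUID and address are made up).
SAMPLE_WIN32KDIAG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\Data\Archive
Mount point destination : \??\Volume{0a1b2c3d-1111-2222-3333-444455556666}
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
"""
SAMPLE_GMER = r"""
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [972] 0x35670000
Library C:\WINDOWS\system32\ntdll.dll @ C:\WINDOWS\system32\svchost.exe [972] 0x7C900000
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (publisher)" records printed under "Cannot access"
FILEREC_RE = re.compile(r"^\[\d\] \S+ \S+ (\d+) (.+?) \((.*)\)$")
# Assumption for this example: a volume mount point resolves to \??\Volume{GUID},
# a normal junction to a \??\X:\ path or a HarddiskVolume device; anything else
# (such as a made-up device name) deserves a look.
NORMAL_DEST_RE = re.compile(
    r"^(\\\?\?\\(Volume\{[0-9a-f-]+\}|[a-z]:\\)|\\Device\\HarddiskVolume\d+)", re.I)
GLOBALROOT_RE = re.compile(r"\\\\\?\\globalroot\\\S+")
PID_RE = re.compile(r"\[(\d+)\]")


@dataclass
class Win32kDiagReport:
    mount_points: List[Tuple[str, str]]            # (directory, destination)
    inaccessible: List[str]                        # paths Win32kDiag could not read
    file_records: Dict[str, List[Tuple[int, str, str]]]  # basename -> (size, path, publisher)


@dataclass
class GmerFinding:
    section: str            # leading token: Library, IAT, .text, ...
    pid: Optional[int]
    module: Optional[str]
    reason: str


def parse_win32kdiag(text: str) -> Win32kDiagReport:
    report = Win32kDiagReport([], [], {})
    pending: Optional[str] = None   # directory waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MOUNT_RE.match(line)):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending:
            report.mount_points.append((pending, m.group(1)))
            pending = None
        elif (m := NOACCESS_RE.match(line)):
            report.inaccessible.append(m.group(1))
        elif (m := FILEREC_RE.match(line)):
            size, path, publisher = int(m.group(1)), m.group(2), m.group(3).strip()
            key = path.rsplit("\\", 1)[-1].lower()
            report.file_records.setdefault(key, []).append((size, path, publisher))
    return report


def suspicious_mount_points(report: Win32kDiagReport) -> List[Tuple[str, str]]:
    """Mount points whose destination is not a volume or drive path."""
    return [(d, t) for d, t in report.mount_points if not NORMAL_DEST_RE.match(t)]


def suspicious_files(report: Win32kDiagReport) -> List[Tuple[str, Optional[int], str, List[int], str]]:
    """Unreadable files that are unsigned or whose size differs from every signed copy."""
    out = []
    for path in report.inaccessible:
        key = path.rsplit("\\", 1)[-1].lower()
        records = report.file_records.get(key, [])
        own = [r for r in records if r[1].lower() == path.lower()]
        ref_sizes = sorted({r[0] for r in records if r[1].lower() != path.lower() and r[2]})
        if not own:
            out.append((path, None, "", ref_sizes, "unreadable; no on-disk record"))
            continue
        size, _, publisher = own[0]
        reasons = [] if publisher else ["no publisher"]
        if ref_sizes and size not in ref_sizes:
            reasons.append(f"size {size} differs from signed copies {ref_sizes}")
        if reasons:
            out.append((path, size, publisher, ref_sizes, "; ".join(reasons)))
    return out


def parse_gmer(text: str) -> List[GmerFinding]:
    """Lines reporting a hidden module or a module under \\\\?\\globalroot."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        reasons = ["module hidden from the process module list"] if "*** hidden ***" in line else []
        m = GLOBALROOT_RE.search(line)
        if m:
            reasons.append(r"module loaded from a \\?\globalroot device path")
        if not reasons:
            continue
        pid_m = PID_RE.search(line)
        findings.append(GmerFinding(line.split(None, 1)[0], int(pid_m.group(1)) if pid_m else None,
                                    m.group(0) if m else None, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_WIN32KDIAG)
    for directory, dest in suspicious_mount_points(rep):
        print(f"mount point  {directory} -> {dest}")
    for path, _size, _pub, _refs, why in suspicious_files(rep):
        print(f"system file  {path}: {why}")
    for f in parse_gmer(SAMPLE_GMER):
        print(f"{f.section:8} pid {f.pid}: {f.module} ({f.reason})")
```

Run against the full logs in the post, the mount-point check flags every `\Device\__max++>\^` redirect while leaving real volume mount points alone, the file check singles out the unsigned 61,952-byte `system32\eventlog.dll` against the 56,320-byte signed copy, and the GMER pass lists each process the hidden `A8FA7AA4.x86.dll` was found in by PID, which is the list a responder would cross-check against the running services.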