
Need Help with Infected Computer--Antivirus Pro


  • This topic is locked
42 replies to this topic

#1 Djones75

  • Members
  • 26 posts

Posted 04 October 2009 - 04:06 PM

I originally posted on "Am I Infected, What Do I Do" and was referred to this forum.

My computer is a Dell Inspiron 1525
OS: Windows XP Professional

I have tried to follow the Prep Guide but was unable to get DDS to run. When I try to run DDS, the black screen just disappears. They then suggested that I download and run RSIT. Again, I was able to download it, but when I attempt to run it, it just closes and nothing happens. Here is a little background on the issues that I am having:

Initially, I believe the computer was infected with malware by Antivirus Pro 2010. I have tried to use Malwarebytes to remove the malware, but after downloading and installing Malwarebytes, the program launches, but when I try to scan, it appears to close the program and will not scan. When I attempt to open Malwarebytes from the Program list, I get the following error message: "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item."

At this point, the anti-virus software has been disabled and I am unable to turn any antivirus software on. Also, at this point, when the computer is rebooted the NT Authority System error pops up and the system shuts down after 1 minute.

I was able to download the Win32kDiag Utility so I am attaching that information. I do not know if you are going to be able to help me without the RSIT file, but any help would be appreciated.

Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8.tmp\ZAP8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\97f18c7ac91916468f96bb79c87bff6c\update\update.exe

[1] 2005-02-24 22:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 12:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 20:22:56 716000 C:\WINDOWS\$hf_mig$\KB938127-v2-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 10:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB956844\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 20:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 20:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371-v2\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB968389\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB971961-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE7\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB972636-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\97f18c7ac91916468f96bb79c87bff6c\update\update.exe ()

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\SoftwareDistribution\Download\aba0667128e9978b51c8d9853b0f4799\update\update.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 07:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 07:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 07:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
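Added here as an example (not code from the thread, from Win32kDiag or from its author): a small triage script that reads a log like the one above and reports the two findings a responder would act on, mount points whose target is not a real \??\Volume{GUID} (every one in this log resolves to \Device\__max++>\^) and a file the tool could not open whose directory entry has no company string and a different size from the copy in dllcache. The sample log is constructed from lines of this post; the benign mount point and its GUID are placeholders.

```python
r"""Triage a Win32kDiag log (added example, not part of the tool or thread):
flag mount points that do not target a real \??\Volume{GUID}, and compare a
file the tool could not open against the protected copy in dllcache."""
import re

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
FILE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+)$")  # [n] date time size path (company)
VOLUME_PREFIX = r"\??\Volume{"  # what a legitimate volume mount point resolves to


def parse_file_line(line):
    """Return (size, path, company) for a '[n] date time size path (company)' line."""
    m = FILE_RE.match(line)
    if not m:
        return None
    # Split on the LAST " (" so a path such as "Program Files (x86)" survives.
    path, _, company = m.group(4).rpartition(" (")
    return int(m.group(3)), path, company.rstrip(")")


def judge(blocked, entries):
    """Reasons to distrust the blocked file, judged against the files listed with it."""
    me = next((e for e in entries if e[1].lower() == blocked.lower()), None)
    if me is None:
        return ["no directory entry listed for the blocked file"]
    size, _, company = me
    reasons = [] if company else ["no company/version information"]
    ref = next((e for e in entries if "\\dllcache\\" in e[1].lower() and e is not me), None)
    if ref is not None and ref[0] != size:
        reasons.append(f"size {size} differs from dllcache copy {ref[0]}")
    return reasons


def analyze(text):
    """Return a dict with mount_points, bogus_mount_points and tampered (path -> reasons)."""
    out = {"mount_points": [], "bogus_mount_points": [], "tampered": {}}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = MOUNT_RE.match(lines[i])
        if m:
            j = i + 1  # the target is on the next non-blank line
            while j < len(lines) and not lines[j]:
                j += 1
            d = DEST_RE.match(lines[j]) if j < len(lines) else None
            target = d.group(1) if d else ""
            out["mount_points"].append((m.group(1), target))
            if not target.startswith(VOLUME_PREFIX):
                out["bogus_mount_points"].append((m.group(1), target))
            i = j + 1
            continue
        m = DENIED_RE.match(lines[i])
        if m:
            entries, j = [], i + 1  # collect the "[n] ..." lines that follow
            while j < len(lines):
                if lines[j]:
                    e = parse_file_line(lines[j])
                    if e is None:
                        break
                    entries.append(e)
                j += 1
            out["tampered"][m.group(1)] = judge(m.group(1), entries)
            i = j
            continue
        i += 1
    return out


# Constructed sample: lines taken from the first post's log, plus one benign
# volume mount point with a placeholder GUID to show what is NOT flagged.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\Mounts\Data
Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}\

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 07:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 07:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 07:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for path, target in result["bogus_mount_points"]:
        print(f"bogus mount point: {path} -> {target}")
    for path, reasons in result["tampered"].items():
        print(f"suspect file: {path}: {'; '.join(reasons) or 'no anomaly'}")
```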


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 October 2009 - 12:53 PM

Hello Djones75,

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)

"%userprofile%\desktop\win32kdiag.exe" -f -r

into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Djones75


Posted 14 October 2009 - 12:47 PM

Running from: C:\Documents and Settings\Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 07:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 07:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 07:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)





Finished!

#4 SifuMike


Posted 14 October 2009 - 01:22 PM

Hi Djones75,

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)

"%userprofile%\desktop\win32kdiag.exe" -f -r


The result is not what I expected.
Did you run the above several times? Or did you run it previously?



Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\system32\logevent.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (next step) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========


:( Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
:(
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#5 Djones75


Posted 14 October 2009 - 02:36 PM

Thank you for your reply, I did run the 1st request twice. Sorry.

I have attempted to run the Avenger per your instructions and got this error message.

Attached File: Error.doc (149.5KB, 9 downloads)



The above attachment is a screen shot of the error message, can you open it?
Error message:
Error:Invalid script.
A valid script must begin with a command directive.
Aborting execution!

#6 SifuMike


Posted 14 October 2009 - 02:46 PM

Djones75,

can you open it?

No. Only post txt files.



The above attachment is a screen shot of the error message, can you open it?
Error message:
Error:Invalid script.
A valid script must begin with a command directive.
Aborting execution


You are not running Avenger the right way. :(

A "valid script must begin with a command directive" means Avenger did not find Files to Move:
on the first line.

It has worked for thousands of people! If you follow the directions, then it will work.

Be sure to put Files to Move: on the first line
and
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll on the second line, just like the directions say.

Edited by SifuMike, 14 October 2009 - 02:48 PM.


#7 Djones75


Posted 14 October 2009 - 05:18 PM

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Oct 14 14:14:03 2009

14:14:03: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Oct 14 14:29:13 2009

14:29:13: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Oct 14 14:30:41 2009

14:30:41: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Oct 14 14:33:59 2009

14:33:59: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\eventlog.dll" not found!
File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


#9 SifuMike


Posted 14 October 2009 - 06:21 PM

Error: file "C:\eventlog.dll" not found!



Well, you finally managed to run the Avenger, but you screwed up the first step. :(

Seems you have a very hard time following directions.

The first step should move the eventlog.dll to "C:\eventlog.dll" and it will make a command prompt that says "1 file(s) copied"
I told you NOT to proceed to the Avenger step if you did not get this message!
Avenger will not work if you have not created the file you are asking Avenger to move.


Press Enter.
When successful, you should get this message within the Command Prompt: "1 file(s) copied"
NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (next step) won't work if the file copy was not successful.




Now we have to begin again. :(

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\system32\logevent.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (next step) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

    Let me know if you get the message within the Command Prompt "1 file(s) copied"

Edited by SifuMike, 14 October 2009 - 06:26 PM.


#10 Djones75


Posted 15 October 2009 - 03:28 AM

I got the message within the Command Prompt "1 file(s) copied" after

Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
copy C:\WINDOWS\system32\logevent.dll C:\ /y


Error: file "C:\eventlog.dll" not found!
File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


It looks like Avenger is looking for eventlog.dll, but you had me copy logevent.dll ????

#11 SifuMike


Posted 15 October 2009 - 10:36 AM

This should work.

  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\logevent.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#12 Djones75


Posted 15 October 2009 - 11:05 AM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#13 SifuMike


Posted 15 October 2009 - 11:26 AM

Hi,

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • First unzip. If it is extracted/unzipped to a folder, open the folder and put junction.exe inside it on the desktop. Make sure the file itself is on the desktop.
  • Run Command Prompt as administrator:
  • Click on Start button.
  • Type Cmd in the Start Search text box.
  • Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator.
Copy and paste the following command (the bold text) into the open command window, and press Enter:

"%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

Wait until a log file opens. Copy and paste or attach the content of it.

Edited by SifuMike, 15 October 2009 - 11:27 AM.


#14 Djones75


Posted 15 October 2009 - 12:37 PM

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...
Failed to open \\?\c:\\Documents and Settings\Owner\Desktop\RSIT.exe: Access is denied.


...
Failed to open \\?\c:\\Program Files\Common Files\Symantec Shared\COH\COH32.exe: Access is denied.




...


Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.bat.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware2\mbam.exe: Access is denied.


...

...
Failed to open \\?\c:\\Program Files\Microsoft Windows OneCare Live\ClientSD: Access is denied.



Failed to open \\?\c:\\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe: Access is denied.




...
Failed to open \\?\c:\\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe: Access is denied.





Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


.\\?\c:\\WINDOWS\$hf_mig$\KB915865\KB915865: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\$hf_mig$\KB969059\KB969059: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB974112\KB974112: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB974571\KB974571: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB975025\KB975025: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB975467\KB975467: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\addins\addins: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790



\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33F.tmp\ZAP33F.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP370.tmp\ZAP370.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8.tmp\ZAP8.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\tmp\tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Config\Config: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Connection Wizard\Connection Wizard: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d1\d1: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d2\d2: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d3\d3: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d4\d4: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d5\d5: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d6\d6: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d7\d7: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d8\d8: MOUNT POINT
Substitute Name: \Device\__max++>\^

..\\?\c:\\WINDOWS\ftpcache\ftpcache: MOUNT POINT
Substitute Name: \Device\__max++>\^

.

...\\?\c:\\WINDOWS\ime\chsime\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\CHTIME\Applets\Applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp98\imejp98: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imjp8_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\ime\imkr6_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\dicts\dicts: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\shared\res\res: MOUNT POINT
Substitute Name: \Device\__max++>\^

...\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\classes\classes: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\trustlib\trustlib: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\msapps\msinfo\msinfo: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\msdownld.tmp\msdownld.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\batch\batch: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Config\News\News: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\Temp\Temp: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\Registration\CRMLog\CRMLog: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\6b4e49f1a78b9558feeb103a07b06a32\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\71668abe67b6d77ebac6750f25908a6e\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\update\update.exe: Access is denied.


.
Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\e15760431e46367ca5a3dfd40a9d03e3\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\EventCache\EventCache: MOUNT POINT
Substitute Name: \Device\__max++>\^

..
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.




...

...

...

.\\?\c:\\WINDOWS\WinSxS\InstallTemp\InstallTemp: MOUNT POINT
Substitute Name: \Device\__max++>\^
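
Reading a junction log of this size by hand is error-prone, so here is an added example (not part of this thread, and not Sysinternals' or the forum's code) that parses the output of the junction -s command requested in the previous post and pulls out the two things that matter in the log above: reparse points whose Substitute Name points into the raw \Device\ namespace rather than to a drive path or mounted volume (every MOUNT POINT above resolves to \Device\__max++>\^, a target no ordinary Windows folder has), and the files junction could not open because access was denied, which are exactly the files the next post repairs. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the \Device\ prefix heuristic and the same-name-child check are this example's own assumptions, not behaviour of junction.exe.

```python
# Triage a Sysinternals junction -s log: flag reparse points that redirect a folder
# into a raw kernel device object and list the files junction could not open.
# Added example for this thread, not Sysinternals' or the forum's code; SAMPLE_LOG is
# a constructed excerpt modelled on the posted log and the prefix heuristic is assumed.
import re
import sys
from dataclasses import dataclass, field

# Constructed excerpt in the shape junction -s writes; the leading dots are the
# tool's progress output, the paths are taken from the entries posted above.
SAMPLE_LOG = r"""Junction v1.05 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
..\\?\c:\\WINDOWS\CSC\d1\d1: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\ftpcache\ftpcache: MOUNT POINT
Substitute Name: \Device\__max++>\^
"""

# Legitimate junctions and mount points resolve to a drive path (C:\..., \??\C:\...) or a
# mounted volume (\??\Volume{...}\); a target inside the raw \Device\ namespace is not
# something Windows creates for an ordinary folder.  (Assumption of this example.)
SUSPICIOUS_PREFIXES = ("\\Device\\",)

ENTRY_RE = re.compile(r"^\.*(\\\\\?\\.+?): (MOUNT POINT|JUNCTION)$")
PRINT_RE = re.compile(r"^Print Name\s*:\s*(.*)$")
SUBST_RE = re.compile(r"^Substitute Name:\s*(.*)$")
FAILED_RE = re.compile(r"^\.*Failed to open (.+?): (.*)$")

@dataclass
class ReparsePoint:
    path: str
    kind: str
    print_name: str = ""
    substitute_name: str = ""

    def is_suspicious(self) -> bool:
        return self.substitute_name.startswith(SUSPICIOUS_PREFIXES)

    def nests_same_name(self) -> bool:
        # Every hijacked folder in the posted log was reached through a child folder
        # carrying its parent's own name (e.g. ...\CSC\d1\d1): a second, weaker signal.
        parts = self.path.rstrip("\\").split("\\")
        return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()

@dataclass
class Report:
    reparse_points: list = field(default_factory=list)
    access_denied: list = field(default_factory=list)   # "Access is denied." failures
    other_failures: list = field(default_factory=list)  # e.g. pagefile.sys in use

    def suspicious(self) -> list:
        return [rp for rp in self.reparse_points if rp.is_suspicious()]

    def targets(self) -> dict:
        # How many reparse points redirect into each suspicious target.
        counts = {}
        for rp in self.suspicious():
            counts[rp.substitute_name] = counts.get(rp.substitute_name, 0) + 1
        return counts

def parse_junction_log(text: str) -> Report:
    # 'Print Name' / 'Substitute Name' lines belong to the most recent entry line.
    report, current = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FAILED_RE.match(line):
            current = None
            denied = m.group(2).startswith("Access is denied")
            (report.access_denied if denied else report.other_failures).append(m.group(1))
        elif m := ENTRY_RE.match(line):
            current = ReparsePoint(path=m.group(1), kind=m.group(2))
            report.reparse_points.append(current)
        elif current is not None and (m := PRINT_RE.match(line)):
            current.print_name = m.group(1).strip()
        elif current is not None and (m := SUBST_RE.match(line)):
            current.substitute_name = m.group(1).strip()
    return report

def summarize(report: Report) -> list:
    # One finding per string: hijacked folders, their targets, and unreadable files.
    lines = []
    for rp in report.suspicious():
        note = " (child named after its parent)" if rp.nests_same_name() else ""
        lines.append(f"SUSPECT {rp.kind}: {rp.path} -> {rp.substitute_name}{note}")
    for target, n in report.targets().items():
        lines.append(f"{n} reparse point(s) redirect into {target}")
    for path in report.access_denied:
        lines.append(f"ACCESS DENIED (review this file's ACL): {path}")
    return lines

if __name__ == "__main__":
    # Usage: python junction_triage.py log.txt  (no argument: run on SAMPLE_LOG)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(summarize(parse_junction_log(text))))
```

Run it against the log.txt that the command in the previous post produces; on the excerpt it reports the two CSC and ftpcache mount points as redirecting into \Device\__max++>\^ and leaves the GAC_32 junction alone, because its target is an ordinary C:\WINDOWS\WinSxS path. The "Access is denied" list is the natural input for the permission-repair step that follows.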

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:00 AM

Posted 15 October 2009 - 01:03 PM

  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

    "%userprofile%\desktop\inherit" "c:\\Documents and Settings\Owner\Desktop\RSIT.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Common Files\Symantec Shared\COH\COH32.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Malwarebytes' Anti-Malware\mbam.bat.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Malwarebytes' Anti-Malware2\mbam.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.

Now run Malwarebytes and post its log.

Edited by SifuMike, 15 October 2009 - 01:04 PM.




