Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AntiVirus Pro 2010 infection -- MBAM FAILS?!


  • This topic is locked This topic is locked
9 replies to this topic

#1 DnDer

DnDer

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 10 October 2009 - 08:01 PM

That's the long and the short of it.

I install MBAM according to the directions, off my USB key, and after it launches, and I start the scan... The scan lasts about 10 seconds before MBAM disappears.

When I click on the desktop shortcut to MBAM to re-launch, I'm told "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Which is odd, since this account (3 out of the 4, in fact) are administrator accounts on this XP Media Center machine.

What do you recommend?

BC AdBot (Login to Remove)

 


#2 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 11 October 2009 - 08:48 AM

New thought: Should I consider running a copy of Ultimate Boot CD For Windows? Or is this a problem I really want to fix inside the original computer, without loading a tool like that?

#3 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:53 PM

Posted 11 October 2009 - 09:54 PM

You need to run some rootkit tools

:trumpet:

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

============================

:flowers:

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


:thumbsup: Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 11 October 2009 - 11:06 PM

RootReveal failed to complete. The scan runs for less than a minute. I was able to screen cap the following files before it closed:

C:\hyberfil.sys -- Locked to the Windows API!
C:\WINDOWS\System32\eventlog.dll -- Locked to the Windows API

I'll continue with the next two steps.

Edited by DnDer, 11 October 2009 - 11:07 PM.


#5 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 11 October 2009 - 11:22 PM

Win32kDiag

Running from: J:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Len\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP134.tmp\ZAP134.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DA.tmp\ZAP1DA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BC.tmp\ZAP2BC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAE.tmp\ZAPAE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\90A2CC5A3D9ECE9429D33078B4DBC4C2\1.20.0\1.20.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\Drivers

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCQTFILE00000\MCQTFILE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\TempRec\TempSBE\TempSBE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{169F8893-C1C5-4847-972C-EA1E008112AC}\{169F8893-C1C5-4847-972C-EA1E008112AC}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\{435E969D-867E-4364-8E74-3DC8A69C5BDB}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{67AEFC4C-69E4-11D7-85F4-00E018013273}\{67AEFC4C-69E4-11D7-85F4-00E018013273}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{7201B853-5833-11D6-A285-00A0CC51B2FE}\{7201B853-5833-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{7A900EAB-DA37-4554-AF19-9C337476D05D}\{7A900EAB-DA37-4554-AF19-9C337476D05D}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{9154ED7C-926E-49CC-B677-0CF3C5267457}\{9154ED7C-926E-49CC-B677-0CF3C5267457}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\{9E2514D9-DC24-4634-B348-61F3EF0F1628}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{A1185190-514F-11D6-A285-00A0CC51B2FE}\{A1185190-514F-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{AC157741-3285-4D6A-B934-9174587A3493}\{AC157741-3285-4D6A-B934-9174587A3493}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{B3549608-69D3-11D7-AB2D-0090271A23A2}\{B3549608-69D3-11D7-AB2D-0090271A23A2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{FD851F7E-F887-405D-9E1C-488811113EF3}\{FD851F7E-F887-405D-9E1C-488811113EF3}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!



CLI Logfile

Volume in drive C has no label.
Volume Serial Number is 98AD-F836

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 05:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 05:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 130,270,273,536 bytes free

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 PM

Posted 12 October 2009 - 08:05 AM

Your system is infected with a new rootkit variant that has become quite pervasive as evidenced by these entries:
Mount point destination : \Device\__max++>\^
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will require the use of more powerful tools than we recommend in this forum.

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach.

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

Start a new topic and post your DDS log along with the Win32kDiag.txt report in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If DDS will not run, then just post the results of Win32kDiag.txt. Be sure to include a note that you tried to follow the Prep Guide but were unable to get DDS to run.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have [b]0 replies
as this makes it easier for them to identify those who have not been helped. If you post another response there will be [b]1 reply
. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 12 October 2009 - 10:58 AM

DDS failed to run. The DOS window flashed opened and closed, and I have not seen any results, nor have I seen any indication that it's scanning like it should. (I can't open task manager to verify that DDS is a running process.)

Is this something I need to wait for? Or it really didn't function?

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 PM

Posted 12 October 2009 - 11:06 AM

Just post the Win32kDiag.txt with a comment that you were unable to get DDS to run because of the malware infection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 12 October 2009 - 11:55 AM

Done.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 PM

Posted 12 October 2009 - 01:11 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users