
Can't run any Anti-Virus/Malware programs or visit Antivirus sites, please help.


7 replies to this topic

#1 strctlylo
  • Members
  • 6 posts

Posted 19 October 2009 - 10:15 AM

Symantec detected a virus a few days ago on my PC and I thought I was able to delete/quarantine it. However, I've noticed, like many others, that my Google search links get hijacked and redirect me to various websites. If I am trying to access a security website like ESET, McAfee or Norton, my browser won't connect at all. I've browsed through these forums and I've tried running some programs to get started fixing this myself, but these programs start, then get killed and won't complete.
* HijackThis won't complete.
* Malwarebytes starts and then gets killed. After it gets killed, I can no longer access Malwarebytes. Also, I have changed the name of the .exe file to avoid detection, but no luck.
* RootRepeal doesn't give me the options to select which sections to scan. I can, however, scan, and I do have a log for what it was able to scan. (I have changed the disk level to high and also renamed it to tatortot.scr, with no change in behavior.)
* Can't connect to the ESET online scanner.
* ComboFix: when I try to run this I get a message that indicates the ComboFix package might have been compromised and asks that I download a fresh file from your website (which I have done several times). The same message goes on to say that I may be infected with a 'file patching virus - Virut' (I've changed the name to try to avoid detection, but that didn't work); then the file is deleted from my desktop.

When I try to get to my task manager, the top section of the task manager is no longer there so I can't get to a section to kill any specific processes.

I understand that my machine is probably severely infected and I may need to reformat but I'd like to see if I can get this off first before I go that route.

Any and all help you can provide would be greatly appreciated.

I had a similar problem on another pc and was able to follow all of these steps and was able to get rid of malware/virus but not on this pc.

Thanks again.


#2 strctlylo
  • Topic Starter
  • Members
  • 6 posts

Posted 19 October 2009 - 10:24 AM

Follow Up:

After trying Malwarebytes and having it stop on me, when I try to click on the .exe to run it again, I get:
'windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item.'

I am the admin on the pc.

Thanks again.

#3 strctlylo
  • Topic Starter
  • Members
  • 6 posts

Posted 19 October 2009 - 12:56 PM

More info: I reran RootRepeal and had to run it sector by sector. The program was not able to scan the boot sector. It did mention that an MBR rootkit was detected. Here are the logs that I was able to get.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 12:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 12:37
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74E3000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: AES256.SYS
Image Path: AES256.SYS
Address: 0xF78AA000 Size: 18464 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEB0B4000 Size: 138368 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7475000 Size: 95360 File Visible: - Signed: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF049000 Size: 212992 File Visible: - Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF012000 Size: 225280 File Visible: - Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF6F8D000 Size: 1331200 File Visible: - Signed: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF0B2000 Size: 2367488 File Visible: - Signed: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF07D000 Size: 217088 File Visible: - Signed: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF2F4000 Size: 643072 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7CB2000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xEDC19000 Size: 4224 File Visible: - Signed: -
Status: -

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 12:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\SgLogPlayer.exe
PID: 152 Status: -

Path: C:\Program Files\Utimaco\SafeGuard Easy\ecview.exe
PID: 248 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 268 Status: -

Path: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PID: 296 Status: -

Path: C:\WINDOWS\DOWNLO~1\MyWebEx\319\atnthost.exe
PID: 448 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 600 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 656 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 660 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 684 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 728 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 740 Status: -

Path: C:\WINDOWS\DOWNLO~1\MyWebEx\319\raagtapp.exe
PID: 812 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 948 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 960 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 968 Status: -

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 12:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 12:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x86232590, TID: 2532]
Process: svchost.exe (PID: 2356) Address: 0x0040118d Size: -


This was all I could find after trying that program.

#4 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 20 October 2009 - 09:55 PM

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

==============================

Vista users can refer to these instructions to open a command prompt.

Alternatively you can do this:

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to Run a Batch File as an Administrator.
Mark

#5 strctlylo
  • Topic Starter
  • Members
  • 6 posts

Posted 21 October 2009 - 08:26 AM

Thank you for your time. Here is the Win32kDiag.txt:

Running from: C:\Documents and Settings\elara.GSLLC\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\elara.GSLLC\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB952004\KB952004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB955839\KB955839

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB956390\KB956390

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB956802\KB956802

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB958690\KB958690

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB959426\KB959426

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB960225\KB960225

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB960803\KB960803

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB960859\KB960859

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB961371\KB961371

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB961371-v2\KB961371-v2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB961373\KB961373

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB961501\KB961501

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB963027\KB963027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB967715\KB967715

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968537\KB968537

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB969059\KB969059

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB969897\KB969897

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB970238\KB970238

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971032\KB971032

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971557\KB971557

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971633\KB971633

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971657\KB971657

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB972260\KB972260

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB973507\KB973507

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB973815\KB973815

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB974112\KB974112

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB974455\KB974455

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB974571\KB974571

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB975025\KB975025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB975467\KB975467

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7716000000000040\9.0.0\9.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 05:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setupupd\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3361704fe1a0367fcfe17758efab6972\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\38cc9246b0b2808f85d733169eec82d4\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5457b20e4d74937d47b86f91637bd134\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\95b0eb6de61f9c4758f6dd82521ed694\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a855eed5ad28db3548ad40195130e787\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c4ef6b3b8c831d4c05216d73b034eec4\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d194d4b245b41b1828615f889a43f7e0\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dfd20fda6478d599fc1417f0319287a1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fa2ebe7f385da369070f93700f340c57\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fae8bc4d2da2adc1b9109ef4e6cecd1f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system\IVBACKUP\IVBACKUP

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\NLU40.tmp\NLU40.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\RarSFX5\RarSFX5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\VBE\VBE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
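An added triage script, not from the thread, from Win32kDiag or from any other tool named here: it parses Win32kDiag output of the kind posted above (the excerpt embedded in the script is copied from that log) and pulls out the three things a helper reads from such a report: directories whose reparse point targets a device object instead of a folder, files the tool could not open even with administrator rights, and copies of the same system file that lack version information or whose size matches none of the copies that carry it, which is the comparison the DIR /a/s command in post #4 sets up by hand.

```python
"""Triage helper for Win32kDiag-style reports (added example, not part of
the thread or of Win32kDiag). It extracts three indicators from such a log:

  1. reparse points ("mount points") whose destination is a \\Device\\ object
     rather than a directory, i.e. folders redirected away from the file system;
  2. files the tool could not open even though it ran with administrator rights;
  3. copies of the same system file where one copy carries no version
     information, or has a size that matches none of the copies that do.
"""
import re
from collections import defaultdict

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# e.g. "[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()"
#      count, timestamp, size in bytes, path, company name from version info
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

# Excerpt copied from the Win32kDiag output posted in this thread.
SAMPLE = r"""
Running from: C:\Documents and Settings\elara.GSLLC\Desktop\Win32kDiag.exe

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 05:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!
"""


def parse_report(text):
    """Return (mount_points, denied_paths, copies_by_lowercase_filename)."""
    mounts, denied = [], []
    copies = defaultdict(list)
    pending_src = None  # "Found mount point" waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MOUNT_RE.match(line)):
            pending_src = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_src is not None:
            mounts.append((pending_src, m.group(1)))
            pending_src = None
        elif (m := DENIED_RE.match(line)):
            denied.append(m.group(1))
        elif (m := COPY_RE.match(line)):
            stamp, size, path, company = m.groups()
            name = path.rsplit("\\", 1)[-1].lower()  # group HelpSvc.exe with helpsvc.exe
            copies[name].append({"path": path, "size": int(size),
                                 "company": company, "time": stamp})
    return mounts, denied, copies


def triage(text):
    """Reduce a report to the three indicator classes described above."""
    mounts, denied, copies = parse_report(text)
    redirected = defaultdict(list)
    for src, dest in mounts:
        # A legitimate junction points at a folder; a \Device\... target is not one.
        if dest.upper().startswith("\\DEVICE\\"):
            redirected[dest].append(src)
    suspect = []
    for items in copies.values():
        # Sizes of the copies that still carry a company string in their version info.
        versioned_sizes = sorted({c["size"] for c in items if c["company"]})
        for c in items:
            if not c["company"] or (versioned_sizes and c["size"] not in versioned_sizes):
                suspect.append((c["path"], c["size"], versioned_sizes))
    return {"redirected": dict(redirected), "locked": list(denied),
            "suspect_copies": suspect}


def summarize(report):
    """One human-readable line per finding, in the order a helper would read them."""
    lines = [f"{len(srcs)} folder(s) redirected to {dest}"
             for dest, srcs in report["redirected"].items()]
    lines += [f"could not open: {p}" for p in report["locked"]]
    lines += [f"suspect copy: {path} ({size} bytes; versioned copies are {good or 'none'})"
              for path, size, good in report["suspect_copies"]]
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE)):
        print(line)
```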

#6 strctlylo
  • Topic Starter
  • Members
  • 6 posts

Posted 21 October 2009 - 08:29 AM

Here is the log.txt file:

Volume in drive C has no label.
Volume Serial Number is 5C2E-2926

#7 strctlylo
  • Topic Starter
  • Members
  • 6 posts

Posted 21 October 2009 - 08:38 AM

I've tried to go back into the command prompt and I receive the message that Windows cannot access the specified file, device or path, or that I may not have the right permissions to access the file.

#8 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 21 October 2009 - 05:59 PM

You have a rootkit infection.
The log you have is good enough.

Now that you were successful in creating a Win32kDiag log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that this log was all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark