Hi

Just want to start off by saying I don't know if this is malware, spyware, a virus, etc., but I need help. I read on this website about a virus just like mine, which I can't find now, but it said to post for help. I have some virus which I think is new, because it's very clever: basically it prevents all antivirus and antispyware programs from running, and when I click on the programs it says you do not have permission, etc., and those that do open close halfway through scanning. I've tried safe mode, in which it still blocks all antiviruses, and it tried to install something else called soft cop, which obviously I wasn't trying to install. Anyway, I need help. The page I saw before on this website, which I can't find now, said basically that it replaces the main Windows files with the virus version, which I believe is why it still works in safe mode. It is really annoying and I don't want to reboot my computer just because of this virus, so could someone help?

Also, I don't know if this will help, but yesterday I got really angry as I can't remove it, so I thought I would try removing it manually without any antivirus. So I went to regedit and looked at all the files (I ain't a computer expert, just a law student with loads of time), but I found this list of all the antivirus on my computer and all the antispyware, and it was in a folder called "disallowed", so I deleted it, restarted my computer, and it was still there. So I went to My Computer, c:/windows/system32, and there are all these weird files called like v5rus, spam, w5orm, etc. Could someone help me? If you need any info just ask. I think I've given enough info anyway, but could someone please help me!

P.S. Please forgive the punctuation, spelling, etc. I've got a lecture now and have to go, so I rushed it.
I was then told to try this:
Welcome to BC
Step 1
We need to check for rootkits with RootRepeal.
1. Download RootRepeal from the following location and save it to your desktop.
* Direct Download (Recommended)
o Primary Mirror
o Secondary Mirror
o Secondary Mirror
o Secondary Mirror
* Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
o Primary Mirror
o Secondary Mirror
o Secondary Mirror
* Rar Mirrors - Only if you know what a RAR is and can extract it.
o Primary Mirror
o Secondary Mirror
o Secondary Mirror
2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
3. Open RootRepeal.exe on your desktop.
4. Click the tab.
5. Click the button.
6. Check all seven boxes.
7. Push Ok
8. Check the box for your main system drive (usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
----------------------------------
Please note: If RootRepeal fails to run, try this step: click Settings - Options and set the Disk Access slider to High.
Also try: right-click on rootrepeal.exe and rename it to tatertot.scr.
=============================
Step 2
Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
* This tool will create a diagnostic report
* Double-click on Win32kDiag.exe to run and let it finish.
* When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
* A file called Win32kDiag.txt should be created on your Desktop.
* Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------
Step 3
Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt (C:\>), copy and paste the following command and press Enter:
CODE
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
--------------------
Mark
And this was my reply:
Hi
For RootRepeal, the first time round I did as you said, and when scanning it closed by itself. Now when I try to open it, it says:
Then I tried to save it as tatertot.scr, and even tatertot, when you click Save As from the download link, and still it won't open; the file is not a magnifying glass.
That is what all my links to the antivirus programs and antispyware look like.
And when I right-click and rename, I get this on all my antivirus programs and antispyware:
And the program Win32kDiag.exe closed halfway through as well, so when I type in
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
no log.txt appears on my desktop, but before entering this code a Notepad copy of Win32kDiag is on my desktop, which I believe is still incomplete. It is as follows:
Running from: C:\Documents and Settings\k\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\k\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB950759-IE7\KB950759-IE7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB953838-IE7\KB953838-IE7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB956390-IE7\KB956390-IE7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB958215-IE7\KB958215-IE7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB960714-IE7\KB960714-IE7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB961260-IE7\KB961260-IE7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$regcmp$\$regcmp$
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23D.tmp\ZAP23D.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Downloaded Program Files\Downloaded Program Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\tours\mmtour\mmtour
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Logs\Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Offline Web Pages\Offline Web Pages
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-03-21 08:35:58 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-03-21 08:35:58 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Also, as I mentioned before, there were some weird files in my C:\WINDOWS\system32, so I took a screenshot, and it's below:
That's everything I can think of. The DDS and RootRepeal don't work, so that's the only log I can make, so could someone please help me? It would be much appreciated.
If you need any info just ask.
Thank you
PS: In case the other thread is required, the link is
http://www.bleepingcomputer.com/forums/ind...p;#entry1468241
in case anyone wants to check it out.
Merged posts. ~ OB
Edited by Orange Blossom, 25 October 2009 - 03:04 PM.
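The Win32kDiag log in the thread is the only artifact the poster managed to collect, and the two things that stand out in it are that every "Found mount point" entry resolves to the same non-volume destination (\Device\__max++>\^) and that the tool could not open eventlog.dll, whose version entry also shows an empty company name. The script below is an added example, not part of the thread and not Win32kDiag's own code: it parses a Win32kDiag-style text log offline and pulls out exactly those three indicators. It assumes a legitimate junction or mount point resolves to a \??\-prefixed volume path, so anything else is flagged; the embedded SAMPLE_LOG is constructed to mirror the thread's log, and its C:\Junction\Example entry is an invented benign control that does not appear in the original.

```python
"""Added example: triage a Win32kDiag-style text log offline.

Flags three things a responder would look at first:
  * reparse/mount points whose destination is not an ordinary volume path
    (assumption: a legitimate junction resolves to something under \\??\\);
  * files the tool reported it could not open;
  * files whose version resource carries no company name.
"""
import re
from dataclasses import dataclass, field

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
DENIED_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
# e.g. "[1] 2008-03-21 08:35:58 61952 C:\WINDOWS\system32\eventlog.dll ()"
FILE_RE = re.compile(
    r"^\[\d+\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)$"
)


@dataclass
class Findings:
    bad_mounts: dict = field(default_factory=dict)   # mount path -> destination
    denied: list = field(default_factory=list)       # paths the tool could not open
    no_company: list = field(default_factory=list)   # (path, size) with empty company


def triage(log_text: str) -> Findings:
    """Walk the log once; a destination line is paired with the preceding mount line."""
    found = Findings()
    pending = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m["path"]
        elif m := DEST_RE.match(line):
            # Assumption: benign reparse points resolve to \??\<volume path>.
            if pending is not None and not m["dest"].startswith("\\??\\"):
                found.bad_mounts[pending] = m["dest"]
            pending = None
        elif m := DENIED_RE.match(line):
            found.denied.append(m["path"])
        elif m := FILE_RE.match(line):
            if not m["company"]:
                found.no_company.append((m["path"], int(m["size"])))
    return found


def distinct_destinations(found: Findings) -> set:
    """Many mount points sharing one odd destination is the pattern worth noticing."""
    return set(found.bad_mounts.values())


# Constructed sample modelled on the log in the thread. The C:\Junction\Example
# entry is an invented benign control and is not in the original log.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\k\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\k\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Logs\Logs
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^

Found mount point : C:\Junction\Example
Mount point destination : \??\C:\Program Files\Example

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-03-21 08:35:58 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-03-21 08:35:58 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""


def report(found: Findings) -> list:
    """Plain-text summary, one finding per line."""
    lines = [f"{len(found.bad_mounts)} mount point(s) with non-volume destination:"]
    lines += [f"  {p} -> {d}" for p, d in found.bad_mounts.items()]
    lines += [f"could not access: {p}" for p in found.denied]
    lines += [f"no company in version info: {p} ({n} bytes)" for p, n in found.no_company]
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a real Win32kDiag.txt by reading the file and passing its text to triage(); the benign control in the sample is dropped because its destination starts with \??\, while the three entries copied from the thread's pattern, the inaccessible eventlog.dll and the empty company field are all reported.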