Infected with Security Tool


This topic is locked. 19 replies to this topic.

#1 Rieman Miller (Members, 9 posts)

Posted 25 October 2009 - 11:03 PM

I seem to have contracted the Security Tool virus. A supposed security protection program has installed itself, without my doing, onto my computer and continuously advises me that I have various infected programs on my computer. One side effect is that I am unable to view my desktop. As per the self-help guide on this site for removing Security Tool, I ran Process Explorer and tried to stop it from running, then attempted to use the Malwarebytes Anti-Malware program, however I was unable to run it and got the following warning window: "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item." Furthermore, I was unable to run DDS. Whenever I click on the icon, the window pops up for just a few seconds, then closes again, and no scan is done. However, I was able to run RootRepeal once before the same thing occurred as with DDS.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/25 22:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1EB9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BE9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7B7F000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE5B9000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7A21000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEDEA7000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\i386\cleanmgr.exe
Status: Allocation size mismatch (API: 61440, Raw: 40960)

Path: c:\i386\eudcedit.exe
Status: Allocation size mismatch (API: 147456, Raw: 126976)

Path: c:\i386\fsquirt.exe
Status: Allocation size mismatch (API: 94208, Raw: 73728)

Path: c:\i386\fsutil.exe
Status: Allocation size mismatch (API: 45056, Raw: 32768)

Path: c:\i386\narrator.exe
Status: Allocation size mismatch (API: 49152, Raw: 36864)

Path: c:\i386\packager.exe
Status: Allocation size mismatch (API: 57344, Raw: 40960)

Path: c:\i386\regtlib.exe
Status: Allocation size mismatch (API: 40960, Raw: 32768)

Path: c:\i386\sol.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\i386\spoolsv.exe
Status: Allocation size mismatch (API: 49152, Raw: 32768)

Path: c:\i386\usersid.exe
Status: Allocation size mismatch (API: 40960, Raw: 28672)

Path: c:\i386\usrprbda.exe
Status: Allocation size mismatch (API: 57344, Raw: 36864)

Path: c:\i386\w32tm.exe
Status: Allocation size mismatch (API: 40960, Raw: 32768)

Path: c:\i386\wab.exe
Status: Allocation size mismatch (API: 32768, Raw: 28672)

Path: c:\i386\wscript.exe
Status: Allocation size mismatch (API: 73728, Raw: 65536)

Path: c:\i386\mshearts.exe
Status: Allocation size mismatch (API: 102400, Raw: 81920)

Path: c:\i386\ipv6.exe
Status: Allocation size mismatch (API: 53248, Raw: 40960)

Path: c:\i386\oemig50.exe
Status: Allocation size mismatch (API: 57344, Raw: 40960)

Path: c:\i386\wbemtest.exe
Status: Allocation size mismatch (API: 81920, Raw: 73728)

Path: c:\i386\wextract.exe
Status: Allocation size mismatch (API: 69632, Raw: 45056)

Path: c:\i386\cmd.exe
Status: Allocation size mismatch (API: 196608, Raw: 176128)

Path: c:\i386\cmdl32.exe
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: c:\i386\cmstp.exe
Status: Allocation size mismatch (API: 61440, Raw: 40960)

Path: c:\i386\conf.exe
Status: Allocation size mismatch (API: 528384, Raw: 520192)

Path: c:\i386\syncapp.exe
Status: Allocation size mismatch (API: 40960, Raw: 32768)

Path: c:\i386\tfswcmd.exe
Status: Allocation size mismatch (API: 188416, Raw: 167936)

Path: c:\i386\tfswctrl.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\i386\dwwin.exe
Status: Allocation size mismatch (API: 139264, Raw: 131072)

Path: c:\i386\dxdiag.exe
Status: Allocation size mismatch (API: 655360, Raw: 643072)

Path: c:\i386\gearsec.exe
Status: Allocation size mismatch (API: 45056, Raw: 32768)

Path: c:\i386\ipconfig.exe
Status: Allocation size mismatch (API: 45056, Raw: 32768)

Path: c:\i386\iexpress.exe
Status: Allocation size mismatch (API: 81920, Raw: 73728)

Path: c:\i386\logman.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\i386\logonui.exe
Status: Allocation size mismatch (API: 266240, Raw: 253952)

Path: c:\i386\msimn.exe
Status: Allocation size mismatch (API: 49152, Raw: 32768)

Path: c:\i386\net1.exe
Status: Allocation size mismatch (API: 106496, Raw: 90112)

Path: c:\i386\oobebaln.exe
Status: Allocation size mismatch (API: 40960, Raw: 32768)

Path: c:\i386\calc.exe
Status: Allocation size mismatch (API: 81920, Raw: 73728)

Path: c:\i386\rdpclip.exe
Status: Allocation size mismatch (API: 61440, Raw: 40960)

Path: c:\i386\powercfg.exe
Status: Allocation size mismatch (API: 40960, Raw: 32768)

Path: c:\i386\pxcpya64.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\i386\pxhpinst.exe
Status: Allocation size mismatch (API: 45056, Raw: 28672)

Path: c:\i386\pxinsa64.exe
Status: Allocation size mismatch (API: 49152, Raw: 36864)

Path: c:\i386\rasphone.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\i386\reg.exe
Status: Allocation size mismatch (API: 36864, Raw: 28672)

Path: c:\i386\rsm.exe
Status: Allocation size mismatch (API: 36864, Raw: 28672)

Path: c:\i386\rsmui.exe
Status: Allocation size mismatch (API: 40960, Raw: 32768)

Path: c:\i386\rstrui.exe
Status: Allocation size mismatch (API: 233472, Raw: 221184)

Path: c:\i386\migpwd.exe
Status: Allocation size mismatch (API: 45056, Raw: 36864)

Path: c:\i386\utilman.exe
Status: Allocation size mismatch (API: 40960, Raw: 32768)

Path: c:\i386\uwdf.exe
Status: Allocation size mismatch (API: 36864, Raw: 32768)

Path: c:\i386\accwiz.exe
Status: Allocation size mismatch (API: 98304, Raw: 86016)

Path: c:\i386\ssflwbox.scr
Status: Allocation size mismatch (API: 258048, Raw: 233472)

Path: c:\i386\srdiag.exe
Status: Allocation size mismatch (API: 36864, Raw: 32768)

Path: c:\i386\ss3dfo.scr
Status: Allocation size mismatch (API: 495616, Raw: 487424)

Path: c:\i386\wmiadap.exe
Status: Allocation size mismatch (API: 151552, Raw: 126976)

Path: c:\i386\wmiapsrv.exe
Status: Allocation size mismatch (API: 102400, Raw: 81920)

Path: c:\i386\wmlaunch.exe
Status: Allocation size mismatch (API: 94208, Raw: 77824)

Path: c:\i386\winmine.exe
Status: Allocation size mismatch (API: 114688, Raw: 102400)

Path: c:\i386\winnt32.exe
Status: Allocation size mismatch (API: 36864, Raw: 32768)

Path: c:\i386\dvdplay.exe
Status: Allocation size mismatch (API: 36864, Raw: 24576)

Path: c:\i386\freecell.exe
Status: Allocation size mismatch (API: 53248, Raw: 40960)

Path: c:\i386\mplay32.exe
Status: Allocation size mismatch (API: 98304, Raw: 81920)

Path: c:\i386\proquota.exe
Status: Allocation size mismatch (API: 45056, Raw: 36864)

Path: c:\i386\sysparse.exe
Status: Allocation size mismatch (API: 172032, Raw: 167936)

Path: c:\i386\ssmypics.scr
Status: Allocation size mismatch (API: 36864, Raw: 32768)

Path: c:\i386\unregmp2.exe
Status: Allocation size mismatch (API: 122880, Raw: 102400)

Path: c:\i386\hdaudpropshortcut.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\i386\agentsvr.exe
Status: Allocation size mismatch (API: 188416, Raw: 172032)

==EOF==

Thank you in advance for all your help

Edited by Rieman Miller, 25 October 2009 - 11:04 PM.



#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 25 October 2009 - 11:49 PM

Hi, Rieman Miller

Welcome.

Since you are unable to see your desktop, I am assuming you are running these programs through the Task Manager? Please save this file to your root directory (C:\ folder). Run C:\win32kdiag.exe -f -r as a new task. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here. (Please allow the application to finish. You will know, as the last sentence in the report will be "Finished".) To see the report you can run "Notepad %Userprofile%\desktop\Win32kDiag.txt" as a new task.

Download OTS.exe by OldTimer to your root directory (C:\ folder).
  • Close any open browsers.
  • Run C:\OTS.exe as a new task to start the program.
  • Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the Notepad file here.

Edited by JSntgRvr, 25 October 2009 - 11:52 PM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Rieman Miller (Topic Starter, Members, 9 posts)

Posted 26 October 2009 - 09:31 AM

JStngRvr

Thanks for your quick reply. I'm actually not running things through my Task Manager. I can't even bring that up. I'm simply able to access the internet and my C:\ folder through the "Start" button.

Whenever I try to run Win32kDiag.exe, a small word bubble pointing to the Security Tool icon on the toolbar pops up and says, "Win32kDiag.exe is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using Win32kDiag.exe to connect to remote host". Following that I get any number of bubbles popping up that say the following: "Security Tool Warning: Security Tool has detected harmful software in your system. We strongly recommended you register...", "...intercepting programs that may compromise your privacy and harm your computer..." and "Spyware.IEMonster activity detected. This spyware attempts to steal passwords from Internet Explorer, Mozilla, Foxfire..." etc. The same thing occurred when I attempted to run OTS. It said that OTS is infected with Lsas.Blaster.Keyloger....



Thanks

Ryan

#4 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 26 October 2009 - 09:37 AM

Please try to run any of these tools in Safe Mode.



#5 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 26 October 2009 - 09:46 AM

Another option.

Set Explorer to view Hidden Files and Folders:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Show all Files and Folders
  • Remove the checkmark from Hide extensions for known file types
  • Remove the checkmark from Hide protected operating System files
  • Select Apply to All Folders | Yes | Apply | OK.
Rename these files as .com instead of .exe and re-try. You can also rename these files as Miller.com, or Rieman.com. Most malware already recognize these tools and block them. Do not rename any file as Windows or any name that may be recognized as a system file or folder.



#6 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 26 October 2009 - 09:50 AM

Here is a third option:

Download and run this file from any of the following locations (if the .exe doesn't run, try the .pif and so forth).

Rkill.exe

Rkill.com

Rkill.scr

Rkill.pif

Edited by JSntgRvr, 26 October 2009 - 09:50 AM.



#7 Rieman Miller (Topic Starter, Members, 9 posts)

Posted 26 October 2009 - 10:20 AM

Okay, strangely enough, my computer seemed to crash after posting this. It went to a black screen and unfortunately, I wasn't able to copy down what it said. All I can recall is it mentioned something about a "non-page" I believe and then I restarted it. However, now I am able to run Win32kDiag and OTS and there seems to be no overt sign of Security Tool trying to scan my computer or anything along those lines. I can also view my desktop.

Win32kDiag ran completely and I was able to get a log. However, OTS scanned for a short while, then suddenly quit, and I am not able to open the program again. I tried the other two options you mentioned and they did not work either. With the second option, when I renamed the programs, I got a window that said "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item." When I attempted the third option, when I clicked on the various Rkill programs, a black window came up and said "The operation completed successfully" four times and then quickly closed. Here is my Win32kDiag log:

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP266.tmp\ZAP266.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP342.tmp\ZAP342.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40.tmp\ZAP40.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP423.tmp\ZAP423.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP445.tmp\ZAP445.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\IEM\0409\0409
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\95b0eb6de61f9c4758f6dd82521ed694\backup\backup
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0af8ccbf848834c4d945c262a211c5fe\0af8ccbf848834c4d945c262a211c5fe
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[2] 2004-08-04 05:00:00 55808 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP971\A0064098.dll (Microsoft Corporation)
[2] 2004-08-04 05:00:00 55808 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP971\A0064103.dll (Microsoft Corporation)
[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\temp\History\Results\Results
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\RtSigs\Data\Data
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WBEM\WBEM
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

Finished!


And you'll have to forgive me, but I'm not sure how to run something in Safe Mode.

Thanks
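The Win32kDiag report above has two kinds of findings worth pulling apart: a long list of folders under C:\WINDOWS that have been turned into reparse points all redirected to the same device object, and one system DLL (system32\eventlog.dll) that the tool could not read and whose size and version company differ from every backup copy it found. The following Python script is an added example, not part of the thread and not Win32kDiag's own code. It parses a constructed excerpt written in the same line format as the posted report, groups the reparse points by target, and compares the unreadable in-place file with the other copies listed for it. The sample lines and the baseline that an ordinary NTFS junction targets a drive path of the form \??\X:\ are assumptions made for this example.

```python
"""Triage helper for a Win32kDiag-style report (added example, not the tool's
own code). It pairs 'Found mount point' / 'Mount point destination' lines,
groups the reparse points by target, and checks an unreadable system file
against the other copies the report lists for it."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt in the shape of the report posted above (assumption:
# only the line formats matter; the real report lists many more entries).
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (company)"; the path may contain spaces.
COPY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")
# Assumed baseline: an ordinary NTFS junction targets a drive path, \??\X:\...
DRIVE_TARGET_RE = re.compile(r"^\\\?\?\\[A-Za-z]:\\")


def parse_report(text):
    """Return the reparse points and the 'Cannot access' entries with their copies."""
    mount_points, inaccessible = [], []
    pending_mount, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_mount, current = m.group(1), None
            continue
        m = DEST_RE.match(line)
        if m and pending_mount is not None:
            mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            current = {"path": m.group(1), "copies": []}
            inaccessible.append(current)
            continue
        m = COPY_RE.match(line)
        if m and current is not None:
            current["copies"].append(
                {"size": int(m.group(1)), "path": m.group(2), "company": m.group(3)})
            continue
        current = None  # any other line (e.g. "Finished!") closes the entry
    return {"mount_points": mount_points, "inaccessible": inaccessible}


def nonstandard_mount_targets(mount_points):
    """Group reparse points by target, keeping targets that are not a drive path.
    Dozens of system folders all redirected to one device object is the pattern
    to examine first."""
    grouped = defaultdict(list)
    for path, dest in mount_points:
        if not DRIVE_TARGET_RE.match(dest):
            grouped[dest].append(path)
    return dict(grouped)


def assess_inaccessible(entry):
    """Compare the unreadable in-place file with the other copies of the same
    file name (update backups, i386 source, restore points)."""
    name = PureWindowsPath(entry["path"]).name.lower()
    same_name = [c for c in entry["copies"]
                 if PureWindowsPath(c["path"]).name.lower() == name]
    in_place = [c for c in same_name if c["path"].lower() == entry["path"].lower()]
    others = [c for c in same_name if c["path"].lower() != entry["path"].lower()]
    if not in_place:
        return {"path": entry["path"], "in_place_found": False}
    ip = in_place[0]
    other_sizes = [c["size"] for c in others]
    return {
        "path": entry["path"],
        "in_place_found": True,
        "in_place_size": ip["size"],
        "in_place_company": ip["company"],
        "other_sizes": other_sizes,
        # A system DLL with no company name in its version info, while every
        # backup copy reads "Microsoft Corporation", deserves a closer look...
        "missing_company": ip["company"] == "",
        # ...as does a size that none of the other copies share.
        "size_unique": ip["size"] not in other_sizes,
    }


if __name__ == "__main__":
    report = parse_report(SAMPLE_LOG)
    for dest, paths in nonstandard_mount_targets(report["mount_points"]).items():
        print(f"{len(paths)} reparse point(s) redirected to {dest}")
        for p in paths:
            print("    " + p)
    for entry in report["inaccessible"]:
        print(assess_inaccessible(entry))
```

Run against the sample, the script reports two reparse points redirected to \Device\__max++>\^ and flags the in-place eventlog.dll as both lacking a company name and having a size (61952) that none of the other copies share, which is the same reasoning behind replacing it with a clean copy in the next post. The size and company-name comparison is only a triage hint; confirming a replacement copy still calls for checking its digital signature and hash against a known-good file.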

#8 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 26 October 2009 - 11:46 AM

Hi, Rieman Miller
  • Download the enclosed folder.
  • Save and Extract its contents to a place you can remember and have access (Right click on the .zip folder and select Extract All)
  • Once extracted, open the folder and click on the fix.bat file and Post the resulting report. The report can be accessed by running:

    start notepad "%temp%\log.txt"
1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\eventlog.dll | C:\Windows\System32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Edited by JSntgRvr, 26 October 2009 - 11:48 AM.



#9 Rieman Miller (Topic Starter, Members, 9 posts)

Posted 26 October 2009 - 01:11 PM

Okay, I attempted to use the fix.bat, but the window opened up and then quickly closed. Then, when I tried to click on it once more, a window appeared stating "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item."
I went ahead and downloaded The Avenger and ran that program. I made it through up to the step where the computer restarts itself. Upon rebooting, after showing the Windows XP window, I was met with a black screen and a warning window, which mentioned something about Userinit Logon Application not working, and after that a window asking if I wanted to send a message to Microsoft telling them of the failure. After that, the screen remained blank. I was able to reboot by pushing the reboot button; however, upon rebooting, it asked me for my password. Having disabled that feature several years ago, I'm not sure what my password is. I tried every password imaginable, but it would not load. So, at this point I am locked out of my computer and I am using my roommate's laptop.

Thanks

Edited by Rieman Miller, 26 October 2009 - 01:13 PM.


#10 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 26 October 2009 - 02:27 PM

Is there an option to boot into the Recovery Console? Is the Windows XP installation CD available?

Boot the computer and, after hearing the first beep, tap F8 to enter the Advanced Options menu. Attempt to boot to the Last Known Good Configuration.

Let me know what happens.



#11 Rieman Miller (Topic Starter, Members, 9 posts)

Posted 26 October 2009 - 03:06 PM

I was able to reboot with the Last Known Good Configuration. The same thing occurred as before my computer locked me out. The screen was black and a window appeared that read "Data Execution Prevention: To help protect your computer, Windows has closed this program, Userinit Logon Application."
Unfortunately, I do not have the Windows XP cd. I did not spring for it when I purchased the laptop a few years back.

Thanks

#12 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 26 October 2009 - 05:21 PM

What is the condition now? Your first statement is that you were able to boot. If so, please click on Win32kDiag.exe, allow it to run unhindered and post its report.



#13 Rieman Miller (Topic Starter, Members, 9 posts)

Posted 26 October 2009 - 06:42 PM

Okay, I rebooted with the Last Known Good Configuration. It brings me to my desktop. An error message keeps popping up and I can't get it to disappear: "Data Execution Prevention. To help protect your computer, Windows has closed this program: Windows Logon UI." Then it brings up "Windows Logon UI encountered a problem, would you like to notify Microsoft?" Fortunately, I am able to simply move this window and work around it. Here is the Win32kDiag log.

Running from: C:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Ryan\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP266.tmp\ZAP266.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP342.tmp\ZAP342.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40.tmp\ZAP40.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP423.tmp\ZAP423.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP445.tmp\ZAP445.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\95b0eb6de61f9c4758f6dd82521ed694\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0af8ccbf848834c4d945c262a211c5fe\0af8ccbf848834c4d945c262a211c5fe

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\cmd.exe

[1] 2008-04-13 19:12:14 409088 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\cmd.exe (Microsoft Corporation)

[1] 2004-08-04 05:00:00 408576 C:\WINDOWS\system32\cmd.exe ()

[1] 2004-08-04 05:00:00 408576 C:\i386\cmd.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

#14 JSntgRvr (Master Surgeon General, Malware Response Team, 11,217 posts, Puerto Rico)

Posted 26 October 2009 - 07:34 PM

There are two system files patched, cmd.exe and eventlog.dll. I think this is the main problem.

Let's try ComboFix:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Miller as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

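The Win32kDiag report in post #13 and the diagnosis in post #14 rest on two observations a responder makes by eye: every "mount point" under C:\WINDOWS is a directory junction whose target is not a disk volume but a device object named `\Device\__max++>\^`, and the two files the scanner could not open carry a blank company name or a size that disagrees with the same-dated reference copy in C:\i386. The Python script below is an added example, not part of this thread and not code from Win32kDiag or BleepingComputer; it parses Win32kDiag-style output and automates both checks. The sample log is constructed here to mirror the format above; the allowlist of benign junction targets (`\Device\HarddiskVolumeN\...` and `\??\X:\...`) and the rule of comparing only against a copy with the same timestamp and file name are assumptions you should tune to the image you are examining.

```python
"""Triage a Win32kDiag-style report: flag junctions that point at a non-volume
device and system files that differ from their same-dated reference copies."""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the real report (paths/timestamps are illustrative).
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\Data\Junction

Mount point destination : \Device\HarddiskVolume1\Data\Real

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\cmd.exe

[1] 2008-04-13 19:12:14 409088 C:\WINDOWS\SoftwareDistribution\Download\abc\cmd.exe (Microsoft Corporation)

[1] 2004-08-04 05:00:00 408576 C:\WINDOWS\system32\cmd.exe ()

[1] 2004-08-04 05:00:00 408576 C:\i386\cmd.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] YYYY-MM-DD HH:MM:SS size path (company)"; company may be empty.
FILE_RE = re.compile(r"^\[\d+\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")
# Assumption: junction targets a clean Windows install would produce.
BENIGN_DEST_RE = re.compile(r"^(\\Device\\HarddiskVolume\d+\\|\\\?\?\\[A-Za-z]:\\)", re.I)


@dataclass
class Finding:
    path: str
    reason: str


@dataclass
class Report:
    junctions: list = field(default_factory=list)
    patched: list = field(default_factory=list)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _check_file_group(target, entries, report):
    """entries: (timestamp, size, path, company) for one 'Cannot access' block."""
    mine = [e for e in entries if e[2].lower() == target.lower()]
    if not mine:
        return
    ts, size, path, company = mine[0]
    reasons = []
    if company == "":
        reasons.append("no company name in version resource")
    # Only a same-named copy with the same timestamp is a fair size reference.
    for rts, rsize, rpath, _ in entries:
        if rpath.lower() != path.lower() and rts == ts and _name(rpath) == _name(path) and rsize != size:
            reasons.append(f"size {size} differs from same-dated copy {rpath} ({rsize})")
            break
    if reasons:
        report.patched.append(Finding(path, "; ".join(reasons)))


def analyze(text):
    report, pending_mount, target, entries = Report(), None, None, []

    def flush():
        nonlocal target, entries
        if target is not None:
            _check_file_group(target, entries, report)
        target, entries = None, []

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FILE_RE.match(line)) and target is not None:
            ts, size, path, company = m.groups()
            entries.append((ts, int(size), path, company))
            continue
        flush()  # any other line ends the current 'Cannot access' block
        if m := CANNOT_RE.match(line):
            target = m.group(1)
        elif m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            dest, reasons = m.group(1), []
            if not BENIGN_DEST_RE.match(dest):
                reasons.append(f"target {dest} is not a filesystem volume")
            parts = pending_mount.rstrip("\\").split("\\")
            if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
                reasons.append("junction named after its parent directory")
            if reasons:
                report.junctions.append(Finding(pending_mount, "; ".join(reasons)))
            pending_mount = None
    flush()
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for f in rep.junctions:
        print("JUNCTION", f.path, "->", f.reason)
    for f in rep.patched:
        print("PATCHED ", f.path, "->", f.reason)
```

Run against the full report above, the junction check fires on every `\Device\__max++>\^` entry and stays quiet on a junction that resolves to a real volume, and the file check reports cmd.exe (blank company) and eventlog.dll (blank company and 61952 bytes against the 55808-byte i386 copy with the same timestamp), which is the evidence behind "two system files patched" in the reply above.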


#15 Rieman Miller (Topic Starter, Members, 9 posts)

Posted 26 October 2009 - 08:01 PM

Well, I tried to run the Miller.exe (ComboFix). A small window with a status bar appeared. After that, a warning window came up: "!Alert! It is not safe to continue. The contents of ComboFix package has been compromised. You may be infected with a file patching virus 'Virut'."

That doesn't sound good.



