
Possible Rootkit Infection (max++?)


  • This topic is locked
16 replies to this topic

#1 chaytah

  • Members
  • 9 posts

Posted 28 October 2009 - 11:42 PM

Hi,

I need help with a suspected rootkit infection on 2 computers. Both computers are showing the same behavior.

I have Norton Internet Security 2009 (trial) installed on a fresh copy of WinXP Pro SP3. I downloaded a file off a p2p network that seemed to run fine, but also spawned msa.exe that NAV immediately quarantined. I figured this was the end of it, and I did not see anything weird on the system till much later.

Later I noticed a process called b.exe that I killed, located, and deleted from my temp folder. Suspecting spyware (and assuming NAV would be protecting the computer from any viruses) I downloaded Spybot S&D and HijackThis. Spybot installed without issues and I was able to update it and apply immunizations. However, a few seconds after I kicked off the first system scan it shut down unexpectedly. When I tried to run it again, I got the message 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.' A closer examination reveals that SpybotSD.exe has been marked as a hidden system file. Uninstalling Spybot did not remove the file, and neither did the freeware program 'Dr. Delete'.

I have 2 partitions; the one running XP is formatted NTFS, and the other one is FAT32. I downloaded both the HijackThis installer and the HijackThis standalone executable. I installed (on NTFS) and was able to launch HijackThis. However, it shut down unexpectedly when I tried 'scan and save log'. A subsequent try showed that HijackThis.exe is now suffering the same fate as SpybotSD.exe.

The standalone copy of HijackThis.exe was on my FAT32 partition, and still launches and can still be deleted, though it still shuts down when I try a scan option. I'm assuming this is because of differing (or lacking) file security options available on FAT32.

Googling (Firefox and IE still work fine) the symptoms led me here and to believe that I might have a 'max++' rootkit infection. However I did not install Windows Police Pro and am not getting harassed. NAV still seems to be working fine, but a full system scan is showing my computer as clean.

Following instructions in the preparation guide, I downloaded dds.scr, disabled NAV (to avoid its script killer), and kicked it off. It starts a command prompt window which then closes after a brief message. I noticed that eds.exe gets spawned, but after waiting almost 30 minutes for it, I killed it. It never gave me any txt files after multiple tries.

I then tried the full report option in RootRepeal. RootRepeal gets unexpectedly shut down while scanning the 'Files' section, after only reporting eventlog.dll in the Windows\system32 folder as being locked. I was able to get a RootRepeal report if I didn't scan the 'Files' section. The report is attached.

Finally, browsing through the other posts here, I also tried rkill.pif. It gave me the following output: "INFO: No tasks running with the specified criteria. The operation completed successfully" (this last line posted 5 times), before refreshing my screen, restarting the Windows task bar, and launching Explorer focused on 'My Documents'. It also created two files, pev.exe and ncmd.cfxxe, that I'm assuming are benign.

So far I've tried all these steps on my laptop (my desktop is in similar state), and the report is from there. Please let me know if you want me to do steps differently for each computer affected.

Thanks in advance for your help.



Edited by chaytah, 28 October 2009 - 11:54 PM.




#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,538 posts

Posted 28 October 2009 - 11:46 PM

Hi, chaytah :(

Welcome.

Please save this file to your desktop. Click on Start->Run, copy-paste the following command (the text below) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here. (Please allow the application to finish. You will know, as the last sentence in the report will be "Finished".)

"%userprofile%\desktop\win32kdiag.exe" -f -r

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 chaytah
  • Topic Starter

  • Members
  • 9 posts

Posted 29 October 2009 - 12:24 AM

Thanks for the quick response! I was still editing my original post!


Running from: D:\Software\XP\Anti-Malware Tools\Win32kDiag.exe
Log file at : C:\Documents and Settings\Rehan\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EB.tmp\ZAP2EB.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EB.tmp\ZAP2EB.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40F.tmp\ZAP40F.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40F.tmp\ZAP40F.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4EC.tmp\ZAP4EC.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4EC.tmp\ZAP4EC.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7.tmp\ZAP7.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7.tmp\ZAP7.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAA8.tmp\ZAPAA8.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAA8.tmp\ZAPAA8.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.6425\12.0.6425
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.6425\12.0.6425
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3361704fe1a0367fcfe17758efab6972\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\3361704fe1a0367fcfe17758efab6972\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37ea7d9587e54acc7afa27dc26096f4f\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\37ea7d9587e54acc7afa27dc26096f4f\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d194d4b245b41b1828615f889a43f7e0\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d194d4b245b41b1828615f889a43f7e0\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd6c2e7701be1a2e63281605463e5e51\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd6c2e7701be1a2e63281605463e5e51\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fae8bc4d2da2adc1b9109ef4e6cecd1f\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\fae8bc4d2da2adc1b9109ef4e6cecd1f\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Cannot access: C:\WINDOWS\system32\dumprep.exe
Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Finished!


For good measure, I ran it a second time and it seemed to have cleared up:


Running from: D:\Software\XP\Anti-Malware Tools\Win32kDiag.exe
Log file at : C:\Documents and Settings\Rehan\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)


Finished!


I'm going to try it one more time after I reboot.

Thanks again!

Edited by chaytah, 29 October 2009 - 02:50 AM.
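
A triage pass over Win32kDiag output of the kind posted above, as an added example that is not from the thread, from BleepingComputer or from the tool itself: it pulls out mount points whose target is not a normal \??\Volume{GUID} device (and whose leaf folder repeats its parent's name, as every hit in the log does), and flags a system file whose size or vendor string differs from the protected copy in dllcache, as eventlog.dll does in the log. The sample log, and the benign volume mount point in it, are constructed.

```python
"""Triage a Win32kDiag log: flag reparse points with an odd target and system files
that no longer match their dllcache copy. Added example, not part of the thread or
of Win32kDiag; the sample log below is a constructed excerpt."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted above. The third mount point
# (a normal \??\Volume{GUID}\ target) is made up to show the negative case.
SAMPLE_LOG = r"""Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\data
Mount point destination : \??\Volume{3b1a2c4d-0000-0000-0000-100000000000}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
# "[1] 2008-04-14 05:41:54 56320 C:\...\eventlog.dll (Microsoft Corporation)"
FILE_RE = re.compile(
    r"^\[\d+\] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<company>[^()]*)\)$"
)
# A genuine NTFS volume mount point resolves to a \??\Volume{GUID}\ target.
VOLUME_DEST_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\?$")


def parse_mount_points(log):
    """Return (path, destination) pairs in log order."""
    pairs, pending = [], None
    for line in log.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group("dest")))
            pending = None
    return pairs


def suspicious_mount_points(log):
    """Mount points worth a closer look, each with the reasons it was flagged."""
    findings = []
    for path, dest in parse_mount_points(log):
        reasons = []
        if not VOLUME_DEST_RE.match(dest):
            reasons.append(r"target is not a \??\Volume{GUID} device")
        parts = path.rstrip("\\").split("\\")
        # Every hit in the posted log is a folder whose leaf repeats its parent.
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("leaf folder repeats its parent's name")
        if reasons:
            findings.append({"path": path, "destination": dest, "reasons": reasons})
    return findings


def replaced_system_files(log):
    """Compare each listed file with its dllcache copy; report size or vendor mismatches."""
    by_name = defaultdict(list)
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if m:
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            by_name[name].append(
                {"path": m.group("path"), "size": int(m.group("size")), "company": m.group("company")}
            )
    findings = []
    for copies in by_name.values():
        refs = [c for c in copies if "\\dllcache\\" in c["path"].lower()]
        if not refs:
            continue  # no protected copy to compare against
        ref = refs[0]
        for c in copies:
            if c is ref:
                continue
            reasons = []
            if c["size"] != ref["size"]:
                reasons.append(f"size {c['size']} differs from dllcache copy ({ref['size']})")
            if c["company"] != ref["company"]:
                reasons.append(f"vendor {c['company']!r} differs from dllcache copy ({ref['company']!r})")
            if reasons:
                findings.append({"path": c["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_mount_points(SAMPLE_LOG):
        print("MOUNT", f["path"], "->", f["destination"], "|", "; ".join(f["reasons"]))
    for f in replaced_system_files(SAMPLE_LOG):
        print("FILE ", f["path"], "|", "; ".join(f["reasons"]))
```

Point it at a saved Win32kDiag.txt instead of SAMPLE_LOG to triage a real run; a mount point with a legitimate volume target and a non-repeating leaf produces no finding.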


#4 chaytah
  • Topic Starter

  • Members
  • 9 posts

Posted 29 October 2009 - 02:57 AM

And... it's back after the reboot :(


Running from: D:\Software\XP\Anti-Malware Tools\win32kdiag.exe
Log file at : C:\Documents and Settings\Rehan\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EB.tmp\ZAP2EB.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EB.tmp\ZAP2EB.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40F.tmp\ZAP40F.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40F.tmp\ZAP40F.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4EC.tmp\ZAP4EC.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4EC.tmp\ZAP4EC.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7.tmp\ZAP7.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7.tmp\ZAP7.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAA8.tmp\ZAPAA8.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAA8.tmp\ZAPAA8.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.6425\12.0.6425
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.6425\12.0.6425
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3361704fe1a0367fcfe17758efab6972\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\3361704fe1a0367fcfe17758efab6972\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37ea7d9587e54acc7afa27dc26096f4f\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\37ea7d9587e54acc7afa27dc26096f4f\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d194d4b245b41b1828615f889a43f7e0\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d194d4b245b41b1828615f889a43f7e0\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd6c2e7701be1a2e63281605463e5e51\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd6c2e7701be1a2e63281605463e5e51\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fae8bc4d2da2adc1b9109ef4e6cecd1f\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\fae8bc4d2da2adc1b9109ef4e6cecd1f\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp


Finished!
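
A log-triage script, added here as an example and not a tool from the thread or part of Win32kDiag, that parses the output format above and pulls out what the helper reads by eye: directories whose reparse point has been redirected to a device object rather than to a volume, and the protected DLL whose live copy no longer matches its dllcache copy. The sample lines are copied from the log above; the single benign volume mount point and its GUID are constructed placeholders.

```python
r"""Triage helper for Win32kDiag-style output (added example, not from the thread).

Extracts two indicators the log above shows: directory "mount points"
(reparse points) whose destination is a device object such as
\Device\__max++>\^ rather than a volume, and a system DLL the tool could
not access whose live copy differs in size or vendor from system32\dllcache.
"""
import re
from collections import defaultdict

# A legitimate NTFS volume mount point resolves to a volume GUID path.
LEGIT_DEST_RE = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]+\}\\?$")
MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
FILE_RE = re.compile(
    r"^\[\d+\] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<vendor>[^)]*)\)$"
)

# Constructed sample: lines copied from the log above plus one benign
# volume mount point whose GUID is a placeholder, not a value from the thread.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\MountedDisk
Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""


def parse_log(text):
    """Split the log into redirected directories, inaccessible files and file records."""
    redirects, inaccessible = {}, []
    files = defaultdict(list)  # lower-case base name -> records seen for that name
    pending = None             # directory from the last "Found mount point" line
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m.group("path")
        elif (m := DEST_RE.match(line)) and pending:
            redirects[pending] = m.group("dest")
            pending = None
        elif m := NOACCESS_RE.match(line):
            inaccessible.append(m.group("path"))
        elif m := FILE_RE.match(line):
            path = m.group("path")
            files[path.rsplit("\\", 1)[-1].lower()].append(
                {"path": path, "size": int(m.group("size")), "vendor": m.group("vendor")}
            )
    return redirects, inaccessible, dict(files)


def suspicious_redirects(redirects):
    """Group redirected directories by destination, dropping volume GUID targets."""
    by_dest = defaultdict(list)
    for path, dest in redirects.items():
        if not LEGIT_DEST_RE.match(dest):
            by_dest[dest].append(path)
    return dict(by_dest)


def mismatched_system_files(files):
    """Compare each live copy with the dllcache copy of the same base name."""
    findings = []
    for recs in files.values():
        cached = [r for r in recs if "\\dllcache\\" in r["path"].lower()]
        live = [r for r in recs if "\\dllcache\\" not in r["path"].lower()]
        for c in cached:
            for rec in live:
                reasons = []
                if rec["size"] != c["size"]:
                    reasons.append(f"size {rec['size']} vs dllcache {c['size']}")
                if rec["vendor"] != c["vendor"]:
                    reasons.append(f"vendor {rec['vendor']!r} vs dllcache {c['vendor']!r}")
                if reasons:
                    findings.append((rec["path"], reasons))
    return findings


def triage(text):
    """Run both checks over one log and return the findings."""
    redirects, inaccessible, files = parse_log(text)
    return {
        "redirects": suspicious_redirects(redirects),
        "inaccessible": inaccessible,
        "mismatches": mismatched_system_files(files),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dest, paths in report["redirects"].items():
        print(f"{len(paths)} directories redirected to {dest}")
    for path, reasons in report["mismatches"]:
        print(f"{path}: " + "; ".join(reasons))
```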


#5 JSntgRvr (Malware Response Team)

Posted 29 October 2009 - 08:58 AM

Hi, chaytah :(

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 chaytah (Topic Starter)

Posted 29 October 2009 - 12:03 PM

Hi,

Combo-Fix seems to have run its course. It installed the Windows Recovery Console and got to work. The log is pasted below.

2 concerns:

1) Once the computer was back up after Combo-Fix was done, Norton Internet Security did not come back up. I rebooted, and it started fine. While I was typing this message it detected and quarantined Trojan.Dropper in C:\System Volume Information\_restore{..blah..}\rp29\a0007865.dll. I currently have NAV running a full system scan.

2) Apart from ComboFix.log, 2 additional files and 2 directories were added to C:\: Boot.bak, cmldr, and the directories Combo-Fix, Qoobox.

I'm assuming they will be safe to remove once you let me know everything's clean.


ComboFix 09-10-28.08 - Rehan 10/29/2009 9:30.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1575 [GMT -7:00]
Running from: d:\software\XP\Anti-Malware Tools\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 16:30 . 2008-04-14 07:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 16:30 . 2008-04-14 07:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 11:38 . 2009-10-29 11:38 43752 ----a-w- c:\documents and settings\Riva\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:30 . 2009-10-29 07:30 -------- d-----w- c:\program files\Dr Delete
2009-10-29 05:53 . 2009-10-29 05:57 -------- d-----w- c:\documents and settings\Rehan\Local Settings\Application Data\Adobe
2009-10-29 03:41 . 2009-10-29 07:34 -------- d-----w- c:\program files\Trend Micro
2009-10-28 22:57 . 2009-10-28 23:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 22:57 . 2009-10-28 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-28 02:22 . 2009-10-28 02:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-10-28 02:22 . 2005-11-30 12:00 8704 ----a-w- c:\windows\system32\CNMVS4W.DLL
2009-10-28 02:22 . 2005-11-30 12:00 140288 ----a-w- c:\windows\system32\CNMLM4W.DLL
2009-10-27 22:41 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-10-27 22:41 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-10-27 14:18 . 2009-10-27 16:40 -------- d-----w- c:\documents and settings\Riva\Local Settings\Application Data\Adobe
2009-10-27 11:31 . 2004-03-29 23:23 90112 ----a-w- c:\windows\unvise32.exe
2009-10-27 11:30 . 2009-10-27 11:31 -------- d-----w- c:\program files\ColorVision
2009-10-26 19:59 . 2009-10-26 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-26 07:53 . 2009-10-26 07:55 -------- d-----w- c:\documents and settings\Rehan\Application Data\Media Player Classic
2009-10-26 07:52 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-26 07:52 . 2009-10-26 07:52 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-26 07:52 . 2004-01-11 22:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-26 07:52 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-26 05:38 . 2008-11-04 10:30 30568 ----a-w- c:\windows\system32\mdimon.dll
2009-10-26 05:37 . 2009-10-26 06:22 -------- d-----w- c:\program files\Microsoft Works
2009-10-26 05:36 . 2009-10-26 05:36 -------- d-----w- c:\program files\Microsoft.NET
2009-10-26 05:33 . 2009-10-26 05:50 -------- d-----w- c:\windows\SHELLNEW
2009-10-26 05:33 . 2009-10-26 05:33 -------- d-----w- c:\documents and settings\Rehan\Local Settings\Application Data\Microsoft Help
2009-10-26 05:33 . 2009-10-26 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-26 05:27 . 2001-08-17 20:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-26 05:27 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-26 05:27 . 2008-04-14 07:16 25600 -c--a-w- c:\windows\system32\dllcache\hidbth.sys
2009-10-26 05:27 . 2008-04-14 07:16 25600 ----a-w- c:\windows\system32\drivers\hidbth.sys
2009-10-26 05:27 . 2008-04-14 07:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-10-26 05:27 . 2008-04-14 07:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-10-26 04:59 . 2009-10-26 05:34 -------- d-----w- c:\windows\Internet Logs
2009-10-26 04:48 . 2009-10-26 04:48 -------- d-----w- c:\documents and settings\Riva\Local Settings\Application Data\Mozilla
2009-10-26 04:40 . 2004-01-23 22:28 113596 ----a-w- c:\windows\system32\dneinobj.dll
2009-10-26 04:40 . 2003-07-25 01:55 139604 ----a-w- c:\windows\system32\drivers\dne2000.sys
2009-10-26 04:40 . 2005-04-07 23:23 299083 ----a-w- c:\windows\system32\drivers\CVPNDRVA.sys
2009-10-26 04:40 . 2005-04-07 23:19 163840 ----a-w- c:\windows\system32\vpnapi.dll
2009-10-26 04:40 . 2005-02-08 17:27 5185 ----a-w- c:\windows\system32\drivers\CVirtA.sys
2009-10-26 04:40 . 2009-10-26 04:40 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-10-26 04:40 . 2009-10-26 04:40 -------- d-----w- c:\program files\Cisco Systems
2009-10-26 04:40 . 2005-04-07 23:26 176152 ----a-w- c:\windows\system32\CSGina.dll
2009-10-26 04:35 . 2009-10-26 04:35 0 ----a-w- c:\windows\nsreg.dat
2009-10-26 04:35 . 2009-10-26 04:35 -------- d-----w- c:\documents and settings\Rehan\Local Settings\Application Data\Mozilla
2009-10-26 04:34 . 2009-10-26 04:34 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-26 03:14 . 2009-10-29 16:20 0 ----a-r- c:\windows\win32k.sys
2009-10-26 03:13 . 2009-10-26 03:12 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-10-26 03:13 . 2009-10-26 03:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-26 03:13 . 2009-10-26 03:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-26 03:13 . 2009-10-26 03:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-26 03:13 . 2009-10-26 03:13 -------- d-----w- c:\program files\Symantec
2009-10-26 03:12 . 2009-10-27 17:51 -------- d-----w- c:\windows\system32\drivers\NIS
2009-10-26 03:12 . 2009-10-26 03:12 -------- d-----w- c:\program files\Norton Internet Security
2009-10-26 03:12 . 2009-10-26 03:12 -------- d-----w- c:\program files\Windows Sidebar
2009-10-26 03:12 . 2009-10-26 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-26 03:12 . 2009-10-27 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-26 03:12 . 2009-10-26 03:12 -------- d-----w- c:\program files\NortonInstaller
2009-10-26 03:11 . 2003-06-25 23:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2009-10-26 03:11 . 2009-10-26 03:11 -------- d-----w- c:\program files\ISO Recorder
2009-10-26 03:10 . 2009-10-26 03:10 -------- d-----w- c:\windows\Downloaded Installations
2009-10-26 02:50 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-26 02:42 . 2009-10-26 05:25 -------- d-----w- c:\program files\DIFX
2009-10-26 02:42 . 2009-10-26 05:25 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-26 02:42 . 2006-11-15 07:16 32256 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2009-10-26 02:42 . 2006-11-15 02:42 43520 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
2009-10-26 02:42 . 2006-11-15 00:35 37376 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2009-10-26 02:42 . 2005-05-07 02:06 16480 ----a-w- c:\windows\system32\rixdicon.dll
2009-10-26 02:42 . 2004-09-03 17:00 90112 ----a-w- c:\windows\system32\snymsico.dll
2009-10-26 02:34 . 2009-10-26 02:24 12328 ----a-w- c:\documents and settings\Rehan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 02:34 . 2009-10-26 02:50 -------- d-----w- c:\documents and settings\Rehan\Local Settings\Application Data\ApplicationHistory
2009-10-26 02:32 . 2008-04-14 08:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-26 02:31 . 2006-03-25 01:30 282624 ----a-w- c:\windows\stsystra.exe
2009-10-26 02:31 . 2009-10-26 04:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-26 02:31 . 2009-10-26 02:31 -------- d-----w- c:\program files\SigmaTel
2009-10-26 02:27 . 2006-11-21 11:25 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2009-10-26 02:24 . 2009-10-26 02:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-26 02:23 . 2009-10-26 02:23 -------- d-----w- c:\program files\Intel
2009-10-26 02:17 . 2009-10-26 02:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-26 02:12 . 2009-10-26 02:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-26 02:12 . 2009-10-26 02:12 -------- d-----w- c:\program files\MSBuild
2009-10-26 02:11 . 2009-10-26 02:11 -------- d-----w- c:\program files\Reference Assemblies
2009-10-26 02:11 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-26 02:11 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-26 02:11 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-26 02:11 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-26 02:11 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-26 02:11 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-26 02:11 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-26 02:05 . 2009-10-26 02:05 -------- d-----w- c:\program files\CONEXANT
2009-10-26 02:05 . 2009-10-26 02:05 -------- d-----w- c:\windows\system32\URTTemp
2009-10-26 01:57 . 2009-08-05 04:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-26 01:57 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-26 01:57 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-26 01:57 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-26 01:56 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-26 01:55 . 2008-06-13 11:05 272128 -c--a-w- c:\windows\system32\dllcache\bthport.sys
2009-10-26 01:55 . 2008-06-13 11:05 272128 ----a-w- c:\windows\system32\drivers\bthport.sys
2009-10-26 01:43 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-26 01:15 . 2007-03-17 01:10 604928 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 16:19 . 2009-10-27 16:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Spyder2_01001.Wdf
2009-10-27 16:19 . 2009-10-27 16:19 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-10-26 03:13 . 2009-10-26 03:13 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-26 03:13 . 2009-10-26 03:13 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-26 02:20 . 2009-10-26 02:06 776 ----a-w- c:\windows\system32\drivers\sthdae.log
2009-10-25 19:39 . 2009-10-25 19:39 -------- d-----w- c:\program files\microsoft frontpage
2009-10-25 19:35 . 2009-10-25 19:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-25 19:35 . 2009-10-25 19:34 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-11 14:18 . 2008-04-14 12:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 20:04 . 2009-09-07 20:04 16384 ----a-w- c:\documents and settings\Riva\Application Data\onload.exe
2009-09-04 21:03 . 2008-04-14 12:42 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 01:10 . 2009-08-31 01:10 4096 ----a-w- c:\windows\system32\wmvdmoe2.dll
2009-08-31 01:10 . 2009-08-31 01:10 4096 ----a-w- c:\windows\system32\wmvdmod.dll
2009-08-31 01:10 . 2009-08-31 01:10 1329152 ----a-w- c:\windows\system32\wmspdmoe.dll
2009-08-31 01:10 . 2009-08-31 01:10 99840 ----a-w- c:\windows\system32\wmpshell.dll
2009-08-31 01:10 . 2009-08-31 01:10 8231936 ----a-w- c:\windows\system32\wmploc.dll
2009-08-31 01:10 . 2009-08-31 01:10 4096 ----a-w- c:\windows\system32\wmsdmoe2.dll
2009-08-31 01:10 . 2009-08-31 01:10 4096 ----a-w- c:\windows\system32\wmsdmod.dll
2009-08-31 01:07 . 2009-08-31 01:07 1614848 ----a-w- c:\windows\system32\sfcfiles.dll
2009-08-31 01:07 . 2009-08-31 01:07 990208 ----a-w- c:\windows\system32\syssetup.dll
2009-08-31 01:07 . 2009-08-31 01:07 24576 ----a-w- c:\windows\system32\nlsdl.dll
2009-08-31 01:07 . 2009-08-31 01:07 26112 ----a-w- c:\windows\system32\idndl.dll
2009-08-31 01:07 . 2009-08-31 01:07 23552 ----a-w- c:\windows\system32\normaliz.dll
2009-08-31 01:07 . 2009-08-31 01:07 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-31 01:07 . 2009-08-31 01:07 156160 ----a-w- c:\windows\system32\msls31.dll
2009-08-31 01:07 . 2009-08-31 01:07 45568 ----a-w- c:\windows\system32\mshta.exe
2009-08-31 01:07 . 2009-08-31 01:07 40960 ----a-w- c:\windows\system32\licmgr10.dll
2009-08-31 01:07 . 2009-08-31 01:07 36352 ----a-w- c:\windows\system32\imgutil.dll
2009-08-31 01:07 . 2009-08-31 01:07 55296 ----a-w- c:\windows\system32\iesetup.dll
2009-08-31 01:06 . 2009-08-31 01:06 71680 ----a-w- c:\windows\system32\admparse.dll
2009-08-29 07:36 . 2009-08-31 01:07 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-08-31 01:06 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2009-08-31 01:06 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-04-14 12:42 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 11:36 . 2009-08-25 11:36 78598576 ----a-w- c:\documents and settings\Riva\Application Data\NIS09EN_16.7.2.10.exe
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 02:24 . 2009-10-25 19:36 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2009-10-25 19:36 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2009-10-25 19:36 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-10-25 19:36 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2008-04-14 12:41 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2009-10-25 19:36 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-10-25 19:36 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2008-10-16 22:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2008-04-14 12:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-14 07:54 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

------- Sigcheck -------

[-] 2009-08-31 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-10-25 1425424]
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2007-2-13 385024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [10/27/2009 9:29 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [10/27/2009 9:29 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [10/27/2009 9:28 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091021.001\IDSXpx86.sys [10/26/2009 3:18 AM 329080]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [10/27/2009 9:28 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/28/2009 10:18 AM 102448]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2/13/2007 5:16 PM 12288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Rehan\Application Data\Mozilla\Firefox\Profiles\frqwzugh.default\
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1864)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2764)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-29 9:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 16:37

Pre-Run: 19,920,683,008 bytes free
Post-Run: 20,522,680,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 58217732F99B8ABC2E4C6A235AFE4C05


#7 chaytah (Topic Starter)

Posted 29 October 2009 - 12:19 PM

Hi,

The NAV scan found Trojan.Dropper once again, this time attached to eventlog.dll in the C:\Qoobox\Quarantine directory that Combo-Fix created. I guess this means that Combo-Fix first created a system restore point (which also backed up the trojan in the system volume information folder) and then once it identified the infection it quarantined it in the Qoobox folder.

Now I'm wondering if this sucker will come back again from the dead. :(

#8 JSntgRvr (Malware Response Team)

Posted 29 October 2009 - 01:58 PM

No, unless you use system restore. We will take care of the quarantined file promptly.

First run the command:

"%userprofile%\desktop\win32kdiag.exe" -f -r

Restart and run it again. Let me know if they are recreated this time.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    sfcfiles.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 chaytah (Topic Starter)

Posted 29 October 2009 - 10:21 PM

Here's the win32kdiag log:

Running from: D:\Software\XP\Anti-Malware Tools\Win32kDiag.exe
Log file at : C:\Documents and Settings\Rehan\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\dumprep.exe
Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Finished!


And this is the SystemLook log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:13 on 29/10/2009 by Rehan (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [01:07 31/08/2009] [01:07 31/08/2009] 362BC5AF8EAF712832C58CC13AE05750

-=End Of File=-


#10 JSntgRvr (Malware Response Team)

Posted 29 October 2009 - 11:44 PM

Let's scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")



#11 chaytah (Topic Starter)

Posted 31 October 2009 - 01:14 PM

Hi,

Sorry for the late reply.

Here's the Kaspersky report. No infected items were found:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 31, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 31, 2009 17:29:53
Records in database: 3109240
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 27916
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:41:19

No threats found. Scanned area is clean.

Selected area has been scanned.


I think my earlier NAV scan removed the infected files that were in system restore and ComboFix's Quarantine.

If we're done, please let me know if I can safely remove the following files and directories:

C:\Combo-Fix\*
C:\Qoobox\*
C:\cmldr

And once again... thank you!

Edited by chaytah, 31 October 2009 - 01:20 PM.


#12 JSntgRvr (Malware Response Team)

Posted 31 October 2009 - 02:25 PM

Hi, chaytah :(

Do not remove C:\cmldr. It is part of the Recovery Console.

Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing them. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type or copy and paste "d:\software\XP\Anti-Malware Tools\Combo-Fix.exe" /Uninstall in the runbox and click OK. Note the space between the " and the /Uninstall, it needs to be there.
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
How is the computer doing?



#13 chaytah (Topic Starter)

Posted 01 November 2009 - 04:34 PM

Hi,

I followed the last set of instructions, and the computer seems to be doing just fine.

I'm going to follow these same steps on my desktop, and if any results are different, I will post back here.

Thanks for all your help!

#14 JSntgRvr (Malware Response Team)

Posted 01 November 2009 - 06:58 PM

Hi,

I followed the last set of instructions, and the computer seems to be doing just fine.

I'm going to follow these same steps on my desktop, and if any results are different, I will post back here.

Thanks for all your help!

What may work for one computer may not work for another computer. Let's work on your desktop.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes (Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT).
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



#15 chaytah (Topic Starter)

Posted 02 November 2009 - 03:40 PM

Hi,

If it helps, both computers were set up at the same time with the same software, and the source of infection was the same (downloaded file from p2p network). I had run win32kdiag earlier (when we were working on the laptop) and this too had a max++ infection.

Regardless, I will follow your instructions patiently, as you're the expert and not I.

Here's my RootRepeal log. Same issue as with my laptop... RootRepeal gets killed if I run the report with the 'Files' section selected, so I ran it without:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/02 12:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9F78000 Size: 872448 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1042000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7419000 Size: 323584 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xB0112000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF76D7000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x899adcd0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89ab3b80

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x899c6b98

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x899abcd0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x898ecba0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa30d130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x899edc20

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x89a60fc0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89900f20

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x89a3ccd0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa30d3b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa30d910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x89df7920

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89892ad0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89a0ecd0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8963c660

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x899ac898

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89892930

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89587378

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89a05b78

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89df77a0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x895aa378

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x89e487f8

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x89d637f0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8959b338

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89e33d08

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89dfdfc0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x89a72b38

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa30db60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89a12cd0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89e4acb0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x895b94e0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89a1bb68

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89e33ec8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89af6c20

==EOF==

Edited by chaytah, 02 November 2009 - 03:41 PM.
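The SSDT section of the RootRepeal log above lists which kernel service table entries are hooked and by which driver, with "<unknown>" where RootRepeal could not attribute the hook to a visible driver image. As an added example (not code from this thread or from RootRepeal), this Python script parses entries in that format from a constructed excerpt and groups them by hooking module, so the unattributed hooks can be separated from those belonging to a named product such as SYMEVENT.SYS; the sample log and all function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of RootRepeal's SSDT section
# (three entries modelled on the log above, not the full log).
SAMPLE_LOG = r"""
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa30d130

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89a05b78

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x895b94e0

==EOF==
"""

# One RootRepeal SSDT entry: an index/function line followed by a status line.
ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+'
    r'Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_ssdt_hooks(text):
    """Return every hooked SSDT entry as a dict with index, func, module, addr."""
    hooks = []
    for m in ENTRY_RE.finditer(text):
        hooks.append({
            "index": int(m.group("index")),
            "func": m.group("func"),
            "module": m.group("module"),
            "addr": int(m.group("addr"), 16),
        })
    return hooks


def hooks_by_module(hooks):
    """Group hooked function names by the module RootRepeal attributed them to."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["func"])
    return dict(grouped)


def unattributed_hooks(hooks):
    """Hooks RootRepeal could not tie to a visible driver image ("<unknown>").

    These are the entries to investigate first: a hook landing in memory that
    belongs to no visible driver is how a hidden module shows up in this kind
    of report, although a legitimate security product can look the same.
    """
    return [(h["func"], hex(h["addr"])) for h in hooks if h["module"] == "<unknown>"]


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_LOG)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {', '.join(funcs)}")
    for func, addr in unattributed_hooks(hooks):
        print(f"investigate: {func} hooked at {addr}")
```

Point it at a full RootRepeal.txt by reading the file into `parse_ssdt_hooks`; the Drivers section of the log is not parsed here.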




