Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit Infection


  • This topic is locked This topic is locked
63 replies to this topic

#1 Travis0808

Travis0808

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 30 October 2009 - 12:30 AM

I attempted to do the prep guide but all of the scanners for the logs got canceled, Ive attempted to use Malwarebytes Anti-Malware but that program shut down shortly after scanning started, same with a whole list of other programs including the RSIT.exe program, anyways, all I got to work was the Win32kDiag log, which didn't officially finish running it just quit loading and I was forced to exit the program, but it still made the log file which is as follows:


Running from: C:\Users\Travis\Desktop\Win32kDiag.exe

Log file at : C:\Users\Travis\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\inf\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\v2.0.50727.312

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\bd1409bd3825172e5262cca6f0336455\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\c452caabaad248a66aa697d8c8545eb1\$dpx$.tmp\$dpx$.tmp

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18: 3
Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\CNGAUDIT.DLL



And the log from the cmd prompt;


Volume in drive C is OS
Volume Serial Number is 942E-D904

Directory of C:\Windows\System32

11/02/2006 04:46 AM 176,640 scecli.dll

Directory of C:\Windows\System32

11/02/2006 04:46 AM 559,616 netlogon.dll
2 File(s) 736,256 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Total Files Listed:
4 File(s) 1,472,512 bytes
0 Dir(s) 65,923,403,776 bytes free


Can you please help me to remove this from my computer!

Edited by Travis0808, 30 October 2009 - 12:39 AM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 PM

Posted 05 November 2009 - 08:07 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#3 Travis0808

Travis0808
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 08 November 2009 - 03:37 AM

Hi and thank you for taking the time to help me, yes I am here and ready to get this thing off my computer

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 PM

Posted 08 November 2009 - 10:09 AM

You have a rootkit and we need to start to remove it. Please follow the instructions below if you are still in possession of the Win32diag program. If you don't have it then redownload it first from this link.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Then run this batch program

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in peek.bat for the file name. Right below that click the down arrow in the line for save as and select all files. Save this to your desktop and close notepad.

@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0

Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#5 Travis0808

Travis0808
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 08 November 2009 - 02:47 PM

Win32kDiag log:



Running from: C:\Users\Travis\Desktop\Win32kDiag.exe

Log file at : C:\Users\Travis\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\inf\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\v2.0.50727.312

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\057d458a5288ce359a4a46636ed70a4e\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18842_none_83af6d0646d60121\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18842_none_83af6d0646d60121

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\057d458a5288ce359a4a46636ed70a4e\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22933_none_8444da075fea9e51\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22933_none_8444da075fea9e51

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\0ce8014e64ad9281a8256633d08ad4d3\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18852_none_f5f82740381d7455\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18852_none_f5f82740381d7455

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\0ce8014e64ad9281a8256633d08ad4d3\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.22942_none_f68c93f75132f82e\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.22942_none_f68c93f75132f82e

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\bd1409bd3825172e5262cca6f0336455\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\c452caabaad248a66aa697d8c8545eb1\$dpx$.tmp\$dpx$.tmp

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18: 3
Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\CNGAUDIT.DLL





peek.bat log.txt



Volume in drive C is OS
Volume Serial Number is 942E-D904

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 176,640 scecli.dll

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 559,616 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 61,952 CNGAUDIT.DLL
3 File(s) 798,208 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 03:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 03:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 03:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 PM

Posted 08 November 2009 - 04:21 PM

Okay, not sure what's happened here :(

The Win32diag program run with the following command

"%userprofile%\desktop\win32kdiag.exe" -f -r

Should result in detection and removal as the example below:
Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Please run it again making sure the bold type is copied and pasted into the Run box.
Posted Image
m0le is a proud member of UNITE

#7 Travis0808

Travis0808
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 09 November 2009 - 03:17 AM

I ran the program line as you stated, ""%userprofile%\desktop\win32kdiag.exe" -f -r" in the run and it came up with this log...


Running from: C:\Users\Travis\Desktop\win32kdiag.exe

Log file at : C:\Users\Travis\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\inf\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\en-US\en-US

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18: 3
Cannot access: C:\Windows\System32\CNGAUDIT.DLL

Attempting to restore permissions of : C:\Windows\System32\CNGAUDIT.DLL

[1] 2006-11-02 03:46:03 61952 C:\Windows\System32\CNGAUDIT.DLL ()

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 PM

Posted 09 November 2009 - 05:38 PM

That's done the trick :(


Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\Windows\System32\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"

    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
(This copies the clean system file to the system root)


Next
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    files to move:c:\eventlog.dll | C:\Windows\System32\CNGAUDIT.DLL
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

That should remove the false system file and will mean that we should be able to run Combofix to clean up the rest.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks, let me know if there are problems during this part of the fix :(
Posted Image
m0le is a proud member of UNITE

#9 Travis0808

Travis0808
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 10 November 2009 - 02:51 AM

I pasted "copy C:\Windows\System32\eventlog.dll C:\ /y" into the cmd prompt and this is what it gave me


Microsoft Windows [Version 6.0.6000]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Users\Travis>copy C:\Windows\System32\eventlog.dll C:\ /y
The system cannot find the file specified.

C:\Users\Travis>copy C:\Windows\System32\eventlog.dll C:\ /y
The system cannot find the file specified.

C:\Users\Travis>

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 PM

Posted 10 November 2009 - 09:25 AM

That means that the backup copy we were going to use to replace the malware file does not exist.

Go through to the Combofix stage for now.


Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#11 Travis0808

Travis0808
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 10 November 2009 - 12:33 PM

Wow, seems like I can never actually do what you need to me to do, now the problem is ComboFix wont download, under any of those links you provided me. It goes to a blank webpage and says 404 - NOT FOUND, I even tried to download it off of a couple sites on Google, it still gave me the 404 message, maybe you can send me an email with the attachment or something or test those links out

Posted Image

Edited by Travis0808, 10 November 2009 - 12:39 PM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 PM

Posted 10 November 2009 - 03:52 PM

Those links are fine but the malware is stopping you doing a large amount of things. Not your fault at all :(

Let's try this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6 \cngaudit.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"

    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
(This copies the clean system file to the system root)


Now run the Avenger script
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    files to move:c:\cngaudit.dll | C:\Windows\System32\CNGAUDIT.DLL
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
Let's see how that goes. :(
Posted Image
m0le is a proud member of UNITE

#13 Travis0808

Travis0808
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 10 November 2009 - 06:32 PM

I copied the exact text it did not work this is what it said


Microsoft Windows [Version 6.0.6000]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Users\Travis>copy C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf38
56ad364e35_6.0.6000.16386_none_e62d292932a96ce6 \cngaudit.dll C:\ /y
The syntax of the command is incorrect.

C:\Users\Travis>

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 PM

Posted 10 November 2009 - 07:14 PM

That one was my fault not the malware :(

Try this code.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"

    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
(This copies the clean system file to the system root)

Then you should be able to go to the Avenger step.

Let me know if we get foiled again! :(
Posted Image
m0le is a proud member of UNITE

#15 Travis0808

Travis0808
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 10 November 2009 - 07:41 PM

Success!


Microsoft Windows [Version 6.0.6000]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Users\Travis>copy C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf38
56ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll C:\ /y
1 file(s) copied.



Avenger File:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\cngaudit.dll|C:\Windows\System32\CNGAUDIT.DLL" completed successfully.

Completed script processing.

*******************

Finished! Terminate.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users