Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Infection/No desktop icons or taskbar/other problems


  • This topic is locked This topic is locked
70 replies to this topic

#1 Tumbo

Tumbo

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 PM

Posted 09 November 2009 - 12:26 AM

Hello:

I managed to download a virus, malware or whatever from a fake site: hxxp://microsoftmedicenter.com/pluginerror/

Maybe somebody can go to that site and tell me what I have got myself into...

Anyways, after realizing that I made this mistake, I ran Symantec Antivirus (month old definitions), which quarantined the following:
1. jar_cache7190243559420621033.tmp - "still contains 3 infected items"
2. myf/y/PayloadX.class
3. myf/y/LoaderX.class
4. myf/y/AppetX.class

In the meantime, I have no desktop taskbar or icons, and cannot right click on the desktop. I can use my pointer and Task Manager to run some programs. I have tried numerous things, with no luck. I can't connect to the internet with that computer, or run a Restore. Through Task Manager or the cmd prompt I have run another Symantec full scan (nothing), cmd mrt.exe (no problems), cmd sfc/scannow (nothing), cmd explorer ("access denied"), iexplore (doesn't work). I was able to download to the thumb new Symantec virus definitions, then load on infected computer, which seemed to go fine, but when I open Symantec it still shows an older definition file date. I tried Free Windows Registry Repair 2.0, lots of errors found, fixed them, no luck. I tried file system check, no problems. I tried other virus scanners, all of which come up with no viruses, so maybe Symantec got them quarantined, and now we just have to repair the damage??

I can use a thumb drive from another computer (which has up-to-date Symantec virus and firewall protection) to download and transfer and then move over to run files on the infected computer. I scan the thumb drive for viruses every time I move it to the uninfected computer.

Regarding your Preperation Guide, I was able to do the following:
1. DDS. I could not run DDS. It would flash onscreen quickly with the initial black screen, then close. Your instructions ask to disable any script-blocking programs, but I am not sure how to do this, and which programs are script blocking...?
2. RootRepeal.Log ran fine. File is attached Ark.txt
3. I also ran hijackthis. The file is also attached hijackthis.txt (I took no actions with this program).

I can try to run DDS again with some further instruction on what programs/how to disable script blocking via Task Manager, if necessary.

Many thanks for your assistance in advance...

Edited by Orange Blossom, 09 November 2009 - 12:41 AM.
Deactivate link. ~ OB


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 03:51 PM

Hi Tumbo,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 Tumbo

Tumbo
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 PM

Posted 13 November 2009 - 08:20 PM

Hello farbar:

Thanks for taking the time to work with me on this problem. The issue is still unresolved.

I will refrain from making any changes to my system from here forward. I did try to run WinSock XP Fix a day ago in an effort to try and get the machine to connect to the internet, with no success. Again, I will only make any changes from now forward as instructed.

I look forward to working with you.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 08:48 PM

So you have no desktop (explorer is not loading) but you can bring up task manager?

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 08:54 PM

Beside giving me feedback about the question I asked, give me as much information as you can about what is functioning and what is not functioning. It gives me a clear picture of the situation to know what is going on at the other end, and also helps me to know your options so that I can guide you through the shortest way in performing the fixes.

Edited by farbar, 16 November 2009 - 06:30 AM.
spelling


#6 Tumbo

Tumbo
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 PM

Posted 13 November 2009 - 09:23 PM

I have no desktop icons, no taskbar, just wallpaper.

I can run task manager. I can't run explorer ("access is denied"), but can run many programs through task manager or the cmd prompt.

I can run firefox and my wifi usb antenna application software (which is connected/operational), but can't get browsers such as firefox or lotus notes to connect.

I can't run a restore point (rstrui.exe).

I can download programs on a good computer to a thumb drive, then run them on the problem computer.

I can run numerous commands via the cmd prompt, but not some such as control.exe, icwconn1.exe, inetwiz.exe.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 09:38 PM

  • Download the attached file and save it to your flash drive. Insert it to the infected computer and run it. A log.txt file opens, if it didn't open there will be a log.txt file on your flash dirve. Please post the content of it.

  • Download and run Win32kDiag:
  • Run Win32kDiag.exe and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Bring up Task Manager > under File menu type in the Run box: "%userprofile%\desktop\Win32kDiag.txt"
  • Please post the entire contents of that log as a reply to this topic.

Edited by farbar, 13 November 2009 - 09:39 PM.


#8 Tumbo

Tumbo
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 PM

Posted 13 November 2009 - 10:06 PM

Below are the entire contents of that log as you requested:


Running from: E:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Chris Miller\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB950759\KB950759

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB976749-IE7\KB976749-IE7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1EB.tmp\ZAP1EB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP242.tmp\ZAP242.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP255.tmp\ZAP255.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP69.tmp\ZAP69.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91.tmp\ZAP91.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9A.tmp\ZAP9A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\ZAPD1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\explorer.exe

[1] 2002-08-29 04:00:00 1004032 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)

[1] 2008-04-14 04:42:20 1033728 C:\WINDOWS\explorer.exe ()

[1] 2008-04-14 04:42:20 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2002-08-29 04:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 04:42:22 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-14 04:42:22 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\profiles\rcac\rcac

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\12b4cb19388f1450bf596b1bd5219f33\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\update\update.exe

[1] 2005-02-24 19:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 09:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 17:22:56 716000 C:\WINDOWS\$hf_mig$\KB938127-v2-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 17:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 07:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 17:22:56 716000 C:\WINDOWS\$hf_mig$\KB953838-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 17:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 05:02:04 755576 C:\WINDOWS\$hf_mig$\KB956844\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 05:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 17:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 03:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 17:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 09:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 17:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB963027-IE7\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB968389\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB969059\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB969897-IE7\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB971486\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 23:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB971961\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE7\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 05:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB973525\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 05:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB974112\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB974455-IE7\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB974571\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB975025\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\$hf_mig$\KB975467\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 04:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 03:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\update\update.exe ()

[1] 2007-03-05 17:22:56 716000 C:\WINDOWS\SoftwareDistribution\Download\b3bf74f55136e7636e609c29522f7318\update\update.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\hkcmd.exe

[1] 2004-11-02 07:59:42 126976 C:\WINDOWS\system32\hkcmd.exe ()



Cannot access: C:\WINDOWS\system32\igfxtray.exe

[1] 2004-11-02 08:03:44 155648 C:\WINDOWS\system32\igfxtray.exe ()



Cannot access: C:\WINDOWS\system32\svchost.exe

[1] 2002-08-29 04:00:00 12800 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe (Microsoft Corporation)

[1] 2008-04-14 04:42:38 14336 C:\WINDOWS\ServicePackFiles\i386\svchost.exe (Microsoft Corporation)

[1] 2008-04-14 04:42:38 14336 C:\WINDOWS\system32\svchost.exe ()



Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\notes6030C8\notes6030C8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^



Finished!

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 10:14 PM

Well done. Did you run the batch file?

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 10:23 PM

Please don't miss my previous post. Did you receive my PM?

Edited by farbar, 13 November 2009 - 10:23 PM.


#11 Tumbo

Tumbo
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 PM

Posted 13 November 2009 - 10:24 PM

I wondered why that .bat file was attached with no instructions... I think I read and followed your initial post, but you were actually re-editing the same post instructions while I was reading the old post, so I missed your .bat instructions. My bad...

Anyway, I just ran it - here's the content of it:

Volume in drive C is IBM_PRELOAD
Volume Serial Number is F885-BE29

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/29/2002 04:00 AM 49,152 eventlog.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/29/2002 04:00 AM 174,592 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/29/2002 04:00 AM 399,360 netlogon.dll
3 File(s) 623,104 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 04:41 AM 56,320 eventlog.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 04:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 04:42 AM 407,040 netlogon.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 04:41 AM 61,952 eventlog.dll

Directory of C:\WINDOWS\system32

04/14/2008 04:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 04:42 AM 407,040 netlogon.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,917,952 bytes
0 Dir(s) 5,210,824,704 bytes free

#12 Tumbo

Tumbo
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 PM

Posted 13 November 2009 - 10:29 PM

Let me know if you need anything else - just want to make sure we are in-sync here...

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 10:42 PM

Yes, I edited the post to attach the bat file. Now we can have a shot at this nasty rootkit and restore explorer and others as well. Please give me a reply as fast as you can to run a tool the next round after restoring the desktop. I have to go to sleep soon.
  • Bring up Task Manager > Type in the Run box the following and click OK:

    sc config eventlog start= disabled

  • Important: Reboot the computer.

  • Your flash drive should be connected. Bring up Task Manager > Type in the Run box the following and click OK:

    e:\win32kdiag.exe -f -r

    (Note: There is space after exe and -f)

  • Reboot again. If the desktop is back there will be the log. Otherwise retrieve the log the same way as the previous post.


#14 Tumbo

Tumbo
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 PM

Posted 13 November 2009 - 10:58 PM

Desktop icons & Taskbar are back! I'm impressed! Looks like we'll both sleep well tonight...


Log text is here:

Running from: e:\win32kdiag.exe

Log file at : C:\Documents and Settings\Chris Miller\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Found mount point : C:\WINDOWS\$hf_mig$\KB950759\KB950759

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB950759\KB950759

Found mount point : C:\WINDOWS\$hf_mig$\KB976749-IE7\KB976749-IE7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB976749-IE7\KB976749-IE7

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1EB.tmp\ZAP1EB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1EB.tmp\ZAP1EB.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP242.tmp\ZAP242.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP242.tmp\ZAP242.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP255.tmp\ZAP255.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP255.tmp\ZAP255.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP69.tmp\ZAP69.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP69.tmp\ZAP69.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91.tmp\ZAP91.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91.tmp\ZAP91.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9A.tmp\ZAP9A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9A.tmp\ZAP9A.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\ZAPD1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\ZAPD1.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\CABS\CABS

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\Install\Install

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\ERRORREP

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\profiles\rcac\rcac

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\profiles\rcac\rcac

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\12b4cb19388f1450bf596b1bd5219f33\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\12b4cb19388f1450bf596b1bd5219f33\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\update\update.exe

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\hkcmd.exe

Attempting to restore permissions of : C:\WINDOWS\system32\hkcmd.exe

Cannot access: C:\WINDOWS\system32\igfxtray.exe

Attempting to restore permissions of : C:\WINDOWS\system32\igfxtray.exe

Cannot access: C:\WINDOWS\system32\svchost.exe

Attempting to restore permissions of : C:\WINDOWS\system32\svchost.exe

Note: Granted Everyone Full Access to svchost.exe

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\WINDOWS\Temp\notes6030C8\notes6030C8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\notes6030C8\notes6030C8

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05



Finished!

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:22 AM

Posted 13 November 2009 - 11:04 PM

Great. :(
  • Your flash drive should be connected. Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:

    "e:\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.

  • Tell me also if you have internet connection and if your internet browser is functioning.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users