Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Tool and others? [Moved]


  • This topic is locked This topic is locked
6 replies to this topic

#1 Rac9n

Rac9n

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 09 November 2009 - 11:40 AM

Okayso, about a week ago the "Security Tool" fake anti-spyware program started popping up on my computer. I hadn't seen it or heard of it before, and especially didn't remember downloading or initiating it, so I was immediately suspicious. I found most of the files associated with it, and deleted them, and the popups and "notifications" have since stopped. What I did was all manual search and delete, though, so I may have missed pieces of it. I've tried "Rkill", but that ended up freezing and shutting down my computer. At about the same time as all of this was going on, my internet started acting up. Any google search result was redirected to a site like "thefeedwater" or a random assortment of advertising pages. If google search results provided the full URL, I could copy and paste and still get through successfully. Most helpful websites, like microsoft.com, symantec.com, almost any anti-spyware or internet security site (anything HELPFUL at ALL), my brower is unable to access. I checked the hosts file, but if I understood it correctly, that wasn't the problem. I tried renaming the hosts file, but the problem persists. In my C:\WINDOWS and C:\WINDOWS\system32 folders, there are a lot of exe files that don't belong. Many of the known badguys I have deleted myself, but some of them keep reappearing, and run on startup. The most persistent are "sv1.exe", "svchust.exe", and "isvchost.exe". In my task manager, once I have ended the previous three that are obviously fake, I have exactly ten instances of "svchost.exe" running. There were at one point constantly four or more instances of "iexplore.exe" running, even when I didn't even have internet explorer open. On top of that, even more instances would appear as actual pop ups, consistently. I actually ended up DELETING iexplore.exe, and I'm now using CravingExplorer, a Japanese browser. Unfortunately (or, fortunately?), this means I can only have one window or tab up at a time and there are no popups.

Additional problems: On restart, about 70% of the time explorer.exe won't start on it's own. It asks me to login with a password I never created (blank, no password), and I've never had to do this before. As soon as it's finished restarting, a dialogue box appears with "UserInit Logon Application - Data Execution Prevention". If I try to start task manager, a similar window appears. I can start the task manager if I hold down ctrl+alt+delete, and then I can start explorer.exe from there. Soon after start up, there's a popup error message saying that a "calc.dll" cannot be found.

Three times recently, I've found three new icons that appear to link to pornographic websites on my desktop. In hindsight, I don't remember what they were actually shortcuts TO.

I've downloaded and run MalwareBytes, Super Anti-Spyware, and Spybot - Search & Destory. Each found a large number of results, and removed them successfully, but the problems have persisted.


Running Processes:

alg.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccSetMgr.exe
Compaq Connections.exe
CravingExplorer.exe
csrss.exe
ehmsas.exe
ehtray.exe
explorer.exe
hpsysdrv.exe
hpwuSchd2.exe
jusched.exe
lsass.exe
LSSrvc.exe
mcrdsvc.exe
msmsgs.exe
navapsvc.exe
NSCSRVCE.exe
rundll32.exe
rundll32.exe
services.exe
smss.exe
SNDSrvc.exe
SUPERAntiSpyware.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
symlcsvc.exe
System
System Idle Process
taskmgr.exe
winlogon.exe
WkCalRem.exe

I'm not sure of the exact location of some of those.

Er, can anyone help me out here, or is this a lost cause?

Edited by Rac9n, 09 November 2009 - 12:14 PM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:59 AM

Posted 09 November 2009 - 10:15 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:11:59 AM

Posted 10 November 2009 - 04:08 PM

:trumpet:
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

=======================

:flowers:
Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


:thumbsup: Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 Rac9n

Rac9n
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 10 November 2009 - 10:29 PM

Thanks for the response! I have also since discovered that my computer has no sound, at all. VLC and Windows Media Player will play any of my music or video files, but with no sound. The same with youtube videos. I've tried both my speakers and headphones. Huh.

Anyway, the reports you asked for:

Rootrepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 15:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3571000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ABE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8EE8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\ftpcache\ftpcache
Status: Locked to the Windows API!

Path: C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Status: Locked to the Windows API!

Path: c:\windows\system32\wmdtc.exe
Status: Allocation size mismatch (API: 110592, Raw: 90112)

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\Minidump\Minidump
Status: Locked to the Windows API!

Path: C:\WINDOWS\setup.pss\setup.pss
Status: Locked to the Windows API!

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB904706\KB904706
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB912812\KB912812
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB912945\KB912945
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB920213\KB920213
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB924496\KB924496
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB925454\KB925454
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933729\KB933729
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB941568\KB941568
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\nsf291.tmp\nsf291.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\twain_32\OMCAM\OMCAM
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: c:\documents and settings\compaq_administrator\local settings\temp\1912890612.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\documents and settings\compaq_administrator\local settings\temp\1530140642.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempRec\TempSBE\TempSBE
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\batch\batch
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\86a5d4ec598b957d3e4d2a7951b2c258\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\f90f6c0c452945125b5a22f96ec4c469\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1102.tmp\ZAP1102.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A9.tmp\ZAP2A9.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C78.tmp\ZAP5C78.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5E2C.tmp\ZAP5E2C.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Apps\2.0\MA9MC3N1.X95\XOG30PY8.VG8\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Apps\2.0\MA9MC3N1.X95\XOG30PY8.VG8\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Lauren1\Local Settings\Apps\2.0\G2NDDRY6.XW6\X6W9MK49.7QG\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Lauren1\Local Settings\Apps\2.0\G2NDDRY6.XW6\X6W9MK49.7QG\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft
Status: Locked to the Windows API!

==EOF==


Win32kDiag:

Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Compaq_Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1102.tmp\ZAP1102.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A9.tmp\ZAP2A9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C78.tmp\ZAP5C78.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5E2C.tmp\ZAP5E2C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\86a5d4ec598b957d3e4d2a7951b2c258\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f90f6c0c452945125b5a22f96ec4c469\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\nsf291.tmp\nsf291.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\TempRec\TempSBE\TempSBE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\twain_32\OMCAM\OMCAM

Mount point destination : \Device\__max++>\^



Finished!



And the final log:


Volume in drive C is PRESARIO
Volume Serial Number is 10F1-FD25

Directory of C:\WINDOWS\$hf_mig$\KB968389\SP2QFE

02/06/2009 01:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\$hf_mig$\KB975467\SP2QFE

02/06/2009 01:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\sp2qfe

02/06/2009 01:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\system32

08/09/2004 11:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

08/09/2004 11:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

08/09/2004 11:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\system32\dllcache

08/09/2004 11:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

08/09/2004 11:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

08/09/2004 11:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
15 File(s) 3,799,552 bytes
0 Dir(s) 54,729,351,168 bytes free




Again, thank you!

#5 Rac9n

Rac9n
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 11 November 2009 - 10:41 AM

A few updates:
The 'Userinit Logon Application - Data Execution Prevention" popup only appears when explorer.exe does NOT start on its own. Also, if explorer.exe never starts, for any other application I try to start, INCLUDING task manager, the same "Data Execution Prevention"/"Windows has closed this program to prtoect your computer" window appears. Usually though, after several minutes, I can start at least explorer. If it restarts normally, then these windows never appear. Also the three pairs of other error windows that I mentioned in the first post, only appear AFTER explorer.exe has started. The first two say "Error loading C:\WINDOWS\system32\calc.dll The specified module could not be found." and "Error loading "C:\DOCUME~1\COMPAQ~1\ntuser.dll The specified module could not be found."
After closeing, that pair doesn't appear again until the next restart, after explorer.exe starts.
The next pair to appear is a Norton "High Risk Virus Alert" window, "Norton has detected and removed a virus from your computer." The details say:
"Object Name: C:\Documents and Sett...\svc[4].php
Virus Name: W32.Pinfi
Action Taken: The file was repaired."
After clicking OK, the window reappears everal times. The window that usually pops up in tandem with that has the title "csrs32", and says "Run-time error '53': File not found." After clinking OK, this one usually reappears a few times as well.

The next one has the title "DiscUpdMgr.exe - Application Error", and says "The application failed to initialize properly (0x0000007b). Click OK to terminate the application." The window pops up again as soon as I click OK, at least one more time.

Hope that can help somehow!~

#6 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:11:59 AM

Posted 11 November 2009 - 07:47 PM

\Device\__max++>\^
You are infected with a very persistent type of malware
The safest and recommended way is to reformat and reinstall
You can submit a log but it will take time



Now that you were successful in creating those two logs you need to post them in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:59 AM

Posted 11 November 2009 - 09:56 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/270861/security-tool-and-maybe-some-other-badguys/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users