

Need Help With infection


This topic is locked.
26 replies to this topic

#16 Buckeye_Sam (Malware Expert)

Posted 12 November 2009 - 05:36 PM

Did you run that command with win32kdiag.exe yet?
Please post the log from that command.


Let's try combofix again now that we've cleaned up a few things.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================


#17 Iowa Hawkeye (Topic Starter)

Posted 12 November 2009 - 08:58 PM

I went back to post #14 and copied and pasted the entire line into Run. I will post the log here.

Running from: C:\Users\Milt\Desktop\win32kdiag.exe

Log file at : C:\Users\Milt\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21B3.tmp\ZAP21B3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21B3.tmp\ZAP21B3.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP456B.tmp\ZAP456B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP456B.tmp\ZAP456B.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D78.tmp\ZAP7D78.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D78.tmp\ZAP7D78.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Cannot access: C:\Windows\bthservsdp.dat

Attempting to restore permissions of : C:\Windows\bthservsdp.dat

Found mount point : C:\Windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1

Found mount point : C:\Windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2

Found mount point : C:\Windows\Downloaded Program Files\CONFLICT.3\CONFLICT.3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Downloaded Program Files\CONFLICT.3\CONFLICT.3

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\Windows\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\java\classes\classes

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Minidump\Minidump

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ModemLogs\ModemLogs

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\logs\logs

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6000.16903_none_bcd054bd502d52a6\x86_wsdapi_31bf3856ad364e35_6.0.6000.16903_none_bcd054bd502d52a6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6000.16903_none_bcd054bd502d52a6\x86_wsdapi_31bf3856ad364e35_6.0.6000.16903_none_bcd054bd502d52a6

Found mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6000.21103_none_bd59c9aa694b25b2\x86_wsdapi_31bf3856ad364e35_6.0.6000.21103_none_bd59c9aa694b25b2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6000.21103_none_bd59c9aa694b25b2\x86_wsdapi_31bf3856ad364e35_6.0.6000.21103_none_bd59c9aa694b25b2

Found mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6001.18306_none_beb994414d512f9c\x86_wsdapi_31bf3856ad364e35_6.0.6001.18306_none_beb994414d512f9c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6001.18306_none_beb994414d512f9c\x86_wsdapi_31bf3856ad364e35_6.0.6001.18306_none_beb994414d512f9c

Found mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6001.22491_none_bedce04e66bc4c2c\x86_wsdapi_31bf3856ad364e35_6.0.6001.22491_none_bedce04e66bc4c2c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6001.22491_none_bedce04e66bc4c2c\x86_wsdapi_31bf3856ad364e35_6.0.6001.22491_none_bedce04e66bc4c2c

Found mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6002.18085_none_c048867f4ab94af1\x86_wsdapi_31bf3856ad364e35_6.0.6002.18085_none_c048867f4ab94af1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6002.18085_none_c048867f4ab94af1\x86_wsdapi_31bf3856ad364e35_6.0.6002.18085_none_c048867f4ab94af1

Found mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6002.22194_none_c0c6531463dfed55\x86_wsdapi_31bf3856ad364e35_6.0.6002.22194_none_c0c6531463dfed55

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6002.22194_none_c0c6531463dfed55\x86_wsdapi_31bf3856ad364e35_6.0.6002.22194_none_c0c6531463dfed55

Found mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16908_none_b71543169d58fafc\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16908_none_b71543169d58fafc

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16908_none_b71543169d58fafc\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16908_none_b71543169d58fafc

Found mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.21108_none_b79eb803b676ce08\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.21108_none_b79eb803b676ce08

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.21108_none_b79eb803b676ce08\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.21108_none_b79eb803b676ce08

Found mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18311_none_b8e9afca9a8df67d\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18311_none_b8e9afca9a8df67d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18311_none_b8e9afca9a8df67d\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18311_none_b8e9afca9a8df67d

Found mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22497_none_b922cef1b3e70dd9\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22497_none_b922cef1b3e70dd9

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22497_none_b922cef1b3e70dd9\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22497_none_b922cef1b3e70dd9

Found mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.18091_none_ba79a25297f52b29\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.18091_none_ba79a25297f52b29

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.18091_none_ba79a25297f52b29\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.18091_none_ba79a25297f52b29

Found mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.22200_none_bb639005b0cab34a\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.22200_none_bb639005b0cab34a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\33c6dbd62afdd63b131f4eba491de2db\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.22200_none_bb639005b0cab34a\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.22200_none_bb639005b0cab34a

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Cannot access: C:\Windows\System32\drivers\sfi.dat

Attempting to restore permissions of : C:\Windows\System32\drivers\sfi.dat

[1] 2009-11-12 20:14:01 1474832 C:\Windows\System32\drivers\sfi.dat ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Cannot access: C:\Windows\System32\mrt.exe

Attempting to restore permissions of : C:\Windows\System32\mrt.exe

Cannot access: C:\Windows\System32\wbem\WmiPrvSE.exe

Attempting to restore permissions of : C:\Windows\System32\wbem\WmiPrvSE.exe

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp



Finished!

Edited by Iowa Hawkeye, 12 November 2009 - 09:27 PM.
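The log above pairs every planted reparse point with the same non-filesystem destination, `\Device\__max++>\^`, and separately lists the files whose permissions the tool had to restore. The Python below is an added example, not part of this thread and not code from the win32kdiag tool: it parses that log format, pairs each "Found mount point" with its "Mount point destination", records which ones were removed, and flags destinations that do not look like an ordinary volume mount point. The sample log is constructed after the format shown above; the `\??\Volume{GUID}\` shape assumed for a benign volume mount point and the path `C:\Mounts\Data` are assumptions, not something the thread shows.

```python
r"""Added example: triage a win32kdiag-style log.

Pairs each 'Found mount point' with its 'Mount point destination', records
which ones were removed, and flags destinations that are not an ordinary
volume mount point.  The sample log is constructed after the format in the
thread; the \??\Volume{GUID}\ shape assumed for a benign mount point and the
path C:\Mounts\Data are assumptions, not something the thread shows."""
import re
from typing import Dict, List, Optional

FOUND = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
REMOVED = re.compile(r"^Removing mount point\s*:\s*(.+?)\s*$")
RESTORED = re.compile(r"^Attempting to restore permissions of\s*:\s*(.+?)\s*$")
# A legitimate volume mount point resolves to \??\Volume{GUID}\ (assumption).
VOLUME_TARGET = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\?$")

# Constructed sample: two planted junctions as the thread's log shows them,
# one benign volume mount point (assumed), and one file whose ACL was reset.
SAMPLE_LOG = r"""
Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Found mount point : C:\Mounts\Data

Mount point destination : \??\Volume{01234567-89ab-cdef-0123-456789abcdef}\

Cannot access: C:\Windows\System32\drivers\sfi.dat

Attempting to restore permissions of : C:\Windows\System32\drivers\sfi.dat

[1] 2009-11-12 20:14:01 1474832 C:\Windows\System32\drivers\sfi.dat ()

Finished!
"""


def parse_win32kdiag(text: str) -> Dict[str, list]:
    """Return mount points (path, target, removed) and ACL-restored paths."""
    mount_points: List[Dict[str, object]] = []
    acl_restored: List[str] = []
    pending: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FOUND.match(line):
            pending = {"path": m.group(1), "target": None, "removed": False}
            mount_points.append(pending)
        elif (m := DEST.match(line)) and pending is not None:
            pending["target"] = m.group(1)
        elif m := REMOVED.match(line):
            for mp in mount_points:
                if str(mp["path"]).lower() == m.group(1).lower():
                    mp["removed"] = True
        elif m := RESTORED.match(line):
            acl_restored.append(m.group(1))
    return {"mount_points": mount_points, "acl_restored": acl_restored}


def suspicious_mount_points(report: Dict[str, list]) -> List[Dict[str, object]]:
    r"""Flag reparse points that do not look like volume mount points.

    Two signals taken from the log: the destination is not a \??\Volume{GUID}\
    path, and the junction carries the same name as the directory it sits in
    (C:\Windows\tracing\tracing), which is how every planted one above looks."""
    flagged = []
    for mp in report["mount_points"]:
        reasons = []
        target = str(mp["target"] or "")
        if not VOLUME_TARGET.match(target):
            reasons.append("destination is not a volume GUID path: " + target)
        parts = str(mp["path"]).rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction named after its parent directory")
        if reasons:
            flagged.append({**mp, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    report = parse_win32kdiag(SAMPLE_LOG)
    for mp in suspicious_mount_points(report):
        state = "removed" if mp["removed"] else "STILL PRESENT"
        print(f"{mp['path']} -> {mp['target']} [{state}]")
        for reason in mp["reasons"]:
            print("   ", reason)
    for path in report["acl_restored"]:
        print("permissions restored:", path)
```

Run against a saved log, the "STILL PRESENT" marker is the thing to look for: a planted junction the tool found but did not report removing would need another pass before any of the scanners in the thread can be trusted to read those directories.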


#18 Iowa Hawkeye
  • Topic Starter
  • Members
  • 17 posts

Posted 12 November 2009 - 09:37 PM

Ok, I downloaded and renamed Combo-Fix.exe before saving to desktop. Launched it but got error message: Windows cannot access specified device, path or file. You may not have appropriate permissions.

#19 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 November 2009 - 08:58 AM

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


#20 Iowa Hawkeye
  • Topic Starter
  • Members
  • 17 posts

Posted 13 November 2009 - 09:23 AM

Here is the log you asked for.


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

..
Failed to open \\?\c:\\Program Files\COMODO\COMODO Internet Security\Quarantine: Access is denied.


.

...

...

...


Failed to open \\?\c:\\Program Files\Dell Support Center\HWDiag\bin\pcdrsysinfodirect.p5x: Access is denied.


...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.


.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.


..\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates



...
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ead68023b9e60d8f10f6ed90e896ea90_6c0dfda2-005d-4614-968c-348116f6b595: Access is denied.




...

.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0b3ffb52-ccf1-11de-956d-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0b3ffb5e-ccf1-11de-956d-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0b3ffb80-ccf1-11de-956d-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0e4566dc-cea5-11de-8a83-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0e4566e6-cea5-11de-8a83-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0e4566fc-cea5-11de-8a83-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0e456706-cea5-11de-8a83-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{0e45670a-cea5-11de-8a83-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{549c8af8-cc45-11de-b80c-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{549c8b04-cc45-11de-b80c-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{5c895e31-cb69-11de-952a-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296b7-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296bb-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296bf-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296c3-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296c7-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296cb-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296cf-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{854296d3-cf61-11de-80e0-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{cac826e6-cf90-11de-b486-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{e84a3200-cdcc-11de-81ea-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{e84a323c-cdcc-11de-81ea-001d09b1a28b}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.


\\?\c:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT

\\?\c:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..

.
Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ead68023b9e60d8f10f6ed90e896ea90_6c0dfda2-005d-4614-968c-348116f6b595: Access is denied.


..

...\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Milt\Application Data: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming
Substitute Name: C:\Users\Milt\AppData\Roaming

\\?\c:\\Users\Milt\Cookies: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Milt\Local Settings: JUNCTION
Print Name : C:\Users\Milt\AppData\Local
Substitute Name: C:\Users\Milt\AppData\Local

\\?\c:\\Users\Milt\My Documents: JUNCTION
Print Name : C:\Users\Milt\Documents
Substitute Name: C:\Users\Milt\Documents

\\?\c:\\Users\Milt\NetHood: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Milt\PrintHood: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Milt\Recent: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Milt\SendTo: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Milt\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Milt\Start Menu: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Milt\Templates: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Milt\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Milt\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Milt\AppData\Local
Substitute Name: C:\Users\Milt\AppData\Local

\\?\c:\\Users\Milt\AppData\Local\History: JUNCTION
Print Name : C:\Users\Milt\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Milt\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Milt\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Milt\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Milt\AppData\Local\Microsoft\Windows\Temporary Internet Files



...

...

...

...

...

...


Failed to open \\?\c:\\Users\Milt\Desktop\HijackThis.exe: Access is denied.



Failed to open \\?\c:\\Users\Milt\Desktop\Downloads\hawkeye.exe.exe: Access is denied.



Failed to open \\?\c:\\Users\Milt\Documents\hjscan.exe.exe: Access is denied.


\\?\c:\\Users\Milt\Documents\My Music: JUNCTION
Print Name : C:\Users\Milt\Music
Substitute Name: C:\Users\Milt\Music

\\?\c:\\Users\Milt\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Milt\Pictures
Substitute Name: C:\Users\Milt\Pictures

\\?\c:\\Users\Milt\Documents\My Videos: JUNCTION
Print Name : C:\Users\Milt\Videos
Substitute Name: C:\Users\Milt\Videos

..\\?\c:\\Users\Milt_2\Application Data: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming
Substitute Name: C:\Users\Milt_2\AppData\Roaming

\\?\c:\\Users\Milt_2\Cookies: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Milt_2\Local Settings: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Local
Substitute Name: C:\Users\Milt_2\AppData\Local

\\?\c:\\Users\Milt_2\My Documents: JUNCTION
Print Name : C:\Users\Milt_2\Documents
Substitute Name: C:\Users\Milt_2\Documents

\\?\c:\\Users\Milt_2\NetHood: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Milt_2\PrintHood: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Milt_2\Recent: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Milt_2\SendTo: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Milt_2\Start Menu: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Milt_2\Templates: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Milt_2\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Milt_2\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Local
Substitute Name: C:\Users\Milt_2\AppData\Local

\\?\c:\\Users\Milt_2\AppData\Local\History: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Milt_2\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Milt_2\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Milt_2\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Milt_2\AppData\Local\Microsoft\Windows\Temporary Internet Files

.

\\?\c:\\Users\Milt_2\Documents\My Music: JUNCTION
Print Name : C:\Users\Milt_2\Music
Substitute Name: C:\Users\Milt_2\Music

\\?\c:\\Users\Milt_2\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Milt_2\Pictures
Substitute Name: C:\Users\Milt_2\Pictures

\\?\c:\\Users\Milt_2\Documents\My Videos: JUNCTION
Print Name : C:\Users\Milt_2\Videos
Substitute Name: C:\Users\Milt_2\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Windows\System32\drivers\sfi.dat: Access is denied.


...

...

...

...

...

...

...
Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...
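The junction log above is mostly the ordinary Vista compatibility junctions (Application Data, My Documents, Start Menu and so on), but the "Access is denied" lines on SpybotSD.exe, SUPERAntiSpyware.exe, HijackThis.exe and sfi.dat are the part that matters: an elevated scan should be able to open those, and the helper's next post resets exactly those paths. The Python below is an added example, not part of the thread and not code from Sysinternals' junction.exe: it parses `junction -s` output, separates the known compatibility junctions from reparse points that need a look, and flags denials outside the places a scan is normally denied. The sample is constructed after the format above; how junction.exe would display a planted junction (here `C:\Windows\tracing\tracing` with the `\Device\__max++>\^` target reported by the earlier win32kdiag log) is an assumption, as are the allowlists.

```python
r"""Added example: triage `junction -s` output.

Separates the Vista compatibility junctions (Application Data, My Documents,
...) from reparse points that need a look, and flags 'Access is denied' on
files an elevated scan should be able to open.  Sample lines are constructed
after the format in the thread; the way junction.exe would display a planted
junction (here C:\Windows\tracing\tracing with the \Device\__max++>\^ target
from the earlier win32kdiag log) is an assumption, as are both allowlists."""
import re
from typing import Dict, List, Optional

SAMPLE_JUNCTION_LOG = r"""
Junction v1.05 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Program Files\COMODO\COMODO Internet Security\Quarantine: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.
..\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT

\\?\c:\\Users\Milt\Application Data: JUNCTION
Print Name : C:\Users\Milt\AppData\Roaming
Substitute Name: C:\Users\Milt\AppData\Roaming

\\?\c:\\Windows\tracing\tracing: JUNCTION
Print Name : \Device\__max++>\^
Substitute Name: \Device\__max++>\^

Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.
Failed to open \\?\c:\\Users\Milt\Desktop\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Windows\System32\drivers\sfi.dat: Access is denied.
"""

# Leading progress dots, then the \\?\ long-path prefix junction.exe prints.
PREFIX = re.compile(r"^\.*\\\\\?\\")
DRIVE_DOUBLED = re.compile(r"^([A-Za-z]:)\\\\")
DENIED = re.compile(r"^\.*Failed to open (.+?): Access is denied\.$")

# Legacy folder names that Vista implements as junctions for compatibility (assumed allowlist).
LEGACY_NAMES = {
    "application data", "cookies", "local settings", "my documents", "nethood",
    "printhood", "recent", "sendto", "start menu", "templates", "history",
    "temporary internet files", "my music", "my pictures", "my videos",
    "desktop", "documents", "favorites", "default user",
}
# Locations an elevated scan is normally denied even on a clean system (assumed allowlist).
EXPECTED_DENIED = ("\\system volume information", "\\crypto\\rsa\\machinekeys", "\\quarantine")


def normalize(path: str) -> str:
    r"""Turn \\?\c:\\Program Files\x into c:\Program Files\x."""
    return DRIVE_DOUBLED.sub(r"\1\\", PREFIX.sub("", path))


def parse_junction_log(text: str) -> Dict[str, list]:
    """Collect reparse points (with Print/Substitute names) and denied paths."""
    junctions: List[Dict[str, Optional[str]]] = []
    denied: List[str] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DENIED.match(line)
        if m:
            denied.append(normalize(m.group(1)))
            continue
        body = line.lstrip(".")          # junction.exe prints a dot per directory scanned
        if body.startswith("\\\\?\\") and ": " in body:
            path, kind = body.rsplit(": ", 1)
            current = {"path": normalize(path), "kind": kind,
                       "print_name": None, "substitute_name": None}
            junctions.append(current)
        elif body.startswith("Print Name") and current is not None:
            current["print_name"] = body.split(":", 1)[1].strip()
        elif body.startswith("Substitute Name") and current is not None:
            current["substitute_name"] = body.split(":", 1)[1].strip()
    return {"junctions": junctions, "denied": denied}


def leaf(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def triage(report: Dict[str, list]) -> Dict[str, list]:
    """Junctions outside the compatibility set, and denials outside the expected set."""
    unexpected = [j for j in report["junctions"]
                  if j["kind"] == "JUNCTION" and leaf(j["path"]) not in LEGACY_NAMES]
    suspicious = [p for p in report["denied"]
                  if not any(marker in p.lower() for marker in EXPECTED_DENIED)]
    return {"unexpected_junctions": unexpected, "suspicious_denials": suspicious}


if __name__ == "__main__":
    result = triage(parse_junction_log(SAMPLE_JUNCTION_LOG))
    for j in result["unexpected_junctions"]:
        print(f"review junction: {j['path']} -> {j['substitute_name']}")
    for p in result["suspicious_denials"]:
        print(f"access denied, ACL may have been altered: {p}")
```

The denial list is the useful output for a thread like this one: it is the set of paths a permission-reset step has to cover, and anything left on it after that step means the tool did not get the ACL back.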

#21 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 November 2009 - 07:04 PM

We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:


    "%userprofile%\desktop\inherit" "c:\Program Files\COMODO\COMODO Internet Security\Quarantine"

    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"

    "%userprofile%\desktop\inherit" "c:\Users\Milt\Desktop\HijackThis.exe"

    "%userprofile%\desktop\inherit" "c:\Users\Milt\Desktop\Downloads\hawkeye.exe.exe"

    "%userprofile%\desktop\inherit" "c:\Users\Milt\Documents\hjscan.exe.exe"

    "%userprofile%\desktop\inherit" "c:\Windows\System32\drivers\sfi.dat"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.

=======================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#22 Iowa Hawkeye
  • Topic Starter
  • Members
  • 17 posts

Posted 13 November 2009 - 09:29 PM

It's sure good to finally get a scan to run and finish. Here is the MBAM log.

Malwarebytes' Anti-Malware 1.41
Database version: 3167
Windows 6.0.6002 Service Pack 2

11/13/2009 8:17:23 PM
mbam-log-2009-11-13 (20-17-23).txt

Scan type: Quick Scan
Objects scanned: 98523
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

#23 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 November 2009 - 08:49 AM

Ok, give me an update on how things are working. Or not working, if that's the case. :(

#24 Iowa Hawkeye
  • Topic Starter
  • Members
  • 17 posts

Posted 14 November 2009 - 04:53 PM

Things seem to be working fine. I haven't found anything that is negative, but I haven't been using the computer much since you informed me not to. If you are getting to the end of my disinfection, would you please give me some suggestions as to anti-spyware programs, anti-virus programs, etc. that you feel do a good job of protecting my system? I have Super Anti-spyware Pro, Mbam, Spyware Dr. full version and Comodo anti-virus/firewall suite. Something that's not a memory hog. Should I have an anti-spyware program running in the background? I know a lot of it is personal preference, but I would like to know your preferences. Thanks

#25 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 November 2009 - 05:18 PM

SpywareDoctor can be pretty heavy on resources if you run it in the background, but it's an excellent program. I also recommend Malwarebytes and Superantispyware. If it was me I'd make sure that I had at least two of those three and ran them regularly, as well as an antivirus, firewall, and Spywareblaster. Here's some more info for you.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.


#26 Iowa Hawkeye
  • Topic Starter
  • Members
  • 17 posts

Posted 14 November 2009 - 06:21 PM

Ok, thank you very much for your help. Greatly appreciated. I will take your suggestions and use them religiously. Should I have a spyware/malware program running in the background, and which one of the ones listed above would you suggest? I will help you with your fight against Malware. Not near enough for what you did, just a token of my appreciation. Thanks again Sam.

By the way, is it necessary to do a full scan on these programs? I usually do, but they sure take a long time to finish. I also downloaded SpywareBlaster and it's running. Instructions say it doesn't have to be showing in the task bar to protect my computer. Is that correct? So basically all I have to do is keep it updated?

Edited by Iowa Hawkeye, 15 November 2009 - 02:57 AM.


#27 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 November 2009 - 05:46 PM

I would keep one program providing real time protection. You can experiment with them and see which one seems to be easiest on your computer's resources. I'm guessing Superantispyware will be, but not sure. Try to get in the habit of running a scan at least once per week. I would run the full scan at least once a month, but the rest of the time you'll probably be ok with the quick scan. You are correct, Spywareblaster does not need to run in the background. Just keep it updated.

Thank you for the donation! :(
