Everything posted by Gunslinger Falcon

  1. Hey dude! Thanks so much for all of your help, you put some serious work into this one. I did decide to go ahead and reformat simply because as you said it's the safest option, besides which the thing really needed cleaning up anyway. Again thanks so much for your help, I really appreciate your commitment to helping people out of sticky malware situations. I've installed COMODO firewall and antivirus as well as MBAM on my new system. Anything else I should load up to protect my laptop from future infection?
  2. Avenger log: Still no dice on MBAM or combofix. I'm thinking my best option may be to backup and format - College starts up for me on Monday so time will be scant, and it seems my computer is getting progressively slower. That aside, I was already considering reformatting now that I have a new desktop anyway. But, you let me know what you think is best.
  3. Still no dice. All I get is half a second with the hourglass pointer and then nothing. I've tried it several times, in safe mode and normal. I've triple checked my spelling and all that, since I have to copy it by hand onto the infected laptop.
  4. I tried running the command -- it would appear nothing happens. I get no .txt file or anything. The process appears to run for a split second and then disappears. Still unable to run MBAM.
  5. Just an update - I've tried doing the above in Safe Mode, still to no avail. I'm considering backing up my important data and formatting. Is this virus known to spread through USB transfer of music, images, and documents?
  6. Thanks screen317! Killer GUNZ avatar, btw. Avenger2 log: At this time the antivirus rogue kicked into high gear, this time with the name of Windows Antivirus Pro. Having read up on this one I went into the Task Manager and shut down WindowsAntivirusPro.exe and svchast.exe as well as several other random single letter .exe's running. This gave me a brief moment in which MBAM was able to run but it crashed shortly thereafter. Same luck with ComboFix.
  7. Win32KDiag log follows:
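Win32kDiag output of the kind posted in post 7 (mount points whose destination is the rootkit device \Device\__max++>\^, and "Cannot access" system files whose live copy reports no vendor or a different size from its service-pack backup) can be triaged mechanically. This is an added Python example, not part of the thread nor of Win32kDiag itself; the sample log is constructed in that format, and the assumption that a legitimate mount point resolves to \??\Volume{GUID} is mine.

```python
import re

# Constructed sample in the Win32kDiag format of post 7.  Sizes and dates for
# attrib.exe and eventlog.dll are taken from the posted log; the second mount
# point (an ordinary volume junction, assumed form) and its GUID are made up.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\Mounts\Data
Mount point destination : \??\Volume{2f0a1c1e-3c2b-11de-9a5b-806d6172696f}
Cannot access: C:\WINDOWS\system32\attrib.exe
[1] 2004-08-04 07:00:00 11264 C:\WINDOWS\$NtServicePackUninstall$\attrib.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:12 12288 C:\WINDOWS\ServicePackFiles\i386\attrib.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:12 12288 C:\WINDOWS\system32\attrib.exe ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] <date> <time> <size> <path> (<company>)"; the path may contain spaces.
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def assess_file(path, copies):
    """Compare the live copy of a locked file with its service-pack backups; returns (kind, path, detail) tuples."""
    live = [c for c in copies if c["path"].lower() == path.lower()]
    refs = [c for c in copies if c["path"].lower() != path.lower()]
    out = []
    for c in live:
        if not c["company"]:
            out.append(("file", path, "live copy reports no vendor"))
        # A backup carrying the same timestamp should have the same size.
        twins = [r for r in refs if r["when"] == c["when"]]
        if twins and all(r["size"] != c["size"] for r in twins):
            out.append(("file", path, f"size {c['size']} differs from backup {twins[0]['size']}"))
    return out


def triage_win32kdiag(text):
    """Return (kind, path, detail) findings: hidden junctions and tampered files."""
    findings, mount, locked, copies = [], None, None, []
    for line in map(str.strip, text.splitlines()):
        if m := MOUNT_RE.match(line):
            mount = m.group(1)
        elif (m := DEST_RE.match(line)) and mount is not None:
            # Real volume mount points resolve to \??\Volume{GUID}; anything else
            # (here the rootkit's own device object) is a hidden junction.
            if not m.group(1).startswith(r"\??\Volume{"):
                findings.append(("junction", mount, "redirected to " + m.group(1)))
            mount = None
        elif m := CANNOT_RE.match(line):
            if locked:
                findings += assess_file(locked, copies)
            locked, copies = m.group(1), []
        elif (m := COPY_RE.match(line)) and locked:
            copies.append({"when": m.group(1), "size": int(m.group(2)),
                           "path": m.group(3), "company": m.group(4)})
    if locked:
        findings += assess_file(locked, copies)
    return findings
```

Run `triage_win32kdiag(open("win32kdiag.txt").read())` on a real report; every "junction" finding and every "file" finding with a blank vendor is a file the on-disk cleaner could not see and that a reinstall or offline scan must handle.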
  8. Forgot to mention I am given the error message Error - could not init. MFT runlist! before the program crashes on the second try.
  9. After the first time I tried to run RootRepeal the program presented several error messages and abruptly crashed. Every attempt thereafter yields this error message: Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog. Followed by another crash on the second attempted scan, after which the program refuses to run and displays this error message: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. Twice I have tried deleting the file and then importing it to my desktop again -- same result.
  10. Hello all! I seem to be infected with this latest nasty bugger that's going around. I was confronted with the usual fake scan & some AV software was installed. As a kneejerk reaction I disabled the running file and tried to remove the software, which only succeeded in a fake uninstall that's removed the icon. It was titled AV something or other - AV Protect or something like that - and used the typical Windows shield as an icon. In any case, MBAM, HijackThis, and ComboFix solutions are not working for me. MBAM will not run at all, neither will HJT. ComboFix attempts to run but does not move beyond "Attempting to Create System Restore Point." I am also unable to identify any foreign .exe with ProcessExplorer as of yet. Other symptoms include redirects of any and all antivirus related websites to spam sites, slower startup, and all system restore points deleted. I have tried the renaming solutions to no avail. At this point I'm out of my league, so any help would be appreciated. Thanks so much for your time! --Falcon