
Rootkit - Same problem as everyone else: Combofix/malwarebytes/etc/etc won't run


peeped


Hi, I'm having the same issue as a lot of people at the moment. I've tried following some instructions from the other threads, but they're all kinda user-specific. Please help me.

Symptoms:

- iexplorer.exe running in the background - may play audio adverts.

- Google links in IE broken (I'm currently using Chrome to post this).

- The only other symptom is that none of my antivirus or spyware programs work.

I've tried running ComboFix, Anti-Malware, Ad-Aware, Spybot S&D and HijackThis. Every one either doesn't load or crashes to the desktop halfway through the scan. I've tried renaming the files; ComboFix and Malwarebytes still crash. I've also tried in safe mode.

I have successfully managed to run GMER - here is the log:

GMER 1.0.15.15077 [look.exe] - http://www.gmer.net

Rootkit scan 2009-08-30 13:12:21

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

Code 8A1F046E ZwEnumerateKey

Code 8A1F06C6 ZwFlushInstructionCache

Code 89BDC646 ZwSaveKey

Code 89BEB7DE ZwSaveKeyEx

Code 8A1EDE1D IofCallDriver

Code 8A1ED975 IofCompleteRequest

Code 8A1F112D ZwSaveKey

Code 8A1F14DD ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EDFEA 5 Bytes JMP 8A1EDE22

.text ntkrnlpa.exe!IofCompleteRequest 804EE07A 5 Bytes JMP 8A1ED97A

.text ntkrnlpa.exe!ZwSaveKey 804FE46C 5 Bytes JMP 8A1F1132

.text ntkrnlpa.exe!ZwSaveKeyEx 804FE480 5 Bytes JMP 8A1F14E2

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AABBE 5 Bytes JMP 8A1F06CA

PAGE ntkrnlpa.exe!ZwSaveKey 80617330 5 Bytes JMP 89BDC64A

PAGE ntkrnlpa.exe!ZwSaveKeyEx 806173C0 5 Bytes JMP 89BEB7E2

PAGE ntkrnlpa.exe!ZwEnumerateKey 806196C6 5 Bytes JMP 8A1F0472

? win32k.sys:1 The system cannot find the file specified. !

? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[264] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[264] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[264] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[312] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[312] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[312] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Bonjour\mDNSResponder.exe[384] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Bonjour\mDNSResponder.exe[384] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[432] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[432] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[432] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[572] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[572] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[572] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1272] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1272] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1380] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1380] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00C9000A

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 0118000A

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] WININET.dll!HttpAddRequestHeadersW 780CCF4D 5 Bytes JMP 0127000A

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00E927E0

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] WS2_32.dll!send 71AB428A 5 Bytes JMP 00E927C0

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00E927A0

.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00E929A0

.text C:\WINDOWS\System32\svchost.exe[1756] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1756] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1756] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1832] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1832] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1832] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2

.text C:\WINDOWS\system32\spoolsv.exe[1856] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE

.text C:\WINDOWS\system32\spoolsv.exe[1856] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96

.text C:\Program Files\Java\jre6\bin\jqs.exe[2076] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Java\jre6\bin\jqs.exe[2076] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Java\jre6\bin\jqs.exe[2076] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\PnkBstrA.exe[2556] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\PnkBstrA.exe[2556] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\WINDOWS\system32\PnkBstrA.exe[2556] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[3472] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[3472] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\847C6932.x86.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[3472] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\847C6932.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\AVG\AVG8\avgnsx.exe[264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\PROGRA~1\AVG\AVG8\avgnsx.exe[264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Bonjour\mDNSResponder.exe[384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Bonjour\mDNSResponder.exe[384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Hotspot Shield\bin\openvpnas.exe[432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Hotspot Shield\bin\openvpnas.exe[432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1380] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1380] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Internet Explorer\Iexplore.exe[1724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Internet Explorer\Iexplore.exe[1724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\System32\svchost.exe[1756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\System32\svchost.exe[1756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\System32\svchost.exe[1832] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\System32\svchost.exe[1832] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\spoolsv.exe[1856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672A94

IAT C:\WINDOWS\system32\spoolsv.exe[1856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 35672A1E

IAT C:\Program Files\Java\jre6\bin\jqs.exe[2076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Java\jre6\bin\jqs.exe[2076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\PnkBstrA.exe[2556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\WINDOWS\system32\PnkBstrA.exe[2556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[3472] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll

IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[3472] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\847C6932.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A55D1B8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Rdbss \Device\FsWrap 8A264798

Device \Driver\Cdrom \Device\CdRom1 8A3386B8

Device \FileSystem\Srv \Device\LanmanServer 8A2F1750

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus \Device\00000096 8A2DC208

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\nvatabus \Device\00000098 8A2DC208

Device \Driver\nvatabus \Device\NvAta0 8A2DC208

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A310178

Device \Driver\nvatabus \Device\NvAta1 8A2DC208

Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A310178

Device \Driver\nvatabus \Device\NvAta2 8A2DC208

Device \FileSystem\Npfs \Device\NamedPipe 89C4E930

Device \FileSystem\Msfs \Device\Mailslot 89D36808

Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 8A248008

Device \Driver\d347prt \Device\Scsi\d347prt1 8A248008

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 89BE5B60

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 89BE5B60

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 89BE5B60

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 89BE5B60

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 89BE5B60

Device \FileSystem\Cdfs \Cdfs 8A1D83C8

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgnsx.exe [264] 0x35670000

Library \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [312] 0x10000000

Library \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [312] 0x00AE0000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [312] 0x35670000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [384] 0x35670000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\Program Files\Hotspot Shield\bin\openvpnas.exe [432] 0x35670000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [572] 0x35670000

Library \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [860] 0x10000000

Library \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [860] 0x00AF0000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1272] 0x35670000

Library \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1380] 0x10000000

Library \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1380] 0x00AE0000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1380] 0x35670000

Library \\?\globalroot\systemroot\system32\UACyonmncwxsh.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1704] 0x00E50000

Library \\?\globalroot\systemroot\system32\UACyonmncwxsh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1724] 0x01050000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1724] 0x35670000

Library \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1756] 0x10000000

Library \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1756] 0x00AF0000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1756] 0x35670000

Library \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1832] 0x10000000

Library \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1832] 0x00AE0000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1832] 0x35670000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [2076] 0x35670000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\PnkBstrA.exe [2556] 0x35670000

Library \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2988] 0x10000000

Library \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2988] 0x00AE0000

Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\WMPNetwk.exe [3472] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmfrmsupag.sys (*** hidden *** ) [sYSTEM] kbiwkmjdcdqesm <-- ROOTKIT !!!

Service C:\WINDOWS\system32\drivers\UACwxcnoeblgi.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm@imagepath \systemroot\system32\drivers\kbiwkmfrmsupag.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\main@aid 10002

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\main@sid 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\main\injector@* kbiwkmwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmfrmsupag.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmmykxjkrj.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmbpjddgvv.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmlkayvqkq.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjdcdqesm\modules@kbiwkm.dat \systemroot\system32\kbiwkmrufordsy.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwxcnoeblgi.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwxcnoeblgi.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwoogfsdlpk.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACvuncakcdvj.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACapwmstjtys.db

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyonmncwxsh.dll

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm@imagepath \systemroot\system32\drivers\kbiwkmfrmsupag.sys

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\main@aid 10002

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\main@sid 1

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\main\injector@* kbiwkmwsp.dll

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmfrmsupag.sys

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmmykxjkrj.dll

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmbpjddgvv.dat

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmlkayvqkq.dll

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjdcdqesm\modules@kbiwkm.dat \systemroot\system32\kbiwkmrufordsy.dat

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwxcnoeblgi.sys

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwxcnoeblgi.sys

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwoogfsdlpk.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACvuncakcdvj.dat

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACapwmstjtys.db

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UAClqpbcedlfq.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyonmncwxsh.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

Thanks

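The GMER log above contains four kinds of findings worth separating: kernel and user-mode inline patches (5- or 7-byte JMP/CALL at the start of an API), import-table (IAT) entries redirected into a DLL that lives under a device-namespace path rather than a drive letter, libraries GMER marks as hidden, and two hidden services it flags outright. The script below is an added example for this thread, not GMER's own code and not part of the original post: it parses those line formats and groups every hook by the module GMER says it points into, so an analyst can tell hooks attributed to a normal, signed DLL (the IEFRAME.dll entries) apart from hooks that land in a hidden module or in memory no loaded module claims. The regular expressions are inferred from the lines posted above, and the embedded sample is a constructed excerpt of that log, not the full file.

```python
"""Triage helper for GMER 1.0.15 logs: added example for this thread, not GMER's
own code. It extracts inline hooks, IAT hooks, hidden libraries and hidden
services and groups each hook by the module GMER says it points into.

Assumed: the line layouts encoded in the regexes are inferred from the log
posted in the thread. SAMPLE_LOG is a constructed excerpt of that log.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EDFEA 5 Bytes JMP 8A1EDE22
PAGE ntkrnlpa.exe!ZwEnumerateKey 806196C6 5 Bytes JMP 8A1F0472
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[312] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\847C6932.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1724] WS2_32.dll!send 71AB428A 5 Bytes JMP 00E927C0
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\svchost.exe[312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\847C6932.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672A94
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\847C6932.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [312] 0x35670000
Library \\?\globalroot\systemroot\system32\UACkkmgtvoowx.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [312] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\UACwxcnoeblgi.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

HEX = r"[0-9A-F]{8}"
# ".text|PAGE [<image>[pid]] <module>!<func> [+ off] <addr> <n> Bytes JMP|CALL <target> [<owner>]"
# Kernel entries carry no "<image>[pid]" part, so that group is optional.
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE)\s+(?:(?P<image>.+?)\s+)?(?P<module>[\w.]+)!(?P<func>\w+)"
    r"(?:\s+\+\s+[0-9A-F]+)?\s+" + HEX + r"\s+\d+ Bytes\s+(?P<kind>JMP|CALL)\s+"
    r"(?P<target>" + HEX + r")(?:\s+(?P<owner>.+))?$")
# "IAT <image>[pid] @ <dll> [<module>!<func>] [<target>] [<owner>]"; the brackets
# around <target> are missing on some lines of the posted log, hence \[? ... \]?
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\s+@\s+\S+\s+\[(?P<module>[\w.]+)!(?P<func>\w+)\]\s+"
    r"\[?(?P<target>" + HEX + r")\]?(?:\s+(?P<owner>.+))?$")
LIB_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+.+?\s+"
    r"\[(?P<pid>\d+)\]\s+0x(?P<base>" + HEX + r")$")
SVC_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+"
    r"(?P<name>\S+)(?P<flag>\s+<-- ROOTKIT !!!)?$")
PID_RE = re.compile(r"\[(\d+)\]$")

UNATTRIBUTED = "<unattributed memory>"  # GMER printed no owning module
DEVICE_NS = r"\\?\globalroot\Device"    # device-namespace path, no drive letter


def parse(log_text):
    """Split a GMER log into hook records, hidden libraries and hidden services."""
    hooks, hidden_libs, hidden_services = [], defaultdict(dict), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := LIB_RE.match(line):
            hidden_libs[m["path"]][int(m["pid"])] = int(m["base"], 16)
        elif m := SVC_RE.match(line):
            hidden_services.append({"name": m["name"], "path": m["path"],
                                    "flagged": m["flag"] is not None})
        elif (m := HOOK_RE.match(line)) or (m := IAT_RE.match(line)):
            g = m.groupdict()
            pid = PID_RE.search(g.get("image") or "")
            hooks.append({"image": g.get("image") or "kernel",
                          "pid": int(pid[1]) if pid else None,
                          "symbol": f"{g['module']}!{g['func']}",
                          "kind": g.get("kind") or "IAT",
                          "target": int(g["target"], 16),
                          "owner": g.get("owner")})
    return hooks, hidden_libs, hidden_services


def triage(log_text):
    """Group hooks by destination module; mark hidden or unattributed ones."""
    hooks, hidden_libs, hidden_services = parse(log_text)
    by_owner = defaultdict(list)
    for h in hooks:
        by_owner[h["owner"] or UNATTRIBUTED].append(h)
    suspicious = {owner: hs for owner, hs in by_owner.items()
                  if owner == UNATTRIBUTED or owner in hidden_libs
                  or owner.startswith(DEVICE_NS)}
    return {"hooks": hooks, "by_owner": dict(by_owner), "suspicious": suspicious,
            "hidden_libraries": {p: dict(b) for p, b in hidden_libs.items()},
            "hidden_services": hidden_services}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for owner, hs in report["by_owner"].items():
        tag = "SUSPICIOUS" if owner in report["suspicious"] else "attributed"
        print(f"[{tag}] {owner}")
        for h in hs:
            print(f"    {h['kind']:<4} {h['symbol']} in {h['image']} -> {h['target']:08X}")
    for s in report["hidden_services"]:
        note = " (GMER flagged ROOTKIT)" if s["flagged"] else ""
        print(f"hidden service {s['name']} -> {s['path']}{note}")
```

Run against the full log above, the grouping is what makes the pattern visible: the same three USER32/GDI32 hooks and the same two IAT redirections appear in every listed process, all pointing at the one hidden `__max++` DLL, while the IE dialog hooks resolve to IEFRAME.dll and need no attention. An unattributed hook is not proof of malice on its own (security software also patches code, and the AVG driver shows up legitimately in the Devices section), so the report keeps "unattributed" and "hidden module" as separate buckets rather than collapsing them into one verdict.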

Also, this is the Win32kDiag log. Thanks guys!!!

Log file is located at: C:\Documents and Settings\James\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25A.tmp\ZAP25A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\ZAPD7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\ZAPD9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

[1] 2002-08-29 03:41:24 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 08:56:50 743936 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()

[1] 2004-08-04 08:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PEV.exe

[1] 2009-08-23 03:09:13 229376 C:\WINDOWS\PEV.exe ()

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\cmd.exe

[1] 2001-08-23 13:00:00 375808 C:\WINDOWS\$NtServicePackUninstall$\cmd.exe (Microsoft Corporation)

[1] 2004-08-04 08:56:48 388608 C:\WINDOWS\ServicePackFiles\i386\cmd.exe (Microsoft Corporation)

[2] 2009-08-30 12:04:48 388608 C:\WINDOWS\system32\CF14197.exe (Microsoft Corporation)

[2] 2009-08-30 01:30:22 388608 C:\WINDOWS\system32\CF20961.exe (Microsoft Corporation)

[2] 2009-08-30 01:31:55 388608 C:\WINDOWS\system32\CF21265.exe (Microsoft Corporation)

[2] 2009-08-30 11:37:19 388608 C:\WINDOWS\system32\CF8809.exe (Microsoft Corporation)

[1] 2004-08-04 08:56:48 388608 C:\WINDOWS\system32\cmd.exe ()

Found mount point : C:\WINDOWS\system32\config\RCSBakup\RCSBakup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\regback\regback

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2002-08-29 03:40:52 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:56:42 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!


Hello.

You have a couple rootkit infections on your system.

We'll start with Combofix. If there are any problems, please STOP and let me KNOW before proceeding.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:

ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Please refer to this page for full instructions on how to run ComboFix.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,

Extremeboy


Hello.

Are you still there?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,

Extremeboy
