
Hijack and malware quit running



Hijack and Malware run for a few seconds then just quit. If I try to run them again I have to redo the file security for the application. The only log I have is this one.

Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP149.tmp\ZAP149.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP229.tmp\ZAP229.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24F.tmp\ZAP24F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-484763869-343818398-725345543-500\S-1-5-21-484763869-343818398-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2DPOJAKH\2DPOJAKH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LGDUF9NE\LGDUF9NE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M6S3DPG7\M6S3DPG7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZTPJUYQE\ZTPJUYQE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\DRVSTORE\DRVSTORE

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\BRANDING\favs\favs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe ()

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Finished!


I did some more reading and here is the output from Junction.exe. I hope these logs will help.

Junction v1.05 - Windows junction creator and reparse point viewer

Copyright © 2000-2007 Mark Russinovich

Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

...

...

.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine: Access is denied.

..

...

...

Failed to open \\?\c:\\Program Files\Common Files\Symantec Shared\COH\COH32.exe: Access is denied.

...

...

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.

...

...

...

Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.

.

Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

\\?\c:\\WINDOWS\$hf_mig$\KB915865\KB915865: MOUNT POINT

Substitute Name: \Device\__max++>\^

..

...

...

\\?\c:\\WINDOWS\addins\addins: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP149.tmp\ZAP149.tmp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP229.tmp\ZAP229.tmp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24F.tmp\ZAP24F.tmp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\temp\temp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\tmp\tmp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Config\Config: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Connection Wizard\Connection Wizard: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d1\d1: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d2\d2: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d3\d3: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d4\d4: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d5\d5: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d6\d6: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d7\d7: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d8\d8: MOUNT POINT

Substitute Name: \Device\__max++>\^

..

...

.\\?\c:\\WINDOWS\ime\chsime\applets\applets: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\CHTIME\Applets\Applets: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp\applets\applets: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp98\imejp98: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imjp8_1\applets\applets: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\applets\applets: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\dicts\dicts: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\shared\res\res: MOUNT POINT

Substitute Name: \Device\__max++>\^

..

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\classes\classes: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\trustlib\trustlib: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\msapps\msinfo\msinfo: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\BATCH\BATCH: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Config\News\News: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\System\DFS\DFS: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\System_OEM\System_OEM: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Temp\Temp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PIF\PIF: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Registration\CRMLog\CRMLog: MOUNT POINT

Substitute Name: \Device\__max++>\^

..

...\\?\c:\\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Sun\Java\Deployment\Deployment: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SxsCaPendDel\SxsCaPendDel: MOUNT POINT

Substitute Name: \Device\__max++>\^

.

Failed to open \\?\c:\\WINDOWS\system32\eventlog.dll: The process cannot access the file because it is being used by another process.

.

Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.

.

\\?\c:\\WINDOWS\system32\1025\1025: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1028\1028: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1031\1031: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1037\1037: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1041\1041: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1042\1042: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\1054\1054: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\2052\2052: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\3076\3076: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\3com_dmi\3com_dmi: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\Adobe\update\update: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\appmgmt\MACHINE\MACHINE: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\appmgmt\S-1-5-21-484763869-343818398-725345543-500\S-1-5-21-484763869-343818398-725345543-500: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Desktop\Desktop: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Favorites\Favorites: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2DPOJAKH\2DPOJAKH: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LGDUF9NE\LGDUF9NE: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M6S3DPG7\M6S3DPG7: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZTPJUYQE\ZTPJUYQE: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\My Documents: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\NetHood\NetHood: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\config\systemprofile\Recent\Recent: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\dhcp\dhcp: MOUNT POINT

Substitute Name: \Device\__max++>\^

..

\\?\c:\\WINDOWS\system32\drivers\disdn\disdn: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\DRVSTORE\DRVSTORE: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\export\export: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\GroupPolicy\Machine\Machine: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\GroupPolicy\User\User: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\BRANDING\favs\favs: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\IME\CINTLGNT\CINTLGNT: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\IME\PINTLGNT\PINTLGNT: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\IME\TINTLGNT\TINTLGNT: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\mui\dispspec\dispspec: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\oemcust\oemcust: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\oemhw\oemhw: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\html\oemreg\oemreg: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\oobe\sample\sample: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\system32\ShellExt\ShellExt: MOUNT POINT

Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\system32\wbem\mof\bad\bad: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\wbem\mof\good\good: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\wbem\snmp\snmp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\wins\wins: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system32\xircom\xircom: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Temp\Google Toolbar\Google Toolbar: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\WinSxS\InstallTemp\InstallTemp: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2: MOUNT POINT

Substitute Name: \Device\__max++>\^


Hello and welcome to the forum!

Try running a scan with RootRepeal, followed by DDS, a scanner tool.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black window and message box shall then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Also, please provide a description of any remaining problems or symptoms you may still have.

With Regards,

Extremeboy


RootRepeal does not run, or at least the one I downloaded from the forum sticky help notes did not work. I will follow your posting when I get home tonight and update you with the information. I also have the Active Desktop Recovery screen coming up with both normal logon and safe mode with networking.


Hello.

Yes, many tools including those above are being blocked.

Please run ComboFix, followed by Win32kDiag again.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:

ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Please refer to this page for full instructions on how to run ComboFix.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Win32KDiag

Please download Win32kDiag from one of the links below and save it to your desktop.

Link 1

Link 2

Link 3

  1. Double-click on Win32kDiag.exe to run it. If you are using Windows Vista, please right-click and select Run As Administrator.
  2. A black command prompt window shall appear.
  3. It will now begin to scan. This may take a while, please be patient until the scan is complete.
  4. Once it's done, in the black screen it will say "Finished! Press any key to exit...." Press any key to exit.
  5. A log file called Win32kDiag.txt will be created on your desktop.
  6. Please copy and paste the contents of that log file here in your next reply.

With Regards,

Extremeboy


Hello.

Try running DDS again, followed by GMER. Post the logs once they are done.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure; Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double-click the GMER icon on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

With Regards,

Extremeboy


Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,

Extremeboy


Hello.

Due to lack of feedback this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,

Extremeboy
