Unable to run MBAM, any virus protection, and HijackThis


junktrunk


Hello,

I am using a separate computer from the one infected, because the virus is not allowing me to access this website. I am infected with both Windows Police Pro and Total Security. They are preventing me from using any virus or spybot programs. I can use my browser, but am prevented from using certain pages, like Malwarebytes. I am unable to use HijackThis as well. I'm running Windows XP. When I try to run Task Manager, the entire program isn't visible, only the processes tab. I tried to follow instructions in this post: http://www.malwarebytes.org/forums/index.php?showtopic=23983, but was then unable to open MBAM.

Any help would be greatly appreciated.


Let's try a rootkit detector. Please read these instructions carefully.

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


I'm not sure how, but when I restarted my computer I was able to run Win32kDiag, and got this log:

Running from: E:\Documents and Settings\Jenaveve\Desktop\Win32kDiag.exe

Log file at : E:\Documents and Settings\Jenaveve\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'E:\WINDOWS'...

Found mount point : E:\WINDOWS\$hf_mig$\KB972260\KB972260

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP389.tmp\ZAP389.tmp

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP496.tmp\ZAP496.tmp

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB2.tmp\ZAPB2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: E:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

[1] 2001-08-23 07:00:00 714752 E:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 01:56:52 743936 E:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()

[1] 2004-08-04 01:56:52 764416 E:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\helpsvc.exe (Microsoft Corporation)


Well, that is much better. At least we have identified the problem, but we are still not finished. Let's see if we can remove those mount points.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. (Allow enough time to run this application) When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"E:\Documents and Settings\Jenaveve\Desktop\Win32kDiag.exe" -f -r

Then, please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    [Screenshots of the Firefox download dialog and of the rename step were shown here.]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt".

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.


Thank you. Still working on ComboFix, but here is Win32kDiag log:

Running from: E:\Documents and Settings\Jenaveve\Desktop\Win32kDiag.exe

Log file at : E:\Documents and Settings\Jenaveve\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'E:\WINDOWS'...

Found mount point : E:\WINDOWS\$hf_mig$\KB972260\KB972260

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\$hf_mig$\KB972260\KB972260

Found mount point : E:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\addins\addins

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP389.tmp\ZAP389.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP389.tmp\ZAP389.tmp

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP496.tmp\ZAP496.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP496.tmp\ZAP496.tmp

Found mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB2.tmp\ZAPB2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB2.tmp\ZAPB2.tmp

Found mount point : E:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\assembly\temp\temp

Found mount point : E:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\assembly\tmp\tmp

Found mount point : E:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Config\Config

Found mount point : E:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : E:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\chsime\applets\applets

Found mount point : E:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : E:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\imejp\applets\applets

Found mount point : E:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\imejp98\imejp98

Found mount point : E:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : E:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : E:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : E:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\ime\shared\res\res

Found mount point : E:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : E:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : E:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\java\classes\classes

Found mount point : E:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\java\trustlib\trustlib

Found mount point : E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : E:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\msapps\msinfo\msinfo

Found mount point : E:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\mui\mui

Found mount point : E:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : E:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Cannot access: E:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Attempting to restore permissions of : E:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Found mount point : E:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : E:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\PIF\PIF

Found mount point : E:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : E:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Found mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Found mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Found mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Found mount point : E:\WINDOWS\SoftwareDistribution\Download\dfd20fda6478d599fc1417f0319287a1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\Download\dfd20fda6478d599fc1417f0319287a1\backup\backup

Found mount point : E:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Found mount point : E:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : E:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : E:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : E:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\1025\1025

Found mount point : E:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\1028\1028

Found mount point : E:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\1031\1031

Found mount point : E:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\1037\1037

Found mount point : E:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\1041\1041

Found mount point : E:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\1042\1042

Found mount point : E:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\1054\1054

Found mount point : E:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\2052\2052

Found mount point : E:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\3076\3076

Found mount point : E:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : E:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : E:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Collab

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks\eBooks

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks\eBooks

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\Preferences

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\ESSPXWJ4\ESSPXWJ4

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\ESSPXWJ4\ESSPXWJ4

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\HPAppData\HPAppData

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\HPAppData\HPAppData

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\QSL9MEM6\ak.c.ooyala.com\ak.c.ooyala.com

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\QSL9MEM6\ak.c.ooyala.com\ak.c.ooyala.com

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : E:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Found mount point : E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\Search\Search

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\Search\Search

Found mount point : E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : E:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : E:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks

Found mount point : E:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : E:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : E:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : E:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\dhcp\dhcp

Found mount point : E:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: E:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : E:\WINDOWS\system32\dumprep.exe

Cannot access: E:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : E:\WINDOWS\system32\eventlog.dll

[1] 2001-08-23 07:00:00 47616 E:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 55808 E:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 61952 E:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 01:56:44 55808 E:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : E:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\export\export

Found mount point : E:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : E:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : E:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : E:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : E:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : E:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : E:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : E:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : E:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\oobe\sample\sample

Found mount point : E:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : E:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : E:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : E:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\wbem\mof\good\good

Found mount point : E:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : E:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\wins\wins

Found mount point : E:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\system32\xircom\xircom

Found mount point : E:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Found mount point : E:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Found mount point : E:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!
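The two Win32kDiag logs above are long enough that a responder would want to triage them automatically rather than by eye. The script below is an added example (not part of this thread and not Win32kDiag's own code): it parses that log format from a constructed sample, flags mount points whose target is not a normal "\??\" volume path or that have the self-named "X\X" shape seen throughout the logs, and compares each file the tool could not access against the other copies it listed. The sample paths and the "\??\" heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Win32kDiag log format; the paths are made up, not
# taken from a real machine.
SAMPLE_LOG = r"""Running from: E:\Documents and Settings\User\Desktop\Win32kDiag.exe
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'E:\WINDOWS'...
Found mount point : E:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : E:\WINDOWS\addins\addins
Found mount point : E:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Removing mount point : E:\WINDOWS\system32\config\systemprofile\Recent\Recent
Found mount point : E:\Data\Shared
Mount point destination : \??\D:\Shared
Cannot access: E:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : E:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 01:56:44 55808 E:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 E:\WINDOWS\SoftwareDistribution\Download\abc\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 01:56:44 61952 E:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 01:56:44 55808 E:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
REMOVE_RE = re.compile(r"^Removing mount point : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] <date> <time> <size> <path> (<company>)"; the company may be empty.
FILE_RE = re.compile(r"^\[(\d+)\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")


def parse_log(text):
    """Turn the log into mount points, inaccessible files and listed file copies."""
    mount_points, inaccessible, file_copies = [], [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := MOUNT_RE.match(line):
            current = {"path": m.group(1), "destination": None, "removed": False}
            mount_points.append(current)
        elif (m := DEST_RE.match(line)) and current:
            current["destination"] = m.group(1)
        elif (m := REMOVE_RE.match(line)) and current and current["path"] == m.group(1):
            current["removed"] = True
        elif m := NOACCESS_RE.match(line):
            inaccessible.append(m.group(1))
        elif m := FILE_RE.match(line):
            file_copies.append({"marker": int(m.group(1)), "timestamp": m.group(2),
                                "size": int(m.group(3)), "path": m.group(4),
                                "company": m.group(5)})
    return {"mount_points": mount_points, "inaccessible": inaccessible,
            "file_copies": file_copies}


def is_suspicious_destination(dest):
    # Heuristic (assumption): legitimate junctions and volume mount points are
    # recorded as \??\<drive or Volume{GUID}>\...; a target naming a bare
    # \Device\ object, or no target at all, deserves a closer look.
    return not (dest or "").startswith("\\??\\")


def suspicious_mount_points(parsed):
    """Return (path, destination, reasons, removed) for each mount point worth review."""
    flagged = []
    for mp in parsed["mount_points"]:
        reasons = []
        if is_suspicious_destination(mp["destination"]):
            reasons.append("non-volume destination")
        parts = mp["path"].rstrip("\\").split("\\")
        # A reparse point named after its own parent (...\addins\addins) is the
        # shape every entry in the logs above has.
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("self-named nested directory")
        if reasons:
            flagged.append((mp["path"], mp["destination"], reasons, mp["removed"]))
    return flagged


def suspect_file_copies(parsed):
    """For each inaccessible file, compare its entry with the other copies listed."""
    by_name = defaultdict(list)
    for fc in parsed["file_copies"]:
        by_name[fc["path"].rsplit("\\", 1)[-1].lower()].append(fc)
    flagged = []
    for locked in parsed["inaccessible"]:
        copies = by_name.get(locked.rsplit("\\", 1)[-1].lower(), [])
        # Sizes of copies that carry a company name serve as the reference set.
        known_sizes = {c["size"] for c in copies if c["company"]}
        for c in copies:
            if c["path"].lower() != locked.lower():
                continue
            if not c["company"] or c["size"] not in known_sizes:
                flagged.append({"path": c["path"], "size": c["size"],
                                "company": c["company"],
                                "reference_sizes": sorted(known_sizes)})
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for path, dest, reasons, removed in suspicious_mount_points(parsed):
        print(f"{path} -> {dest}: {', '.join(reasons)} (removed={removed})")
    for f in suspect_file_copies(parsed):
        print(f"{f['path']}: size {f['size']}, company {f['company']!r}, "
              f"reference sizes {f['reference_sizes']}")
```

On the real logs the same two checks flag every "\Device\__max++>\^" entry and the blank-company copies of helpsvc.exe and eventlog.dll, which is the evidence the helper is reacting to.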


I am actually unable to run Combofix. I have AVG disabled and am unable to open Avira to disable it. I have no other virus protection running.

When I try to run ComboFix, I get this iexplorer error:

"The instruction at "0x7c901e76" referenced memory at "0x0000000000". The memory could not be "read"."

And another window pops up that says "Disclaimer of Warranty on Software...."

I followed instructions and redownloaded from given link as Combo-Fix.


GMER 1.0.15.15087 - http://www.gmer.net

Rootkit quick scan 2009-09-16 20:24:07

Windows 5.1.2600 Service Pack 2

Running: oz7qo9dg.exe; Driver: E:\DOCUME~1\Jenaveve\LOCALS~1\Temp\pxtdypow.sys

---- System - GMER 1.0.15 ----

Code 89C12148 ZwEnumerateKey

Code 89C12228 ZwFlushInstructionCache

Code 89D4A9F6 ZwSaveKey

Code 89D55466 ZwSaveKeyEx

Code 89D3C9F6 IofCallDriver

Code 8A49D0EE IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Services - GMER 1.0.15 ----

Service E:\WINDOWS\system32\drivers\kbiwkmxdebnalw.sys (*** hidden *** ) [sYSTEM] kbiwkmnwyqryoy <-- ROOTKIT !!!

Service system32\drivers\UACvkalrjrbob.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


To boot your computer in Safe Mode follow these steps :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.


Then run Combofix. If Combofix won't run, try GMER once again and post its report.


I'm guessing it's really bad when I am unable to run in Safe Mode. Every time I select it, the computer reboots completely.

Is there anything I can do at this point other than reinstall Windows?

I am sure we can try, but considering the type of infection affecting the computer, a reformat and clean install would be my recommendation. The computer is infected with a backdoor trojan.

These are the most dangerous, and most widespread type of Trojan. Backdoor Trojans provide the author or

