
Desktop gone, exe files won't run and spyware programs shut down in mid scan


Dave5151


I have developed a most unusual problem and I cannot see a way round it. I am using Windows XP SP3.

1. My desktop has suddenly vanished along with the taskbar. Only the background remains. This also occurs in safe mode.

2. Many .exe files no longer work. I keep getting the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item."

3. I cannot check for spyware or viruses as when I run any program to check for them, the programs close themselves down when I begin the scans.

4. Any attempt to research the problem on the internet causes the internet browser to close down. The browser only seems to do this when I go to any pages where I can download anti spyware programs, etc.

I can only access anything on my PC now by the use of the Task Manager. Because of this problem, I have been unable to run the programs you requested before posting this, as they just close themselves down when I try to run them, including Anti-Malware and HijackThis, which until this problem have always worked fine.

I hope someone can help me on this one. This is the most serious problem I've ever had. Thanks in advance.

Sorry, also forgot to mention that all my system restore dates have gone too so I can't even try that.


As I feared, this did not work. I ran Win32kDiag and I let it do its thing. Then when it finished and it said "press any key to continue", I did so, and the black box vanished and nothing else happened and no .txt file was saved. I have searched for the file and it definitely is not there. This kind of thing is what keeps happening with other programs. Whatever this infection is, it seems to be designed to be impervious.


Download RootRepeal from one of the following locations and save it to your desktop:

Link 1
Link 2
Link 3

  • Double click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the attach icon to insert the attachment into your post


I managed to get Win32kDiag to run in safe mode. This is the first program like this I have been able to run in safe mode. The log is as follows. I am currently trying RootRepeal and will post the log later if it works.

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

Kaspersky Anti-Virus 2010 Beta

Kaspersky Anti-Virus 2010 Beta

OneCare Advisor (Windows Live Toolbar)

OneCare Advisor (Windows Live Toolbar)

``````````````````````````````

Anti-malware/Other Utilities Check:

Spyware Doctor 6.1

SpywareBlaster 4.2

Spybot - Search & Destroy

Malwarebytes' Anti-Malware

IE SpyAd

HijackThis 2.0.2

RegVac Registry Cleaner 5.01 (Trial Version)

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````


RootRepeal worked and here is the log:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/22 07:36

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: ang7tlts.SYS

Image Path: C:\WINDOWS\System32\Drivers\ang7tlts.SYS

Address: 0xB88B6000 Size: 417792 File Visible: No Signed: -

Status: -

Name: apb1247b.SYS

Image Path: C:\WINDOWS\System32\Drivers\apb1247b.SYS

Address: 0xB884F000 Size: 421888 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA6584000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79CF000 Size: 8192 File Visible: No Signed: -

Status: -

Name: mchInjDrv.sys

Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Address: 0xA65D1000 Size: 2560 File Visible: No Signed: -

Status: -

Name: PCI_NTPNP4384

Image Path: \Driver\PCI_NTPNP4384

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA594C000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\PIF\PIF

Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config

Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard

Status: Locked to the Windows API!

Path: C:\WINDOWS\ftpcache\ftpcache

Status: Locked to the Windows API!

Path: C:\WINDOWS\mui\mui

Status: Locked to the Windows API!

Path: C:\WINDOWS\occache\occache

Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins

Status: Locked to the Windows API!

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB888240\KB888240

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB912812\KB912812

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB916281\KB916281

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB918899\KB918899

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB920213\KB920213

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB922760\KB922760

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB924496\KB924496

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB929969\KB929969

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933566\KB933566

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933729\KB933729

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168

Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB943460\KB943460

Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\UserMode\UserMode

Status: Locked to the Windows API!

Path: C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog

Status: Locked to the Windows API!

Path: C:\WINDOWS\AppPatch\Custom\Custom

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo

Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98

Status: Locked to the Windows API!

Path: C:\WINDOWS\inf\ASM\ASM

Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment

Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets

Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Status: Locked to the Windows API!

Path: C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\6d16348987bfa3ee3fd983361ac371cb\backup\backup

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\f079f64483de750433b596960466dd78\backup\backup

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\88a28ec3847c01e056ff4268caaa255d\backup\backup

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\3a4c74ad66aac0b11d953bbcf3937ae6\backup\backup

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16F.tmp\ZAP16F.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CD.tmp\ZAP1CD.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3BA.tmp\ZAP3BA.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3D.tmp\ZAP3D.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5A.tmp\ZAP5A.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C.tmp\ZAP5C.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5E0.tmp\ZAP5E0.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\av3.tmp

Status: Allocation size mismatch (API: 16130048, Raw: 0)

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\12\12-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v12-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\13\13-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v13-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\14\14-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v14-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\15\15-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v15-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\16\16-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v16-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\17\17-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v17-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\18\18-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v18-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\19\19-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v19-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\20\20-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v20-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v20-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\21\21-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v21-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\22\22-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v22-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\23\23-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v23-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v23-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\24\24-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v24-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\david thompson\Local Settings\Application Data\Microsoft\Messenger\dave.thompson5151@btinternet.com\SharingMetadata\x_07xshellx89_x@hotmail.com\DFSR\Staging\CS{3AE0B93B-C421-9EB2-0BBF-5B6452DF66FB}\25\25-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v25-{74453364-E9B7-4E43-ADFF-F2ED88A862D3}-v25-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

SSDT

-------------------

#: 011 Function Name: NtAdjustPrivilegesToken

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843dec6

#: 025 Function Name: NtClose

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e620

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f130

#: 035 Function Name: NtCreateEvent

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f630

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e902

#: 041 Function Name: NtCreateKey

Status: Hooked by "PCTCore.sys" at address 0xba6dad72

#: 043 Function Name: NtCreateMutant

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f508

#: 044 Function Name: NtCreateNamedPipeFile

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843da9e

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f3c4

#: 047 Function Name: NtCreateProcess

Status: Hooked by "PCTCore.sys" at address 0xba6bb9a6

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "PCTCore.sys" at address 0xba6bbb98

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843dc5a

#: 051 Function Name: NtCreateSemaphore

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f762

#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8440fd8

#: 053 Function Name: NtCreateThread

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e3dc

#: 056 Function Name: NtCreateWaitablePort

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f466

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa84409da

#: 063 Function Name: NtDeleteKey

Status: Hooked by "PCTCore.sys" at address 0xba6db568

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "PCTCore.sys" at address 0xba6db820

#: 066 Function Name: NtDeviceIoControlFile

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843ed8a

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa84419ac

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843d7d6

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843d880

#: 084 Function Name: NtFsControlFile

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843eb96

#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8440a6c

#: 098 Function Name: NtLoadKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843cdd4

#: 099 Function Name: NtLoadKey2

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843cde6

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa844108c

#: 111 Function Name: NtNotifyChangeKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843d9cc

#: 114 Function Name: NtOpenEvent

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f6d2

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e6a2

#: 119 Function Name: NtOpenKey

Status: Hooked by "PCTCore.sys" at address 0xba6d9a80

#: 120 Function Name: NtOpenMutant

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f5a0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e0c4

#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8441002

#: 126 Function Name: NtOpenSemaphore

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843f804

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843dfe8

#: 160 Function Name: NtQueryKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843d92a

#: 161 Function Name: NtQueryMultipleValueKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843d552

#: 167 Function Name: NtQuerySection

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa84413ac

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843d258

#: 180 Function Name: NtQueueApcThread

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8440cf0

#: 192 Function Name: NtRenameKey

Status: Hooked by "PCTCore.sys" at address 0xba6dbc8a

#: 193 Function Name: NtReplaceKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843ca5a

#: 194 Function Name: NtReplyPort

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843fb8e

#: 195 Function Name: NtReplyWaitReceivePort

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843fa54

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8440700

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843cbbc

#: 206 Function Name: NtResumeThread

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa844188c

#: 207 Function Name: NtSaveKey

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843c85c

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843ee6e

#: 213 Function Name: NtSetContextThread

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e4dc

#: 230 Function Name: NtSetInformationToken

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa84400d0

#: 237 Function Name: NtSetSecurityObject

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8440b66

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa84414ee

#: 247 Function Name: NtSetValueKey

Status: Hooked by "PCTCore.sys" at address 0xba6db036

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa84415d2

#: 254 Function Name: NtSuspendThread

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa84416fe

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8440906

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "PCTCore.sys" at address 0xba6bb656

#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e192

#: 267 Function Name: NtUnmapViewOfSection

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa844125e

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa843e31c

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x8ae911e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]

Process: System Address: 0x89fa6790 Size: 121

Object: Hidden Code [Driver: Udfs

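The RootRepeal log above mixes expected entries with real indicators. The SSDT hooks are all placed by klif.sys and PCTCore.sys, the kernel drivers of the Kaspersky and Spyware Doctor installs that the Security Check log lists, so they are noise here. What a responder would escalate is the pair of driver files hidden from the Windows API with random eight-character names, the long list of directories locked to the API whose leaf repeats the parent name (C:\WINDOWS\PIF\PIF, KB888240\KB888240 and so on), and the single "Hidden Code" address sitting behind every IRP_MJ handler of Ntfs and Fastfat. The Python script below is an added example, not code from the thread or from the RootRepeal or Win32kDiag authors. It parses the record formats visible in the posted logs, plus the "Found mount point" / "Mount point destination" pairs that Win32kDiag prints later in the thread, and lists only the escalations. The driver-to-product mapping, the eight-character-name heuristic and the rule that a benign junction target begins with \??\ are the example's own assumptions; the sample log text is a constructed excerpt made of lines taken from the posted logs.

```python
import re
from collections import defaultdict

# Drivers whose SSDT hooks are expected on this machine. Assumption: klif.sys
# belongs to Kaspersky and PCTCore.sys to PC Tools Spyware Doctor, both listed
# as installed in the Security Check log; rootrepeal.sys is the scanner itself.
KNOWN_HOOKERS = {"klif.sys", "pctcore.sys", "rootrepeal.sys"}
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.sys$", re.I)   # heuristic, e.g. ang7tlts.SYS

DRIVER_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s+Image Path:\s*[^\n]+?\s*\n\s*Address:\s*0x[0-9A-Fa-f]+"
    r"\s+Size:\s*\d+\s+File Visible:\s*(?P<visible>\w+)\s+Signed:\s*\S+")
SSDT_RE = re.compile(
    r'#:\s*\d+\s+Function Name:\s*(?P<fn>\w+)\s+Status:\s*Hooked by "(?P<hooker>[^"]+)"')
LOCKED_RE = re.compile(
    r"Path:\s*(?P<path>[^\n]+?)\s*\n\s*Status:\s*Locked to the Windows API!")
HIDDEN_CODE_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<drv>\w+), (?P<irp>IRP_MJ_\w+)\]\s+"
    r"Process: \w+ Address: (?P<addr>0x[0-9A-Fa-f]+)")
MOUNT_RE = re.compile(
    r"Found mount point : (?P<path>[^\n]+?)\s*\n\s*Mount point destination : (?P<dest>[^\n]+)")


def triage(rootrepeal_text, win32kdiag_text=""):
    """Return (kind, subject, reason) tuples for the log entries worth escalating."""
    findings = []

    # 1. Driver files hidden from the Win32 API that carry a random 8-character name.
    for m in DRIVER_RE.finditer(rootrepeal_text):
        name = m["name"]
        if (name.lower() not in KNOWN_HOOKERS and m["visible"].lower() == "no"
                and RANDOM_NAME.match(name)):
            findings.append(("driver", name, "file hidden from the API, random 8-char name"))

    # 2. SSDT hooks grouped by hooking driver; only unrecognised drivers escalate,
    #    so a product you forgot to list shows up once, not once per syscall.
    hooks = defaultdict(list)
    for m in SSDT_RE.finditer(rootrepeal_text):
        hooks[m["hooker"].rsplit("\\", 1)[-1].lower()].append(m["fn"])
    for hooker, fns in hooks.items():
        if hooker not in KNOWN_HOOKERS:
            findings.append(("ssdt", hooker, f"{len(fns)} hooks by an unlisted driver"))

    # 3. Locked directories whose leaf repeats the parent name (X\X), the shape
    #    of every "Locked to the Windows API!" entry in the posted log.
    for m in LOCKED_RE.finditer(rootrepeal_text):
        parts = m["path"].rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            findings.append(("locked-dir", m["path"], "leaf name repeats parent name"))

    # 4. "Hidden Code" in a file-system driver's dispatch table: one line per
    #    (driver, detour address) with the number of IRP_MJ handlers it covers.
    detours = defaultdict(set)
    for m in HIDDEN_CODE_RE.finditer(rootrepeal_text):
        detours[(m["drv"], m["addr"])].add(m["irp"])
    for (drv, addr), irps in detours.items():
        findings.append(("irp-hook", drv, f"{len(irps)} IRP_MJ handlers detoured to {addr}"))

    # 5. Win32kDiag mount points. Assumption: a benign junction target begins
    #    with \??\ ; anything else (e.g. \Device\__max++>\^) is escalated.
    for m in MOUNT_RE.finditer(win32kdiag_text):
        dest = m["dest"].strip()
        if not dest.startswith("\\??\\"):
            findings.append(("mount-point", m["path"], f"reparse target {dest}"))
    return findings


# Constructed excerpt: lines copied from the logs posted in this thread.
ROOTREPEAL_SAMPLE = """\
Name: ang7tlts.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\ang7tlts.SYS
Address: 0xB88B6000 Size: 417792 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xA6584000 Size: 98304 File Visible: No Signed: -
Status: -
Path: C:\\WINDOWS\\$hf_mig$\\KB888240\\KB888240
Status: Locked to the Windows API!
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\klif.sys" at address 0xa843e902
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xba6dad72
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ae911e8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ae911e8 Size: 121
"""
WIN32KDIAG_SAMPLE = """\
Found mount point : C:\\WINDOWS\\$hf_mig$\\KB888240\\KB888240
Mount point destination : \\Device\\__max++>\\^
"""

if __name__ == "__main__":
    for kind, subject, reason in triage(ROOTREPEAL_SAMPLE, WIN32KDIAG_SAMPLE):
        print(f"{kind:12} {subject}\n             {reason}")
```

To use it on the real reports, pass the contents of RootRepeal.txt and Win32kDiag.txt read from disk. The forum's double spacing between log lines does not matter, since every pattern joins fields with \s+. The dump_atapi.sys and dump_WMILIB.SYS entries are deliberately not flagged: they are also "File Visible: No", but crash-dump drivers are normally loaded that way, and the name heuristic is what separates them from the two random-name drivers.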

Hi, Dave5151 :)

The log for Win32kdiag is not included. It should be saved on your desktop.

Let's take a deeper look:

Download OTS.exe by OldTimer to your Desktop.

  1. Close any open browsers.
  2. Double-click on OTS.exe to start the program.
  3. Leave all settings as they appear by default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  4. Now click the Run Scan button on the toolbar.
  5. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  6. When the scan is complete Notepad will open with the report file loaded in it.
  7. Save that notepad file.

Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).


Sorry, I must have posted the wrong log earlier. This is the log for Win32kdiag.

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

Kaspersky Anti-Virus 2010 Beta

Kaspersky Anti-Virus 2010 Beta

OneCare Advisor (Windows Live Toolbar)

OneCare Advisor (Windows Live Toolbar)

``````````````````````````````

Anti-malware/Other Utilities Check:

Spyware Doctor 6.1

SpywareBlaster 4.2

Spybot - Search & Destroy

Malwarebytes' Anti-Malware

IE SpyAd

HijackThis 2.0.2

RegVac Registry Cleaner 5.01 (Trial Version)

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````


Win32kdiag report - 3rd time lucky. I don't know how it happened, but what I posted earlier was indeed what was contained in the Win32kdiag.txt file that was on my desktop. I have run the program again and this time it looks correct. I have already posted the OTS log, but I have attached it again to this post in case it has been missed.

Running from: C:\Documents and Settings\david thompson\Desktop\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\david thompson\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB888240\KB888240

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929969\KB929969

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16F.tmp\ZAP16F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CD.tmp\ZAP1CD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3BA.tmp\ZAP3BA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3D.tmp\ZAP3D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5A.tmp\ZAP5A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C.tmp\ZAP5C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5E0.tmp\ZAP5E0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\explorer.exe

[1] 2007-06-13 12:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)

[1] 2007-06-13 11:23:07 1033216 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)

[1] 2004-08-04 20:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)

[1] 2008-04-14 01:12:19 1033728 C:\WINDOWS\explorer.exe ()

[1] 2008-04-14 01:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\ASM\ASM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 20:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3a4c74ad66aac0b11d953bbcf3937ae6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6d16348987bfa3ee3fd983361ac371cb\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\88a28ec3847c01e056ff4268caaa255d\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f079f64483de750433b596960466dd78\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Finished!

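The Win32kDiag log above is what the helper reads to decide which copy of explorer.exe to restore. As an added example (not a tool from this thread), the following Python parses that output, lists the directories that have been turned into reparse points, and for each locked file picks a copy that still carries version information. Treating a destination under \Device\__max++> as non-standard and a trailing "()" as "no company/version information" are assumptions of this example, not statements from the thread.

```python
"""Parse Win32kDiag output (as posted above) and pull out what a responder acts on.

Added example, not a tool from the thread. Assumptions made here, not stated in
the thread: a mount-point destination under \\Device\\__max++> is treated as
non-standard, and a trailing "()" is read as "no company/version information".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a short excerpt of the Win32kDiag log posted in this thread.
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 12:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2008-04-14 01:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-14 01:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
# [n] <date> <time> <size> <path, spaces allowed> (<company, possibly empty>)
COPY_RE = re.compile(r"^\[\d+\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")

UNUSUAL_DEST_PREFIX = "\\Device\\__max++>"  # assumption, see module docstring


@dataclass
class Copy:
    stamp: str
    size: int
    path: str
    company: str  # "" when the log shows "()"


@dataclass
class Report:
    mount_points: list = field(default_factory=list)  # (directory, destination)
    locked: dict = field(default_factory=dict)        # locked path -> [Copy, ...]


def parse_win32kdiag(text: str) -> Report:
    """Walk the log line by line; copies attach to the preceding 'Cannot access' entry."""
    report = Report()
    pending_dir = None
    current_locked = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_dir = m.group(1)
        elif m := DEST_RE.match(line):
            report.mount_points.append((pending_dir, m.group(1)))
            pending_dir = None
        elif m := LOCKED_RE.match(line):
            current_locked = m.group(1)
            report.locked[current_locked] = []
        elif (m := COPY_RE.match(line)) and current_locked is not None:
            report.locked[current_locked].append(
                Copy(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return report


def unusual_mount_points(report: Report) -> list:
    """Directories turned into reparse points aimed at the non-standard destination."""
    return [d for d, dest in report.mount_points if dest.startswith(UNUSUAL_DEST_PREFIX)]


def copies_without_version_info(report: Report) -> dict:
    """For each locked file, the copies whose company field is empty ('()' in the log)."""
    return {locked: [c.path for c in copies if c.company == ""]
            for locked, copies in report.locked.items()}


def restore_sources(report: Report) -> dict:
    """Pick one copy per locked file: company field present and not the locked path itself,
    preferring ServicePackFiles (the copy the helper used below), then the newest stamp."""
    chosen = {}
    for locked, copies in report.locked.items():
        candidates = [c for c in copies if c.company and c.path.lower() != locked.lower()]
        if not candidates:
            continue
        candidates.sort(key=lambda c: ("\\servicepackfiles\\" in c.path.lower(), c.stamp),
                        reverse=True)
        chosen[locked] = candidates[0].path
    return chosen


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_LOG)
    for d in unusual_mount_points(rep):
        print("reparse point:", d)
    for locked, src in restore_sources(rep).items():
        print(f"{locked}: no version info on {copies_without_version_info(rep)[locked]}, "
              f"restore from {src}")
```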

Hi, Dave5151 :)

Please follow these steps:

Step 1

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply.

"C:\Documents and Settings\david thompson\Desktop\Win32kDiag(2).exe" -f -r

Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt".

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


I have a few questions before I do this.

1. Do you have the correct log for Win32Kdiag.txt which I posted last night at 7pm? The fact that you are asking me to post it again is making me wonder if it was received.

2. If I do need to post it again, I cannot do it by the method you described as I cannot click on Start due to having no desktop and task bar.

3. Combo-Fix stated that I have Kaspersky Anti-Virus running but as far as I am aware I have not got it running. I don't know which of the processes running in Task Manager is Kaspersky's, in order to shut it down. Because of this, I have not let Combo-Fix run yet.


How are you running these programs?

Do you have access to the Recovery Console? The Recovery Console can be accessed with the XP installation CD. It has nothing to do with reinstalling Windows. The Recovery Console is a tool we can use to remove and replace files and folders. Let me know if you have access to it. It is an option we can use.

Are you familiar with running programs through a command prompt?


I am running the programs through the Task Manager, by selecting File and New Task. I do have access to the Recovery Console. I don't have an installation CD, but it comes up as an option on the PC to run it on start-up. I guess it must be already installed.

No, I am not familiar with running programs through a command prompt.


Hi, Dave5151 :)

Run the following command (including the quotation marks) as a New Task:

"C:\Documents and Settings\david thompson\Desktop\Win32kDiag(2).exe" -f -r

Note: Leave a space between the Win32kDiag(2).exe" and -f and another between -f and -r

Restart the computer to the Recovery Console. At the C:\Windows prompt type the following and press Enter after each line:

Ren Explorer.exe Explorer.old

Copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe

Exit

Allow the computer to restart. If able to logon into Windows, download and run Combo-fix as requested above.


Hi, Dave5151 :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::

c:\windows\win32k.sys

C:\~QTWTMP.TMP

FCopy::

c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys

c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00


Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report

If you are having problems running MBAM with the latest updates, remove your copy and follow these steps:

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let's scan for remnants:

Please run the F-Secure Online Scanner

Note: You must use Internet Explorer for this scan!

  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

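The Registry:: section of the CFScript above writes BootExecute as a REG_MULTI_SZ in hex(7) notation, one byte per character with a double NUL terminator. As an added example (not ComboFix code), the following Python decodes that notation, also accepting the UTF-16LE form Regedit uses in .reg exports, re-encodes it, and checks a BootExecute line against the stock "autocheck autochk *" value; the stock value is taken from the script above and is an assumption of this example.

```python
"""Decode and re-encode the REG_MULTI_SZ 'hex(7)' notation used in the CFScript above,
and check BootExecute against its stock value. Added example, not ComboFix code.

The CFScript line stores one byte per character with a double NUL terminator;
Regedit's own .reg export writes REG_MULTI_SZ as UTF-16LE (two bytes per character).
decode_multi_sz() accepts both. The expected value is an assumption taken from the
script above.
"""

# The value exactly as it appears in the CFScript above.
BOOTEXECUTE_LINE = ('"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,'
                    '61,75,74,6f,63,68,6b,20,2a,00,00')
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]


def parse_reg_value_line(line: str):
    """Split '"Name"=hex(7):aa,bb,...' into (name, type_tag, raw_hex)."""
    name, sep, rest = line.partition("=")
    if not sep:
        raise ValueError("not a name=value line")
    type_tag, sep, raw = rest.partition(":")
    if not sep:
        raise ValueError("no type tag")
    return name.strip().strip('"'), type_tag.strip().lower(), raw


def hex_list_to_bytes(raw: str) -> bytes:
    """'61,75,...' -> bytes. .reg files wrap long values with backslash-newline; strip it."""
    cleaned = raw.replace("\\\r\n", "").replace("\\\n", "").replace(" ", "")
    return bytes(int(tok, 16) for tok in cleaned.split(",") if tok)


def decode_multi_sz(data: bytes) -> list:
    """Turn REG_MULTI_SZ bytes into a list of strings.
    UTF-16LE is assumed when every odd byte is zero (true for ASCII text in .reg exports);
    otherwise the bytes are read as single-byte text, as in the CFScript above."""
    if len(data) % 2 == 0 and data and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    parts = text.split("\x00")
    while parts and parts[-1] == "":  # drop the string terminator and the list terminator
        parts.pop()
    return parts


def encode_multi_sz(strings: list, wide: bool = False) -> str:
    """Inverse of decode_multi_sz: comma-separated hex, one byte per character by default
    (CFScript style) or UTF-16LE when wide=True (Regedit style)."""
    text = "\x00".join(strings) + "\x00\x00"
    data = text.encode("utf-16-le" if wide else "latin-1")
    return ",".join(f"{b:02x}" for b in data)


def bootexecute_is_stock(line: str) -> bool:
    """True when the line is a BootExecute hex(7) value equal to 'autocheck autochk *'."""
    name, type_tag, raw = parse_reg_value_line(line)
    if name.lower() != "bootexecute" or type_tag != "hex(7)":
        return False
    return decode_multi_sz(hex_list_to_bytes(raw)) == EXPECTED_BOOTEXECUTE


if __name__ == "__main__":
    name, tag, raw = parse_reg_value_line(BOOTEXECUTE_LINE)
    print(name, tag, decode_multi_sz(hex_list_to_bytes(raw)))
    print("stock:", bootexecute_is_stock(BOOTEXECUTE_LINE))
```

An extra entry in the list (anything after "autocheck autochk *") makes the check return False, which is the case worth looking at on a machine like the one in this thread.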

Hi, Dave5151 :)

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Right click on the Start button and select Explore. Navigate to the following location and delete the .bat file indicated.

C:\WINDOWS\SYSTEM32\WINDOWSAUTOMATICUPDATES.BAT

Let's do some housekeeping:

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type or copy and paste "c:\documents and settings\david thompson\Desktop\Combo-Fix.exe" /u in the runbox (including the quotation marks) and click OK. Note the space between the " and the /u, it needs to be there.

Create a Restore point (If the above process fails to do so):

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

After posting the above report, let me know how the computer is doing.


The computer is running fine apart from one little thing. SuperAntiSpyware will still not run. It is a program I have had and used for a long time and would like to continue to use it. When I try and run it I get the "Windows cannot access the specified path" error. I have uninstalled it and reinstalled it twice now, but it still will not work. During the installation process I get the message:

"Error 1321. Windows installer has insufficient privileges to modify this file: C:\programfiles\SUPERAntiSpyware\SUPERAnitSpyware.exe"

Then I get the option to Abort, Retry or Ignore. If I click ignore and let it install, when I try to run it I get the "Windows cannot access the specified path error again."

Apart from that, everything else seems fine. Here is the log for GooredFix.

GooredFix by jpshortstuff (24.09.09.1)

Log created at 13:41 on 25/09/2009 (david thompson)

Firefox version 3.0.14 (en-GB)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

linkfilter@kaspersky.ru [19:51 20/09/2009]

{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:41 29/07/2005]

{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [14:33 07/07/2007]

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [14:58 07/08/2007]

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [15:53 07/11/2007]

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [13:08 07/03/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

(none)

---------- Old Logs ----------

GooredFix[12.41.12_25-09-2009].txt

-=E.O.F=-


Hi, Dave5151 :P

Download this tool and save it in your root directory (C:\ folder). When saved it should appear as C:\Inherit.exe.

Click on Start -> Run, copy and paste the following command and click OK:

CMD /C C:\Inherit.exe "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

When finished click OK. Retry the program.


Hi, Dave5151 :D

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type or copy and paste "c:\documents and settings\david thompson\Desktop\Combo-Fix.exe" /u in the runbox (including the quotation marks) and click OK. Note the space between the " and the /u, it needs to be there.

Create a Restore point (If the above process fails to do so):

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
  6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  7. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  8. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  9. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  10. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!
