Jump to content

MBAM and HJT won't run


Recommended Posts

I tried to do a quick scan with MBAM but after 3 seconds it shutdown. When I tried to open MBAM again, I got the following message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I uninstalled and then reinstalled MBAM but the same thing happened.

I downloaded HJT to my desktop and tried to run it but after scanning for a short time it also shutdown. I then got the same message as above with MBAM when I tried to open HJT again.

What else can I do. I've also tried using AVG 8.5.409 but after I complete a scan it tells me I have some infections. Some infections were moved to the virus vault but when I try to access the virus vault I get the following error "Virus vault initialization failed. Window will close now." Not sure if this has anything to do with it.

Thanks in advance

Vinnie

Link to post
Share on other sites

Welcome Vinnie

Download (dont run yet) this tool

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

http://ad13.geekstogo.com/Win32kDiag.exe

Place it on your desktop.

Go start run copy then paste in the entire line below and press enter

"%userprofile%\desktop\Win32kDiag.exe" -r -f

A log should open when it is finished, post it please.

~~~~~~~

Visit the webpage below for instructions for downloading and running ComboFix:

But proir to running Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it.

A right click disable is not enough they need to be thoughly disbled.

Please visit HERE if you don't know how. http://www.bleepingcomputer.com/forums/topic114351.html

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post combofix's log which will open automaticly when complete, if not it is located here. C:\combofix.txt

Note: If windows auto-update comes up cancel it for now.

For others looking for a solution, please do not try my advice to this user, post for help yourself.

Link to post
Share on other sites

Running from: C:\Documents and Settings\Vincent\desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Vincent\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\29851d78a712dd32528f7e769a84edaa\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\29851d78a712dd32528f7e769a84edaa\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\windows\net\net

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\windows\common\common

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9bdb478ba8417d739a3c7ead1452ae1c\9bdb478ba8417d739a3c7ead1452ae1c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9bdb478ba8417d739a3c7ead1452ae1c\9bdb478ba8417d739a3c7ead1452ae1c

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd6c2e7701be1a2e63281605463e5e51\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd6c2e7701be1a2e63281605463e5e51\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WBEM\WBEM

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

~

ComboFix 09-09-23.02 - Vincent 09/23/2009 23:12.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.192 [GMT -7:00]

Running from: c:\documents and settings\Vincent\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\owotepu.bat

c:\documents and settings\All Users\Documents\oxalalaq.reg

c:\documents and settings\Vincent\Application Data\iwan.inf

c:\documents and settings\Vincent\Cookies\oruqipofo.scr

c:\documents and settings\Vincent\Cookies\sotuba.bat

c:\documents and settings\Vincent\Cookies\uqoqixiw.scr

c:\documents and settings\Vincent\Local Settings\Application Data\cosaj.reg

c:\documents and settings\Vincent\Local Settings\Application Data\urelyv.inf

c:\documents and settings\Vincent\Local Settings\Temporary Internet Files\efuc.dl

c:\documents and settings\Vincent\Local Settings\Temporary Internet Files\inylybym.inf

c:\documents and settings\Vincent\Local Settings\Temporary Internet Files\qypyf.pif

c:\documents and settings\Vincent\Local Settings\Temporary Internet Files\ujukirulew.bin

c:\program files\Common Files\kyvybymamu.bat

c:\program files\internet optimizer

c:\program files\quick links

c:\program files\quick links\Uninst.log

c:\program files\SurfAccuracy

c:\program files\SurfAccuracy\sacc.cfg.bb79093cf9bc3e7ab182c2913f61e630

c:\program files\SurfAccuracy\sacc.cfg.d5a37a155c71f12aeee8f657420e7d42

c:\windows\dowikiqiv.exe

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\Installer\37b88a.msi

c:\windows\Installer\37b890.msi

c:\windows\Installer\37b896.msi

c:\windows\Installer\9a089.msp

c:\windows\run.log

c:\windows\sonce122713.dat

c:\windows\sonce122739.dat

c:\windows\system32\babjqhsy.ini

c:\windows\system32\cumbpsag.ini

c:\windows\system32\sysloc

c:\windows\system32\UACbxxtpyleewbsinv.dat

c:\windows\system32\UACttrrkqfnghxgpwg.log

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))

.

2009-09-24 06:38 . 2009-09-24 06:39 -------- d-----w- c:\windows\LastGood

2009-09-21 05:25 . 2009-09-21 05:25 -------- d-----w- c:\program files\Trend Micro

2009-09-21 04:37 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-21 04:37 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-19 01:30 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-19 01:05 . 2009-09-24 04:50 0 ----a-r- c:\windows\win32k.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-22 01:22 . 2005-08-03 03:43 -------- d-----w- c:\documents and settings\Vincent\Application Data\MSN6

2009-09-20 20:19 . 2008-02-25 02:38 -------- d-----w- c:\program files\PartyGaming.Net

2009-09-20 19:43 . 2009-05-17 04:21 -------- d-----w- c:\program files\Enigma Software Group

2009-09-20 17:55 . 2008-06-04 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-16 02:15 . 2008-12-18 22:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-16 02:15 . 2008-12-18 22:15 11952 ----a-w- c:\windows\system32\avgrsstx(3).dll

2009-08-16 02:15 . 2008-12-18 22:15 11952 ----a-w- c:\windows\system32\avgrsstx(2).dll

2009-08-16 02:15 . 2008-12-18 22:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-16 02:15 . 2008-12-18 22:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2008-10-18 05:39 . 2008-10-18 05:39 13062 ----a-w- c:\program files\Common Files\sunicypam.db

2003-02-21 12:42 . 2003-02-21 12:42 348160 ----a-w- c:\program files\msvcr71.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 1871872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]

"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-01-15 49152]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-08-30 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Event Reminder.lnk - c:\program files\Broderbund\Broderbund Party and Crafts Creator\pmremind.exe [2007-10-15 331776]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2008-8-1 114688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 02:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/18/2008 3:14 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/18/2008 3:15 PM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/18/2008 3:14 PM 297752]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/18/2008 3:14 PM 908056]

.

Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

mStart Page = hxxp://www.google.com

DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{4372325A-36B7-9C4B-94EE-91E8DD41FA09} - control64.dll

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

HKCU-Run-Testimonials - Uint32.exe

HKCU-Run-MsNetHelper - keybdll.exe

HKCU-Run-pizda - MONITER.exe

HKLM-Run-dmedg.exe - c:\windows\system32\dmedg.exe

HKLM-Run-ProfileWatcher - c:\program files\ProfileWatcher\profilewatcher.exe

HKLM-Run-defect08 - br0ken.exe

Notify-jkkHApml - jkkHApml.dll

AddRemove-Quick Links - c:\program files\Quick Links\Uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 23:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\wuauclt.exe.wusetup.199984.bak 53080 bytes executable

c:\windows\system32\wuaueng.dll.wusetup.206078.bak 1712984 bytes executable

scan completed successfully

hidden files: 2

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2416)

tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\bwwxbvtn\bwwxbvtn\tdlwsp.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-09-24 23:50 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-24 06:50

Pre-Run: 31,163,633,664 bytes free

Post-Run: 33,124,794,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

181

Link to post
Share on other sites

Looking much better

Reinstall Mbam update do a quickscan take action on any items found and post its log please.

Download MBR.exe from http://www.gmer.net/#files

Place it on your desktop but run it in this fashion, go start run type in

"%userprofile%\desktop\mbr.exe" -t

press enter and post the mbr.log that will be next to the mbr.exe tool

Link to post
Share on other sites

After I posted my last log, I shutdown my computer. My computer asked if I wanted to update Windows after loging off and I did.

The next day I turned on my computer and it automatically when to a screen asking if I wanted to start in Safe Mode, Safe Mode with Command Prompt, Safe Mode with networking, Open Windows Normally, or Open Windows with the last properly working settings.

I first choose Safe Mode. The screen then showed a long list of words that covered the whole screen. Something similar to WINDOWS\SYSTEM32\DRIVERS\(This part had different letters each time).SYS It stayed like this for a while so I hit the reset button.

When it started up it asked about the different Safe Modes again. I choose Open with the last properly working settings and my screen was very faint but I could see the Windows XP logo as it normally does when it logs on but nothing happened.

So now I can't even log on to Windows to use my computer. I'm writting this from another computer at work.

Hopefully I can log back on some how so I don't loose my files.

Link to post
Share on other sites

Any luck ?

Combofix installed the recovery console and made registry backups, unfortunatly the trojan/virus you had usualy

prevents registry backups being made properly, we can check that.

1. Restart your computer

2. Before Windows loads, you will be prompted to choose which Operating System to start (be quick its only there to 2 seconds)

3. Use the up and down arrow key to select Microsoft Windows Recovery Console

4. You must enter which Windows installation to log onto. Type 1 and press enter.

5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

Once at c:\windows\erdnt\hiv-backup type

dir

(write down what you see and post that in your next reply)

type exit

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.