
Malwarebytes quick scan freezing after 2 seconds


Mkerig


I have the most annoying malware virus. When I install MBAM and use it, the quick scan stops after 2 seconds and closes. When I try starting the program again it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Can you please help me fix this?


Thank you for the quick reply, this is what the scan got:

Running from: C:\Documents and Settings\Administrator.MATT\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator.MATT\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP183.tmp\ZAP183.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A6.tmp\ZAP1A6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A7.tmp\ZAP1A7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A8.tmp\ZAP1A8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28A.tmp\ZAP28A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33F.tmp\ZAP33F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE6.tmp\ZAPE6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\ServicePackFiles\i386\avc.sys

[1] 2004-08-04 02:10:10 38912 C:\WINDOWS\ServicePackFiles\i386\avc.sys ()


Hi, Mkerig :)

Please follow these steps:

Step 1

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. This time around allow the application to complete the process. When it's finished, there will be a log called Win32kDiag.txt on your desktop. If the word Finished is not at the end of the report, the application hasn't finished. Please open it with notepad once finished and post the contents here in your next reply.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshots: CF_download_FF.gif, CF_download_rename.gif]

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt".

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

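The Win32kDiag report the helper asks for above has a simple line format: "Found mount point" / "Mount point destination" pairs, "Cannot access" entries, the extra "Removing mount point" and "Attempting to restore permissions of" lines that -f -r produces, and "Finished!" at the end. The Python parser below is an added example, not code from this thread or from Win32kDiag's authors; it pulls out junctions whose target is not an ordinary volume path, files the scanner was denied access to, and whether the run completed. The sample log and the rule that a benign junction resolves to \??\<drive>:\ are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Assumption for this example: a legitimate NTFS junction resolves to a volume
# path such as \??\C:\Folder. Anything else (e.g. \Device\__max++>\^ in this
# thread's logs) is flagged for review.
VOLUME_DEST = re.compile(r"^\\\?\?\\[A-Za-z]:\\")

_PATTERNS = {
    "found": re.compile(r"^Found mount point\s*:\s*(.+)$"),
    "dest": re.compile(r"^Mount point destination\s*:\s*(.+)$"),
    "removed": re.compile(r"^Removing mount point\s*:\s*(.+)$"),
    "locked": re.compile(r"^Cannot access:\s*(.+)$"),
    "restore": re.compile(r"^Attempting to restore permissions of\s*:\s*(.+)$"),
    "warning": re.compile(r"^WARNING:\s*(.+)$"),
}


@dataclass
class MountPoint:
    """One 'Found mount point' entry and what the tool did with it."""
    path: str
    destination: str = ""
    removed: bool = False

    @property
    def suspicious(self) -> bool:
        return not VOLUME_DEST.match(self.destination)


@dataclass
class LockedFile:
    """One 'Cannot access' entry: a file the scanner was denied access to."""
    path: str
    restore_attempted: bool = False


@dataclass
class Report:
    mount_points: list = field(default_factory=list)
    locked_files: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    finished: bool = False  # True only if the log contains the "Finished!" line


def parse_win32kdiag(text: str) -> Report:
    """Parse the body of Win32kDiag.txt; blank lines between entries are ignored."""
    report = Report()
    mp = lf = None  # entry that the following destination/removed/restore lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Finished!":
            report.finished = True
        elif m := _PATTERNS["found"].match(line):
            mp = MountPoint(path=m.group(1).strip())
            report.mount_points.append(mp)
        elif (m := _PATTERNS["dest"].match(line)) and mp:
            mp.destination = m.group(1).strip()
        elif (m := _PATTERNS["removed"].match(line)) and mp and mp.path == m.group(1).strip():
            mp.removed = True
        elif m := _PATTERNS["locked"].match(line):
            lf = LockedFile(path=m.group(1).strip())
            report.locked_files.append(lf)
        elif (m := _PATTERNS["restore"].match(line)) and lf and lf.path == m.group(1).strip():
            lf.restore_attempted = True
        elif m := _PATTERNS["warning"].match(line):
            report.warnings.append(m.group(1).strip())
    return report


def summarize(report: Report) -> dict:
    """The figures a helper wants at a glance when reviewing a posted log."""
    suspicious = [mp for mp in report.mount_points if mp.suspicious]
    return {
        "mount_points": len(report.mount_points),
        "suspicious": len(suspicious),
        "removed": sum(mp.removed for mp in report.mount_points),
        "unremoved_suspicious": [mp.path for mp in suspicious if not mp.removed],
        "locked_files": [lf.path for lf in report.locked_files],
        "finished": report.finished,
    }


# Constructed sample in the format of a -f -r run as posted in this thread
# (the user path and the benign junction C:\Shares\Docs are made up).
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\User\Desktop\win32kdiag.exe
Removing all found mount points.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\Shares\Docs
Mount point destination : \??\C:\Data\Docs
Cannot access: C:\WINDOWS\ServicePackFiles\i386\avc.sys
Attempting to restore permissions of : C:\WINDOWS\ServicePackFiles\i386\avc.sys
[1] 2004-08-04 02:10:10 38912 C:\WINDOWS\ServicePackFiles\i386\avc.sys ()
Finished!
"""

if __name__ == "__main__":
    for key, value in summarize(parse_win32kdiag(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A junction that is still listed as suspicious but not removed, or a missing "Finished!", is the signal to re-run the tool rather than move on to the next step.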

Here is the Win32kDiag log:

Running from: C:\Documents and Settings\Administrator.MATT\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator.MATT\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP183.tmp\ZAP183.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP183.tmp\ZAP183.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A6.tmp\ZAP1A6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A6.tmp\ZAP1A6.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A7.tmp\ZAP1A7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A7.tmp\ZAP1A7.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A8.tmp\ZAP1A8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A8.tmp\ZAP1A8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28A.tmp\ZAP28A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28A.tmp\ZAP28A.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33F.tmp\ZAP33F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33F.tmp\ZAP33F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE6.tmp\ZAPE6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE6.tmp\ZAPE6.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Cannot access: C:\WINDOWS\ServicePackFiles\i386\avc.sys

Attempting to restore permissions of : C:\WINDOWS\ServicePackFiles\i386\avc.sys

[1] 2004-08-04 02:10:10 38912 C:\WINDOWS\ServicePackFiles\i386\avc.sys ()

[1] 2008-04-13 14:46:20 38912 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\avc.sys ()

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\avc.sys

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\avc.sys

[1] 2004-08-04 02:10:10 38912 C:\WINDOWS\ServicePackFiles\i386\avc.sys ()

[1] 2008-04-13 14:46:20 38912 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\avc.sys ()

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

And the ComboFix log:

ComboFix 09-09-23.02 - Administrator 09/26/2009 18:02.1.1 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.406 [GMT -4:00]

Running from: c:\documents and settings\Administrator.MATT\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\ADMINI~1.MAT\LOCALS~1\Temp\csrss.exe

c:\documents and settings\Matts\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk

c:\documents and settings\Matts\Desktop\Advanced Virus Remover.lnk

c:\documents and settings\Matts\Start Menu\Advanced Virus Remover.lnk

c:\windows\Installer\10f335e.msi

c:\windows\system32\41.exe

c:\windows\system32\a99k.bin

c:\windows\system32\AVR09.exe

c:\windows\system32\buwapite.dll

c:\windows\system32\certstore.dat

c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk

c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk

c:\windows\system32\dijuboru.dll

c:\windows\system32\drivers\gasfkywpynsmrv.sys

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\drivers\smss.exe

c:\windows\system32\gasfkybmlkrpme.dat

c:\windows\system32\gasfkydrqltepk.dll

c:\windows\system32\gasfkyjooiesbv.dat

c:\windows\system32\gasfkyoblcvmdb.dat

c:\windows\system32\gasfkyorxtftpe.dll

c:\windows\system32\gasfkypbyfvkos.dll

c:\windows\system32\gasfkyuxfubhdh.dll

c:\windows\system32\gasfkywkubnvqc.dll

c:\windows\system32\gasfkyxtsvrcrx.dll

c:\windows\system32\gasfkyylvasxge.dat

c:\windows\system32\hezaguga.exe

c:\windows\system32\kosagiti.dll

c:\windows\system32\kwave.sys

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\lutovute.exe

c:\windows\system32\luveteyo.dll

c:\windows\system32\mndisk.sys

c:\windows\system32\raditile.exe

c:\windows\system32\sdra64.exe

c:\windows\system32\sstray.exe

c:\windows\system32\sugedaji.dll

c:\windows\system32\wijidapa.dll

c:\windows\system32\winhelper.dll

c:\windows\system32\winupdate.exe

c:\windows\system32\wolugeri.dll

c:\windows\system32\ygsuhdf83id.dll

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gasfkyymrmpjet

-------\Legacy_gasfkyymrmpjet

-------\Legacy_6TO4

-------\Legacy_IAS

-------\Legacy_MNDISK

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_6to4

-------\Service_Ias

-------\Service_mndisk

((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))

.

2009-09-26 21:08 . 2009-09-26 21:08 -------- d-----w- c:\documents and settings\Administrator.MATT\Local Settings\Application Data\Identities

2009-09-26 20:26 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-26 20:26 . 2009-09-26 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-26 20:26 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-26 20:11 . 2009-09-26 20:11 288768 ----a-w- C:\ve87g5ut.exe

2009-09-26 19:42 . 2009-09-26 19:42 -------- d-----w- c:\documents and settings\Administrator.MATT\Application Data\Malwarebytes

2009-09-26 19:42 . 2009-09-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-26 19:42 . 2009-09-26 20:02 -------- d-----w- c:\program files\SHITTY stuff

2009-09-26 07:18 . 2009-09-26 07:18 13104 ----a-w- c:\documents and settings\Administrator.MATT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-26 03:58 . 2009-09-26 03:58 -------- d-----w- c:\documents and settings\Administrator.MATT\Local Settings\Application Data\Mozilla

2009-09-25 20:40 . 2009-09-26 20:23 0 ----a-r- c:\windows\win32k.sys

2009-09-25 12:21 . 2009-09-26 20:49 16 ----a-w- c:\windows\pxysdb.dat

2009-09-25 12:21 . 2009-09-26 21:51 23155 ----a-w- c:\windows\system32\sebdpp.dll

2009-09-25 12:21 . 2009-09-25 12:21 8432 ----a-w- c:\windows\system32\sebdpx.sys

2009-09-17 07:35 . 2009-09-21 00:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-11 22:27 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-08 18:01 . 2009-09-08 18:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-09-04 23:23 . 2009-09-04 23:23 -------- d-----w- c:\documents and settings\Matts\Application Data\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-26 19:50 . 2009-07-30 06:41 -------- d-----w- c:\program files\Steam

2009-09-26 02:58 . 2008-09-09 17:07 15360 -c--a-w- c:\windows\TASKMAN.EXE

2009-09-25 20:22 . 2009-08-12 05:20 -------- d-----w- c:\documents and settings\Matts\Application Data\BitTorrent

2009-09-06 07:40 . 2009-08-16 21:36 -------- d-----w- c:\program files\DivX

2009-09-04 23:23 . 2009-09-04 23:23 -------- d-----w- c:\program files\iTunes

2009-09-04 23:23 . 2009-09-04 23:23 -------- d-----w- c:\program files\iPod

2009-09-04 23:23 . 2009-09-04 23:21 -------- d-----w- c:\program files\Common Files\Apple

2009-09-04 23:23 . 2009-09-04 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-09-04 23:22 . 2009-09-04 23:22 -------- d-----w- c:\program files\Bonjour

2009-09-04 23:22 . 2009-09-04 23:22 -------- d-----w- c:\program files\QuickTime

2009-09-04 23:22 . 2009-09-04 23:21 -------- d-----w- c:\program files\Apple Software Update

2009-09-04 23:21 . 2009-09-04 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-22 21:56 . 2009-08-22 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA

2009-08-18 08:45 . 2009-04-02 01:54 13104 ----a-w- c:\documents and settings\Matts\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-18 05:41 . 2009-08-18 05:41 -------- d-----w- c:\program files\MSBuild

2009-08-18 05:41 . 2009-08-18 05:41 -------- d-----w- c:\program files\Reference Assemblies

2009-08-18 05:36 . 2009-08-18 05:36 -------- d-----w- c:\program files\MSXML 6.0

2009-08-18 05:34 . 2009-08-16 21:42 -------- d-----w- c:\documents and settings\Matts\Application Data\DivX

2009-08-16 21:36 . 2009-08-16 21:36 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-08-12 05:20 . 2009-08-12 05:20 -------- d-----w- c:\program files\BitTorrent

2009-08-05 09:11 . 2008-09-10 01:17 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 04:37 . 2009-08-01 04:37 -------- d-----w- c:\documents and settings\Matts\Application Data\FUEL Demo

2009-07-17 18:55 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 06:18 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll

2009-07-10 20:19 . 2009-07-10 20:19 251 ----a-w- c:\windows\PowerReg.dat

2009-05-02 05:51 . 2009-05-02 05:51 1228304 ----a-w- c:\program files\ADBEFLPRCS4Win_LS1.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-11-17 7700480]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-11-17 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-11-17 1622016]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sebdpp]

2009-09-26 21:51 23155 ----a-w- c:\windows\system32\sebdpp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sebdpx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"PnkBstrB"=2 (0x2)

"PnkBstrA"=2 (0x2)

"idsvc"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 sebdpx;SEB Controller;c:\windows\system32\sebdpx.sys [9/25/2009 8:21 AM 8432]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\Matts\Desktop\VCdRom.sys --> c:\documents and settings\Matts\Desktop\VCdRom.sys [?]

S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [4/20/2009 8:59 PM 28672]

.

Contents of the 'Scheduled Tasks' folder

2009-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://url.urtbk.com/cpv.jsp?p=113090&ip=68.100.215.90&url=http%3A%2F%2Fwww.malwareremovalbot.com%2F%3Fhop%3Djayasd&context=Welcome+to+MalwareRemovalBOT+-+Remove+Malware%2C+Spyware+and+Viruses+from+Your+Computer&selectedKeyword=virus&selectedListingId=7362670&default=http%3A%2F%2F82.98.231.93%2F%3Fsource%3Dvenus_ron_090%26affid%3D201026%26guid%3D7fd4f15ea1e3e944995c46a61f3d4c45%26uid%3D22b51e28a88111de8488201026ffffff%26rid%3Dota100001%26ver%3D21127%26m%3D1sc7%26b42%3D0.0091

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrator.MATT\Application Data\Mozilla\Firefox\Profiles\y3cp3r2x.default\

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{7e87add4-e2cb-43f9-ba01-e4c53dbf3205} - dijuboru.dll

HKLM-Run-tegeyizew - c:\windows\system32\luveteyo.dll

HKLM-Run-nForce Tray Options - sstray.exe

HKLM-Run-buliwapeha - wolugeri.dll

SharedTaskScheduler-{111c258c-839d-4829-9cb4-da61720b75ee} - c:\windows\system32\luveteyo.dll

SSODL-lusagudej-{111c258c-839d-4829-9cb4-da61720b75ee} - c:\windows\system32\luveteyo.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-26 18:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2009-09-26 18:11 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-26 22:11

Pre-Run: 8,775,856,128 bytes free

Post-Run: 9,017,282,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /bootlog /safeboot:network

232 --- E O F --- 2009-09-12 03:05

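Added alongside the log above (not part of either post, and not ComboFix's own code): a small Python triage script that reads the log layout shown in this thread and flags the indicators a responder would want to see first. The parsing rules ([key] headers, "name"=value lines, and the R?/S? service lines) are my assumptions from the log as posted, and SAMPLE_LOG is a constructed condensation of the lines above; the names sebdpp and sebdpx are taken from that log, nothing else is assumed about them. Real ComboFix output has sections this does not handle, and the Winlogon Notify list also carries legitimate entries on a clean machine, so compare hits against a known-good list rather than treating a finding as a verdict.

```python
"""Triage helper for a ComboFix log in the layout posted above.

Added example for this thread; not ComboFix's code and not posted by anyone
in the thread. Parsing rules are assumptions from the log as it appears above.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a condensed copy of the relevant lines from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sebdpp]
2009-09-26 21:51 23155 ----a-w- c:\windows\system32\sebdpp.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sebdpx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 sebdpx;SEB Controller;c:\windows\system32\sebdpx.sys [9/25/2009 8:21 AM 8432]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\Matts\Desktop\VCdRom.sys --> c:\documents and settings\Matts\Desktop\VCdRom.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [4/20/2009 8:59 PM 28672]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                   # [HKEY_...\key]
VALUE_RE = re.compile(r'^(@|"[^"]*")\s*=\s*(.*)$')    # "Name"=value or @=value
PATH_RE = re.compile(r"[a-z]:\\[^\s\[\]]+", re.I)      # bare file paths on a line
# Service lines: letter = Running/Stopped, digit = start type (0 boot, 1 system,
# 2 auto, 3 manual); then name;description;image path [timestamp size] or [?].
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")

def parse_log(log: str) -> Tuple[Dict[str, dict], List[dict]]:
    """Return ({key: {"values": {...}, "files": [...]}}, [service dicts])."""
    blocks: Dict[str, dict] = {}
    drivers: List[dict] = []
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            current = None  # service lines sit outside any [key] block
            start, name, desc, image, stamp = m.groups()
            image = image.split(" --> ")[0]  # registered path, not ComboFix's resolution
            if image.startswith("\\??\\"):
                image = image[4:]
            drivers.append({"start": start, "name": name, "desc": desc,
                            "image": image.lower(), "present": stamp != "?"})
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, {"values": {}, "files": []})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            blocks[current]["values"][m.group(1).strip('"')] = m.group(2).strip()
        else:
            blocks[current]["files"].extend(p.lower() for p in PATH_RE.findall(line))
    return blocks, drivers

def as_int(value: str) -> Optional[int]:
    """Read ComboFix's value renderings: 'dword:00000001', '1 (0x1)', '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]+)$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None

def triage(log: str) -> List[str]:
    """One finding string per indicator; an empty list means nothing was flagged."""
    blocks, drivers = parse_log(log)
    findings: List[str] = []
    for key, block in blocks.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in k:
            # A Winlogon Notify package is a DLL winlogon.exe loads at logon;
            # compare against a known-good list before acting on it.
            dlls = ", ".join(block["files"]) or "(no DLL path listed)"
            findings.append(f"winlogon notify package '{leaf}' loads {dlls}")
        elif "\\safeboot\\minimal\\" in k and k.endswith(".sys"):
            # An entry under SafeBoot\Minimal keeps the driver loading in Safe Mode.
            findings.append(f"driver {leaf} registered to load in Safe Mode")
        elif k.endswith("\\security center"):
            for flag in NOTIFY_FLAGS:
                if as_int(block["values"].get(flag, "")) == 1:
                    findings.append(f"security center {flag}=1 (warnings suppressed)")
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if as_int(block["values"].get("EnableFirewall", "")) == 0:
                findings.append("windows firewall disabled (EnableFirewall=0)")
    for d in drivers:
        early = d["start"][1] in "01"  # boot or system start
        if not d["present"]:
            findings.append(f"service {d['name']} points at missing image {d['image']}")
        elif early and not d["image"].startswith(DRIVERS_DIR):
            findings.append(f"boot/system-start driver {d['name']} loads from {d['image']}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a full log by passing the file contents to triage(). The driver rule is deliberately narrow (boot/system start from outside system32\drivers, or an image that no longer exists) so that manual-start drivers such as libusb0 in the log above are not flagged; widen it only once you know what is normal on the machine.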

Hi, Mkerig :P

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

http://www.malwarebytes.org/forums/index.p...f=7&t=25787

Collect::[4]

C:\ve87g5ut.exe

c:\windows\win32k.sys

c:\windows\pxysdb.dat

c:\windows\system32\sebdpp.dll

c:\windows\system32\sebdpx.sys

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sebdpp]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sebdpx.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=-

Drivers::

sebdpx


Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Additionally, when CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Update and run MBAM. If having problems updating or running MalwareBytes Antimalware, remove your copy and proceed as follows:

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let's check for remnants:

Please run the F-Secure Online Scanner

Note: You must use Internet Explorer for this scan!

  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
