a.exe, b.exe, c.exe etc!



claire
2009-08-30, 13:43
I think this may be a fairly common problem at the moment. Last night I noticed b.exe in Task Manager, clicked on it and went to End Task. Before running AVG I right-clicked on the desktop and all icons went, leaving me with only the wallpaper. Rebooted in Safe Mode, but could only use Safe Mode with Command Prompt, so went there and deleted a.exe, b.exe, c.exe, d.exe, MSA.exe from directories via DOS. Checked, reluctantly!, in the Registry but could not find any mention anywhere. Rebooted, got Task Manager up, ran AVG which found and quarantined 4 files. Still no icons. Ran VCleaner via DOS and found nothing. Task Manager shows 26 running apps, about 8 of these are svchosts. Usually only run about 26 apps in Task Manager normally.

Have now realised am stuffed and have come begging for help. :sick:

And after thinking oh well, will use System Restore, only to discover that no restore point has been set. Yet am sure I had done that previously (not today though).

Have just copied across Win32kDiag.exe and am running that on the assumption that it will be asked for.

Thank you for your help.

Have run Win32kDiag.exe but cannot transfer the log from that PC to this one. Tried copying it to a CD through DOS and Task Manager and it just isn't working. Any ideas at all please?

Still no joy with the CD drive, used a clean WD My Book. Please tell me this won't infect that and this laptop!!

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Blade81
2009-09-01, 20:54
Hi,

Please post the log in original format with linebreaks. The one you posted is pretty hard to read. Alternatively, you may attach the log as an attachment to your reply.
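The Win32kDiag log earlier in the thread lost its line breaks in transit. As an added example, not code from this thread or from the Win32kDiag tool, the script below re-inserts the breaks using the record prefixes that format uses and then flags the two things a helper reads first: mount points redirected to a \Device\ target, and a file the tool could not open whose on-disk copy shows an empty publisher "()". The sample input is a constructed fragment in the same flattened shape, not the full log from the post.

```python
import re

# Constructed sample in the flattened shape of the log quoted in the thread.
FLATTENED_LOG = (
    "Log file is located at: C:\\Documents and Settings\\Owner\\Desktop\\Win32kDiag.txt"
    "WARNING: Could not get backup privileges!"
    "Searching 'C:\\WINDOWS'..."
    "Found mount point : C:\\WINDOWS\\addins\\addins"
    "Mount point destination : \\Device\\__max++>\\^"
    "Cannot access: C:\\WINDOWS\\system32\\eventlog.dll"
    "[1] 2008-04-14 01:11:53 56320 C:\\WINDOWS\\ServicePackFiles\\i386\\eventlog.dll (Microsoft Corporation)"
    "[1] 2008-04-14 01:11:53 62976 C:\\WINDOWS\\system32\\eventlog.dll ()"
    "Finished!"
)

# Every record in this log format starts with one of these prefixes, so a
# line break can be re-inserted in front of each occurrence (zero-width split).
RECORD_START = re.compile(
    r"(?=Log file is located at: |WARNING: |Searching '|Found mount point : |"
    r"Mount point destination : |Cannot access: |\[\d+\] \d{4}-\d{2}-\d{2} |Finished!)"
)

# "[n] date time size path (publisher)" lines that follow a "Cannot access" record.
FILE_LINE = re.compile(r"\[\d+\] \S+ \S+ (\d+) (.+) \((.*)\)$")


def restore_linebreaks(flat):
    """Split a flattened Win32kDiag log back into one record per line."""
    return [part for part in RECORD_START.split(flat) if part]


def triage(lines):
    """Return (kind, path, detail) tuples for the entries worth a closer look."""
    findings, mount, locked = [], None, None
    for line in lines:
        if line.startswith("Found mount point : "):
            mount = line[len("Found mount point : "):]
        elif line.startswith("Mount point destination : ") and mount:
            dest = line[len("Mount point destination : "):]
            if dest.startswith("\\Device\\"):  # reparse point aimed at a raw device
                findings.append(("redirected_mount_point", mount, dest))
            mount = None
        elif line.startswith("Cannot access: "):
            locked = line[len("Cannot access: "):]
        elif line.startswith("[") and locked:
            m = FILE_LINE.match(line)
            # Only the inaccessible file itself, when its publisher field is empty.
            if m and m.group(2) == locked and m.group(3) == "":
                findings.append(("unsigned_locked_file", locked, m.group(1)))
    return findings
```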

claire
2009-09-03, 09:34
Had to give up on this and send it in to the local shop. Incidentally, they mentioned it was "a particularly evil rootkit" and wiped the machine and started from scratch.

Thank you anyway.

Blade81
2009-09-03, 10:00
Ok. Thanks for letting us know. Topic closed.