xQuasar
2009-09-29, 00:10
Yesterday my computer started lagging hardcore so I rebooted it; upon the reboot, everything seemed okay until I went to Start Menu -> Control Panel, and as soon as I clicked on Control Panel, Windows Explorer crashed. I tried to start it up again by Task Manager -> New Task... -> "explorer.exe" but I have a "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Rebooting my computer again made things even worse: Windows Explorer just never started.
So then I installed Spybot Search & Destroy, and tried to do a scan: a few seconds into the scan, it closed by itself. Upon trying to re-open Spybot, the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." error popped up again. Subsequent re-installations and re-scans of Spybot yielded the same result.
I would post a HiJackThis log, except it closes a second or two after I click the "Scan system and post a log" button. Upon trying to reopen HiJackThis, the Windows permissions error strikes again.
Looking around, I tried to download and run DDS, except it closes right after showing the initial messages (up to "We only require it to run just once. Dispose after use.").
Help? :/
Sorry about the double post, I can't seem to find an edit button anywhere.
I've run Win32kDiag.exe, and it seems to have frozen up but it looks like I have a max++ rootkit infection; this is what Win32kDiag.txt currently looks like:
Running from: C:\Documents and Settings\Michael Su\My Documents\Downloads\Win32kDiag.exe
Log file at : C:\Documents and Settings\Michael Su\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943055\KB943055
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB946026\KB946026
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB950759\KB950759
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB961373\KB961373
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP181.tmp\ZAP181.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21E.tmp\ZAP21E.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP399.tmp\ZAP399.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 21:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2001-08-23 23:00:00 1000960 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 20:23:07 1033216 C:\WINDOWS\explorer.exe ()
[1] 2004-08-03 23:56:50 1032192 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)
=============================
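Added example, not part of the thread and not Win32kDiag's own code: a small triage script for a log in the layout posted above. It pairs each mount point with its destination, and lists inaccessible files and file copies whose company field is empty. The function name `triage`, the report keys and the trimmed sample are constructed for illustration; treating a destination under \Device\ as suspicious is a heuristic assumed here.

```python
import re
from collections import Counter

# Constructed sample, trimmed from the Win32kDiag.txt layout shown in the post.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 21:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 20:23:07 1033216 C:\WINDOWS\explorer.exe ()
[1] 2004-08-03 23:56:50 1032192 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)
"""

MOUNT = re.compile(r"^Found mount point\s*:\s*(.+)$")
DEST = re.compile(r"^Mount point destination\s*:\s*(.+)$")
DENIED = re.compile(r"^Cannot access:\s*(.+)$")
COPY = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+) \((.*)\)$")

def triage(log_text):
    """Summarise a Win32kDiag-style log (hypothetical helper, heuristic only)."""
    report = {"device_mounts": [], "inaccessible": [],
              "no_company": [], "targets": Counter()}
    pending = None  # mount point still waiting for its destination line
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := MOUNT.match(line):
            pending = m.group(1)
        elif (m := DEST.match(line)) and pending:
            dest = m.group(1)
            report["targets"][dest] += 1
            # Assumption: a reparse target under \Device\ deserves a closer look.
            if dest.startswith("\\Device\\"):
                report["device_mounts"].append((pending, dest))
            pending = None
        elif m := DENIED.match(line):
            report["inaccessible"].append(m.group(1))
        elif m := COPY.match(line):
            stamp, size, path, company = m.groups()
            if not company.strip():  # empty "()" where other copies name a vendor
                report["no_company"].append((path, int(size), stamp))
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("device_mounts", "inaccessible", "no_company"):
        print(key, len(result[key]), result[key])
```

Run on the full log, the `targets` counter shows at a glance that every mount point resolves to the same device object.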
Sorry about the double post, I can't seem to find an edit button anywhere.
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
In the Malware Removal Forum, members may not edit their posts. A helper may already be analyzing the information given.
If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans. :) ;)