Infected
Hi there,
I'm not sure what I've got, but I can't execute any antivirus or HijackThis programs.
When I try to start my computer in normal mode it gets past POST and then sits at a black screen churning and never reaches the login screen (Windows Vista).
I can start my computer in safe mode but again, I can't run any antivirus. Norton, Spybot, Ad-Aware, HijackThis... none work. Any help would be much appreciated.
I don't want this thread to get locked for bumping, but is there some other information that I can provide that would make helping with this problem easier? Any and all help is greatly appreciated.
Hi twosips
Please try to rename HijackThis.exe and let me know if it runs now :)
Thank you for the response. I cannot rename the HijackThis executable; I am being denied. I am in safe mode as I can't start in normal mode. I am able to execute HijackThis right off the Trend Micro website, but the program does not save a logfile.
I see.
Let me know if you can run this one:
Download DDS to your desktop from one of the links below:
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
Double-click the tool to run it.
A black screen will open; just read the contents and do nothing.
When the tool finishes, it will open two reports.
Copy/paste both reports back here and remove DDS from your desktop.
I did this and no reports opened up.
Did notepad open as minimized?
No, Notepad did not open at all.
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
That worked. Here is the log.
Running from: C:\Users\Frank\Desktop\Win32kDiag.exe
Log file at : C:\Users\Frank\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\bthservsdp.dat
[1] 2009-10-25 21:06:35 12 C:\Windows\bthservsdp.dat ()
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Click on Start -> Run, copy-paste the following command into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
Running from: C:\Users\Frank\Desktop\Win32kDiag.exe
Log file at : C:\Users\Frank\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\bthservsdp.dat
[1] 2009-10-25 21:06:35 12 C:\Windows\bthservsdp.dat ()
Found mount point : C:\Windows\ehome\CreateDisc\style\style
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Globalization\Globalization
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Help\Corporate\Corporate
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\inf\en-US\en-US
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Microsoft.NET\authman\authman
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\nap\configuration\configuration
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Panther\setup.exe\setup.exe
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Panther\unattend\unattend
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PLA\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SchCache\SchCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\security\templates\templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
The log looks a bit odd.
Did you run it like that from Start -> Run?
"%userprofile%\desktop\win32kdiag.exe" -f -r
Sorry. I was going too fast and did not read your instructions carefully. I will be more careful going forward.
I repeated and did it the way you said. Here is the result.
Running from: C:\Users\Frank\Desktop\win32kdiag.exe
Log file at : C:\Users\Frank\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\AppPatch\Custom\Custom
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\assembly\temp\temp
Found mount point : C:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\assembly\tmp\tmp
Cannot access: C:\Windows\bthservsdp.dat
Attempting to restore permissions of : C:\Windows\bthservsdp.dat
Found mount point : C:\Windows\ehome\CreateDisc\style\style
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ehome\CreateDisc\style\style
Found mount point : C:\Windows\Globalization\Globalization
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Globalization\Globalization
Found mount point : C:\Windows\Help\Corporate\Corporate
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Help\Corporate\Corporate
Found mount point : C:\Windows\inf\en-US\en-US
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\inf\en-US\en-US
Found mount point : C:\Windows\Microsoft.NET\authman\authman
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Microsoft.NET\authman\authman
Found mount point : C:\Windows\nap\configuration\configuration
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\nap\configuration\configuration
Found mount point : C:\Windows\Panther\setup.exe\setup.exe
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Panther\setup.exe\setup.exe
Found mount point : C:\Windows\Panther\unattend\unattend
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Panther\unattend\unattend
Found mount point : C:\Windows\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\PIF\PIF
Found mount point : C:\Windows\PLA\Templates\Templates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\PLA\Templates\Templates
Found mount point : C:\Windows\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Registration\CRMLog\CRMLog
Found mount point : C:\Windows\SchCache\SchCache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\SchCache\SchCache
Found mount point : C:\Windows\security\templates\templates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\security\templates\templates
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop
Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents
Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads
Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites
Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links
Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music
Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures
Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games
Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos
Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs
Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile
Found mount point : C:\Windows\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment
Cannot access: C:\Windows\System32\cngaudit.dll
Attempting to restore permissions of : C:\Windows\System32\cngaudit.dll
[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()
[2] 2006-11-02 04:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)
[1] 2006-11-02 04:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-10-31 21:17:53 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-10-31 20:58:58 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-10-31 21:19:47 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-10-31 21:19:39 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Found mount point : C:\Windows\Temp\7zS1F.tmp\7zS1F.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Temp\7zS1F.tmp\7zS1F.tmp
Found mount point : C:\Windows\Temp\7zS70FA.tmp\7zS70FA.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Temp\7zS70FA.tmp\7zS70FA.tmp
Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit
Found mount point : C:\Windows\Temp\_avast4_\_avast4_
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\Temp\_avast4_\_avast4_
Found mount point : C:\Windows\tracing\tracing
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\tracing\tracing
Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes
Finished!
Good :)
Now please rerun win32kdiag.exe the normal way.
Running from: C:\Users\Frank\Desktop\Win32kDiag.exe
Log file at : C:\Users\Frank\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ehome\CreateDisc\style\style
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Globalization\Globalization
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\inf\en-US\en-US
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Microsoft.NET\authman\authman
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\System32\cngaudit.dll
[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()
[2] 2006-11-02 04:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)
[1] 2006-11-02 04:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-10-31 21:17:53 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-10-31 20:58:58 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-10-31 21:19:47 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-10-31 21:19:39 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()
Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes
Mount point destination : \Device\__max++>\^
Finished!
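As an added example (not from this thread, and not code from the Win32kDiag tool), here is a small Python triage script for Win32kDiag output in the format quoted above. It pairs each "Found mount point" line with its destination and flags junctions whose target is a bare device object rather than a volume path, and it flags an inaccessible System32 file whose own entry carries no vendor name while a same-named winsxs copy does, which is the comparison the helper makes before replacing cngaudit.dll. The log text, the shortened winsxs directory name and the benign "My Music" junction are constructed for the example.

```python
import re
from collections import namedtuple

Copy = namedtuple("Copy", "stamp size path company")

# Constructed sample modelled on the Win32kDiag output quoted in this thread;
# the winsxs directory name is shortened and the "My Music" junction is an
# invented benign entry (Vista's own junctions point at \??\<volume path>).
SAMPLE_LOG = r"""Running from: C:\Users\Frank\Desktop\Win32kDiag.exe
Searching 'C:\Windows'...
Found mount point : C:\Windows\tracing\tracing
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\tracing\tracing
Found mount point : C:\Users\Frank\Documents\My Music
Mount point destination : \??\C:\Users\Frank\Music
Cannot access: C:\Windows\System32\cngaudit.dll
[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()
[2] 2006-11-02 04:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)
[1] 2006-11-02 04:46:03 11776 C:\Windows\winsxs\x86_cngaudit_example\cngaudit.dll (Microsoft Corporation)
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-10-31 21:17:53 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")  # [n] date time size path (company)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_win32kdiag(text):
    """Return (junctions [(src, dst)], {locked_path: [Copy, ...]}) from Win32kDiag text."""
    junctions, inaccessible = [], {}
    pending, current = None, None
    for line in text.splitlines():
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending:
            junctions.append((pending, m.group(1)))
            pending = None
        elif m := NOACCESS_RE.match(line):
            current = m.group(1)
            inaccessible[current] = []
        elif (m := COPY_RE.match(line)) and current:
            stamp, size, path, company = m.groups()
            inaccessible[current].append(Copy(stamp, int(size), path, company))
    return junctions, inaccessible

def suspicious_junctions(junctions):
    r"""Junctions that do not resolve to a volume path (\??\X:\...), e.g. the
    \Device\__max++> target in the thread's log: a rootkit hiding a directory."""
    return [(src, dst) for src, dst in junctions if not dst.startswith("\\??\\")]

def replaced_system_files(inaccessible):
    """Locked files with no vendor name whose same-named copy elsewhere (e.g. winsxs)
    is vendor-attributed with a different size: the in-place copy was likely overwritten."""
    findings = {}
    for locked, copies in inaccessible.items():
        own = [c for c in copies if c.path.lower() == locked.lower()]
        if not own or own[0].company:
            continue  # no record of the locked file itself, or it has version info
        clean = [c.path for c in copies
                 if _basename(c.path) == _basename(locked)
                 and c.path.lower() != locked.lower()
                 and c.company and c.size != own[0].size]
        if clean:
            findings[locked] = clean
    return findings
```

The .etl entry in the sample is locked and has no vendor name but no attributed twin, so it is reported by neither function; that keeps ordinary ETW trace files out of the findings.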
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Hello,
I followed the instructions on the linked page. ComboFix appeared to begin running. I saw a blue progress bar but then it disappeared and none of the other confirmation screens appeared. I waited about 5 mins and nothing. It did not even sound like there was any disk activity. I did not see any log produced.
Then please run it in safe mode and let me know if it worked there.
I ran it in safe mode with networking, with the same result.
That isn't promising.
Download Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog and unzip it to your Desktop.
Note: This programme must be run from an account with Administrator privileges.
Open the Avenger folder and double click Avenger.exe to launch the programme.
Copy the text in the code box below and Paste it into the Input script here: box.
Files to move:
C:\Windows\System32\logevent.dll | C:\Windows\System32\cngaudit.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Ensure the following:
Scan for Rootkits is checked.
Automatically disable any rootkits found is Unchecked.
Press the Execute key.
Avenger will now process the script you've pasted (this may involve more than one re-boot); when finished, it will produce a log file.
Post the log back here please. (it can also be found at C:\avenger.txt)
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows NT 6.0 (build 6000)
Tue Nov 03 18:42:50 2009
18:42:50: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\Windows\System32\logevent.dll|C:\Windows\System32\cngaudit.dll" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
As an added note: after the reboot, I am now getting constant popups from SecurityTool, an apparently bogus virus scanner that has infected my PC.
As another update, I tried running Malwarebytes again to see if it would work now that I was able to boot in normal mode, and I was able to get it to run.
Please post the Malwarebytes report next :)
Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 6.0.6000
11/3/2009 9:28:22 PM
mbam-log-2009-11-03 (21-28-22).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 316936
Time elapsed: 1 hour(s), 17 minute(s), 4 second(s)
Memory Processes Infected: 3
Memory Modules Infected: 4
Registry Keys Infected: 18
Registry Values Infected: 14
Registry Data Items Infected: 4
Folders Infected: 6
Files Infected: 80
Memory Processes Infected:
C:\Windows\system32\sdra64.exe (Spyware.Zbot) -> Unloaded process successfully.
C:\Windows\msa.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Users\Frank\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
Memory Modules Infected:
C:\Windows\System32\tepusiga.dll (Trojan.Vundo) -> Delete on reboot.
c:\Windows\System32\hulowadu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\hisekeke.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\borababu.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{04163e5a-bd34-4186-b017-367e3be500fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3eca3ef6-6aa3-4872-acb2-6519243a7f06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesiwomeh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06180217 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06180217 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86247532 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17173726 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81995840 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38488233 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{04163e5a-bd34-4186-b017-367e3be500fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bifevepin (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3eca3ef6-6aa3-4872-acb2-6519243a7f06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kefohevov (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wologenipi (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\06180217 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\86247532 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\17173726 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\81995840 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\38488233 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Windows\system32\lowsec (Stolen.data) -> Delete on reboot.
Files Infected:
c:\Windows\System32\hulowadu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\ProgramData\06180217\06180217.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\06180217\06180217.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\86247532\86247532.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\86247532\86247532.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\17173726\17173726.bat (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\17173726\17173726.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\81995840\81995840.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\38488233\38488233.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Windows\System32\tepusiga.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\hisekeke.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\borababu.dll (Trojan.Vundo) -> Delete on reboot.
C:\ProgramData\gelarijo\gelarijo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\jukohani\jukohani.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\kapekabo\kapekabo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\mimegepa\mimegepa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\mosujiki\mosujiki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\parifoma\parifoma.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\rivoyera\rivoyera.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\sijoluja\sijoluja.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\ProgramData\tidifara\tidifara.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\timinebe\timinebe.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\ProgramData\wakozawa\wakozawa.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\yiyasafo\yiyasafo.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Windows\System32\lipemeye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\denufudu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\domijifu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\doyanavo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jepayala.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mazimiru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mazimiru.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\pevapiye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pofegohu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\vimoveta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wifufulu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wigenupa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wonupago.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pidokobo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\Temp\B7CC.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\B885.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\D5C5.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\D90F.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\DB8F.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\F407.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1515.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1BD0.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1DEE.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\1E97.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2098.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2253.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\244B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\24DE.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2705.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\272B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2A2C.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2ABF.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2DA7.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\2EF8.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3193.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\31D8.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3594.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\359B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\38F0.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3CB3.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3D30.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\3F60.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\423D.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\6FEC.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\742A.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\771B.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\Temp\7DAE.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\Windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Users\Frank\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Windows\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\Windows\msa.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Frank\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Doesn't look too good. Backdoor/keylogger/password stealer there.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
I would like to reformat and reinstall but I am nervous. I want to preserve pictures, music, media but do so without preserving the virus. Having never reformatted before, is it possible to safely preserve this stuff?
Is there a forum resource such as this for the reformatting and reinstallation process that can help someone new to it such as me?
Do you have any other advice for me?
Shabba, I really do appreciate your time and energy here, helping me with this problem. I can't thank you enough.
Yes it is safe in this case.
This (http://www.theeldergeek.com/clean_installation_of_windows_xp.htm) might be helpful here.
Due to the lack of feedback this Topic is closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.