Page 1 of 5 12345 LastLast
Results 1 to 10 of 50

Thread: Malware removal problem

  1. #1
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default Malware removal problem

    Hi,

    I read your sticky and have attempted to follow the instructions to the letter. I created the system registry backup using Erunt, and then downloaded Hijack This, but the virus is preventing it from running.

    Prior to coming to this forum, I had also attempted to use several other virus removal programs and the virus (or trojan) seems able to disable everything I throw at it. I even attempted a Windows System Restore, but got an error message saying that wasn't possible.

    My OS is Windows XP, and my virus software is Quick Heal 10.00 which identified a trojan: \\?\globalroot\Device\__max++>9EC183F2.x86.dll (not sure if that's just one underscore or two).

    I've been working at this for about 3 hours and have to rest for work tomorrow, but will check back tomorrow a.m. for any help you can offer.

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi dharmaj

    Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default

    Running from: C:\Documents and Settings\Jordan Van Voast\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\Jordan Van Voast\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...



    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B6.tmp\ZAP1B6.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP296.tmp\ZAP296.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C1.tmp\ZAP2C1.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\ZAPD7.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\tmp\tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Config\Config

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\chsime\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp98\imejp98

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\shared\res\res

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\java\classes\classes

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\java\trustlib\trustlib

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\mui\mui

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

    Mount point destination : \Device\__max++>\^

    Cannot access: C:\WINDOWS\system32\eventlog.dll

    [1] 2004-08-04 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

    [1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

    [end of diagnostic test]

    NOt sure if this is helpful, but it appears as if the trojan operates by diverting Google searches to advertisement websites (away from your expected destination). However, it doesn't seem to affect searches done in Good Search.

  4. #4
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default p.s.

    Thank you for your help Shaba!

  5. #5
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
    "%userprofile%\desktop\win32kdiag.exe" -f -r
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #6
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default repair step 2 (thank you)

    Running from: C:\Documents and Settings\Jordan Van Voast\desktop\win32kdiag.exe

    Log file at : C:\Documents and Settings\Jordan Van Voast\Desktop\Win32kDiag.txt

    Removing all found mount points.

    Attempting to reset file permissions.

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...



    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B6.tmp\ZAP1B6.tmp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B6.tmp\ZAP1B6.tmp

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP296.tmp\ZAP296.tmp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP296.tmp\ZAP296.tmp

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C1.tmp\ZAP2C1.tmp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C1.tmp\ZAP2C1.tmp

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\ZAPD7.tmp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\ZAPD7.tmp

    Found mount point : C:\WINDOWS\assembly\tmp\tmp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\assembly\tmp\tmp

    Found mount point : C:\WINDOWS\Config\Config

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Config\Config

    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

    Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

    Found mount point : C:\WINDOWS\ime\chsime\applets\applets

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

    Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

    Found mount point : C:\WINDOWS\ime\imejp\applets\applets

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

    Found mount point : C:\WINDOWS\ime\imejp98\imejp98

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

    Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

    Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

    Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

    Found mount point : C:\WINDOWS\ime\shared\res\res

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\ime\shared\res\res

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

    Found mount point : C:\WINDOWS\java\classes\classes

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\java\classes\classes

    Found mount point : C:\WINDOWS\java\trustlib\trustlib

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\java\trustlib\trustlib

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

    Found mount point : C:\WINDOWS\mui\mui

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\mui\mui

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

    Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

    Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

    Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

    Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

    Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

    Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

    Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

    Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

    Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

    Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

    Cannot access: C:\WINDOWS\system32\eventlog.dll

    Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Good

    Please now run win32kdiag.exe in normal way and post back fresh log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #8
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default

    I'm assuming that "run in the normal way" means to simply click on the icon on the desktop and then cut and paste the new text file which appears here, which I did:

    Running from: C:\Documents and Settings\Jordan Van Voast\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\Jordan Van Voast\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...



    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B6.tmp\ZAP1B6.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP296.tmp\ZAP296.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C1.tmp\ZAP2C1.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\ZAPD7.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\tmp\tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Config\Config

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\chsime\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp98\imejp98

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\shared\res\res

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\java\classes\classes

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\java\trustlib\trustlib

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\mui\mui

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

    Mount point destination : \Device\__max++>\^

    Cannot access: C:\WINDOWS\system32\eventlog.dll

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Yes that is correct.

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #10
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default combo fix log

    ComboFix 09-09-28.01 - Jordan Van Voast 09/28/2009 22:22.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.700 [GMT -7:00]
    Running from: c:\documents and settings\Jordan Van Voast\Desktop\ComboFix.exe
    FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Microsoft Common
    c:\windows\Installer\10aeb02.msp
    c:\windows\Installer\10aeb18.msp
    c:\windows\Installer\10aeb2d.msp
    c:\windows\Installer\1599f.msp
    c:\windows\Installer\16aef7.msp
    c:\windows\Installer\17f8b.msp
    c:\windows\Installer\193f170.msp
    c:\windows\Installer\193f18a.msp
    c:\windows\Installer\1fb640a.msp
    c:\windows\Installer\1fee0c.msp
    c:\windows\Installer\24c6c1.msp
    c:\windows\Installer\25c79fe.msp
    c:\windows\Installer\26e282b.msp
    c:\windows\Installer\3106d9c.msp
    c:\windows\Installer\3106db1.msp
    c:\windows\Installer\3106dc6.msp
    c:\windows\Installer\3336da2.msp
    c:\windows\Installer\36a46a.msp
    c:\windows\Installer\4a884.msp
    c:\windows\Installer\4a899.msp
    c:\windows\Installer\4a8ae.msp
    c:\windows\Installer\5af153.msp
    c:\windows\Installer\606a81.msi
    c:\windows\Installer\60fade.msp
    c:\windows\Installer\60fadf.msp
    c:\windows\Installer\60faf4.msp
    c:\windows\Installer\6ea9c9.msp
    c:\windows\Installer\783a07.msp
    c:\windows\Installer\783a1c.msp
    c:\windows\Installer\783a31.msp
    c:\windows\Installer\abc8f1.msp
    c:\windows\Installer\abc906.msp
    c:\windows\Installer\adb1c5.msp
    c:\windows\Installer\adb1da.msp
    c:\windows\Installer\aebf05.msp
    c:\windows\Installer\aebf1a.msp
    c:\windows\Installer\bac90.msp
    c:\windows\Installer\baca4.msp
    c:\windows\Installer\bacb8.msp
    c:\windows\Installer\baccd.msp
    c:\windows\Installer\bace9.msp
    c:\windows\Installer\bacfe.msp
    c:\windows\Installer\bad16.msp
    c:\windows\Installer\bad2b.msp
    c:\windows\Installer\e5af35.msp
    c:\windows\Installer\e5af49.msp
    c:\windows\Installer\e5af5d.msp
    c:\windows\Installer\e5af72.msp
    c:\windows\Installer\fde99c.msp

    Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


    ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
    .

    2009-09-23 06:25 . 2009-09-23 06:25 -------- d-----w- c:\program files\Trend Micro
    2009-09-23 06:20 . 2009-09-23 06:20 -------- d-----w- c:\program files\ERUNT
    2009-09-23 05:27 . 2009-09-29 04:13 0 ----a-r- c:\windows\win32k.sys
    2009-09-23 05:21 . 2009-09-23 05:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-09-23 05:21 . 2009-09-23 05:21 -------- d-----w- c:\program files\Lavasoft
    2009-09-23 05:12 . 2009-09-23 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-23 05:12 . 2009-09-23 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-23 04:40 . 2009-09-23 05:21 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}(2)
    2009-09-23 04:40 . 2009-09-23 05:21 -------- d-----w- c:\program files\Lavasoft(2)
    2009-09-22 17:09 . 2009-09-22 17:09 -------- d-----w- C:\temp
    2009-09-13 16:20 . 2009-09-13 16:20 -------- d-----w- c:\windows\system32\XPSViewer
    2009-09-13 16:20 . 2009-09-13 16:20 -------- d-----w- c:\program files\MSBuild
    2009-09-13 16:20 . 2009-09-13 16:20 -------- d-----w- c:\program files\Reference Assemblies
    2009-09-13 16:20 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-09-13 16:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-09-13 16:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-09-13 16:20 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-09-13 16:20 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-09-13 16:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-09-13 16:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-09-13 16:20 . 2009-09-13 16:20 -------- d-----w- C:\e54eb5121e70e4f6b4e2b8eedc31
    2009-09-10 03:01 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
    2009-09-09 05:54 . 2009-09-09 05:54 -------- d-----w- c:\program files\Common Files\supportsoft
    2009-09-09 05:52 . 2009-01-20 21:33 3833856 ----a-w- c:\windows\system32\cdintf300.dll
    2009-09-09 05:35 . 2009-09-09 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
    2009-09-09 04:31 . 2009-09-09 05:31 -------- d-----w- c:\documents and settings\Jordan Van Voast\Application Data\Download Manager
    2009-09-09 04:31 . 2009-09-09 04:31 -------- d-----w- c:\program files\Akamai

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-29 05:17 . 2008-10-18 15:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-09-29 05:13 . 2008-10-18 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-09-29 04:25 . 2008-06-11 04:02 -------- d-----w- c:\program files\Mozilla Thunderbird
    2009-09-28 23:46 . 2008-08-02 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-09-27 04:50 . 2009-08-22 04:36 -------- d-----w- c:\documents and settings\Jordan Van Voast\Application Data\U3
    2009-09-23 05:21 . 2008-10-18 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-09-16 15:04 . 2008-06-10 23:49 47312 ----a-w- c:\documents and settings\Jordan Van Voast\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-09 05:49 . 2008-06-11 06:33 -------- d-----w- c:\program files\Common Files\Intuit
    2009-09-09 05:47 . 2008-06-11 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2009-08-22 08:15 . 2009-08-22 08:15 -------- d-----w- c:\program files\Quick Heal
    2009-08-22 08:08 . 2009-02-24 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2009-08-22 08:07 . 2008-06-13 03:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-31 21:25 . 2009-06-24 15:43 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 06:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]

    c:\documents and settings\Jordan Van Voast\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-16 984352]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk
    backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
    backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\aawservice.exe [7/3/2009 7:49 AM 611664]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S2 Online Protection System;Online Protection System;c:\progra~1\QUICKH~1\QUICKH~1\opssvc.exe --> c:\progra~1\QUICKH~1\QUICKH~1\opssvc.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-29 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 02:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.dharmafriendship.org/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
    FF - ProfilePath - c:\documents and settings\Jordan Van Voast\Application Data\Mozilla\Firefox\Profiles\cc7n0pab.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.dharmafriendship.org/
    FF - component: c:\documents and settings\Jordan Van Voast\Application Data\Mozilla\Firefox\Profiles\cc7n0pab.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-28 22:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2412)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Olympus\DeviceDetector\DM1Service.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-29 22:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-29 05:29

    Pre-Run: 134,795,784,192 bytes free
    Post-Run: 135,040,700,416 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    218 --- E O F --- 2009-09-29 01:26

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •