I run my own IT business and have seen many viruses and am usually successful at removing them without having to format.
However, this virus has me stumped. At first I didn't think it was a virus. No trace of it at first glance. Nothing unusual in the "Run" keys, no unusual processes, msconfig looked good.
I picked up a client's PC and did a system restore to a few days back. It seemed to fix the issue, so I installed some extra RAM to get his system to optimal performance and to make an extra buck. Well, while I was showing him the difference in performance the shell vanished. Explorer.exe was removed from the processes. I tried to reload it and it said I didn't have permission to run it. Strange, huh?
Well, so I started doing my research using taskman, opening IE to get some window browsing going. Ran AVG... every time I started a scan it would stop it. None of the components in AVG were loaded either. Had a malware removal tool also, ran it... closed it. Tried to open it again... got the same error as Explorer.exe got. Eventually this happened to IE too. Got HijackThis in and started a scan, also closed during scan like AVG. I tried safe mode, same issue. No shell, no access to most programs, and it closes everything.
If I had some lead on what program is doing this, that would help. But I can't seem to get any clues.
Anyone have any ideas??? Is there a DOS version of HijackThis? Even so, AVG's DOS scan stopped too. So it might be no use. Just need some insight. Thanks!

It is probably Windows Police Pro.
Please save this file to your desktop.
Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

The log was too long to post; furthermore I don't have a desktop... hence why I said explorer won't load. Tried to manually start it, got a permission error.
And it's not Windows Police Pro. There is no fake "Antivirus" software running that resembles Windows Police Pro.
PS... there is nothing in the Log that is out of the ordinary.
Let me explain better what is happening.
Windows starts up, no taskbar, no icons (no explorer.exe...). I tried to manually open explorer.exe and get this error:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
I get the same error with IE, AVG, and some other spyware removal tool. HijackThis opens, starts to scan, then closes immediately during the scan.
Things I still have access to:
cmd.exe
notepad.exe
taskmgr.exe
and various other programs. The strange thing is, I had access to explorer for a while, access to IE, AVG too. Then one by one as I tried to investigate it locked permissions on these like it did explorer. It's a very smart virus if you ask me. Also the control command doesn't respond. It did for a while but stopped shortly after I used it a few times. I'm assuming it's a service running in the background but I can't even access services to see if that is the case.
Just lemme know if you get any insight on this issue. Thanks.

Was there a bunch of max++ lines in it? What are you using to access the forum, not the infected computer I suppose, and will the infected computer boot into safe mode with networking and get a desktop?

Running from: F:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 06:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2004-08-04 14:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 05:23:07 1033216 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 19:12:19 1033728 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 05:23:07 1033216 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)
This is the first part of the file; the rest just repeats and its updates... I noticed the explorer in the Windows dir is not branded with Microsoft. I was able to get the shell up using another file in another dir. I backed it up also. I tried using MRT and it started to scan, closed out, and now I can't access it also. Another scan bites the dust. I can't figure it out for anything. I know the explorer running won't last long; the virus will take it down too.
From what I read, what is keeping me from finding the virus via scan is a rootkit. That's when I got MRT involved because it detects rootkits. But with MRT out... I don't know what to do. Everything that scans the registry fails and is locked.

First go to start> control panel> administrative tools> services> scroll down to eventlog> double click it> click stop> to the far right of "startup type" click the blue drop down arrow> select disabled> click ok then restart the computer.
Download Inherit.exe from subs from this link
1. Drag and drop any .exe files that will not run onto Inherit
2. Please confirm the prompts
3. This shall restore permissions to the application
4. The application should now run normally
Please open a command prompt (Start -> Run, type CMD and click OK). At the prompt copy and paste the following commands and press Enter:
DIR /a/s c:\scecli.dll netlogon.dll eventlog.dll >Log.txt&log.txt
Please post the log that was produced.
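The DIR /a/s command above is looking for the one copy of scecli.dll (or netlogon.dll, eventlog.dll) whose size disagrees with the reference copies Windows keeps in dllcache and ServicePackFiles. Doing that comparison by eye across a long listing is error-prone, so here is an added Python example that parses DIR's output and reports the odd one out. It is not jabuck's tool and not code from the thread; `SAMPLE_DIR` is a constructed listing in the format cmd.exe prints, with invented sizes (the only claim taken from the thread is that the patched file is much smaller than the others).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `DIR /a/s` output in the format cmd.exe prints it.
# The directories mirror where XP keeps a live DLL and its reference copies;
# the sizes are invented for the example, not real scecli.dll sizes.
SAMPLE_DIR = r""" Volume in drive C has no label.
 Volume Serial Number is 1C3D-9A2B

 Directory of C:\WINDOWS\system32

06/13/2007  05:23 AM            24,064 scecli.dll
               1 File(s)         24,064 bytes

 Directory of C:\WINDOWS\system32\dllcache

08/04/2004  02:00 PM           181,248 scecli.dll
               1 File(s)        181,248 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004  02:00 PM           181,248 scecli.dll
               1 File(s)        181,248 bytes

     Total Files Listed:
               3 File(s)        386,560 bytes
"""

DIR_HDR = re.compile(r"^\s*Directory of (.+)$")
# "<mm/dd/yyyy>  <hh:mm AM|PM>  <size with thousands separators>  <name>"
FILE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+)$")


def parse_dir_listing(text):
    """Return one record per file line, tagged with the directory it sits in."""
    entries, cwd = [], None
    for line in text.splitlines():
        if (m := DIR_HDR.match(line)):
            cwd = m.group(1).strip()
            continue
        m = FILE_LINE.match(line)
        if m and cwd:  # <DIR> entries have no numeric size and are skipped
            _date, _time, size, name = m.groups()
            entries.append({"dir": cwd, "name": name.strip(),
                            "size": int(size.replace(",", ""))})
    return entries


def size_outliers(entries):
    """Group copies by file name; the most common size among the copies is
    the reference, and any copy that differs from it is reported. When no
    two copies agree there is no reference and every copy is reported."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"].lower()].append(e)
    report = []
    for name, copies in by_name.items():
        if len(copies) < 2:
            continue
        ref_size, ref_count = Counter(e["size"] for e in copies).most_common(1)[0]
        if ref_count < 2:
            ref_size = None
        for e in copies:
            if ref_size is None or e["size"] != ref_size:
                report.append({"name": name, "dir": e["dir"], "size": e["size"],
                               "reference_size": ref_size,
                               "reference_copies": ref_count if ref_size is not None else 0})
    return report


if __name__ == "__main__":
    for r in size_outliers(parse_dir_listing(SAMPLE_DIR)):
        print(f'{r["name"]}: {r["dir"]} is {r["size"]} bytes, '
              f'{r["reference_copies"]} reference copies are {r["reference_size"]}')
```

On a real machine, feed it the Log.txt the command writes: `size_outliers(parse_dir_listing(open("Log.txt").read()))`. Two caveats. The majority vote assumes the copies in dllcache and ServicePackFiles are intact; if the malware touched those as well, the live copy would look like the reference. And agreement in size is not proof of integrity, since a file can be patched in place without changing its length, so a hash or Authenticode signature check is the stronger test once the machine can run such tools again.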

I see what you're getting at. Yeah, that file is much smaller than it should be. I'd post the log up, but I'm still having problems retrieving data from the PC. I'm on my laptop btw.
What should I do next? I repaired the file, restarted, but it still has the virus on it; a setup file just randomly loaded and then closed. Got an error on the screen that says "Error Loading tapi.nfo"

I too have a similar issue, although it doesn't appear to be as severe, yet. I am unable to access multiple programs due to a permission issue. HijackThis, ANY anti-virus/spyware programs, etc. are unavailable. I ran the inherit.exe and nothing ever came up. However, I was successful in running Win32kDiag.exe and it returned a log file as noted below. What does any of this mean? What's up with the max++?
<<log file>>
Running from: C:\Users\Jeff\Desktop\Win32kDiag.exe
Log file at : C:\Users\Jeff\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A9.tmp\ZAP3A9.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97BC.tmp\ZAP97BC.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ehome\CreateDisc\style\style
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Globalization\Globalization
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Help\Corporate\Corporate
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Microsoft.NET\authman\authman
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ModemLogs\ModemLogs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\nap\configuration\configuration
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Options\Cabs\Cabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\panther\setup.exe\setup.exe
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\PLA\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SchCache\SchCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\security\templates\templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\v2.0.50727.312
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SMINST\APPS\DTA\DTA
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SMINST\DRV\DTA\DTA
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\057d458a5288ce359a4a46636ed70a4e\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18842_none_83af6d0646d60121\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18842_none_83af6d0646d60121
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\057d458a5288ce359a4a46636ed70a4e\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22933_none_8444da075fea9e51\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22933_none_8444da075fea9e51
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\System32\cngaudit.dll
[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()
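Both Win32kDiag logs in this thread tell the same story once you know what to look for: every mount point resolves to `\Device\__max++>\^` rather than to a volume, most of the junctions are named after their own parent directory (`...\temp\temp`, `...\Desktop\Desktop`), and in the first log `C:\WINDOWS\explorer.exe` carries no company string while the `dllcache` copy of exactly the same size is branded Microsoft Corporation. The Python below is an added example that pulls those three signals out of a saved log; it is not Win32kDiag's code and was not posted in the thread. `SAMPLE_LOG` is constructed from lines quoted above plus one invented, legitimate volume mount point (`C:\MountedDrive`) so the contrast is visible.

```python
import re
from collections import defaultdict

# Constructed sample: the lines are modelled on the Win32kDiag output posted
# in this thread, plus one invented, legitimate volume mount point
# (C:\MountedDrive) so the contrast with the max++ entries is visible.
SAMPLE_LOG = r"""Running from: F:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\MountedDrive
Mount point destination : \??\Volume{0c1d2e3f-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 06:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2004-08-04 14:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 05:23:07 1033216 C:\WINDOWS\explorer.exe ()
[1] 2007-06-13 05:23:07 1033216 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] <date> <time> <size> <path> (<company>)"; the path may contain spaces.
FILE_RE = re.compile(
    r"^\[\d+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")


def parse_win32kdiag(text):
    """Split a Win32kDiag log into mount points, inaccessible paths and file entries."""
    mounts, inaccessible, files = [], [], []
    pending = None  # mount point path waiting for its destination line
    for line in text.splitlines():
        line = line.rstrip()
        if (m := MOUNT_RE.match(line)):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif (m := NOACCESS_RE.match(line)):
            inaccessible.append(m.group(1))
        elif (m := FILE_RE.match(line)):
            ts, size, path, company = m.groups()
            files.append({"time": ts, "size": int(size),
                          "path": path, "company": company})
    return {"mounts": mounts, "inaccessible": inaccessible, "files": files}


def suspicious_mounts(mounts):
    r"""A normal volume mount point targets \??\Volume{GUID}\ . Flag any other
    target (the log's \Device\__max++>\^) and any junction whose last path
    component merely repeats its parent's name (...\temp\temp)."""
    findings = []
    for path, dest in mounts:
        parts = path.rstrip("\\").split("\\")
        reasons = []
        if not dest.lower().startswith(r"\??\volume{"):
            reasons.append("target is not a volume: " + dest)
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction name repeats parent directory name")
        if reasons:
            findings.append((path, reasons))
    return findings


def unbranded_copies(files):
    """Among copies of one file name, report those with an empty company
    string when another copy is branded. Record whether the unbranded copy
    is exactly the size of a branded one: that points at a file rewritten
    in place, which a size comparison alone would never catch."""
    by_name = defaultdict(list)
    for f in files:
        by_name[f["path"].rsplit("\\", 1)[-1].lower()].append(f)
    findings = []
    for copies in by_name.values():
        branded = [f for f in copies if f["company"]]
        if not branded:
            continue  # nothing to compare against
        for f in copies:
            if f["company"]:
                continue
            findings.append({
                "path": f["path"],
                "size": f["size"],
                "same_size_as_branded_copy": any(b["size"] == f["size"] for b in branded),
            })
    return findings


def triage(log_text):
    parsed = parse_win32kdiag(log_text)
    return {
        "inaccessible": parsed["inaccessible"],
        "suspicious_mounts": suspicious_mounts(parsed["mounts"]),
        "unbranded": unbranded_copies(parsed["files"]),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("  ", item)
```

Run it against a saved Win32kDiag.txt with `triage(open(path).read())`. A missing company string is only a heuristic (plenty of legitimate third-party binaries ship without version info), so confirm the flagged file with a hash against a known-good copy before replacing it; what makes the explorer.exe finding strong here is the combination of no branding, identical size to the branded dllcache copy, and the "Cannot access" entry for the same path.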

Hey, I know this might not be right, but I'll say it anyway and give my input. Have you tried Malwarebytes? It's a very good spyware [remover], and it's free. Also in my opinion AVG sucks balls. My work uses Quick Heal and Kaspersky, never a job they can't do. This computer sounds viruses up to its ass; use Malwarebytes and tell me how many viruses it finds.

@ Stevem
I fixed my issue...I checked out other posts by jabuck and found this info which worked for me...
<<----Original Message-->>
Please download ComboFix to the desktop from one of the following links:
Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to "Combo-Fix", click save.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
<<--End Original Message-->>
I also used the Inherit.exe program he suggested which re-enabled usage of HijackThis and other "locked" files.
Props to you jabuck!

I appreciate all the help I got with this. I love trying to stump a virus that is this difficult, but I was on a time frame. The client needed his PC back today so I just backed up the data (which was only 500KB haha! no emails, no pictures... just Word docs... easy).
Evidently the virus is a rootkit. It mounted to "svchost.exe". I don't understand how rootkits work and how to remove them. I know people might have gotten them fixed, but it's not like any other virus I have seen. This thing was smart.
Basically what I think the rootkit does is mount a DLL and run its script through svchost (I saw this in the DLLs loaded into it). It uses RDP to perform its task (shutting down programs, changing perms, etc.). I do a lot of manual removal, I prefer it over software, I just trust myself better. I use Unlocker to do a lot of what I do. Basically I figured if I moved svchost to another location (Unlocker does this and keeps the process running) and then put in its place a clean svchost that on restart it would work. Nope. Both svchost files were clean. I'm assuming the virus loads into the svchost like any service does; however, it's not located in the registry like other services are. So I don't know. It's weird.
But it's back and up running fine now. Thanks anyway!
