Greetings G-2-G!

Day 3 of a very aggressive infection; I have followed the 'Malware and Spyware Cleaning Guide', step-by-step, with the following obstacles:
- System Restore simply does not work - when I attempted to launch the S/R from my own OS, it comes back with the message: "Incomplete - no changes made since Restore Point - Pick another Restore Point" - regardless how far I go back. When I try to Run the downloaded version I get the message: "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application"
- Malewarebytes: updater unsuccessful - "Error Code 732(0, 0).
Quick Scan launches and, after 6 seconds, simply disappears. quits, etc., with no error message. Also, re-named .exe file, but to no avail.
RootRepeal - downloading file simply freezes at the 82% mark - still frozen.
- OTL - launched Quick Scan, after 2 - 3 minutes it also simply disappeared - no message, no pop-ups, no explanation.

- Before appealing for your assistance, I tried to launch my own Anti-virus Apps (AVG, Avira, & some other freeware I found on CNET) - none would launch properly. Mostly, they reported connectivity problems when attempting to acquire updates, etc.
- Spybot would not download at all.
- my own, purchased version of 'Super Anti-Spyware' began scanning and, as soon as infected files began appearing in list, my desktop simply shutdown & re-booted - I tried this five times with the same result. I noted 8 'trojan & other type files found' just before it shutdown - and this after only approx. 325 files were scanned!!
- my default browser is Firefox, but now I'm getting IE pop-ups launching by themselves.
- I seem to be able to access my e-mail & navigate the Web normally otherwise, but any attempt to run an a/v, Spy/W remover or Registry Scan causes freezing, inaction, or shutdown.

Your assistance & advice will be most appreciated and will hopefully preserve my sanity. Thank you in advance.O.T.E.

This post has been edited by Wozman: Oct 31 2009, 08:10 PM

Hello! Welcome to GeekstoGo! I'm piano9playa5 and will be assisting you with your malware problems. If you have any questions, ask away! Just a few tips to make things go smoothly:

• Please be patient. There may be delays in between my posts, as I must check everything with a moderator before posting.
• Don't run tools you see being used in another topic. Running tools unsupervised can be dangerous.
• Copy\Paste logs in your replies, rather than attaching them, unless I instruct you to do otherwise. This makes things easier for me, and the moderator looking over this topic.

I'll post back some instructions shortly.

Hello. I think I know where the problem lies. I need a run with a specialized tool to confirm.

Win32kDiag
Download Win32kDiag from any of the following locations and save it to your Desktop.

Link 1
Link 2
Link 3

• Double-click on Win32kDiag to start the program.
• When finished (message will show), press any key to close it.
• Open the Win32kDiag.txt now on your Desktop and copy\paste the contents back here.

Good Morning - thanks for the reply.
Further to my initial report, when I power up my PC my 'Downloads' folder opens up [in my 'C' drive (OS Drive)], and I get the following message: "the instruction at '0x7c902128' referenced memory at '0xa48c6c9c'. The memory could not be read. Click on OK to terminate the program".

I ran the Win32kDiag and the following text was generated:


Running from: C:\Documents and Settings\Owner\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP168.tmp\ZAP168.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24.tmp\ZAP24.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP249.tmp\ZAP249.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP270.tmp\ZAP270.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BF.tmp\ZAP2BF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC6.tmp\ZAPC6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

[1] 2004-08-04 02:56:50 763392 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Sorry - there was a bit more before it indicated 'Finished':


[2] 2008-04-13 19:12:21 744448 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP118\A0022457.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 02:56:48 30208 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 30208 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[2] 2008-04-13 19:12:18 30208 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP118\A0022429.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2008-04-13 19:11:53 56320 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP110\A0012153.dll (Microsoft Corporation)

[2] 2008-04-13 19:11:53 56320 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP110\A0012155.dll (Microsoft Corporation)

[2] 2008-04-13 19:11:53 56320 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP110\A0012156.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

This post has been edited by Wozman: Nov 1 2009, 10:07 AM

Hello.



Step One

1. Please go to Start > Run
2. Copy\Paste the following into the dialogue:
   
   
   CODE
   "%userprofile%\desktop\win32kdiag.exe" -f -r
   
   
3. Click Ok
4. Once done, there should be a file, Win32kDiag.txt on your Desktop.
5. Open it, and post the contents here.

Step Two

1. Please download The Avenger by Swandog46 to your Desktop.
• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


CODE
Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Step Three
You must use Internet Explorer to download this!

Please download Combofix from any of the links below. You must rename it before saving.
Please rename it to Wozman before saving it to your desktop.

Download Link #1
Download Link #2

==================================

1. Temporarily disable Anti-Virus\Anti-Malware real-time protection.
2. Double click on Wozman and follow the prompts.
3. Be patient. It could take a while to load\run.
4. When finished, it will produce a report for you.
5. Please post the C:\ComboFix.txt so we can continue cleaning the system.

Logs&Info
Remember to post back the following logs:

1. Win32kDiag.txt
2. C:\avenger.txt
3. C:\ComboFix.txt

This post has been edited by piano9playa5: Nov 1 2009, 11:01 AM

STEP 1:

Running from: C:\Documents and Settings\Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP168.tmp\ZAP168.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP168.tmp\ZAP168.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B.tmp\ZAP1B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24.tmp\ZAP24.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24.tmp\ZAP24.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP249.tmp\ZAP249.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP249.tmp\ZAP249.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP270.tmp\ZAP270.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP270.tmp\ZAP270.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BF.tmp\ZAP2BF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BF.tmp\ZAP2BF.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC6.tmp\ZAPC6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC6.tmp\ZAPC6.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2008-04-13 19:11:53 56320 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP110\A0012153.dll (Microsoft Corporation)

[2] 2008-04-13 19:11:53 56320 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP110\A0012155.dll (Microsoft Corporation)

[2] 2008-04-13 19:11:53 56320 C:\System Volume Information\_restore{F9A9B019-FD9E-49E2-B048-EC61048A58DF}\RP110\A0012156.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Temp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!


STEP 2: - Avenger won't execute. I've pasted the code you provided but I get the following message: "Error: Invalid Script. A valid script must begin with a command directive.". I'll stop here before going to Step 3. My apologies - I should probably know about 'command prompt', but I'm still near the bottom of the learning curve.

This post has been edited by Wozman: Nov 1 2009, 03:01 PM

I think I know the problem. You need to copy ALL of the contents of the codebox.. Including Files to Move:
Once you've pasted it into Avenger, it should like this:






Making sure you've copied all of the codebox, please do Step Two and then proceed to Step Three.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Nov 01 13:08:14 2009

13:08:14: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Nov 01 13:09:23 2009

13:09:23: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "zjgewectf7" found!
DisplayName: zjgewectf7.sys
ImagePath: system32\drivers\zjgewectf7.sys
Start Type: 1 (System)

Hidden driver "zrskoyvmxrycy9" found!
DisplayName: zrskoyvmxrycy9.sys
ImagePath: system32\drivers\zrskoyvmxrycy9.sys
Start Type: 1 (System)

Rootkit scan completed.

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


That was the Avenger text; however as I was waiting for the Combofix text, I got the following 'pop-up': "ALERT: It is NOT SAFE to continue. The contents of the Combofix package has been compromised. Please download a copy from http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Note: you may be infected with a file-patching virus 'Virut'"
I have tried downloading this from both links, both re-naming the.exe file, as well as leaving it as - all with the same pop-up warning.

This post has been edited by Wozman: Nov 2 2009, 07:54 AM

Hello. That warning from CF doesn't look good. I will need to confirm:

• Make sure to use Internet Explorer for this
• Please go to VirSCAN.org FREE on-line scan service
• Click Browse, navigate to the following file, and click Open.
  
  
  • c:\windows\system32\userinit.exe
  
  
• Click on the Upload button
• If a pop-up appears saying the file has been scanned already, please select the ReScan button.
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.
• Please repeat the above steps for each of the following files:
  • C:\WINDOWS\explorer.exe
  • C:\WINDOWS\System32\svchost.exe

OK - here goes, in the order you indicated:

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 20:41:50 (CST)
Scanner results: 35% Scanner(s) (13/37) found malware!
File Name : userinit.exe
File Size : 45568 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 727a47a36b7afab799af48ae8caf8cc5
SHA1 : f0888067e6d5094233f1d0cc54d4ca1f14168b84
Online report : http://virscan.org/report/ceaf25bab53e513d...b254d19b45.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091103030118 2009-11-03 0.08 -
AhnLab V3 2009.11.03.00 2009.11.03 2009-11-03 0.08 -
AntiVir 8.2.1.53 7.1.6.180 2009-11-02 0.22 W32/Virut.Gen
Antiy 2.0.18 20091102.3201984 2009-11-02 0.02 -
Arcavir 2009 200911021829 2009-11-02 0.05 -
Authentium 5.1.1 200911022233 2009-11-02 1.24 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091102-0 2009-11-02 0.01 Win32:Vitro
AVG 8.5.288 270.14.46/2477 2009-11-03 0.56 -
BitDefender 7.81008.4480846 7.28714 2009-11-03 3.95 Win32.Virtob.Gen.12
CA (VET) 18337069 18337069 18337069 0.14 -
ClamAV 0.95.2 9977 2009-11-03 0.02 -
Comodo 3.12 2821 2009-11-03 0.08 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.02 2009-11-02 6.36 Win32.Virut.56
F-Prot 4.4.4.56 20091102 2009-11-02 1.22 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.02.15 2009-11-02 0.10 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 11.14 2009-11-02 0.08 -
GData 19.8700/19.532 20091103 2009-11-03 0.08 -
ViRobot 20091102 2009.11.02 2009-11-02 0.08 -
Ikarus T3.1.01.72 2009.11.03.74424 2009-11-03 6.22 Gen.Malware
JiangMin 11.0.800 2009.11.02 2009-11-02 0.08 -
Kaspersky 5.5.10 2009.11.02 2009-11-02 0.06 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.2.21 2009-11-02 0.08 -
McAfee 5.3.00 5790 2009-11-02 3.43 W32/Virut.n.gen
Microsoft 1.5202 2009.11.03 2009-11-03 0.08 -
Norman 6.01.09 6.01.00 2009-11-02 4.01 W32/Virut.DY
Panda 9.05.01 2009.11.02 2009-11-02 0.08 -
Trend Micro 8.700-1004 6.598.01 2009-11-02 0.05 PE_VIRUX.GEN-2
Quick Heal 10.00 2009.11.02 2009-11-02 0.08 -
Rising 20.0 21.54.04.00 2009-11-02 0.08 -
Sophos 3.00.1 4.46 2009-11-03 2.86 -
Sunbelt 5484 5484 2009-11-02 0.08 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091030.01 6063347 2009-10-30 0.08 -
The Hacker 6.5.0.2 v00058 2009-10-31 0.08 -
VBA32 3.12.10.11 20091102.1420 2009-11-02 1.99 -
VirusBuster 4.5.11.10 10.113.5/1998065 2009-11-02 3.10 Win32.Virut.AB.Gen



VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 20:47:17 (CST)
Scanner results: 32% Scanner(s) (12/37) found malware!
File Name : svchost.exe
File Size : 33792 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e732381078194663c0dc94b9551b327c
SHA1 : 8d9f812f313d85294e18b4e3e7e500e7785454e9
Online report : http://virscan.org/report/f2c90b9c97e13421...82d7df719d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091103030118 2009-11-03 0.08 -
AhnLab V3 2009.11.03.00 2009.11.03 2009-11-03 0.08 -
AntiVir 8.2.1.53 7.1.6.180 2009-11-02 0.49 W32/Virut.Gen
Antiy 2.0.18 20091102.3201984 2009-11-02 0.02 -
Arcavir 2009 200911021829 2009-11-02 0.05 -
Authentium 5.1.1 200911022233 2009-11-02 1.22 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091102-0 2009-11-02 0.01 Win32:Vitro
AVG 8.5.288 270.14.46/2477 2009-11-03 0.51 -
BitDefender 7.81008.4480846 7.28714 2009-11-03 3.94 Win32.Virtob.Gen.12
CA (VET) 18337069 18337069 18337069 0.08 -
ClamAV 0.95.2 9977 2009-11-03 0.01 -
Comodo 3.12 2821 2009-11-03 0.08 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.02 2009-11-02 6.31 Win32.Virut.56
F-Prot 4.4.4.56 20091102 2009-11-02 1.20 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.02.15 2009-11-02 0.10 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 11.14 2009-11-02 0.08 -
GData 19.8700/19.532 20091103 2009-11-03 0.08 -
ViRobot 20091102 2009.11.02 2009-11-02 0.08 -
Ikarus T3.1.01.72 2009.11.03.74424 2009-11-03 4.31 -
JiangMin 11.0.800 2009.11.02 2009-11-02 0.08 -
Kaspersky 5.5.10 2009.11.02 2009-11-02 0.06 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.2.21 2009-11-02 0.08 -
McAfee 5.3.00 5790 2009-11-02 3.43 W32/Virut.n.gen
Microsoft 1.5202 2009.11.03 2009-11-03 0.08 -
Norman 6.01.09 6.01.00 2009-11-02 4.01 W32/Virut.DY
Panda 9.05.01 2009.11.02 2009-11-02 0.08 -
Trend Micro 8.700-1004 6.598.01 2009-11-02 0.05 PE_VIRUX.GEN-2
Quick Heal 10.00 2009.11.02 2009-11-02 0.08 -
Rising 20.0 21.54.04.00 2009-11-02 0.08 -
Sophos 3.00.1 4.46 2009-11-03 2.87 -
Sunbelt 5484 5484 2009-11-02 0.08 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091030.01 6063347 2009-10-30 0.08 -
The Hacker 6.5.0.2 v00058 2009-10-31 0.08 -
VBA32 3.12.10.11 20091102.1420 2009-11-02 1.97 -
VirusBuster 4.5.11.10 10.113.5/1998065 2009-11-02 2.98 Win32.Virut.AB.Gen



VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 20:49:56 (CST)
Scanner results: 35% Scanner(s) (13/37) found malware!
File Name : explorer.exe
File Size : 1053184 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : ec59c61e4b2b1994f20b65a3055961a9
SHA1 : 7e979eab0c5c49a2e06a5b5a7b4ce3cc428c7e1f
Online report : http://virscan.org/report/48e05677b07d658b...e8be358798.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091103030118 2009-11-03 0.08 -
AhnLab V3 2009.11.03.00 2009.11.03 2009-11-03 0.08 -
AntiVir 8.2.1.53 7.1.6.180 2009-11-02 0.45 W32/Virut.Gen
Antiy 2.0.18 20091102.3201984 2009-11-02 0.02 -
Arcavir 2009 200911021829 2009-11-02 0.09 -
Authentium 5.1.1 200911022233 2009-11-02 1.24 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091102-0 2009-11-02 0.05 Win32:Vitro
AVG 8.5.288 270.14.46/2477 2009-11-03 0.47 -
BitDefender 7.81008.4480846 7.28714 2009-11-03 3.94 Win32.Virtob.Gen.12
CA (VET) 18337069 18337069 18337069 0.08 -
ClamAV 0.95.2 9977 2009-11-03 0.17 -
Comodo 3.12 2821 2009-11-03 0.08 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.02 2009-11-02 6.31 Win32.Virut.56
F-Prot 4.4.4.56 20091102 2009-11-02 1.22 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.02.15 2009-11-02 0.13 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 11.14 2009-11-02 0.08 -
GData 19.8700/19.532 20091103 2009-11-03 0.08 -
ViRobot 20091102 2009.11.02 2009-11-02 0.08 -
Ikarus T3.1.01.72 2009.11.03.74424 2009-11-03 4.24 Trojan.Win32.Patched
JiangMin 11.0.800 2009.11.02 2009-11-02 0.08 -
Kaspersky 5.5.10 2009.11.02 2009-11-02 0.07 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.3.7 2009-11-03 0.08 -
McAfee 5.3.00 5790 2009-11-02 3.45 W32/Virut.n.gen
Microsoft 1.5202 2009.11.03 2009-11-03 0.08 -
Norman 6.01.09 6.01.00 2009-11-02 4.00 W32/Virut.DY
Panda 9.05.01 2009.11.02 2009-11-02 0.08 -
Trend Micro 8.700-1004 6.598.01 2009-11-02 0.10 PE_VIRUX.GEN-2
Quick Heal 10.00 2009.11.02 2009-11-02 0.08 -
Rising 20.0 21.54.04.00 2009-11-02 0.08 -
Sophos 3.00.1 4.46 2009-11-03 2.90 -
Sunbelt 5484 5484 2009-11-02 0.08 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091030.01 6063347 2009-10-30 0.08 -
The Hacker 6.5.0.2 v00058 2009-10-31 0.08 -
VBA32 3.12.10.11 20091102.1420 2009-11-02 2.06 -
VirusBuster 4.5.11.10 10.113.5/1998065 2009-11-02 3.61 Win32.Virut.AB.Gen


That's it - I think I got all three done, but it took awhile.
Thank you again for your (ongoing) patience.
Wozman

I'm afraid I have some bad news.

You have been infected with a polymorphic file infecter named Virut. This infection will spread to every executable file in your computer, and unfortunately the only cure for it is to Reformat and Reinstall.

Right now, the best thing you can do is to backup, preferably to CD, all your important data, documents, pictures, movies, and songs.

DO NOT backup any applications or installers and DO NOT backup any files with the following extensions:

• .exe
• .scr
• .htm
• .html
• .xml
• .zip
• .rar

For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

I am sorry I cannot give any better news. If you need any help with the reformat\reinstall, I'm here.

piano9playa5 - I thank you for your extensive assistance. I think I know what I have to do. And then, when I find the culprit behind these viruses, I also know what I have to do. And then, when I get paroled, I'll re-format & re-install (lol - just kidding, although I can think of some original corrective measures for those responsible). Oh well, thanks again. Kudos to you and your colleagues, this is a great site which I will be telling the 'world' about.

Best Regards,

Wozman

Thank you for your kind words.

I thought you were serious for a moment...

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.