#21 (permalink)
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
Re: Computer badly infected with viruses - PLEASE HELP!
Ok, I put all of those codes in, and they all said successful. Then, I ran the shyguyfix.bat as an administrator, and here are the results below! Thanks!
#22 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
Re: Computer badly infected with viruses - PLEASE HELP!
Okay, we'll need to do the same with this folder as well
On your keyboard, click the Windows logo key and the letter R to bring up the Run command. Copy/paste the following command into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "c:\Windows\winsxs\Temp"

After you see the OKay message, download the attachment in my previous post again, and follow those same instructions. Post back to tell me what it says.

#24 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
Re: Computer badly infected with viruses - PLEASE HELP!
What we need to do now is run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course. Get the scan going, then walk away and do something fun for the next couple of hours.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note** To optimize scanning time and produce a more sensible report for review:

#25 (permalink)
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
Re: Computer badly infected with viruses - PLEASE HELP!
Hello, sorry for the small delay in getting back to you. I ran Kaspersky and it found 3 infected files. I will post the log below =) Thanks!
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 10, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 09, 2009 19:14:35
Records in database: 2942671
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 143569
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:07:19

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir Infected: Trojan.Win32.Sirefef.a 1
C:\Windows\System32\LogonUI(386).exe Infected: Virus.Win32.Virut.ce 1
C:\Windows\winsxs\x86_microsoft-windows-authentication-logonui_31bf3856ad364e35_6.0.6001.18000_none_6593128e7338aab2\LogonUI(652).exe Infected: Virus.Win32.Virut.ce 1

Selected area has been scanned.

#26 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
Re: Computer badly infected with viruses - PLEASE HELP!
Any mention of Virut is not good. Let's see what other AVs have to say.

Please go to Virus Total

Do you have the Windows Vista install disc? Also, navigate to C:\Windows\System32\. Do you see a lot of LogonUI.exe files listed there? All of them would have a number in parentheses similar to the one I'm having you upload to Virus Total.

Last edited by Ried; 10-10-2009 at 07:07 AM.

#27 (permalink)
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
Re: Computer badly infected with viruses - PLEASE HELP!
Hello,
I ran the Virus Total tool. I will post the log below. I looked in C:\windows\system32\ and there are only 2 mentions of LogonUI.exe: one of them has no parentheses, like what I just typed, and the other is LogonUI(386).exe. I do not have the Windows Vista install disc; however, I have 3 recovery discs from HP (1-3). Here is the Virus Total log below:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.10 -
AhnLab-V3 5.0.0.2 2009.10.10 -
AntiVir 7.9.1.35 2009.10.09 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.10.10 -
Authentium 5.1.2.4 2009.10.10 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.10.09 -
AVG 8.5.0.420 2009.10.04 Win32/Virut
BitDefender 7.2 2009.10.10 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.10.10 W32.Virut.G
ClamAV 0.94.1 2009.10.10 -
Comodo 2559 2009.10.10 -
DrWeb 5.0.0.12182 2009.10.10 Win32.Virut.56
eSafe 7.0.17.0 2009.10.08 Suspicious File
eTrust-Vet 35.1.7060 2009.10.09 Win32/Virut.17408
F-Prot 4.5.1.85 2009.10.10 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.10.10 Virus.Win32.Virut.ce
Fortinet 3.120.0.0 2009.10.10 -
GData 19 2009.10.10 Win32.Virtob.Gen.12
Ikarus T3.1.1.72.0 2009.10.10 -
Jiangmin 11.0.800 2009.10.08 Win32/Virut.bo
K7AntiVirus 7.10.867 2009.10.10 -
Kaspersky 7.0.0.125 2009.10.10 Virus.Win32.Virut.ce
McAfee 5767 2009.10.10 W32/Virut.n.gen
McAfee+Artemis 5766 2009.10.09 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.10.10 Heuristic.LooksLike.Win32.SuspiciousPE.B!88
Microsoft 1.5101 2009.10.10 Virus:Win32/Virut.gen!O
NOD32 4495 2009.10.10 Win32/Virut.NBP
Norman 6.01.09 2009.10.09 W32/Virut.DX
nProtect 2009.1.8.0 2009.10.10 -
Panda 10.0.2.2 2009.10.10 W32/Sality.AO
PCTools 4.4.2.0 2009.10.10 -
Prevx 3.0 2009.10.10 -
Rising 21.50.52.00 2009.10.10 Win32.Virut.cr
Sophos 4.45.0 2009.10.10 W32/Scribble-B
Sunbelt 3.2.1858.2 2009.10.10 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.10.10 W32.Virut.CF
TheHacker 6.5.0.2.035 2009.10.10 -
TrendMicro 8.950.0.1094 2009.10.10 Possible_Virus
VBA32 3.12.10.11 2009.10.09 -
ViRobot 2009.10.9.1978 2009.10.09 Win32.Virut.AM
VirusBuster 4.6.5.0 2009.10.10 -

Additional information
File size: 29696 bytes
MD5...: 9331527eb563ba1e4622060a5eb18d47
SHA1..: cec6ad74b18d418e4d17a775d58cfb1e61ad1d9f
SHA256: e8c42bad9458c3d1777b9de7dde89077e0a8a725ed524d5d270fd11c3f0f084e
ssdeep: 768:mVytuoApLlBwSsgSnf2Aru05mnTqoS0+:mWApLlBj7St6TqoS0+
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x42ef
timedatestamp.....: 0xdd0fac10L (invalid)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xecc 0x1000 5.91 7781cbf7f2abbd16d918fc121a2eaada
.data 0x2000 0x370 0x400 0.10 e6221dc0fd8c68cda77dc9c35ac6c44f
.rsrc 0x3000 0x840 0xa00 4.05 456c4f076f6d87e134711d0c0aecad78
.reloc 0x4000 0x5200 0x5200 7.91 1eac6ca48745214df896dd8bf04043a8
( 3 imports )
> KERNEL32.dll: SetPriorityClass, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoW, InterlockedCompareExchange, Sleep, InterlockedExchange, UnhandledExceptionFilter
> msvcrt.dll: __p__fmode, __set_app_type, _terminate@@YAXXZ, _except_handler4_common, _controlfp, __p__commode, wcstoul, wcsncmp, __wgetmainargs, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _exit, _cexit
> ole32.dll: CoCreateInstance, CoUninitialize, CoInitializeEx
( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Logon User Interface Host
original name: logonui.exe
internal name: logonui.exe
file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#28 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
Re: Computer badly infected with viruses - PLEASE HELP!
Thank you. I realize Kaspersky did not flag the one in the system32 folder, but Virut is a polymorphic file infector. As such, it is odd to only see 1 file infected.

Please do me a favor and upload the one in the system32 folder so the other AVs can have a look at that one. Same procedure as before: go to Virus Total and copy/paste this path:

C:\Windows\System32\LogonUI.exe

Again, click ReAnalyse now if it says it has been analysed before. Post the results for me.

=========================

I'd also like to see a new log from junction.bat if you'd be kind enough to run that again.

#29 (permalink)
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
Re: Computer badly infected with viruses - PLEASE HELP!
Here are the results from Virus Total again, using the C:\Windows\System32\LogonUI.exe path. I will post the Junction.bat log after this post. Thanks!

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.10 -
AhnLab-V3 5.0.0.2 2009.10.10 -
AntiVir 7.9.1.35 2009.10.09 -
Antiy-AVL 2.0.3.7 2009.10.10 -
Authentium 5.1.2.4 2009.10.10 -
Avast 4.8.1351.0 2009.10.09 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.10 -
CAT-QuickHeal 10.00 2009.10.10 -
ClamAV 0.94.1 2009.10.10 -
Comodo 2559 2009.10.10 -
DrWeb 5.0.0.12182 2009.10.10 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7060 2009.10.09 -
F-Prot 4.5.1.85 2009.10.10 -
F-Secure 8.0.14470.0 2009.10.10 -
Fortinet 3.120.0.0 2009.10.10 -
GData 19 2009.10.10 -
Ikarus T3.1.1.72.0 2009.10.10 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.867 2009.10.10 -
Kaspersky 7.0.0.125 2009.10.10 -
McAfee 5767 2009.10.10 -
McAfee+Artemis 5767 2009.10.10 -
McAfee-GW-Edition 6.8.5 2009.10.10 -
Microsoft 1.5101 2009.10.10 -
NOD32 4495 2009.10.10 -
Norman 6.01.09 2009.10.09 -
nProtect 2009.1.8.0 2009.10.10 -
Panda 10.0.2.2 2009.10.10 -
PCTools 4.4.2.0 2009.10.10 -
Prevx 3.0 2009.10.10 -
Rising 21.50.52.00 2009.10.10 -
Sophos 4.45.0 2009.10.10 -
Sunbelt 3.2.1858.2 2009.10.10 -
Symantec 1.4.4.12 2009.10.10 -
TheHacker 6.5.0.2.035 2009.10.10 -
TrendMicro 8.950.0.1094 2009.10.10 -
VBA32 3.12.10.11 2009.10.09 -
ViRobot 2009.10.9.1978 2009.10.09 -
VirusBuster 4.6.5.0 2009.10.10 -

Additional information
File size: 9216 bytes
MD5...: 62d577288b48998fc6667bf22dc5b690
SHA1..: d50c0e8f41b31fe95f269e4869c78e1013a20975
SHA256: 2ae9e184ba655eb56488a3deff1c7c37b1c99eeb821e961390fce2efce6d7cbf
ssdeep: 192:m6Fts37xYv4wljoy+IYXZmiuoLDLWqqUWj:mClvfyy+fFuozWqqUW
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x155d
timedatestamp.....: 0x47918daf (Sat Jan 19 05:42:07 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xecc 0x1000 5.91 7781cbf7f2abbd16d918fc121a2eaada
.data 0x2000 0x370 0x400 0.10 e6221dc0fd8c68cda77dc9c35ac6c44f
.rsrc 0x3000 0x840 0xa00 4.05 456c4f076f6d87e134711d0c0aecad78
.reloc 0x4000 0x114 0x200 4.14 164efe51f370f57d119de38cc8e43603
( 3 imports )
> KERNEL32.dll: SetPriorityClass, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoW, InterlockedCompareExchange, Sleep, InterlockedExchange, UnhandledExceptionFilter
> msvcrt.dll: __p__fmode, __set_app_type, _terminate@@YAXXZ, _except_handler4_common, _controlfp, __p__commode, wcstoul, wcsncmp, __wgetmainargs, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _exit, _cexit
> ole32.dll: CoCreateInstance, CoUninitialize, CoInitializeEx
( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Logon User Interface Host
original name: logonui.exe
internal name: logonui.exe
file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
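The two Virus Total reports in posts #27 and #29 describe the same LogonUI.exe build, and they differ exactly where a file infector leaves its mark: the last section (.reloc) has changed hash, grown from 0x200 to 0x5200 bytes, reached entropy 7.91, and now contains the entry point, while the .text/.data/.rsrc hashes are untouched. This added example (not part of the thread and not a Virus Total tool) parses the PEInfo lines quoted in both reports and reports those signs; the report strings are copied from the two posts above, and the 7.0 entropy threshold is an assumed rule of thumb.

```python
"""Read the PEInfo block of an old-style VirusTotal report and point at the signs
a file infector leaves: a last section that changed, grew, reached near-random
entropy and now holds the entry point."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entry point, timestamp and section lines copied from the
# two reports in this thread, one field per line.  The first is LogonUI(386).exe
# (post #27), the second the LogonUI.exe that came back clean (post #29).
INFECTED_REPORT = """
entrypointaddress.: 0x42ef
timedatestamp.....: 0xdd0fac10L (invalid)
.text 0x1000 0xecc 0x1000 5.91 7781cbf7f2abbd16d918fc121a2eaada
.data 0x2000 0x370 0x400 0.10 e6221dc0fd8c68cda77dc9c35ac6c44f
.rsrc 0x3000 0x840 0xa00 4.05 456c4f076f6d87e134711d0c0aecad78
.reloc 0x4000 0x5200 0x5200 7.91 1eac6ca48745214df896dd8bf04043a8
"""
CLEAN_REPORT = """
entrypointaddress.: 0x155d
timedatestamp.....: 0x47918daf (Sat Jan 19 05:42:07 2008)
.text 0x1000 0xecc 0x1000 5.91 7781cbf7f2abbd16d918fc121a2eaada
.data 0x2000 0x370 0x400 0.10 e6221dc0fd8c68cda77dc9c35ac6c44f
.rsrc 0x3000 0x840 0xa00 4.05 456c4f076f6d87e134711d0c0aecad78
.reloc 0x4000 0x114 0x200 4.14 164efe51f370f57d119de38cc8e43603
"""

# Assumed rule of thumb: Shannon entropy this close to the 8.0 maximum means the
# bytes look random (packed or encrypted code), not relocation fix-ups.
HIGH_ENTROPY = 7.0

# name viradd virsiz rawdsiz ntrpy md5  (the column order VirusTotal used)
SECTION_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<va>0x[0-9a-f]+)\s+(?P<vs>0x[0-9a-f]+)\s+"
    r"(?P<rs>0x[0-9a-f]+)\s+(?P<ent>\d+\.\d+)\s+(?P<md5>[0-9a-f]{32})$"
)


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


@dataclass
class PEInfo:
    entry_point: int
    timestamp_valid: bool
    sections: List[Section]


def parse_peinfo(text: str) -> PEInfo:
    """Pull entry point, timestamp validity and the section table out of the report."""
    entry: Optional[int] = None
    timestamp_valid = True
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("entrypointaddress"):
            entry = int(line.split(":", 1)[1].strip(), 16)
        elif line.startswith("timedatestamp"):
            timestamp_valid = "(invalid)" not in line
        elif m := SECTION_RE.match(line):
            sections.append(Section(m["name"], int(m["va"], 16), int(m["vs"], 16),
                                    int(m["rs"], 16), float(m["ent"]), m["md5"]))
    if entry is None or not sections:
        raise ValueError("no PEInfo block found")
    return PEInfo(entry, timestamp_valid, sections)


def assess(pe: PEInfo) -> List[str]:
    """Findings that point at a modified binary; an empty list means nothing stood out."""
    findings: List[str] = []
    last = pe.sections[-1]
    entry_section = next((s for s in pe.sections if s.contains(pe.entry_point)), None)
    if entry_section is None:
        findings.append(f"entry point 0x{pe.entry_point:x} lies outside every section")
    elif entry_section is last and len(pe.sections) > 1:
        # Compilers place the entry point in the code section; a file infector
        # appends its body to the last section and redirects the entry point there.
        findings.append(f"entry point 0x{pe.entry_point:x} is inside the last section {last.name}")
    if last.entropy >= HIGH_ENTROPY:
        findings.append(f"last section {last.name} has entropy {last.entropy:.2f}")
    if not pe.timestamp_valid:
        findings.append("PE timestamp is invalid")
    return findings


def diff_against_clean(clean: PEInfo, suspect: PEInfo) -> List[str]:
    """Sections whose hash differs from a known-good copy of the same file version."""
    changed = [f"{s.name}: raw size 0x{c.raw_size:x} -> 0x{s.raw_size:x}, "
               f"entropy {c.entropy:.2f} -> {s.entropy:.2f}"
               for c, s in zip(clean.sections, suspect.sections) if c.md5 != s.md5]
    if len(clean.sections) != len(suspect.sections):
        changed.append("section count differs")
    return changed
```

Run against the two reports, assess() is empty for LogonUI.exe and returns three findings for LogonUI(386).exe, and diff_against_clean() names .reloc as the only changed section.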
#30 (permalink)
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
Re: Computer badly infected with viruses - PLEASE HELP!
And here is the log from junction.bat:

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION   Print Name: c:\Users   Substitute Name: c:\Users
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
\\?\c:\\ProgramData\Application Data: JUNCTION   Print Name: c:\ProgramData   Substitute Name: c:\ProgramData
\\?\c:\\ProgramData\Desktop: JUNCTION   Print Name: c:\Users\Public\Desktop   Substitute Name: c:\Users\Public\Desktop
\\?\c:\\ProgramData\Documents: JUNCTION   Print Name: c:\Users\Public\Documents   Substitute Name: c:\Users\Public\Documents
\\?\c:\\ProgramData\Favorites: JUNCTION   Print Name: c:\Users\Public\Favorites   Substitute Name: c:\Users\Public\Favorites
\\?\c:\\ProgramData\Start Menu: JUNCTION   Print Name: c:\ProgramData\Microsoft\Windows\Start Menu   Substitute Name: c:\ProgramData\Microsoft\Windows\Start Menu
\\?\c:\\ProgramData\Templates: JUNCTION   Print Name: c:\ProgramData\Microsoft\Windows\Templates   Substitute Name: c:\ProgramData\Microsoft\Windows\Templates
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9d01204a0294f878ccfc90f86a6d9550_b6f4ef62-bf5c-4674-87cc-43aa9fb14601: Access is denied.
\\?\c:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT
\\?\c:\\Users\Default User: JUNCTION   Print Name: c:\Users\Default   Substitute Name: c:\Users\Default
\\?\c:\\Users\All Users\Application Data: JUNCTION   Print Name: c:\ProgramData   Substitute Name: c:\ProgramData
\\?\c:\\Users\All Users\Desktop: JUNCTION   Print Name: c:\Users\Public\Desktop   Substitute Name: c:\Users\Public\Desktop
\\?\c:\\Users\All Users\Documents: JUNCTION   Print Name: c:\Users\Public\Documents   Substitute Name: c:\Users\Public\Documents
\\?\c:\\Users\All Users\Favorites: JUNCTION   Print Name: c:\Users\Public\Favorites   Substitute Name: c:\Users\Public\Favorites
\\?\c:\\Users\All Users\Start Menu: JUNCTION   Print Name: c:\ProgramData\Microsoft\Windows\Start Menu   Substitute Name: c:\ProgramData\Microsoft\Windows\Start Menu
\\?\c:\\Users\All Users\Templates: JUNCTION   Print Name: c:\ProgramData\Microsoft\Windows\Templates   Substitute Name: c:\ProgramData\Microsoft\Windows\Templates
Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\9d01204a0294f878ccfc90f86a6d9550_b6f4ef62-bf5c-4674-87cc-43aa9fb14601: Access is denied.
\\?\c:\\Users\Default\Application Data: JUNCTION   Print Name: c:\Users\Default\AppData\Roaming   Substitute Name: c:\Users\Default\AppData\Roaming
\\?\c:\\Users\Default\Local Settings: JUNCTION   Print Name: c:\Users\Default\AppData\Local   Substitute Name: c:\Users\Default\AppData\Local
\\?\c:\\Users\Default\My Documents: JUNCTION   Print Name: c:\Users\Default\Documents   Substitute Name: c:\Users\Default\Documents
\\?\c:\\Users\Default\NetHood: JUNCTION   Print Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts   Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
\\?\c:\\Users\Default\PrintHood: JUNCTION   Print Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts   Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\\?\c:\\Users\Default\Recent: JUNCTION   Print Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent   Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\\Users\Default\SendTo: JUNCTION   Print Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo   Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
\\?\c:\\Users\Default\Start Menu: JUNCTION   Print Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu   Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
\\?\c:\\Users\Default\Templates: JUNCTION   Print Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates   Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION   Print Name: c:\Users\Default\AppData\Local   Substitute Name: c:\Users\Default\AppData\Local
\\?\c:\\Users\Default\AppData\Local\History: JUNCTION   Print Name: c:\Users\Default\AppData\Local\Microsoft\Windows\History   Substitute Name: c:\Users\Default\AppData\Local\Microsoft\Windows\History
\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION   Print Name: c:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files   Substitute Name: c:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
\\?\c:\\Users\Default\Documents\My Music: JUNCTION   Print Name: c:\Users\Default\Music   Substitute Name: c:\Users\Default\Music
\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION   Print Name: c:\Users\Default\Pictures   Substitute Name: c:\Users\Default\Pictures
\\?\c:\\Users\Default\Documents\My Videos: JUNCTION   Print Name: c:\Users\Default\Videos   Substitute Name: c:\Users\Default\Videos
\\?\c:\\Users\Public\Documents\My Music: JUNCTION   Print Name: c:\Users\Public\Music   Substitute Name: c:\Users\Public\Music
\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION   Print Name: c:\Users\Public\Pictures   Substitute Name: c:\Users\Public\Pictures
\\?\c:\\Users\Public\Documents\My Videos: JUNCTION   Print Name: c:\Users\Public\Videos   Substitute Name: c:\Users\Public\Videos
\\?\c:\\Users\Trevor Bayless\Application Data: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming
\\?\c:\\Users\Trevor Bayless\Cookies: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Cookies   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Cookies
\\?\c:\\Users\Trevor Bayless\Local Settings: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Local   Substitute Name: C:\Users\Trevor Bayless\AppData\Local
\\?\c:\\Users\Trevor Bayless\My Documents: JUNCTION   Print Name: C:\Users\Trevor Bayless\Documents   Substitute Name: C:\Users\Trevor Bayless\Documents
\\?\c:\\Users\Trevor Bayless\NetHood: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Network Shortcuts   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Network Shortcuts
\\?\c:\\Users\Trevor Bayless\PrintHood: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Printer Shortcuts   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\\?\c:\\Users\Trevor Bayless\Recent: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Recent   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\\Users\Trevor Bayless\SendTo: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\SendTo   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\SendTo
\\?\c:\\Users\Trevor Bayless\Start Menu: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Start Menu   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Start Menu
\\?\c:\\Users\Trevor Bayless\Templates: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Templates   Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Templates
\\?\c:\\Users\Trevor Bayless\AppData\Local\Application Data: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Local   Substitute Name: C:\Users\Trevor Bayless\AppData\Local
\\?\c:\\Users\Trevor Bayless\AppData\Local\History: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\History   Substitute Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\History
\\?\c:\\Users\Trevor Bayless\AppData\Local\Temporary Internet Files: JUNCTION   Print Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\Temporary Internet Files   Substitute Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\Temporary Internet Files
\\?\c:\\Users\Trevor Bayless\Documents\My Music: JUNCTION   Print Name: C:\Users\Trevor Bayless\Music   Substitute Name: C:\Users\Trevor Bayless\Music
\\?\c:\\Users\Trevor Bayless\Documents\My Pictures: JUNCTION   Print Name: C:\Users\Trevor Bayless\Pictures   Substitute Name: C:\Users\Trevor Bayless\Pictures
\\?\c:\\Users\Trevor Bayless\Documents\My Videos: JUNCTION   Print Name: C:\Users\Trevor Bayless\Videos   Substitute Name: C:\Users\Trevor Bayless\Videos
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.16679_none_128e8c93a2bce482\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.16679_none_128e8c93a2bce482: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.20821_none_13463890bbb92b06\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.20821_none_13463890bbb92b06: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.18061_none_147798d59fe28eca\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.18061_none_147798d59fe28eca: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.22165_none_150536c8b8fc93f0\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.22165_none_150536c8b8fc93f0: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.16679_none_3200fce9dd0448e0\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.16679_none_3200fce9dd0448e0: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.20821_none_32b8a8e6f6008f64\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.20821_none_32b8a8e6f6008f64: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.16679_none_249fac1865043b1f\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.16679_none_249fac1865043b1f: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.20821_none_255758157e0081a3\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.20821_none_255758157e0081a3: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.18061_none_2688b85a6229e567\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.18061_none_2688b85a6229e567: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.22165_none_2716564d7b43ea8d\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.22165_none_2716564d7b43ea8d: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.16679_none_3d017dbd628e4075\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.16679_none_3d017dbd628e4075: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.20821_none_3db929ba7b8a86f9\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.20821_none_3db929ba7b8a86f9: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.16679_none_d9d44caa5a19bb32\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.16679_none_d9d44caa5a19bb32: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.20821_none_da8bf8a7731601b6\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.20821_none_da8bf8a7731601b6: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.18061_none_dbbd58ec573f657a\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.18061_none_dbbd58ec573f657a: MOUNT POINT   Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.22165_none_dc4af6df70596aa0\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.22165_none_dc4af6df70596aa0: MOUNT POINT   Substitute Name: \Device\__max++>\^
...\\?\c:\\Windows\System32\config\systemprofile\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming \\?\c:\\Windows\System32\config\systemprofile\Local Settings: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local \\?\c:\\Windows\System32\config\systemprofile\My Documents: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Documents Substitute Name: C:\Windows\system32\config\systemprofile\Documents \\?\c:\\Windows\System32\config\systemprofile\NetHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts \\?\c:\\Windows\System32\config\systemprofile\PrintHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts \\?\c:\\Windows\System32\config\systemprofile\Recent: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent \\?\c:\\Windows\System32\config\systemprofile\SendTo: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo \\?\c:\\Windows\System32\config\systemprofile\Start Menu: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu 
\\?\c:\\Windows\System32\config\systemprofile\Templates: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\History: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files \\?\c:\\Windows\System32\config\systemprofile\Documents\My Music: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Music Substitute Name: C:\Windows\system32\config\systemprofile\Music \\?\c:\\Windows\System32\config\systemprofile\Documents\My Pictures: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Pictures Substitute Name: C:\Windows\system32\config\systemprofile\Pictures \\?\c:\\Windows\System32\config\systemprofile\Documents\My Videos: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Videos Substitute Name: C:\Windows\system32\config\systemprofile\Videos ... ... ... ... ... ... ... Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . |
#31
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
Re: Computer badly infected with viruses - PLEASE HELP!
Download both attached zip files to your desktop.
1. First, extract the contents of the fix.zip to the desktop. Double click the fix folder to open it. Drag the fix.bat next to Inherit.exe. Right click the fix.bat and run as administrator.
2. After you've done that, double click the runthis.zip. Right click the runthis.bat and run as administrator.
3. Run junction.bat again and post the log.

Last edited by Ried; 10-11-2009 at 11:19 PM.
#32
|
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
Re: Computer badly infected with viruses - PLEASE HELP!
Hello,
I did everything above before I ran the Junction.bat. Everything seemed to run successfully. I will post the Junction.bat log below! Thanks!

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION Print Name : c:\Users Substitute Name: c:\Users
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .
\\?\c:\\ProgramData\Application Data: JUNCTION Print Name : c:\ProgramData Substitute Name: c:\ProgramData
\\?\c:\\ProgramData\Desktop: JUNCTION Print Name : c:\Users\Public\Desktop Substitute Name: c:\Users\Public\Desktop
\\?\c:\\ProgramData\Documents: JUNCTION Print Name : c:\Users\Public\Documents Substitute Name: c:\Users\Public\Documents
\\?\c:\\ProgramData\Favorites: JUNCTION Print Name : c:\Users\Public\Favorites Substitute Name: c:\Users\Public\Favorites
\\?\c:\\ProgramData\Start Menu: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Start Menu Substitute Name: c:\ProgramData\Microsoft\Windows\Start Menu
\\?\c:\\ProgramData\Templates: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Templates Substitute Name: c:\ProgramData\Microsoft\Windows\Templates
.
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9d01204a0294f878ccfc90f86a6d9550_b6f4ef62-bf5c-4674-87cc-43aa9fb14601: Access is denied.
. ... ... ...
\\?\c:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT
\\?\c:\\Users\Default User: JUNCTION Print Name : c:\Users\Default Substitute Name: c:\Users\Default
\\?\c:\\Users\All Users\Application Data: JUNCTION Print Name : c:\ProgramData Substitute Name: c:\ProgramData
\\?\c:\\Users\All Users\Desktop: JUNCTION Print Name : c:\Users\Public\Desktop Substitute Name: c:\Users\Public\Desktop
\\?\c:\\Users\All Users\Documents: JUNCTION Print Name : c:\Users\Public\Documents Substitute Name: c:\Users\Public\Documents
\\?\c:\\Users\All Users\Favorites: JUNCTION Print Name : c:\Users\Public\Favorites Substitute Name: c:\Users\Public\Favorites
\\?\c:\\Users\All Users\Start Menu: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Start Menu Substitute Name: c:\ProgramData\Microsoft\Windows\Start Menu
\\?\c:\\Users\All Users\Templates: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Templates Substitute Name: c:\ProgramData\Microsoft\Windows\Templates
.
Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\9d01204a0294f878ccfc90f86a6d9550_b6f4ef62-bf5c-4674-87cc-43aa9fb14601: Access is denied.
..
\\?\c:\\Users\Default\Application Data: JUNCTION Print Name : c:\Users\Default\AppData\Roaming Substitute Name: c:\Users\Default\AppData\Roaming
\\?\c:\\Users\Default\Local Settings: JUNCTION Print Name : c:\Users\Default\AppData\Local Substitute Name: c:\Users\Default\AppData\Local
\\?\c:\\Users\Default\My Documents: JUNCTION Print Name : c:\Users\Default\Documents Substitute Name: c:\Users\Default\Documents
\\?\c:\\Users\Default\NetHood: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
\\?\c:\\Users\Default\PrintHood: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\\?\c:\\Users\Default\Recent: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\\Users\Default\SendTo: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
\\?\c:\\Users\Default\Start Menu: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
\\?\c:\\Users\Default\Templates: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION Print Name : c:\Users\Default\AppData\Local Substitute Name: c:\Users\Default\AppData\Local
\\?\c:\\Users\Default\AppData\Local\History: JUNCTION Print Name : c:\Users\Default\AppData\Local\Microsoft\Windows\History Substitute Name: c:\Users\Default\AppData\Local\Microsoft\Windows\History
\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION Print Name : c:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: c:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
\\?\c:\\Users\Default\Documents\My Music: JUNCTION Print Name : c:\Users\Default\Music Substitute Name: c:\Users\Default\Music
\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION Print Name : c:\Users\Default\Pictures Substitute Name: c:\Users\Default\Pictures
\\?\c:\\Users\Default\Documents\My Videos: JUNCTION Print Name : c:\Users\Default\Videos Substitute Name: c:\Users\Default\Videos
\\?\c:\\Users\Public\Documents\My Music: JUNCTION Print Name : c:\Users\Public\Music Substitute Name: c:\Users\Public\Music
\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION Print Name : c:\Users\Public\Pictures Substitute Name: c:\Users\Public\Pictures
\\?\c:\\Users\Public\Documents\My Videos: JUNCTION Print Name : c:\Users\Public\Videos Substitute Name: c:\Users\Public\Videos
\\?\c:\\Users\Trevor Bayless\Application Data: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming
\\?\c:\\Users\Trevor Bayless\Cookies: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Cookies Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Cookies
\\?\c:\\Users\Trevor Bayless\Local Settings: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local Substitute Name: C:\Users\Trevor Bayless\AppData\Local
\\?\c:\\Users\Trevor Bayless\My Documents: JUNCTION Print Name : C:\Users\Trevor Bayless\Documents Substitute Name: C:\Users\Trevor Bayless\Documents
\\?\c:\\Users\Trevor Bayless\NetHood: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Network Shortcuts
.
\\?\c:\\Users\Trevor Bayless\PrintHood: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\\?\c:\\Users\Trevor Bayless\Recent: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\\Users\Trevor Bayless\SendTo: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\SendTo
\\?\c:\\Users\Trevor Bayless\Start Menu: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Start Menu
\\?\c:\\Users\Trevor Bayless\Templates: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Templates
\\?\c:\\Users\Trevor Bayless\AppData\Local\Application Data: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local Substitute Name: C:\Users\Trevor Bayless\AppData\Local
.
\\?\c:\\Users\Trevor Bayless\AppData\Local\History: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\History Substitute Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\History
\\?\c:\\Users\Trevor Bayless\AppData\Local\Temporary Internet Files: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\Temporary Internet Files
.. ... ... ... ... ... ... ...
\\?\c:\\Users\Trevor Bayless\Documents\My Music: JUNCTION Print Name : C:\Users\Trevor Bayless\Music Substitute Name: C:\Users\Trevor Bayless\Music
\\?\c:\\Users\Trevor Bayless\Documents\My Pictures: JUNCTION Print Name : C:\Users\Trevor Bayless\Pictures Substitute Name: C:\Users\Trevor Bayless\Pictures
\\?\c:\\Users\Trevor Bayless\Documents\My Videos: JUNCTION Print Name : C:\Users\Trevor Bayless\Videos Substitute Name: C:\Users\Trevor Bayless\Videos
... ... ... ... ...
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.16679_none_128e8c93a2bce482\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.16679_none_128e8c93a2bce482: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.20821_none_13463890bbb92b06\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.20821_none_13463890bbb92b06: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.18061_none_147798d59fe28eca\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.18061_none_147798d59fe28eca: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.22165_none_150536c8b8fc93f0\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.22165_none_150536c8b8fc93f0: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.16679_none_3200fce9dd0448e0\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.16679_none_3200fce9dd0448e0: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.20821_none_32b8a8e6f6008f64\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.20821_none_32b8a8e6f6008f64: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.16679_none_249fac1865043b1f\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.16679_none_249fac1865043b1f: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.20821_none_255758157e0081a3\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.20821_none_255758157e0081a3: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.18061_none_2688b85a6229e567\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.18061_none_2688b85a6229e567: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.22165_none_2716564d7b43ea8d\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.22165_none_2716564d7b43ea8d: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.16679_none_3d017dbd628e4075\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.16679_none_3d017dbd628e4075: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.20821_none_3db929ba7b8a86f9\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.20821_none_3db929ba7b8a86f9: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.16679_none_d9d44caa5a19bb32\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.16679_none_d9d44caa5a19bb32: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.20821_none_da8bf8a7731601b6\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.20821_none_da8bf8a7731601b6: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.18061_none_dbbd58ec573f657a\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.18061_none_dbbd58ec573f657a: MOUNT POINT Substitute Name: \Device\__max++>\^
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.22165_none_dc4af6df70596aa0\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.22165_none_dc4af6df70596aa0: MOUNT POINT Substitute Name: \Device\__max++>\^
... ...
\\?\c:\\Windows\System32\config\systemprofile\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming
\\?\c:\\Windows\System32\config\systemprofile\Local Settings: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local
\\?\c:\\Windows\System32\config\systemprofile\My Documents: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Documents Substitute Name: C:\Windows\system32\config\systemprofile\Documents
\\?\c:\\Windows\System32\config\systemprofile\NetHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
\\?\c:\\Windows\System32\config\systemprofile\PrintHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\\?\c:\\Windows\System32\config\systemprofile\Recent: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\\Windows\System32\config\systemprofile\SendTo: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
\\?\c:\\Windows\System32\config\systemprofile\Start Menu: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
\\?\c:\\Windows\System32\config\systemprofile\Templates: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
\\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local
\\?\c:\\Windows\System32\config\systemprofile\AppData\Local\History: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History
\\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files
\\?\c:\\Windows\System32\config\systemprofile\Documents\My Music: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Music Substitute Name: C:\Windows\system32\config\systemprofile\Music
\\?\c:\\Windows\System32\config\systemprofile\Documents\My Pictures: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Pictures Substitute Name: C:\Windows\system32\config\systemprofile\Pictures
\\?\c:\\Windows\System32\config\systemprofile\Documents\My Videos: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Videos Substitute Name: C:\Windows\system32\config\systemprofile\Videos
... ... ... ... ... ... ...
Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.
... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .
#33
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
Re: Computer badly infected with viruses - PLEASE HELP!
Those folders are still there. Let's try this one more time.
1. Delete the previous runthis folder and runthis.zip from your desktop. Also delete the fix.zip and the fix folder.
2. Download the attached revised.zip to your desktop. Double click to open it, and right click the revised.bat and run as administrator.
3. Run the junction.bat again and post the log.

Last edited by Ried; 10-11-2009 at 11:19 PM.
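An added note for anyone reading this thread later; the script below is my example, not part of the original posts and not something Ried or Sysinternals ships. The check Ried is making by eye on the junction logs above is a triage problem: every Vista profile carries the same compatibility junctions (Application Data, Local Settings, My Documents, NetHood, PrintHood, Recent, SendTo, Start Menu, Templates, Cookies, and the History, Temporary Internet Files and My Music/Pictures/Videos ones under AppData\Local and Documents), so those are noise. What stands out in all three logs, and what "those folders are still there" refers to, is the run of `MOUNT POINT` entries under `C:\Windows\SoftwareDistribution\Download\b1b96411...` whose Substitute Name is `\Device\__max++>\^`. A genuine volume mount point resolves to `\??\Volume{GUID}\`, never to a bare device name; `__max++>` is the device the max++ rootkit of that period created, and reparse points aimed at it are how it made its directories unreachable (which is why plain `rd` fails and Ried keeps re-issuing fix scripts). The Python below parses junction v1.05 output, both in the tool's own multi-line layout and in the run-together form the forum paste produced, and flags any mount point that does not target a volume. The sample log is constructed (user name shortened, package hash invented); the compatibility-junction list and the volume-GUID test are my heuristics, not output of junction.exe, and the script can only read a log, it cannot remove anything.

```python
"""Triage a Sysinternals junction.exe (v1.05) listing.

Added example for this thread; not code from the original posts or from
Sysinternals.  It parses junction output, in the tool's own multi-line
layout and in the run-together form a forum paste produces, and separates
the compatibility junctions every Vista profile carries from reparse
points that deserve attention.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Optional

# Reparse-point kinds junction v1.05 prints after "<path>: ".
KINDS = r"JUNCTION|MOUNT POINT|SYMBOLIC LINK|UNKNOWN MICROSOFT REPARSE POINT"

# A path runs from "\\?\" to the first colon followed by a space; the colon in
# "c:\" is followed by a backslash, so it stays part of the path.
PATH = r"\\\\\?\\(?:[^:\r\n]|:(?! ))+"

# In a run-together paste only whitespace separates entries, so a name ends
# where the next "\\?\", the next "Failed to open", a run of the progress dots
# junction prints per directory (followed by space, a backslash or the end),
# or the end of input begins.
END = r"(?=\s*(?:\\\\\?\\|Failed to open|\.{1,3}(?:\s|\\\\|$)|$))"

ENTRY_RE = re.compile(
    rf"(?P<path>{PATH}): (?P<kind>{KINDS})"
    rf"(?:\s+Print Name\s*:\s*(?P<print>.+?))?"
    rf"(?:\s+Substitute Name:\s*(?P<subst>.+?))?{END}",
    re.S,
)
FAIL_RE = re.compile(rf"Failed to open (?P<path>{PATH}): (?P<err>[^.\r\n]+)\.")

# Leaf names of the compatibility junctions Vista creates in each user
# profile, in ProgramData and in the system profile (all present in the logs
# in this thread).  A JUNCTION with one of these names is expected.  This
# list is an assumption of the example, not something junction.exe knows.
COMPAT_JUNCTIONS = {
    "Documents and Settings", "Default User", "Application Data",
    "Local Settings", "My Documents", "NetHood", "PrintHood", "Recent",
    "SendTo", "Start Menu", "Templates", "Cookies", "History",
    "Temporary Internet Files", "My Music", "My Pictures", "My Videos",
    "Desktop", "Documents", "Favorites",
}


@dataclass
class Finding:
    path: str
    kind: str
    target: Optional[str]
    verdict: str  # "expected", "review" or "suspicious"
    reason: str


def classify(path: str, kind: str, target: Optional[str]) -> tuple[str, str]:
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    if kind == "MOUNT POINT":
        # A genuine volume mount point resolves to \??\Volume{GUID}\ ; a bare
        # \Device\... name (as in this thread) is not a volume at all.
        if target and target.upper().startswith("\\??\\VOLUME{"):
            return "expected", "volume mount point"
        return "suspicious", f"mount point targets non-volume {target!r}"
    if kind == "JUNCTION":
        if leaf in COMPAT_JUNCTIONS:
            return "expected", "Vista compatibility junction"
        return "review", "junction outside the compatibility set"
    return "review", f"{kind.lower()} needs a manual look"


def triage(log: str) -> tuple[list[Finding], list[tuple[str, str]]]:
    """Return (reparse points, open failures) found in a junction listing."""
    findings = []
    for m in ENTRY_RE.finditer(log):
        target = m.group("subst") or m.group("print")
        verdict, reason = classify(m.group("path"), m.group("kind"), target)
        findings.append(Finding(m.group("path"), m.group("kind"), target, verdict, reason))
    failures = [(m.group("path"), m.group("err")) for m in FAIL_RE.finditer(log)]
    return findings, failures


def suspicious(log: str) -> list[Finding]:
    return [f for f in triage(log)[0] if f.verdict == "suspicious"]


# Constructed sample in junction's own layout, modelled on the entries in
# this thread (user name shortened, package hash and volume GUID invented).
SAMPLE = r"""Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich

\\?\c:\Documents and Settings: JUNCTION
   Print Name     : c:\Users
   Substitute Name: c:\Users
Failed to open \\?\c:\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\System Volume Information: Access is denied.
...
\\?\c:\Users\User\Recent: JUNCTION
   Print Name     : C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent
   Substitute Name: C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT
\\?\c:\Data: MOUNT POINT
   Substitute Name: \??\Volume{0d9e2a31-3c4f-4b8a-9a6e-1f2b3c4d5e6f}\
\\?\c:\Windows\SoftwareDistribution\Download\abcd1234\x86_ehreplay_6.0.6000.16679\x86_ehreplay_6.0.6000.16679: MOUNT POINT
   Substitute Name: \Device\__max++>\^
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    found, failed = triage(text)
    for f in found:
        if f.verdict != "expected":
            print(f"{f.verdict:10} {f.kind:12} {f.path} -> {f.target}  ({f.reason})")
    for path, err in failed:
        print(f"{'open-fail':10} {path}: {err}")
```

Run it as `python junction_triage.py junction.log` against a saved log (the name is mine); with no argument it runs over the built-in sample. Expected entries are deliberately not printed, so on a log like the ones above the output is the sixteen `\Device\__max++>\^` mount points, the `All Users` reparse point (junction v1.05 does not recognise Vista's symbolic-link form, so it reports it as unknown), and the access-denied failures for `MachineKeys`, `System Volume Information` and `RtBackup`, which are normal on a healthy Vista box.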
#34
|
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
Re: Computer badly infected with viruses - PLEASE HELP!
Hi, I deleted the runthis.zip and folder, and also the fix.zip and folder. Then, I ran the revised.bat and it came up showing "Deleted Successfully!!" I will post the junction.bat log below! Thanks!
Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION Print Name : c:\Users Substitute Name: c:\Users
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .
\\?\c:\\ProgramData\Application Data: JUNCTION Print Name : c:\ProgramData Substitute Name: c:\ProgramData
\\?\c:\\ProgramData\Desktop: JUNCTION Print Name : c:\Users\Public\Desktop Substitute Name: c:\Users\Public\Desktop
\\?\c:\\ProgramData\Documents: JUNCTION Print Name : c:\Users\Public\Documents Substitute Name: c:\Users\Public\Documents
\\?\c:\\ProgramData\Favorites: JUNCTION Print Name : c:\Users\Public\Favorites Substitute Name: c:\Users\Public\Favorites
\\?\c:\\ProgramData\Start Menu: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Start Menu Substitute Name: c:\ProgramData\Microsoft\Windows\Start Menu
\\?\c:\\ProgramData\Templates: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Templates Substitute Name: c:\ProgramData\Microsoft\Windows\Templates
.
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9d01204a0294f878ccfc90f86a6d9550_b6f4ef62-bf5c-4674-87cc-43aa9fb14601: Access is denied.
. ... ... ...
\\?\c:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT
\\?\c:\\Users\Default User: JUNCTION Print Name : c:\Users\Default Substitute Name: c:\Users\Default
\\?\c:\\Users\All Users\Application Data: JUNCTION Print Name : c:\ProgramData Substitute Name: c:\ProgramData
\\?\c:\\Users\All Users\Desktop: JUNCTION Print Name : c:\Users\Public\Desktop Substitute Name: c:\Users\Public\Desktop
\\?\c:\\Users\All Users\Documents: JUNCTION Print Name : c:\Users\Public\Documents Substitute Name: c:\Users\Public\Documents
\\?\c:\\Users\All Users\Favorites: JUNCTION Print Name : c:\Users\Public\Favorites Substitute Name: c:\Users\Public\Favorites
\\?\c:\\Users\All Users\Start Menu: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Start Menu Substitute Name: c:\ProgramData\Microsoft\Windows\Start Menu
\\?\c:\\Users\All Users\Templates: JUNCTION Print Name : c:\ProgramData\Microsoft\Windows\Templates Substitute Name: c:\ProgramData\Microsoft\Windows\Templates
.
Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\9d01204a0294f878ccfc90f86a6d9550_b6f4ef62-bf5c-4674-87cc-43aa9fb14601: Access is denied.
..
\\?\c:\\Users\Default\Application Data: JUNCTION Print Name : c:\Users\Default\AppData\Roaming Substitute Name: c:\Users\Default\AppData\Roaming
\\?\c:\\Users\Default\Local Settings: JUNCTION Print Name : c:\Users\Default\AppData\Local Substitute Name: c:\Users\Default\AppData\Local
\\?\c:\\Users\Default\My Documents: JUNCTION Print Name : c:\Users\Default\Documents Substitute Name: c:\Users\Default\Documents
\\?\c:\\Users\Default\NetHood: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
\\?\c:\\Users\Default\PrintHood: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\\?\c:\\Users\Default\Recent: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\\Users\Default\SendTo: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
\\?\c:\\Users\Default\Start Menu: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
\\?\c:\\Users\Default\Templates: JUNCTION Print Name : c:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: c:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION Print Name : c:\Users\Default\AppData\Local Substitute Name: c:\Users\Default\AppData\Local
\\?\c:\\Users\Default\AppData\Local\History: JUNCTION Print Name : c:\Users\Default\AppData\Local\Microsoft\Windows\History Substitute Name: c:\Users\Default\AppData\Local\Microsoft\Windows\History
\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION Print Name : c:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: c:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
\\?\c:\\Users\Default\Documents\My Music: JUNCTION Print Name : c:\Users\Default\Music Substitute Name: c:\Users\Default\Music
\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION Print Name : c:\Users\Default\Pictures Substitute Name: c:\Users\Default\Pictures
\\?\c:\\Users\Default\Documents\My Videos: JUNCTION Print Name : c:\Users\Default\Videos Substitute Name: c:\Users\Default\Videos
\\?\c:\\Users\Public\Documents\My Music: JUNCTION Print Name : c:\Users\Public\Music Substitute Name: c:\Users\Public\Music
\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION Print Name : c:\Users\Public\Pictures Substitute Name: c:\Users\Public\Pictures
\\?\c:\\Users\Public\Documents\My Videos: JUNCTION Print Name : c:\Users\Public\Videos Substitute Name: c:\Users\Public\Videos
\\?\c:\\Users\Trevor Bayless\Application Data: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming
\\?\c:\\Users\Trevor Bayless\Cookies: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Cookies Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Cookies
\\?\c:\\Users\Trevor Bayless\Local Settings: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local Substitute Name: C:\Users\Trevor Bayless\AppData\Local
\\?\c:\\Users\Trevor Bayless\My Documents: JUNCTION Print Name : C:\Users\Trevor Bayless\Documents Substitute Name: C:\Users\Trevor Bayless\Documents
\\?\c:\\Users\Trevor Bayless\NetHood: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Network Shortcuts
.
\\?\c:\\Users\Trevor Bayless\PrintHood: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\\?\c:\\Users\Trevor Bayless\Recent: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Recent
\\?\c:\\Users\Trevor Bayless\SendTo: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\SendTo
\\?\c:\\Users\Trevor Bayless\Start Menu: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Start Menu
\\?\c:\\Users\Trevor Bayless\Templates: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: C:\Users\Trevor Bayless\AppData\Roaming\Microsoft\Windows\Templates
\\?\c:\\Users\Trevor Bayless\AppData\Local\Application Data: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local Substitute Name: C:\Users\Trevor Bayless\AppData\Local
.
\\?\c:\\Users\Trevor Bayless\AppData\Local\History: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\History Substitute Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\History
\\?\c:\\Users\Trevor Bayless\AppData\Local\Temporary Internet Files: JUNCTION Print Name : C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: C:\Users\Trevor Bayless\AppData\Local\Microsoft\Windows\Temporary Internet Files
.. ... ... ... ... ... ... ...
\\?\c:\\Users\Trevor Bayless\Documents\My Music: JUNCTION Print Name : C:\Users\Trevor Bayless\Music Substitute Name: C:\Users\Trevor Bayless\Music \\?\c:\\Users\Trevor Bayless\Documents\My Pictures: JUNCTION Print Name : C:\Users\Trevor Bayless\Pictures Substitute Name: C:\Users\Trevor Bayless\Pictures \\?\c:\\Users\Trevor Bayless\Documents\My Videos: JUNCTION Print Name : C:\Users\Trevor Bayless\Videos Substitute Name: C:\Users\Trevor Bayless\Videos ... ... ... ... ... \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.16679_none_128e8c93a2bce482\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.16679_none_128e8c93a2bce482: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.20821_none_13463890bbb92b06\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6000.20821_none_13463890bbb92b06: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.18061_none_147798d59fe28eca\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.18061_none_147798d59fe28eca: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.22165_none_150536c8b8fc93f0\x86_microsoft-windows-ehome-devices-ehreplay_31bf3856ad364e35_6.0.6001.22165_none_150536c8b8fc93f0: MOUNT POINT Substitute Name: \Device\__max++>\^ 
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.16679_none_3200fce9dd0448e0\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.16679_none_3200fce9dd0448e0: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.20821_none_32b8a8e6f6008f64\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6000.20821_none_32b8a8e6f6008f64: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.16679_none_249fac1865043b1f\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.16679_none_249fac1865043b1f: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.20821_none_255758157e0081a3\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6000.20821_none_255758157e0081a3: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.18061_none_2688b85a6229e567\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.18061_none_2688b85a6229e567: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.22165_none_2716564d7b43ea8d\x86_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.0.6001.22165_none_2716564d7b43ea8d: MOUNT POINT Substitute Name: \Device\__max++>\^ 
\\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.16679_none_3d017dbd628e4075\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.16679_none_3d017dbd628e4075: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.20821_none_3db929ba7b8a86f9\x86_microsoft-windows-m..mediadeliveryengine_31bf3856ad364e35_6.0.6000.20821_none_3db929ba7b8a86f9: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.16679_none_d9d44caa5a19bb32\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.16679_none_d9d44caa5a19bb32: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.20821_none_da8bf8a7731601b6\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6000.20821_none_da8bf8a7731601b6: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.18061_none_dbbd58ec573f657a\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.18061_none_dbbd58ec573f657a: MOUNT POINT Substitute Name: \Device\__max++>\^ \\?\c:\\Windows\SoftwareDistribution\Download\b1b96411ebe18f45eb0a2fed3bb469d8\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.22165_none_dc4af6df70596aa0\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.0.6001.22165_none_dc4af6df70596aa0: MOUNT POINT Substitute Name: \Device\__max++>\^ ... ... 
\\?\c:\\Windows\System32\config\systemprofile\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming \\?\c:\\Windows\System32\config\systemprofile\Local Settings: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local \\?\c:\\Windows\System32\config\systemprofile\My Documents: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Documents Substitute Name: C:\Windows\system32\config\systemprofile\Documents \\?\c:\\Windows\System32\config\systemprofile\NetHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts \\?\c:\\Windows\System32\config\systemprofile\PrintHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts \\?\c:\\Windows\System32\config\systemprofile\Recent: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent \\?\c:\\Windows\System32\config\systemprofile\SendTo: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo \\?\c:\\Windows\System32\config\systemprofile\Start Menu: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu 
\\?\c:\\Windows\System32\config\systemprofile\Templates: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\History: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files .\\?\c:\\Windows\System32\config\systemprofile\Documents\My Music: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Music Substitute Name: C:\Windows\system32\config\systemprofile\Music \\?\c:\\Windows\System32\config\systemprofile\Documents\My Pictures: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Pictures Substitute Name: C:\Windows\system32\config\systemprofile\Pictures \\?\c:\\Windows\System32\config\systemprofile\Documents\My Videos: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Videos Substitute Name: C:\Windows\system32\config\systemprofile\Videos .. ... ... ... ... ... ... . Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied. .. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .. |
|
|
|
|
#35
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
|
Re: Computer badly infected with viruses - PLEASE HELP!
Hi shyguy,
One more round and we should be good.

Delete your existing Win32kDiag.exe and download the latest version from here. Save it to your desktop.

On your keyboard, press the Windows Logo key and the letter R to bring up the Run command box. Copy-paste the following bolded text into the Run box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents in your next reply.

======================================

I'd also like to do one more check for the presence of Virut. This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I do not want it to clean--for now, I only want to see a Report of what it finds.

Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and Allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Please include the following in your next reply:
Win32kDiag.txt
DrWeb log
#36
|
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
|
Re: Computer badly infected with viruses - PLEASE HELP!
Hi =) Here is the Win32kDiag log. I will be running the Dr. Web Cureit now and post the log a little later. Thank you for your help!
#37
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista
|
Re: Computer badly infected with viruses - PLEASE HELP!
You're welcome, but we'll have to run another batch file. I was waiting for you to post the DrWeb results so I could deal with that at the same time, but it's getting late. :)
Let me know if you're having trouble running DrWeb. If it's taking hours, upon hours, upon hours, run it from Safe Mode.
Last edited by Ried; 10-31-2009 at 07:40 PM.
#38
|
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
|
Re: Computer badly infected with viruses - PLEASE HELP!
Hello,
I'm terribly sorry for the delay in posting the DrWeb log. It ran into some complications. I have run the DrWeb scan twice now, and each time it finishes, I go to File>Save Log and my computer gives me a blue screen with some words on it and restarts, then when it's booting back up it has to check the drives for some reason. Since I thought it was going to happen again on the second time, before I clicked "File>Save Log" I took a screen shot of the viruses it found. I will post the screen shot on this post. Also, I just tried running the runthis2.bat and it gives me the black administrator screen and goes away in less than 1 second. In the next post, I will post the junction.bat log. Thanks a million Ried!
#39
|
Registered User
Join Date: Apr 2009
Location: United States
Posts: 55
OS: Windows XP / Vista / Linux Mint 7
|
Re: Computer badly infected with viruses - PLEASE HELP!
Hello again! Here is the log from Junction.bat that I just ran. Like I said in the post before, I ran the runthis2.bat and it flashes the black screen for less than a second, so I'm not sure if it worked. Here is the log below =)
.\\?\c:\\Windows\System32\config\systemprofile\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming \\?\c:\\Windows\System32\config\systemprofile\Local Settings: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local \\?\c:\\Windows\System32\config\systemprofile\My Documents: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Documents Substitute Name: C:\Windows\system32\config\systemprofile\Documents \\?\c:\\Windows\System32\config\systemprofile\NetHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts \\?\c:\\Windows\System32\config\systemprofile\PrintHood: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts \\?\c:\\Windows\System32\config\systemprofile\Recent: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent \\?\c:\\Windows\System32\config\systemprofile\SendTo: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo \\?\c:\\Windows\System32\config\systemprofile\Start Menu: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu 
\\?\c:\\Windows\System32\config\systemprofile\Templates: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Application Data: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\History: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files \\?\c:\\Windows\System32\config\systemprofile\Documents\My Music: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Music Substitute Name: C:\Windows\system32\config\systemprofile\Music \\?\c:\\Windows\System32\config\systemprofile\Documents\My Pictures: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Pictures Substitute Name: C:\Windows\system32\config\systemprofile\Pictures \\?\c:\\Windows\System32\config\systemprofile\Documents\My Videos: JUNCTION Print Name : C:\Windows\system32\config\systemprofile\Videos Substitute Name: C:\Windows\system32\config\systemprofile\Videos .. ... ... ... ... ... ... .. Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied. . ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... |
|
|
|
|
#40
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,648
OS: xp
Re: Computer badly infected with viruses - PLEASE HELP!
Hi shyguy,

I'd like to take a stab at those pesky max++ mount points. They are harmless at this stage, so don't be worried. Copy the contents of the code box below (don't include the word "code") into a new Notepad document (not WordPad or another text editor). Click File > Save As..., call it check.bat, set file type to *All Files*, and save it to your desktop. **removed** Then run junction.bat again, please.

Last edited by Ried; 10-12-2009 at 08:16 AM. Reason: per request
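For readers working through a listing like the one posted above, here is an added example (not code from this thread, from junction.bat, or from the moderator's removed batch file): a small Python parser for the "<path>: <TYPE> ... Substitute Name: <target>" line format that flags reparse points whose target is a raw \Device\ object rather than a drive-letter or volume path, which is what made the max++ entries stand out. The sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not copied from the thread) in the same
# "<path>: <TYPE> [Print Name : <x>] Substitute Name: <y>" format.
SAMPLE_LINES = [
    r"\\?\c:\Users\Example\Documents\My Music: JUNCTION Print Name : C:\Users\Example\Music Substitute Name: C:\Users\Example\Music",
    r"\\?\c:\Windows\SoftwareDistribution\Download\EXAMPLE\x86_example_pkg: MOUNT POINT Substitute Name: \Device\__max++>\^",
    r"Failed to open \\?\c:\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.",
]

LINE_RE = re.compile(
    r"^(?P<path>.+?): (?P<kind>JUNCTION|MOUNT POINT|SYMBOLIC LINK)"
    r"(?: Print Name : (?P<print_name>.+?))? Substitute Name: (?P<sub>.+)$"
)

# Targets a healthy reparse point normally resolves to: a drive-letter path
# (junctions) or a \??\Volume{GUID} path (real volume mount points).
BENIGN_TARGET_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\?\?\\Volume\{)")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one reparse-point line, or None for noise such as
    the 'Failed to open ...' errors the tool prints between entries."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag reparse points whose substitute name is not a normal filesystem
    target, e.g. a raw \\Device\\... object like the max++ mount points."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if not BENIGN_TARGET_RE.match(entry["sub"] or ""):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LINES):
        print(f"{hit['kind']} at {hit['path']} -> {hit['sub']}")
```

Paste a real listing into a file and feed its lines to find_suspicious; anything reported should be examined before it is touched, since the reparse point itself is only the symptom.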