Hi again, choltonit
QUOTE(choltonit @ Jun 30 2010, 02:44 PM)
I finally got the password to unlock the McAfee control panel, but I had to offer my services as a car washer/waxer to the Sr. Admin. Punk-@$$-bizznitch that he is.
Good... Running ComboFix would be helpful - it would save us a little time...
I am unable to do anything with c:\windows\system32\ffda.sys because any time I try to attach it, rename it, etc. it says "Someone or something is using this file". Any idea what might be holding it hostage?
Well, to be honest, no idea... ;)
Are you a qualified IT technician (as you're helping with your client's machine)? If yes, you'll probably know how to load a Windows Recovery Console (if ComboFix installed it, that's very easy)... From there, you can easily copy that ffda.sys file as ffda.old, which you'll easily upload to VirusTotal...
I took a quick look at your DDS log again and noticed one other suspicious file - c:\windows\system32\IE7_RegChanges.exe
... Please upload it to VirusTotal for me... If it resists uploading, please use Recovery Console to copy/rename it... How to start the Recovery Console
Once in Recovery Console, execute the following commands (watch the spaces) in bold - press Enter after every one of them:
copy c:\windows\system32\ffda.sys c:\windows\system32\ffda.old
copy c:\windows\system32\IE7_RegChanges.exe c:\windows\system32\IE7_RegChanges.old
It should reboot automatically - boot into Normal Mode...
Then you can upload the c:\windows\system32\ffda.old file to http://www.virustotal.com/
... If it comes back as malicious, we can easily delete it with one of our tools (or you can do it easily yourself in the Recovery Console, but first you need to disable the Service Driver; or, safer: just disable the Service Driver and delete the file in Normal Mode)...
Please confirm you can use ComboFix; if not we'll use a different tool...
Apart from doing the above, please do the following for me:
- attach c:\ComboFix.txt to your next reply
- run the following tool:
* Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
* Execute the file TDSSKiller.exe by double-clicking on it.
* Wait for the scan and disinfection process to be over.
* When its work is over, the utility prompts for a reboot to complete the disinfection.
By default, the utility writes a runtime log to the system disk root directory (the disk where the operating system is installed, C:\ as a rule).
The log is named like UtilityName.Version_Date_Time_log.txt,
for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.
Please post that log here.