Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Intermittent Browser Redirects - Rootkit infection


  • This topic is locked This topic is locked
53 replies to this topic

#1 mh3

mh3

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 18 July 2010 - 12:58 PM

Hello, I have been trying to deal with various problems with my computer for a couple of months now and am at my wit's end with this one. I keep getting redirected to sites like www.dealparty.com when clicking on google search result links and from what I've read I'm certain there is a rootkit problem. I was ecstatic to find out about this site which has been so helpful so far to someone like me with limited computer knowledge. Repeated scans with McAfee and Malwarebytes reveal nothing.

I've done all the preparation steps except the GMER scan because every time it completes, the computer restarts and I don't have the option to save the log. Am I doing something wrong here?

Here is the DDS txt log, and the DDS attach log is attached. As I mentioned earlier, there is no .ARK file attached because I can't save the GMER scan results for some reason (computer keeps restarting when scan is complete). I would be eternally grateful if anyone could help me out here and get rid of this darn problem. I am planning on buying a new computer and I don't want to copy over any of my existing files from this computer until there are no traces of any problems. Thank you so much in advance!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 21:09:23.93 on Fri 07/16/2010
BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.195 [GMT -7:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\htpatch.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\SYSTEM32\USRmlnkA.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\SYSTEM32\USRshutA.exe
C:\WINNT\SYSTEM32\USRmlnkA.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://ie.search.msn.com
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100517174114.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No File
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.1601.0\en-us\msntb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [{488BD1FB-FA1E-B04A-9B6A-0B54D639FD54}] "c:\documents and settings\administrator\application data\oxpa\ipnin.exe"
mRun: [Synchroniz

Attached Files


Edited by Orange Blossom, 18 July 2010 - 02:27 PM.
Pasted in a bit more log from another post. ~ OB


BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 25 July 2010 - 09:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER< please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 mh3

mh3
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 25 July 2010 - 02:43 PM

Thanks for your response, I'm very happy to hear from you! I've run the OTL program and I have the scripts from that. However, I'm running the GMER program in safe mode and it's taking forever! It's been about 3 hours since I started the scan. Not sure if this is normal. I'll keep you posted if it ends.

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 25 July 2010 - 03:01 PM

Yes, that's a normal scan length for GMER. It all depends on what's on your computer and how fast it is.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 mh3

mh3
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 25 July 2010 - 06:09 PM

So it never stopped, and I had to cancel the scan. Per the instructions above, I ran the scan again with only "system" and "sections" checked. The scan completed (there were 9 results) and the program didn't shut down like before, but now I have a new problem. Since I'm in safe mode, the program display is too big for me to scroll down and hit the "save" button! Please advise and thanks kindly in advance. Perhaps I can do a screen shot?

Edited by mh3, 25 July 2010 - 06:34 PM.


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 25 July 2010 - 07:11 PM

it was 'files' and 'sections' not 'system' and 'sections', but we should be able to get what we need from the sections. In the sections part of the log does anything start with rsrc; or just with text or init? If rsrc, please write down that line and send to me. If not, just let me know. If you did run files but had a typo above, let me know if anything 'has suspicious modifications' and write down that file. Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 mh3

mh3
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 25 July 2010 - 07:58 PM

Perfect! I did actually have "files" checked, sorry about that. There were no "init" results found. Of the 9 results found, there is one .rsrc and one suspicious modification. Here they are:

.rsrc C:\WINNT\System32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF77EFF94]

File C:\WINNT\System32\DRIVERS\redbook.sys suspicious modification

Would you like me to attach the "Extras" and "OTL" logs or copy and paste them into the body of a reply? They seem to be quite long.

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 25 July 2010 - 08:35 PM

Please copy and paste OTL.txt; and attach Extras.txt. If you need to spread it across multiple posts, please do that.

PS> thanks for the info on GMER. that's exactly what I needed.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 mh3

mh3
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 25 July 2010 - 09:14 PM

Sure thing! "Extras" is attached and here's OTL:

OTL logfile created on: 7/25/2010 9:57:23 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 487.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 84.61 Gb Free Space | 75.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 37.27 Gb Total Space | 37.20 Gb Free Space | 99.83% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-PC
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/25 09:55:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/06/24 22:32:44 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/03/10 15:10:40 | 000,439,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MSC\McUICnt.exe
PRC - [2010/03/10 14:41:24 | 000,180,888 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSM\McSmtFwk.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/01/15 17:13:02 | 000,904,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2007/09/03 10:53:01 | 000,462,848 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
PRC - [2004/11/17 09:21:56 | 001,691,648 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
PRC - [2004/03/31 03:00:00 | 000,045,056 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe
PRC - [2002/10/30 02:40:34 | 000,028,672 | R--- | M] () -- C:\WINNT\htpatch.exe
PRC - [2001/08/23 10:00:00 | 000,077,891 | ---- | M] (U.S. Robotics Corporation) -- C:\WINNT\system32\usrmlnka.exe
PRC - [2001/08/23 10:00:00 | 000,069,700 | ---- | M] ( U.S. Robotics Corporation) -- C:\WINNT\system32\usrshuta.exe


========== Modules (SafeList) ==========

MOD - [2010/07/25 09:55:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINNT\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- C:\WINNT\System32\msapps\comsrvr.exe -- (COMServer)
SRV - [2010/04/28 17:13:42 | 000,820,488 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\WINNT\Temp\0102041280076480mcinst.exe -- (0102041280076480mcinstcleanup) McAfee Application Installer Cleanup (0102041280076480)
SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/04/15 09:45:10 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2008/04/13 17:12:38 | 000,050,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2007/10/25 16:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/03/31 03:00:00 | 000,045,056 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Auto | Running] -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh)
SRV - [2001/01/30 12:00:00 | 000,041,984 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe -- (sasrfcService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINNT\System32\DRIVERS\parallel.sys -- (Parallel)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/04/13 11:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/09/03 10:52:57 | 000,004,224 | ---- | M] () [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\U3SDR200.SYS -- (U3SDR200)
DRV - [2005/11/04 12:38:00 | 003,519,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/04/05 22:26:42 | 000,000,000 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\WINNT\System32\Ultra.dll -- (ultra)
DRV - [2005/04/05 20:27:03 | 000,058,000 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\System32\drivers\cdr4_2K.sys -- (Cdr4_2K)
DRV - [2004/12/06 15:19:22 | 000,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/11/17 09:23:24 | 000,289,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2004/11/17 09:22:46 | 000,023,936 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\dvd_2k.sys -- (dvd_2K)
DRV - [2004/11/17 09:16:48 | 000,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/11/17 09:14:02 | 000,141,184 | ---- | M] (Windows ® 2000 DDK provider) [File_System | System | Running] -- C:\WINNT\System32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2004/11/17 09:10:52 | 000,200,832 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\System32\drivers\Udfreadr.sys -- (UDFReadr)
DRV - [2004/11/17 09:10:40 | 000,023,808 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\mmc_2k.sys -- (mmc_2K)
DRV - [2004/11/17 09:07:30 | 000,117,632 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\System32\drivers\Pwd_2k.sys -- (pwd_2k)
DRV - [2004/03/31 03:00:00 | 000,073,216 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\Dalwdm.sys -- (dalwdmservice)
DRV - [2004/03/31 03:00:00 | 000,020,992 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [File_System | Boot | Running] -- C:\WINNT\system32\drivers\DigiFilter.sys -- (DigiFilter)
DRV - [2003/11/06 12:04:24 | 000,068,320 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2003/10/09 10:42:20 | 000,068,672 | R--- | M] (2Wire, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2003/07/29 00:57:20 | 000,040,448 | ---- | M] (DeviceGuys, Inc.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\DGIVECP.SYS -- (DgiVecp)
DRV - [2003/07/11 15:28:56 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2003/06/19 12:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [2002/10/30 20:58:42 | 000,030,848 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\SISAGPx.sys -- (SISAGP)
DRV - [2002/07/11 09:48:18 | 000,044,688 | R--- | M] (2Wire, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\2WireHPL.sys -- (2WIREHPL)
DRV - [2001/08/17 13:28:26 | 000,113,762 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\USRpdA.sys -- (USRpdA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-789336058-854245398-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-507921405-789336058-854245398-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-507921405-789336058-854245398-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-507921405-789336058-854245398-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-507921405-789336058-854245398-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-507921405-789336058-854245398-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-507921405-789336058-854245398-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100127023632
FF - prefs.js..extensions.enabledItems: {3385F42D-7E1A-4749-9708-58E178FC6AAD}:1.9.1


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/01 19:04:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3385F42D-7E1A-4749-9708-58E178FC6AAD}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{3385F42D-7E1A-4749-9708-58E178FC6AAD} [2010/06/28 06:56:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/08 19:24:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/18 19:22:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2009/09/15 10:44:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2009/09/15 10:44:43 | 000,000,000 | ---D | M]

[2009/04/10 21:15:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2007/09/21 14:18:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9tkqixn2.default\extensions
[2010/07/20 19:49:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/18 19:22:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2008/08/16 17:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2008/08/16 17:42:12 | 000,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2008/08/16 17:42:08 | 000,020,800 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2008/05/21 08:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2008/05/21 08:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2008/05/21 08:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2008/08/16 17:44:46 | 000,427,312 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2008/08/16 17:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2001/08/23 10:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100517174114.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-507921405-789336058-854245398-500\..\Toolbar\WebBrowser: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe (Digidesign, A Division of Avid Technology, Inc.)
O4 - HKLM..\Run: [HTpatch] C:\WINNT\htpatch.exe ()
O4 - HKLM..\Run: [hyh] C:\WINNT\hyh.exe File not found
O4 - HKLM..\Run: [Ixocu] C:\WINNT\adajomucetuh.DLL (Ask.com)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [USRpdA] File not found
O4 - HKU\.DEFAULT..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe File not found
O4 - HKU\S-1-5-18..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe File not found
O4 - HKU\S-1-5-19..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe File not found
O4 - HKU\S-1-5-20..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe File not found
O4 - HKU\S-1-5-21-507921405-789336058-854245398-500..\Run: [{488BD1FB-FA1E-B04A-9B6A-0B54D639FD54}] C:\Documents and Settings\Administrator\Application Data\Oxpa\ipnin.exe ()
O4 - HKU\S-1-5-21-507921405-789336058-854245398-500..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKU\.DEFAULT..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINNT\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINNT\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINNT\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet

Attached Files



#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 26 July 2010 - 05:35 PM

Hello, mh3.

OK...you have a backdoor rootkit.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Registry Cleaner Warning


I also see that you have a Ccleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning), Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit wont' help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578


Viewpoint (foistware) Warning"

I see Viewpoint is installed on your machine. Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.







Step 1

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.



Step 2


Your log shows signs you tried to remove McAfee using their tool? Do you have any knowledge of that? I need to know if I should remove that entry; or if you want to remove McAfee and switch to another program later.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 mh3

mh3
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 26 July 2010 - 06:25 PM

Wow, thank you so much. We have stopped using that computer for any kind of transaction awhile ago, and we are going to trash it. However, the reason I want to go through this process is because there is some data that I want to transfer onto my new computer (which is already purchased and just sitting in the box!). The data is only mp3 files (Itunes, etc.), pictures, and a couple of Word and Excel documents. I thought it would be wise to get rid of the rootkit before transferring the data. I plan on using a flash drive to transfer it. What do you think about transferring the data?

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 26 July 2010 - 06:28 PM

You should be OK if we clean then you can transfer documents (MP3, Video, Documents, Photos), but do not transfer anything in c:\Windows or it's subfolders, or any program files (.exe, .bat, .com, .pif, .scr, etc.). Remind me at the end of this and I'll provide some tips for transferring files over.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 mh3

mh3
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 26 July 2010 - 06:34 PM

OK I will begin cleaning process and keep you posted. I'm assuming that the files I want to transfer are not in c:\Windows or it's subfolders?

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 26 July 2010 - 08:10 PM

correct. only your documents/photos/videos/music.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#15 mh3

mh3
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 26 July 2010 - 09:27 PM

I did not try to remove McAfee using their product. There was an "antivir" thing going on and that was probably it. Please advise on removing that entry. Also, downloading Combofix will require me to go onto the net. Is that OK? I can always download it on a clean computer (the one I'm using now) and burn it on to a CD if that would be safer. Thanks & I'll wait to hear from you before going any further.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users