
Cannot run any anti-virus or malware scanning tools



#1 hoosiers23

Posted 11 November 2010 - 11:07 PM

Dear BleepingComputer.com gurus,

My father-in-law's XP (SP3) machine has had a history of issues over the past few months, to the point of constant blue-screens and random shutdowns, and he had a 'professional' look at it. Then I noticed some odd things:

-McAfee's Real-Time Scanning was shut off. When starting it, it turns on for a few seconds, then switches back to being 'Off'.
-Windows Update constantly shows the same update available for download (the current month's malicious software removal tool). I click to download and install it, it 'installs' quickly, and then about a minute later the yellow shield/exclamation point is back, notifying me of the same update I just installed! (Tried windowsupdate.microsoft.com, and the file size of this update that never goes away is '0 KB', very fishy.)
-Tried to install Malwarebytes: on install, it updated definitions with no problem and the program boots up, but when you initiate a scan, the program dies and just disappears after a few seconds. When I click on mbam.exe again, I get the error:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
...So, I downloaded malwarebytes and installed on my laptop, copied the mbam.exe to my flash drive, renamed it, and pasted the renamed file into the expected path of mbam.exe. On first attempt to run it, the program starts. As soon as I initiate any kind of scan, the program dies after a few seconds. And then on 2nd attempt to run the re-named mbam, I get the same permission error just described. It's almost as if the infection is keeping track of files/filenames to block from scanning and solving the issue. (Searched registry for my renamed mbam executable(s), and found nothing except the usual history of exe's recently run.)

So, I decided to turn to the experts here, and was going through the prep steps - and was able to get the DDS and Attach text files without any problem, however, when I attempted GMER:
-I got to the point of unchecking the suggested items, and I click 'Scan'. A few seconds later, the program dies and disappears. So I tried to click on GMER.exe again, and got the Windows permissions error seen above, just like when trying to get mbam.exe to run. My apologies for not being able to get the ark.txt file as requested. (This thing is like the Borg, it assimilates too quickly!)

(And luckily no browsers are hijacked and I have internet connections working, which is a moral victory compared to other times I've had to deal with malware issues on my own machines!)

My DDS.txt is below, my Attach.txt is attached, and unfortunately, I was unable to get the GMER scan to run because of the issues I am having. Any help you can provide is unbelievably appreciated!

Many thanks in advance!
hoosiers23


DDS (Ver_10-11-10.01) - NTFSx86
Run by Bill at 22:44:02.03 on Thu 11/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.526 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Verizon\VSP\ServicepointService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uWinlogon: Shell=c:\documents and settings\bill\application data\hotfix.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101111205840.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MapQuest Toolbar Loader: {bd3fd433-147a-482e-a192-614f26e2310c} - c:\program files\mapquest toolbar\mapquesttb.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: MapQuest Toolbar: {9302e698-7e00-43ab-b867-c6e759bc2ada} - c:\program files\mapquest toolbar\mapquesttb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Awaweweci] rundll32.exe "c:\windows\dieace32.dll",Startup
uRun: [awrmbjpk] c:\docume~1\bill\locals~1\temp\tmemonvae\ralikkllanw.exe
uRun: [hvfsys32] c:\docume~1\bill\locals~1\temp\hvfsys32.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [hvfsys32] c:\docume~1\bill\locals~1\temp\hvfsys32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateforietool.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284994800093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285014920531
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.89,93.188.161.229
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: doctordom: {d1577581-2ed7-469f-99b1-72c1339e0ee0} - c:\windows\system32\hkushdr.dll
LSA: Notification Packages = dieace32.dll scecli
mASetup: {2C7339OW-2J09-4501-B2F3-C3508F2941KL} - c:\documents and settings\bill\application data\microsoft\ntlsapi32.exe
mASetup: {D27339OW-8UIL-4501-B2F3-C3508X8241KL} - c:\documents and settings\bill\application data\microsoft\utfsapi32.exe

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-10 84072]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-25 54752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-10 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-10 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-10 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-10 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-10 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-10 141792]
R2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2009-12-30 668912]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-10 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-10 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-10 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-10-10 88544]
S1 56739d1;56739d1;c:\windows\system32\drivers\56739d1.sys --> c:\windows\system32\drivers\56739d1.sys [?]
S1 81e29c71;81e29c71;c:\windows\system32\drivers\81e29c71.sys --> c:\windows\system32\drivers\81e29c71.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-10 171168]
S3 DFBCFDBA;DFBCFDBA; [x]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-10 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-10-10 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-10 84264]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-12 01:55:23 -------- d-----w- c:\docume~1\bill\applic~1\McAfee
2010-11-10 19:11:11 -------- d-sh--w- C:\found.000
2010-10-23 12:55:23 495616 --sh--r- c:\docume~1\bill\applic~1\microsoft\utfsapi32.exe
2010-10-23 12:55:06 11 ----a-w- c:\windows\system32\import53an35ygsfsgftdoc.tmp

==================== Find3M ====================

2010-10-14 02:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-09-29 22:42:09 199 ----a-w- c:\docume~1\bill\applic~1\jsdfgs.bat
2010-09-22 18:23:24 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:45:17.93 ===============
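The DDS report above already carries most of what a responder needs before any removal tool has run: a process launched from a globalroot device path, a browser proxy on 127.0.0.1, a replaced Winlogon shell, autoruns in temp, a foreign LSA notification package, GUIDs that are not hexadecimal, drivers whose files cannot be found, and changed DNS resolvers. The following Python is an added example, not DDS code and not from anyone in this thread: it runs those triage rules over a constructed excerpt of the log (paths, GUIDs and addresses copied from the report above) and reports why each line stands out. The rule set is my own assumption about what a reviewer checks first.

```python
import re
from ipaddress import ip_address

# A real GUID is hexadecimal only; the mASetup entries in the log above carry
# letters such as O, W, J and L, which can never appear in one.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
BRACED_RE = re.compile(r"\{[^{}]*\}")
TEMP_RE = re.compile(r"\\(?:locals~1\\temp|local settings\\temp|temp)\\", re.I)
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+(\S{8})\s+(.+)$")
DEFAULT_LSA_PACKAGES = {"scecli"}  # the only notification package on stock XP


def triage_line(line):
    """Return findings for one DDS line; an empty list means nothing stood out."""
    s = line.strip()
    low = s.lower()
    findings = []

    # \\.\globalroot\Device\... is a device path, not a file path: the usual
    # way a hidden copy of a system binary is launched.
    if "globalroot\\device\\" in low:
        findings.append("process started from a globalroot device path")

    # Browser traffic forced through a port on the machine itself.
    if low.startswith("uinternet settings,proxyserver") and "127.0.0.1" in low:
        findings.append("proxy points at localhost (traffic interception)")

    # The Winlogon shell should be explorer.exe; anything else runs at logon.
    m = re.match(r"uwinlogon:\s*shell=(.+)", low)
    if m and not m.group(1).strip().endswith("explorer.exe"):
        findings.append("Winlogon shell replaced: " + m.group(1).strip())

    # Autorun entries that live in a temp folder are almost never legitimate.
    if low.startswith(("urun:", "mrun:")) and TEMP_RE.search(low):
        findings.append("autorun launches from a temp folder")

    # An extra LSA notification package is a DLL loaded into lsass at boot.
    if low.startswith("lsa: notification packages"):
        extra = set(low.split("=", 1)[1].split()) - DEFAULT_LSA_PACKAGES
        if extra:
            findings.append("non-default LSA package(s): " + ", ".join(sorted(extra)))

    # Every braced token shaped like a GUID must validate as hex.
    for token in BRACED_RE.findall(s):
        if token.count("-") == 4 and not GUID_RE.match(token):
            findings.append("malformed GUID " + token)

    # Resolvers outside private space deserve a check against the ISP/router;
    # a silently changed resolver is a classic DNS-hijack symptom.
    if low.startswith("tcp: nameserver"):
        for ip in low.split("=", 1)[1].replace(" ", "").split(","):
            try:
                if not ip_address(ip).is_private:
                    findings.append("public DNS resolver " + ip)
            except ValueError:
                findings.append("unparseable resolver " + ip)

    # Service/driver entries whose file DDS could not find or inspect.
    if re.match(r"[rs]\d ", low) and low.endswith(("[?]", "[x]")):
        findings.append("registered driver/service with missing or unverifiable file")

    # Created-last-30 / Find3M entries: an .exe carrying hidden+system attributes.
    c = CREATED_RE.match(s)
    if c and {"h", "s"} <= set(c.group(1)) and c.group(2).lower().endswith(".exe"):
        findings.append("hidden+system executable " + c.group(2))

    return findings


def triage_log(text):
    """Map every flagged line of a DDS log to its findings, in log order."""
    report = {}
    for line in text.splitlines():
        hits = triage_line(line)
        if hits:
            report[line.strip()] = hits
    return report


# Constructed excerpt of the DDS log posted in this thread (clean lines included).
SAMPLE_LOG = r"""
"\\.\globalroot\Device\svchost.exe\svchost.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uWinlogon: Shell=c:\documents and settings\bill\application data\hotfix.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [awrmbjpk] c:\docume~1\bill\locals~1\temp\tmemonvae\ralikkllanw.exe
mRun: [hvfsys32] c:\docume~1\bill\locals~1\temp\hvfsys32.exe
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TCP: NameServer = 93.188.162.89,93.188.161.229
LSA: Notification Packages = dieace32.dll scecli
mASetup: {2C7339OW-2J09-4501-B2F3-C3508F2941KL} - c:\documents and settings\bill\application data\microsoft\ntlsapi32.exe
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 386840]
S1 56739d1;56739d1;c:\windows\system32\drivers\56739d1.sys --> c:\windows\system32\drivers\56739d1.sys [?]
S3 DFBCFDBA;DFBCFDBA; [x]
2010-10-23 12:55:23 495616 --sh--r- c:\docume~1\bill\applic~1\microsoft\utfsapi32.exe
"""

if __name__ == "__main__":
    for entry, hits in triage_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(hits))
```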


#2 fireman4it (Malware Response Team)

Posted 11 November 2010 - 11:19 PM

Hello Victim,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

Please run the following scanners and post their logs also:

1.
Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.

    Note** it is zipped up in a .rar file. If you do not have a program to unzip this type of file, you can get a free one from here: http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


2.
Download Bootkit remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open Notepad, click Edit > Paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 fireman4it (Malware Response Team)

Posted 13 November 2010 - 11:09 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#4 hoosiers23 (Topic Starter)

Posted 13 November 2010 - 07:44 PM

Hi fireman4it,

My apologies for not replying in the last day or two. I don't have access to my father-in-law's computer every day, and I submitted my original post at the end of the night the last time I was there. Thank you so much for replying so quickly with what is hopefully a great solution for this problem. I will be working on his computer later tonight and will post everything you requested. Stay tuned!

Thanks again,
hoosiers23

#5 fireman4it (Malware Response Team)

Posted 13 November 2010 - 08:57 PM

Hello,

Thanks for letting me know. I will be awaiting your logs so we can begin cleaning the machine. :whistle:


#6 hoosiers23 (Topic Starter)

Posted 13 November 2010 - 11:44 PM

1. RKUnhooker is scanning as we speak...
Did not see any warning, but here is the report:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6A56000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1306624 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF68C8000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 929792 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF66E4000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xF6821000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF732D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAA5C6000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF659F000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF73E7000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xAA70C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA9C7E000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF6625000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA95AD000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF67BB000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xF69EA000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF74BE000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA9D4E000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7300000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8FE2000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAA636000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAA683000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF67FB000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xAA6AB000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF6670000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xF6797000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6A1E000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF69C7000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAA661000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7456000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF748E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF72E6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xAA417000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xAA3FE000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7476000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA586000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF73BA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF66A5000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF73D1000 drvmcdb.sys 90112 bytes (Sonic Solutions, Device Driver)
0xAA430000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xAA119000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF66BC000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xF66D0000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6A42000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA765000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xAA6D1000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7444000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF74AD000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6694000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF75DD000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76AD000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF768D000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF766D000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76BD000 C:\WINDOWS\system32\DRIVERS\redbook.sy@ 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAA25E000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6BF5000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF754D000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF767D000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF76CD000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF752D000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xA971E000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xAA536000 C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys 49152 bytes (Microsoft Corporation, Family Safety Filter Driver (TDI))
0xF76ED000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF6B95000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF769D000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF751D000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76DD000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF759D000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF750D000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF6C15000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF6C25000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF753D000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF6BB5000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF765D000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF76FD000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF6BA5000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAA1E6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF755D000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF75AD000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xF770D000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78A5000 C:\WINDOWS\System32\Drivers\cxru5494.SYS 32768 bytes
0xF78C5000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF77E5000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78BD000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78CD000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF78DD000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CDRom Class Filter Driver)
0xF77BD000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF778D000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7855000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF78D5000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7905000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF77CD000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF78B5000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77D5000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF78FD000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xF77A5000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF77DD000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF790D000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Computer Corporation, OMCI Device Driver)
0xF7795000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF78ED000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78F5000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF78E5000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF782D000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7925000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF79D1000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF6E70000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAA472000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF72AD000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xAA4DA000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF791D000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7921000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAA7B4000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF79E9000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF79E5000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA9D2E000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF6615000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF72A1000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF79F1000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7A01000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7A71000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xF7A57000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A81000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A55000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A11000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7A0D000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A59000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A5B000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A43000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7A47000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A89000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7A49000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A0F000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C50000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BD0000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7BFC000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7AD5000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7BF0000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7BEF000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
==============================================
>Stealth
==============================================


Nothing detected :(

2. And here is the Bootkit Remover report:

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00
Boot sector MD5 is: e7e6f498a5aad54bc8d066e2192a8456

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...


--------
Thanks so much for your help thus far!!
hoosiers23

#7 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 14 November 2010 - 04:50 AM

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 hoosiers23 (Topic Starter)

Posted 14 November 2010 - 06:18 PM

Hi fireman,

Unfortunately, ComboFix does not seem to be running properly on this infected machine. Here's what happened:

-Turned off as many things as I could find in McAfee Security Center.
-No other malware/spyware programs are running (can't get any of them to work anyway - it's one of the symptoms.)
-Ran ComboFix.exe
-A small gray window with the simple text 'Combo Fix' and a green progress bar appears, my mouse pointer shows the hourglass, my desktop icons flicker twice, the progress bar window disappears, my mouse pointer goes back to its usual state, and no report or anything is generated.

-Double clicked on ComboFix.exe again after a few minutes, same result.

-Went to my windows services and stopped everything I could related to McAfee
-Double clicked on ComboFix.exe again... same result.

How do I proceed?
Thanks,
hoosiers23

#9 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 14 November 2010 - 06:41 PM

Hello,

Please delete the copy of Combofix you have on your desktop and do the following.


Download and Rename Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below. You must rename it 1234.scr before saving it to your desktop.

Link 1
Link 2


  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on 1234.scr & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:

If ComboFix still doesn't run, try running it in Safe Mode.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.


#10 hoosiers23 (Topic Starter)

Posted 14 November 2010 - 07:27 PM

Ok, here's the latest:

-Did Save Target As... on Link 1 in your latest post, saved it as 1234.scr to the desktop. (I ignored the fact that the screenshot says to save it as Combo-Fix.exe, because in the step right after that you specifically said to double-click on 1234.scr.)
-Ran the .scr file, nothing happened, just a quick change of the icon of the file to the default .exe icon, no progress bar or anything.
-Note: if I renamed it '1234.exe', it would make the progress bar appear, but with the same results as my previous post. (a.k.a. No results)

-Deleted 1234.scr
-Re-downloaded as 12345.scr
-Rebooted into Safe Mode (without Networking)
-Double-clicked on that file, nothing happened
-Suddenly realized that I forgot to disable all McAfee services while in Safe Mode...so...

-Rebooted into 'normal' mode, deleted file, re-downloaded file, saved it as abc123.scr
-Rebooted into Safe Mode, disabled all McAfee services
-Double-clicked on abc123.scr - same results as above with 1234.scr in Normal mode. (not even a progress bar)
-Renamed it to abc123.exe, got a progress bar, but nothing after that.

Was curious what the heck was being run on startup - so I went to the registry to see what was in the 'Run' keys in various spots...some weirdness that I could find: (I was still in safe mode looking at this)

**Location, then Key name, then value**
HKCU\Software\Windows\CurrentVersion\Run, hvfsys32, [TheUserProfile]\LocalSettings\Temp\hvfsys32.exe
HKCU\Software\Windows\CurrentVersion\Run, Awaweweci, rundll32.exe "C:\WINDOWS\dieace32.dll", Startup
HKCU\Software\Windows\CurrentVersion\Run, awrmbjpk, ...[TheUserProfile]\LocalSettings\Temp\tmemonvae\ralikkllanw.exe

HKLM\Software\Windows\CurrentVersion\Run, hvfsys32, [TheUserProfile]\LocalSettings\Temp\hvfsys32.exe

I left them alone and restarted into normal mode so I could write this post. (I have a laptop handy if necessary to check things out online while working on this machine in safe mode.)

Weird thing - I couldn't even find the Local Settings folder (or any of the 'hidden by default' user profile folders), even after I went to Folder Options to view hidden files and folders. Very odd indeed!!

Getting as annoyed as I am at this point? :)

Talk soon,
hoosiers23
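As an added example (not a tool from this thread or from BleepingComputer), a small Python triage script for Run-key entries like the ones listed in the post above: it flags images launched from a user's Temp folder and rundll32 entries that load a DLL from outside system32, the two patterns those entries show. The sample entries are constructed from the post (the profile path `C:\Documents and Settings\User` stands in for [TheUserProfile]) plus three constructed benign entries to show the clean case.

```python
import ntpath

# Locations an autostart image should almost never be launched from.
# Lower-case, with surrounding backslashes so substring matching is unambiguous.
TEMP_DIR_MARKERS = ("\\local settings\\temp\\",   # XP layout, as in the thread
                    "\\appdata\\local\\temp\\",   # Vista and later
                    "\\windows\\temp\\")
# Where a legitimate rundll32 entry normally loads its DLL from on XP.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\",)
EXE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")

# Constructed sample: the entries from the post (placeholder user profile in
# place of [TheUserProfile]) plus three typical benign entries.
HKCU_RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
PROFILE = r"C:\Documents and Settings\User"   # placeholder profile path
RUN_ENTRIES = [
    (HKCU_RUN, "hvfsys32", PROFILE + r"\Local Settings\Temp\hvfsys32.exe"),
    (HKCU_RUN, "Awaweweci", r'rundll32.exe "C:\WINDOWS\dieace32.dll", Startup'),
    (HKCU_RUN, "awrmbjpk",
     PROFILE + r"\Local Settings\Temp\tmemonvae\ralikkllanw.exe"),
    (HKLM_RUN, "hvfsys32", PROFILE + r"\Local Settings\Temp\hvfsys32.exe"),
    (HKLM_RUN, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (HKLM_RUN, "QuickTime Task",
     r'"C:\Program Files\QuickTime\qttask.exe" -atboottime'),
    (HKLM_RUN, "SunJavaUpdateSched", r"C:\Program Files\Java\jre6\bin\jusched.exe"),
]


def split_command(cmdline):
    """Split a Run value into (image, args).  Mirrors how CreateProcess
    resolves an unquoted image path containing spaces: tokens are joined
    until the prefix ends in an executable extension."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], []
        return cmdline[1:end], cmdline[end + 1:].split()
    tokens = cmdline.split()
    if not tokens:
        return "", []
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXTS):
            return candidate, tokens[i:]
    return tokens[0], tokens[1:]


def rundll32_target(args):
    """Return the DLL path from rundll32 arguments ('"<dll>",<entry>' or
    '<dll>,<entry>'), or None when there is none."""
    arg = " ".join(args).strip()      # the DLL path itself may contain spaces
    if not arg:
        return None
    if arg.startswith('"'):
        end = arg.find('"', 1)
        return arg[1:end] if end != -1 else arg[1:]
    return arg.split(",", 1)[0].strip()


def triage(cmdline):
    """Return (verdict, reasons) for one Run entry's command line."""
    image, args = split_command(cmdline)
    reasons = []
    checks = [("image", image)]
    is_rundll32 = ntpath.basename(image).lower() == "rundll32.exe"
    if is_rundll32:
        dll = rundll32_target(args)
        if dll:
            checks.append(("rundll32 DLL", dll))
            if not dll.lower().startswith(SYSTEM_DLL_DIRS):
                reasons.append("rundll32 loads %s from outside system32" % dll)
    for what, path in checks:
        if any(marker in path.lower() for marker in TEMP_DIR_MARKERS):
            reasons.append("%s %s runs from a Temp folder" % (what, path))
    # A bare file name is resolved through PATH, which is unusual for a Run
    # entry other than rundll32.exe itself; treat it as a weak signal.
    if not is_rundll32 and not ntpath.isabs(image):
        reasons.append("image %s is not an absolute path" % image)
    return ("SUSPICIOUS" if reasons else "clean"), reasons


def triage_entries(entries):
    """Triage a list of (location, name, command) tuples."""
    return [(loc, name, cmd) + triage(cmd) for loc, name, cmd in entries]


if __name__ == "__main__":
    for loc, name, cmd, verdict, reasons in triage_entries(RUN_ENTRIES):
        print("%-10s %s\\%s" % (verdict, loc, name))
        for reason in reasons:
            print("           - " + reason)
```

On a live machine the entries would come from `reg query` output or the registry API instead of the constructed list; the heuristics are deliberately narrow, so a clean verdict is not proof that an entry is benign.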

#11 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 14 November 2010 - 07:51 PM

Hello,

Just another day of malware removal. We have many more options and tools to use yet.

1.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

2.
    1. Please download OTL from one of the following mirrors:
       This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the OTL.exe icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
       • OTL.txt <-- Will be opened
       • Extra.txt <-- Will be minimized


#12 hoosiers23 (Topic Starter)

Posted 14 November 2010 - 08:11 PM

Thanks so much for the fast replies, can't tell you how much it is appreciated!

1. MBRCheck results:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 144):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7A0D000 \WINDOWS\system32\KDCOM.DLL
0xF791D000 \WINDOWS\system32\BOOTVID.dll
0xF74BE000 ACPI.sys
0xF7A0F000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74AD000 pci.sys
0xF750D000 isapnp.sys
0xF7921000 compbatt.sys
0xF7925000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7AD5000 pciide.sys
0xF778D000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A11000 intelide.sys
0xF751D000 MountMgr.sys
0xF748E000 ftdisk.sys
0xF7795000 PartMgr.sys
0xF752D000 VolSnap.sys
0xF7476000 atapi.sys
0xF753D000 disk.sys
0xF754D000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7456000 fltmgr.sys
0xF7444000 sr.sys
0xF73E7000 mfehidk.sys
0xF73D1000 drvmcdb.sys
0xF755D000 PxHelp20.sys
0xF73BA000 KSecDD.sys
0xF732D000 Ntfs.sys
0xF7300000 NDIS.sys
0xF72E6000 Mup.sys
0xF789D000 \SystemRoot\System32\Drivers\cxru5494.SYS
0xF760D000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6C85000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6C71000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF78A5000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6C4D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78AD000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6C19000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF6BF6000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6AF7000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6A50000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF78B5000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6A2A000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF69EA000 \SystemRoot\system32\drivers\smwdm.sys
0xF69C6000 \SystemRoot\system32\drivers\portcls.sys
0xF761D000 \SystemRoot\system32\drivers\drmk.sys
0xF6913000 \SystemRoot\system32\drivers\senfilt.sys
0xF78BD000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF762D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78C5000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF68FF000 \SystemRoot\system32\DRIVERS\parport.sys
0xF763D000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7A05000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF764D000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A43000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF765D000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF766D000 \SystemRoot\system32\DRIVERS\redbook.sy@
0xF78CD000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF7AE3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF68EB000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF767D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF72AD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF68D4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF768D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF769D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78D5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF68C3000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76AD000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF689F000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF6854000 \SystemRoot\system32\drivers\mfefirek.sys
0xF78DD000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78E5000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF78ED000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF76BD000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78F5000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A47000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF67CE000 \SystemRoot\system32\DRIVERS\update.sys
0xF6DD0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF78FD000 \SystemRoot\system32\DRIVERS\omci.sys
0xF76CD000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76ED000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A49000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79C1000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF7905000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF79D5000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79D9000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF771D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF790D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7A4B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C28000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A4D000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77A5000 \SystemRoot\system32\drivers\ssrtln.sys
0xF77BD000 \SystemRoot\System32\drivers\vga.sys
0xF7A4F000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A51000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77C5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77CD000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF79DD000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA6C5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA66C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA659000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xAA633000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA5E3000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF772D000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF79F1000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAA5C1000 \SystemRoot\System32\drivers\afd.sys
0xF773D000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA596000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA526000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF774D000 \SystemRoot\System32\Drivers\Fips.SYS
0xF79FD000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF776D000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAA50E000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A61000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA714000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77DD000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B23000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAA780000 \SystemRoot\system32\drivers\drvnddm.sys
0xF7BFC000 \SystemRoot\system32\dla\tfsndres.sys
0xAA390000 \SystemRoot\system32\dla\tfsnifs.sys
0xAA436000 \SystemRoot\system32\dla\tfsnopio.sys
0xF7A67000 \SystemRoot\system32\dla\tfsnpool.sys
0xF77F5000 \SystemRoot\system32\dla\tfsnboio.sys
0xAA770000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7BFD000 \SystemRoot\system32\dla\tfsndrct.sys
0xAA377000 \SystemRoot\system32\dla\tfsnudf.sys
0xAA35E000 \SystemRoot\system32\dla\tfsnudfa.sys
0xAA4B6000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xAA3E6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAA079000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA1EE000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9D9E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7ABD000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xA9C06000 \SystemRoot\system32\DRIVERS\srv.sys
0xA9BD6000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA94E5000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9A66000 \SystemRoot\system32\drivers\cfwids.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 40):
0 System Idle Process
4 System
916 C:\WINDOWS\system32\smss.exe
968 csrss.exe
992 C:\WINDOWS\system32\winlogon.exe
1036 C:\WINDOWS\system32\services.exe
1048 C:\WINDOWS\system32\lsass.exe
1248 C:\WINDOWS\system32\svchost.exe
1296 svchost.exe
1420 C:\WINDOWS\system32\svchost.exe
1560 svchost.exe
1668 svchost.exe
1784 C:\WINDOWS\system32\spoolsv.exe
308 C:\WINDOWS\explorer.exe
328 \Device\svchost.exe
480 C:\Program Files\QuickTime\qttask.exe
504 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
524 C:\DOCUME~1\Bill\LOCALS~1\Temp\hvfsys32.exe
532 C:\WINDOWS\system32\ctfmon.exe
544 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
560 C:\WINDOWS\system32\rundll32.exe
628 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
700 svchost.exe
756 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
880 C:\Program Files\Internet Explorer\iexplore.exe
948 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
1604 C:\Program Files\Internet Explorer\iexplore.exe
1680 C:\Program Files\Common Files\Motive\McciCMService.exe
1944 C:\WINDOWS\system32\mfevtps.exe
1964 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
280 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
124 C:\Program Files\Verizon\VSP\ServicepointService.exe
616 C:\WINDOWS\system32\svchost.exe
1228 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
3284 alg.exe
2804 C:\WINDOWS\system32\svchost.exe
2200 C:\WINDOWS\system32\wuauclt.exe
3816 C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
152 C:\Program Files\McAfee.com\Agent\mcagent.exe
892 C:\Documents and Settings\Bill\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: ST3160023AS, Rev: 8.12

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365


Done!

2. OTL results:
-pasted the custom scan commands into the custom scan box as directed
-clicked Quick Scan...after not even a second, the program closes, and no text files are open or minimized (and not created on the Desktop either - also searched the whole computer for a file called OTL.txt and found nothing.)

Another random note: Can now see the Local Settings/Temp folder (maybe I just needed to eat dinner or something!), and in the Temp folder there is a file called 'syslock32.exe' dated a few weeks ago... pretty sure that's not a good thing to have on there. :)

In a nutshell? "No soup for you! NEXT!"

Movin' right along...
Thanks,
hoosiers23

#13 hoosiers23 (Topic Starter)

Posted 14 November 2010 - 08:16 PM

By the way, clicking on OTL.exe now gives me that 'access is denied' error I was getting when trying MBAM originally, which prompted the creation of this topic. It has assimilated!

-hoosiers23

#14 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 14 November 2010 - 09:32 PM

Hello,

Restore Permissions for (OTL)

Please download Inherit by sUBs

  • Drag and drop OTL.exe onto Inherit
  • This shall restore permissions to the application
  • The application should now run normally
Please indicate in your next post if this was successful.




Delete and download ComboFix again, don't rename it this time, and try the following:


Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Edited by fireman4it, 14 November 2010 - 09:40 PM.


#15 hoosiers23 (Topic Starter)

Posted 15 November 2010 - 07:46 PM

Hello,

-Dragged and dropped OTL.exe into Inherit.exe and it said 'finished' and clicked OK.
-Pasted custom code and clicked Quick Scan button in OTL, with same result as before, meaning...no result.

Next post will have Combo-Fix results from using your latest instructions...



