
Unknown Infection - continually rebooting


21 replies to this topic

#1 reboot608

reboot608

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:51 PM

Posted 29 January 2011 - 03:49 PM

I have never had to seek out help like this before, but I think I have come across a problem I cannot solve (embarrassed). So, if someone can help me, I will gladly (and humbly) accept.

My home built PC has run fine for 4 or 5 years. But the other morning I found it rebooting over and over. The system (Windows XP - MCE) was left on overnight. The reboot sequence would stall on the Windows splash screen with the little moving slider bar freezing after 3/4 of the first slide. Attempting to reboot in another mode revealed it freezing while trying to load JGOGO.sys, which is right after mup.sys. I could not get the system to boot into any mode - SAFE, SAFE w/ net, Last Known Good Config, etc.

Next I tried booting to a CD I had made a couple years ago to fix a "missing NTLDR" problem. I was able to start up and access the PC using this CD (I am booted to it now). My research on JGOGO.SYS and mup.sys did not help. My McAfee AV would keep turning off. So I ran MalwareBytes and McAfee scans; they found some infections but (supposedly) cleaned them up. Here are some they found:

McAfee Log:
1 - FakeAlert-SpyPro.gen.bb (Trojan) - McAfee repaired and removed
2 - Hiloti.gen.i (Trojan) - McAfee repaired and removed
3 - Generic FakeAlert.am (Trojan) - McAfee repaired and removed
4 - Exploit-ByteVerify Trojan, Exploit-ByteVerify Trojan, Exploit-ByteVerify - McAfee Quarantined
5 - FakeAlert-FakeSpy!env.d - McAfee removed - restart required

MalwareBytes Log:
Files Infected:
c:\system volume information\_restore{55e9962d-7ac7-4edd-83cf-367e57029ddf}\rp171\a0021354.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\system volume information\_restore{55e9962d-7ac7-4edd-83cf-367e57029ddf}\rp171\a0021355.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{55e9962d-7ac7-4edd-83cf-367e57029ddf}\rp171\a0021356.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{55e9962d-7ac7-4edd-83cf-367e57029ddf}\rp171\a0021357.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

So, my problem does not seem to be a hardware issue, as my PC runs OK when booted from the CD. But it still will not boot normally from the C:\ hard drive after running the scans to clean up the PC. Hence my visit here. Please let me know if there is any other information you may need about my PC, the software I use, my home network configuration, etc. I am hoping to avoid a complete re-installation of Windows, programs, drivers, etc.


In preparation for this post I've followed all the instructions (they were great - Thanks!) and will now paste in the DDS.txt file log and attach the DDS Attach.txt and GMER ark.txt log files.

DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Tim at 13:47:24.46 on Sat 01/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1045 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\System32\svchost.exe -k netsvcs
P:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Windows\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
P:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
P:\Program Files\LogMeIn\x86\RaMaint.exe
P:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
svchost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
D:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
P:\Program Files\Logitech\iTouch\iTouch.exe
P:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\ehome\ehtray.exe
P:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\ASUS\PC Probe II\Probe2.exe
P:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\WINDOWS\eHome\ehmsas.exe
P:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ASUS\AASP\1.00.25\aaCenter.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
P:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Windows\system32\ctfmon.exe
P:\PROGRA~1\MICROS~3\rapimgr.exe
P:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
P:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee Online Backup\MOBKstat.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
P:\Program Files\Mozilla Firefox\firefox.exe
P:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\Windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Windows\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Documents and Settings\Tim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: jZip Webmail plugin: {647fd14a-c4f1-46f4-8fc3-0b40f54226f7} - c:\program files\jzip\WebmailPlugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101111220155.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - p:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "p:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Skype] "p:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRunOnce: [SAPostInstallPage] iexplore.exe http://www.siteadvisor.com/download/postinstall.html?pip=false&premium=false&client_uid=797349168&client_ver=3.3.0.176&client_type=IEPlugin&suite=true&aff_id=0-202&locale=en_us&os_ver=5.1.3.0&postflow=3&installchoice=2
mRun: [Windows Defender] "d:\program files\windows defender\MSASCui.exe" -hide
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [zBrowser Launcher] p:\program files\logitech\itouch\iTouch.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [InCD] p:\program files\ahead\incd\InCD.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Launch PC Probe II] "d:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [HP Software Update] p:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Ai Nap] "d:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [LogMeIn GUI] "p:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [UpdatePDRShortCut] "p:\program files\cyberlink\powerdirector\powerdirector\muitransfer\muistartmenu.exe" "p:\program files\cyberlink\powerdirector\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [<NO NAME>]
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MBkLogonHook]
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "p:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - p:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - p:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee online backup\MOBKstat.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - p:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - p:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - p:\progra~1\micros~3\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - p:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - p:\progra~1\micros~1\office11\REFIEBAR.DLL
Trusted Zone: asus.com\vip
Trusted Zone: buy.com\www
Trusted Zone: google.com\picasaweb
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: uwbadgers.com\www
Trusted Zone: windowsupdate.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263180282814
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263180224127
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - p:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - d:\progra~1\window~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 192.168.0.15 HP000D9D04205F

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tim\applic~1\mozilla\firefox\profiles\3o8d4ab2.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.jzip.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-1 386840]
R1 FD;FD;c:\windows\system32\drivers\FD.sys [2008-3-16 24179]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-1 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-1-29 54776]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-3-15 14336]
R2 LMIGuardianSvc;LMIGuardianSvc;p:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-1 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;p:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-26 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-26 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-1 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-1 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-1 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 WinDefend;Windows Defender;d:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2007-11-1 37376]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-1 55840]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2010-1-31 18864]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-4-13 384896]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-1 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-1 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-1 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88544]
S2 0056451296320714mcinstcleanup;McAfee Application Installer Cleanup (0056451296320714);c:\docume~1\tim\locals~1\temp\005645~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\tim\locals~1\temp\005645~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-12 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-1 84264]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-01-29 17:05:11 -------- d-----w- c:\program files\McAfeeMOBK
2011-01-29 17:05:00 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-01-29 17:04:57 -------- d-----w- c:\program files\McAfee Online Backup
2011-01-28 15:00:34 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{c4811e8d-d7f5-452e-9b83-39761f21d153}\mpengine.dll
2011-01-27 03:06:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-27 03:06:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-02 22:14:22 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-01-02 22:14:22 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-01-02 22:14:22 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-01-02 22:14:22 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-01-02 22:14:22 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-01-02 22:14:22 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-01-02 22:14:22 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

==================== Find3M ====================

2010-12-08 19:12:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 19:11:52 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 19:11:46 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 19:11:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 03:44:04 5488 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

============= FINISH: 13:48:03.09 ===============

Edited by reboot608, 29 January 2011 - 05:02 PM.
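As an added example (not from this thread, from DDS, or from the helper's toolkit), a small Python triage pass over lines shaped like the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections above, flagging the entries a log reviewer checks first: BHOs whose DLL is gone ("No File"), Run values with no command, bare executable names with no path, and services whose binary sits under a temp directory or that DDS could not verify. The sample lines are constructed from entries in the log above, and the reading of the `[x]`/`[?]` markers as "not found / not verified" is an assumption, as are all function names.

```python
"""Triage pass over DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" lines.

Hypothetical helper, not part of DDS. It does not decide whether an entry is
malicious; it only surfaces the entries a log reviewer looks at first.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS log above (entries copied from it).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [Windows Defender] "d:\program files\windows defender\MSASCui.exe" -hide
mRun: [<NO NAME>]
mRun: [MBkLogonHook]
mRun: [Logitech Utility] Logi_MwX.Exe

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-1 386840]
S2 0056451296320714mcinstcleanup;McAfee Application Installer Cleanup (0056451296320714);c:\docume~1\tim\locals~1\temp\005645~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

# Line shapes as DDS prints them: "BHO: <name>: {CLSID} - <file>",
# "mRun: [<value name>] <command>" and "<start> <service>;<display>;<image> [<date> <size>]".
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]*);(?P<display>[^;]*);(?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Assumption: DDS appends [x] when the image file was not found and [?] when it could not verify it.
UNVERIFIED_MARKERS = ("[x]", "[?]")


@dataclass
class Finding:
    kind: str   # what was noticed
    line: str   # the log line it applies to


def executable_of(cmd: str) -> str:
    """Return the program part of an autorun command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(text: str) -> list[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        bho = BHO_RE.match(line)
        if bho:
            # A CLSID still registered as a BHO whose DLL is gone: leftover of a removed add-on or a cleanup.
            if bho.group("target").strip().lower() == "no file":
                findings.append(Finding("orphaned_bho", line))
            continue
        run = RUN_RE.match(line)
        if run:
            cmd = (run.group("cmd") or "").strip()
            if not cmd:
                # Run value with an empty command (e.g. "[<NO NAME>]"): nothing launches, but worth noting.
                findings.append(Finding("empty_autorun", line))
            elif "\\" not in executable_of(cmd):
                # Bare executable name: resolved by PATH search at logon rather than a fixed location.
                findings.append(Finding("bare_executable", line))
            continue
        svc = SVC_RE.match(line)
        if svc:
            cmd = svc.group("cmd").strip()
            if cmd.endswith(UNVERIFIED_MARKERS):
                findings.append(Finding("unverified_binary", line))
            if TEMP_RE.search(cmd):
                # Services normally live under Program Files or system32, not a user's temp folder.
                findings.append(Finding("temp_dir_binary", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, the quick overview a reviewer wants first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:<18} {f.line[:90]}")
    print(summarize(triage(SAMPLE_DDS)))
```

Each flagged entry still needs a human decision; the McAfee cleanup service under temp, for instance, is explained by the McAfee reinstall the first log shows, which is exactly why the script reports rather than judges.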



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:51 AM

Posted 04 February 2011 - 05:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:



#3 reboot608

reboot608
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:51 PM

Posted 04 February 2011 - 01:04 PM

Hello Georgi:

Thanks for helping out. I will run the program scans and create logs for posting here tonight after work. Hopefully we can get this resolved over the weekend. Until then

Tim

#4 reboot608

reboot608
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:51 PM

Posted 04 February 2011 - 08:09 PM

Hello Georgi. And thanks again for lending me your assistance with my problem.

I am still having the same problem with my PC that I describe in my original post. The bottom line is that my PC will not complete the boot to Windows. I am able to start it up and run Windows using a CD.

Here is some information on my PC and Windows Operating System:

System Information report written at: 02/04/11 17:51:28
System Name: TIMS-MCE-PC
[System Summary]

Item Value
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name TIMS-MCE-PC
System Manufacturer System manufacturer
System Model System Product Name
System Type X86-based PC
Processor x86 Family 6 Model 15 Stepping 6 GenuineIntel ~2401 Mhz
BIOS Version/Date American Megatrends Inc. 1704, 11/27/2007
SMBIOS Version 2.4
Windows Directory C:\Windows
System Directory C:\Windows\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name TIMS-MCE-PC\Tim
Time Zone Central Standard Time
Total Physical Memory 2,048.00 MB
Available Physical Memory 1,019.35 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.90 GB
Page File Space 3.85 GB
Page File E:\pagefile.sys


I DO have my original Windows CDs available.

Here is a new DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Tim at 18:03:17.68 on Fri 02/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1171 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*

============== Running Processes ===============

C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\System32\svchost.exe -k netsvcs
P:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Windows\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
P:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
P:\Program Files\LogMeIn\x86\RaMaint.exe
P:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\Explorer.EXE
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
svchost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
P:\Program Files\Logitech\iTouch\iTouch.exe
P:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\ehome\ehtray.exe
P:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Windows\system32\ctfmon.exe
D:\Program Files\ASUS\PC Probe II\Probe2.exe
P:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
P:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPHipm09.exe
P:\Program Files\Microsoft ActiveSync\Wcescomm.exe
P:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
P:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ASUS\AASP\1.00.25\aaCenter.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
P:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Online Backup\MOBKstat.exe
P:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
P:\Program Files\Mozilla Firefox\firefox.exe
P:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wscntfy.exe
C:\Documents and Settings\Tim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: jZip Webmail plugin: {647fd14a-c4f1-46f4-8fc3-0b40f54226f7} - c:\program files\jzip\WebmailPlugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101111220155.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - p:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "p:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Skype] "p:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [Windows Defender] "d:\program files\windows defender\MSASCui.exe" -hide
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [zBrowser Launcher] p:\program files\logitech\itouch\iTouch.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [InCD] p:\program files\ahead\incd\InCD.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Launch PC Probe II] "d:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [HP Software Update] p:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Ai Nap] "d:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [LogMeIn GUI] "p:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [UpdatePDRShortCut] "p:\program files\cyberlink\powerdirector\powerdirector\muitransfer\muistartmenu.exe" "p:\program files\cyberlink\powerdirector\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [<NO NAME>]
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MBkLogonHook]
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "p:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - p:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - p:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee online backup\MOBKstat.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - p:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - p:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - p:\progra~1\micros~3\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - p:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - p:\progra~1\micros~1\office11\REFIEBAR.DLL
Trusted Zone: asus.com\vip
Trusted Zone: buy.com\www
Trusted Zone: google.com\picasaweb
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: uwbadgers.com\www
Trusted Zone: windowsupdate.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263180282814
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263180224127
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - p:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - d:\progra~1\window~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 192.168.0.15 HP000D9D04205F

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tim\applic~1\mozilla\firefox\profiles\3o8d4ab2.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.jzip.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-1 386840]
R1 FD;FD;c:\windows\system32\drivers\FD.sys [2008-3-16 24179]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-1 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-1-29 54776]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-3-15 14336]
R2 LMIGuardianSvc;LMIGuardianSvc;p:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-1 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;p:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-26 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-26 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-1 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-1 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-1 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 WinDefend;Windows Defender;d:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-1 55840]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2010-1-31 18864]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-4-13 384896]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-1 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-1 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-12 135664]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2007-11-1 37376]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-1 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-1 84264]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-02-04 18:52:41 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{66d198e2-cc51-46a3-a0b1-b1ffbb902c3e}\mpengine.dll
2011-01-30 16:06:58 -------- d-----w- c:\program files\LightScribe Diagnostic Utility
2011-01-30 04:18:31 -------- d-----w- c:\program files\LightScribe
2011-01-30 04:14:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\LightScribe
2011-01-29 17:05:11 -------- d-----w- c:\program files\McAfeeMOBK
2011-01-29 17:05:00 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-01-29 17:04:57 -------- d-----w- c:\program files\McAfee Online Backup
2011-01-27 03:06:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-27 03:06:30 -------- d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-12-08 19:12:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 19:11:52 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 19:11:46 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 19:11:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 03:44:04 5488 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 18:03:37.98 ===============


And finally, I attach the DDS-generated "attach.txt" and the GMER-generated "ark.txt" files for your inspection.

I will check back periodically for further instructions.

If there is any further information you need, just ask.

Thanks again for your help.

Tim
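
The DDS log posted above is the kind of thing a helper reads by eye, looking for registrations that no longer point at a file, Run values with no command, services whose image is missing, and startup entries given as a bare file name rather than a full path. The Python script below is an added example written for this page, not part of the thread and not a DDS feature; it applies those checks to lines in DDS's "Pseudo HJT Report" and "SERVICES / DRIVERS" format. The SAMPLE_LOG is constructed from the same kind of entries that appear in the log above, and the findings are review prompts for a human, not verdicts about malware.

```python
import re

# Constructed sample: a handful of lines in the format DDS uses for its
# "Pseudo HJT Report" and "SERVICES / DRIVERS" sections. Embedded here so
# the script runs offline; in practice, pass the saved DDS.txt text instead.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [<NO NAME>]
mRun: [MBkLogonHook]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-1 386840]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-3-15 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

# Line shapes used by DDS: "BHO: name: {CLSID} - path", "uRun/mRun: [name] command",
# and "Rn/Sn service;description;image [date size]".
BHO_RE = re.compile(r'^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$')
RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
SVC_RE = re.compile(r'^(?P<state>[RS]\d) (?P<svc>[^;]*);(?P<desc>[^;]*);(?P<image>.*?)\s*(?:\[(?P<stamp>[^\]]*)\])?$')


def first_token(cmd):
    """Return the executable part of a Run value, honouring double quotes."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_qualified(exe):
    """True when the executable carries a drive or directory, so it is not
    resolved through the PATH search order at logon."""
    return ':' in exe or '\\' in exe or exe.startswith('%')


def triage(log_text):
    """Return (finding, subject) pairs for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m.group('path').strip().lower() == 'no file':
                # CLSID is still registered as a BHO but its DLL is gone:
                # an uninstall leftover or a component that was removed.
                findings.append(('orphaned_bho', m.group('clsid')))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group('cmd').strip()
            if not cmd:
                findings.append(('empty_run_value', m.group('name')))
            elif not is_qualified(first_token(cmd)):
                # A bare file name is looked up via the PATH at logon, so a
                # same-named file earlier in the search order would run instead.
                findings.append(('unqualified_run_target', m.group('name')))
            continue
        m = SVC_RE.match(line)
        if m:
            image = m.group('image').strip()
            if m.group('stamp') == 'x' or not image:
                # Registered service or driver whose image file is missing.
                findings.append(('missing_service_image', m.group('svc')))
            elif 'svchost.exe' in image.lower() and '-k' in image.lower():
                # Hosted in a svchost group: the real code is the ServiceDll
                # named in the registry, which this log line does not show.
                findings.append(('svchost_group', m.group('svc')))
    return findings


if __name__ == '__main__':
    for kind, subject in triage(SAMPLE_LOG):
        print(f'{kind:24} {subject}')
```

Each finding still has to be resolved against the disk: an orphaned BHO from a removed toolbar is harmless clutter, while a service whose image is missing may be a remnant of something the scanners already deleted, which is exactly the question the helper goes on to investigate with OTL and GMER.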

#5 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 05 February 2011 - 09:26 AM

Hello reboot608

Welcome to BleepingComputer :)
==========================
Hi, just to confirm: do you still get a reboot loop when you try to boot normally?
Is this a RAID setup?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#6 reboot608 (Topic Starter, Members, 13 posts)

Posted 05 February 2011 - 10:36 AM

> Hello reboot608
>
> Welcome to BleepingComputer :)
> ==========================
> Hi, just to confirm: do you still get a reboot loop when you try to boot normally?
> Is this a RAID setup?


Thanks for the reply kahdah.

Yes, my PC is still stuck in a reboot loop when I try to boot normally from the hard drive. I must use a CD I made a few years ago to boot up to get access to all drives and programs. In my initial post you will see some of the virus issues found after the reboot problem started (overnight).

No, the hard drives are not setup in a RAID array. The MB has RAID capabilities (ASUS P5B-E), but I do not have it set up for RAID. I have three HDDs connected as 'normal' SATA drives. They are partitioned as follows:

Disk0 - 298.09 GB (320) - C:-O/S (55.88 GB), three other partitions for programs, Vista (never installed) and data. All are "healthy" per Computer Management.
Disk1 - 69.24 GB (74) - no partition. This drive is devoted to MCE video recording. "Healthy" per Computer Management.
Disk3 - 465.75 GB (500) - three partitions for programs, My Docs (my XP default docs folders), and long-term video storage. All are "healthy" per Computer Management.

Tim

#7 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 05 February 2011 - 10:41 AM

OK, just checking on the RAID to rule it out.
Please do the following so I can know more about the issue.
Restart the machine and, as soon as the POST screen flashes, start tapping the F8 key repeatedly until you see a list of boot options.
One will say "Disable automatic restart on system failure"; highlight it using your arrow keys, then once it is selected press Enter.
Then it should force it to blue screen.
Please type the stop error code and the file it references (if any) here for me to see.

#8 reboot608 (Topic Starter, Members, 13 posts)

Posted 05 February 2011 - 01:08 PM

> OK, just checking on the RAID to rule it out.
> Please do the following so I can know more about the issue.
> Restart the machine and, as soon as the POST screen flashes, start tapping the F8 key repeatedly until you see a list of boot options.
> One will say "Disable automatic restart on system failure"; highlight it using your arrow keys, then once it is selected press Enter.
> Then it should force it to blue screen.
> Please type the stop error code and the file it references (if any) here for me to see.


Hello again kahdah:

I have followed your instructions.

1 - Removed my startup CD
2 - Restarted - booting from c:\ HD
3 - F8 to boot options
4 - Selected "Disable automatic restart on system failure" and pressed Enter
5 - Prompted to "Please select operating system to start:"
6 - Selected only one listed - "Windows XP Media Center Edition" and pressed Enter
7 - booted to BSOD with message about "A problem has been detected..."
8 - Stop error code is:

***STOP: 0X0000007B (0XBA4C7524, 0XC00000034, 0X00000000, 0X00000000)


I hope this is helpful.

Tim

#9 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 06 February 2011 - 06:43 AM

It does help a little. Can you get into the Recovery Console from that CD that you boot with?

#10 reboot608 (Topic Starter, Members, 13 posts)

Posted 06 February 2011 - 09:09 AM

Not with the boot CD I have been using. But I can use a UBCD4WinXP that I built by slipstreaming my original Win XP MCE disk and an MS XP SP3 disk.

I have the system booted to the Windows Recovery console now. I am signed in as the Admin and sitting at a prompt of C:\Windows.

I'll keep it there until I get further instructions. If I do not respond later today, it's because of the Super Bowl. I'll be at a party later.

#11 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 06 February 2011 - 12:01 PM

Great. Type this at the prompt: chkdsk /r, then hit Enter.
It will take a while to run through the diagnostics. Type exit, then hit Enter when it finishes, and see if it will boot into normal Windows then.

#12 reboot608 (Topic Starter, Members, 13 posts)

Posted 06 February 2011 - 05:56 PM

> Great. Type this at the prompt: chkdsk /r, then hit Enter.
> It will take a while to run through the diagnostics. Type exit, then hit Enter when it finishes, and see if it will boot into normal Windows then.


Hi kahdah:

I ran chkdsk /r from C:\WINDOWS (Recovery Console) and the process finished without reporting any errors or problems.

Then I exited Recovery Console, removed the CD and tried to reboot from the C:\ HDD but ended up with the same snag up. Windows XP splash screen starts, the slider bar goes about 3/4 across the first pass, the system freezes there for 5 or 10 seconds and then it reboots - over, and over, and over....

Next?

#13 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 07 February 2011 - 05:53 AM

OK, please boot again to the Recovery Console and this time type in fixmbr, then hit Enter.
Then exit again and see if it will boot then.
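
The fixmbr step above writes fresh bootstrap code into sector 0 of the boot disk and leaves the partition table in that sector alone, which is why it can clear a boot loop caused by damaged or modified boot code without touching the volumes. Before running it, a practitioner would save a copy of sector 0 so the original code is kept for analysis, and afterwards confirm that only the code region changed. The Python script below is an added example written for this page, not code from the thread, from DDS or from the Recovery Console; it parses a 512-byte MBR image, checks the partition table for basic consistency, and reports which regions differ between a before and after image. The sample partition layout, the placeholder bootstrap bytes and the empty KNOWN_GOOD_CODE_SHA256 baseline are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446              # bootstrap code occupies bytes 0..445
TABLE_OFF = 446             # four 16-byte partition entries follow it
ENTRY_FMT = '<B3sB3sII'     # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b'\x55\xaa'     # bytes 510..511

# Hypothetical baseline: SHA-256 of bootstrap code recorded from a clean
# machine of the same Windows version. Left empty here, which disables the
# comparison; populate it from your own known-good image.
KNOWN_GOOD_CODE_SHA256 = set()


def build_mbr(code, partitions):
    """Assemble a sector from bootstrap code and partition tuples
    (status, chs_start, type, chs_end, lba_start, sectors). Used only to
    construct sample input here; real input is a raw sector-0 image."""
    code = code.ljust(CODE_LEN, b'\x00')[:CODE_LEN]
    empty = (0, b'\x00' * 3, 0, b'\x00' * 3, 0, 0)
    entries = (list(partitions) + [empty] * 4)[:4]
    table = b''.join(struct.pack(ENTRY_FMT, *p) for p in entries)
    return code + table + SIGNATURE


def parse_mbr(sector):
    """Split sector 0 into its regions and decode the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('expected a 512-byte sector')
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        parts.append({'index': i, 'active': status == 0x80, 'status': status,
                      'type': ptype, 'lba_start': lba, 'sectors': count})
    return {
        'code_sha256': hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        'partitions': parts,
        'signature_ok': sector[510:512] == SIGNATURE,
    }


def check_mbr(parsed):
    """Return plain-language problems found in a parsed MBR."""
    issues = []
    if not parsed['signature_ok']:
        issues.append('missing 0x55AA boot signature')
    used = [p for p in parsed['partitions'] if p['type'] != 0]
    active = [p for p in used if p['active']]
    if len(active) != 1:
        issues.append(f'{len(active)} active partitions (expected exactly 1)')
    for p in parsed['partitions']:
        if p['status'] not in (0x00, 0x80):
            issues.append(f'entry {p["index"]}: invalid status byte 0x{p["status"]:02x}')
    for a in used:
        for b in used:
            if (a['index'] < b['index']
                    and a['lba_start'] < b['lba_start'] + b['sectors']
                    and b['lba_start'] < a['lba_start'] + a['sectors']):
                issues.append(f'entries {a["index"]} and {b["index"]} overlap')
    if KNOWN_GOOD_CODE_SHA256 and parsed['code_sha256'] not in KNOWN_GOOD_CODE_SHA256:
        issues.append('bootstrap code does not match any known-good hash')
    return issues


def diff_mbr(before, after):
    """Report which regions differ between two sector-0 images, e.g. those
    saved before and after fixmbr. A correct fixmbr changes the code region
    and leaves the partition table and signature untouched."""
    return {
        'code_changed': before[:CODE_LEN] != after[:CODE_LEN],
        'table_changed': before[TABLE_OFF:510] != after[TABLE_OFF:510],
        'signature_changed': before[510:] != after[510:],
    }


# Constructed sample: a bootable ~56 GB NTFS partition plus a second one,
# with two arbitrary byte strings standing in for old and new bootstrap code.
PARTS = [
    (0x80, b'\x01\x01\x00', 0x07, b'\xfe\xff\xff', 63, 117_187_500),
    (0x00, b'\xfe\xff\xff', 0x07, b'\xfe\xff\xff', 117_187_563, 100_000_000),
]
MBR_BEFORE = build_mbr(b'\xeb\xfe' + bytes(range(256)), PARTS)   # placeholder, not a real bootloader
MBR_AFTER = build_mbr(b'\xfa\x33\xc0\x90\x90', PARTS)             # placeholder, not a real bootloader

if __name__ == '__main__':
    # On a live Windows system the raw sector is read (as Administrator) with:
    #   open(r'\\.\PhysicalDrive0', 'rb').read(512)
    print(check_mbr(parse_mbr(MBR_BEFORE)))
    print(diff_mbr(MBR_BEFORE, MBR_AFTER))
```

If diff_mbr reports table_changed after fixmbr, something other than the bootstrap code was rewritten and the saved before image is what you would use to recover the partition layout; if check_mbr is clean but the machine still will not boot, the problem is further along the chain (boot sector of the active partition, ntldr, boot.ini) rather than in sector 0.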

#14 reboot608 (Topic Starter, Members, 13 posts)

Posted 07 February 2011 - 07:48 PM

kahdah:

OK. I have run fixmbr from Windows Recovery Console tonight and now the system boots up - Start Windows Normally.

I logged on to the Administrator account on the first boot and am running a McAfee AV Scan just in case. After that I will run a MalwareBytes scan. Is there anything else we need to check now to make sure the PC is free of trojans, viruses and the like? I'd hate to end up back in the same boat a few days or weeks from now.

I'll report the results of the scans tomorrow.

Let me know if you want to check anything else out.

Thanks,

Tim

#15 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 08 February 2011 - 08:10 AM

Great. Yes, I would like to take a deeper look into the machine. Please do the following:

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.




