Jump to content

Vundo.H will not go away after reboot!


Recommended Posts

Malwarebytes' Anti-Malware 1.41

Database version: 3128

Windows 5.1.2600 Service Pack 2

11/8/2009 1:34:23 PM

mbam-log-2009-11-08 (13-34-23).txt

Scan type: Quick Scan

Objects scanned: 113538

Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6209829c-a2aa-4fd0-a7f6-3a2e0e59b60b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fxrmgcrf (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6209829c-a2aa-4fd0-a7f6-3a2e0e59b60b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\windows\system32\yhvglrc.dll (Trojan.Vundo.H) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:34:53 PM, on 11/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Lexmark 7600 Series\lxdwmon.exe

C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe

C:\WINDOWS\system32\lxdwcoms.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=Li...hEvLsgcnuepXa7M

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6209829C-A2AA-4FD0-A7F6-3A2E0E59B60B} - c:\windows\system32\yhvglrc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sigmatelSysTrayApp] "stsystra.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [secureUpgrade] "C:\Program Files\Wave Systems Corp\SecureUpgrade.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe"

O4 - HKLM\..\Run: [lxdwamon] "C:\Program Files\Lexmark 7600 Series\lxdwamon.exe"

O4 - HKLM\..\Run: [KADxMain] "C:\WINDOWS\system32\KADxMain.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [igfxTray] "C:\WINDOWS\system32\igfxtray.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Document Manager] "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} (Pictometry Viewer Control) - http://www.brevardpropertyappraiser.com/pi...ImageCtrl30.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: fxrmgcrf - C:\WINDOWS\SYSTEM32\yhvglrc.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe

O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 12793 bytes

Link to post
Share on other sites

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • Click the Empty Selected button.
  • No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by double-clicking the desktop shortcut and choosing the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O20 - Winlogon Notify: fxrmgcrf - C:\WINDOWS\SYSTEM32\yhvglrc.dll

Close HJT.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Please perform a rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard, save it as ARKQ.txt and paste it in a reply back here
  • Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - then relaunch the ARK program, and click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:

  • It is very important that save the newly renamed EXE file to your desktop.
  • You must rename Combofixe.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    [*]For Internet Explorer:

    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

NOTE: It's especially important is that you disable your McAfee Antivirus as it is known to drastically interfere with Combofix.

Also, disable your firewall!

You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt and C:\Combofix.txt

Link to post
Share on other sites

  • 2 weeks later...
Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • Click the Empty Selected button.
  • No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by double-clicking the desktop shortcut and choosing the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O20 - Winlogon Notify: fxrmgcrf - C:\WINDOWS\SYSTEM32\yhvglrc.dll

Close HJT.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Please perform a rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard, save it as ARKQ.txt and paste it in a reply back here
  • Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - then relaunch the ARK program, and click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:

  • It is very important that save the newly renamed EXE file to your desktop.
  • You must rename Combofixe.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    [*]For Internet Explorer:

    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

NOTE: It's especially important is that you disable your McAfee Antivirus as it is known to drastically interfere with Combofix.

Also, disable your firewall!

You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt and C:\Combofix.txt

ARKQ.txt

combofixlog.txt

Link to post
Share on other sites

Sorry I didn't follow the instructions and post these sooner! I thought I'd get an email reading that someone had replied to my post. In either case, thanks for your help! Also, I tried disabling my McAfee Virus sw, but the Combofix program kept saying it was enabled. If I need to go thru the steps again, just let me know. Thanks again!

Link to post
Share on other sites

Please copy and paste your logs into a reply. Thank you!!!

GMER 1.0.15.15227 - http://www.gmer.net

Rootkit quick scan 2009-11-17 21:45:58

Windows 5.1.2600 Service Pack 2

Running: ARK.exe; Driver: C:\DOCUME~1\Z\LOCALS~1\Temp\pxtdypow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA75C087B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA75C07FB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA75C08A5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA75C080F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA75C083B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA75C08CF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA75C07E7]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA75C088F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA75C0825]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA75C0851]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA75C0867]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA75C08E5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA75C08B9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

ComboFix 09-11-18.04 - Z 11/17/2009 21:59.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1312 [GMT -5:00]

Running from: c:\documents and settings\Z\Desktop\fixit.exe

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-165822833-1632583300-1373009395-210718

c:\windows\AegisP.inf

c:\windows\system32\clauth1.dll

c:\windows\system32\clauth2.dll

c:\windows\system32\drivers\ghzdhhuw.sys

c:\windows\system32\drivers\wbxgazxw.sys

c:\windows\system32\dsshonaq.dll

c:\windows\system32\nsprs.dll

c:\windows\system32\sntbduf.dll

c:\windows\system32\ssprs.dll

c:\windows\system32\yhvglrc.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CYTYZDFR

-------\Legacy_GHZDHHUW

-------\Service_cytyzdfr

-------\Service_ghzdhhuw

((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))

.

2009-11-18 02:44 . 2009-11-18 02:44 291840 ----a-w- C:\ARK.exe

2009-11-18 02:32 . 2009-11-18 02:32 -------- d-----w- C:\rsit

2009-11-16 01:39 . 2009-11-18 02:15 -------- d-----w- c:\program files\Registry Easy

2009-11-08 17:43 . 2009-11-08 17:43 -------- d-----w- c:\program files\Trend Micro

2009-11-08 15:40 . 2009-11-08 15:40 -------- d-----w- c:\documents and settings\Z\Application Data\Malwarebytes

2009-11-08 15:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-08 15:40 . 2009-11-08 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-08 15:40 . 2009-11-08 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-08 15:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-08 15:28 . 2009-11-08 15:53 -------- d-----w- c:\documents and settings\Z\Local Settings\Application Data\jekeeo

2009-10-30 05:13 . 2009-10-30 05:13 174144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-10-19 16:30 . 2009-10-19 16:30 -------- d-----w- c:\program files\Citrix

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-13 11:04 . 2007-12-25 18:50 -------- d-----w- c:\documents and settings\Z\Application Data\Wave Systems Corp

2009-11-13 00:48 . 2008-08-17 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-10-22 12:48 . 2007-12-09 23:36 78360 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-07 00:02 . 2009-10-07 00:02 -------- d-----w- c:\documents and settings\Z\Application Data\Office Genuine Advantage

2009-10-06 23:02 . 2008-08-17 13:18 -------- d-----w- c:\program files\Microsoft Works

2009-09-21 19:24 . 2008-04-13 23:32 -------- d-----w- c:\program files\Hp

2009-09-12 16:32 . 2009-09-12 16:32 127872 ----a-w- c:\documents and settings\Z\Application Data\Move Networks\uninstall.exe

2009-09-12 16:32 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Z\Application Data\Move Networks\plugins\npqmp071503000010.dll

2009-09-11 14:03 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2004-08-11 23:00 17408 ------w- c:\windows\system32\corpol.dll

2009-08-26 08:16 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-17 111952]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]

"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]

"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-9 50688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\lxdwcoms.exe"=

"c:\\Program Files\\Lexmark 7600 Series\\lxdwamon.exe"=

"c:\\Program Files\\Lexmark 7600 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"11869:TCP"= 11869:TCP:@xpsp2res.dll,-22009

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]

R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]

R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [3/30/2009 5:38 PM 98984]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/29/2007 6:58 PM 24652]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GHZDHHUW

*Deregistered* - ghzdhhuw

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=LitdE1da95oshEvLsgcnuepXa7M

IE: E&xport to Microsoft Excel

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKCU-Run-Aim6 - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-17 22:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(2984)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Lexmark 7600 Series\lxdwMsdMon.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\Apoint\ApMsgFwd.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxdwcoms.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\StacSV.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msdtc.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2009-11-17 22:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-18 03:13

Pre-Run: 100,132,274,176 bytes free

Post-Run: 99,973,623,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FEC9928953C2063E4CDE7CA5B498F630

Link to post
Share on other sites

OK, now launch MBAM and update it.

Perform a quick scan and post back the scan log.

Because I thought not being able to turn off my McAfee Enterprise would interfere with the debugging, I retraced your steps from the second post and now my computer will not get past the "blue screen of death". In short, it states a problem is as follows:

"STOP: 0x000007B (0xBA4CB524, 0xc0000034, 0x00000000, 0x00000000)"

Has my restlessness totally screwed my computer? :)

Link to post
Share on other sites

Did you run Combofix a second time because your first Combofix log makes no mention of deleting pciide.sys driver?

That is an ide disk controller and if it was deleted it could definitely make your system unbootable.

Normally, Combofix will not delete any infected essential or system file without replacing it with a suitable and verified backup it locates elsewhere on your system, but this may have been a temporary glitch.

If you installed Recovery Console as directed during the Combofix run, then it will be quite easy to restore a backup from

c:\windows\system32\dllcache\pciide.sys

or

c:\i386\pciide.sys

Here are the directions for that

Link to post
Share on other sites

Did you run Combofix a second time because your first Combofix log makes no mention of deleting pciide.sys driver?

That is an ide disk controller and if it was deleted it could definitely make your system unbootable.

Normally, Combofix will not delete any infected essential or system file without replacing it with a suitable and verified backup it locates elsewhere on your system, but this may have been a temporary glitch.

If you installed Recovery Console as directed during the Combofix run, then it will be quite easy to restore a backup from

c:\windows\system32\dllcache\pciide.sys

or

c:\i386\pciide.sys

Here are the directions for that

Yes, I ran combofix a second time since I was retracing your steps after trying to disable McAfee better than the first time. I'll try your directions (I haven't looked at them yet). May take me until tonight to look though. Thanks for all of your help.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.