Please Help - ANTIVIRUS 2010 -

[MatthewRM]

Hello,

This is my first time using a forum to help get rid of something and I'm not even sure how I got it...

I have read tons of online instructions but I either don't have the processes running they say to end or I don't have the ability to use the software they tell me to run...

Right Now I am running Windows 7 and my symptoms are that ANTIVIRUS 2010 pops up and it has over the last day changed my desktop background to a system threat pic..., stopped me from running malwarebytes program. and AVG wont find anything either.

If anyone could walk me through a removal program for this I would be very appreciative.

MatthewRM

[kahdah]

Hello MatthewRM

Welcome to Malwarebytes.

=====================

• Download OTL to your desktop.
  
• Double click on OTL to run it.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Under the Standard Registry box change it to All.
  
• Under Custom scan's and fixes section paste in the below in bold
  

  
  

  netsvcs
  
  
  %SYSTEMDRIVE%\*.*
  
  
  %systemroot%\system32\*.dll /lockedfiles
  
  
  %systemroot%\Tasks\*.job /lockedfiles
  
  
  %systemroot%\system32\drivers\*.sys /90
  
  
  %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  
  

• Check the boxes beside LOP Check and Purity Check.
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
    

====================

Please download Rootkit Unhooker and save it to your desktop.

• Double-click RKUnhookerLE.exe to run it.
  
• Click the Report tab, then click Scan
  
• Check Drivers, Stealth Code, Files, and Code Hooks
  
• Uncheck the rest, then click OK
  
• When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  
• Wait till the scanner has finished then go File > Save Report
  
• Save the report somewhere you can find it, typically your desktop. Click Close
  
• Copy the entire contents of the report and paste it in your next reply.
  

Note - You may get this warning it is ok, just ignore it."Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

[MatthewRM]

I followed the instructions exactly.

Both programs started up fine .... started then scan and then closed themselves, without finishing the tasks.

[kahdah]

Ok please try to rename them to kahdah or to the word something then try to run them.

If they do not work then try the following:

Please download DDS and save it to your desktop.

• Double click dds.scr to run the tool.
  
• When done, DDS.txt will open as well as attach.txt.
  
• Save both reports to your desktop.
  

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

attach.txt

============

If the above does not work then please do the following:

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

• Save it to the desktop.
  
• Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  
• You will receive a prompt:
  
  • Do you want to skip supplementary searches?
    click NO
    

  [*]If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.

  [*]You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)

  [*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[MatthewRM]

As requested here are the contents of the 2 Files ...

Just let me know what to do next ...

First the Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows 7 Enterprise

Boot Device: \Device\HarddiskVolume1

Install Date: 1/18/2010 3:42:04 PM

System Uptime: 10/15/2010 3:48:42 PM (5 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K Premium

Processor: Intel® Core2 Duo CPU E8400 @ 3.00GHz | LGA775 | 2997/333mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 186 GiB total, 44.55 GiB free.

D: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: 223 U HS-SM

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-SM&REV_3.60#000223223223&2#

Manufacturer: SMSC

Name: H:\

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-SM&REV_3.60#000223223223&2#

Service: WUDFRd

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}

Description: Standard PS/2 Keyboard

Device ID: ACPI\PNP0303\4&23F9C1E3&0

Manufacturer: (Standard keyboards)

Name: Standard PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&23F9C1E3&0

Service: i8042prt

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: 223 U HS-CF

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-CF&REV_3.60#000223223223&0#

Manufacturer: SMSC

Name: F:\

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-CF&REV_3.60#000223223223&0#

Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: 223 U HS-MS

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-MS&REV_3.60#000223223223&1#

Manufacturer: SMSC

Name: G:\

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-MS&REV_3.60#000223223223&1#

Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: 223 U HS-SD/MMC

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-SD#MMC&REV_3.60#000223223223&3#

Manufacturer: SMSC

Name: I:\

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMSC&PROD_223_U_HS-SD#MMC&REV_3.60#000223223223&3#

Service: WUDFRd

==== System Restore Points ===================

RP228: 10/15/2010 1:16:27 PM - Installed SpellForce 2 - Shadow Wars

RP229: 10/15/2010 1:32:28 PM - Removed AVG Free 9.0

RP230: 10/15/2010 1:33:48 PM - Installed AVG Free 9.0

RP231: 10/15/2010 2:14:00 PM - Removed SpellForce 2 - Shadow Wars

RP232: 10/15/2010 2:15:17 PM - Installed SpellForce 2 - Shadow Wars

RP233: 10/15/2010 4:11:43 PM - Removed SpellForce 2 - Shadow Wars

RP234: 10/15/2010 4:12:57 PM - Removed Sacred 2 Demo.

==== Installed Programs ======================

Acrobat.com

Adobe AIR

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.0

Anki

Apple Application Support

Apple Mobile Device Support

Apple Software Update

BitTorrent

Bonjour

Command & Conquer 3

Company of Heroes

Company of Heroes - FAKEMSI

DivX Setup

Download Manager 2.3.10

Dungeon Siege 2

ffdshow [rev 1723] [2007-12-24]

GameSpy Arcade

GIMP 2.6.10

iTunes

Java 6 Update 20

Junk Mail filter update

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Mount&Blade Warband

Mozilla Firefox (3.6.10)

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML4 Parser

NVIDIA Display Control Panel

NVIDIA Drivers

NVIDIA PhysX

OpenOffice.org 3.2

Pando Media Booster

PerformanceTest v7.0

PVSonyDll

QuickTime

R.U.S.E

Rise of Nations

Rosetta Stone Version 3

Sacred 2: Fallen Angel

Sid Meier's Civilization V

Silverfall

Silverfall: Earth Awakening

Skype

[kahdah]

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt
  

[MatthewRM]

I downloaded combofix, changed the name as i saved it as you said. I ran it and it gave me an error... and a windowed screen labeled admin ... the only option was to click ok. I clicked okay and my computer restarted.

[kahdah]

Hmm ok do you know what it said?

[MatthewRM]

Yeah a box came up and it said error. thats all. and it had an ok box that was my only option to click.

I sent you a message if you care to read it .... in your inbox...

[kahdah]

I saw it but I do not want to use skype, forum help is fine.

Please reboot into Safe mode and try it once more if it will not work then just let me know and we can move on to something else.

[MatthewRM]

It says ...

Please wait.

Combo fix is preparing to run.

Access is denied.

then it just sits there...

[kahdah]

Ok are you running under the administrator account?

Do you have a vista cd or alternatively if the system restarts abruptly do you get a repair your computer option?

[MatthewRM]

I only have 1 user installed .. myself and i have admin rights.

No I am not getting thoes options on the restart .. it goes to the blue screen and restarts. All this started today or late last night when i got this stuff ....

[MatthewRM]

And .. buy "this stuff" I mean the antivirus 2011 ... however it got on my system ...

[MatthewRM]

I'm to bed for the night .. I'll check back first thing in the morning for the next instructions ... Heh i might just be able to clean this up .. unless i'm screwed ...

[MatthewRM]

Okay ... I'm ready to start again if you are !

[kahdah]

I need a bit more info to get going.

Do you have access to a Win 7 disk?

1. Please download mbrcheck from Here
   
2. Save that file to your desktop and double click on it to run it.
   
3. It will show a Black screen with some data on it then hit any key to continue.
   
4. Once it finishes there will be a log produced on your desktop that is labeled mbrcheck*.txt (where the * is date)
   
5. Please post the contents of that log in your next reply.
   

[MatthewRM]

Here is the log file it made.

No I don't have a Windows 7 Disk, its with my wife, though I might be able to get it, not sure though ...

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Enterprise Edition

Windows Information: (build 7600), 32-bit

Base Board Manufacturer: ASUSTeK Computer INC.

BIOS Manufacturer: American Megatrends Inc.

System Manufacturer: System manufacturer

System Product Name: P5K Premium

Logical Drives Mask: 0x000001ed

Kernel Drivers (total 158):

0x82E37000 \SystemRoot\system32\ntkrnlpa.exe

0x82E00000 \SystemRoot\system32\halmacpi.dll

0x86D18000 \SystemRoot\system32\kdcom.dll

0x8343A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x834B2000 \SystemRoot\system32\PSHED.dll

0x834C3000 \SystemRoot\system32\BOOTVID.dll

0x834CB000 \SystemRoot\system32\CLFS.SYS

0x8350D000 \SystemRoot\system32\CI.dll

0x83605000 \SystemRoot\system32\drivers\Wdf01000.sys

0x83676000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x83684000 \SystemRoot\system32\DRIVERS\ACPI.sys

0x836CC000 \SystemRoot\system32\DRIVERS\WMILIB.SYS

0x836D5000 \SystemRoot\system32\drivers\fltmgr.sys

0x83709000 \SystemRoot\system32\DRIVERS\msisadrv.sys

0x83711000 \SystemRoot\system32\DRIVERS\vdrvroot.sys

0x8371C000 \SystemRoot\system32\DRIVERS\pci.sys

0x83746000 \SystemRoot\System32\drivers\partmgr.sys

0x8BE36000 \SystemRoot\System32\Drivers\rbytvzmp.sys

0x8BF0A000 \SystemRoot\system32\DRIVERS\volmgr.sys

0x8BF1A000 \SystemRoot\System32\drivers\volmgrx.sys

0x8BF65000 \SystemRoot\system32\DRIVERS\pciide.sys

0x8BF6C000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS

0x8BF7A000 \SystemRoot\System32\drivers\mountmgr.sys

0x8BF90000 \SystemRoot\system32\DRIVERS\atapi.sys

0x8BF99000 \SystemRoot\system32\DRIVERS\ataport.SYS

0x8BFBC000 \SystemRoot\system32\DRIVERS\amdxata.sys

0x8BFC5000 \SystemRoot\system32\drivers\fileinfo.sys

0x83757000 \SystemRoot\system32\drivers\PCTCore.sys

0x83794000 \SystemRoot\system32\drivers\pctDS.sys

0x8C004000 \SystemRoot\system32\drivers\pctEFA.sys

0x8C0A9000 \SystemRoot\System32\Drivers\Ntfs.sys

0x8BE00000 \SystemRoot\System32\Drivers\msrpc.sys

0x8C1D8000 \SystemRoot\System32\Drivers\ksecdd.sys

0x8C230000 \SystemRoot\System32\Drivers\cng.sys

0x8C28D000 \SystemRoot\System32\drivers\pcw.sys

0x8C29B000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x8C2A4000 \SystemRoot\system32\drivers\ndis.sys

0x8C35B000 \SystemRoot\system32\drivers\NETIO.SYS

0x8C399000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x8C424000 \SystemRoot\System32\drivers\tcpip.sys

0x8C56D000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x8C59E000 \SystemRoot\system32\DRIVERS\vmstorfl.sys

0x8C5A7000 \SystemRoot\system32\DRIVERS\volsnap.sys

0x8C5E6000 \SystemRoot\System32\Drivers\spldr.sys

0x8C3BE000 \SystemRoot\System32\drivers\rdyboost.sys

0x8C5EE000 \SystemRoot\System32\Drivers\mup.sys

0x8C400000 \SystemRoot\System32\drivers\hwpolicy.sys

0x835B8000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x8C408000 \SystemRoot\system32\DRIVERS\disk.sys

0x8C200000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x8BFD6000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x8C3F8000 \SystemRoot\System32\Drivers\Null.SYS

0x8BFF5000 \SystemRoot\System32\Drivers\Beep.SYS

0x837EB000 \SystemRoot\System32\drivers\vga.sys

0x83400000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x83421000 \SystemRoot\System32\drivers\watchdog.sys

0x8BE2B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x837F7000 \SystemRoot\system32\drivers\rdpencdd.sys

0x8342E000 \SystemRoot\system32\drivers\rdprefmp.sys

0x835EA000 \SystemRoot\System32\Drivers\Msfs.SYS

0x90218000 \SystemRoot\System32\Drivers\Npfs.SYS

0x90226000 \SystemRoot\system32\DRIVERS\tdx.sys

0x9023D000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x90248000 \SystemRoot\System32\DRIVERS\netbt.sys

0x9027A000 \SystemRoot\system32\drivers\afd.sys

0x902D4000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x902DB000 \SystemRoot\system32\DRIVERS\pacer.sys

0x902FA000 \SystemRoot\system32\DRIVERS\netbios.sys

0x90308000 \SystemRoot\system32\DRIVERS\serial.sys

0x90322000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x90335000 \SystemRoot\system32\DRIVERS\termdd.sys

0x90345000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x90386000 \SystemRoot\system32\drivers\nsiproxy.sys

0x90390000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x9039A000 \SystemRoot\System32\drivers\discache.sys

0x93204000 \SystemRoot\system32\drivers\csc.sys

0x93268000 \SystemRoot\System32\Drivers\dfsc.sys

0x93280000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x9328E000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x932AF000 \SystemRoot\System32\Drivers\vbmaf29c.SYS

0x932B4000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x98620000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x9909E000 \SystemRoot\system32\DRIVERS\nvBridge.kmd

0x990A0000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x99157000 \SystemRoot\System32\drivers\dxgmms1.sys

0x99190000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x991AF000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x932C6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x991BA000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x991C9000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

0x93311000 \SystemRoot\system32\DRIVERS\yk62x86.sys

0x991CF000 \SystemRoot\system32\DRIVERS\1394ohci.sys

0x93361000 \SystemRoot\system32\DRIVERS\Rt86win7.sys

0x98600000 \SystemRoot\system32\DRIVERS\fdc.sys

0x9860B000 \SystemRoot\system32\DRIVERS\ASACPI.sys

0x9860D000 \SystemRoot\system32\DRIVERS\serenum.sys

0x9339E000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x933AB000 \SystemRoot\system32\DRIVERS\CompositeBus.sys

0x933B8000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x933CA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x933E2000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x903A6000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x903C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x903E0000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x90200000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x933ED000 \SystemRoot\system32\DRIVERS\rdpbus.sys

0x93C35000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x93C42000 \SystemRoot\system32\DRIVERS\swenum.sys

0x93C44000 \SystemRoot\system32\DRIVERS\ks.sys

0x93C78000 \SystemRoot\system32\DRIVERS\umbus.sys

0x93C86000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x93CCA000 \SystemRoot\system32\DRIVERS\flpydisk.sys

0x93CD4000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x93CE5000 \SystemRoot\system32\drivers\HdAudio.sys

0x93D35000 \SystemRoot\system32\drivers\portcls.sys

0x93D64000 \SystemRoot\system32\drivers\drmk.sys

0x93D7D000 \SystemRoot\System32\Drivers\crashdmp.sys

0x93D8A000 \SystemRoot\System32\Drivers\dump_dumpata.sys

0x93D95000 \SystemRoot\System32\Drivers\dump_atapi.sys

0x93D9E000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x94620000 \SystemRoot\system32\DRIVERS\RTL8187.sys

0x95600000 \SystemRoot\System32\win32k.sys

0x9467B000 \SystemRoot\System32\drivers\Dxapi.sys

0x94685000 \SystemRoot\system32\DRIVERS\monitor.sys

0x94690000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x9469B000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x946AE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x946B5000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x946B7000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x946C2000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x946D9000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x95860000 \SystemRoot\System32\TSDDD.dll

0x946E5000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0x946FC000 \SystemRoot\system32\drivers\luafv.sys

0x94717000 \SystemRoot\system32\drivers\WudfPf.sys

0x94731000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x94741000 \SystemRoot\system32\DRIVERS\nwifi.sys

0x94787000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x94797000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x9B228000 \SystemRoot\system32\drivers\HTTP.sys

0x9B2AD000 \SystemRoot\system32\DRIVERS\bowser.sys

0x9B2C6000 \SystemRoot\System32\drivers\mpsdrv.sys

0x9B2D8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x9B2FB000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x9B336000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x9B392000 \SystemRoot\system32\DRIVERS\lirsgt.sys

0x9BC17000 \SystemRoot\system32\drivers\peauth.sys

0x9BCAE000 \SystemRoot\System32\Drivers\secdrv.SYS

0x9BCB8000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x9BCD9000 \SystemRoot\System32\drivers\tcpipreg.sys

0x9BCE6000 \SystemRoot\System32\DRIVERS\srv2.sys

0x9BD35000 \SystemRoot\System32\DRIVERS\srv.sys

0x9BDF0000 \SystemRoot\system32\DRIVERS\asyncmac.sys

0x95910000 \SystemRoot\System32\cdd.dll

0x77D30000 \Windows\System32\ntdll.dll

0x48510000 \Windows\System32\smss.exe

0x77F70000 \Windows\System32\apisetschema.dll

0x00F20000 \Windows\System32\autochk.exe

Processes (total 93):

0 System Idle Process

4 System

288 C:\Windows\System32\smss.exe

364 csrss.exe

416 C:\Windows\System32\wininit.exe

436 csrss.exe

492 C:\Windows\System32\services.exe

516 C:\Windows\System32\lsass.exe

524 C:\Windows\System32\lsm.exe

684 C:\Windows\System32\svchost.exe

752 C:\Windows\System32\nvvsvc.exe

792 C:\Windows\System32\svchost.exe

852 C:\Windows\System32\svchost.exe

932 C:\Windows\System32\svchost.exe

1156 C:\Windows\System32\svchost.exe

1352 C:\Windows\System32\svchost.exe

1496 C:\Windows\System32\spoolsv.exe

1540 C:\Windows\System32\svchost.exe

1652 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

1684 C:\Program Files\Bonjour\mDNSResponder.exe

1776 C:\Windows\System32\svchost.exe

1816 C:\Windows\System32\lxdncoms.exe

316 C:\Users\Ryan Milne\AppData\Local\TVersity\Media Server\MediaServer.exe

808 \Device\svchost.exe

2680 C:\Windows\System32\svchost.exe

2920 C:\Windows\System32\svchost.exe

2932 C:\Windows\System32\svchost.exe

2636 C:\Program Files\Windows Media Player\wmpnetwk.exe

4284 C:\Windows\System32\svchost.exe

5104 C:\Windows\System32\svchost.exe

4828 iexplore.exe

4808 C:\Program Files\Internet Explorer\iexplore.exe

2180 C:\Windows\System32\audiodg.exe

5488 C:\Windows\System32\svchost.exe

896 C:\Program Files\Internet Explorer\iexplore.exe

5408 C:\Program Files\Internet Explorer\iexplore.exe

5384 C:\Program Files\Internet Explorer\iexplore.exe

1996 C:\Windows\System32\taskeng.exe

368 C:\Windows\Temp\Vlr.exe

4972 C:\Windows\Temp\Vls.exe

3716 csrss.exe

2900 C:\Windows\System32\winlogon.exe

5484 C:\Windows\System32\nvvsvc.exe

2492 C:\Windows\System32\taskhost.exe

2140 C:\Windows\System32\dwm.exe

3444 C:\Windows\explorer.exe

5084 C:\Program Files\DivX\DivX Update\DivXUpdate.exe

4040 C:\Windows\System32\rundll32.exe

724 C:\Windows\avp.exe

4580 C:\Windows\services.exe

5640 C:\Windows\win16.exe

4964 C:\Windows\smss.exe

5032 C:\Windows\user.exe

3156 C:\Windows\wininst.exe

5896 C:\Program Files\Steam\Steam.exe

5008 C:\Program Files\Windows Sidebar\sidebar.exe

4376 C:\Program Files\Skype\Phone\Skype.exe

3252 C:\Windows\avp.exe

2856 C:\Windows\user.exe

3576 C:\Windows\wininst.exe

5768 C:\Windows\smss.exe

4000 C:\Windows\services.exe

2528 C:\Windows\win16.exe

2948 C:\Windows\System32\rundll32.exe

2988 C:\Users\Ryan Milne\AppData\Local\Temp\drweb.exe

2992 C:\Users\Ryan Milne\AppData\Local\Temp\gdi32.exe

5684 C:\Users\Ryan Milne\AppData\Local\Temp\winlogon.exe

3240 C:\Users\Ryan Milne\AppData\Local\Temp\services.exe

2736 C:\Users\Ryan Milne\AppData\Local\Temp\taskmgr.exe

5672 C:\Users\Ryan Milne\AppData\Local\Temp\iexplarer.exe

3976 C:\Users\Ryan Milne\AppData\Local\Temp\sysedit.exe

1972 C:\Users\Ryan Milne\AppData\Local\Temp\user.exe

1940 C:\Users\Ryan Milne\AppData\Local\Temp\drweb.exe

3972 C:\Users\Ryan Milne\AppData\Local\Temp\sysedit.exe

5876 C:\Users\Ryan Milne\AppData\Local\Temp\iexplarer.exe

2216 C:\Users\Ryan Milne\AppData\Local\Temp\taskmgr.exe

728 C:\Users\Ryan Milne\AppData\Local\Temp\gdi32.exe

4052 C:\Users\Ryan Milne\AppData\Local\Temp\services.exe

3924 C:\Users\Ryan Milne\AppData\Local\Temp\winlogon.exe

3968 C:\Users\Ryan Milne\AppData\Local\Temp\user.exe

3068 C:\Users\RYANMI~1\AppData\Local\Temp\lsass.exe

2828 C:\Users\RYANMI~1\AppData\Local\Temp\win.exe

1092 C:\Users\RYANMI~1\AppData\Local\Temp\nvsvc32.exe

2808 C:\Users\RYANMI~1\AppData\Local\Temp\wininst.exe

5196 C:\Program Files\Skype\Plugin Manager\skypePM.exe

3152 C:\Program Files\Common Files\Steam\SteamService.exe

5116 C:\Program Files\Internet Explorer\iexplore.exe

2144 C:\Program Files\Internet Explorer\iexplore.exe

3516 C:\Windows\System32\Macromed\Flash\FlashUtil10k_ActiveX.exe

6124 C:\Program Files\Internet Explorer\iexplore.exe

3880 C:\Users\Ryan Milne\Desktop\MBRCheck.exe

4084 C:\Windows\System32\conhost.exe

6112 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2000JD-22HBC0, Rev: 08.02D08

Size Device Name MBR Status

--------------------------------------------

186 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Done!

[kahdah]

@iloveamylee this is someone else's thread please start your own if you want help.

Don't post anymore in this thread.

Thank you for understanding.

==================

@MatthewRM let's get started.

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
  
• Follow the prompts and extract the avenger folder to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\Users\Ryan Milne\AppData\Local\Temp
c:\Program Files\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010

Files to delete:
C:\Windows\avp.exe
C:\Windows\services.exe
C:\Windows\win16.exe
C:\Windows\smss.exe
C:\Windows\user.exe
C:\Windows\wininst.exe
c:\windows\system32\config\systemprofile\appdata\local\KBDBDapd.dll
c:\Documents and Settings\All Users\Application Data\.wtav
c:\WINDOWS\system32\mswmqnei.dll
c:\WINDOWS\system32\drivers\vbma22b4.sys
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk

Drivers to delete:
DFBCFDBA
userinit

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
  
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  
• Click on Execute
  
• Answer "Yes" twice when prompted.
  

4. The Avenger will automatically do the following:

[*]It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)

[*]On reboot, it will briefly open a black command window on your desktop, this is normal.

[*]After the restart, it creates a log file that should open with the results of Avenger

[MatthewRM]

I did as you asked ....

On a side not .. my computer (desktop) can no longer go to this site. So i had to set up a laptop to read the post. Sorry it took so long.

Here is the txt it made:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Folder "C:\Users\Ryan Milne\AppData\Local\Temp" deleted successfully.

Error: folder "c:\Program Files\AV2010" not found!

Deletion of folder "c:\Program Files\AV2010" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open folder "c:\Documents and Settings\All Users\Start Menu\Programs\AV2010"

Deletion of folder "c:\Documents and Settings\All Users\Start Menu\Programs\AV2010" failed!

Status: 0xc0000715

File "C:\Windows\avp.exe" deleted successfully.

File "C:\Windows\services.exe" deleted successfully.

File "C:\Windows\win16.exe" deleted successfully.

File "C:\Windows\smss.exe" deleted successfully.

File "C:\Windows\user.exe" deleted successfully.

File "C:\Windows\wininst.exe" deleted successfully.

Error: file "c:\windows\system32\config\systemprofile\appdata\local\KBDBDapd.dll" not found!

Deletion of file "c:\windows\system32\config\systemprofile\appdata\local\KBDBDapd.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "c:\Documents and Settings\All Users\Application Data\.wtav"

Deletion of file "c:\Documents and Settings\All Users\Application Data\.wtav" failed!

Status: 0xc0000715

Error: file "c:\WINDOWS\system32\mswmqnei.dll" not found!

Deletion of file "c:\WINDOWS\system32\mswmqnei.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\WINDOWS\system32\drivers\vbma22b4.sys" not found!

Deletion of file "c:\WINDOWS\system32\drivers\vbma22b4.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\WINDOWS\system32\IEDefender.dll" not found!

Deletion of file "c:\WINDOWS\system32\IEDefender.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\WINDOWS\system32\wingamma.exe" not found!

Deletion of file "c:\WINDOWS\system32\wingamma.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "c:\Documents and Settings\All Users\Desktop\AV2010.lnk"

Deletion of file "c:\Documents and Settings\All Users\Desktop\AV2010.lnk" failed!

Status: 0xc0000715

Driver "DFBCFDBA" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\userinit" not found!

Deletion of driver "userinit" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

[kahdah]

No worries please proceed with Combofix and see if it will run.

Let it update if asked (if possible)

[MatthewRM]

It got a little farther than last time but .... this is what it said this time:

Please wait

Combofix is preparing to run.

Attempting to creat a new restore point.

Access is denied.

[kahdah]

Hmm ok try to do it this way.

go to the Win7 start orb and then type in run, then click on run to open it.

In that box type in the following "%userprofile%\desktop\kahdah.exe" /killall then hit ok.

See then if it completes.

[MatthewRM]

When I type that in the run window it writes Access denied 5 times in the combofix application window ... like this

Access Denied

Access Denied

Access Denied

Access Denied

Access Denied

and a windows box pops up that says

"Windows cannot find C:\Users\Ryan'. Make sure you typed the name correctly, and then try again."

[MatthewRM]

Then ComboFix says ...

Scanning for infected files. . .

This typically doesn't take more than a few minutes

However scan times for badly infected machines may easily double

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

At this point nothing else happens...