
A few weeks ago I was infected with the fake windows security virus. I can't seem to get the problem fixed. Any help would be greatly appreciated.

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Jason Clark at 19:10:47.92 on Sat 05/07/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.437 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\Program Files\Carbonite\CarbonitePreinstaller.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\WebCam\M3000\M3000Mnt.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\igfxext.exe

svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Jason Clark\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0610&m=aspire_one

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\jasonc~1\applic~1\mozilla\firefox\profiles\kr955o2y.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=

FF - component: c:\documents and settings\jason clark\application data\mozilla\firefox\profiles\kr955o2y.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\jason clark\application data\mozilla\firefox\profiles\kr955o2y.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll

FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll

FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-27 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-27 307288]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-27 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-27 42184]

R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-17 363344]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-3-12 237568]

R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-12-2 483688]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-3 38912]

R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-3-30 145408]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-17 20952]

R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 554344]

R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 211304]

R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]

R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]

R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-12-2 209768]

S1 MpKsl75f5dfac;MpKsl75f5dfac;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c229d948-7d26-4497-8f92-3d1743360e3e}\mpksl75f5dfac.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c229d948-7d26-4497-8f92-3d1743360e3e}\MpKsl75f5dfac.sys [?]

S1 MpKslf4315c7b;MpKslf4315c7b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3abbaf2a-14d9-4bc8-95cf-60197dad2ea4}\mpkslf4315c7b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3abbaf2a-14d9-4bc8-95cf-60197dad2ea4}\MpKslf4315c7b.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-12 1684736]

S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-3-12 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

.

=============== Created Last 30 ================

.

2011-04-27 20:49:56 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-04-27 20:49:41 40112 ----a-w- c:\windows\avastSS.scr

2011-04-27 20:49:27 -------- d-----w- c:\program files\AVAST Software

2011-04-27 20:49:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-04-27 20:22:26 13994 ----a-w- C:\FixitRegBackup.reg

2011-04-27 19:42:13 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-04-27 19:42:13 -------- d-----w- c:\windows\system32\wbem\Repository

2011-04-27 04:27:01 -------- d-----w- c:\program files\McAfee Online Backup

2011-04-27 04:24:30 -------- d-----w- c:\program files\common files\Mcafee

2011-04-27 04:24:23 -------- d-----w- c:\program files\McAfee.com

2011-04-27 04:23:54 -------- d-----w- c:\program files\McAfee

2011-04-22 22:47:49 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{821d7602-f3f1-48b8-a092-2d53e97c2e47}\mpengine.dll

2011-04-22 15:01:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\VirtualizedApplications

2011-04-22 01:52:49 -------- d-----w- c:\docume~1\jasonc~1\applic~1\TP

2011-04-22 01:40:39 -------- d-----w- c:\docume~1\jasonc~1\locals~1\applic~1\PCHealth

2011-04-22 00:42:26 -------- d-----w- c:\windows\ServicePackFiles

2011-04-20 01:21:08 -------- d-sh--w- c:\documents and settings\jason clark\IECompatCache

2011-04-18 02:38:04 -------- d-----w- C:\users

2011-04-18 02:38:04 -------- d-----w- c:\program files\Kidspiration 3

2011-04-18 02:38:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Acer GameZone Console

2011-04-18 01:31:23 -------- d-sha-r- C:\cmdcons

2011-04-17 17:18:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-17 17:18:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-17 15:43:27 -------- d-sh--w- c:\documents and settings\jason clark\PrivacIE

2011-04-17 15:37:12 -------- d-sh--w- c:\documents and settings\jason clark\IETldCache

2011-04-17 15:29:06 -------- dc-h--w- c:\windows\ie8

2011-04-17 04:29:44 -------- d-----w- c:\docume~1\jasonc~1\applic~1\Malwarebytes

2011-04-17 04:29:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-17 04:28:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2011-04-04 02:53:03 256 ----a-w- c:\windows\system32\pool.bin

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll

.

============= FINISH: 19:15:24.50 ===============

ark.zip


Logs will be closed if you haven't replied within 3 days

Sorry about the delay in responding

We look for posts with 0 replies, so when you posted to your own log, we assumed you were being helped.

Looks like you're running 2 anti-virus programs.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also, because multiple Antivirus and Firewall products installed together are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Please do not delete anything unless instructed to.

1. Click Start > Settings > Control Panel.

2. Next, open Add/Remove Programs and remove either:

Microsoft Security Essentials

avast!

Reboot and let me know how it's running
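The helper's point about two anti-virus products can be read straight off the `AV:` lines near the top of the DDS log in the first post. The following is an added example, not part of this thread and not code from DDS: a small Python triage script that parses those lines (the two from the log above are embedded as the sample input) and reports multiple registrations of the same product kind and any product that is registered but disabled or outdated, which is the "kinda there, kinda not" state a broken uninstall leaves behind. The `FW:`/`SP:` prefixes and the exact line layout are assumed from the general DDS format.

```python
"""Triage the security-product summary lines of a DDS log.

Added example for this thread; not part of DDS or of any post above.
It only looks at the 'AV:' / 'FW:' / 'SP:' lines (the FW/SP prefixes are
an assumption about the general DDS format; the page shows only AV lines).
"""
import re
from collections import Counter

# Constructed sample input: the two AV lines copied from the DDS log above.
SAMPLE_DDS = """\
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
"""

# kind (AV/FW/SP), product name, real-time state, signature state, product GUID
PRODUCT_LINE = re.compile(
    r"^(?P<kind>AV|FW|SP):\s+(?P<name>.+?)\s+"
    r"\*(?P<state>Enabled|Disabled)/(?P<sigs>Updated|Outdated)\*\s+"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\s*$"
)


def parse_products(log_text):
    """Return one dict per product line; every other line is ignored."""
    products = []
    for line in log_text.splitlines():
        m = PRODUCT_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["enabled"] = d.pop("state") == "Enabled"
            d["updated"] = d.pop("sigs") == "Updated"
            products.append(d)
    return products


def assess(products):
    """Turn the product list into the findings a helper would act on."""
    findings = []
    # More than one product of a kind (two AVs, two firewalls) is the
    # conflict the helper warns about: both hook the same file accesses.
    by_kind = Counter(p["kind"] for p in products)
    for kind, count in by_kind.items():
        if count > 1:
            findings.append(f"{count} {kind} products registered; only one should be installed")
    # A product that is registered but disabled/outdated is not protecting
    # anything; it usually means a half-removed install still registered
    # with Windows Security Center.
    for p in products:
        if not p["enabled"] or not p["updated"]:
            state = ("enabled" if p["enabled"] else "disabled") + "/" + (
                "updated" if p["updated"] else "outdated")
            findings.append(
                f"{p['kind']} {p['name']!r} is {state}: stale registration or broken install")
    # Two AVs with real-time protection both on is the lock-up scenario.
    enabled = [p["name"] for p in products if p["kind"] == "AV" and p["enabled"]]
    if len(enabled) > 1:
        findings.append("more than one AV has real-time protection on: " + ", ".join(enabled))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_products(SAMPLE_DDS)):
        print("-", finding)
```

Run against the sample it reports two AV registrations and flags Microsoft Security Essentials as disabled/outdated, which matches what the poster describes two replies later: the product no longer appears in Add/Remove Programs but is still registered with the system.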


I had uninstalled the Microsoft Security Essentials to install a different virus protection a few weeks ago and the computer went blue. I was able to get it back on and backdated to an earlier date; however, it made the Microsoft Security Essentials go into a limbo. Kinda there, kinda not. I am not able to uninstall from Control Panel because it doesn't show up.

Sorry about the multiple posts, I thought constantly bringing it to page one would help. Thanks


Please do not attach the scan results from Combofix. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Starting the instructions, but wanted to let you know 2 things. The error message I'm getting from avast is "a suspicious hidden object (rootkit) has been detected on your system" MBR://Physical Drive. Also, I have noticed that a hard drive disk Q is showing up when I run Malwarebytes.

I brought the laptop to work so I will get started on the instructions.

Thanks


I haven't tried running from the thumb drive. I moved it from the thumb drive to the desktop and then tried to run it. The green bar loads all the way and then I get the error. I can attempt to run from the thumb drive if that's better than nothing? Not sure, I've never had a problem with it before?


Same error message? I have tried to connect the computer to a network cable (I have before) and it will not detect the cable. I thought I may be able to download it straight to the desktop from the website. Would safe mode make any difference? My mouse pad doesn't work in safe mode but the buttons do.


I think you have a RootKit that is stopping combofix from running.

You can download this to your thumb drive and copy it over to the laptop.

Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click "Save log", save it to your desktop and post it in your next reply.



aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software

Run date: 2011-05-11 12:42:36

-----------------------------

12:42:36.390 OS Version: Windows 5.1.2600 Service Pack 3

12:42:36.390 Number of processors: 2 586 0x1C02

12:42:36.390 ComputerName: JASON UserName:

12:42:37.140 Initialize success

12:42:45.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

12:42:45.453 Disk 0 Vendor: Hitachi_ FB2O Size: 152627MB BusType: 3

12:42:45.468 Disk 0 MBR read successfully

12:42:45.484 Disk 0 MBR scan

12:42:45.484 Disk 0 TDL4@MBR code has been found

12:42:45.500 Disk 0 MBR hidden

12:42:45.500 Disk 0 MBR [TDL4] **ROOTKIT**

12:42:45.515 Disk 0 trace - called modules:

12:42:45.531 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86f334e7]<<

12:42:45.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4b030]

12:42:45.562 3 CLASSPNP.SYS[f757dfd7] -> nt!IofCallDriver -> \Device\00000070[0x86f64910]

12:42:45.578 5 ACPI.sys[f74f4620] -> nt!IofCallDriver -> [0x86f74030]

12:42:45.593 \Driver\iaStor[0x86f72ae8] -> IRP_MJ_CREATE -> 0x86f334e7

12:42:45.609 Scan finished successfully

12:43:26.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jason Clark\Desktop\MBR.dat"

12:43:26.765 The log file has been saved successfully to "C:\Documents and Settings\Jason Clark\Desktop\aswMBR.txt"


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software

Run date: 2011-05-11 13:07:23

-----------------------------

13:07:23.875 OS Version: Windows 5.1.2600 Service Pack 3

13:07:23.875 Number of processors: 2 586 0x1C02

13:07:23.875 ComputerName: JASON UserName:

13:07:24.546 Initialize success

13:07:28.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

13:07:28.828 Disk 0 Vendor: Hitachi_ FB2O Size: 152627MB BusType: 3

13:07:28.828 Disk 0 MBR read successfully

13:07:28.843 Disk 0 MBR scan

13:07:28.843 Disk 0 TDL4@MBR code has been found

13:07:28.859 Disk 0 MBR hidden

13:07:28.859 Disk 0 MBR [TDL4] **ROOTKIT**

13:07:28.875 Disk 0 trace - called modules:

13:07:28.890 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86f334e7]<<

13:07:28.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4b030]

13:07:28.921 3 CLASSPNP.SYS[f757dfd7] -> nt!IofCallDriver -> \Device\00000070[0x86f64910]

13:07:28.937 5 ACPI.sys[f74f4620] -> nt!IofCallDriver -> [0x86f74030]

13:07:28.953 \Driver\iaStor[0x86f72ae8] -> IRP_MJ_CREATE -> 0x86f334e7

13:07:28.953 Scan finished successfully

13:07:41.984 Disk 0 fixing MBR ...

13:07:52.015 Disk 0 MBR restored successfully

13:07:52.031 Verifying disinfection

13:08:02.109 Infection fixed successfully - please reboot ASAP

13:09:47.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jason Clark\Desktop\MBR.dat"

13:09:47.250 The log file has been saved successfully to "C:\Documents and Settings\Jason Clark\Desktop\aswMBR2.txt"

Do you want me to reboot?
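As an added example (not part of the thread, and not code from AVAST or aswMBR), here is a Python parser that reads an aswMBR log of the kind posted above and reduces it to the facts a helper checks before replying: which disk carries a named MBR rootkit, whether the real MBR is hidden from normal reads, whether the disk I/O trace ends in an address that belongs to no loaded module (the hook the bootkit plants in the storage driver's dispatch path), and whether the tool has already rewritten the MBR and wants a reboot. The sample input is the relevant lines of the second run above; it is assumed that other aswMBR versions print the same line layout.

```python
"""Summarise an aswMBR log. Added example, not AVAST's code.

Assumes the line layout shown in the thread: a timestamp, then either
'Disk N ...' status lines or trace lines. Lines without a 'Disk N' prefix
(the call trace, 'Infection fixed ... please reboot') are attributed to the
disk most recently named, which is how aswMBR groups its output.
"""
import re

# Constructed sample: the relevant lines of the second aswMBR run above.
SAMPLE_ASWMBR = r"""13:07:28.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
13:07:28.828 Disk 0 MBR read successfully
13:07:28.843 Disk 0 MBR scan
13:07:28.843 Disk 0 TDL4@MBR code has been found
13:07:28.859 Disk 0 MBR hidden
13:07:28.859 Disk 0 MBR [TDL4] **ROOTKIT**
13:07:28.875 Disk 0 trace - called modules:
13:07:28.890 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86f334e7]<<
13:07:28.953 \Driver\iaStor[0x86f72ae8] -> IRP_MJ_CREATE -> 0x86f334e7
13:07:28.953 Scan finished successfully
13:07:41.984 Disk 0 fixing MBR ...
13:07:52.015 Disk 0 MBR restored successfully
13:08:02.109 Infection fixed successfully - please reboot ASAP
"""

TIMESTAMP = r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
DISK_LINE = re.compile(TIMESTAMP + r"Disk (?P<disk>\d+)\s+(?P<rest>.*)$")
TIMED_LINE = re.compile(TIMESTAMP + r"(?P<rest>.*)$")
ROOTKIT = re.compile(r"MBR \[(?P<name>[^\]]+)\] \*\*ROOTKIT\*\*")
UNKNOWN = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
# Which driver's IRP dispatch resolves to the unknown address.
HOOKED = re.compile(r"\\Driver\\(?P<drv>\w+)\[0x[0-9A-Fa-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9A-Fa-f]+)")


def _new_disk():
    return {"boot": False, "mbr_read": False, "rootkit": None, "mbr_hidden": False,
            "unknown_hook": None, "hooked_via": None, "mbr_restored": False,
            "reboot_required": False}


def parse_aswmbr(log_text):
    """Return {disk_number: status dict} for every disk the log mentions."""
    disks = {}
    current = None  # disk whose trace / fix lines we are currently inside
    for raw in log_text.splitlines():
        m = DISK_LINE.match(raw)
        if m:
            current = int(m.group("disk"))
            d = disks.setdefault(current, _new_disk())
            rest = m.group("rest")
            d["boot"] |= rest.startswith("(boot)")
            d["mbr_read"] |= "MBR read successfully" in rest
            d["mbr_hidden"] |= "MBR hidden" in rest
            d["mbr_restored"] |= "MBR restored successfully" in rest
            rk = ROOTKIT.search(rest)
            if rk:
                d["rootkit"] = rk.group("name")
            continue
        m = TIMED_LINE.match(raw)
        if not m or current is None:
            continue
        rest = m.group("rest")
        u = UNKNOWN.search(rest)
        if u:  # trace ended outside every loaded module: a hook
            disks[current]["unknown_hook"] = u.group("addr")
        h = HOOKED.search(rest)
        if h:
            disks[current]["hooked_via"] = (h.group("drv"), h.group("irp"), h.group("addr"))
        if "please reboot" in rest:
            disks[current]["reboot_required"] = True
    return disks


def summarize(disks):
    """Human-readable findings, one per fact a helper would act on."""
    findings = []
    for n, d in sorted(disks.items()):
        tag = f"Disk {n}{' (boot)' if d['boot'] else ''}"
        if d["rootkit"]:
            findings.append(f"{tag}: {d['rootkit']} MBR rootkit")
        if d["mbr_hidden"]:
            findings.append(f"{tag}: real MBR is hidden from normal reads")
        if d["unknown_hook"]:
            via = f" via {d['hooked_via'][0]} {d['hooked_via'][1]}" if d["hooked_via"] else ""
            findings.append(f"{tag}: disk I/O path hooked at {d['unknown_hook']}{via}, "
                            "not inside any loaded module")
        if d["rootkit"] and not d["mbr_restored"]:
            findings.append(f"{tag}: MBR not yet restored")
        if d["mbr_restored"]:
            findings.append(f"{tag}: MBR restored" + (", reboot required" if d["reboot_required"] else ""))
    return findings


if __name__ == "__main__":
    for line in summarize(parse_aswmbr(SAMPLE_ASWMBR)):
        print("-", line)
```

The useful signal is the pairing of the two trace lines: the kernel walked the disk stack through named modules and then landed at an address no driver owns, and the same address is where `\Driver\iaStor`'s `IRP_MJ_CREATE` dispatch now points. On a clean machine the trace ends inside a named module. The reboot the second log asks for is what lets the restored MBR take effect, since the hooked driver stays in memory until then.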


Well it rebooted clean, it usually gets locked up a few times and so far the message from avast hasn't come up. The Q drive still shows up under superantispyware? I will see here in a bit if I can get on the internet and see if I get the popups or redirected.


I can't see the Q drive anywhere else, but when I open up SUPERAntiSpyware to run a scan I have the option to run it on C drive or Q drive? I am not positive, but I don't remember Q drive always being an option, just recently in the last few weeks. Q drive does not show up under My Computer, which I think is very weird. Or when I search through the computer files.

I was able to get on the internet and so far no popups or redirects. I will use it tonight and let you know if I get any more.

What virus protection software do you suggest? Any other pointers, or software I have that I should uninstall?

Thanks for all of your help.


This topic is now closed to further replies.