Ran DDS in Safe mode (error Windows-Delayed Write Failed)

[titan-nerd]

I started getting 'Windows - Delayed Write Failed...' followed by dozens of cascading 'Hard drive clusters are partly damaged - Segment load failure' messages. Was able to update and run malwarebytes full scan - deleted multiple found viruses - then restarted. Didn't work...I now have all programs, files and icons hidden - the same messages are occurring.

I restarted in safe mode and ran DDS (hope that's okay in safe mode). Logs are attached. Let me know if you need anything else. Please let me know what the next step is - thanks in advance.

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 7.0.5730.11

Run by Owner at 17:59:53 on 2011-10-26

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.350 [GMT -8:00]

.

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: ZoneAlarm Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

BHO: Download Manager Browser Helper Object: {19c8e43b-07b3-49cb-bffc-6777b593e6f8} - c:\progra~1\common~1\fluxdvd\downlo~1\XEBDLH~1.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

BHO: Burn4Free Toolbar Helper: {d187a56b-a33f-4cbe-9d77-459fc0bae012} - c:\program files\burn4free toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL

TB: Burn4Free Toolbar: {4f11acbb-393f-4c86-a214-ff3d0d155cc3} - c:\program files\burn4free toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

uRun: [CTZDetec.exe] c:\program files\creative\creative media lite\CTZDetec.exe

uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [EPSON NX420 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigca.exe /fu "c:\windows\temp\E_SF.tmp" /EF "HKCU"

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey

mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [sAUpdate] "c:\program files\comcast\bbclient\programs\SAUpdate.exe"

mRun: [sAClient] "c:\program files\comcast\bbclient\programs\RegCon.exe" /admincheck

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe

mRun: [bJPD HID Control] c:\program files\canon\bjpv\TVMon.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"

mRun: [CEAdYGfMvFO.exe] c:\documents and settings\all users\application data\CEAdYGfMvFO.exe

mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu

dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe

dRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

dRunOnce: [sWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1010011

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\137903\program\BackWeb-137903.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpngua~1.lnk - c:\program files\opswat\vpnguard\VPNGuardUI.exe

uPolicies-explorer: NoDesktop = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

LSP: SpSubLSP.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: MortCalcApplet - hxxp://www.homeseekers.com/Applets/MortCalcApplet/MortCalcApplet.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/downloads/tgctlcm.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1071968150918

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37975.707337963

DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://www.ritzpix.com/net/Uploader/LPUploader41.cab

DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} - hxxp://www.streamerp2p.com/sfiles/phasex.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://csufvpns.fullerton.edu/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://csufvpns.fullerton.edu/dana-cached/sc/JuniperSetupClient.cab

DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - hxxp://www.mtv.com/overdrive/bin/setup.exe

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{D0FF4584-CBEF-4670-878E-8260E2DEBDA9} : DhcpNameServer = 209.18.47.61 209.18.47.62

Notify: igfxcui - igfxsrvc.dll

Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2008-9-29 19456]

S0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-28 340592]

S1 NEOFLTR_610_13437;Juniper Networks TDI Filter Driver (NEOFLTR_610_13437);c:\windows\system32\drivers\NEOFLTR_610_13437.sys [2008-7-30 64160]

S1 NEOFLTR_700_17289;Juniper Networks TDI Filter Driver (NEOFLTR_700_17289);c:\windows\system32\drivers\NEOFLTR_700_17289.SYS [2011-4-15 84336]

S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-17 368256]

S2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2008-9-22 138616]

S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]

S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-9-29 143088]

S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-9-29 62800]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-9-28 67904]

S2 mrtRate;mrtRate; [x]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-9-1 24652]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-28 90360]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-28 42424]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-28 64432]

S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]

.

=============== Created Last 30 ================

.

2011-10-26 11:06:02 514538 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-26 03:27:10 432528 ---ha-w- c:\documents and settings\all users\application data\CEAdYGfMvFO.exe

2011-10-10 03:25:12 -------- d--h--w- c:\program files\MSECache

.

==================== Find3M ====================

.

2011-09-26 19:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 19:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll

2011-09-26 19:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ---ha-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys

2011-09-01 01:00:50 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys

2011-08-17 21:32:17 832512 ---ha-w- c:\windows\system32\wininet.dll

2011-08-17 21:32:16 78336 ---ha-w- c:\windows\system32\ieencode.dll

2011-08-17 21:32:16 1830912 ---ha-w- c:\windows\system32\inetcpl.cpl

2011-08-17 21:32:15 17408 ---ha-w- c:\windows\system32\corpol.dll

2011-08-17 13:49:54 138496 ---ha-w- c:\windows\system32\drivers\afd.sys

2011-08-17 12:22:23 389120 ---ha-w- c:\windows\system32\html.iec

2011-08-12 21:51:26 26488 ---ha-w- c:\windows\system32\spupdsvc.exe

2007-05-28 07:42:29 2874926 ---ha-w- c:\program files\FLV PlayerRCATSetup.exe

2007-05-28 07:42:23 25990392 ---ha-w- c:\program files\FLV PlayerRCSetup.exe

.

============= FINISH: 18:04:26.78 ===============

attach.txt

dds.txt

[LDTate]

You can use windows sfc (system file checker) You'd need your XP CD to make this work.

Click Start> Run> type sfc /scannow Note the space.

(Note that there is a space between sfc and /scannow)

[titan-nerd]

I am in Safe Mode...as I mentioned, all files, icons and programs are not visible to me. When I click Start, the only visible option is 'About my HP PC'. No option to 'Run'. I can right click Start and get an Explore window - all I see on C: drive is Documents and Settings > Owner > Start Menu. I believe I have a virus that is hiding everything!

I copied dds.scr from a thumb drive into the visible Documents and Settings folder. Can I try the same method to run MBAM or anything else? I do believe I have a virus - I've seen the same 'fake' messages on other posts.

Also, I'll look for my xp cd, but I believe my HP machine stored it on the d: drive - the contents of which are no longer visible. Let me know what I should try next - thanks.

titan-nerd

[LDTate]

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Download unhide.exe & save it to your windows folder:

Right click on unhide.exe and select Run as administrator (In case you have Vista or Win7)

Reboot

This will unhide folders/files that were set to be hidden by the infection you had.

Let me know if that solved your problem.

[titan-nerd]

LD...Okay, I ran unhide.exe in safe mode using user Administrator and files/programs are now visible - thanks. I tried the sfc /scannow command - just saw a quick flash - not sure what to expect. I went ahead and rebooted in normal mode and sign in as my default user - got message again (Windows detected a hard disk problem...) and files/programs were hidden.

I rebooted into safe mode and signed in as administrator - files are visible again. But virus seems to reappear in normal mode. Let me know what next step is to remove the virus.

I noticed a new problem - my 'My Documents' folder under my default user is gone, replaced with an empty folder name 'First Last's Documents' (replacing my actual First and Last name for this post). 'My Music' folder also renamed to 'First Last's Music' - also empty. Other user documents seem okay. Not sure if this was caused by the virus or the unhide.exe. Any ideas on recovering my original 'My Documents' folder and all of its contents? Let me know - thanks.

titan-nerd

[LDTate]

Yes, that was caused by the infection.

Did you run unhide in Normal Mode while logged in as default user?

[titan-nerd]

No - just Safe mode as Administrator (I thought the instructions inferred that running as administrator was preferrable). Please confirm that I should try running it in normal mode as default user and what to do after that - thanks.

[LDTate]

Please confirm that I should try running it in normal mode as default user and what to do after that - thanks.

Yes.

Then run a updated MBAM scan

[titan-nerd]

Thanks - I'll try that when I get home this evening.

If I can't do everything in Normal mode as the default user, will it help to do it in Safe mode? Normal mode seemed to reactivate the fake messages, so I'm not sure how much it will let me do. So if I can't run MBAM in normal mode, let me know if MBAM in Safe mode will help - thanks.

[LDTate]

If it won't run in Normal then try Safe Mode

[titan-nerd]

LDTate,

I was able to update and run mbam in normal mode - looks like it took this time and I'm clean again. Thanks for your all your help and patience - it's much appreciated.

t-nerd

[LDTate]

You're more than welcome.

Glad we were able to help

Peace be with you

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.