TechSpot

5 step virus removal error

Solved
By jmmybttm
Jan 31, 2012
  1. hello everyone, newbie here -

    A quick summary, if possible, of events.
    I was surfing the web w/o anti-virus software installed when i suddenly got about 12 windows opening informing me of a corrupt entry in system 32 lib.
    Then i got a System Check window basically saying i have everything possible wrong with my machine, i.e. hardware, software, registry errors. Upon reboot, i got MISSING OS SYSTEM. As a last resort, i cleaned my machine, which has helped things in the past, and it was dirty. Loaded the Recovery Console, DSKCHK ran ok, no problems supposedly. I did a FIXMBR cmd which finished in a micro sec.
    Surprisingly, on reboot, it saw the hard disk & loaded. My desktop was missing many items so i ran a system restore to a recent good checkpoint successfully which brought back my desktop icons. My browsers, FireFox & IE, will not start. They enter PROCESSES in task manager but leave shortly afterwards w/o doing anything, no window opens. I loaded AVG 2012 free anti-virus and did a whole computer scan. That software removed 18 items to the Virus Vault. Here is a synopsis of that run which i did before coming here.

    AVG 2012 anti-virus, free edition, whole computer scan follows...

    ======================= infections follow ==================
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199282.exe";"May be infected by unknown virus Win32/DH.00000000{00040001-00000035-00000000}";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199157.exe";"Trojan horse Generic_r.AHC";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199103.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP345\A0198012.exe";"Trojan horse Generic_r.AHC";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP344\A0197955.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP344\A0197954.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP342\A0197907.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP342\A0197906.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP340\A0197853.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP339\A0196821.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
    "";"C:\Documents and Settings\dad\removeme.exe";"May be infected by unknown virus Win32/DH.00000000{00040001-00000035-00000000}";"Moved to Virus Vault"
    "";"C:\Documents and Settings\dad\Local Settings\Temp\gigiti.exe";"Trojan horse Downloader.Zlob.BFZG";"Moved to Virus Vault"
    "";"C:\Documents and Settings\All Users\Application Data\isecurity.exe";"Trojan horse Dropper.Generic5.YRY";"Moved to Virus Vault"
    ==================== spyware follows ======================
    "";"C:\WINDOWS\basra1.dll";"Adware Generic4.AGJX";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199281.dll";"Adware Generic4.AGJX";"Moved to Virus Vault"
    ==================== warnings follows =====================
    "";"C:\WINDOWS\system32\TFTP964";"Corrupted executable file";"Moved to Virus Vault"
    "";"C:\WINDOWS\system32\randomiser.exe";"Corrupted executable file";"Moved to Virus Vault"
    "";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199280.exe";"Corrupted executable file";"Moved to Virus Vault"
    ===========================================================

    Then sometime later during a reboot i got stuck in a CHKDSK loop. Safe Mode would not complete loading. Loaded the Recovery Console and reran CHKDSK. This time it reported an error on the drive. Ran it again with the -p option ok, then ran with the -r option ok. System loaded finally. I did run a cleanup utility called Cleanup.exe, i have used it often in the past. My browsers still will not load, i am able to load it & use it by navigating to Start/Help & Support/Use Tools/clicking on a link to Go To A Windows Newsgroup, then it loads, i haven't used any tools although my disk shows needing defragmentation which i haven't done. Also, IE loads thru Start/Control Panel/Automatic Updates and clicking on the link for the microsoft update site. I then ran Malwarebytes Anti-Malware in the 5 step solution for viruses, malware, spyware. Here is that log:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.27.07

    Windows XP Service Pack 2 x86 FAT32
    Internet Explorer 8.0.6001.18702
    dad :: PREFERRE-406GQB [administrator]

    1/27/2012 4:27:58 PM
    mbam-log-2012-01-27 (16-27-58).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 431570
    Time elapsed: 24 minute(s), 10 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 20
    HKCR\CLSID\{597A9974-8CB0-4f41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{60BE6B2E-F2F5-4404-AA1E-4381D4A6EEA2} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    HKCR\Interface\{6427058B-217C-4C7F-A6CE-C7934C0BDCEB} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    HKCR\RewardsArcade.BHO.1 (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014DA6C1-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014DA6C9-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{54160F28-994B-48DD-8D83-1B2F6B9EB054} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54160F28-994B-48DD-8D83-1B2F6B9EB054} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 3
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w| (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 14
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498 (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.

    Files Detected: 42
    C:\Documents and Settings\nate\My Documents\Downloads\Retrogamer.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
    C:\Documents and Settings\dad\Local Settings\Temp\8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\uninstall.ico (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> Quarantined and deleted successfully.
    C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

    (end)

    Tried running GMER next but i get a LoadDriver (C:\Docs & Settings\dad\local settings\Temp\awncapoc.sys) error 0xc000010E: cannot create a stable subkey under a volatile parent key. Pressing OK & GMER1.0.15.15641 window opens. Press the scan key and get C:\windows\system32\config\system, process can't access the file because it is being used by another process. Press OK, and same message but this time for system32\config\software. Only a few boxes are checked in GMER, the Services, Registry, Files is checked. Below that, C:\ is checked. Below that, ADS is checked. And finally GMER hasn't found any system modification. Don't believe it ran at all. That is where i am at in that procedure, any help greatly appreciated. System ran better afterwards, was getting 100% cpu in task manager, mostly the SERVICES & CSRSS execs, before running. It dropped down significantly afterwards but was unable to continue. Today, it is the CSRSS exec at 20+% and avgwdsvc.exe at 70+%. What should i do next? my mind is dazed & confused, thanks in advance.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =========================================================

    Your MBAM is a bit outdated.
    Update it, run another scan and post new log.

    Will DDS run?
     
  3. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    hi Broni - thanks for responding. When i logged in today, cpu utilization looked good. I had turned Windows Updates on to automatic, i had it set before to download and notify me. So, windows update ran first thing and downloaded a few updates, some worked, some didn't. I shut off Windows Update afterwards and came here.

    I'll check it, thanks, back in a bit, later, jimmy
     
  4. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    ...
     
  5. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    hi again, No, i did not run DDS yet, i stopped because GMER didn't load. I updated MBAM & re-ran, log follows...

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.01.05

    Windows XP Service Pack 2 x86 FAT32
    Internet Explorer 8.0.6001.18702
    dad :: PREFERRE-406GQB [administrator]

    2/1/2012 11:02:23 AM
    mbam-log-2012-02-01 (11-02-23).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 430769
    Time elapsed: 21 minute(s), 27 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    I tried re-running GMER after disabling AVG & turning off the firewall & disconnecting internet with basically same result. Got the LoadDriver error for the same file mentioned before with the same error code. Hit OK to loaddriver error msg and got the system32\config\system message about another process using it. Clicked OK to that & app closed. That is where i stand now, any advice mucho appreciated, later, jimmy
     
  6. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Skip GMER.
    Try DDS.
     
  7. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    Will do, back in a bit. jimmy
     
  8. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    Sorry for taking so long to get back but i experienced problems trying to get DDS to complete. It was helpful though because it led to me realizing i still had a file system problem, got stuck in DSKCHK loop again. I was using a friend's XP install disc as mine got tossed out in the last move i made and i was using that for recovery which didn't do the job completely. Read up on DSKCHK and realized where i made my mistake. Configuring MSCONFIG to boot into Safemode really helped as i could use the DSKCHK on my machine. Anyway, i am ready now to run DSKCHK /F today. Hopefully, i will be back late afternoon with GMER & DDS logs, feeling good today, fingers crossed. jimmy
     
  9. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    No problem :)
     
  10. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    I almost ran out of space with chkdsk dumps while working on the file system. So i did a few things you say not to do but i was forced really. I ran AVG whole computer scan clean & then i uninstalled it successfully. I turned off System Monitoring for restore points to flush them all. Been running that Cleanup.exe to flush temp datasets. Took a while but my file system is clean now, bootup looks normal and response is crisp. Don't really see any obvious symptoms of a problem outside of, IE will not load normally, goes into task manager/processes for a tic or two and then exits. Oh, CPU utilization looks normal now too. I am running Windows XP SP2 with an Athlon XP 2200+ processor. I re-ran a whole computer scan with MBAM today and it was clean. After recovering files i wanted and the ones i flushed, Defragmenter now says a defrag is not required, freed up quite a bit of space on my single partition C: drive. Rebooted into Safe Mode and tried rerunning GMER, it still has the same LoadDriver error, same code. Then i tried DDS which ran the scan part but took longer than 3 minutes before the program just goes to sleep, mouse doesn't freeze but is useless in trying to attempt to log off or shut down. Task manager can not be invoked either, no response, i/o light on tower is out, no activity, let it sit 20 mins and i have to power off via the on/off button on tower. That is where i am at at the present moment. Any suggestions? thanks, jimmy
     
  11. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
     
  12. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    Downloaded aswMBR to desktop, when i click to open, it enters task manager/processes for a micro sec and exits, no window opens. I stopped there.
     
  13. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    p.s. - during one of the DDS runs, it stopped on MBR.dat, f.y.i.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Go on with Bootkit Remover.
     
  15. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    Here is the BootKit Remover log:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  16. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    OK...

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  17. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    ListParts by Farbar
    Ran by dad on 08-02-2012 at 13:41:05
    Windows XP (X86)
    Running From: C:\Documents and Settings\dad\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 49%
    Total physical RAM: 511.48 MB
    Available physical RAM: 260.35 MB
    Total Pagefile: 1247.5 MB
    Available Pagefile: 961.82 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1999.45 MB

    ======================= Partitions =========================

    2 Drive c: () (Fixed) (Total:74.51 GB) (Free:57.59 GB) FAT32 ==>[Drive with boot components (Windows XP)]
    5 Drive g: (New Volume) (Fixed) (Total:232.88 GB) (Free:12.61 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 75 GB 0 B
    Disk 1 Online 233 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 75 GB 32 KB
    Partition 2 Unknown 11 MB 75 GB

    Disk: 0
    Partition 1
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C FAT32 Partition 75 GB Healthy Boot

    Disk: 0
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 233 GB 32 KB

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 G New Volume NTFS Partition 233 GB Healthy


    ****** End Of Log ******
     
  18. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    p.s. - i turned off my external NTFS drive, listed as Vol 3 in scan.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    We have TDL rootkit there.

    WARNING!
    Proceed with extreme caution!
    Deleting wrong partition will result with your computer being unusable.
    If you have any doubts, ask.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Press Tool at the top
    • Choose Open Terminal
    • Type parted /dev/sda set 1 boot on
    • Press Enter
    • Type parted /dev/sda rm 2
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
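    The layout the ListParts log shows (a tiny hidden, active type 17 partition at the end of disk 0, with the real FAT32 partition not marked active) can be checked directly in the MBR. The following is an added example, not code from the thread or from any of the tools named in it: it parses a 512-byte MBR sector, flags that layout, and models on the parsed table what the two parted commands above change (boot flag onto partition 1, partition 2 removed). The sample MBR is constructed here with sizes approximating the log; it never touches a real disk.

```python
# Added example: parse an MBR partition table, flag the hidden active 0x17
# partition seen in the ListParts log, and model the parted repair steps.
import struct

SECTOR = 512
TABLE_OFFSET = 446            # four 16-byte entries at bytes 446..509
BOOT_SIG = b"\x55\xaa"        # bytes 510..511
OS_TYPES = {0x07: "NTFS", 0x0C: "FAT32 LBA"}   # partition types seen in the log
HIDDEN_NTFS = 0x17            # "Type : 17 (Suspicious Type)" in the ListParts log


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty primary partition entries of one MBR sector."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                                   # unused slot
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "start": start, "sectors": count})
    return parts


def build_mbr(parts: list[dict]) -> bytes:
    """Inverse of parse_mbr: zeroed boot code, the given entries, 55AA signature."""
    table = bytearray(64)
    for p in parts:
        struct.pack_into("<B3xB3xII", table, 16 * (p["index"] - 1),
                         0x80 if p["active"] else 0x00, p["type"],
                         p["start"], p["sectors"])
    return bytes(TABLE_OFFSET) + bytes(table) + BOOT_SIG


def find_suspicious(parts: list[dict]) -> list[str]:
    """Flags matching the symptoms on this page: a small hidden type-0x17
    partition carrying the active flag, and no OS partition marked active."""
    findings = []
    for p in parts:
        if (p["type"] == HIDDEN_NTFS and p["active"]
                and p["sectors"] * SECTOR < 64 << 20):
            findings.append(f"partition {p['index']}: hidden type 0x17, active, "
                            f"only {p['sectors'] * SECTOR // (1 << 20)} MB")
    os_parts = [p for p in parts if p["type"] in OS_TYPES]
    if os_parts and not any(p["active"] for p in os_parts):
        findings.append("no OS partition (" + ", ".join(OS_TYPES.values())
                        + ") is marked active")
    return findings


def apply_parted_fix(parts: list[dict], boot_idx: int = 1,
                     remove_idx: int = 2) -> list[dict]:
    """Model of 'parted /dev/sda set 1 boot on' then 'parted /dev/sda rm 2':
    set the boot flag on entry 1 and drop entry 2. Works on the parsed table only."""
    fixed = []
    for p in parts:
        if p["index"] == remove_idx:
            continue
        q = dict(p)
        if q["index"] == boot_idx:
            q["active"] = True
        fixed.append(q)
    return fixed


# Constructed sample modelled on the ListParts output (sizes approximate):
# an 80 GB disk; partition 1 = FAT32 from sector 64 (32 KB offset), inactive;
# partition 2 = 11 MB, type 0x17, active, at the very end of the disk.
DISK_SECTORS = 156_301_488
P2_SECTORS = 11 * (1 << 20) // SECTOR            # 22528 sectors
SAMPLE_PARTS = [
    {"index": 1, "active": False, "type": 0x0C, "start": 64,
     "sectors": DISK_SECTORS - 64 - P2_SECTORS},
    {"index": 2, "active": True, "type": HIDDEN_NTFS,
     "start": DISK_SECTORS - P2_SECTORS, "sectors": P2_SECTORS},
]
SAMPLE_MBR = build_mbr(SAMPLE_PARTS)


def demo() -> tuple[list[str], list[str]]:
    """Findings before and after the modelled parted commands."""
    before = parse_mbr(SAMPLE_MBR)
    after = parse_mbr(build_mbr(apply_parted_fix(before)))
    return find_suspicious(before), find_suspicious(after)


if __name__ == "__main__":
    before, after = demo()
    for line in before:
        print("BEFORE:", line)
    print("AFTER:", after or "no findings")
```

On a real disk the same table can be read from the first 512 bytes of the physical drive; the flags above are the cue to inspect that partition, not proof by themselves.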
     
  20. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    Nothing happens when i click on GETxPUD.exe, don't even see it enter the processes in task manager, system sitting 99% idle. Ideas?
     
  21. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Create the CD on another healthy computer and then boot BAD computer from it.
     
  22. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    OK, i shut down & reloaded normally ok. Double clicking the exe did produce a GETxPUD folder, but it said not all files extracted, think i got antsy and double clicked the exe a 2nd time. Anyhow, that folder has 3 files in it.

    get&burn.bat 1KB
    BurnCDCC.exe 144KB
    WGET.EXE 325KB

    did i get all the files, waiting to proceed, thanks.
     
  23. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    p.s. - gonna shutdown & reload again and try the exe again.
     
  24. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    [​IMG]
     
  25. jmmybttm

    jmmybttm TS Rookie Topic Starter Posts: 47

    ok, got ya!

    But i did shut down & reload & rerun GETxPUD ok, and it produced a GETxPUD folder. And i proceeded all the way to burning a CD successfully before checking back here. Do you still want me to create it on a healthy machine?, he said as he ducked.

    And another question regarding the instructions, looks like the commands are set to remove Partition 2, is that right? The previous log showed Partition 2 of disk 0 as suspicious, is that right? I want to be sure i have the right idea before doing this.

    Thanks for the help thus far, waiting response, thanks. jimmy
     

