TechSpot

[Solved] Followed 8 steps, any assistance appreciated

Discussion in 'Virus and Malware Removal' started by paulhirko, Oct 26, 2010.

  1. paulhirko Newcomer, in training

    That's where I fail. I've done that and when the PC boots I get a black screen stating: Please remove devices and drives. Press any key to restart. No drives are connected (except for the USB) and pressing any key brings me straight into the Windows login. The USB does not seem to be accessed at any point (the LED on the drive does not flash) during this screen.
  2. Broni Malware Annihilator

    I must be tired and I'm not thinking clearly...LOL

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    exit

    Reboot computer.

    Post fresh MBRCheck log.
  3. paulhirko Newcomer, in training

    Man, take a break, enjoy your weekend. I didn't think I'd hear from you until Monday. Well, I think what you suggested worked, but I'll let you be the judge. Here are the results:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 165):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7C67000 \WINDOWS\system32\KDCOM.DLL
    0xF7B77000 \WINDOWS\system32\BOOTVID.dll
    0xF7718000 ACPI.sys
    0xF7C69000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7707000 pci.sys
    0xF7767000 isapnp.sys
    0xF7B7B000 compbatt.sys
    0xF7B7F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7D2F000 pciide.sys
    0xF79E7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7C6B000 aliide.sys
    0xF7C6D000 cmdide.sys
    0xF7C6F000 toside.sys
    0xF7C71000 viaide.sys
    0xF7C73000 intelide.sys
    0xF7777000 MountMgr.sys
    0xF76E8000 ftdisk.sys
    0xF7B83000 ACPIEC.sys
    0xF7D30000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF79EF000 PartMgr.sys
    0xF7787000 VolSnap.sys
    0xF7B87000 cpqarray.sys
    0xF76D0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF76B8000 atapi.sys
    0xF7B8B000 aha154x.sys
    0xF79F7000 sparrow.sys
    0xF7B8F000 symc810.sys
    0xF7797000 aic78xx.sys
    0xF7B93000 dac960nt.sys
    0xF77A7000 ql10wnt.sys
    0xF7B97000 amsint.sys
    0xF79FF000 asc.sys
    0xF7B9B000 asc3550.sys
    0xF7A07000 mraid35x.sys
    0xF7A0F000 i2omp.sys
    0xF7B9F000 ini910u.sys
    0xF77B7000 ql1240.sys
    0xF77C7000 aic78u2.sys
    0xF7A17000 symc8xx.sys
    0xF7A1F000 sym_hi.sys
    0xF7A27000 sym_u3.sys
    0xF7A2F000 ABP480N5.SYS
    0xF7A37000 asc3350p.sys
    0xF7C75000 cd20xrnt.sys
    0xF77D7000 ultra.sys
    0xF769F000 adpu160m.sys
    0xF7A3F000 dpti2o.sys
    0xF77E7000 ql1080.sys
    0xF77F7000 ql1280.sys
    0xF7807000 ql12160.sys
    0xF7A47000 perc2.sys
    0xF7C77000 perc2hib.sys
    0xF7A4F000 hpn.sys
    0xF7BA3000 cbidf2k.sys
    0xF7673000 dac2w2k.sys
    0xF7817000 disk.sys
    0xF7827000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7653000 fltMgr.sys
    0xF7641000 sr.sys
    0xF75E4000 mfehidk.sys
    0xF75CD000 KSecDD.sys
    0xF7540000 Ntfs.sys
    0xF7513000 NDIS.sys
    0xF7837000 sisagp.sys
    0xF7847000 viaagp.sys
    0xF74F9000 Mup.sys
    0xF7857000 alim1541.sys
    0xF7867000 amdagp.sys
    0xF7877000 agp440.sys
    0xF7887000 agpCPQ.sys
    0xF7447000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7C33000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF6E31000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF6E1D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6DF5000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF6DDA000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xF6C99000 \SystemRoot\system32\DRIVERS\athw.sys
    0xF7AAF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6C75000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7ADF000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7437000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7AFF000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0xF7B0F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF6C3E000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7C87000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7B57000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF74C5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7D74000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF6C2A000 \SystemRoot\system32\DRIVERS\mfendisk.sys
    0xF7427000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF74B5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6C13000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7417000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7407000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7AD7000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6BDA000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF73F7000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF6BB6000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xF6B6B000 \SystemRoot\system32\drivers\mfefirek.sys
    0xF7B37000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7B47000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF73E7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7C91000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6B20000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6AC2000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7C53000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF73D7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF78A7000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xAA303000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA2DF000 \SystemRoot\system32\drivers\portcls.sys
    0xF78B7000 \SystemRoot\system32\drivers\drmk.sys
    0xF74B1000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7C9D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7DCA000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7CA1000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7B6F000 \SystemRoot\System32\drivers\vga.sys
    0xF7CA5000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7CA9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7A7F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7A8F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7494000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA1BC000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA163000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xAA150000 \SystemRoot\system32\drivers\mfetdi2k.sys
    0xAA12A000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF78E7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA102000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF7AF7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xAA090000 \SystemRoot\System32\drivers\afd.sys
    0xF7907000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA9EBD000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF7B5F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xA9E92000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9E22000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7937000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA9DD6000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xA9DBE000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7CC5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF6B5F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7B4F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D94000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA9CA6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA9A21000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA99E4000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF7967000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA95AA000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA8DF1000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA8E5A000 \SystemRoot\system32\drivers\cfwids.sys
    0xA8C28000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
    0xA8BC2000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xA8E8A000 \SystemRoot\system32\drivers\mfebopk.sys
    0xF7C8B000 \SystemRoot\system32\DRIVERS\psi_mf.sys
    0xA821C000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0xA97AC000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xF7A9F000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 46):
    0 System Idle Process
    4 System
    1104 C:\WINDOWS\system32\smss.exe
    1172 csrss.exe
    1204 C:\WINDOWS\system32\winlogon.exe
    1248 C:\WINDOWS\system32\services.exe
    1260 C:\WINDOWS\system32\lsass.exe
    1408 C:\WINDOWS\system32\svchost.exe
    1528 svchost.exe
    1568 C:\WINDOWS\system32\svchost.exe
    1704 svchost.exe
    1756 svchost.exe
    2044 C:\WINDOWS\system32\spoolsv.exe
    264 svchost.exe
    700 C:\WINDOWS\explorer.exe
    748 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    776 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    848 C:\WINDOWS\system32\mfevtps.exe
    880 C:\WINDOWS\system32\svchost.exe
    924 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
    1460 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
    292 C:\WINDOWS\system32\igfxtray.exe
    1776 C:\WINDOWS\system32\hkcmd.exe
    532 C:\WINDOWS\system32\igfxpers.exe
    904 C:\WINDOWS\system32\igfxsrvc.exe
    892 C:\WINDOWS\RTHDCPL.exe
    992 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2128 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    2268 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    2280 C:\Program Files\McAfee.com\Agent\mcagent.exe
    2288 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2300 C:\WINDOWS\system32\ctfmon.exe
    2684 C:\Program Files\Secunia\PSI\psi.exe
    2844 C:\WINDOWS\system32\igfxext.exe
    3256 alg.exe
    424 C:\DOCUME~1\PAULHI~1\LOCALS~1\Temp\RtkBtMnt.exe
    4056 C:\WINDOWS\system32\wuauclt.exe
    2236 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3508 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3100 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3868 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    4036 C:\Program Files\Mozilla Firefox\firefox.exe
    1072 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    2792 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2916 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    2344 C:\Documents and Settings\Paul Hirko\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`768ff800 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543212L9A300, Rev: FBBOC40C

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    Much appreciated,
    Paul

    P.S. No redirects, or pop ups on any computer any time today.
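
As an added illustration (not part of the thread, and not MBRCheck's own code): a check of the kind run after `fixmbr`, which parses sector 0 and compares a SHA-1 of its boot code against a baseline recorded from a known-good state. The 440-byte hash range, the constructed sample sector and every function name are assumptions of this example; the thread does not say which bytes MBRCheck hashes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439 hold the bootstrap code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510-511

# Constructed filler standing in for boot code; it is NOT real MBR code.
SAMPLE_CODE = bytes((i * 7) % 251 for i in range(BOOT_CODE_LEN))


def read_first_sector(path):
    """Read sector 0 from a disk image or raw device (needs admin rights)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        # status, (CHS start skipped), type, (CHS end skipped), LBA, length
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * index)
        if ptype == 0:          # unused slot
            continue
        partitions.append({"index": index, "status": status,
                           "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector, baseline_sha1=None):
    """Return (parsed info, list of findings worth a closer look)."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not any(sector[:BOOT_CODE_LEN]):
        findings.append("boot code area is empty")
    # Only the boot code is hashed: the disk signature and partition table
    # legitimately differ from disk to disk.
    if baseline_sha1 and info["boot_code_sha1"] != baseline_sha1.lower():
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:        # expectation for a bootable system disk
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(
                f"partition {p['index']} has invalid status 0x{p['status']:02x}")
    return info, findings


def build_sample_mbr(boot_code):
    """Constructed sample: one active NTFS partition whose start matches the
    volume offset 0x1768ff800 shown in the log above (LBA 0xBB47FC)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x12345678)   # made-up value
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF,
                     0x80, 0x07, 0x00BB47FC, 0x0DF00000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr(SAMPLE_CODE)
    baseline = parse_mbr(clean)["boot_code_sha1"]   # recorded when known good
    changed = bytearray(clean)
    changed[0x20] ^= 0xFF                           # one altered boot-code byte
    for label, sector in (("baseline", clean), ("changed", bytes(changed))):
        info, findings = check_mbr(sector, baseline)
        print(label, info["boot_code_sha1"], findings or "no findings")
```
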
  4. Broni Malware Annihilator

    Good job and good news :)

    I can't take a break, because there are too many bad guys out there to kill....LOL

    We'll run a couple more scans to make sure all is cool :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. paulhirko Newcomer, in training

    Does this look like a full ComboFix run?


    ComboFix 10-11-07.01 - Paul Hirko 11/06/2010 22:18:28.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.649 [GMT -4:00]
    Running from: C:\Documents and Settings\Paul Hirko\My Documents\Downloads\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
  6. paulhirko Newcomer, in training

    and here is the rkill:


    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Paul Hirko on 11/06/2010 at 22:53:37.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    C:\DOCUME~1\PAULHI~1\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Paul Hirko\My Documents\Downloads\rkill.com


    Rkill completed on 11/06/2010 at 22:53:49.
  7. Broni Malware Annihilator

    Re-run rKill and Combofix, please.
  8. paulhirko Newcomer, in training

    Here's the combofix run, looks much better than last time. I didn't realize but I got the blue screen of death the first time I ran it. I deleted it and re-downloaded it.

    ComboFix 10-11-07.04 - Paul Hirko 11/07/2010 13:03:17.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.579 [GMT -5:00]
    Running from: c:\documents and settings\Paul Hirko\My Documents\Downloads\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))
    .

    2010-11-07 17:56 . 2010-11-07 17:56 -------- d-----w- C:\c7f2cae681e19342cb805e1614177499
    2010-11-07 16:58 . 2010-11-07 16:58 -------- d-----w- C:\3b5dbbff8213111a0fabea2b
    2010-11-06 22:23 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-11-06 22:22 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-11-06 22:22 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-11-06 22:22 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-11-05 18:28 . 2010-11-05 18:28 -------- d-----w- c:\windows\system32\XPSViewer
    2010-11-05 18:28 . 2010-11-05 18:28 -------- d-----w- c:\program files\MSBuild
    2010-11-05 18:27 . 2010-11-05 18:27 -------- d-----w- c:\program files\Reference Assemblies
    2010-11-05 18:26 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-11-05 18:24 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-11-05 18:24 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-11-05 18:24 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-11-05 18:24 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-11-05 18:24 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-11-05 18:24 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-11-05 18:24 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-11-05 18:24 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-11-05 18:24 . 2010-11-05 18:26 -------- d-----w- C:\d74f1a4f90b880523d77c467b01d5b7f
    2010-11-05 16:45 . 2010-11-05 16:46 -------- d-----w- C:\2706fec52d06eafcff73d7a7f852a7fa
    2010-11-05 16:45 . 2010-11-05 17:12 -------- d-----w- C:\2b9becaaa34d5018922d1b12
    2010-11-04 15:39 . 2010-11-04 15:39 -------- d-----w- c:\program files\Common Files\Skype
    2010-11-04 15:38 . 2010-11-04 19:49 -------- d-----r- c:\program files\Skype
    2010-11-04 15:06 . 2010-10-27 06:09 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
    2010-11-04 14:51 . 2010-11-04 14:51 -------- d-----w- c:\program files\FileHippo.com
    2010-11-04 01:49 . 2010-11-04 01:49 -------- d-----w- c:\program files\Secunia
    2010-11-02 14:31 . 2010-11-02 14:29 75208 ----a-w- c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    2010-11-02 14:31 . 2010-11-02 14:31 -------- d-----w- c:\program files\Foxit Software
    2010-11-02 01:11 . 2010-11-02 01:11 -------- d-----w- c:\program files\ESET
    2010-10-28 22:27 . 2008-04-15 03:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-28 22:25 . 2010-10-28 22:25 -------- d-----w- c:\windows\system32\LogFiles
    2010-10-22 15:48 . 2010-10-22 15:48 -------- d-----w- C:\jolicloud
    2010-10-20 15:37 . 2010-10-20 15:37 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-20 05:17 . 2010-10-20 05:17 -------- d-----w- c:\program files\Google
    2010-10-20 05:15 . 2010-10-26 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-10-14 03:25 . 2010-10-14 03:25 -------- d-----w- c:\documents and settings\Administrator
    2010-10-13 22:24 . 2008-03-02 10:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
    2010-10-13 22:20 . 2010-10-13 22:20 -------- d-----w- c:\documents and settings\Paul Hirko\log
    2010-10-13 21:59 . 2010-11-04 19:51 -------- d-----w- c:\program files\Trend Micro
    2010-10-13 18:19 . 2010-10-13 18:19 -------- d-----w- c:\documents and settings\Paul Hirko\Application Data\Malwarebytes
    2010-10-13 18:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-13 18:19 . 2010-10-13 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-13 18:19 . 2010-11-05 20:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-13 18:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-12 16:59 . 2010-10-12 16:59 -------- d-----w- c:\windows\Sun
    2010-10-12 16:17 . 2010-10-12 16:17 -------- d-----w- c:\program files\Common Files\Java
    2010-10-12 16:16 . 2010-09-15 11:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-12 16:16 . 2010-09-15 11:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-12 16:16 . 2010-09-15 09:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-12 16:15 . 2010-10-30 03:00 -------- d-----w- c:\program files\Java
    2010-10-12 15:56 . 2010-10-12 15:56 -------- d-----w- c:\documents and settings\Paul Hirko\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-14 02:28 . 2010-10-06 03:51 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-10-14 02:28 . 2010-10-06 03:51 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-10-14 02:28 . 2010-10-06 03:51 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-10-14 02:28 . 2010-10-06 03:51 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-10-14 02:28 . 2010-10-06 03:51 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-10-14 02:28 . 2010-10-06 03:51 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-10-14 02:28 . 2010-10-06 03:51 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-10-14 02:28 . 2010-10-06 03:51 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-10-14 02:28 . 2010-10-06 03:38 141792 ----a-w- c:\windows\system32\mfevtps.exe
    2010-10-14 02:28 . 2010-08-24 21:57 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-10-14 02:28 . 2010-08-24 21:57 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-10-06 02:50 . 2008-07-08 18:17 125 ----a-w- c:\windows\xUninstall.bat
    2010-10-06 01:00 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat
    2010-10-06 01:00 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat
    2010-09-18 19:23 . 2008-04-15 03:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-15 03:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-15 03:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2008-04-15 03:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2008-04-15 03:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2008-04-15 03:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2008-04-15 03:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2008-04-15 03:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2008-04-15 03:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2008-04-15 03:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2008-04-15 03:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2008-04-15 03:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2010-10-06 03:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2008-04-15 03:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2008-04-15 03:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2008-04-15 03:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-10-14 02:28 . 2010-10-06 03:51 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-05 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
    "AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
    "PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\documents and settings\Paul Hirko\Start Menu\Programs\Startup\
    Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-10-11 20:49 14940040 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/5/2010 10:51 PM 84072]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/5/2010 10:51 PM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/5/2010 10:51 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/5/2010 10:51 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [10/5/2010 10:52 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/5/2010 10:38 PM 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/5/2010 10:51 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/5/2010 10:51 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/5/2010 10:51 PM 88544]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 9:05 AM 14904]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/5/2010 10:51 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/5/2010 10:51 PM 84264]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [10/13/2010 5:24 PM 206608]
    S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [10/13/2010 5:24 PM 206608]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1387451018-1133999177-4260046075-1006Core.job
    - c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-05 01:22]

    2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1387451018-1133999177-4260046075-1006UA.job
    - c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-05 01:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    FF - ProfilePath - c:\documents and settings\Paul Hirko\Application Data\Mozilla\Firefox\Profiles\kbeud32e.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    MSConfigStartUp-TMRUBottedTray - c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-07 13:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1196)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1852)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-11-07 13:30:02
    ComboFix-quarantined-files.txt 2010-11-07 18:29

    Pre-Run: 79,046,062,080 bytes free
    Post-Run: 78,964,752,384 bytes free

    - - End Of File - - AC276C0980F5FA33BBADEAE78CCA5797
  9. paulhirko Newcomer, in training

    And here is the rkill log. Let me know what you think.


    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Paul Hirko on 11/07/2010 at 13:34:30.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Paul Hirko\Desktop\rkill.com


    Rkill completed on 11/07/2010 at 13:34:37.


    Thanks,
    Paul
  10. Broni Malware Annihilator

    It looks fine.

    No redirections?

    You can delete the Combofix file.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  11. paulhirko Newcomer, in training

    No found threats on ESET, nor am I having any redirects/popups. Does that sound good to you?
  12. Broni Malware Annihilator

    It sounds wonderful to me...LOL

    Make sure to reset system restore (turn it off, restart computer and turn it back on) and you should be good to go :)
  13. paulhirko Newcomer, in training

    Hmmm. Could you tell me those steps? Not sure I know how to do that.

    Thanks,
    Paul.
  14. Broni Malware Annihilator
