Followed the 8 steps, posting logs here. Help, Please!

Solved
By SurgeonG
Oct 22, 2010
  1. Logs are big, attaching them to post. Please advise. I can't connect to windows update site. I am so tired I am ready to buy a new laptop!

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have a rootkit. Since you have attached the logs instead of pasting them in, using multiple posts if needed, it will take me 4 times the amount of time needed to check pasted logs.

    Please download MBR Rootkit Detector and save it on your desktop.
    • Pause/Stop all antivirus/spyware active protection.
    • Then double click on mbr.exe to run it.
    • Select Run when you receive a Security Warning
    • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
    • A log file will then be created on your desktop where you ran mbr.exe
    • Copy and paste the contents of mbr.log on your next reply.
    ============================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.
    ========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ============================================
    Please paste all of these logs in your next replies. If you do not, I will not review them.

    Important! Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    mbr report

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
  4. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    combofix report

    I am not sure if ComboFix completed its run. It got to a screen where it said it was done and finishing up, not to use the internet till it was complete, then my computer went to a blue background only. I figured it was still working so I let it sit all night like that, but it was still only a blue background in the morning. Here is the report; please let me know if I should re-run ComboFix.



    ComboFix 10-10-22.04 - Will 10/22/2010 20:36:26.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1542 [GMT -7:00]
    Running from: C:\Documents and Settings\Will\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
    .

    2010-10-22 03:41:34 . 2010-10-22 03:41:34 -------- d-----w- C:\Documents and Settings\Will\Application Data\Malwarebytes
    2010-10-22 03:41:27 . 2010-04-29 22:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2010-10-22 03:41:26 . 2010-10-22 03:41:26 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2010-10-22 03:41:25 . 2010-10-22 03:41:30 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
    2010-10-22 03:41:25 . 2010-04-29 22:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
    2010-10-22 03:31:58 . 2010-09-07 15:12:17 38848 ----a-w- C:\WINDOWS\avastSS.scr
    2010-10-22 03:24:39 . 2010-09-07 14:52:03 165584 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
    2010-10-22 03:24:39 . 2010-09-07 14:47:07 17744 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2010-10-22 03:24:37 . 2010-09-07 14:47:46 23376 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
    2010-10-22 03:24:36 . 2010-09-07 14:52:25 46672 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
    2010-10-22 03:24:35 . 2010-09-07 14:47:19 100176 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
    2010-10-22 03:24:35 . 2010-09-07 14:47:16 94544 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
    2010-10-22 03:24:34 . 2010-09-07 14:46:51 28880 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
    2010-10-22 03:24:20 . 2010-09-07 15:11:54 167592 ----a-w- C:\WINDOWS\system32\aswBoot.exe
    2010-10-22 03:24:14 . 2010-10-22 03:24:14 -------- d-----w- C:\Program Files\Alwil Software
    2010-10-22 03:24:14 . 2010-10-22 03:24:14 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Alwil Software
    2010-10-22 03:07:56 . 2010-10-22 03:07:56 -------- d-----w- C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla
    2010-10-22 01:51:14 . 2010-10-22 01:51:14 -------- d-s---w- C:\Documents and Settings\NetworkService\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ------- Sigcheck -------

    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 07:24:00 20480]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-17 02:29:54 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 19:01:14 67584]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 13:08:42 1347584]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 21:30:44 282624]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 17:13:32 1032192]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 16:48:02 761947]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 22:41:22 45056]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 01:29:52 49152]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 06:05:00 127035]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 15:44:02 249856]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 15:44:02 81920]
    "avast5"="C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 15:12:02 2838912]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-9-25 24576]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
  5. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    esets report

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ec4d0776e2c94243ad98c54672a28f2a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-23 04:14:35
    # local_time=2010-10-23 09:14:35 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=42773
    # found=0
    # cleaned=0
    # scan_time=1118
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please update and run Malwarebytes again. The malware entry it found says No Action Taken. Please pay particular attention to the line:
    Be sure that everything is checked, and click Remove Selected.

    The Combofix report isn't complete, so I would like you to run it again: Before you do, please run another MBR check with this:

    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni

    Order for programs:
    1. Rescan with Malwarebytes
    2. Run Bootkit Remover
    3. Rescan with ComboFix
    Leave all logs pasted in next replies. Okay to use multiple posts.
  7. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Updated and ran the test again. I checked all the boxes.
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4945

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    10/25/2010 1:43:52 PM
    mbam-log-2010-10-25 (13-43-52).txt

    Scan type: Quick scan
    Objects scanned: 147629
    Time elapsed: 6 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  8. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    bootkit remover

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

    Size Device Name MBR Status
    --------------------------------------------
    110 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
  9. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    combofix report

    ComboFix 10-10-24.06 - Will 10/25/2010 14:17:53.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1671 [GMT -7:00]
    Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4


    ((((((((((((((((((((((((( Files Created from 2010-09-25 to 2010-10-25 )))))))))))))))))))))))))))))))
    .

    2010-10-25 20:05 . 2010-10-25 20:05 -------- d-----w- c:\program files\ACDSee32
    2010-10-25 19:58 . 2004-08-04 06:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-10-23 15:47 . 2010-10-23 15:47 -------- d-----w- c:\program files\ESET
    2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\Will\Application Data\Malwarebytes
    2010-10-22 03:41 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-22 03:41 . 2010-10-25 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-22 03:41 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-22 03:31 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-10-22 03:24 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-10-22 03:24 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-10-22 03:24 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-22 03:24 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-22 03:24 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-10-22 03:24 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-10-22 03:24 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-10-22 03:24 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\program files\Alwil Software
    2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-10-22 03:07 . 2010-10-22 03:07 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\Mozilla
    2010-10-22 01:51 . 2010-10-22 01:51 -------- d-s---w- c:\documents and settings\NetworkService\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-23_04.20.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-25 21:23 . 2010-10-25 21:23 16384 c:\windows\Temp\Perflib_Perfdata_888.dat
    + 2005-08-16 09:18 . 2010-10-25 20:39 61590 c:\windows\system32\perfc009.dat
    - 2005-08-16 09:18 . 2010-10-23 03:07 61590 c:\windows\system32\perfc009.dat
    + 2010-10-25 19:58 . 2004-08-04 06:08 26496 c:\windows\system32\drivers\USBSTOR.SYS
    + 2010-10-25 19:45 . 2010-10-25 21:22 2580 c:\windows\SoftwareDistribution\EventCache\{E619B0B5-62FB-436E-AA67-284E5EC2B7BB}.bin
    + 2010-10-24 13:48 . 2010-10-24 21:23 2580 c:\windows\SoftwareDistribution\EventCache\{A1A57006-0910-47D1-8C36-AA5DFC1F16F1}.bin
    + 2005-08-16 09:18 . 2010-10-25 20:39 400090 c:\windows\system32\perfh009.dat
    - 2005-08-16 09:18 . 2010-10-23 03:07 400090 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-25 24576]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/21/2010 8:24 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/21/2010 8:24 PM 17744]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4060925
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\x03jkyfw.default\
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-25 14:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
    Windows 5.1.2600

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D80446]<<
    1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk0\DR0[0x89E01AB8]
    2 ntkrnlpa[0x804EEF9C] -> CLASSPNP.SYS[0xBA0E905B] -> \Device\Harddisk0\DR0[0x89E01AB8]
    3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> [0x89DE89A8]
    \Driver\atapi[0x89D91270] -> IRP_MJ_CREATE -> 0x89D80446
    4 ntkrnlpa[0x804EEF9C] -> UNKNOWN[0x89D80449] -> [0x89DE89A8]
    kernel: MBR read successfully
    detected hooks:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS541612J9SA00_________________SBDOC74P#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
    \Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
    \Driver\atapi DriverStartIo -> 0x89D80292
    \Driver\atapi -> atapi.sys @ 0xb9f117b4
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
    SecurityProcedure -> ntkrnlpa.exe @ 0x80582a26
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
    SecurityProcedure -> ntkrnlpa.exe @ 0x80582a26
    NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9e09ba0
    PacketIndicateHandler -> NDIS.sys @ 0xb9e16b21
    SendHandler -> NDIS.sys @ 0xb9df487b
    user != kernel MBR !!!
    sectors 231496394 (+255): user != kernel

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(888)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\stsystra.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-25 14:26:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-25 21:25

    Pre-Run: 73,141,604,352 bytes free
    Post-Run: 73,063,165,952 bytes free

    - - End Of File - - 85B62259481FD7FF5A21015F01A6DF8E
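The two MBR checks in this thread (Bootkit Remover in the post above, and GMER's mbr.exe run inside the ComboFix log just posted) both report the same condition: the master boot record read through the normal user-mode path differs from what the kernel reads below the disk filter, which is the signature of a bootkit that hooks disk I/O. The following Python is an added example, not code from the thread, from GMER or from eSage Lab. It parses the plain-text reports the two tools print and reduces them to a verdict, so a triage script can flag the mismatch, the first disagreeing sector and the affected device mechanically instead of by eye. It assumes only the output format as it appears in this thread (the `user != kernel MBR` / `user & kernel MBR OK` lines, the `sectors N (+count)` line, and the `Size Device Name MBR Status` table with its `Controlled by rootkit!` status); the sample reports embedded below are constructed from the lines in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MbrVerdict:
    """Result of reading one MBR-detector report."""
    tool: str
    compromised: bool = False
    devices: List[str] = field(default_factory=list)   # physical drives named in the report
    bad_sector: Optional[int] = None                   # first sector where user != kernel (GMER only)
    evidence: List[str] = field(default_factory=list)  # raw report lines that drove the verdict


# GMER prints one such line per disagreeing sector range: "sectors N (+count): user != kernel"
GMER_SECTOR_RE = re.compile(r"^sectors (\d+) \(\+\d+\): user != kernel$")
# Bootkit Remover's table row: "<size> \\.\PhysicalDriveN <status text>"
REMOVER_ROW_RE = re.compile(r"^(\d+\s*[KMGT]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$")


def parse_gmer_mbr(text: str) -> MbrVerdict:
    """Classify a GMER 'Stealth MBR rootkit detector' (mbr.exe) report.

    The tool reads sector 0 twice, once through the normal user-mode path and
    once from inside the kernel below any filter driver, and compares the two.
    A clean disk prints 'user & kernel MBR OK'; a disk whose I/O is being
    filtered by a bootkit prints 'user != kernel MBR !!!' plus the sector ranges.
    """
    v = MbrVerdict(tool="gmer-mbr")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user != kernel MBR"):
            v.compromised = True
            v.evidence.append(line)
        elif line == "user & kernel MBR OK":
            v.evidence.append(line)
        else:
            m = GMER_SECTOR_RE.match(line)
            if m:
                v.compromised = True
                if v.bad_sector is None:
                    v.bad_sector = int(m.group(1))
                v.evidence.append(line)
    return v


def parse_bootkit_remover(text: str) -> MbrVerdict:
    """Classify an eSage Bootkit Remover report from its per-drive status table."""
    v = MbrVerdict(tool="bootkit-remover")
    for raw in text.splitlines():
        line = raw.strip()
        m = REMOVER_ROW_RE.match(line)
        if not m:
            continue
        _size, device, status = m.groups()
        v.devices.append(device)
        # "Controlled by rootkit!" is the wording seen in the thread; any other status is left unflagged.
        if "controlled by rootkit" in status.lower():
            v.compromised = True
            v.evidence.append(line)
    return v


def triage(reports: List[MbrVerdict]) -> str:
    """Combine per-tool verdicts; one positive from either tool is enough to escalate."""
    hits = [r for r in reports if r.compromised]
    if not hits:
        return "MBR consistent across all reports"
    parts = []
    for r in hits:
        detail = f"sector {r.bad_sector}" if r.bad_sector is not None else ", ".join(r.devices) or "unknown device"
        parts.append(f"{r.tool}: {detail}")
    return "MBR hidden by rootkit; " + "; ".join(parts)


# Constructed sample reports in the format the two tools print (assembled from lines in this thread).
GMER_COMPROMISED = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
Windows 5.1.2600

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D80292
user != kernel MBR !!!
sectors 231496394 (+255): user != kernel
"""

GMER_CLEAN = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

REMOVER_COMPROMISED = r"""
Bootkit Remover
Program version: 1.2.0.0

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Controlled by rootkit!
"""

if __name__ == "__main__":
    print(triage([parse_gmer_mbr(GMER_COMPROMISED), parse_bootkit_remover(REMOVER_COMPROMISED)]))
    print(triage([parse_gmer_mbr(GMER_CLEAN)]))
```

In practice the two reports would be read from the mbr.log and the pasted remover.exe output rather than from embedded strings. The parser deliberately does not interpret the `detected hooks:` section: GMER lists legitimate dispatch pointers (CLASSPNP, ACPI, NDIS) there as well, so the user-versus-kernel mismatch is the reliable indicator, and the hook list is context a human reviews afterwards.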
  10. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Please let me know if I did something wrong. And thank you very much for all your help!
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You didn't do anything wrong; I'm just running behind.
    Please do the following:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:

      @ECHO OFF
      START
      REM device name exactly as remover.exe prints it in its Size/Device Name table
      remover.exe fix \\.\PhysicalDrive0
      EXIT

    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.

    Do NOT reboot computer!

    Checking Combofix now.

    EDIT: Please don't do any more downloading while I'm working with you unless I instruct you to: (2010-10-25 20:05 -------- d-----w- c:\program files\ACDSee32)
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    Firefox::
    Firefox-: - Profile - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\x03jkyfw.default\
    
    DDS::
    uSearch Bar = 
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    mRun: [<NO NAME>] 
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Both Adobe Reader and Java are out of date. Please install the newest versions of each. Then go to Add/Remove Programs and uninstall any earlier versions of each:
    Visit this Adobe Reader site
    Check this site: Java Updates
  13. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

    Size Device Name MBR Status
    --------------------------------------------
    110 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
  14. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    ComboFix 10-10-27.A3 - Will 10/28/2010 11:58:19.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1672 [GMT -7:00]
    Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Will\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll"
    "c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk
    c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    c:\program files\java\jre1.5.0_06\bin\ssv.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
    .

    2010-10-25 23:28 . 2010-10-25 23:29 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\Adobe
    2010-10-25 20:05 . 2010-10-25 20:05 -------- d-----w- c:\program files\ACDSee32
    2010-10-25 19:58 . 2004-08-04 06:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-10-23 15:47 . 2010-10-23 15:47 -------- d-----w- c:\program files\ESET
    2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\Will\Application Data\Malwarebytes
    2010-10-22 03:41 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-22 03:41 . 2010-10-25 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-22 03:41 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-22 03:31 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-10-22 03:24 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-10-22 03:24 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-10-22 03:24 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-22 03:24 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-22 03:24 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-10-22 03:24 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-10-22 03:24 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-10-22 03:24 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\program files\Alwil Software
    2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-10-22 03:07 . 2010-10-22 03:07 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\Mozilla
    2010-10-22 01:51 . 2010-10-22 01:51 -------- d-s---w- c:\documents and settings\NetworkService\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-23_04.20.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-28 18:57 . 2010-10-28 18:57 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
    - 2005-08-16 09:18 . 2010-10-23 03:07 61590 c:\windows\system32\perfc009.dat
    + 2005-08-16 09:18 . 2010-10-25 20:39 61590 c:\windows\system32\perfc009.dat
    + 2010-10-25 19:58 . 2004-08-04 06:08 26496 c:\windows\system32\drivers\USBSTOR.SYS
    + 2010-10-26 20:06 . 2010-10-26 20:06 2580 c:\windows\SoftwareDistribution\EventCache\{E71E3D8D-0177-48B9-974B-23613D167D6D}.bin
    + 2010-10-25 19:45 . 2010-10-26 02:24 3866 c:\windows\SoftwareDistribution\EventCache\{E619B0B5-62FB-436E-AA67-284E5EC2B7BB}.bin
    + 2010-10-24 13:48 . 2010-10-24 21:23 2580 c:\windows\SoftwareDistribution\EventCache\{A1A57006-0910-47D1-8C36-AA5DFC1F16F1}.bin
    + 2010-10-28 18:46 . 2010-10-28 18:46 2580 c:\windows\SoftwareDistribution\EventCache\{1127E945-02AD-489B-B85A-65D3783E9AEF}.bin
    - 2005-08-16 09:18 . 2010-10-23 03:07 400090 c:\windows\system32\perfh009.dat
    + 2005-08-16 09:18 . 2010-10-25 20:39 400090 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-25 24576]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/21/2010 8:24 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/21/2010 8:24 PM 17744]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4060925
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\x03jkyfw.default\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-28 12:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D7C446]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(888)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-10-28 12:03:40
    ComboFix-quarantined-files.txt 2010-10-28 19:03
    ComboFix2.txt 2010-10-25 21:26

    Pre-Run: 72,874,745,856 bytes free
    Post-Run: 72,867,119,104 bytes free

    - - End Of File - - 34FBCAA3990E1FEB64B1B3943454E09C
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      
      @ECHO OFF
      REM device name as reported in the Bootkit Remover scan output
      START remover.exe fix \\.\PhysicalDrive0
      EXIT
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.

    Do NOT reboot computer!
    ===========================================
    The only problem you mentioned was not being able to get the Windows update. Has that improved? Do you have a malware-related problem?
  16. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    I still cannot access Windows Updates. When I try, it can't find the website. My computer will run for about 20 min before I get a "system 32" or something like that error and Windows stops working. If I go to Google and search for something, when I click on the results every single link will open at some advertisement site, even if the result shows an official link.
    I tried to restore an image from Ghost but the problem remains. I have a DVD saved with a Ghost image of my computer when it was fresh out of the box, and if I restore that image the problem persists. Should I format my hard drive, then boot to the Ghost startup disk and restore the image? I wish you could take over my computer like the support people at work do.
    Thank you again for all your help.


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

    Size Device Name MBR Status
    --------------------------------------------
    110 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
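    An added example (my own code, not from the thread, Gmer or eSage Lab) of what the two MBR checks in the logs above are doing: decoding sector 0, turning a partition's LBA into the byte offset that Bootkit Remover prints in its "at offset" line, and comparing a user-mode read of the sector with a lower-level read, which is the "user & kernel MBR OK" test in the mbr.exe section of the ComboFix log. The sample MBR, its boot-code bytes and the "infected" patch are constructed for the example; real tools obtain the two views via CreateFile on \\.\PhysicalDrive0 and via a kernel driver, here they are simply two byte strings.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, disk_signature: int, partitions) -> bytes:
    """Assemble one 512-byte MBR: 440 bytes of boot code, 4-byte disk
    signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA."""
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b"".join(
        struct.pack(PARTITION_ENTRY, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")[:64]
    return code + struct.pack("<IH", disk_signature, 0) + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the partition table. Each entry's
    byte offset (LBA * 512) is what Bootkit Remover shows in its 'at offset' line."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PARTITION_ENTRY, sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR_SIZE,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def compare_mbr_views(user_view: bytes, kernel_view: bytes) -> str:
    """The idea behind the 'user & kernel MBR OK' line: sector 0 is read once
    through the normal I/O path and once as low in the storage stack as possible.
    A bootkit that hooks disk reads hands the original, clean sector to callers
    above its hook, so the two views differ."""
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    if u["boot_code_sha256"] != k["boot_code_sha256"]:
        return "MBR mismatch: boot code seen from user mode differs from the sector on disk"
    if u["partitions"] != k["partitions"]:
        return "MBR mismatch: partition table seen from user mode differs from the sector on disk"
    return "user & kernel MBR OK"


# Constructed sample, not a dump from the machine in the thread: a Dell-style
# layout with a utility partition at LBA 63 and the NTFS system volume at
# LBA 96390, which is exactly the 0x02f10c00 byte offset in the output above.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")  # stub, not a real loader
SAMPLE_LAYOUT = [
    (0x00, 0xDE, 63, 96327),           # Dell utility partition
    (0x80, 0x07, 96390, 230_000_000),  # bootable NTFS volume C:, about 110 GB
]


def sample_mbr() -> bytes:
    return build_mbr(CLEAN_BOOT_CODE, 0x1A2B3C4D, SAMPLE_LAYOUT)


def infected_mbr() -> bytes:
    """Same partition table, but the first bytes of boot code are replaced by a
    jump, the way an MBR bootkit redirects boot to a loader it stashed in
    unpartitioned sectors. Constructed patch, not real malware."""
    patched = bytes.fromhex("eb3e90") + CLEAN_BOOT_CODE[3:]
    return build_mbr(patched, 0x1A2B3C4D, SAMPLE_LAYOUT)


if __name__ == "__main__":
    info = parse_mbr(sample_mbr())
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} offset 0x{p['byte_offset']:08x}")
    print(compare_mbr_views(sample_mbr(), sample_mbr()))
    print(compare_mbr_views(sample_mbr(), infected_mbr()))
```

    The comparison only catches a bootkit that filters reads of sector 0. If the hook is absent or the tool reads below it, both views are the infected sector and they agree; the complementary check is hashing the boot code and comparing it with a known-good copy of the OEM loader, so both checks belong in a scan.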
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're not going to find that on a free forum that is staffed with volunteers!

    Part of the problem is that you are attempting to work on the system while I am in the process of trying to help you. And when you comment "i get a system 32 or something like that error", that doesn't help either one of us! I'd like you to do the following in the order I have set up> and nothing else:

    1. Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    2. Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.
    (Courtesy rev-Olie)
    =============================================
    Please repeat remover.exe- I had some extra digits in the code:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      @ECHO OFF
      REM device name as reported in the Bootkit Remover scan output
      START remover.exe fix \\.\PhysicalDrive0
      EXIT
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.

    Do NOT reboot computer!
    =============================================
    I notice you still have SP2> are you trying to get SP3?
    Don't attempt to get the updates- let me check these logs and see if we can narrow the problem down. If you want to get remote assistance, call the Geek Squad, but be prepared to pay for the help. Most of those support people get paid by someone and remote assistance is more in depth than help on a free forum like this, where we are all volunteers with different levels of experience.
  18. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    ESET log

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ec4d0776e2c94243ad98c54672a28f2a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-23 04:14:35
    # local_time=2010-10-23 09:14:35 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=42773
    # found=0
    # cleaned=0
    # scan_time=1118
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ec4d0776e2c94243ad98c54672a28f2a
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-10-31 01:56:09
    # local_time=2010-10-30 06:56:09 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=46164
    # found=0
    # cleaned=0
    # scan_time=1875
  19. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    test

    Vino's Event Viewer v01c run on Windows XP in English
    Report run at 30/10/2010 7:38:54 PM

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 30/10/2010 6:37:23 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.
  20. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Log: 'Application' Date/Time: 30/10/2010 6:28:50 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.
  21. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Vino's Event Viewer v01c run on Windows XP in English
    Report run at 30/10/2010 7:38:54 PM

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 30/10/2010 6:37:23 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 30/10/2010 6:28:50 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 30/10/2010 6:20:38 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

    Log: 'Application' Date/Time: 30/10/2010 6:20:38 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

    Log: 'Application' Date/Time: 30/10/2010 6:18:03 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

    Log: 'Application' Date/Time: 30/10/2010 6:18:03 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

    Log: 'Application' Date/Time: 30/10/2010 6:05:18 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 30/10/2010 10:54:40 AM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

    Log: 'Application' Date/Time: 30/10/2010 10:54:40 AM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

    Log: 'Application' Date/Time: 30/10/2010 9:52:14 AM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 29/10/2010 7:37:57 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

    Log: 'Application' Date/Time: 29/10/2010 7:37:56 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

    Log: 'Application' Date/Time: 29/10/2010 7:25:11 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 29/10/2010 7:19:14 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 29/10/2010 6:58:12 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 28/10/2010 12:18:55 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 28/10/2010 12:10:13 PM
    Type: error Category: 0
    Event: 5 Source: crypt32
    Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt> with error: The connection with the server was terminated abnormally

    Log: 'Application' Date/Time: 28/10/2010 12:07:55 PM
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00021260.

    Log: 'Application' Date/Time: 28/10/2010 11:45:30 AM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    Log: 'Application' Date/Time: 27/10/2010 9:13:06 PM
    Type: error Category: 0
    Event: 2004 Source: PerfNet
    Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 30/10/2010 6:06:16 PM
    Type: error Category: 6
    Event: 16 Source: Windows Update Agent
    Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

    Log: 'System' Date/Time: 28/10/2010 11:57:54 AM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 28/10/2010 11:50:53 AM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 27/10/2010 9:26:10 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 27/10/2010 6:37:55 PM
    Type: error Category: 6
    Event: 16 Source: Windows Update Agent
    Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

    Log: 'System' Date/Time: 25/10/2010 2:17:41 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 25/10/2010 2:14:14 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 25/10/2010 1:35:08 PM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Network Security service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 25/10/2010 1:34:45 PM
    Type: error Category: 0
    Event: 1 Source: sr
    The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

    Log: 'System' Date/Time: 24/10/2010 6:48:02 AM
    Type: error Category: 6
    Event: 16 Source: Windows Update Agent
    Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

    Log: 'System' Date/Time: 21/10/2010 8:33:58 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The MSSQL$MICROSOFTSMLBIZ service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 21/10/2010 8:33:58 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 21/10/2010 8:33:57 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 21/10/2010 8:33:57 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 21/10/2010 8:31:59 PM
    Type: error Category: 0
    Event: 7006 Source: Service Control Manager
    The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

    Log: 'System' Date/Time: 21/10/2010 8:31:59 PM
    Type: error Category: 0
    Event: 7006 Source: Service Control Manager
    The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

    Log: 'System' Date/Time: 21/10/2010 8:31:58 PM
    Type: error Category: 0
    Event: 7006 Source: Service Control Manager
    The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

    Log: 'System' Date/Time: 21/10/2010 8:25:17 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The MSSQL$MICROSOFTSMLBIZ service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 21/10/2010 8:25:17 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 21/10/2010 8:25:16 PM
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
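    Reading the report above by hand is slow, so here is an added example (my own code, not VEW's or anything from the thread) that parses VEW's four-line records, counts them by source and event ID, and maps the recurring ones to concrete things to check. The sample embedded in the block is an excerpt of the log posted above; the triage rules are my own, and the checks they suggest (hosts file, DNS, network filters, a service's ImagePath and registry-key ACL) are general ones rather than a diagnosis of this particular machine.

```python
import re
from collections import Counter
from datetime import datetime

# Excerpt of the VEW report posted above (dates are dd/mm/yyyy, as the report notes).
SAMPLE_VEW = """\
Log: 'Application' Date/Time: 30/10/2010 6:20:38 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Log: 'Application' Date/Time: 30/10/2010 6:05:18 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 28/10/2010 12:10:13 PM
Type: error Category: 0
Event: 5 Source: crypt32
Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt> with error: The connection with the server was terminated abnormally

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 30/10/2010 6:06:16 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 25/10/2010 1:35:08 PM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Network Security service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 25/10/2010 1:34:45 PM
Type: error Category: 0
Event: 1 Source: sr
The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Log: 'System' Date/Time: 21/10/2010 8:31:59 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\S+) Category: (?P<category>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<event>\d+) Source: (?P<source>.+)$")


def parse_vew(text: str) -> list:
    """Decode VEW's four-line records (header, type, event/source, message).
    Banner and '~~~~' separator lines never match a header, so they are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, i = [], 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        t = TYPE_RE.match(lines[i + 1]) if h and i + 3 < len(lines) else None
        e = EVENT_RE.match(lines[i + 2]) if t else None
        if not e:
            i += 1
            continue
        records.append({
            "log": h["log"],
            "when": datetime.strptime(h["when"], "%d/%m/%Y %I:%M:%S %p"),
            "type": t["type"],
            "event": int(e["event"]),
            "source": e["source"],
            "message": lines[i + 3],
        })
        i += 4
    return records


def summarize(records: list) -> Counter:
    """Count (source, event id) pairs; the repeat offenders are where to start."""
    return Counter((r["source"], r["event"]) for r in records)


def triage(records: list) -> list:
    """Map recurring errors to things worth checking; returns (tag, detail) pairs."""
    findings = []
    root = [r for r in records if r["source"] == "crypt32" and r["event"] in (5, 8) and "windowsupdate.com" in r["message"]]
    wua = [r for r in records if r["source"] == "Windows Update Agent" and r["event"] == 16]
    if root or wua:
        findings.append(("update-blocked", f"{len(root)} crypt32 fetch failures from windowsupdate.com and {len(wua)} Windows Update Agent connect failures; if ordinary browsing works, check the hosts file, DNS settings and installed network filters (LSP/NDIS) before blaming the network"))
    for r in records:
        stamp = f"{r['when']:%Y-%m-%d %H:%M}"
        scm = r["source"] == "Service Control Manager"
        if scm and r["event"] == 7023 and "module could not be found" in r["message"]:
            findings.append(("missing-service-image", f"{stamp}: a service's binary is missing; look up its ImagePath under HKLM\\SYSTEM\\CurrentControlSet\\Services"))
        elif scm and r["event"] == 7006 and "Access is denied" in r["message"]:
            findings.append(("service-key-acl", f"{stamp}: SCM could not write FailureActions; check the ACL on that service's registry key"))
        elif r["source"] == "sr" and r["event"] == 1:
            findings.append(("restore-filter-stopped", f"{stamp}: System Restore stopped monitoring a volume, so restore points after this may be unusable"))
    return findings


if __name__ == "__main__":
    recs = parse_vew(SAMPLE_VEW)
    for (source, event), n in summarize(recs).most_common():
        print(f"{n:3d}  {source} / event {event}")
    for tag, detail in triage(recs):
        print(f"[{tag}] {detail}")
```

    The point of the update-blocked rule is the combination: crypt32 cannot fetch the root list from windowsupdate.com while the same machine reaches Google, which is the pattern to look at before assuming an outage. Paste the whole VEW report into SAMPLE_VEW (or read it from a file) and the same functions work on it unchanged.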
  22. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Sorry about pasting parts of the VEW log before pasting the complete log. My computer was timing out when I tried to post the entire log, so I had to use a friend's computer to post it.
  23. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

    Size Device Name MBR Status
    --------------------------------------------
    110 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
  24. SurgeonG

    SurgeonG TS Rookie Topic Starter Posts: 32

    Bobbye,
    I may have been messing something up. When you tell me to run remover.exe, I have been clicking on the bootkit_remover application. It opens up a little black box really fast, then ends. It always lists drive C as controlled by a rootkit. It says that to disinfect the master boot sector, use the following command: remover.exe fix <device name>

    Is that something I should be doing? If so, where do I go to type that in? I am sorry if I should have been doing that all along and wasting your time. I really do appreciate your help and time.
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There are 3 parts to the Bootkit Remover:

    1. The scan, which gives the information about the MBR
    2. Creating a batch file, saving, naming.
    This is what is saved as fix.bat
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT

    The command begins with @ECHO and ends with EXIT and is named fix.bat. The device is PhysicalDrive0

    3. The 'remover' part is when you double-click on the fix.bat file to run it.

    So here is the last part:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      
      @ECHO OFF
      START remover.exe fix \\.\PhysicalDrive0    
      EXIT
      
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output. It is possible that when you run it again, it may not be fixed and may require other action. Just be sure the code in fix.bat is correct.

    Do NOT reboot computer!