TechSpot

[Active] Virus? Safe mode screen is 3/4 blocked

Discussion in 'Virus and Malware Removal' started by steveow, Nov 22, 2010.

  1. Bobbye Helper on the Fringe

    If you're not using the program, it should be uninstalled. That does not mean you have to delete any of the pictures. When you transfer pictures from the camera, the Hardware Wizard will open for the camera and you allow the computer to accept it. Be sure the PlugNPlay Service is set to Automatic Startup. But any image folders won't be affected. If you have old images still on the system, you can delete what you want yourself.

    Following the processes for you to check in HJT, please refer to Startup Cleanup to finish. Please print it out to make it easier to follow.

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (See Note 1)
    C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (See Note 2)
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (See Note 3)
    O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O20 - Winlogon Notify: !SASWinLogon - Invalid registry found (Note 2)
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    (Note 1)

    Close all Windows except HijackThis and click on "Fix Checked."
    ============================================
    Descriptions:
    Note 1:The ACDaemon is automatically started when the ArcSoft Connect application is started. This program is a non-essential system process. Removing it from startup can significantly increase your computer’s performance and reliability.

    Note 2: I'm having you remove Superantispyware because it has bad Registry entry. You can download the free version again HERE, but know that SUPERAntiSpyware Free Edition does not include real-time blocking or scheduled scanning.

    Note 3: "HP's exclusive Share-to-Web software makes it easy to share content with others through our affiliate Internet websites." In other words an application that allows users to upload scanned images to their personal webpages if desired. Available via Start -> Programs
    =================================
    Startup Cleanup
    NOTE: I'm using NAME of PROGRAM as an example below because I wanted to give you the path for a related Service. But the same path and process can be used for any program. I wanted you to understand where to look and what to do.

      [1]. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      [2]. Take off Startup: All of the image related processes, all Askbar/Ask.com entries
    • Start> Run> type in msconfig>enter> Selective Startup> Startup menu>
    • Uncheck any process you don't want to start on boot>
    • When finished with all the unchecking> click on Apply> OK
      (Example: you decide you don't need NAME of PROGRAM to start on boot: so you Uncheck NAME of Process)

      [3]. Uninstall a program: Nikon, Olympus, ARCSoft, Askbar
    • Start> Settings> Control Panel> Add/Remove Programs> uninstall here> Close
      (But you don't want to uninstall the EasyShare so you leave it- you can start it as needed)

      [4]. Remove program folder (only if program is uninstalled (Nikon, Olympus, ARCSoft, Ask)>
    • Access Windows Explorer: Right click on Start> Explore:
    • Open My Computer> double click on Local Drive (C)> Programs
    • Find the folder for any program you uninstalled> do a right click> Delete on each folder.
    • Close Windows Explorer.

      [5]. Change Service Startup type
    • Start> Run> type in services.msc
    • Double click the Service> Change the Startup type as follows:
      [o]For a Service related to a program you will use as needed but does not start on boot> Manual (if Kodak EasyShare or PhotoExplosion has a Service, set to Manual)
      [o]For a Service related to a program you have uninstalled> Disable Startup type> stop Service (ArcSoft Connect Daemon)
    • Close Services.
    (Example: C:\Program Files NAME has a Service that will start it automatically, but you want to change that: so you find SERVICE name in the Services and double-click: Change Automatic to Manual)

    Reboot the computer back into Normal Mode. NOTE: the first time you reboot after using msconfig, you get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Summary:

      [1]. Boot into Safe Mode first.
      [2]. Uncheck the process on the Start menu to stop the process from starting on boot.
      [3]. uninstall any program or app you don't need or use,
      [4]. Remove the program folder if you uninstalled the program.
      [5]. Change any associated Service to either Disabled or Manual Startup.

    This is not complicated! It's step by step, easy to follow.
    Let me know when you've finished and we'll clean up.
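The HijackThis entries listed above are the same few programs hooked in several places at once (a Run key, a Startup-folder shortcut, a BHO, a toolbar, a service), which is why the post goes on to uninstall them and disable their services rather than only ticking lines. As an added example, not code from the thread or from HijackThis itself, the script below parses the O2/O3/O4/O20/O23 line formats quoted in the post, resolves the file each hook loads, and groups the hooks by the folder under Program Files they live in, so every startup hook belonging to one vendor is reviewed together before "Fix checked". The sample log is constructed from the entries quoted above; the function names are the example's own.

```python
"""Triage a HijackThis 'system scan only' log by program.

Added example for this thread; it is not HijackThis code and the function
names are the author's own. SAMPLE_LOG is constructed from the entries
quoted in the post above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
""".strip()

# One regex per HJT line shape; 'name' is the hook's label, 'target' what it launches.
_LINE_RULES = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9a-fA-F-]+\} - (?P<target>.+)$")),
    ("O3", re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{[0-9a-fA-F-]+\} - (?P<target>.+)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")),
    ("O4", re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>\w+)\) - (?P<company>.+?) - (?P<target>.+)$")),
]
# Executable/DLL inside a command line: quoted path, or unquoted path up to its extension.
_FILE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|sys|cpl))(?:\s|$)', re.IGNORECASE)
# Vendor folder directly under Program Files (Common Files\<vendor> counts as <vendor>).
_PROGDIR = re.compile(r"^[A-Za-z]:\\Program Files\\(?:Common Files\\)?(?P<dir>[^\\]+)", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    name: str
    path: Optional[str]  # file the hook loads; None when nothing resolvable (e.g. "Invalid registry found")
    raw: str


def _file_of(target: str) -> Optional[str]:
    m = _FILE.match(target.strip())
    if not m:
        return None
    return m.group("q") or m.group("u")


def parse_hjt(text: str):
    """Parse the supported O-sections into Entry objects, in log order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, rule in _LINE_RULES:
            m = rule.match(line)
            if m:
                entries.append(Entry(section, m.group("name"), _file_of(m.group("target")), line))
                break
    return entries


def group_by_program(entries):
    """Bucket hooks by the Program Files folder they load from; unresolvable ones go to '(unresolved)'."""
    groups = defaultdict(list)
    for e in entries:
        m = _PROGDIR.match(e.path or "")
        groups[m.group("dir") if m else "(unresolved)"].append(e)
    return dict(groups)


def entries_matching(entries, keyword: str):
    """Raw log lines to tick for one vendor (e.g. 'ask', 'olympus'), matched on name or path."""
    k = keyword.lower()
    return [e.raw for e in entries if k in (e.path or "").lower() or k in e.name.lower()]


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for folder, hooks in sorted(group_by_program(ents).items()):
        print(f"{folder}:")
        for e in hooks:
            print(f"  {e.section:<4} {e.name:<32} {e.path or '(no file: fix this entry)'}")
```

Entries that resolve to no file at all (here the O20 Winlogon Notify line marked "Invalid registry found") land in the "(unresolved)" bucket, which is the set worth fixing regardless of vendor: a Winlogon Notify hook that points at nothing still gets evaluated at logon.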
  2. steveow Newcomer, in training

    OK, bobbye, it's done. However, some programs in Add/Remove would not remove while in safe mode. The ones that didn't I went to normal mode and then right back to safe mode.
    Now in safe mode Services.msc I accidentally single clicked on the manual/auto tab and everything went to auto. I then reclicked it hoping to get back to how it was, but no dice as it changed everything to manual. Not sure how, but the first 30 or 40 are in manual and then some are disabled and then the rest are auto. I don't know what to do there. Is it possible that they were restored to how they were when I got there but just in order of manual or auto?
    Most of those programs I don't even know what the heck they are.
    Now what?
  3. steveow Newcomer, in training

    Fri. 4:22pm. I just turned my computer on for the first time since last night and that dang $1000 Walmart Winner banner appeared again. And for some reason most of the spam garbage is entering my sbcglobal.net email.
    I will head over to the restricted sites and see if that works. I'm learning
  4. Bobbye Helper on the Fringe

    If you didn't put these domains in the restricted Sites, please do it now.

    Where does the Walmart banner appear? When it does:
    • Click on Start> Run> type in taskmgr> OK.
    • Double click on the frame at the top of the Processes column to sort
    • Find hotfix.exe and click to Highlight >>> see if this appears
    • Click on End Task

    I need to know if Think Point is still on the system. I'd also like you to try and run the scans in Normal Mode. As you probably know, all the processes don't run in Safe Mode.

    What did you do of the instructions I gave you in my Reply #21? Did you reboot the computer after finishing it? 5 days ago, I listed entries in the HJT log to be checked. Did you do that? Then I followed with Startup Cleanup How much of this did you do- if any?

    I "assumed", that the Walmart banner stopped after you restricted the Domains, but now it sound like my assumption was wrong- it was only a 'coincidence', making the 'a out of you and me', as it tends to do!

    Please run the Eset scan again. It will require internet connection.

    If you still have Combofix on the desktop, I'd like you to rescan with it, after update: Follow this since you already have it:
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
      [o] If Combofix asks you to update the program, always allow.
    • Before you click on continuing to Scan: Disable the security.
    • Click on Scan
    • A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Regarding spam in the mail-
    Isn't sbcglobal.net email web-based email? A web based email is only as good as the filters from the ISP.
  5. steveow Newcomer, in training

    Thank you for your reply, Bobbye.
    I'm on a friends computer. Couldn't get back Sat as I had a boat parade to attend.

    Everything was done up to #5. During that process is when it didn't go as planned. I accidentally clicked the column that turned everything into auto. I then clicked it again hoping to get a return to what it was but of course it wouldn't. The first app. 30 or so said auto and the next app. 10 or 15 said manual and then a few disabled. When I went back to normal mode there was a message that appeared with an apostrophe, a period, a bold dot and another apostrophe. The message said it could not run that set of marks "specified in the registry" I'd X it out and it would come back again.

    Normal mode gets the desktop background picture and that's it. Safe mode is very very slow and very little opens.
    Now what?
  6. Bobbye Helper on the Fringe

    I think I figured out what you're referring to here and no harm done!! You just sorted the Services into groups for Automatic, Manual and Disabled. One click sorts in Ascending order, double click sorts in Descending order. If you scroll down the column, you should see the other groups.

    Let me give you something comparable so you'll understand how sorting works:
    Right click on the Taskbar> Task Manager> Processes tab> click once on the frame above the Memory column>> the column will sort in ascending order with the higher numbers as you go down. If you double click the same column, now you'll sort the memory usage with the most at the top, getting less as you go down the column.

    You didn't change any settings- just the order they were in. That's what you did in the Services Startup column! When the contents of a column are text, it will sort alphabetically and Automatic starts with A so that is the first group. Whew!! It took me a while to figure that one out! So Services have not been changed. When you want to actually change the Startup type of a Service, you need to double click on the Service itself, not the column. Once it's open, you can make the change there.

    OK?
  7. steveow Newcomer, in training

    Ok, Bobbye,
    I kind of figured the "auto/manual" mess up was not too serious since it was only my preference during start up.

    Some progress:
    By accident this afternoon I found that if I wait about 10 minutes Normal mode desktop appears. So I was able to run ESET and TDSS.

    I cannot connect to the Net and there's not much else I can do in normal mode, however, I was able to view and pencil down the meat and potatoes of the scans and post them using the other computer for you. Like before I did not clean ESET. TDSS scan was moved to quarantine.

    ESET:
    remove_checked=false
    archives_checked=false
    unwanted_checked=true
    unsafe_checked=false
    anti-stealth_checked=true
    UTC_time=2010-12-13 7:42:04
    local time=11:42:04
    US
    Lang 1033 Service Pack 3
    compatibility=mode-crash
    scanned 112587
    Found 1
    cleaned=0
    c:\Documents&Settings\networkservice.NT\authority\localsettings\tempfiles\content.IE5\LitozBJ8\dsgfhfsgju[2].htm

    TDSS:
    ROOTKIT.WIN32.Backboot.gen\HardDisk0 copied to quarantine

    I hope this helps.
    And I sure do appreciate you taking the time to help me with this. You're right this malware is very tenacious.
    steveow
  8. Bobbye Helper on the Fringe

    What was the malware found on this entry?
    c:\Documents&Settings\networkservice.NT\authority\localsettings\tempfiles\content.IE5\LitozBJ8\dsgfhfsgju[2].htm

    For instance, I found one Eset log with the same entry, followed by the name of the malware- like this:
    #
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLH0Z8QF\dsgfhfsgju[1].htm JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    #
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLH0Z8QF\dsgfhfsgju[2].htm JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


    I need to know because there may be a special way to clean, such as if it's the JS/TrojanDownloader.
    =======================================
    Will you please give me a description of the current problems you are having? What has improved- is anything?
    Where is the TDSSKiller log? Where is the Combofix rescan?
  9. steveow Newcomer, in training

    crap! Forgot to turn the page for the rest of the eset results.

    ESET.....JS/TROJANDOWNLOADER.AGENT.NWG.trojan 00000000000000000000000000 I

    TDSS LOG: Had to get a flash drive for this.

    2010/12/14 18:29:52.0421 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
    2010/12/14 18:29:52.0421 ================================================================================
    2010/12/14 18:29:52.0421 SystemInfo:
    2010/12/14 18:29:52.0421
    2010/12/14 18:29:52.0421 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/14 18:29:52.0421 Product type: Workstation
    2010/12/14 18:29:52.0421 ComputerName: STEVE-0B6026E53
    2010/12/14 18:29:52.0421 UserName: steve r warner
    2010/12/14 18:29:52.0421 Windows directory: C:\WINDOWS
    2010/12/14 18:29:52.0421 System windows directory: C:\WINDOWS
    2010/12/14 18:29:52.0421 Processor architecture: Intel x86
    2010/12/14 18:29:52.0421 Number of processors: 2
    2010/12/14 18:29:52.0421 Page size: 0x1000
    2010/12/14 18:29:52.0421 Boot type: Normal boot
    2010/12/14 18:29:52.0421 ================================================================================
    2010/12/14 18:29:52.0608 Initialize success
    2010/12/14 18:30:29.0306 ================================================================================
    2010/12/14 18:30:29.0306 Scan started
    2010/12/14 18:30:29.0306 Mode: Manual;
    2010/12/14 18:30:29.0306 ================================================================================
    2010/12/14 18:30:30.0212 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/14 18:30:30.0290 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/12/14 18:30:30.0399 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/14 18:30:30.0493 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/14 18:30:30.0618 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2010/12/14 18:30:30.0977 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/12/14 18:30:31.0212 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/14 18:30:31.0243 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/14 18:30:31.0352 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/14 18:30:31.0415 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/14 18:30:31.0602 avgio (afa456a6210abe5798561a5758517340) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
    2010/12/14 18:30:31.0680 avgntflt (906f73c4f6b8ba5daabc41a1f04cecfe) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
    2010/12/14 18:30:31.0790 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/14 18:30:31.0915 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/14 18:30:32.0024 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/14 18:30:32.0196 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/14 18:30:32.0680 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/14 18:30:33.0243 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/14 18:30:33.0352 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/14 18:30:33.0399 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/12/14 18:30:33.0461 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/14 18:30:33.0555 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/14 18:30:33.0649 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/14 18:30:33.0743 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/12/14 18:30:33.0868 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/14 18:30:33.0930 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/12/14 18:30:34.0024 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/14 18:30:34.0055 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/12/14 18:30:34.0133 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/12/14 18:30:34.0227 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
    2010/12/14 18:30:34.0258 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/14 18:30:34.0321 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/14 18:30:34.0414 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2010/12/14 18:30:34.0461 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/12/14 18:30:34.0571 HdAudAddService (9131ede087af04a7d80f7ebadc164254) C:\WINDOWS\system32\drivers\HdAudio.sys
    2010/12/14 18:30:34.0649 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/12/14 18:30:34.0727 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/12/14 18:30:34.0899 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/12/14 18:30:35.0055 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/12/14 18:30:35.0117 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/12/14 18:30:35.0367 IntcAzAudAddService (1ed9ac45c69e650d4f12d1114132622b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/12/14 18:30:35.0414 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/12/14 18:30:35.0492 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/12/14 18:30:35.0539 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/12/14 18:30:35.0602 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/12/14 18:30:35.0664 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/12/14 18:30:35.0696 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/12/14 18:30:35.0758 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/12/14 18:30:35.0836 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/12/14 18:30:35.0883 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/12/14 18:30:35.0930 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/12/14 18:30:35.0977 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/12/14 18:30:36.0055 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/12/14 18:30:36.0117 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/12/14 18:30:36.0367 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/12/14 18:30:36.0461 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/12/14 18:30:36.0524 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/12/14 18:30:36.0570 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/12/14 18:30:36.0617 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/12/14 18:30:36.0695 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/12/14 18:30:36.0805 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/12/14 18:30:36.0883 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/12/14 18:30:36.0945 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/12/14 18:30:37.0008 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/12/14 18:30:37.0055 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/12/14 18:30:37.0148 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/12/14 18:30:37.0195 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/12/14 18:30:37.0242 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/12/14 18:30:37.0320 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/12/14 18:30:37.0367 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/12/14 18:30:37.0398 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/12/14 18:30:37.0461 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/12/14 18:30:37.0492 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/12/14 18:30:37.0601 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/12/14 18:30:37.0758 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/12/14 18:30:37.0805 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/14 18:30:37.0883 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/14 18:30:38.0039 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/14 18:30:38.0180 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/14 18:30:38.0242 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/14 18:30:38.0289 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/12/14 18:30:38.0336 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/12/14 18:30:38.0383 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/14 18:30:38.0445 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/14 18:30:38.0476 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/14 18:30:38.0586 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
    2010/12/14 18:30:38.0648 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/12/14 18:30:38.0992 pfc (957b82ec80ad7ead64e5e47df6b0dc40) C:\WINDOWS\system32\drivers\pfc.sys
    2010/12/14 18:30:39.0086 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/14 18:30:39.0148 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/14 18:30:39.0195 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/14 18:30:39.0445 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/12/14 18:30:39.0523 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/12/14 18:30:39.0570 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/12/14 18:30:39.0632 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/12/14 18:30:39.0679 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/12/14 18:30:39.0726 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/12/14 18:30:39.0789 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/12/14 18:30:39.0882 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/12/14 18:30:40.0414 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/12/14 18:30:40.0664 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    2010/12/14 18:30:40.0757 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    2010/12/14 18:30:40.0976 SASDIFSV (c030c9a39e85b6f04a8dd25d1a50258a) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2010/12/14 18:30:41.0038 SASENUM (e9c2d75c748c3f0a4c34d6cf2ae1d754) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2010/12/14 18:30:41.0085 SASKUTIL (64c100dbf57c6cb6e7d5d24153f5e444) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2010/12/14 18:30:41.0195 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/12/14 18:30:41.0304 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2010/12/14 18:30:41.0413 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/12/14 18:30:41.0570 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/12/14 18:30:41.0648 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/12/14 18:30:41.0757 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/12/14 18:30:41.0866 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
    2010/12/14 18:30:41.0960 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/12/14 18:30:41.0991 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/12/14 18:30:42.0273 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/12/14 18:30:42.0398 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/12/14 18:30:42.0476 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/12/14 18:30:42.0507 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/12/14 18:30:42.0569 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/12/14 18:30:42.0788 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/12/14 18:30:42.0882 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/12/14 18:30:42.0991 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
    2010/12/14 18:30:43.0069 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/12/14 18:30:43.0132 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
    2010/12/14 18:30:43.0194 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/12/14 18:30:43.0288 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/12/14 18:30:43.0335 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
    2010/12/14 18:30:43.0429 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/12/14 18:30:43.0522 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/12/14 18:30:43.0554 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/12/14 18:30:43.0616 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/12/14 18:30:43.0663 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/12/14 18:30:43.0804 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/12/14 18:30:43.0944 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/12/14 18:30:44.0054 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/12/14 18:30:44.0319 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2010/12/14 18:30:44.0429 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/12/14 18:30:44.0475 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/12/14 18:30:44.0804 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
    2010/12/14 18:30:44.0866 ================================================================================
    2010/12/14 18:30:44.0866 Scan finished
    2010/12/14 18:30:44.0866 ================================================================================
    2010/12/14 18:30:44.0897 Detected object count: 1
    2010/12/14 18:31:04.0176 \HardDisk0 - copied to quarantine
    2010/12/14 18:31:04.0176 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Quarantine

    The Combofix I have no idea what that is. It's not on my computer.

    The problems I'm having now are:
    I can't get on the internet.
    Normal Mode (app 10-15 for desktop to appear) is very very slow except the Start Tab...Acc, My PC, Control Panel etc etc....all is fast there.
    I can run all the Scans quickly, but SAS will only scan 1 file per minute in Memory. After 19 files ( and 17mins) of scanning I closed it. Same thing in Safe Mode.

    Here's one more thing that may be a problem. When I went to burn CD's last week (just before my PC went on the blink again) it would only burn the 1st song and then tell me to put in a blank CD...many times over.......NOW** once from my music library a damn porno started via Windows Media Player. What the heck is that doing in my music library?

    There you go, bobbye.
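The TDSSKiller log above has two kinds of lines worth separating: the inventory of loaded kernel drivers (service name, MD5, path) and the detection itself. As an added example, not part of the thread or of TDSSKiller, the script below parses both, lists the drivers that load from outside the Windows directory (here the Avira and SUPERAntiSpyware filter drivers, which are expected but are the ones to hash-check if anything else looks off), and reports what the detection was made on. The detected object is \HardDisk0, the physical disk, rather than any .sys file, which is why no driver line in the log carries the verdict: the finding is in the disk's boot code, not in a loaded driver. The sample log is a constructed excerpt of the log posted above; the function names are the example's own.

```python
"""Parse a TDSSKiller log and separate the driver inventory from detections.

Added example for this thread; it is not TDSSKiller code and the function
names are the author's own. SAMPLE_LOG is a constructed excerpt of the log
posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
2010/12/14 18:30:30.0212 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/14 18:30:31.0602 avgio (afa456a6210abe5798561a5758517340) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
2010/12/14 18:30:40.0976 SASDIFSV (c030c9a39e85b6f04a8dd25d1a50258a) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/14 18:30:42.0398 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/14 18:30:44.0804 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
2010/12/14 18:30:44.0866 Scan finished
2010/12/14 18:30:44.0897 Detected object count: 1
2010/12/14 18:31:04.0176 \HardDisk0 - copied to quarantine
2010/12/14 18:31:04.0176 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Quarantine
""".strip()

# Every line starts with "YYYY/MM/DD HH:MM:SS.ffff "; the three shapes we care about follow it.
_TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
_DRIVER = re.compile(_TS + r"(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
_DETECT = re.compile(_TS + r"(?P<obj>\S+) - detected (?P<verdict>\S+) \((?P<count>\d+)\)$")
_ACTION = re.compile(_TS + r"(?P<verdict>\S+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Driver:
    name: str  # service/driver name as registered
    md5: str   # hash TDSSKiller computed for the file, usable for a reputation lookup
    path: str


@dataclass
class Detection:
    obj: str      # file path, or \HardDiskN for a disk-level (boot code) finding
    verdict: str


def parse_tdss(text: str):
    """Return (drivers, detections, actions); actions maps detected object -> chosen action."""
    drivers, detections, actions = [], [], {}
    for line in text.splitlines():
        m = _DRIVER.match(line)
        if m:
            drivers.append(Driver(m["name"], m["md5"].lower(), m["path"]))
            continue
        m = _DETECT.match(line)
        if m:
            detections.append(Detection(m["obj"], m["verdict"]))
            continue
        m = _ACTION.match(line)
        if m:
            actions[m["obj"]] = m["action"]
    return drivers, detections, actions


def third_party_drivers(drivers, windows_dir: str = r"C:\WINDOWS"):
    """Kernel drivers not loaded from the Windows directory: review these, they are not necessarily bad."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return [d for d in drivers if not d.path.lower().startswith(prefix)]


def summarize(text: str):
    drivers, detections, actions = parse_tdss(text)
    return {
        "drivers": len(drivers),
        "third_party": [d.name for d in third_party_drivers(drivers)],
        "detections": [(d.obj, d.verdict, actions.get(d.obj, "none")) for d in detections],
        # \HardDiskN names the physical disk: the finding is in its boot code, not in a .sys file.
        "disk_level": any(d.obj.lower().startswith(r"\harddisk") for d in detections),
        # Detections the user never acted on (no "User select action" line) still need handling.
        "unhandled": [d.obj for d in detections if d.obj not in actions],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "unhandled" list is the check to run on a log before declaring a scan done: a detection line with no matching "User select action" line means the tool found something and the prompt was skipped.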
  10. steveow Newcomer, in training

    I was able to connect. Not sure how, but it did. I can connect almost everytime now and sometimes I get redirected (walmart) and sometimes not. And my desktop comes up quick too.

    I downloaded ComboFix.exe from BleepingComputer and it will not run because there is a Virus Ranger 3.6 that is running. The Internet said that's an infection. I thought I'd give it a go, but ComboFix said it's corrupted and can't run.
  11. Bobbye Helper on the Fringe

    This is also known as VirusBurst, which is an anti-spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version. The program is generally installed by a Trojan that automatically downloads and installs the program.

    If you are infected with this program you will receive warnings in your taskbar stating that you are infected with spyware and to run its special anti-spyware tool. This tool turns out to be the commercial version of VirusBurst. These warnings are fake and are a goad to have you buy the commercial version of this software. The current text for these alerts is "System detected virus activities. They may cause critical system failure. Please, use antimalware software to clean and protect your system from parasite programs. Click this baloon to get all available software."

    This is an example of the alert: [image of the VirusBurst alert, courtesy bleepingcomputer]

    Please go to this section Automated Removal Instructions on THIS SITE and follow the automatic removal instructions.

    You will be guided through downloading and running Tools Needed for this fix:
    * Roguescanfix (VirusBurst Removal Tool)
    * smitRem.exe
    * FixVB.reg

    Please follow this well-written guide. When completed, come back and we'll try to have you do what you cannot do now.
  12. steveow Newcomer, in training

    Roguescanfix will not download. The other 2 are on my desktop waiting.
    When I click the highlighted Roguescanfix_setup.exe I'm directed to the Bleeping Computer sign-in page for their forums.
    I've tried it many many times and the same thing. It looks like the manual doesn't need it, but I'd prefer the Automatic method.

    I'm getting tempted to backup my files and pictures etc and toss the hard drive in the trash.
  13. Bobbye Helper on the Fringe

    Sorry I didn't get back to you sooner. If you had the setup on the desktop, something must have downloaded. But after doing a trip around the internet, I see that you cannot get the valid exe file for the roguescanfix setup.exe starting with that link. Sometimes these authors go elsewhere and the link becomes invalid. But I found him and his program:

    http://users.telenet.be/Beamerke/tools/roguescanfix_setup.exe

    Please delete the one you have on your desktop, then download this and proceed with the double click to run it. The directions there are pretty straightforward:
    1. Download roguescanfix_setup.
    2. Double click roguescanfix_setup to install it.
    3. After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.
    4. When you start roguescanfix.bat you'll see a menu:
      1. Run Roguescanfix
      2. Run sharedtasksrem
    5. Choose option 1 by typing "1".

    Let me know if that works for you. I've sent a note to bleepingcomputer to let them know the link is no good.
  14. steveow Newcomer, in training

    No biggy, Bobbye. Grandma passed..funeral...parents in town...Xmas.....Whew!

    Update: I haven't been able to connect with my PC to the net for several days now. I was getting that "Virus Alert....blah blah...Please download" etc. I'd use Task Manager to stop it by ending the random-lettered process. After many times it finally shut down Task Manager. Just today I decided to mess with it again and in safe mode (normal mode froze) I went to Hijack and found that same Task Manager random-lettered gibberish in two spots. At this time I was in the mindset to copy my pictures etc and buy a new hard drive and start over, so I ran Hijack's 'Fix Selected' not really caring if I'd screw something up. Well, now I'm able to bring up the desktop in normal mode. So I guess let's fix this PC.

    One thing....I can't connect to the net, so what do I do now?
    One more thing. I tried to run ESET the other day and it said the proxy is not configured. That was just before I was hammered with the task manager headache.

    thanks!
    steveo
  15. steveow Newcomer, in training

    Well, what do I do about connecting to the net to download the Roguescanfix program? Don't know if this helps, but in Task Manager "System Idle Process" is running at 99%; everything else is 00. However, I was finally able to get SAS to run after I was in Hijack and found a WinLogon Notify !SASWinLogon - Invalid Registry. I hit fix selected and now my SAS is running full speed, which hasn't happened in weeks.

    Now, how do we know if lsass.exe is the small i or Isass is the legitimate small L? Reading up on here about this isass infection. It is in my Task Manager and I don't know if it's legit or not.
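The question in the post above, lower-case L versus capital I in lsass.exe, is a check a responder can script rather than eyeball. Task Manager on Windows XP shows only the image name, so the list has to come from something that also shows the full path, such as the "Running processes" section at the top of a HijackThis log or Process Explorer. The following is an added example, not the poster's or the helper's code: it takes (image name, full path) pairs, collapses confusable characters so that Isass.exe, svch0st.exe and similar compare equal to the real name, and flags a real name running from the wrong folder or anything running from a Temp folder. It assumes C:\WINDOWS as the system root (the usual XP layout) and that the core processes listed live where XP installs them; the process list is constructed for the example.

```python
from typing import List, Tuple

# Legitimate Windows XP core processes and the folder each must run from
# (lower-cased; C:\WINDOWS is assumed as the system root).
KNOWN_SYSTEM = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Characters commonly swapped in to make a name look right at a glance:
# capital I, digit 1 or a pipe for lower-case L, zero for o, 5 for s, 3 for e.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def skeleton(name: str) -> str:
    """Collapse confusable characters so look-alike names compare equal (case-insensitive)."""
    return name.lower().translate(CONFUSABLES)


def classify(name: str, path: str) -> List[str]:
    """Return the reasons a process (image name, full path) deserves a second look; empty if none."""
    findings: List[str] = []
    lname = name.lower()
    folder = path.lower().rsplit("\\", 1)[0]
    if lname in KNOWN_SYSTEM:
        # Exact real name: the only question is whether it runs from the real location.
        if folder != KNOWN_SYSTEM[lname]:
            findings.append(f"known name running from unexpected folder: {path}")
    else:
        # Not a real system name: does it merely look like one?
        for known in KNOWN_SYSTEM:
            if skeleton(known) == skeleton(lname):
                findings.append(f"lookalike of {known}")
    # Rogue AV droppers commonly run from a Temp folder (heuristic, not proof of infection).
    if "temp" in folder.split("\\"):
        findings.append("running from a Temp folder")
    return findings


def audit(processes: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over a process list and keep only the flagged entries."""
    flagged = []
    for name, path in processes:
        findings = classify(name, path)
        if findings:
            flagged.append((name, path, findings))
    return flagged


# Constructed sample (not the poster's process list): image name and full path,
# as HijackThis or Process Explorer would show them.
SAMPLE_PROCESSES = [
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("Isass.exe", r"C:\WINDOWS\system32\Isass.exe"),   # capital I, not lower-case L
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svch0st.exe", r"C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe"),
    ("lsass.exe", r"C:\Documents and Settings\user\lsass.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("xkqwpz.exe", r"C:\Documents and Settings\user\Local Settings\Temp\xkqwpz.exe"),
]

if __name__ == "__main__":
    for name, path, findings in audit(SAMPLE_PROCESSES):
        print(f"{name:14} {path}\n    " + "\n    ".join(findings))
```

The skeleton comparison is deliberately applied to both sides, so a real name such as winlogon.exe still equals itself after its own i is collapsed; only a name that is not exactly a known one but collapses to one is reported as a lookalike. A clean lsass.exe in C:\WINDOWS\system32 produces no findings at all.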
  16. steveow Newcomer, in training

    Bobbye,

    Forget the above gibberish, what I really need is some instruction on how to connect to the internet so I can get to the RogueScanFix download. When I try it always says, "Internet Explorer can't display web page." All connections to router etc are diagnosed as working.

    I've done some investigation for my own learning interests (not deleting anything or changing any setting that I can't go right back to) and my PC tells me HTTP port 80, HTTPS port 443 and FTP port 21 is(?) the problem due to firewall settings. In CP > Windows Firewall...it just says it's on. My knowledge ends there. Hope that info helps.

    Here's something interesting regarding ESET. Last night, while I was milling around my PC, I went to ESET again and hit scan and then focused on the TV football games; well, I dozed off a while and saw that ESET found and deleted 2 infections. This time it did not stop the scan due to a bad proxy. I wish I hadn't cleaned them so you could see....if it even matters at this point. I'm now running another one without cleaning just in case you may want to see it.

    steveo
  17. Bobbye Helper on the Fringe

    My sympathy for the passing of your loved one.

    We should now try to get back on course. It would be best if you not run scans unless I instruct you to and that you follow the directions specifically. Hopefully I'll pick up whatever the Eset scan found previously. Perhaps you now see why one of the directions for that scan is not to remove entries that are found.
  18. steveow Newcomer, in training

    I'll have to get a flash drive to transfer the scans.
    I should have it pasted here Sun or Mon.

    thanks