
Inactive reboot loop

Discussion in 'Malware and Virus Removal Archive' started by kjvinson, 2010/10/20.

Thread Status:
Not open for further replies.
  1. 2010/10/31
    kjvinson

    kjvinson Inactive Thread Starter

    Joined:
    2010/10/20
    Messages:
    18
    Likes Received:
    0
    I just did a reboot and it booted into Windows with no problems (no boot loop).
    No other issues. I haven't tried to shut down and then boot up.
    Should I go for it?
     
  2. 2010/10/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go ahead and let me know.
     


  4. 2010/10/31
    kjvinson Inactive Thread Starter
    No problems!!!!!!
    Thank you so much!
     
  5. 2010/10/31
    broni Moderator Malware Analyst
    Good news indeed, but we just barely made your computer more stable.
    We still have things to do.

    Update MBAM, run "Quick scan" and post a fresh log.

    See if GMER will run now. Let me know.
     
  6. 2010/10/31
    kjvinson Inactive Thread Starter
    MBAM log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5010

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/31/2010 10:08:54 PM
    mbam-log-2010-10-31 (22-08-54).txt

    Scan type: Quick scan
    Objects scanned: 157971
    Time elapsed: 16 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 48
    Registry Values Infected: 5
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ab3dfa03-f743-4302-81dd-c370bffeca23} (Adware.Starware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e550dc77-ef3b-474f-b59c-b3e2aa1fa6a5} (Adware.Starware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Spam Blocker (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)
     
  7. 2010/10/31
    broni Moderator Malware Analyst
    Let me know about GMER...
     
  8. 2010/11/01
    kjvinson Inactive Thread Starter
    I have the GMER log, but apparently it is too long (355120 characters), so I am trying to figure out how to split it up to post.
     
  9. 2010/11/01
    broni Moderator Malware Analyst
  10. 2010/11/04
    kjvinson Inactive Thread Starter
    broni,
    http://www.filedropper.com/gmerlog
     
    Last edited by a moderator: 2010/11/04
  11. 2010/11/04
    broni Moderator Malware Analyst
    GMER log looks good :)

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/


    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    • Close SUPERAntiSpyware.
    • Restart the computer in Safe Mode.
      To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    • Open SUPERAntiSpyware.
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Copy and paste the Scan Log results in your next reply with a new HijackThis log.
    • Click Close to exit the program.

    Post SUPERAntiSpyware log.

    ==============================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.
     
  12. 2010/11/05
    kjvinson Inactive Thread Starter
    I just posted the SUPERAntiSpyware log, but it is not showing.
    Here is the MBR log:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000007fd

    Kernel Drivers (total 194):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF7AD0000 \WINDOWS\system32\KDCOM.DLL
    0xF79E0000 \WINDOWS\system32\BOOTVID.dll
    0xF74A1000 ACPI.sys
    0xF7AD2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7490000 pci.sys
    0xF75D0000 isapnp.sys
    0xF7B98000 pciide.sys
    0xF7850000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7AD4000 aliide.sys
    0xF7AD6000 cmdide.sys
    0xF7AD8000 toside.sys
    0xF7ADA000 viaide.sys
    0xF7ADC000 intelide.sys
    0xF75E0000 MountMgr.sys
    0xF7471000 ftdisk.sys
    0xF7ADE000 dmload.sys
    0xF744B000 dmio.sys
    0xF7858000 PartMgr.sys
    0xF75F0000 VolSnap.sys
    0xF79E4000 cpqarray.sys
    0xF7433000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF741B000 atapi.sys
    0xF79E8000 aha154x.sys
    0xF7860000 sparrow.sys
    0xF79EC000 symc810.sys
    0xF7600000 aic78xx.sys
    0xF79F0000 dac960nt.sys
    0xF7610000 ql10wnt.sys
    0xF79F4000 amsint.sys
    0xF7868000 asc.sys
    0xF79F8000 asc3550.sys
    0xF7870000 mraid35x.sys
    0xF7878000 i2omp.sys
    0xF79FC000 ini910u.sys
    0xF7620000 ql1240.sys
    0xF7630000 aic78u2.sys
    0xF7880000 symc8xx.sys
    0xF7888000 sym_hi.sys
    0xF7890000 sym_u3.sys
    0xF7898000 ABP480N5.SYS
    0xF78A0000 asc3350p.sys
    0xF7AE0000 cd20xrnt.sys
    0xF7640000 ultra.sys
    0xF7402000 adpu160m.sys
    0xF78A8000 dpti2o.sys
    0xF7650000 ql1080.sys
    0xF7660000 ql1280.sys
    0xF7670000 ql12160.sys
    0xF78B0000 perc2.sys
    0xF7AE2000 perc2hib.sys
    0xF78B8000 hpn.sys
    0xF7A00000 cbidf2k.sys
    0xF73D6000 dac2w2k.sys
    0xF7680000 disk.sys
    0xF7690000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF73B6000 fltmgr.sys
    0xF73A4000 sr.sys
    0xF76A0000 PxHelp20.sys
    0xF738D000 KSecDD.sys
    0xF7300000 Ntfs.sys
    0xF72D3000 NDIS.sys
    0xF76B0000 sisagp.sys
    0xF76C0000 viaagp.sys
    0xF76D0000 ohci1394.sys
    0xF76E0000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF72B9000 Mup.sys
    0xF7298000 kmxstart.sys
    0xF76F0000 agp440.sys
    0xF7700000 alim1541.sys
    0xF7710000 amdagp.sys
    0xF7720000 agpCPQ.sys
    0xF77F0000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF71F8000 \SystemRoot\system32\DRIVERS\processr.sys
    0xF6B0E000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF6AFA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF79C0000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6AD6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF79C8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7750000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF6D1C000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF6D0C000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6AB3000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6A7D000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xF697E000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xF68D6000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF79D0000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF68C4000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
    0xF668E000 \SystemRoot\system32\drivers\ALCXWDM.SYS
    0xF666A000 \SystemRoot\system32\drivers\portcls.sys
    0xF6CFC000 \SystemRoot\system32\drivers\drmk.sys
    0xF79D8000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF6656000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF6CEC000 \SystemRoot\system32\DRIVERS\dfmirage.sys
    0xF7CE1000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF6CDC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7AC0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF663F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF6CCC000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF6CBC000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF78F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF662E000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF6CAC000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF78F8000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7900000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF65FE000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF6C9C000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7908000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7910000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7B12000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF65A0000 \SystemRoot\system32\DRIVERS\update.sys
    0xF71C8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7790000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF77A0000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7B14000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF6FBC000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xEE4A3000 \SystemRoot\System32\DRIVERS\kmxagent.sys
    0xF6FB0000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF77E0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF7920000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xEE444000 \SystemRoot\System32\DRIVERS\kmxcfg.sys
    0xEE433000 \SystemRoot\System32\DRIVERS\KmxFile.sys
    0xF7C3E000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
    0xF7C41000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
    0xEE3C3000 \SystemRoot\System32\DRIVERS\kmxfw.sys
    0xF6FA8000 \SystemRoot\System32\Drivers\VETFDDNT.SYS
    0xF7B1E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xEE30F000 \SystemRoot\System32\Drivers\VETEFILE.SYS
    0xF7A80000 \SystemRoot\System32\Drivers\VET-REC.SYS
    0xF7950000 \SystemRoot\System32\Drivers\VET-FILT.SYS
    0xEE2E9000 \SystemRoot\System32\Drivers\VETMONNT.SYS
    0xEE2C9000 \SystemRoot\System32\Drivers\VETEBOOT.SYS
    0xF7C72000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B36000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7938000 \SystemRoot\System32\drivers\vga.sys
    0xF7B46000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B56000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7958000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7960000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xEE568000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEE296000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEE23D000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEE1ED000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEE1C7000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xEE1A5000 \SystemRoot\System32\drivers\afd.sys
    0xF7968000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xEE183000 \??\C:\Documents and Settings\Owner.YOUR-BBD3C46115\Desktop\SASKUTIL.SYS
    0xF7238000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7970000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF7978000 \??\C:\Documents and Settings\Owner.YOUR-BBD3C46115\Desktop\SASDIFSV.SYS
    0xF7228000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xF7980000 \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
    0xF7218000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEE15F000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF7998000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF79A0000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
    0xEE548000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xEE0E4000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xF7AA4000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF79A8000 \SystemRoot\system32\DRIVERS\point32.sys
    0xF7AA8000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF7AAC000 \SystemRoot\system32\DRIVERS\sfloppy.sys
    0xF7AB0000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xF79B8000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF7918000 \SystemRoot\system32\DRIVERS\HPZius12.sys
    0xEE538000 \SystemRoot\system32\DRIVERS\HPZid412.sys
    0xF7AB4000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
    0xEE07C000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7AF6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xEE229000 \SystemRoot\System32\drivers\Dxapi.sys
    0xEE42B000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C76000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF054000 \SystemRoot\System32\ati2cqag.dll
    0xBF093000 \SystemRoot\System32\atikvmag.dll
    0xBF0C9000 \SystemRoot\System32\ati3duag.dll
    0xBF34D000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xEBE2A000 \SystemRoot\System32\DRIVERS\KmxSbx.sys
    0xEBEA8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xEBA3D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7B64000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEB606000 \SystemRoot\System32\DRIVERS\KmxCF.sys
    0xEB587000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEB5F6000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xEB0EA000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEBA7A000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEB19F000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF716F000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB9EC5000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 68):
    0 System Idle Process
    4 System
    576 C:\WINDOWS\system32\smss.exe
    984 csrss.exe
    1204 C:\WINDOWS\system32\winlogon.exe
    1456 C:\WINDOWS\system32\services.exe
    1516 C:\WINDOWS\system32\lsass.exe
    1028 C:\WINDOWS\system32\ati2evxx.exe
    1056 C:\WINDOWS\system32\svchost.exe
    1548 svchost.exe
    1876 C:\WINDOWS\system32\svchost.exe
    236 svchost.exe
    840 svchost.exe
    1620 C:\WINDOWS\system32\spoolsv.exe
    1788 C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    1824 C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    548 C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    672 C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    824 svchost.exe
    864 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    1464 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1920 C:\Program Files\Bonjour\mDNSResponder.exe
    452 C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\isafe.exe
    556 C:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exe
    1096 C:\WINDOWS\ehome\ehRecvr.exe
    1420 C:\WINDOWS\ehome\ehSched.exe
    592 C:\WINDOWS\system32\svchost.exe
    536 C:\WINDOWS\system32\svchost.exe
    1284 C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    184 C:\Program Files\Java\jre6\bin\jqs.exe
    636 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    744 C:\WINDOWS\system32\svchost.exe
    2388 C:\WINDOWS\system32\svchost.exe
    2932 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    3748 C:\WINDOWS\system32\svchost.exe
    716 C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\vetmsg.exe
    3528 C:\WINDOWS\system32\dllhost.exe
    3904 C:\WINDOWS\system32\ati2evxx.exe
    2968 alg.exe
    2660 C:\WINDOWS\explorer.exe
    3764 C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfsem.exe
    2964 C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    3176 C:\WINDOWS\system32\wuauclt.exe
    2432 C:\WINDOWS\ehome\ehtray.exe
    2880 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    3852 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    1860 C:\WINDOWS\zHotkey.exe
    2568 C:\WINDOWS\SOUNDMAN.EXE
    3024 C:\WINDOWS\ehome\ehmsas.exe
    1368 C:\Program Files\Microsoft IntelliPoint\point32.exe
    2260 C:\Program Files\Microsoft IntelliType Pro\type32.exe
    416 C:\Program Files\CA\eTrust Internet Security Suite\casc.exe
    3532 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    3928 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    272 C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\cavrid.exe
    3448 C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
    1136 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    2756 C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\CAPPActiveProtection.exe
    2752 C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-7.0.0.517\QOELoader.exe
    3776 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2244 C:\WINDOWS\system32\ctfmon.exe
    2512 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2936 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    3436 C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPCtlPriv.exe
    3540 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    2948 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    3572 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    1084 C:\Documents and Settings\Owner.YOUR-BBD3C46115\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`09b93c00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: WDCWD2000BB-22GUC0, Rev: 08.02D08

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Gateway MBR code detected
    SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD


    Done!
     
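Added example, not code from the thread and not part of MBRCheck: a small Python triage helper that reads the "Kernel Drivers" section of an MBRCheck report laid out like the one above and lists every driver whose image is not under the Windows directory. The report text inside it is a constructed excerpt (shortened user-profile path, hypothetical addresses) in the same format. In the real log the two Desktop entries, SASKUTIL.SYS and SASDIFSV.SYS, belong to SUPERAntiSpyware, which the user had just run, so a hit from this check is a prompt to verify the file, not a verdict.

```python
"""Triage helper for the 'Kernel Drivers' section of an MBRCheck report.

Added example for this thread; it is not MBRCheck's own code and was not
posted in the thread. SAMPLE_REPORT is a constructed excerpt that follows
the layout of the log posted above (one "0xADDRESS path" line per driver).
"""
import re
from typing import List, Tuple

# Constructed sample report (hypothetical addresses, shortened profile path).
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3
(c) 2010, AD

Kernel Drivers (total 6):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xF74A1000 ACPI.sys
0xF7298000 \SystemRoot\system32\DRIVERS\processr.sys
0xEE183000 \??\C:\Documents and Settings\Owner\Desktop\SASKUTIL.SYS
0xF7980000 \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 1):
4 System
"""

# A driver line is an 8-digit hex load address followed by the image path.
DRIVER_LINE = re.compile(r"^(0x[0-9A-Fa-f]{8})\s+(.+?)\s*$")


def parse_kernel_drivers(report: str) -> List[Tuple[str, str]]:
    """Return (load_address, path) pairs listed under 'Kernel Drivers'.

    The section runs from its header line to the first blank line.
    """
    drivers: List[Tuple[str, str]] = []
    in_section = False
    for line in report.splitlines():
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():
            break
        m = DRIVER_LINE.match(line)
        if m:
            drivers.append((m.group(1), m.group(2)))
    return drivers


def normalize_path(path: str) -> str:
    """Map the report's NT path spellings onto one lower-case form.

    Handles the \\??\\ prefix, the SystemRoot alias and a drive letter, so
    \\??\\C:\\WINDOWS\\x.sys, \\SystemRoot\\x.sys and \\WINDOWS\\x.sys compare equal.
    """
    p = path
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = "\\WINDOWS" + p[len("\\SystemRoot"):]
    p = re.sub(r"^[A-Za-z]:", "", p)  # C:\WINDOWS\... -> \WINDOWS\...
    return p.lower()


def is_expected_location(path: str) -> bool:
    """True when the driver image sits under the Windows directory.

    Assumption: a bare file name (e.g. ACPI.sys) is how MBRCheck lists
    boot-start drivers from system32\\drivers, so it counts as expected.
    """
    norm = normalize_path(path)
    if "\\" not in norm:
        return True
    return norm.startswith("\\windows\\")


def unusual_drivers(report: str) -> List[Tuple[str, str]]:
    """Drivers loaded from outside the Windows directory: items to review."""
    return [(addr, path) for addr, path in parse_kernel_drivers(report)
            if not is_expected_location(path)]


if __name__ == "__main__":
    for addr, path in unusual_drivers(SAMPLE_REPORT):
        print(f"review: {addr} {path}")
```

Run it against a saved MBRcheckxxxx.txt by reading the file into `unusual_drivers()`; each hit should be matched to a known product (here the scanner's own drivers) or checked on disk before drawing any conclusion.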
  13. 2010/11/05
    broni Moderator Malware Analyst
    Hmmm...try again, please.
     
  14. 2010/11/05
    kjvinson Inactive Thread Starter
    broni,
    Maybe it didn't post because I didn't post a "Hijack This" log?
    I don't know what that is.
     
  15. 2010/11/05
    broni Moderator Malware Analyst
    Try to repost the SUPERAntiSpyware log.
     
  16. 2010/11/05
    kjvinson Inactive Thread Starter
    SuperAntiSpyware log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/05/2010 at 08:48 PM

    Application Version : 4.45.1000

    Core Rules Database Version : 5818
    Trace Rules Database Version: 3630

    Scan type : Complete Scan
    Total Scan Time : 07:28:10

    Memory items scanned : 237
    Memory threats detected : 0
    Registry items scanned : 8273
    Registry threats detected : 0
    File items scanned : 131182
    File threats detected : 0
     
  17. 2010/11/05
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    NOTE.
    If, for some reason, Combofix refuses to run, try the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     