Win 7 icons lost/task manager disabled

June 30, 2011 at 18:51:23
Specs: Windows 7
I clicked on an e-mail link, and I was redirected, and now my icons are gone, and Task Manager is disabled. What should I do? I am running McAfee.




#1
June 30, 2011 at 23:01:10
droidus,

Download Unhide.exe and run it.
http://download.bleepingcomputer.co...

If the file does not download, paste the following (without brackets) in the address bar of your browser:
[http://download.bleepingcomputer.com/grinler/unhide.exe]

For Task Manager:

Click the Start button.
In the Search box, type Notepad, and then, in the list of results, double-click Notepad

Copy ALL of the following code, including the title, to Notepad:


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

[HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

Click on File (upper left) > Save as...
Save the file to the Desktop
Name it: tm.reg
Save as type: All files
Click the Save button
Exit out of Notepad

Right click on the tm.reg file on the Desktop, and select: Merge

Click on Run, Continue (UAC-Vista), or Yes (UAC-Windows 7), Yes, and then OK when prompted.

Restart the computer to apply.

When done, you can right-click > delete the tm.reg file.

Icons and TM OK now?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


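An added example, not part of this thread or of the tools the reply links to: a PowerShell script that looks at the same three DisableTaskMgr locations the tm.reg file above deletes from, reports which one is actually blocking Task Manager, and removes the value only when run with -Fix. It assumes PowerShell 3 or later and an elevated prompt (HKLM and HKEY_USERS\.DEFAULT are not writable otherwise); the script name Audit-TaskMgrPolicy.ps1 is only a suggestion.

```powershell
# Added example (not from the original post): audit the DisableTaskMgr policy
# value in the three hives that tm.reg clears, and remove it only with -Fix.
# Save as Audit-TaskMgrPolicy.ps1 and run from an elevated PowerShell prompt.
param([switch]$Fix)

# HKU: is not mapped as a drive by default; create it so HKEY_USERS\.DEFAULT is reachable.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Same three keys as the tm.reg file in the reply above.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "$key : key absent (no Task Manager restriction here)"
        continue
    }
    # Get-ItemProperty returns nothing when the named value does not exist.
    $value = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        Write-Output "$key : DisableTaskMgr not set"
    }
    elseif ($value.DisableTaskMgr -eq 1) {
        Write-Output "$key : DisableTaskMgr = 1 (Task Manager DISABLED)"
        if ($Fix) {
            # Equivalent of the "DisableTaskMgr"=- line in tm.reg: delete the value.
            Remove-ItemProperty -Path $key -Name DisableTaskMgr
            Write-Output "$key : DisableTaskMgr removed"
        }
    }
    else {
        Write-Output "$key : DisableTaskMgr = $($value.DisableTaskMgr) (not blocking)"
    }
}
```

Run .\Audit-TaskMgrPolicy.ps1 once to see which hive carries the restriction, then again with -Fix to clear it. On a domain-joined machine the value comes back at the next policy refresh if it is set through Group Policy, which points at an administrator setting rather than at malware.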

#2
July 1, 2011 at 16:00:18
So what I did was a system restore. Now in IE, it is redirecting him. Is this part of the same issue?


#3
July 1, 2011 at 19:28:28
... is this part of the same issue?

More than likely.

it is redirecting him

A little confused...Is this your computer, or somebody else's?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#4
July 1, 2011 at 19:57:47
Sorry, it's my dad's. I can type in an address, and it does not redirect. But when I Google search, for example, then click on a site, such as Dell, it redirects me...


#5
July 1, 2011 at 21:00:54
droidus,

No problem. Was just a little confused...

Please disable McAfee temporarily, so it does not interfere with the programs we are about to run.

Some AntiVirus disabling tips, if needed:
http://www.bleepingcomputer.com/for...


Now, try the following:

Please download TDSSKiller
http://support.kaspersky.com/downlo...
Save it to the Desktop.

Double-click on TDSSKiller.exe to run the program.
Vista/Windows 7 users, right-click the file, and select: Run As Administrator

Click the 'Start Scan' button.

Do not use the computer during the scan

If the scan completes with nothing found, click Close to exit.

When the scan finishes it displays a Scan results screen stating whether or not an infection was found on your computer.

To remove the infection, click on the Continue button.
If it does not say Cure on the results screen, leave it at the default action of Skip, and press the Continue button.

Do not change to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

Reboot to finish the cleaning process.

If no reboot is requested, click on: Report.

A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) is created and saved to the root directory (usually Local Disk C:).

>>Please provide the contents of TDSSKiller in your reply.<<


Now, re-start your computer.
Tap the F8 key before Windows starts, to bring up the Windows Advanced Options menu

Use the arrow keys to select Safe Mode with Networking

Press: Enter

In Safe Mode with Networking, download iExplore.exe, which is a renamed copy of RKill:
http://www.bleepingcomputer.com/dow...

If the file does not download, paste the following, >without the brackets<, in the address bar of your browser:
[http://www.bleepingcomputer.com/download/anti-virus/rkill]

Save the file to the Desktop, and double-click on it.
Ignore any messages, and allow the file to run until the command window closes.


Without a reboot, download Malwarebytes’ Anti-Malware (black button with green and white icon) Save to the Desktop:
http://download.cnet.com/Malwarebyt...

Double-click mbam-setup.exe and follow the prompts to install the program.

Run Malwarebytes’ Anti-Malware and update the program.
Once updated, select Perform Full Scan and click the scan button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the Remove Selected button to get rid of the malware.

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.


>>Please post the Malwarebytes log in your reply, so we can see where we are at, and plan any additional removal strategy.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#6
July 2, 2011 at 00:04:43
Hey buddy, I know the solution: just download or find "Security Task Manager" software and install it. After running, it will show all applications' activity; the virus which is not allowing the Task Manager to run will have the highest priority, with a doubtful name, version and publisher, so just kill that process, then restart the computer.
Note: There may be more than 2 or 3 viruses.


#7
July 2, 2011 at 07:31:39
So I can't run TDSSKiller in XP. I think it may be blocking it. We are logged on as admin.


#8
July 2, 2011 at 07:44:12
Should I follow this?: http://www.bleepingcomputer.com/for...


#9
July 2, 2011 at 09:00:26

Go into Safe Mode with Networking, and see if you can run TDSSKiller.

Post back on how it goes.

Are you on a 64-bit computer?

If you continue to have problems with TDSSKiller, just follow the rest of the instructions in Post #1.

Would have to look at the link you provided. Each case is different....

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#10
July 2, 2011 at 09:04:34
It's a 32-bit. I tried it in Safe Mode, but nothing happened. I even tried renaming it.
(I do have TM and my icons.)
I am using SuperAntiSpyware like they recommended in the post, and it has found 41 things. One is a gen-iexplorer[fake] and two others are trojans.


#11
July 2, 2011 at 12:37:40
droidus,

SAS is fine.

After the scan is complete, a summary box appears.
Click OK

Make sure everything in the white box has a check next to it, then click: Next
SAS quarantines what it found, and, if it asks if you want to reboot, click: Yes

To obtain the removal information please do the following:
-After reboot, double-click the SuperAntiSpyware icon on your desktop.
-Click Preferences > Statistics/Logs tab.
-Under Scanner Logs, double-click: SuperAntiSpyware Scan Log.
(It will open in your default text editor, preferably Notepad.)
Save the Notepad file to your Desktop by clicking (in Notepad) File > Save As...
Save the log on the Desktop.

Please Copy and Paste the SAS log, and provide it in your reply!!

We'll determine where to go from its results.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#12
July 3, 2011 at 17:04:09
It's kinda funny... removed the bad stuff, but yet, still have the issue. Will post the logs ASAP.


#13
July 3, 2011 at 17:17:20
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2011 at 12:32 PM

Application Version : 4.55.1000

Core Rules Database Version : 7365
Trace Rules Database Version: 5177

Scan type : Complete Scan
Total Scan Time : 01:05:13

Memory items scanned : 871
Memory threats detected : 0
Registry items scanned : 11154
Registry threats detected : 2
File items scanned : 37258
File threats detected : 39

Adware.Tracking Cookie
C:\Documents and Settings\Cookies\@ads.undertone[3].txt
C:\Documents and Settings\Cookies\NAME@ad.yieldmanager[2].txt
C:\Documents and Settings\Cookies\@media6degrees[2].txt
C:\Documents and Settings\Cookies\@yieldmanager[2].txt
C:\Documents and Settings\Cookies\@revsci[3].txt
C:\Documents and Settings\Cookies\@usatoday1.112.2o7[2].txt
C:\Documents and Settings\Cookies\@ru4[1].txt
C:\Documents and Settings\Cookies\@adbrite[1].txt
C:\Documents and Settings\Cookies\@revsci[4].txt
C:\Documents and Settings\Cookies\@admarketplace[1].txt
C:\Documents and Settings\Cookies\@content.yieldmanager[2].txt
C:\Documents and Settings\Cookies\@doubleclick[1].txt
C:\Documents and Settings\Cookies\@revsci[2].txt
C:\Documents and Settings\Cookies\@bridge1.admarketplace[1].txt
C:\Documents and Settings\Cookies\@pro-market[1].txt
C:\Documents and Settings\Cookies\@content.yieldmanager[3].txt
C:\Documents and Settings\Cookies\@ehg-verizon.hitbox[1].txt
C:\Documents and Settings\Cookies\@peoplefinders[1].txt
C:\Documents and Settings\Cookies\@revsci[1].txt
C:\Documents and Settings\Cookies\@ad.yieldmanager[3].txt
C:\Documents and Settings\Cookies\walter_boguslaw@advertising[2].txt
C:\Documents and Settings\Cookies\@zedo[2].txt
C:\Documents and Settings\Cookies\@serving-sys[1].txt
C:\Documents and Settings\Cookies\@ad.yieldmanager[1].txt
C:\Documents and Settings\Cookies\@yieldmanager[1].txt
C:\Documents and Settings\Cookies\@liveperson[3].txt
C:\Documents and Settings\Cookies\@liveperson[1].txt
C:\Documents and Settings\Cookies\@www.googleadservices[1].txt
C:\Documents and Settings\Cookies\@server.iad.liveperson[1].txt
C:\Documents and Settings\Cookies\@collective-media[2].txt
C:\Documents and Settings\Cookies\@collective-media[1].txt
C:\Documents and Settings\Cookies\@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Cookies\@advertising[1].txt
C:\Documents and Settings\Cookies\@ads.undertone[1].txt
C:\Documents and Settings\Cookies\@ehg.hitbox[1].txt
C:\Documents and Settings\Cookies\@hitbox[1].txt
C:\Documents and Settings\Cookies\@ehg-verizon.hitbox[2].txt

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

Trojan.Agent/Gen-IExplorer[Fake]
C:\DOCUMENTS AND SETTINGS\NAME\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\DOCUMENTS AND SETTINGS\NAME\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\EXPLORER.EXE



#14
July 3, 2011 at 20:10:17
droidus,

When you first posted, this is what you mentioned:

" ...redirected, and now my icons are gone, and task manager is disabled..."

Are you still having all three of these issues, or just the redirections?

Following Post #1 should take care of the icons and TM...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#15
July 4, 2011 at 05:19:47
It is just the redirection now. Sorry for the confusion.


#16
July 4, 2011 at 12:56:35
droidus,

Since your efforts with the different programs available have not been successful in curbing the malware, it's time to pull this tool out of the box...


Please download ComboFix:
http://download.bleepingcomputer.co...

Save to your Desktop

Be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed, to keep them from interfering with the repairs.

This can normally be done by right clicking the software's Taskbar icon, or accessing each software through Start - Programs.

Some tips if needed:
http://www.bleepingcomputer.com/for...

~~~~
Now, right-click ComboFix.exe and select 'Run as administrator' to run the program.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your Desktop, and if interrupted may leave your Desktop disabled. If this occurs, please reboot to restore the Desktop.

When the scan completes, and it may take a while, a text window with the CF log opens on your Desktop. The CF log is also found at C:\ComboFix.txt

>>Please post this log in your reply, so I can analyze it and let you know what to do next.<<

However, because of the potential size of this report, please upload ComboFix.txt to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix.txt file, and click: 'Open'

You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Copy the 'Download link' provided, and post it in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#17
July 4, 2011 at 15:35:08
It had an error writing to explorer.exe. What should I do? Abort or ignore?

Also, should I turn off my router since I won't have any of my virus protection on?



#18
July 4, 2011 at 17:15:02
Do not run ComboFix.

Instead, do the following:

Right-click the TaskBar, and select: Start Task Manager > Processes tab
Is explorer.exe running there? (Yes or No)


The following queries what entry is currently in the key responsible for launching explorer.exe as your shell at startup.

Please open Notepad ( Start > All Programs > Accessories > Notepad)

Copy all the text below to Notepad
Go to File > Save
Save to the Desktop
Save as expkey.bat
Save as type 'All files'
Click the Save button…
Close out of Notepad, and go to the Desktop


reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell >C:\expkey.txt
start C:\expkey.txt


On the Desktop, if using Vista/Windows 7, right-click expkey.bat and select: Run as Administrator

If using XP, double-click the file and allow it to run.

Please post the contents of the file C:\expkey.txt

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


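An added example, not from this thread: the same Winlogon check that expkey.bat does with reg query, written in PowerShell and extended to the Userinit value and to the per-user Shell value under HKCU, which Winlogon also honors. Instead of just printing the data, it splits each value on commas (Winlogon starts every entry listed) and flags anything that is not the stock entry: explorer.exe for Shell, <SystemRoot>\system32\userinit.exe for Userinit. It assumes PowerShell 3 or later; reading these values needs no elevation, so it can run as a normal user before deciding whether anything needs fixing.

```powershell
# Added example (not from the original post): audit the Winlogon values that
# decide which program is launched as the shell at logon.
$winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userWinlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32     = Join-Path $env:SystemRoot 'system32'

function Test-WinlogonValue {
    param(
        [string]$Path,
        [string]$Name,
        [string[]]$Expected   # entries that are allowed after splitting on commas
    )
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Key = $Path; Value = $Name; Data = '<absent>'; Status = 'ABSENT' }
    }
    $data = [string]($prop.$Name)
    # Winlogon runs each comma-separated entry; anything outside the expected set is suspect.
    $entries    = $data.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    $unexpected = $entries | Where-Object { $Expected -notcontains $_ }   # case-insensitive
    $status = if ($unexpected) { 'SUSPECT: ' + ($unexpected -join '; ') } else { 'OK' }
    [pscustomobject]@{ Key = $Path; Value = $Name; Data = $data; Status = $status }
}

$results = @(
    # Shell must be exactly explorer.exe: no path, no second entry.
    Test-WinlogonValue -Path $winlogon -Name 'Shell'    -Expected @('explorer.exe')
    # Userinit normally reads "<system32>\userinit.exe," (trailing comma is stock).
    Test-WinlogonValue -Path $winlogon -Name 'Userinit' -Expected @((Join-Path $system32 'userinit.exe'))
)

# A per-user Shell value does not exist on a clean install; if it is present at all,
# it is worth a look even when it says explorer.exe.
$userShell = Get-ItemProperty -Path $userWinlogon -Name Shell -ErrorAction SilentlyContinue
if ($null -ne $userShell) {
    $results += Test-WinlogonValue -Path $userWinlogon -Name 'Shell' -Expected @('explorer.exe')
}
else {
    $results += [pscustomobject]@{ Key = $userWinlogon; Value = 'Shell'; Data = '<absent>'; Status = 'OK (no per-user override)' }
}

$results | Format-Table -AutoSize
```

On a healthy XP or Windows 7 machine every row reads OK; a SUSPECT row names the extra entry, which is the file to look up in the scan logs before changing the value back.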

#19
July 4, 2011 at 19:05:32
ComboFix 11-07-03.04 - name 07/03/2011 20:56:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1244 [GMT -4:00]
Running from: c:\documents and settings\name\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\name\GoToAssistDownloadHelper.exe
c:\documents and settings\name\Local Settings\Temporary Internet Files\HP_169.254.136.71_MY8AGBC01N04ZX
c:\documents and settings\name\Local Settings\Temporary Internet Files\HP_192.168.1.5_MY8AGBC01N04ZX
c:\documents and settings\name\Local Settings\Temporary Internet Files\HP_192.168.1.8_MY8AGBC01N04ZX
.
.
((((((((((((((((((((((((( Files Created from 2011-06-04 to 2011-07-04 )))))))))))))))))))))))))))))))
.
.
2011-07-01 16:51 . 2011-07-01 16:51 -------- d-----w- c:\program files\ESET
2011-07-01 15:40 . 2011-07-01 15:40 -------- d-----w- c:\documents and settings\name\Local Settings\Application Data\Mozilla
2011-07-01 15:22 . 2011-07-01 15:22 -------- d-----w- c:\documents and settings\name\Application Data\SUPERAntiSpyware.com
2011-07-01 15:22 . 2011-07-01 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-01 15:21 . 2011-07-01 15:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-01 15:20 . 2011-07-01 15:20 -------- d-----w- c:\program files\CCleaner
2011-07-01 14:37 . 2011-07-01 14:37 -------- d-----w- c:\windows\Performance
2011-07-01 14:36 . 2011-07-01 14:36 -------- d-----w- c:\documents and settings\name\Local Settings\Application Data\Microsoft Corporation
2011-07-01 14:35 . 2011-07-01 14:35 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-07-01 02:20 . 2011-07-01 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-01 00:08 . 2011-07-01 00:08 -------- d-----w- c:\documents and settings\name\Application Data\Malwarebytes
2011-07-01 00:08 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 00:08 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 03:16 . 2011-06-30 03:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-18 17:42 . 2011-06-18 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\McAfee Anti-Theft
2011-06-18 17:41 . 2010-04-14 00:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-06-18 17:41 . 2011-06-18 17:41 -------- d-----w- c:\program files\McAfee Online Backup
2011-06-18 17:40 . 2011-04-11 18:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-06-18 17:39 . 2011-03-13 15:20 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-06-18 17:39 . 2011-03-13 15:20 89368 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-06-18 17:39 . 2011-03-13 15:20 85984 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-06-18 17:39 . 2011-03-13 15:20 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-06-18 17:39 . 2011-03-13 15:20 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-06-18 17:39 . 2011-03-13 15:20 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-06-18 17:39 . 2011-03-13 15:20 337912 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-06-18 17:39 . 2011-03-13 15:20 179248 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-06-18 17:39 . 2011-06-18 17:40 -------- d-----w- c:\program files\Common Files\Mcafee
2011-06-18 17:39 . 2011-06-18 17:39 -------- d-----w- c:\program files\McAfee.com
2011-06-18 17:27 . 2011-03-13 15:45 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-04 01:34 . 2008-12-06 22:28 0 ----a-w- c:\documents and settings\name\Local Settings\Application Data\WavXMapDrive.bat
2011-06-01 23:14 . 2011-06-01 23:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-25 16:16 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-25 16:16 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-06-16 04:17 . 2011-07-01 15:39 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1024000]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-06 8466432]
"nwiz"="nwiz.exe" [2007-08-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-08-06 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-26 1306216]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-1 50688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-17 809488]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-2-14 118784]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-11-8 3986944]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-08-01 19:52 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 21:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Online Backup Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk
backup=c:\windows\pss\McAfee Online Backup Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^name^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\name\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^name^Start Menu^Programs^Startup^SolidWorks Task Scheduler Engine.lnk]
path=c:\documents and settings\name\Start Menu\Programs\Startup\SolidWorks Task Scheduler Engine.lnk
backup=c:\windows\pss\SolidWorks Task Scheduler Engine.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-07-27 15:10 1133040 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [6/18/2011 1:40 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/18/2011 1:39 PM 89368]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [6/18/2011 1:41 PM 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/17/2009 11:13 AM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/30/2011 8:08 PM 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/18/2011 1:39 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/18/2011 1:39 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/18/2011 1:39 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [6/18/2011 1:39 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/18/2011 1:27 PM 148520]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 MSSQL$SANDVIK2005;SQL Server (SANDVIK2005);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [12/10/2010 7:29 PM 29293408]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [12/3/2007 2:44 PM 245760]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [7/11/2008 1:02 AM 328992]
R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [1/2/2010 6:22 PM 668912]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/25/2008 12:16 PM 5120]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/8/2010 12:40 PM 237568]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [11/8/2010 12:43 PM 1060352]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [11/8/2010 12:43 PM 484352]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [6/18/2011 1:39 PM 57432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/30/2011 8:08 PM 22712]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [6/18/2011 1:39 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [6/18/2011 1:39 PM 83688]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/29/2009 10:37 AM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/29/2009 10:37 AM 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [6/18/2011 1:39 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/18/2011 1:39 PM 85984]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/6/2011 6:45 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-13 12:13]
.
2011-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 14:36]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 14:36]
.
2011-07-03 c:\windows\Tasks\User_Feed_Synchronization-{3F53B419-88DF-41B6-A323-520246CBA9A3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.usatoday.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
FF - ProfilePath - c:\documents and settings\name\Application Data\Mozilla\Firefox\Profiles\b9mjhff9.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 21:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1140)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(5476)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\sitead~1\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\msdtc.exe
c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2011-07-03 21:55:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-04 01:55
.
Pre-Run: 19,693,273,088 bytes free
Post-Run: 20,547,313,664 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9236EDB9EA9B33B0C2AE6EFE994E177A

#20
July 4, 2011 at 19:06:11
* I took out the name and replaced it with "name".

#21
July 4, 2011 at 19:13:34
Please provide the information requested on Post #18.

Also, what did you do to get ComboFix to run?

If I do not know what you are doing, it is hard to help. My crystal ball is broken!!!

Still getting redirected?


~~~~
Retired - Doin' Dis, Dat, and slapping malware.


#22
July 5, 2011 at 04:40:49
I actually got iexplorer to close.
It is weird though. Whenever I open Firefox, it asks me if I would like to make it my default browser, and every time I say yes...
I tried doing the Notepad thing, but when I save, it says that the path does not exist... verify the correct path was given.
And yes, the redirect is still happening.

#23
July 5, 2011 at 09:32:14
Go to Post #5, and try to run TDSSKiller again.

If no-go, remove the file on your Desktop and download a new file; however, rename it as you download it, using the Save prompt. Give it a random name with a .com extension, like 4242.com.

If still no-go, try running TDSSKiller in Safe Mode:
-Start your computer.
-Tap the F8 key before Windows starts, to bring up the Windows Advanced Options menu
-Use the arrow keys to select Safe Mode with Networking
-Press: Enter

Please post the TDSSKiller report, as previously requested (Post #5).

Also, try running the expkey.bat file in Post #18 once again...made a correction to it.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


#24
July 5, 2011 at 11:38:07
Why do 2 sessions of iexplorer.exe run at the startup of the computer? Is that part of the issue?

It said that the program is too big to fit in the memory. Yes, I tried it in Safe Mode. Didn't work. And why can't I connect to the internet with Safe Mode with Networking? Is it a security thing?


#25
July 5, 2011 at 14:40:21
Do the 2 instances run when you are not browsing?

When you end the processes, do they come back?

Do you have IE 8 installed?

Press on with the following:

Download MBRCheck:
http://ad13.geekstogo.com/MBRCheck.exe
Save to the Desktop

Double click MBRCheck.exe to run
It will show a black screen with some data on it.

A report called MBRcheckxxxx.txt will be on your Desktop
Open this report and post its content in your reply.

Also download TFC:
http://oldtimer.geekstogo.com/TFC.exe
Save to the Desktop

Double-click TFC.exe to run it.
TFC closes all programs when run, so make sure you saved all your work before you begin.

Click the Start button to begin the cleaning process.
Please allow TFC to run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer to ensure a complete cleaning.

Next, delete your current version of ComboFix and download it again:
http://download.bleepingcomputer.co...

It is important that the file is saved directly to your Desktop!

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Make sure you temporarily disable your AntiVirus and any AntiSpyware real time protection before performing the scan.

Double click combofix.exe and follow the prompts.

Important: Do not mouse-click ComboFix's window while it is running. That action may cause it to stall.


For XP, install the Recovery Console if presented with the opportunity to do so.

When finished ComboFix produces a log that you need to make available for review:
Upload ComboFix.txt to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix.txt file, and click: 'Open'

You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Copy the 'Download link' provided, and post it in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


#26
July 5, 2011 at 17:09:50
I have 8. And when I end them, they do not come back. It seems like when I start up the computer, I always get 2 instances of it going though.
Will do scans and report back.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 169):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9E4D000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E2D000 fltMgr.sys
0xB9E1B000 sr.sys
0xB9DAD000 mfehidk.sys
0xBA5AC000 DLACDBHM.SYS
0xB9D96000 DRVMCDB.SYS
0xBA0F8000 PxHelp20.sys
0xB9D7F000 KSecDD.sys
0xB9CF2000 Ntfs.sys
0xB9CC5000 NDIS.sys
0xBA108000 PBADRV.sys
0xBA118000 ohci1394.sys
0xBA128000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9CAB000 Mup.sys
0xB9C97000 McPvDrv.sys
0xBA248000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA278000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB796E000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB795A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA368000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB7936000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA370000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB790E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB77D3000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB77BF000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA288000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA298000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB776E000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB7739000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA608000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA378000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA380000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7716000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8B37000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB8B2F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB8B2B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB7645000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xBA7A4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB7632000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xBA614000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA398000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB761B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB760A000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8083000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB75E0000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB7567000 \SystemRoot\system32\drivers\mfefirek.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3B0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA3B8000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB7537000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8073000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA618000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB74D9000 \SystemRoot\system32\DRIVERS\update.sys
0xB9C57000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\WaveFDE.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\btport.sys
0xB7459000 \SystemRoot\system32\drivers\btaudio.sys
0xB7435000 \SystemRoot\system32\drivers\portcls.sys
0xB8033000 \SystemRoot\system32\drivers\drmk.sys
0xB8023000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9511000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB4E86000 \SystemRoot\system32\drivers\sthda.sys
0xB4E52000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB4D4A000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB4C97000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xB6247000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xB1E4D000 \SystemRoot\system32\DRIVERS\MOBK.sys
0xBA66E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB2E6B000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5B2000 \SystemRoot\System32\Drivers\Beep.SYS
0xB34DF000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xB34D7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB61DB000 \SystemRoot\System32\drivers\vga.sys
0xBA5B4000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5B6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB2CEC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB2CE4000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB5040000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB1E1A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB1DC1000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1DAC000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xB1D86000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB1D5E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB33C9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB1D3C000 \SystemRoot\System32\drivers\afd.sys
0xB33B9000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB2C62000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB1D1A000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xB2CDC000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB1CEF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB1C7F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB2C52000 \SystemRoot\System32\Drivers\Fips.SYS
0xB2FF9000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xAF46A000 \SystemRoot\System32\Drivers\tcusb.sys
0xAEF35000 \SystemRoot\System32\Drivers\oz776.sys
0xB2FF5000 \SystemRoot\System32\Drivers\SMCLIB.SYS
0xAE540000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAF1ED000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAE882000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAE098000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xAE852000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xAC22E000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xAF1E5000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAE088000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xBA1A8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9930000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5BE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB4968000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA448000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA737000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF589000 \SystemRoot\System32\ATMFD.DLL
0xA5609000 \SystemRoot\system32\DRIVERS\WavxDMgr.sys
0xB0041000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xABDDC000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xBA7F2000 \SystemRoot\System32\Drivers\DLADResM.SYS
0xA55F0000 \SystemRoot\System32\Drivers\DLAIFS_M.SYS
0xBA470000 \SystemRoot\System32\Drivers\DLAOPIOM.SYS
0xB9C22000 \SystemRoot\System32\Drivers\DLAPoolM.SYS
0xBA480000 \SystemRoot\System32\Drivers\DLABMFSM.SYS
0xBA430000 \SystemRoot\System32\Drivers\DLABOIOM.SYS
0xA55DA000 \SystemRoot\System32\Drivers\DLAUDFAM.SYS
0xA55C3000 \SystemRoot\System32\Drivers\DLAUDF_M.SYS
0xB037E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA5513000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA54D6000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xB46EA000 \SystemRoot\System32\Drivers\LBeepKE.sys
0xA53DE000 \SystemRoot\system32\DRIVERS\srv.sys
0xA5446000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA4E79000 \SystemRoot\system32\drivers\wdmaud.sys
0xA5016000 \SystemRoot\system32\drivers\sysaudio.sys
0xA31A9000 \SystemRoot\System32\Drivers\HTTP.sys
0xA35F2000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xA2CF5000 \SystemRoot\system32\drivers\kmixer.sys
0xA2C85000 \SystemRoot\system32\drivers\cfwids.sys
0xA2AF9000 \SystemRoot\system32\drivers\mfeapfk.sys
0xA4648000 \SystemRoot\system32\drivers\mfebopk.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 95):
0 System Idle Process
4 System
1008 C:\WINDOWS\system32\smss.exe
1112 csrss.exe
1140 C:\WINDOWS\system32\winlogon.exe
1184 C:\WINDOWS\system32\services.exe
1196 C:\WINDOWS\system32\lsass.exe
1400 C:\WINDOWS\system32\svchost.exe
1468 svchost.exe
1508 C:\WINDOWS\system32\svchost.exe
1532 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1636 svchost.exe
1676 svchost.exe
1848 C:\WINDOWS\system32\WLTRYSVC.EXE
1884 C:\WINDOWS\system32\BCMWLTRY.EXE
1952 C:\WINDOWS\system32\spoolsv.exe
232 scardsvr.exe
304 svchost.exe
364 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
380 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
400 C:\Program Files\Bonjour\mDNSResponder.exe
560 C:\WINDOWS\system32\svchost.exe
616 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
732 C:\Program Files\Java\jre6\bin\jqs.exe
768 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
868 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
928 C:\Program Files\Common Files\Motive\McciCMService.exe
132 C:\WINDOWS\system32\mfevtps.exe
1032 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
1544 C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
1596 C:\WINDOWS\system32\svchost.exe
1616 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
1716 C:\WINDOWS\system32\nvsvc32.exe
1728 C:\WINDOWS\system32\svchost.exe
1748 C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
2824 C:\WINDOWS\explorer.exe
2928 C:\WINDOWS\system32\rundll32.exe
3188 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3196 C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
3232 C:\WINDOWS\system32\rundll32.exe
3248 C:\WINDOWS\system32\rundll32.exe
3256 C:\Program Files\Dell\QuickSet\quickset.exe
3464 C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
3500 C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
3564 C:\WINDOWS\system32\WLTRAY.EXE
3636 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
3692 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3724 C:\Program Files\Verizon\McciTrayApp.exe
3732 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
3740 C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
3772 C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
3780 C:\Program Files\McAfee.com\Agent\mcagent.exe
3824 C:\Program Files\McAfee\MAT\McPvTray.exe
3876 C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
3896 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
3948 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
3968 C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
3972 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
4036 C:\Program Files\Verizon\VSP\ServicepointService.exe
4068 C:\WINDOWS\system32\ctfmon.exe
4092 C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
468 sqlbrowser.exe
800 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
1052 C:\Program Files\Digital Line Detect\DLG.exe
1116 C:\WINDOWS\system32\svchost.exe
1084 C:\Program Files\Logitech\SetPoint\SetPoint.exe
1456 tcsd_win32.exe
644 C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
2052 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
2360 C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
2492 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
1092 C:\WINDOWS\system32\dllhost.exe
3316 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
3508 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
3348 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
1836 C:\WINDOWS\system32\searchindexer.exe
5452 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
4268 wmiprvse.exe
3100 C:\WINDOWS\system32\svchost.exe
4156 C:\WINDOWS\system32\vssvc.exe
1584 wmiprvse.exe
6052 C:\WINDOWS\system32\dllhost.exe
5072 alg.exe
6112 C:\WINDOWS\system32\wuauclt.exe
312 msdtc.exe
676 C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
188 C:\WINDOWS\system32\svchost.exe
3440 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
3488 C:\Program Files\Mozilla Firefox\firefox.exe
2660 C:\Program Files\Internet Explorer\iexplore.exe
8068 C:\Program Files\Internet Explorer\iexplore.exe
5712 C:\WINDOWS\system32\searchprotocolhost.exe
6100 searchfilterhost.exe
7488 C:\Documents and Settings\name\Desktop\MBRCheck.exe
7664 C:\WINDOWS\system32\searchprotocolhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`05e21800 (NTFS)

PhysicalDrive0 Model Number: ST980411ASG, Rev: DE13

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 38BE7869FCCF026F920DA4A541B12E68993C36ED


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:


What does it mean if the MBR code is faked?


#27
July 5, 2011 at 18:07:24
You may have a BootKit, but the results of only one program are not the final answer. The issue needs to be confirmed.

Do run TFC and ComboFix as instructed in Post #25.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


#28
July 5, 2011 at 19:02:08
ComboFix 11-07-05.03 - name 07/04/2011 21:09:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1116 [GMT -4:00]
Running from: c:\documents and settings\name\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
.
.
2011-07-01 16:51 . 2011-07-01 16:51 -------- d-----w- c:\program files\ESET
2011-07-01 15:40 . 2011-07-01 15:40 -------- d-----w- c:\documents and settings\name\Local Settings\Application Data\Mozilla
2011-07-01 15:22 . 2011-07-01 15:22 -------- d-----w- c:\documents and settings\ name\Application Data\SUPERAntiSpyware.com
2011-07-01 15:22 . 2011-07-01 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-01 15:21 . 2011-07-01 15:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-01 15:20 . 2011-07-01 15:20 -------- d-----w- c:\program files\CCleaner
2011-07-01 14:37 . 2011-07-01 14:37 -------- d-----w- c:\windows\Performance
2011-07-01 14:36 . 2011-07-01 14:36 -------- d-----w- c:\documents and settings\name\Local Settings\Application Data\Microsoft Corporation
2011-07-01 14:35 . 2011-07-01 14:35 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-07-01 02:20 . 2011-07-01 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-01 00:08 . 2011-07-01 00:08 -------- d-----w- c:\documents and settings\name\Application Data\Malwarebytes
2011-07-01 00:08 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 00:08 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 03:16 . 2011-06-30 03:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-18 17:42 . 2011-06-18 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\McAfee Anti-Theft
2011-06-18 17:41 . 2010-04-14 00:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-06-18 17:41 . 2011-06-18 17:41 -------- d-----w- c:\program files\McAfee Online Backup
2011-06-18 17:40 . 2011-04-11 18:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-06-18 17:39 . 2011-03-13 15:20 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-06-18 17:39 . 2011-03-13 15:20 89368 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-06-18 17:39 . 2011-03-13 15:20 85984 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-06-18 17:39 . 2011-03-13 15:20 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-06-18 17:39 . 2011-03-13 15:20 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-06-18 17:39 . 2011-03-13 15:20 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-06-18 17:39 . 2011-03-13 15:20 337912 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-06-18 17:39 . 2011-03-13 15:20 179248 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-06-18 17:39 . 2011-06-18 17:40 -------- d-----w- c:\program files\Common Files\Mcafee
2011-06-18 17:39 . 2011-06-18 17:39 -------- d-----w- c:\program files\McAfee.com
2011-06-18 17:27 . 2011-03-13 15:45 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-05 00:45 . 2008-12-06 22:28 0 ----a-w- c:\documents and settings\name\Local Settings\Application Data\WavXMapDrive.bat
2011-06-01 23:14 . 2011-06-01 23:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-25 16:16 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-25 16:16 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-06-16 04:17 . 2011-07-01 15:39 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-04_01.36.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-05 00:45 . 2011-07-05 00:45 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
+ 2011-07-05 00:45 . 2011-07-05 00:45 16384 c:\windows\Temp\Perflib_Perfdata_3f8.dat
+ 2011-07-05 00:45 . 2011-07-05 00:45 16384 c:\windows\Temp\Perflib_Perfdata_2fc.dat
- 2008-04-25 09:22 . 2008-04-14 12:00 69120 c:\windows\system32\dllcache\notepad.exe
+ 2008-04-25 16:16 . 2008-04-14 12:00 69120 c:\windows\system32\dllcache\notepad.exe
- 2008-12-06 22:17 . 2011-07-03 22:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-06 22:17 . 2011-07-04 17:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-06 22:17 . 2011-07-03 22:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-04 11:42 . 2011-07-04 17:51 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-02 12:14 . 2011-07-04 17:51 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-05-02 12:14 . 2011-07-03 22:04 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1024000]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-06 8466432]
"nwiz"="nwiz.exe" [2007-08-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-08-06 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-26 1306216]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-1 50688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-17 809488]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-08-01 19:52 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 21:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Online Backup Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk
backup=c:\windows\pss\McAfee Online Backup Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Name^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\name\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^name^Start Menu^Programs^Startup^SolidWorks Task Scheduler Engine.lnk]
path=c:\documents and settings\name\Start Menu\Programs\Startup\SolidWorks Task Scheduler Engine.lnk
backup=c:\windows\pss\SolidWorks Task Scheduler Engine.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 03:12 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-07-27 15:10 1133040 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [6/18/2011 1:40 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/18/2011 1:39 PM 89368]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [6/18/2011 1:41 PM 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/17/2009 11:13 AM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/30/2011 8:08 PM 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/18/2011 1:39 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/18/2011 1:39 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/18/2011 1:39 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [6/18/2011 1:39 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/18/2011 1:27 PM 148520]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 MSSQL$SANDVIK2005;SQL Server (SANDVIK2005);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [12/10/2010 7:29 PM 29293408]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [12/3/2007 2:44 PM 245760]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [7/11/2008 1:02 AM 328992]
R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [1/2/2010 6:22 PM 668912]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/25/2008 12:16 PM 5120]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/8/2010 12:40 PM 237568]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [11/8/2010 12:43 PM 1060352]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [11/8/2010 12:43 PM 484352]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [6/18/2011 1:39 PM 57432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/30/2011 8:08 PM 22712]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [6/18/2011 1:39 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [6/18/2011 1:39 PM 83688]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/29/2009 10:37 AM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/29/2009 10:37 AM 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [6/18/2011 1:39 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/18/2011 1:39 PM 85984]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/6/2011 6:45 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-07-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-13 12:13]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 14:36]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 14:36]
.
2011-07-04 c:\windows\Tasks\User_Feed_Synchronization-{3F53B419-88DF-41B6-A323-520246CBA9A3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.usatoday.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\name\Application Data\Mozilla\Firefox\Profiles\b9mjhff9.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-04 21:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1140)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(4896)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\sitead~1\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-04 21:56:14
ComboFix-quarantined-files.txt 2011-07-05 01:55
ComboFix2.txt 2011-07-04 01:55
.
Pre-Run: 21,620,912,128 bytes free
Post-Run: 21,626,777,600 bytes free
.
- - End Of File - - F95447F9BC67F7C1F915D8B89EEE44D7


#29
July 5, 2011 at 19:41:00
MBR rootkit hooks were not detected…
No unknown or hidden files detected…
Geeeshhh!!!!


Try TDSSKiller once again, and see if it runs.

If no-go, do the following:

Download GMER:
http://gmer.net/download.php

[Downloads a randomly named file. (Recommended)]

Disconnect from the Internet and close all running programs.

Temporarily disable any real-time active protection so your security programs do not conflict with gmer's driver.

Double-click on the randomly named GMER file (e.g. n7gmo46c.exe)
Allow the gmer.sys driver to load...

GMER opens to the Rootkit/Malware tab and performs an automatic quick scan when first run. (Please do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO

Now, click the >Scan< button.
If you see a RootKit warning, click OK.

When the scan finishes, click the 'Save...' button to save the scan results to your Desktop.

Save the file as >gmer.log<

>>Click the Copy button and Paste the results of the GMER log in your reply.<<

Note: Please, do not take action on any of the information on the GMER report!!

If you encounter any problems, try running GMER in Safe Mode:
http://www.computerhope.com/issues/...
If GMER crashes or keeps resulting in BSODs, uncheck 'Devices' (on the right side) before scanning.

Now, download mbr.exe
http://www2.gmer.net/mbr/mbr.exe
Save the file to your Desktop.
Double-click >mbr.exe< and follow the prompts.
When mbr.exe is done, it creates a log.
>>Also copy and paste contents of the mbr.exe log in your reply.<<


Next, download aswMBR:
http://public.avast.com/~gmerek/asw...

Save to your Desktop.
Double click the aswMBR.exe icon to run it

Click the Scan button to start the scan

Upon completion of the scan, click the Save Log button
>>Save the aswMBR log to your Desktop, and post it in your reply.<<


Post all of these results:
1. The GMER log
2. The mbr.exe log
3. The aswMBR log
4. If you get TDSSKiller to run, post it also.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#30
July 5, 2011 at 21:46:55
Is this computer a Dell?

Model Number i.e.: Inspiron 1234

If so, does it have a recovery partition?

Do you have an XP Pro CD for it?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#31
July 6, 2011 at 11:53:55
yes, it is a dell precision m6300.

so what harm does this do to this computer, besides browser redirecting? is it a keylogger as well? should he be concerned with any of his personal things, such as banking accounts, taxes?

i went to my computer, and i did not see any other partitions (no recovery either)

my dad cannot find the cd for xp. we thought about doing a system fix or whatever the feature is called on the cd. would that fix it? we also considered getting windows 7 as probably the best route, if this thing will work with it. (have to check that yet). he has an external wd drive that he backed up his computer to a few days ago, so i will manually put things back over when we get his computer like new.

will do what you recommend in post # 29, and post back with results.

p.s. i ran that test above in safe mode... i don't know if it matters...



#32
July 6, 2011 at 12:22:48
i was just informed that mcafee blocked a "risky connection". the IP address is 64.120.141.163. the program is IE. is this the virus, or whatever, trying to speak to the hacker's computer?

(i actually have a fat and ntfs partition... don't know if that helps... went into disk management)



#33
July 6, 2011 at 12:42:14
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-07-05 15:36:33
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST980411ASG rev.DE13
Running: 2wke6w95.exe; Driver: C:\DOCUME~1\name~1\LOCALS~1\Temp\pxlyapob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DECD70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DECD84]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DECDB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DECE06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DECD5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DECD34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DECD48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DECD9A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DECDDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DECDC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DECE30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DECE1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DECDF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:112] 8A5ED0B3
Thread System [4:124] 8A5EE7FB

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Mozilla Firefox\firefox.exe (*** hidden *** ) 2092

---- EOF - GMER 1.0.15 ----



#34
July 6, 2011 at 14:18:48
i got several pop-ups from mcafee; it says that microsoft OS is trying to do something, but it says the source is clickanybody.org, or some weird website like that. and it blocks it.


#35
July 6, 2011 at 14:28:57
http://www.mediafire.com/?a4v86lwal... - here is the report of sites the computer is trying to access... it keeps on increasing though. i am up to 67 now
i think when i try to load a site, it tries to load those sites as well. it usually increases when i try to load a website (which can usually take a while!)


#36
July 6, 2011 at 21:06:24
Names like findsmell.org, findstation.org, searchbreeze.org, clickcareful.org (64.120.141.163), clickanybody.org, etc. are associated with malware.

There is ‘something’ in the system, but, so far, it has been evasive. Some of the diagnostics needed to pinpoint the issue are quite large, and that would not be an option here.

The fact that TDSSKiller does not run is not good.

There may be a BootKit involved, but, this is a Dell computer, and has a non-standard Master Boot Record (MBR). Most times an attempt at rewriting the MBR is done without any problems, but, some infections can react unexpectedly and result in the PC not being bootable. There is no Dell installation CD available for this computer, and under those circumstances, that is something I am not willing to attempt.

Let’s do one more step...

Please download the Kaspersky Virus Removal Tool:
http://support.kaspersky.com/viruse...

Save it to your Desktop
Double-click the downloaded setup file to run it

At the main screen of the tool, in the AutoScan tab, make sure the first three options are checked
Next, scroll down to check the box next to the C:/ drive

Click on Start Scan

When the scan is finished, click on: Report (at the bottom)

In the Detailed Report screen, make sure the three buttons at the top are set to:
Autoscan, Do not group, and, Important events
Click on Save, and save to the Desktop

Please provide the Kaspersky Virus Removal Tool in your reply.


When done with the tool, uninstall it by doing the following:
In the bottom right corner of the main window, click the Exit button
Click the Yes button on the prompt to uninstall
Restart the computer to delete the Kaspersky Virus Removal Tool.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
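Post #36 makes a point worth seeing in code: on a Dell the MBR bootstrap is non-standard, so a scanner cannot tell an OEM bootstrap from a patched one by looking at the bytes alone; it needs a baseline. The following is an added example, not code from this thread and not from GMER, mbr.exe or aswMBR. It parses a 512-byte MBR image offline, checks the 0x55AA boot signature and the partition table for sanity, and compares the SHA-256 of the bootstrap area against a set of known-good hashes (which, on a real machine, would be captured from a clean sector read or from the vendor's recovery media). The sample sector, the OEM bootstrap bytes and the baseline hash are constructed for the example.

```python
"""Offline sanity check of a 512-byte Master Boot Record image.

Added example for this thread; not code from GMER, mbr.exe or aswMBR.
The sample sector, the OEM bootstrap bytes and the baseline hash below are
constructed for the example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code (and disk signature area)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG_OFF = 510       # bytes 510..511 must be 55 AA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# A few partition type ids; 0xDE is the Dell utility partition found on Dell machines
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0xDE: "Dell Utility"}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: the given bootstrap bytes, an active NTFS and a FAT32 entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 40_000_000)
    fat = struct.pack(ENTRY_FMT, 0x00, b"\xfe\xff\xff", 0x0C, b"\xfe\xff\xff", 40_000_063, 2_000_000)
    empty = b"\x00" * 16
    return code + ntfs + fat + empty + empty + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return boot signature status, bootstrap hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def check_mbr(sector: bytes, known_good_hashes: set) -> list:
    """List of findings; an empty list means the image passed every rule here."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("bootstrap code does not match any known-good baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("%d active partitions (expected 1)" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("partition ranges overlap")
            break
    return findings


# Constructed stand-in for an OEM bootstrap; a real baseline would be hashed from a
# sector read from the clean machine or from the vendor's recovery media.
OEM_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CONSTRUCTED-OEM-BOOTSTRAP"
SAMPLE_GOOD = build_sample_mbr(OEM_BOOT_CODE)
KNOWN_GOOD_HASHES = {parse_mbr(SAMPLE_GOOD)["boot_code_sha256"]}
# Same partition table, but the bootstrap now begins with a different jump: this is
# how a patched sector 0 looks from the outside, and only the baseline reveals it.
SAMPLE_TAMPERED = build_sample_mbr(b"\xe9\x00\x01" + OEM_BOOT_CODE)
SAMPLE_NO_SIG = SAMPLE_GOOD[:BOOT_SIG_OFF] + b"\x00\x00"

if __name__ == "__main__":
    for name, img in (("good", SAMPLE_GOOD), ("tampered", SAMPLE_TAMPERED), ("nosig", SAMPLE_NO_SIG)):
        print(name, check_mbr(img, KNOWN_GOOD_HASHES) or ["no findings"])
```

Two caveats for using this on a live machine. Reading sector 0 on Windows means opening the physical drive with administrator rights, and a rootkit that filters disk I/O can hand a clean-looking sector to a user-mode reader, which is why the tools in post #29 load their own drivers. A read taken after booting from separate media, as with the Standalone System Sweeper CD in post #40, avoids that problem. And the baseline rule is exactly the one post #36 is worried about: without a known-good hash for this Dell's bootstrap, "does not match" cannot distinguish tampering from the OEM's own code.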



#37
July 7, 2011 at 13:25:09
if this doesn't fix it, can i get my money back? =D

and here is a picture of the mcafee block that i get... http://www.mediafire.com/?9sijdymr6... hah! windows os...



#38
July 7, 2011 at 13:44:02
It just dawned on me...have you been logging in to the infected account to run these tools, or are you using an account which does not have administrator rights?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#39
July 7, 2011 at 14:10:32
i have been logging on as admin.


#40
July 7, 2011 at 17:49:58
Let’s give this a try, and see if it works:

First, TDSSKiller got updated, so, remove the version you have, and download a new file. Then, try to run it.

If still no-go, download the appropriate version (32-bit or 64-bit) of the Microsoft Standalone System Sweeper to a clean computer:

http://majorgeeks.com/Microsoft_Sta...

[32 bit or 64 bit info of the infected computer:
Start > right click on Computer, and click on Properties]

1. Save to the Desktop

2. Double-click to run the downloaded mssstoolxx.exe file, and click on Next.

3. To create a Bootable CD or DVD:
a) Insert a blank CD or DVD into the CD/DVD drive.
NOTE: If an AutoPlay window opens afterwards, close it.

b) In the Select Media prompt, select/dot: Use a blank CD or a blank DVD, and click on Next.

c) In Select CD or DVD drive select the drive with the blank CD/DVD in it, and click on Next.

d) When done, a prompt with: Bootable CD or DVD successfully created, click on Finish. You will now be able to boot from the CD or DVD created.

4. Insert the CD or DVD to the infected computer that you will be scanning at boot.

5. Be sure it is set to boot from the CD/DVD, and boot from it.

6. When the Standalone System Sweeper has booted, you are able to click on Scan (toolbar) and select what type of scan you would like to run on the infected computer. Select: Start Full Scan

7. To Update the Standalone System Sweeper Definitions, click the drop arrow to the right of the Help (Question (?) icon)
Click on: Check for updates.
Then, click on: Download

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#41
July 7, 2011 at 18:23:51
the scanner froze, when using the Kaspersky Virus Removal Tool. it found two things, and was about 60% done. i believe that they were .exes in a java file.


#42
July 7, 2011 at 19:54:13
Which scanner froze, TDSSKiller?

New approach:

Delete any old version of TDSSKiller!!

Download from here:
http://support.kaspersky.com/downlo...
Right-click and select: Extract all…
Save TDSSKiller.exe to your Desktop, but first rename it to WINlogON.exe

Now, create the following batch file, and place it next to TDSSKiller:


Open Notepad (Start > Programs > Accessories > Notepad) and copy/paste all the text below to it:

@ECHO OFF
REM Run the renamed TDSSKiller and wait for it to finish; -l writes its log to Logit.txt, -v makes the log verbose
START /WAIT WINlogON.exe -l Logit.txt -v
REM Open the log (this reports "cannot find Logit.txt" if TDSSKiller never ran), then delete this batch file
START Logit.txt
del %0


In the Save prompt:
Save to the Desktop
Save as fix.bat
Save type as: All Files

On the Desktop, it should look like this:
http://i266.photobucket.com/albums/...

Double click on fix.bat and allow it to run

Post back the results.

If still no-go, try the Microsoft Standalone System Sweeper.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#43
July 8, 2011 at 05:47:42
it said that windows could not find 'Logit.txt'. will try to run the kaspersky virus removal tool again...
still can't run tdsskiller... i did download the file, then rename it...


#44
July 8, 2011 at 08:32:26
kaspersky found something... http://www.mediafire.com/?fgzyn4lj9...

i removed/disinfected it. NO MORE REDIRECTING!!!! but how do i know if the system is actually clean, and that there is no more malware on it? (i can run tdsskiller now!)

also, should i uninstall mcafee, then install another better security suite? what would you recommend? kaspersky seems really good since they have a lot of tools.



#45
July 8, 2011 at 09:40:10
Can barely see what it reported…
Is it: MEM:rootkit.win32.Sst.a ??

At least we have something more solid to work with!

If so, do the following:

Re-run the Kaspersky Virus Removal Tool

When it starts, to the right of Security Level click Recommended, and select: Settings.
-In the window that opens (Autoscan), in the ‘Scope’ tab, place a checkmark to the left of Parse email formats.
-Click the ‘Additional’ tab and click to place a checkmark by ‘RootKit Scan’ and ‘Deep Scan’, then click OK.

Select all the scan-able drives, except for CD-ROM drives, and click the ‘Start Scan’ button

If malware is detected, place a checkmark in the ‘Apply to all’ box, and click the ‘Delete’ button (or Disinfect if the button is active).

After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the ‘Neutralize all’ button.

In the window that opens, place a checkmark in the ‘Apply to all’ box, and click the ‘Delete’ button (or Disinfect if the button is active).

If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.

In the Scan window click the ‘Reports’ button and select ‘Save to file’.
Name the report kvrt.txt, and save it to the Desktop.
Close the program.

Please copy/paste the report (Detected) that you saved in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#46
July 8, 2011 at 09:47:19
that is the one.


#47
July 8, 2011 at 10:01:04
When you get done with KVRT, go to Post #40, and follow the instructions to burn and use the CD for the Microsoft Standalone System Sweeper (MSSS).

KVRT may not be able to remove the MEM RootKit.

So far, MSSS has proved to be a good tool, and starts working when you boot.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#48
July 8, 2011 at 10:05:42
i think it removed it... it restarted (the computer) and the computer feels like it's fixed... no more redirecting.

some of the files that i am scanning are password protected... i guess that is fine?



#49
July 8, 2011 at 10:13:05
KVRT report, please!!!

This is a memory virus...surprised it would go down so fast with KVRT.

Also, try running TDSSKiller. >>This is the 'acid test'! << ;-)

Need to go out for a while. Will be back later.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#50
July 8, 2011 at 10:25:04
the kaspersky scan is running.
tdsskiller ran, but didn't find anything. kaspersky removed it, i guess.


#51
July 8, 2011 at 11:46:30
When you get done with KVRT, go to Post #40, and follow the instructions to burn and use the CD for the >>>>Microsoft Standalone System Sweeper (MSSS).<<<<

It will scan you when you boot.

Sometimes this RootKit shows up with TDSS. Guess you dodged that bullet, or KVRT took care of it.

When you post it, the KVRT report should look something like the following:

"Disinfect active threats: completed 11 minutes ago (events: 7, objects: 4847, time: 00:02:22)
23/06/2011 3:27:42 PM Task started
23/06/2011 3:27:45 PM Detected: MEM:Rootkit.Win32.Sst.a System Memory
23/06/2011 3:27:45 PM Disinfected: MEM:Rootkit.Win32.Sst.a System Memory
23/06/2011 3:28:47 PM Detected: Virus.Win32.TDSS.e C:\windows\system32\drivers\volsnap.sys
23/06/2011 3:28:52 PM Will be deleted on system restart: Virus.Win32.TDSS.e C:\windows\system32\drivers\volsnap.sys
23/06/2011 3:30:04 PM Task completed"

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
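Post #51 shows the shape of a KVRT report, and posts #47 and #49 make the point that a memory-resident rootkit may not really be gone just because a line says "Disinfected". As an added example (mine, not part of KVRT or of this thread), here is a small parser that turns a report of that shape into a triage summary: which detections were disinfected or deleted, which are only scheduled for deletion at the next restart (the machine is not clean until that reboot has happened), which have no remediation line at all, and which were found in System Memory rather than on disk. The report lines are constructed after the quoted format; the third detection uses a placeholder name, and treating "Deleted" as a remediation verb is an assumption.

```python
"""Triage a Kaspersky Virus Removal Tool (KVRT) report of the shape quoted above.

Added example for this thread, not part of KVRT. The report lines are
constructed to match the quoted format; the third detection is a placeholder.
"""
import re
from collections import OrderedDict

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Task started|Task completed|Detected|Disinfected|Deleted|"
    r"Will be deleted on system restart)"
    r"(?::\s+(?P<threat>\S+)\s+(?P<obj>.+?))?\s*$"
)

REMEDIATED = {"Disinfected", "Deleted"}   # "Deleted" is assumed, not seen in the quoted report
PENDING_REBOOT = {"Will be deleted on system restart"}

# Constructed sample in the format quoted in post #51 (not a real report)
SAMPLE_REPORT = [
    "Disinfect active threats: completed 11 minutes ago (events: 8, objects: 4847, time: 00:02:22)",
    "23/06/2011 3:27:42 PM Task started",
    "23/06/2011 3:27:45 PM Detected: MEM:Rootkit.Win32.Sst.a System Memory",
    "23/06/2011 3:27:45 PM Disinfected: MEM:Rootkit.Win32.Sst.a System Memory",
    r"23/06/2011 3:28:47 PM Detected: Virus.Win32.TDSS.e C:\windows\system32\drivers\volsnap.sys",
    r"23/06/2011 3:28:52 PM Will be deleted on system restart: Virus.Win32.TDSS.e C:\windows\system32\drivers\volsnap.sys",
    # Constructed: a detection with no follow-up remediation line (placeholder name)
    r"23/06/2011 3:29:10 PM Detected: PLACEHOLDER.Constructed.Threat C:\temp\sample.exe",
    "23/06/2011 3:30:04 PM Task completed",
]


def parse_report(lines):
    """Return one dict per event line; header lines without a timestamp are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(events):
    """Final state per (threat, object): 'resolved', 'pending_reboot' or 'unresolved'."""
    state = OrderedDict()
    for e in events:
        if e["threat"] is None:
            continue  # Task started / Task completed carry no object
        key = (e["threat"], e["obj"])
        if e["action"] == "Detected":
            state.setdefault(key, "unresolved")
        elif e["action"] in REMEDIATED:
            state[key] = "resolved"
        elif e["action"] in PENDING_REBOOT:
            state[key] = "pending_reboot"
    return state


def summarize(lines):
    """Condense a report into what a responder needs to decide the next step."""
    events = parse_report(lines)
    state = triage(events)

    def names(wanted):
        return sorted(threat for (threat, _), s in state.items() if s == wanted)

    return {
        "completed": any(e["action"] == "Task completed" for e in events),
        "detections": len(state),
        "resolved": names("resolved"),
        "pending_reboot": names("pending_reboot"),
        "unresolved": names("unresolved"),
        # A memory-only hit means the on-disk loader may still be present
        "memory_resident": sorted(t for (t, obj) in state if obj == "System Memory"),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_REPORT).items():
        print("%-16s %s" % (k, v))
```

The summary is the reason to parse rather than eyeball the report: a "Will be deleted on system restart" entry means a reboot is still required, an unresolved entry means the tool found something it could not act on, and a System Memory hit with nothing on disk is the situation post #49 calls surprising, so it is the one to follow up with TDSSKiller and the boot-time Standalone System Sweeper scan.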



#52
July 9, 2011 at 05:05:57
kaspersky results:
Status: Vulnerability (events: 2)
7/7/2011 1:36:01 PM Vulnerability vulnerability http://www.securelist.com/en/adviso... C:\Program Files\Java\jre1.6.0_07\bin\java.exe Low
7/7/2011 1:36:27 PM Vulnerability vulnerability http://www.securelist.com/en/adviso... C:\Program Files\Java\jre6\bin\java.exe Low


#53
July 9, 2011 at 05:11:29
i don't know how to create the bootable cd. i don't get any "select media prompts."

my dad will now be talking to you through this forum, and he is not as literate. just go easy on him with the terms! =D



#54
July 10, 2011 at 19:15:05
No problem with your father. Will be glad to have him come onboard at any time.

Going to try the Microsoft Standalone System Sweeper on an XP computer, and see if the prompts are different.

Will let you know.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#55
July 10, 2011 at 19:36:14
Works OK with XP, but must install KB932716 first.

Description of the Image Mastering API v2.0 (IMAPIv2.0) update package that is dated June 26, 2007:
http://support.microsoft.com/kb/932716

Image Mastering API v2.0 (IMAPIv2.0) for Windows XP (KB932716):
http://www.microsoft.com/download/e...

Also, need SP3. Does the computer have SP3 installed?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#56
July 16, 2011 at 07:54:08
yes, it has sp3. will download, and try to get the microsoft scan to run.
by the way, some other questions, meanwhile:

1) how can we be 100% sure that there is no trace of any keyloggers/malware on this computer? like i mentioned before, he does a lot of tax and banking tasks on here, so this is important. would it be better just to totally wipe out the computer, and reinstall? or could some of this malware stay behind somehow?
2) he has two other kids besides me. he has to protect them with parental controls. i noticed that mcafee was rated well by av. is what i got from the website, hard to detect? what would you recommend in his situation, for a good protection suite? i have him using firefox, with some add-ons, such as: ad block plus, better privacy, no script (i think, the most important, to protect harmful scripts from running, as well as re-directs, and WOT). any recommendations?



#57
July 16, 2011 at 09:28:44
i also installed the update, but nothing pops-up when i insert the dvd.


#58
July 16, 2011 at 22:25:59
At this point, if the computer is working normally, and there are no redirections, etc., it appears to be clean. However, a guarantee of 100% clean is not possible.
An infection by a RootKit opens the door for trojans, backdoors and other nasty infections used to steal user credentials or to get access to infected PCs.
Lots of information is needed to come to the decision that a computer is 100% clean. We just touched the tip of the iceberg.

This computer could have gotten infected because someone possibly went to a gaming website, or to a P2P file sharing network, or, several other possibilities...
If this computer is used for lots of tax work and banking tasks, and there are three younger individuals using it also, we may have a dichotomy of interests.
Your father may want to consider getting a laptop or Desktop of his own, and then password protecting it so that only he can use it.

As far as McAfee goes, it can miss detections, just like Norton, or any other AV program. Not aware of any single AV program that is perfect. Malware creators are normally ahead of the game, and AV companies are many times playing catch-up. Some RootKits, like what you had, are notorious for evading detection.


Malware is very frequently installed through vulnerabilities found in outdated and insecure programs. Try using the Secunia Personal Software Inspector to scan for vulnerable programs on your computer:
http://secunia.com/vulnerability_sc...

A tutorial on how to use the Secunia Personal Software Inspector to scan for vulnerable programs is found here:
http://www.bleepingcomputer.com/tut...


Also, here is an extensive list of suggestions to help you maintain a clean system:
http://www.techsupportforum.com/for...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.

#59
July 17, 2011 at 11:39:42
OK, and with the Microsoft scan, is there an alternate route to burning a bootable CD?

#60
July 17, 2011 at 18:50:42
Is the BIOS (Setup) set to boot from CD/DVD?

Press F2 (I think?) when the computer starts
Go to the Boot Sequence
Select the CD Drive
Save the changes

If it is already set to boot from the CD drive, then, something may have gone wrong with the making of the CD/DVD.

Do you have another laptop or Desktop where you can test the CD/DVD? If it doesn't boot there either, that is your confirmation that there is something wrong with it.

I tested a CD on an XP box, and it booted right up.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.

#61
July 18, 2011 at 08:58:02
Oh OK. I did burn it, but I wasn't sure if you had to change some options to make it a bootable CD/DVD.

#62
July 18, 2011 at 20:24:13
Got it to work; didn't find anything.

#63
July 19, 2011 at 12:11:38
Does this work with Windows 7? I tried it, but it just ran to my OS.

#64
July 19, 2011 at 14:42:50
Is your Windows 7 a 64 bit system?

It is no-go if the CD for XP is 32 bit.

You would have to create a 64 bit CD for W7.

Also, the BIOS (Setup) must be set to boot from CD/DVD in W7.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.

#65
July 20, 2011 at 05:49:10
Hm, did all that, but it still doesn't run... weird!
