PhilliePhan 171 Central Scrutinizer Team Colleague

Any other ideas?

Let's whack at it from a different direction:

Download RootRepeal.exe and save it on the root of C drive ---> C:\RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe

-- Open RootRepeal and click the Report Tab
-- Click the Scan Button.
-- Check ALL Seven Boxes
-- Click OK.
-- Check the box for your main system drive (Usually C:\) and Click OK.
-- Allow the scan to run for as long as it takes. When it finishes, Click Save Report.
Save the log to your desktop where you can find it easily and post it for me.

--Then, please run a fresh DDS scan and post the DDS.txt. I do not need to see Attach.txt.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Okay, I had no issue running the two Kaspersky scans (Computer+Critical Areas) . . . . Requesting help on what to do now.

Kaspersky looks good.

With GMER, you pretty much need to let it run and don't touch anything while it scans, otherwise you can have problems such as what you experienced.

Reboot and see how things are running. I'd say based on the Kaspersky scan that you are probably good to go.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry for the double post. GMER has been scanning for over 2 hours now; it didn't look like anything was found, but obviously the computer just froze when I tried to move the mouse and check on the progress. :( Whatever this is, HW or a virus, or both, I'm afraid it beat me. Unless there are other suggestions I will probably reformat everything and start clean.

I would guess you have one of the popular MBR Rootkits that is making the rounds lately.
People seem to be having trouble with GMER lately - you pretty much need to leave the compy alone while it runs.

Let's try this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for us.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Let's see what that tells us.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am running the GMER scan right now.

I am having a problem with the Kaspersky though. . . .

OK - let me know how it shakes out.

I thought the new Kaspersky scan might be easier since it runs "in browser."
If no luck there, we can try something different.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . .Shoot.

Looks like crunchie and I are going in two different directions.

I am going to leave my post up since I think it is a valid way to proceed + that temp file is iffy.....

@crunchie - since you were here first, feel free to delete my post. No worries :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Your HJT log looks OK for the most part, though HJT alone is inadequate to diagnose today's malware.

Do you know what this is?
C:\WINDOWS\TEMP\GNCF1E.EXE

Since your other scans have not turned up anything, please try the following and post the logs for us:

FIRST:

Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.

THEN:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
* When GMER opens, it should automatically do a …

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope this is what you are looking for.

That'll work :)

To start, please go into Add / Remove Programs and Uninstall these:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_11
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

Messenger Plus! 3
Messenger Plus! Live

Then, please go to http://www.java.com/en/ to download and install the latest version of Java.

--- Has your Norton AV Subscription lapsed? You'll need up to date AV.....

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me.

Will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

As an FYI, Symantec Endpoint Protection needs to be completely removed in order to run Combofix. I tried to disable it and run it but it wouldn't, so my only option was to completely remove it.

That's interesting - there is a command we can use to start combofix that may address this.....

Interestingly enough, I didn't see what I expected to see. So, let's try this:

First - DELETE this ---> c:\windows\system32\fjhdyfhsn.bat

Then:

Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.


Let's also do a more thorough …

PhilliePhan 171 Central Scrutinizer Team Colleague

I installed the Comodo AV+Firewall and removed Norton.

I also ran the Comodo scan and it turned up nothing.

Great!

I'd like to run two final scans to make sure everything is OK.

Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.


THEN:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
* When GMER opens, it should automatically do a quick scan for rootkits.
When the quick scan finishes, click the Save Button …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi all -- after some recent (and still on-going -- see my thread elsewhere in this forum =P) virus/malware trouble, I'm trying to make sure I've got decent AV/FW software. I get my AV -- McAfee VirusScan Enterprise 8.0 -- free through my university affiliation; are any of the free options out there superior to it?
And I recently installed ZoneAlarm after using only the Windows Firewall; is Comodo superior enough to it to make switching worth the relatively minor trouble?

That's a pretty subjective question - very open to opinion.

If you are getting McAfee for free, I'd probably stick with that for the time being. Just keep it up to date! If you add some complementary "real-time" anti-malware protection such as WinPatrol, that might help as well....

If I am not mistaken, the McAfee suite also includes a firewall, so running an additional firewall could be problematic. I could be wrong - you'd need to verify this in McAfee.

-- Hopefully one of the volunteers will be able to have a look at your thread and advise you further. Rough going this time of the year with the holidays and all....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a ton. Computer is running at 100% now. Only problem is, it didn't delete my System Restore. Hence I get spammed with "viruses found in C:\system recovery".

Let's try manually flushing System Restore and see if that helps.
Just turn System Restore off and then back on as per the following linky:
http://support.microsoft.com/kb/310405

Now, if you still get that message after doing this, we'll have to look further.....


--- Is that the exact message? C:\System Recovery is a different animal than System Restore.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Nate,

Things are looking better, but there is another tool I'd like to run.
-- BTW - run only one scan at a time to avoid complications.

First, though, we need to uninstall and remove Norton. If the subscription has lapsed and it doesn't have fresh definitions, then it is pretty useless.

Remove the Norton and install this Free AV + Firewall from Comodo.

. . . Or something different if you prefer - But you need to get that squared away and then we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi thanks for your help.
I'm working my way through your suggestions.

Allrightythen!

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PP, is combofix back up and running?

It seems so - let's give that a go and see what shakes out.

If you already have Combofix on your machine, DELETE it.

Here are the instructions to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (as you did on the other machine) and disable any security programs or Anti-Virus programs as per the linky before running Combofix!

Will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I was reading something on another thread about how registry cleaners are not good; I use 2 of them, should I not be? And also, how can I stop this from happening? My antivirus programs/scans are:

I don't care too much for registry cleaners - often they do more harm than good and you'd be hard pressed to see any improvements after using them.
More and more people are infected by P2P stuff each day - you might consider this the new front line for malware. It is easy to infect a machine when it is inviting you to do so.... That would be the first place to take preventive measures to not get infected again.

-- A defrag every day is a bit of overkill. Even once a month is overkill in my book. Although, if you add and remove a lot of data on a regular basis, you might need to do this more often.

-- Be sure to keep your Norton up to date.
-- MBAM once a week with updated builds and definitions is a good idea.
I might replace SpybotSD with SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
A bit of a different tool - similar to Spybot's "immunize" feature.

-- I also like Erunt as an alternative to System Restore, though using both won't hurt anything:
http://www.larshederer.homepage.t-online.de/erunt/

-- Some good "real-time" protection is a must. I like WinPatrol:
http://www.winpatrol.com/

I also like A-Squared, though I …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Nate,

I need you to run the ESET and MBAM scans again and this time Remove the baddies :)

Also, it looks as though you tried some repair steps yesterday - what did you do?

-- Is your Norton AV subscription valid or did you let it lapse?

-- Please go into Add / Remove programs and Uninstall these two items:

Adobe Reader 7.0.5
J2SE Runtime Environment 5.0 Update 5

Then, reinstall the latest and much more secure versions:
http://get.adobe.com/reader/ - No need for McAfee Security Scan, but up to you.
http://java.com/en


Post me the fresh logs with the baddies removed and give me another DDS from AFTER the new runs of MBAM and ESET.
Be sure to Reboot after running MBAM.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, I think my computer has some problems.
Please help if you can.

You've got some baddies.

-- Please delete your current HJT. It is outdated. No need for new version at this time.

-- Please post the scanlogs requested in the linky below and I or one of the other volunteers will have a look as time permits.

http://www.daniweb.com/forums/thread134865.html

Things are a bit hectic this time of year, so responses may be a bit slow.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Nate,

Please post the scanlogs requested in the linky below and I or one of the other volunteers will have a look as time permits.

http://www.daniweb.com/forums/thread134865.html

Things are a bit hectic this time of year, so responses may be a bit slow.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Is there anyone out there who can help? I have an Acer 1644 laptop; lately the laptop has been getting very hot. Now, however, when the laptop gets hot it has started losing the output to the screen. Is there anything I can do or is it on its way out?

If you're game, you can try some of the suggestions in the linkys below.
Or have a shop look at it....

http://www.informationweek.com/news/hardware/showArticle.jhtml?articleID=60300177

http://www.fonerbooks.com/lap_fan.htm

There ought to be a number of detailed resources on the web - probably even "how to" videos.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for all your time PP!

You're welcome :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I think it's gone for good. Only thing that annoys me is my antivirus sometimes pops up that I have a virus in the System Restore folder.

Great!

-- Did you adjust your security settings in IE to deal with the error message?

-- Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Flushing System Restore will stop those AV messages.
If combofix does not uninstall properly (due to beta or that it is not on desktop) let me know.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'd be just as inclined to ignore it as I did before but I just wanted to see if it was a known problem. Kaspersky reports in as being alive and well from its own control panel.

This is a known problem for many AV products - I think more to do with Security Center and Vista than the AV.

There are a few different programs available to reset Security Center, if you care to search for them.
Often, it helps if you uninstall your AV before resetting Security Center. Then, Reboot after the uninstall / run the reset tool or manually reset Security Center / Reboot again / reinstall AV product.
That often does the trick.

'Course, that is a bit of a hassle to go through when your AV is reporting that it is functioning properly.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Okay, so I forgot to extract the contents to the desktop (it was in a file folder) so I had to rerun Avenger... glad I actually read the log :D.

Great - Go ahead and delete those two files.
If you are more comfortable renaming c:\windows\system32\fbhco.dll to fbhco.OLD rather than deleting it, then do that.

The other one obviously needs to go.

Other than those and this folder - c:\program files\Common Files\tya62hfb - I think you are good to go now.

How are things running?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Is there an easy scan for me to tell if the other 6 terminals are infected? I do run MBAM every once in a while, but is that going to tell me if it is infected with this? All my other machines are acting normal at this point.

MBAM is good. The Kaspersky or ESET online scans are good, too.

DDS is quick and will show many baddies.
The GMER Quick scan is good to try in conjunction with DDS. But both of these require interpretation by somebody used to reading the logs to pick out most baddies.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am not sure what Viewpoint is used for. Can I just remove it?

I am not sure what that file and folder are. I will have to check with some of the other terminals on the network and see if I can see similar folders and files. Most of the computers were all from the same time frame and that looks like a system file, so maybe the others will have it. You are going to have to re-instruct me as to how to use Combofix when it is back up.

Let me know when we are good to go.

Thanks

No worries - Hopefully it'll be back up for general download soon.

-- I hope you don't have a network of infected machines . . . This one is worse than the last, or close to it.

You can just uninstall Viewpoint Media Player via Add / Remove programs. Not that big a deal.

The Adobe and Java updates are much more critical for security. You probably need them on all machines to help keep the Vundo away.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

The best thing you can do now is just format and re-install the OS.

Really?
Please explain the reasoning for that.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Dude! Ya' think?! Anyone have the latest scoop on antivirus software / suites?
Help please
Happy Holidays
Eva5

Best "for pay" options:
ESET Smart Security 4
Kaspersky Internet Security 2010

Best free option:
Comodo Firewall + AV

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

or is it still possible that something has severed the ties between Windows and the AV or worse?

It's probably just Vista being Vista....

If you haven't solved this already, you can try this:

-- Open an Elevated Command Prompt
-- At the prompt, type: net stop winmgmt ENTER

Keep the command prompt open.

-- Navigate to C:\Windows\System32\Wbem\Repository
Then, either delete the Repository Folder or, better yet, Rename it to Repository_OLD

-- Go back to your command prompt and type: net start winmgmt ENTER and close the prompt.

Give it some time to rebuild and you ought to be good to go.

Cheers :)
PP

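The three-step WMI repository rebuild above as a PowerShell script, added here as an example (it is not part of PhilliePhan's post). It assumes an elevated prompt on Vista or later and the default repository location under System32\Wbem; the backup folder name and the `winmgmt /verifyrepository` check before and after the rebuild are the example's own additions, there so the folder is not renamed when the repository is actually fine and the Security Center symptom has another cause.

```powershell
# Added example, not from the original post: the net stop / rename / net start
# procedure above as a script, with a consistency check before and after.
# Assumes an elevated PowerShell prompt on Vista or later and the default
# repository location; the backup folder name is this example's own choice.

$repo   = Join-Path $env:SystemRoot 'System32\Wbem\Repository'
$backup = 'Repository_OLD_' + (Get-Date -Format 'yyyyMMddHHmmss')

# Stopping winmgmt and renaming under System32 both need elevation; fail early without it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

function Test-WmiRepository {
    # winmgmt prints "WMI repository is consistent" when the repository is OK.
    $out = (& winmgmt /verifyrepository 2>&1) -join ' '
    Write-Host "winmgmt /verifyrepository: $out"
    return ($out -match 'is consistent')
}

if (Test-WmiRepository) {
    Write-Host 'Repository is consistent; the AV / Security Center mismatch is probably not a WMI problem.'
    return
}

# -Force also stops the services that depend on winmgmt (Security Center among them).
Stop-Service -Name winmgmt -Force

# Rename rather than delete, as the post recommends, so the old repository can be put back.
Rename-Item -Path $repo -NewName $backup

Start-Service -Name winmgmt
Start-Service -Name wscsvc -ErrorAction SilentlyContinue   # Security Center, if installed

# WMI recompiles the MOFs on its autorecover list at start-up; give it a moment before checking.
Start-Sleep -Seconds 30
if (Test-WmiRepository) {
    Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version
} else {
    Write-Warning "Rebuild did not verify; the old repository is still at $(Join-Path (Split-Path $repo) $backup)."
}
```

On Vista and later, winmgmt also has /salvagerepository and /resetrepository switches that repair or reset the repository without renaming the folder by hand; the manual rename is still handy when you want to keep the old repository for comparison. Anything that depends on winmgmt stops with it, which is why the script restarts wscsvc afterwards.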
PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . That still leaves a mess.

I'd like to wait until combofix is back up (non-beta) and then have a go with that.

In the meantime, you should update Adobe / Java as with previous compy and remove the old versions.
Also, remove Viewpoint, if you so desire.

-- Do you know what this is? What's in the dirfut folder?
c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the reply, and I really appreciate you helping me even with all the work you gotta do :).
I'm going to go ahead and say it's safe to use:
"I'm reasonably satisfied that the BETA is safe for use by forum helpers."

Happy to help - my worry is that I'll get sloppy when pressed for time and miss something.


Anyhoo, that log looks OK to me outside of a couple things.
I do not know what these are:

c:\windows\system32\dpunicor.dll
c:\windows\system32\fbhco.dll
RightClick on these and see what property and version info is listed, if any. You'll need to have the Viewing of Hidden Files enabled to see them, if not already enabled.

Better yet, go here ---> and use the Browse Button at the top of the page to navigate to each of those items and Submit them for analysis. Let me know what you find. If even one scanner reports malware, let me know.

S2 7abs3rho7;nmahnds;"c:\program files\Common Files\tya62hfb\zmaodn92.exe"
I think this might be related to Viewpoint foistware, but not sure.
You'll need to check the Folder as well - what else is in that folder?


It looks as though TDSSKill "cured" the infected atapi.sys, but I'd like to do this anyway:

-- Download the attached File.zip and extract the contents to the Desktop

If you don't still have this on hand, download The Avenger …

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh yeah, I do have full internet access and it is not blocking sites like it was before.

OK - see if you can update and run MBAM and post the log for me.

Looks like a bunch of Vundo + others. You'll definitely need to get that Java updated on all vulnerable machines on the network.

Let's see what MBAM can remove and go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Do you think I'll be fine using the "CF Beta"?
http://twitter.com/BleepinComputer

That's your call.

I'm sure sUBs would not release it at this point unless he was confident it was working properly - but again, there are no guarantees.

I would still like to get a handle on what exactly is still infected here as the various logs tell a varying story.

-- There is no rush on my end as I am pretty swamped with work these days. Ball's in your court - if you want to go ahead with kittyfix, it's up to you.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Scott,

That looks like an extremely nasty infection with many possibly modified system files.

-- Any way to get a more current version of MBAM to run? That's an old build with ancient definitions.

-- Can you tell me what this is? Do you recognize it as business related and tailored to your user? --> mikekafka.exe
c:\documents and settings\mikekafka\mikekafka.exe

With combofix down, we'll need to try a few other things. Let me know about the above.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

The file you mention is part of an Enterprise product that I do not support. I would suggest that you either contact Symantec Enterprise Support and/or join the Symantec Forums and post your question there.

As an unpaid volunteer like most of us in the forums, I have neither the time nor the inclination to do that.
Hopefully Symantec has noted this problem and will address it.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks. In the meanwhile, I want to throw out that I'm still constantly getting a "virus" found in C:\system restore (75% of the time), or in the C:\ drivers.

That is to be expected. Once we get this sorted out, we'll flush System Restore. Just ignore that for now - not going to hurt anything and it's good to have a restore point on hand if needed. Even an infected one.
Atapi.sys and others are probably still infected - that's where the drivers folder comes in. We'll need to replace the infected drivers. Combofix will usually do this, though we might have to DL fresh copies of the infected drivers.

And also 75% of the time I open IE7 (I thought it was 8) I get a popup "ad.yieldmanager.com". It's blank though, and IE 7 said pop-up blocked.

I wouldn't worry about that at the moment - bigger fish to fry....

Edit: are there any programs that stand out "Uninstall now!!"?
http://img.photobucket.com/albums/v439/Tug_bran612/programs.jpg

Remove Adobe Reader 7 and then update to Adobe Reader 9 for better security.
http://www.adobe.com/products/reader/

Remove J2SE Runtime 5.0 and Java 6 Update 7

Leave Java 6 Update 17 alone - that is the one you want to keep right now.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the reply...but

Yeah - that happens now and then. Usually due to a bad interaction with a piece of malware. Not sure if that's the case this time as I was away from compy for much of the weekend.
Go ahead and delete your current copy of combofix - no reason to have that on hand.

Guess we'll have to wait until sUBs addresses the issue and makes it available again.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Still at work =\, but do you know how I got this? Like, I thought the antivirus/spyware scanners/etc. were doing the job. Would you care to look at my program list and tell me what I should get rid of?

It is hard to say how you got infected - looks to me as though much was cleaned before you posted here.
A lot of times I see a ton of P2P clients/apps on infected compys. Also, could be some sort of "drive by" download.

We can have a look at updating/removing stuff once we get this sorted out.

Volume in drive C is PRESARIO
Volume Serial Number is

CMD said file is not found.

That is odd, since combofix noted it was infected. We may need to download new copies if they have been removed.


Let's try this again and see what shakes out:

Please Delete your current copy of Combofix
Then follow the instructions in the link below as you did before to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure all AV and anti-spyware are temporarily disabled for the run. Please post me the log.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Norton products do not disable or interfere with the monitoring of System Restore points.

Thanks, Mike.

I am assuming SrtETmp is some sort of protected file? Judy has a recent thread with the same error, so I'm a bit curious....

It clearly states the SR has stopped monitoring - I imagine then that deleting SrtETmp is out of the question?

12/6/2009 7:34:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I doubleclicked the EXE and ran it instead of going into CMD and running it. I thought I was supposed to copy what you typed and paste it in the program you posted.

Ok - it ran and cleaned the first time through. The only difference between that and the command I posted was the log output.

The second run was clean, so we're good there.

But once im in the Recovery Console, what do i want to do there?

Hold off on that for now and let me see that Look.txt from previous post.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Uhh, also I ran this wrong, and re-ran it >< I don't know if that's the original log.

How did you run it wrong? Did it prompt you to delete anything?

The log you posted is clean - otherwise it would have shown something like "atapi.sys is infected by TDSS rootkit" and then cured it.

-- Please open a command prompt START > RUN > type cmd ENTER
At the prompt, type dir /a /s "iaStor.sys" >C:\Look.txt
and hit ENTER.

Please post me the Look.txt.

Also, you never told me if you tried the Recovery Console and the fixmbr command.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I just want to say here and now, I really appreciate the help. And no problem in posting late... at least it's not like a regular forum where people read it, and no one helps. This really is a nice forum.

There are a lot of good forums, but most are overwhelmed with requests for help and have few regular volunteers. Factor in the holidays and you might have quite a wait.
I have a friend who runs the malware forum at another site and, while they offer excellent advice, they run 2-3 days between replies....

I copied the first one in CMD, but it said it couldn't find the second one though, but I carried on.

That's what I figured - we'll need to look for it. Probably need to come up with two uninfected copies.....

-- Did you try the Recovery Console and fixmbr? We'll have to do that again once we get rid of the modified files.

Then i left my computer running, and came back to this screen.
http://img.photobucket.com/albums/v439/Tug_bran612/found-1.jpg

That is not surprising - we may need to download a clean copy.


Let's first try whacking at this with a different tool:

Please download TDSSKiller.zip and Extract TDSSKiller.exe from the ZIP to your Desktop.
-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER:

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. …

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry for the late reply - really tied up with work these days.

Please try the following:

Click START > RUN > type cmd and hit OK
At the prompt Copy&Paste the complete text in Red below and hit ENTER:

Copy C:\windows\ServicePackFiles\i386\atapi.sys C:\

Then, with the command prompt still open, do the same for this one:

Copy C:\windows\ServicePackFiles\i386\iaStor.sys C:\


NEXT:
Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\iaStor.sys | C:\windows\system32\drivers\iaStor.sys
C:\atapi.sys | C:\windows\system32\drivers\atapi.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

THEN:
Reboot into the Recovery Console (you should now have the option to select that option on reboot).

-- At the command prompt, type fixmbr and hit ENTER.

Then reboot to Normal Windows and …
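The copy-and-compare steps above, together with the `dir /a /s` search for driver copies in the earlier post, done as a PowerShell script. This is an added example, not PhilliePhan's or the thread's own instructions; it assumes an XP-style layout with a reference copy under C:\Windows\ServicePackFiles\i386 and an elevated PowerShell 2.0-or-later prompt, and the function name, parameters and output fields are the example's own choices. It hashes every copy of each driver it can find, compares each against the ServicePackFiles copy, and reports the Authenticode status alongside. Two caveats a practitioner should keep in mind: XP-era OS drivers are usually catalog-signed, so a NotSigned status on its own proves nothing (the hash comparison is the real check), and a rootkit that filters disk reads can hand back clean bytes for a patched driver, which is why an offline check from the Recovery Console or another boot medium is the stronger test.

```powershell
# Added example, not from the original thread: find every copy of a driver on
# the drive (what "dir /a /s" did in the earlier post), hash each one, and
# compare it with the copy in ServicePackFiles\i386 that the post above copies
# to C:\. Assumes an XP-style layout and an elevated PowerShell 2.0+ prompt;
# the function name, parameters and output fields are this example's own.

function Get-FileSha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
}

function Find-DriverCopies {
    param(
        [string[]]$DriverName   = @('atapi.sys', 'iaStor.sys'),
        [string]  $ReferenceDir = (Join-Path $env:SystemRoot 'ServicePackFiles\i386'),
        [string]  $SearchRoot   = ($env:SystemDrive + '\')
    )
    foreach ($name in $DriverName) {
        $refPath = Join-Path $ReferenceDir $name
        $refHash = $null
        if (Test-Path $refPath) {
            $refHash = Get-FileSha256 $refPath
        } else {
            Write-Warning "No reference copy of $name under $ReferenceDir; reporting hashes only."
        }

        # -Force is the equivalent of dir /a: include hidden and system files.
        Get-ChildItem -Path $SearchRoot -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $hash  = Get-FileSha256 $_.FullName
                $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
                # $null when there is no reference copy to compare against
                $match = $null
                if ($refHash) { $match = ($hash -eq $refHash) }
                New-Object PSObject -Property @{
                    Driver     = $name
                    Path       = $_.FullName
                    Size       = $_.Length
                    LastWrite  = $_.LastWriteTime
                    SHA256     = $hash
                    MatchesRef = $match
                    # Catalog-signed OS drivers often report NotSigned here; rely on the hash.
                    Signature  = $sig.Status
                }
            }
    }
}

Find-DriverCopies |
    Sort-Object Driver, MatchesRef |
    Format-Table Driver, MatchesRef, Signature, Size, LastWrite, Path -AutoSize
```

A copy under system32\drivers whose hash differs from the ServicePackFiles copy, or a copy sitting somewhere unexpected, is what you would hand to the forum helper; the ServicePackFiles copy itself can be tampered with too, so a mismatch says the two differ, not which one is clean.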

PhilliePhan 171 Central Scrutinizer Team Colleague

Any help would be greatly appreciated

Do you have any reason to suspect malware?


Let's try this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


I or another volunteer will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

he took it away to do some checks on it, brought it back and suggested that the hard drive needed to be formatted so that the system files could be reinstalled free of viruses, Avast also said the same thing.

A reformat is probably the best course of action in your case.
In some cases, though, that is problematic - not having a copy of your Windows CD is one of those cases....

I would like to know what happens with my Win XP licence if I reformat the hard drive, version 3 update has already been installed,

Because of the Windows Genuine Advantage software, you would not be able to get the critical updates needed to keep your system secure.
Also, you would be unable to receive support in many security forums due to an "illegal" OS....
You might be able to contact M$ for assistance - if you do have a valid product key, they might be able to help.

I would prefer to have a genuine copy of Windows XP rather than a pirated program. I had a look on the PC World website for one but could not find one. Is it worth buying a new copy, because it will be obsolete fairly soon?

That depends on a number of factors. Personally, I have some programs that run optimally with XP and they are no longer supported - So I'll keep XP for those.
If you do decide to move up …

PhilliePhan 171 Central Scrutinizer Team Colleague

. . . . This process requires that certain system level files be "locked-down" which is why the System Restore feature may fail.
. . . . as the instructions clearly state that if you do need to carry out a System Restore, that the Norton Product Tamper Protection feature will only be temporarily disabled. . . . .
Let me know if you have any further questions.

Hi Mike - thanks for jumping in :)

I do have a question - If Norton disables System Restore monitoring as noted in the Event Log message, then there are no viable Restore Points being created, thus defeating the purpose of the System Restore function. This is less than desirable.
How do we stop that from happening?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

IE8 is working, but sometimes when I open it, I get some popups and sometimes it opens my C drive?

Well . . . That combofix log is ugly. You have some nasty rootkitted malware. Probably not responsible for the IE8 issues since other browsers work, but definitely more serious and worrisome....

  • Do you have your Windows CD?
  • Are you able to make backups of your important data (music / pictures / work product and the like)?

You should keep this computer offline as much as possible and, if it is part of a network, disconnect it from the network until it can be cleaned.

I'd like to have a more detailed look at some things:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

  • DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.

    • When GMER opens, it should automatically do a quick scan for rootkits.
    • When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.
  • If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

  • Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
  • Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:

    • Sections
    • IAT/EAT
    • Drives or Partitions other than your Systemdrive (usually C:)
    • Show All (be sure this …
PhilliePhan 171 Central Scrutinizer Team Colleague

PP,
every time I start up that terminal I get my desktop and a window of explorer opens that is C:\Program Files\Adobe\Acrobat.com.

Well . . . There are a number of ways to stop this. You could uninstall the Acrobat.com component, but I would try that last.
Let's first see if we can remove the startup registry entry.

Please download HijackThis

Start HJT & press the "Do a system scan and save a log file" button. Please post that log for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm pretty sure I have a virus/malware of some sort.
I cannot get IE to work; some programs I can't update (or connect to the internet). Thing is, I can't find anything that's wrong with the computer. Several scans show nothing, but I wish I could go into Safe Mode and scan there... but I can't =\

Well, there is some malware showing in that log, so let's try this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions in the linky very carefully to run it and then post the combofix log for me.

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Will try to check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

:( Anything I can do to get this thing eliminated? I looked at the stickies and tried running those programs, but no luck. I also can't go into Safe Mode. It just restarts.

Sorry for the lack of replies - it's the holidays and most of the regular volunteers are pretty busy. That and most IE8 issues are hard to track down if not obviously due to malware....

Not sure about your IE8 issues.
If IE7 works OK, the IE8 troubles are probably not malware-related.
Did you try reinstalling it? Seems to be a lot of this going around.

Honestly, while this is not a solution, go with Firefox or Opera - Both are much better browsers.......

I'd be more worried about not being able to get into Safe Mode at this time.
Were you infected with malware recently?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, please tell me what I should do now.

If you are going to re-format and re-install windows, you'll need to buy a legal copy of XP (or whatever OS you desire) in order to get all the critical updates and patches.
M$ has really cracked down on piracy in the last few years with Windows Genuine Advantage . . . .

As for Avast! being demolished by the malware - You really need to have some sort of good anti-malware program running in conjunction with your AV to be properly protected.
Some AV products deal with Trojans / Worms and other "non-viral" malware better than others. The Kaspersky Security suite is pretty solid in this regard.

-- Have you tried running MBAM or combofix to address your infestation?

PP:)