AumHa Forums

Supporting Users of Windows Desktop Systems

All times are UTC - 8 hours [ DST ]




 Post subject: Re: slow system turned into infected system
PostPosted: Wed 7/21/10 03:54 am 
New Member

Joined: Thu 7/10/08 05:31 am
Posts: 20
OK, restoring ntldr and ntdetect and fixing Boot.ini did the trick. I was able to reboot and my system is back. I was able to connect to the internet, access my files, and even my anti-virus went through its automatic updates. I shut down my system and turned it back on with no problems... I think I'm ready to continue with malware removal.

Thanks,


 
 Post subject: Re: slow system turned into infected system
PostPosted: Wed 7/21/10 08:48 am 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Glad you got the system booted back up. What I'd like for you to do now is follow my last set of instructions from prior to your boot problems. I'll include them below for convenience.

Keep in mind that until I tell you that your system is free of malware, it is not :!: We'll get there and are getting there. :wink:

Pay close attention to the details in the instruction set (e.g. disabling your AV when running ESET) I provide. Details matter :!:

Run ComboFix
Let's re-run ComboFix as follows:

  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • :!: Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
Code:
Killall::

Driver::
NWLNKFLTT

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

Image

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

Re-activate your protection programs at this time :!:

Reboot now, please :!:

ESET Online Scanner
Click => here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Post Back
Please post back with the following:

    1. New Combo-Fix report;
    2. Results from ESET online scan;
    3. How is your system running now?

Note that I'll need to help you clean up after the applications I've had you use once I'm sure that all malware has been removed.

Good Luck :!:

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)


 
 Post subject: Re: slow system turned into infected system
PostPosted: Wed 7/21/10 05:56 pm 
New Member

Joined: Thu 7/10/08 05:31 am
Posts: 20
After all the cleanup my system is somehow running faster. However, it is still a bit slow at startup.
The new set of logs is as follows:

ComboFix 10-07-21.01 - Marco 07/21/2010 16:06:21.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.98 [GMT -4:00]
Running from: c:\documents and settings\Marco\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Marco\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
c:\program files\QuickTime\Plugins\npqtplugin2.dll
c:\program files\QuickTime\Plugins\npqtplugin3.dll
c:\program files\QuickTime\Plugins\npqtplugin4.dll
c:\program files\QuickTime\Plugins\npqtplugin5.dll
c:\program files\QuickTime\Plugins\npqtplugin6.dll
c:\program files\QuickTime\Plugins\npqtplugin7.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWLNKFLTT
-------\Service_NWLNKFLTT


((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-14 20:02 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 01:25 . 2010-07-14 01:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 22:26 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 22:26 . 2010-07-12 22:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 22:26 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 20:25 . 2010-07-12 20:25 -------- d-----w- C:\_OTL
2010-07-11 15:31 . 2010-07-11 15:31 -------- d-----w- c:\documents and settings\Marco\Application Data\Yahoo!
2010-07-10 20:04 . 2010-07-10 20:04 -------- d-----w- C:\wilddeep
2010-07-10 01:47 . 2010-07-10 01:48 -------- d-----w- C:\wilddinosour
2010-07-10 00:54 . 2010-07-10 00:56 -------- d-----w- C:\wildnorthamerica
2010-07-08 17:38 . 2010-07-08 17:38 -------- d-----w- c:\documents and settings\Carmen\Local Settings\Application Data\Identities
2010-07-04 23:28 . 2010-07-04 23:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-03 22:18 . 2010-07-03 22:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-03 19:41 . 2010-07-03 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-03 19:40 . 2010-07-03 19:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-28 21:14 . 2010-06-28 21:14 -------- d-sh--w- c:\documents and settings\Carmen\IECompatCache
2010-06-26 16:49 . 2010-06-26 23:08 -------- d-----w- C:\pottersorcererstone
2010-06-25 22:50 . 2010-06-25 22:50 -------- d-----w- c:\documents and settings\Carmen\Application Data\Malwarebytes
2010-06-25 21:52 . 2010-06-25 21:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 21:00 . 2009-04-10 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-14 01:34 . 2003-10-28 00:17 -------- d-----w- c:\program files\Common Files\Java
2010-07-14 01:26 . 2010-07-14 01:26 503808 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3de5a688-n\msvcp71.dll
2010-07-14 01:26 . 2010-07-14 01:26 499712 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3de5a688-n\jmc.dll
2010-07-14 01:26 . 2010-07-14 01:26 348160 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3de5a688-n\msvcr71.dll
2010-07-14 01:26 . 2010-07-14 01:26 12800 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2aa5cdfe-n\decora-d3d.dll
2010-07-14 01:26 . 2010-07-14 01:26 61440 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2aa5cdfe-n\decora-sse.dll
2010-07-14 01:23 . 2003-10-28 00:17 -------- d-----w- c:\program files\Java
2010-07-09 23:09 . 2003-10-30 22:51 69560 ----a-w- c:\documents and settings\Marco\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-04 22:52 . 2006-02-05 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-03 22:18 . 2010-07-03 19:34 69560 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-03 00:01 . 2003-10-28 00:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-02 23:57 . 2003-10-28 00:28 -------- d-----w- c:\program files\Real
2010-07-02 23:57 . 2003-10-28 00:28 -------- d-----w- c:\program files\Common Files\Real
2010-06-14 14:31 . 2002-08-29 11:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-21 18:14 . 2009-10-02 22:39 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-03-23 1111040]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-11 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 0220621276989528mcinstcleanup;McAfee Application Installer Cleanup (0220621276989528);c:\windows\TEMP\022062~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\022062~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard77002003-08-20 19:57Y3B7211ZPK5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 19:57]

2010-07-21 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-01-25 21:23]

2003-10-30 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2009-12-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-19 17:22]

2009-12-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-19 17:22]

2010-07-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1556)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
.
**************************************************************************
.
Completion time: 2010-07-21 16:37:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-21 20:37

Pre-Run: 40,810,786,816 bytes free
Post-Run: 40,724,115,456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Home Edition" /Fastdetect

- - End Of File - - 70D4BE86794E22F01A77B1356E11E0E0

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=20a5d761f4742349aca5f7ab7370b40c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-21 10:35:34
# local_time=2010-07-21 06:35:34 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 64024431 64024431 0 0
# compatibility_mode=5121 16776869 100 96 1833700 31753082 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=80943
# found=0
# cleaned=0
# scan_time=3790


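As an added example (not code from this thread, from ComboFix, or from the helper): a small Python triage script that parses the autostart sections of a ComboFix log like the one posted above (Run key values, Startup-folder shortcuts and the R/S service lines) and lists the entries an analyst would look at first. It shows, for instance, that the Kodak entry loads from the Startup folder rather than a Run value, and that the `0220621276989528mcinstcleanup` service image sits under TEMP with no file date/size recorded. The embedded log is a trimmed excerpt constructed in the same layout, and the flagging heuristics are mine, not ComboFix's.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the ComboFix logs posted in this thread:
# a Run key, the all-users Startup folder and two service (R/S) lines.
# It is a trimmed, hand-built excerpt, not a real log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-11 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 0220621276989528mcinstcleanup;McAfee Application Installer Cleanup (0220621276989528);c:\windows\TEMP\022062~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
"""


@dataclass
class Autostart:
    """One log line that starts something at boot or logon."""
    kind: str      # 'run' (registry Run value), 'startup' (Startup folder), 'service'
    location: str  # registry key, Startup folder path, or service start type (R2/S2...)
    name: str
    command: str
    fileinfo: str  # the bracketed date/size ComboFix records; '?' when it has none


RUN_KEY = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<info>[\d-]+ \d+)\]$')
STARTUP_DIR = re.compile(r'^(?P<dir>[a-z]:\\.+\\Startup\\)$', re.IGNORECASE)
STARTUP_LNK = re.compile(r'^(?P<name>.+\.lnk) - (?P<cmd>.+) \[(?P<info>[\d-]+ \d+)\]$')
SERVICE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);'
                     r'(?P<cmd>.+?) \[(?P<info>[^\]]*)\]$')


def parse_combofix(text: str) -> list[Autostart]:
    """Pull Run values, Startup-folder shortcuts and service lines out of a ComboFix log."""
    entries: list[Autostart] = []
    key = startup_dir = None  # which section the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RUN_KEY.match(line)):
            key, startup_dir = m['key'], None
        elif (m := STARTUP_DIR.match(line)):
            startup_dir, key = m['dir'], None
        elif key and (m := RUN_VALUE.match(line)):
            entries.append(Autostart('run', key, m['name'], m['cmd'], m['info']))
        elif startup_dir and (m := STARTUP_LNK.match(line)):
            entries.append(Autostart('startup', startup_dir, m['name'], m['cmd'], m['info']))
        elif (m := SERVICE.match(line)):
            entries.append(Autostart('service', m['start'], m['name'], m['cmd'], m['info']))
    return entries


def triage(entry: Autostart) -> list[str]:
    """Heuristic reasons an analyst would look at this entry first (empty = nothing odd)."""
    reasons = []
    if '\\' not in entry.command:
        # No directory at all: Windows resolves the bare name through its search order.
        reasons.append('no directory in command; resolved by search order')
    if '\\temp\\' in entry.command.lower():
        reasons.append('image lives under a TEMP directory')
    if entry.kind == 'service' and sum(c.isdigit() for c in entry.name) > len(entry.name) / 2:
        reasons.append('service name is mostly digits')
    if entry.fileinfo.strip() == '?':
        reasons.append('no file date/size recorded for the image')
    return reasons


def report(text: str) -> dict[str, list[str]]:
    """Map each flagged autostart name to its reasons, in log order."""
    return {e.name: r for e in parse_combofix(text) if (r := triage(e))}


if __name__ == '__main__':
    for e in parse_combofix(SAMPLE_LOG):
        print(f'{e.kind:8} {e.name:32} {e.command}')
    print('flagged:', report(SAMPLE_LOG))
```

Feed it the full text of a posted ComboFix log and only the flagged entries need a closer look; everything else is listed with where it loads from.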
 
 Post subject: Re: slow system turned into infected system
PostPosted: Wed 7/21/10 06:45 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
You backed up all your 'can't lose' data, correct :?: If not, do so now :!:

We need to do two things now.

MBR Check
Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.

Run ComboFix
Let's re-run ComboFix as follows:

  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • :!: Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
Code:
Driver::
0220621276989528mcinstcleanup

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

Image

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

Re-activate your protection programs at this time :!:

Reboot now, please :!:

Post Back
Please post back with the following:

    1. New Combo-Fix report;
    2. MBRCheck result;
    3. How is your system running now?

Note that I'll need to help you clean up after the applications I've had you use once I'm sure that all malware has been removed. Keep an eye on your boot times to see if they improve, which they should after a couple of reboots.

Good Luck :!:

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)


Last edited by KB. on Wed 7/21/10 07:24 pm, edited 1 time in total.
Edit to update MBRCheck link to mirror by ~KB.


 
 Post subject: Re: slow system turned into infected system
PostPosted: Thu 7/22/10 04:55 pm 
New Member

Joined: Thu 7/10/08 05:31 am
Posts: 20
OK, while browsing through this board message on the internet, I noticed my antivirus had an alert about a trojan. Later, after running all the procedures and while typing this message, another window popped up; it was my antivirus alerting me about another trojan. I looked at the antivirus logs and this is what I saw:

one or more iteems were detected on your computer.
Detection Name : Artemis!CE0E60A44F1D (Trojan), Artemis!CE0E60A44F1D (Trojan)
File: G:\Combo-Fix.exe
Process: C:\WINDOWS\Explorer.EXE
Process Description: Windows Explorer

one or more iteems were detected on your computer.
Detection Name : Artemis!EB488A5BC4D2 (Trojan), Artemis!EB488A5BC4D2 (Trojan)
File: C:\Documents and Settings\Marco\Desktop\Combo-Fix.exe
Process: C:\WINDOWS\explorer.exe
Process Description: Windows Explorer

I think my computer is now running normally, slightly faster at startup. However, I would like to eliminate Kodak EasyShare from startup without removing the software. Is there a way I can do that?

ComboFix and MBRCheck log reports are as follows:

ComboFix 10-07-22.01 - Marco 07/22/2010 18:28:00.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.102 [GMT -4:00]
Running from: c:\documents and settings\Marco\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Marco\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0220621276989528MCINSTCLEANUP
-------\Service_0220621276989528mcinstcleanup


((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-14 20:02 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 01:25 . 2010-07-14 01:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 22:26 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 22:26 . 2010-07-12 22:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 22:26 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 20:25 . 2010-07-12 20:25 -------- d-----w- C:\_OTL
2010-07-11 15:31 . 2010-07-11 15:31 -------- d-----w- c:\documents and settings\Marco\Application Data\Yahoo!
2010-07-10 20:04 . 2010-07-10 20:04 -------- d-----w- C:\wilddeep
2010-07-10 01:47 . 2010-07-10 01:48 -------- d-----w- C:\wilddinosour
2010-07-10 00:54 . 2010-07-10 00:56 -------- d-----w- C:\wildnorthamerica
2010-07-08 17:38 . 2010-07-08 17:38 -------- d-----w- c:\documents and settings\Carmen\Local Settings\Application Data\Identities
2010-07-04 23:28 . 2010-07-04 23:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-03 22:18 . 2010-07-03 22:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-03 19:41 . 2010-07-03 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-03 19:40 . 2010-07-03 19:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-28 21:14 . 2010-06-28 21:14 -------- d-sh--w- c:\documents and settings\Carmen\IECompatCache
2010-06-26 16:49 . 2010-06-26 23:08 -------- d-----w- C:\pottersorcererstone
2010-06-25 22:50 . 2010-06-25 22:50 -------- d-----w- c:\documents and settings\Carmen\Application Data\Malwarebytes
2010-06-25 21:52 . 2010-06-25 21:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 21:00 . 2009-04-10 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-14 01:34 . 2003-10-28 00:17 -------- d-----w- c:\program files\Common Files\Java
2010-07-14 01:26 . 2010-07-14 01:26 503808 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3de5a688-n\msvcp71.dll
2010-07-14 01:26 . 2010-07-14 01:26 499712 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3de5a688-n\jmc.dll
2010-07-14 01:26 . 2010-07-14 01:26 348160 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3de5a688-n\msvcr71.dll
2010-07-14 01:26 . 2010-07-14 01:26 12800 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2aa5cdfe-n\decora-d3d.dll
2010-07-14 01:26 . 2010-07-14 01:26 61440 ----a-w- c:\documents and settings\Marco\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2aa5cdfe-n\decora-sse.dll
2010-07-14 01:23 . 2003-10-28 00:17 -------- d-----w- c:\program files\Java
2010-07-09 23:09 . 2003-10-30 22:51 69560 ----a-w- c:\documents and settings\Marco\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-04 22:52 . 2006-02-05 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-03 22:18 . 2010-07-03 19:34 69560 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-03 00:01 . 2003-10-28 00:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-02 23:57 . 2003-10-28 00:28 -------- d-----w- c:\program files\Real
2010-07-02 23:57 . 2003-10-28 00:28 -------- d-----w- c:\program files\Common Files\Real
2010-06-14 14:31 . 2002-08-29 11:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-21 18:14 . 2009-10-02 22:39 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-03-23 1111040]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-11 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard77002003-08-20 19:57Y3B7211ZPK5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 19:57]

2010-07-22 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-01-25 21:23]

2003-10-30 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2009-12-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-19 17:22]

2009-12-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-19 17:22]

2010-07-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 18:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1832)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\windows\System32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2010-07-22 18:56:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-22 22:56
ComboFix2.txt 2010-07-21 20:37

Pre-Run: 40,595,980,288 bytes free
Post-Run: 40,680,333,312 bytes free

- - End Of File - - 623CE437456BC189FECA681A4973382F

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...


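Added example, not from this thread and not ComboFix's own code: a small Python parser for the 'Scheduled Tasks' section in the log layout shown above, with a triage rule that flags any task whose target runs from outside the usual program directories (the directory list is our assumption). The sample log is constructed: two entries are copied from the log above and a third, temp-folder entry is invented so that the rule has something to flag.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ComboFix 'Scheduled Tasks' layout. The first two
# entries are copied from the log above; the third is invented so that the
# triage rule below has something to flag.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder

2010-07-22 c:\\windows\\Tasks\\HP Usg Daily.job
- c:\\program files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\pexpress\\hphped05.exe [2004-01-25 21:23]

2010-07-22 c:\\windows\\Tasks\\MP Scheduled Scan.job
- c:\\program files\\Windows Defender\\MpCmdRun.exe [2006-11-03 23:20]

2010-07-20 c:\\windows\\Tasks\\Updater.job
- c:\\documents and settings\\owner\\local settings\\temp\\updater.exe [2010-07-20 03:12]
.
------- Supplementary Scan -------
"""

@dataclass
class Task:
    job_date: str        # date shown on the .job line
    job_path: str        # path of the .job file
    exe_path: str = ""   # program the task launches
    exe_stamp: str = ""  # timestamp ComboFix prints in [brackets]

# Directories a task is normally expected to launch from (our assumption).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.I)
EXE_RE = re.compile(r"^- (.+?) \[([^\]]+)\]$")

def parse_tasks(text: str) -> list:
    """Return the Task entries found in the 'Scheduled Tasks' section."""
    tasks, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif in_section and line.startswith("---"):  # next section header
            break
        elif in_section and (m := JOB_RE.match(line)):
            tasks.append(Task(m.group(1), m.group(2)))
        elif in_section and tasks and (m := EXE_RE.match(line)):
            tasks[-1].exe_path, tasks[-1].exe_stamp = m.group(1), m.group(2)
    return tasks

def needs_review(task: Task) -> bool:
    """True when the task's target lies outside the expected directories."""
    return not task.exe_path.lower().startswith(EXPECTED_ROOTS)
```

A flagged entry is only a prompt to look closer (vendor, signature, file age), not a verdict on its own.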
 Post subject: Re: slow system turned into infected system
PostPosted: Thu 7/22/10 09:51 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Don't worry about the McAfee findings for Combo-Fix. I'll help you take care of that shortly.

For now, sit tight and wait, Milwaukee is getting hammered by storms (i.e. 5+ inches of rain in two or three hours) and I'm a bit tied up with making sure my castle doesn't get sunk at the moment.

I'll provide directions for you tomorrow.

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)


 Post subject: Re: slow system turned into infected system
PostPosted: Sat 7/24/10 08:02 am 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Let's clean up after the applications I've had you use, shall we :?: Following your reply, I'll provide some final finishing touches.

Uninstall ESET Online Scanner
Go to Add or Remove Programs and uninstall this one, please.

Uninstall Malwarebytes' Antimalware
Go to Add or Remove Programs and uninstall this one too, please.

Delete files/logs
You can delete the OTL application and any logs it created.

ComboFix Cleanup Step #1
Re-name Combo-Fix.exe that you have on your desktop to Uninstall.exe. Then, with all other applications closed, double click on it and let it run.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

ComboFix Cleanup Step #2
Please use Windows Explorer to manually delete the following folders marked in Red below, if they are found:

    C:\Qoobox <= This may be left from ComboFix, go ahead and delete the folder should it exist.
    C:\ComboFix <= This may be left from ComboFix, go ahead and delete the folder should it exist.

Delete Others
You can also safely delete any logs found on your desktop.

Kodak Startup
Start - Run - (type in) msconfig - ok.

Hit the startup tab near the top right and find the Kodak entry you want to disable from running at startup. Un-check it, hit the ok button at the lower left, then hit the apply button.

Reboot when prompted to do so.

Note that you'll receive a message when you re-boot notifying you that you've modified your settings. You can check the box to not show the message again if you like.

Post Back
Please post back that you've finished the above and let me know how the system is running.

Good Luck :!:



 Post subject: Re: slow system turned into infected system
PostPosted: Sun 7/25/10 11:21 am 
New Member

Joined: Thu 7/10/08 05:31 am
Posts: 20
Thanks for your instructions. I hope your house didn't get any damage from the storms; we've been having this crazy weather here in Michigan too ..... I cleaned all the files you mentioned, even disabled Easyshare from startup, which I think was slowing down my system. My computer is running fine and a little faster now. One thing I had to mention though, my antivirus (mcafee) has this computer maintenance feature where cookies, temp files and junk get removed from my system. Once I used this maintenance feature and rebooted my system, it brought me to the NTLDR issue which, now that I think about it, caused the same error rebooting I had previously. I don't think this is normal behavior and would like to know if there's any way that we can resolve this issue. I used your instructions about copying ntldr, ntdetect, and fixboot you recommended to bring back my system.
Thanks,


 Post subject: Re: slow system turned into infected system
PostPosted: Sun 7/25/10 01:06 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Yes, using my earlier instructions to bring back your system was the right choice. Don't use the maintenance feature McAfee offers for now.

Do you have the original installation media (e.g. CD) to re-install McAfee if we choose to uninstall it, run the McAfee cleanup tool and re-install?

:!: Don't mess with it without me providing directions :!:

Let me know when you're back and if you have the media to re-install McAfee, please.

Good Luck :!:



 Post subject: Re: slow system turned into infected system
PostPosted: Mon 7/26/10 11:31 am 
New Member

Joined: Thu 7/10/08 05:31 am
Posts: 20
Yes, my system is running after I restored ntldr, ntdetect and fixed boot.ini. I don't have an installation CD for the antivirus software because it was offered by my broker through an online download. As per your instructions, first run the antivirus cleanup feature and then uninstall-reinstall?
Thanks,


 Post subject: Re: slow system turned into infected system
PostPosted: Mon 7/26/10 01:23 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
See this page: http://service.mcafee.com/FAQDocument.aspx?id=TS100507 for frequently asked questions.

Do these steps in the order specified:

    1. Download the McAfee removal tool ( http://download.mcafee.com/products/lic ... s/MCPR.exe ) to your desktop.

    2. Physically disconnect the machine from the internet and any networks (router).

    3. Uninstall McAfee Security Center via Add or Remove Programs.

    4. Enable the Windows Firewall :!: Guidance in doing so can be found here => http://www.microsoft.com/windowsxp/usin ... ewall.mspx

    5. Double-click on the removal tool you saved in #1 above; reboot twice after the tool completes.

    6. Making certain that the Windows Firewall is enabled, reconnect to the internet and reinstall McAfee Security Center.

    7. Reboot & make certain that the Windows Firewall is *disabled* and the McAfee Firewall is *enabled*.

    8. Manually update McAfee Security Center until you get a "no more updates" prompt.
Post back and let me know if McAfee is working properly now.

Good Luck :!:



 Post subject: Re: slow system turned into infected system
PostPosted: Sun 8/1/10 04:53 pm 
New Member

Joined: Thu 7/10/08 05:31 am
Posts: 20
Sorry for the long delay, I was out of town for work ..... I followed your procedures and re-installed the antivirus, and it is pretty much up to date. The antivirus (mcafee) is running normally, but my system is still a little slow but functional.


 Post subject: Re: slow system turned into infected system
PostPosted: Sun 8/1/10 05:40 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
duenas wrote:
... but my system is still a little slow but functional.
Can you elaborate on that?

What's slow? Is it the internet, opening documents, running applications or ??? Is the system running as well as it did before you posted for help here at AumHa?

Let me know, please.

Good Luck :!:



 Post subject: Re: slow system turned into infected system
PostPosted: Mon 8/2/10 03:56 am 
New Member

Joined: Thu 7/10/08 05:31 am
Posts: 20
I can see that my system takes a bit of time at startup, but I guess that's normal. Also, I have a basic DSL connection, which is probably why navigating the net is slow. In addition, the antivirus does its updates and runs in the background, which also contributes to my system being slow, but I think I have no way out of that one ... My computer is running much better after your assistance, I thank you very much; I have no problems running my programs, i.e., Excel, Word, etc.


 Post subject: Re: slow system turned into infected system
PostPosted: Mon 8/2/10 03:34 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Is the system back to the level of performance it had prior to your malware infection?
