
Help removing msa.exe, cannot run or rename hijackthis.


by calabresi » September 29th, 2009, 7:00 pm

Hello,

A friend of mine called me for assistance with her computer, and I went over to help her out.

Avast!'s registration had expired, and therefore something must have gotten in -- anyway, Avast! was disabled, and I couldn't run HJT (even with renaming it), nor MalwareBytes (again, even with renaming it). I renamed and ran ComboFix (because that was the only thing that would function); it detected rootkit activity, rebooted the computer, and then ran. I rebooted again and tried to run MWB or HJT again, no soap. I can't even rename them now, it says that access is denied. I tried running CFix again, but that didn't help. Stupidly, I didn't save the first log, so all I have is the log from the most recent run, included below.

I'm running XP in Safe Mode logged in as Administrator. No networking, no nothing - this box has been quarantined until we sort this.

Thanks in advance for your help,
MC

--ComboFix log follows:

Code:
ComboFix 09-09-28.01 - Kay1 09/29/2009 15:17.2.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.223.5 [GMT -7:00]
Running from: c:\documents and settings\Administrator.KAY\Desktop\cfix.exe
AV: avast! antivirus 4.8.1335 [VPS 090929-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((   Files Created from 2009-08-28 to 2009-09-29  )))))))))))))))))))))))))))))))
.

2009-09-29 20:35 . 2009-09-29 20:35	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-29 20:35 . 2009-09-29 20:35	--------	d-----w-	c:\documents and settings\Administrator.KAY\Application Data\SUPERAntiSpyware.com
2009-09-29 20:31 . 2009-09-29 20:31	--------	d-----w-	c:\documents and settings\Administrator.KAY\Application Data\Malwarebytes
2009-09-29 20:31 . 2009-09-29 20:31	--------	d-----w-	c:\program files\poo
2009-09-29 19:57 . 2009-09-29 19:57	--------	d-----w-	c:\documents and settings\Kay1\Application Data\Malwarebytes
2009-09-29 19:57 . 2009-09-10 21:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 19:57 . 2009-09-29 20:19	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-09-29 19:57 . 2009-09-29 19:57	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 19:57 . 2009-09-10 21:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-09-28 05:10 . 2009-09-29 20:22	0	----a-r-	c:\windows\win32k.sys
2009-09-09 08:51 . 2009-06-21 21:44	153088	-c----w-	c:\windows\system32\dllcache\triedit.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 22:03 . 2009-02-07 21:49	256	----a-w-	c:\windows\system32\pool.bin
2009-09-29 21:34 . 2009-03-01 01:39	--------	d-----w-	c:\program files\Trend Micro
2009-09-06 01:21 . 2005-04-11 13:48	34528	----a-w-	c:\documents and settings\Kay1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 02:28 . 2009-08-20 19:58	--------	d-----w-	c:\program files\eGames
2009-08-23 00:18 . 2009-08-23 00:18	--------	d-----w-	c:\program files\MSBuild
2009-08-23 00:18 . 2009-08-23 00:18	--------	d-----w-	c:\program files\Reference Assemblies
2009-08-22 23:58 . 2009-08-22 23:58	4096	----a-w-	c:\windows\d3dx.dat
2009-08-05 09:01 . 2003-03-31 12:00	204800	----a-w-	c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-03-31 12:00	58880	----a-w-	c:\windows\system32\atl.dll
2009-07-12 19:21 . 2004-08-16 00:00	233472	----a-w-	c:\windows\system32\wmpdxm.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-09-29_21.12.44   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-29 22:03 . 2009-09-29 22:03	16384              c:\windows\Temp\Perflib_Perfdata_528.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-8-17 1447184]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-5-3 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/28/2009 7:18 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/28/2009 7:18 PM 20560]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://qwest.live.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 15:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3384)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-29 15:28
ComboFix-quarantined-files.txt  2009-09-29 22:28
ComboFix2.txt  2009-09-29 21:26

Pre-Run: 27,014,672,384 bytes free
Post-Run: 26,986,725,376 bytes free

99	--- E O F ---	2009-09-09 10:05

Re: Help removing msa.exe, cannot run or rename hijackthis.

by NonSuch » October 1st, 2009, 1:54 am

I am very sorry, but logs are required in order to assess the infections on a system. If you are unable to create logs of any kind on this system, then the only option is to reformat it and reinstall the operating system.

As no logs can be produced on this system and logs are required for evaluation, this issue will likely need to be resolved with a reformat; therefore, this topic is now closed.
