MalWare Removal Forum

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Thu 24 Mar, 2011 5:15 pm
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
Also, it has not yet asked me if I want to continue scanning.

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Thu 24 Mar, 2011 8:36 pm
Admin/Teacher

Joined: Sun 17 Apr, 2005 8:25 pm
Posts: 13439
Location: New Hampshire USA
You should begin to see it count various tasks from 1 to 50 or so, then take a while to roll up the report.
Wait (let me know if it doesn't move for 30 min.)
 
 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Thu 24 Mar, 2011 8:45 pm
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
It's still not moving; it's been about 4 hrs.

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Fri 25 Mar, 2011 2:23 pm
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
When I got home the window was gone and a new file called catchme.log was on the desktop.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/24/2011 at 9:36:40.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\verclsid.exe


Rkill completed on 03/24/2011 at 9:36:43.


File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared
 
 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Fri 25 Mar, 2011 4:07 pm
Admin/Teacher

Joined: Sun 17 Apr, 2005 8:25 pm
Posts: 13439
Location: New Hampshire USA
When you can, please post the contents of catchme.log.

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Fri 25 Mar, 2011 4:37 pm
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Fri 25 Mar, 2011 6:17 pm
Admin/Teacher

Joined: Sun 17 Apr, 2005 8:25 pm
Posts: 13439
Location: New Hampshire USA
redbull,

I believe you have a rootkit infection and/or a severely damaged system.
If you have rebooted the machine since you last ran RKill, run it again, but don't bother with any logs it produces.
Then without rebooting, let's see if you can get this one to run:
-----------------------------------------------
Run RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program, or in Vista, right click and choose "Run as administrator"
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select every drive showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program
  • Post the contents of RootRepeal.txt in your next reply

askey127

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sat 26 Mar, 2011 4:49 am
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/03/25 21:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9DA97000 Size: 892928 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9CC9A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\melissa\local settings\temp\~dfb082.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

Path: c:\documents and settings\melissa\local settings\temp\~dfb2d6.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\melissa\local settings\temp\~dfbed2.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: C:\System Rollback Data\Restore\Archive\00000045\00000044\0\Target\Documents and Settings\All Users\Application Data\AVG10\Chjw\300648~1.DAT:d10ba13b-56b1-4a0f-9116-b417a99cbd3d
Status: Visible to the Windows API, but not on disk.

Processes
-------------------
Path: C:\WINDOWS\system32\MPK\MPK.exe
PID: 1788 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa3c985c6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa3c985bc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa3c985cb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa3c985d5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa3c985da

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa3c985a8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa3c985ad

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa3c985e4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa3c985df

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa3c985d0

==EOF==

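As an added example (not from this thread and not RootRepeal's own code), here is a small Python triage script for a report in the layout posted above: it parses the section/record structure, flags a process hidden from the Windows API and SSDT entries hooked by an unattributed module, and treats crash-dump driver copies (dump_*.sys) and RootRepeal's own driver as expected "File Visible: No" entries. The sample report and the benign-driver list are my own assumptions.

```python
import re
# Constructed excerpt laid out like the RootRepeal report above (sample values only).
SAMPLE_REPORT = """\
Drivers
-------------------
Name: dump_iaStor.sys
Address: 0x9DA97000 Size: 892928 File Visible: No Signed: -

Processes
-------------------
Path: C:\\WINDOWS\\system32\\MPK\\MPK.exe
PID: 1788 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa3c985c6

==EOF==
"""
SECTIONS = {"Drivers", "Hidden/Locked Files", "Processes", "SSDT", "Stealth Objects", "Hidden Services"}
# Several 'Key: value' pairs can share one line, so split on the known key names.
KEY_RE = re.compile(r"(?:^|\s)(Name|Image Path|Address|Size|File Visible|Signed|Status|Path|PID|#|Function Name): ")
# Assumed benign when not visible on disk: crash-dump driver copies and the scanner's own driver.
BENIGN_INVISIBLE = re.compile(r"^(dump_.*|rootrepeal)\.sys$", re.I)

def parse_report(text):
    """Return {section: [record, ...]}; a record is one blank-line-delimited block."""
    sections, current = {}, None
    for block in re.split(r"\n\s*\n", text):
        lines = [l for l in block.splitlines() if l.strip() and not l.startswith("---")]
        if lines and lines[0] in SECTIONS:      # a heading shares its block with the first record
            current, lines = lines[0], lines[1:]
        if current and lines and lines[0] != "==EOF==":
            parts = [p for line in lines for p in KEY_RE.split(line)[1:]]   # Key, value, Key, ...
            sections.setdefault(current, []).append(dict(zip(parts[::2], (v.strip() for v in parts[1::2]))))
    return sections

def triage(text):
    """Flag the entries that point at kernel-level tampering (a triage heuristic, not a verdict)."""
    s = parse_report(text)
    findings = [("driver-not-on-disk", d["Name"]) for d in s.get("Drivers", [])
                if d.get("File Visible") == "No" and not BENIGN_INVISIBLE.match(d.get("Name", ""))]
    findings += [("hidden-process", p["Path"]) for p in s.get("Processes", [])
                 if "Hidden from the Windows API" in p.get("Status", "")]
    # "<unknown>" means RootRepeal could not attribute the hook address to any loaded module.
    hooked = [h["Function Name"] for h in s.get("SSDT", []) if '"<unknown>"' in h.get("Status", "")]
    if hooked:
        findings.append(("ssdt-hooked-by-unknown", ",".join(hooked)))
    return findings
```

Calling `triage(SAMPLE_REPORT)` returns the hidden process and the list of hooked SSDT functions, while the dump_iaStor.sys entry is left alone.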
 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sat 26 Mar, 2011 1:57 pm
Admin/Teacher

Joined: Sun 17 Apr, 2005 8:25 pm
Posts: 13439
Location: New Hampshire USA
redbull,
This may be a very recent infection involving the Hard Disk Master Boot Record. We will see.
-----------------------------------------------
Run aswMBR
Download aswMBR.exe to your desktop.
Double click on aswMBR.exe to run it.
Click the "Scan" button to start the scan.
On completion of the scan, click "save log", save it to your desktop and post it in your next reply.

askey127

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sat 26 Mar, 2011 3:56 pm
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 08:54:26
-----------------------------
08:54:26.265 OS Version: Windows 5.1.2600 Service Pack 3
08:54:26.265 Number of processors: 2 586 0x1C02
08:54:26.265 ComputerName: PC135561314894 UserName: Melissa
08:54:27.437 Initialize success
08:55:00.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:55:00.484 Disk 0 Vendor: FUJITSU_ 8919 Size: 152627MB BusType: 3
08:55:00.500 Disk 0 MBR read successfully
08:55:00.500 Disk 0 MBR scan
08:55:00.515 Disk 0 scanning sectors +312560640
08:55:00.562 Disk 0 scanning C:\WINDOWS\system32\drivers
08:55:10.234 Service scanning
08:55:11.656 Disk 0 trace - called modules:
08:55:11.656
08:55:11.656 Scan finished successfully

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sat 26 Mar, 2011 9:27 pm
Admin/Teacher

Joined: Sun 17 Apr, 2005 8:25 pm
Posts: 13439
Location: New Hampshire USA
redbull,

-------------------------------------------------
Please download RogueKiller.exe and save it to your desktop.

Run RogueKiller
  • Now quit all running programs.
  • Double click RogueKiller.exe to run it.
  • When prompted, type 1 and hit Enter.
  • A RKreport.txt should appear on your desktop.
  • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
  • Please post the contents of the RKreport.txt in your next Reply.

askey127

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sun 27 Mar, 2011 6:09 am
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
Most of the categories said "access denied, run as administrator". I only have XP and no option to run as administrator.



RogueKiller V4.3.4 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Melissa [Restricted rights]
Mode: Scan -- Date : 03/26/2011 23:02:17

Bad processes: 0

Registry Entries: 2
[APPDT/TMP/DESKTOP] BackOnTrack Instant Restore Idle.job : rstidle.exe -> FOUND
[APPDT/TMP/DESKTOP] AppleSoftwareUpdate.job : softwareupdate.exe -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt


 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sun 27 Mar, 2011 12:39 pm
Admin/Teacher

Joined: Sun 17 Apr, 2005 8:25 pm
Posts: 13439
Location: New Hampshire USA
Go to Start, Control Panel, and double click on User Accounts.
When you see your account, does it say "Computer Administrator", or does it say "Limited Account"?
Are there any other accounts on the machine that are Administrator accounts, and do you know the passwords?

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sun 27 Mar, 2011 3:35 pm
Regular Member

Joined: Sat 19 Mar, 2011 4:25 am
Posts: 31
My account says Computer Administrator. There is a Guest account that is off. The only time I had an option for which account was in Safe Mode; I could choose mine or Administrator.

 Post subject: Re: windows diagnostic virus, hijackthis log
Posted: Sun 27 Mar, 2011 6:24 pm
Admin/Teacher

Joined: Sun 17 Apr, 2005 8:25 pm
Posts: 13439
Location: New Hampshire USA
---------------------------------------------
Run a Scan with OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, in the Standard Registry box, click All.
  • In Extra Registry, click Use Safe List.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL (should be on your desktop).
  • Make sure Notepad's Format > Word Wrap is unchecked.
Please copy the contents of OTL.txt and post it in your next reply.
