
MALWARE BEATDOWN VS REFORMAT

Re: MALWARE BEATDOWN VS REFORMAT

Post by e129745 » November 26th, 2010, 9:21 am

OK, this is very frustrating. I have attempted to post a reply often and it just doesn't go through; I need to copy before I try to submit...
Here is the requested log.txt:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340016A rev.3.19 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8A610AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005a[0x8A508CA0]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37C5] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8A612940]
kernel: MBR read successfully
user & kernel MBR OK


As to your questions, here's a partial copy of my original post:
The system has been very sluggish. Often E-mail is slow to open mail, delete, etc., or just freezes. It freezes in Internet Explorer (IE). I have run older AVG Free, found some stuff. Spybot has found nothing, although under TOOL and START UP, Spybot continually finds "RAIDY'S TROJAN", which I promptly delete from the same screen. Spybot said something about not to be confused with the legit "Windows\System32\ctfmon.exe" name. Sometimes I am not able to open Task Manager, my intentions being to close a frozen program to get to RUN Shutdown. Running AVG and Spybot and removing Raidy's Trojan all help, but it comes back.

I researched and decided I didn't need ctfmon.exe, whether it was legit or not, and tried to remove it all. Think I disabled the WINDOWS version but... I installed WINPATROL and heard the bark every few minutes, CTF Loader wanted to load, which I continually denied. I keep Task Manager open and handy and often find ctfmon.exe has started again. Seems when I stop it, things get better, but not sure if the legit version is sucking what little resources are left or the illegitimate version is sucking the life out.

I found while researching for a cure some of the sites I went to would lock up, sites like AVG and other legitimate malware removal help sites. Hmmm. And... I installed the latest AVG Free and soon the UPDATE came back with "General Error". After several days, I updated SpyBot and removed all of any AVG, past and present, and attempted to download fresh AVG Free; this time it failed on several attempts and (running eeeexxxttremely slowly) came back with "C\Doc Settings\Admin\Local Setting\Temp Internet File\couten.IE5\AZIU90EJ\avg_free-stb_all_2011_1153_cnet[1].exe. is not valid Windows 32 application."

I searched the registry and hard drive for this invalid file but found nothing, but did come across temp files, temporary internet files, and history files that didn't look right. 1st, they weren't empty as I expected, and second, some held folders named with arbitrary letter/number combos, all capital. I tried to delete them but couldn't remove them; they were listed as read only, which I was not allowed to change... "File is in use by a program or other person".
With smoke coming from my ears, I changed "hide system files", and sure enough more unexplainable ghost or read-only files that I don't recognise as system files. Looks like I need help.

I thought I had things sorted out but for 1 pesky file in temporary internet files and 1 in the history file. The computer was running extremely fast, almost like normal!!!... then all hell broke loose and here I am..."

As I had said in replies after my original post, I was not able to open any sites that had words such as "virus", "malware", etc. I was not able to open this site at all, until I opened the history file and clicked on previous malwareremoval.com. Pretty suspicious to me, although I am not an expert or even close to it. I am dangerous at best. The files in temp internet were named similar to "~DWMY4287", something like that. When they appeared, things got worse.

As to the system, I do not know what "release candidate of Service Pack 3" means. I remember about a year or sooner ago having similar problems, although it was with ATI Catalyst. I researched on the web and found suggestions to reinstall ATI after I removed Service Pack 3, then reinstalled Service Pack 3. I was told not to install anything newer. I think it was from the Microsoft website that I got the steps to take. It did solve the issues, sorta. As to no other updates installed, please speak plainly. Should I have? I have automatic updates set to 5AM weekly under scheduler. I have to admit, it has been quite some time since I was asked to accept any updates; I have even tried to update manually, but get the reply "no updates available".

I bought this computer used from a MA&PA computer shop locally in November of 2008. I do not have operating system discs to reformat or reinstall. I assume reformatting is the same as reinstalling. I'm sure the store would welcome more money from me, but I would rather spend money once and secure the software myself. Can I go to the MS website and have it re-installed? A son suggested I go to newegg.com and buy Windows 7 instead of XP. Is that a good idea?

I want you to know without a doubt, how much I appreciate your time spent on this issue.
Patrick
e129745
Regular Member
 
Posts: 16
Joined: November 13th, 2010, 6:49 pm
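The GMER log in the post above reports the master boot record as read from user mode and as read by the kernel, and the verdict "user & kernel MBR OK" means the two copies agreed. The Python below is an added example for readers of this thread; it is not GMER's code and not anything posted here. It builds a constructed 512-byte MBR (the NOP-filled bootstrap area, the single partition at LBA 63 and its sector count are all made up), parses the partition table and boot signature, and compares two reads of sector 0 region by region, which is the shape of the consistency check such a detector reports.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY_FORMAT = "<B3sB3sII"
BOOT_SIGNATURE = b"\x55\xaa"

# The three regions of a classic MBR, used to say *where* two reads disagree
REGIONS = {
    "bootstrap_code": (0, PARTITION_TABLE_OFFSET),
    "partition_table": (PARTITION_TABLE_OFFSET, 510),
    "boot_signature": (510, SECTOR_SIZE),
}


def build_sample_mbr():
    """Constructed sample MBR (not taken from any real disk): a NOP-filled
    bootstrap area, one bootable type-0x07 partition starting at LBA 63 with a
    made-up sector count, three empty entries, and the 0x55AA signature."""
    bootstrap = b"\x90" * PARTITION_TABLE_OFFSET
    entry = struct.pack(PARTITION_ENTRY_FORMAT, 0x80, b"\x01\x01\x00",
                        0x07, b"\xfe\xff\xff", 63, 78156225)
    empty_entries = bytes(PARTITION_ENTRY_SIZE * 3)
    sector = bootstrap + entry + empty_entries + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector):
    """Validate the boot signature and return the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PARTITION_ENTRY_FORMAT, sector[start:start + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue                                  # unused slot
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return partitions


def compare_mbr_reads(user_copy, kernel_copy):
    """Region-by-region comparison of two reads of sector 0. A rootkit that
    filters one read path but not the other shows up as a differing region,
    most often the bootstrap code."""
    differing = [name for name, (start, end) in REGIONS.items()
                 if user_copy[start:end] != kernel_copy[start:end]]
    return {
        "ok": not differing,
        "differing_regions": differing,
        "user_sha256": hashlib.sha256(user_copy).hexdigest(),
        "kernel_sha256": hashlib.sha256(kernel_copy).hexdigest(),
    }


if __name__ == "__main__":
    clean = build_sample_mbr()
    print("partitions:", parse_mbr(clean))
    print("identical reads:", compare_mbr_reads(clean, clean)["ok"])
    # Simulate one read path returning a modified bootstrap area
    tampered = bytearray(clean)
    tampered[0] ^= 0xFF
    print("tampered bootstrap:", compare_mbr_reads(clean, bytes(tampered)))
```

On a real machine the two inputs to compare_mbr_reads would come from two different read paths to the same sector; here both are the constructed buffer, with one byte of the bootstrap area flipped to show how a disagreement is reported.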

Re: MALWARE BEATDOWN VS REFORMAT

Post by e129745 » November 26th, 2010, 9:22 am

Oops, my bad 1. Thought computer was freezing; I'm sure I hit submit about 5 times. Let's see, guess we could count... I'm erasing the 5 copies of my reply :oops:
Last edited by e129745 on November 26th, 2010, 9:34 am, edited 3 times in total.

Re: MALWARE BEATDOWN VS REFORMAT

Post by e129745 » November 26th, 2010, 9:22 am

Oops, my bad 2
Last edited by e129745 on November 26th, 2010, 9:28 am, edited 1 time in total.

Re: MALWARE BEATDOWN VS REFORMAT

Post by e129745 » November 26th, 2010, 9:22 am

Oops, my bad 3
Last edited by e129745 on November 26th, 2010, 9:32 am, edited 1 time in total.

Re: MALWARE BEATDOWN VS REFORMAT

Post by e129745 » November 26th, 2010, 9:22 am

Oops, my bad 4
Last edited by e129745 on November 26th, 2010, 9:32 am, edited 1 time in total.

Re: MALWARE BEATDOWN VS REFORMAT

Post by e129745 » November 26th, 2010, 9:24 am

Oops, my bad final

Re: MALWARE BEATDOWN VS REFORMAT

Post by e129745 » November 26th, 2010, 5:29 pm

The previous replies were the result of thinking my reply submits weren't going through; as you can see, after some time they all went through at once. That is probably an indication of how slow my box is operating at times. My apologies.

Following is AVG log after recent scan:

"Scan ""Whole computer scan"" completed."
"Warnings";"37";"37";"0"
"Information";"12"
"Folders selected for scanning:";"Whole computer scan"
"Scan started:";"Friday, November 26, 2010, 6:10:03 AM"
"Scan finished:";"Friday, November 26, 2010, 7:03:35 AM (53 minute(s) 31 second(s))"
"Total object scanned:";"1050879"
"User who launched the scan:";"Administrator"

"Warnings"
"";"File";"Infection";"Result"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc42.txt:\ru4.com.83b89ffa";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc42.txt:\ru4.com.82a499d7";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc42.txt:\ru4.com.5a5e0633";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc42.txt:\ru4.com.3913033c";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc42.txt:\ru4.com.27b1f43d";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc42.txt";"Found Tracking cookie.Ru4";"Healed"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc41.txt:\revsci.net.f0067737";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc41.txt:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc41.txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc41.txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc41.txt:\revsci.net.18a1d1b2";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc41.txt";"Found Tracking cookie.Revsci";"Healed"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc4.txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc4.txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc4.txt";"Found Tracking cookie.Yieldmanager";"Healed"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc35.txt:\overture.com.e626e6be";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-1085031214-1292428093-839522115-500\Dc35.txt";"Found Tracking cookie.Overture";"Healed"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\serving-sys.com.ac41fe5a";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\ru4.com.86ebc5e4";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\ru4.com.5a5e0633";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\liveperson.net.8db0737c";"Found Tracking cookie.Liveperson";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\liveperson.net.8db0737c";"Found Tracking cookie.Liveperson";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\2o7.net.715b4aa2";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\2o7.net.2c6e910e";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite:\247realmedia.com.855b46d";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lr1673qo.default\cookies.sqlite";"Found Tracking cookie.247realmedia";"Healed"

"Information"
"";"File";"Information";"Result"
"";"C:\WINDOWS\Installer\dcc3b3.msi";"The file is signed with a broken digital signature, issued by: Apple Inc..";""
"";"C:\WINDOWS\Installer\d1811.msi";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
"";"C:\WINDOWS\Installer\cca36.msi";"The file is signed with a broken digital signature, issued by: AVG Technologies.";""
"";"C:\WINDOWS\Installer\b544957.msi";"The file is signed with a broken digital signature, issued by: Google Inc.";""
"";"C:\WINDOWS\Installer\9f3371b.msi";"The file is signed with a broken digital signature, issued by: ParetoLogic Inc..";""
"";"C:\WINDOWS\Installer\857045b.msi";"The file is signed with a broken digital signature, issued by: Apple Inc..";""
"";"C:\WINDOWS\Installer\7124835.msi";"The file is signed with a broken digital signature, issued by: Apple Inc..";""
"";"C:\WINDOWS\Installer\54f53fbd.msi";"The file is signed with a broken digital signature, issued by: Apple Inc..";""
"";"C:\WINDOWS\Installer\54f53d31.msi";"The file is signed with a broken digital signature, issued by: Apple Inc..";""
"";"C:\WINDOWS\Installer\2889d3d.msi";"The file is signed with a broken digital signature, issued by: Adobe Systems.";""
"";"C:\WINDOWS\Installer\25d13f.msi";"The file is signed with a broken digital signature, issued by: Comcast.";""
"";"C:\WINDOWS\Installer\1eeb3f4.msi";"The file is signed with a broken digital signature, issued by: Adobe Systems.";""
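The AVG export in the post above is a semicolon-separated, double-quoted file: a few summary rows, then a "Warnings" section and an "Information" section, each with a column-header row. As an added example (not AVG's code and not part of this thread), the Python below parses that layout with the standard csv module and triages the rows the way a helper reading such a log would: tracking-cookie detections and "broken digital signature" notes on files under the Windows Installer cache are counted separately from anything else, so it is immediately visible whether the scan found something beyond cookies. The embedded excerpt is constructed in the same layout; the SID, profile name and cookie hashes in it are made up.

```python
import csv
import io
from collections import Counter

# Constructed excerpt in the same ';'-separated, double-quoted layout as the AVG
# export above. Paths, the SID and the cookie hashes are made up; only the layout
# matters for the parser.
SAMPLE_AVG_LOG = r'''"Scan ""Whole computer scan"" completed."
"Warnings";"3";"3";"0"
"Information";"2"
"Folders selected for scanning:";"Whole computer scan"
"Total object scanned:";"1050879"
"User who launched the scan:";"Administrator"

"Warnings"
"";"File";"Infection";"Result"
"";"C:\RECYCLER\S-1-5-21-EXAMPLE-500\Dc42.txt:\ru4.com.83b89ffa";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\RECYCLER\S-1-5-21-EXAMPLE-500\Dc42.txt";"Found Tracking cookie.Ru4";"Healed"
"";"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\EXAMPLE.default\cookies.sqlite:\2o7.net.715b4aa2";"Found Tracking cookie.2o7";"Moved to Virus Vault"

"Information"
"";"File";"Information";"Result"
"";"C:\WINDOWS\Installer\dcc3b3.msi";"The file is signed with a broken digital signature, issued by: Apple Inc..";""
"";"C:\WINDOWS\Installer\2889d3d.msi";"The file is signed with a broken digital signature, issued by: Adobe Systems.";""
'''

SECTION_NAMES = ("Warnings", "Information")


def parse_avg_log(text):
    """Return (summary, sections). summary maps the key/value rows at the top of
    the export (e.g. 'Total object scanned' -> ['1050879']); sections maps each
    section name to a list of {'path', 'detail', 'result'} rows."""
    summary = {}
    sections = {}
    current = None
    # AVG doubles embedded quotes ("" inside a field), which csv handles by default
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:
            continue                      # blank separator line
        if len(row) == 1:
            if row[0] in SECTION_NAMES:   # "Warnings" / "Information" heading
                current = row[0]
                sections[current] = []
            continue                      # otherwise the 'Scan ... completed.' banner
        if row[0] == "" and row[1] == "File":
            continue                      # column-header row inside a section
        if current is None:
            summary[row[0].rstrip(":")] = row[1:]
            continue
        if len(row) >= 4 and row[0] == "":
            sections[current].append({"path": row[1], "detail": row[2], "result": row[3]})
    return summary, sections


def triage(sections):
    """Bucket detections by how much attention they deserve."""
    buckets = Counter()
    for item in sections.get("Warnings", []):
        if item["detail"].startswith("Found Tracking cookie."):
            buckets["tracking_cookie"] += 1          # browser cookies: a privacy matter, not code
        else:
            buckets["other_warning"] += 1            # anything else deserves a closer look
    for item in sections.get("Information", []):
        in_installer_cache = item["path"].lower().startswith("c:\\windows\\installer\\")
        if "broken digital signature" in item["detail"] and in_installer_cache:
            buckets["installer_cache_signature_note"] += 1   # cached MSI packages, informational
        else:
            buckets["other_information"] += 1
    return dict(buckets)


def assess(text):
    """One-glance verdict: did the scan report anything beyond cookies and
    installer-cache signature notes?"""
    summary, sections = parse_avg_log(text)
    counts = triage(sections)
    needs_attention = counts.get("other_warning", 0) + counts.get("other_information", 0)
    return {
        "objects_scanned": int(summary.get("Total object scanned", ["0"])[0]),
        "counts": counts,
        "malware_detected": needs_attention > 0,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_AVG_LOG))
```

To use it on a real export, read the saved log file into a string and pass it to assess(); the detail strings and installer-cache path prefix are the ones visible in the log above, so a different AVG version or a non-English installation may need those two checks adjusted.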

Re: MALWARE BEATDOWN VS REFORMAT

Post by melboy » November 26th, 2010, 6:06 pm

Hi

At this point I believe that the problems you are experiencing are not due to a malware infection. I believe your best course of action would be to reformat the drive and reinstall Windows.

Furthermore, I do have my doubts that this is a legitimate installation of Windows.

Further help in determining that may be obtained by contacting the computer manufacturer, Microsoft directly, or the Microsoft Genuine Advantage support forums.

Customer Service / Contact HP

Microsoft Genuine Advantage Solution Centre

Windows XP Genuine Advantage Validation Issues


To assist you further, your machine may have a Certificate of Authenticity (COA) sticker.
Look under Large Manufacturer Pre-installed Windows COAs > More Information
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: MALWARE BEATDOWN VS REFORMAT

Post by Gary R » November 26th, 2010, 6:46 pm

THIS TOPIC IS NOW CLOSED
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire