windows diagnostic virus, hijackthis log

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 24th, 2011, 12:15 pm

Also it has not yet asked me if I want to continue scanning
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm

Re: windows diagnostic virus, hijackthis log

Post by askey127 » March 24th, 2011, 3:36 pm

You should begin to see it count various tasks from 1 to 50 or so, then take a while to rollup the report.
Wait (let me know if it doesn't move for 30 min.)
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 24th, 2011, 3:45 pm

It's still not moving, been about 4 hrs.
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 25th, 2011, 9:23 am

When I got home the window was gone; a new file called catchme.log was on the desktop.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/24/2011 at 9:36:40.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\verclsid.exe


Rkill completed on 03/24/2011 at 9:36:43.


File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm

Re: windows diagnostic virus, hijackthis log

Post by askey127 » March 25th, 2011, 11:07 am

When you can, please post the contents of the catchme.log.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 25th, 2011, 11:37 am

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm

Re: windows diagnostic virus, hijackthis log

Post by askey127 » March 25th, 2011, 1:17 pm

redbull,

I believe you have a rootkit infection and/or a severely damaged system.
If you have rebooted the machine since you last ran RKill, run it again, but don't bother with any logs it produces.
Then without rebooting, let's see if you can get this one to run:
-----------------------------------------------
Run RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program, or in Vista, right click and choose "Run as administrator"
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select every drive showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program
  • Post the contents of RootRepeal.txt in your next reply

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 25th, 2011, 11:49 pm

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/03/25 21:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9DA97000 Size: 892928 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9CC9A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\melissa\local settings\temp\~dfb082.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

Path: c:\documents and settings\melissa\local settings\temp\~dfb2d6.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\melissa\local settings\temp\~dfbed2.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: C:\System Rollback Data\Restore\Archive\00000045\00000044\0\Target\Documents and Settings\All Users\Application Data\AVG10\Chjw\300648~1.DAT:d10ba13b-56b1-4a0f-9116-b417a99cbd3d
Status: Visible to the Windows API, but not on disk.

Processes
-------------------
Path: C:\WINDOWS\system32\MPK\MPK.exe
PID: 1788 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa3c985c6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa3c985bc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa3c985cb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa3c985d5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa3c985da

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa3c985a8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa3c985ad

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa3c985e4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa3c985df

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa3c985d0

==EOF==
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm
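As an added example (not the forum's or RootRepeal's own code), a small Python triage for the RootRepeal report format posted above, run on a constructed excerpt in the same layout: it separates the normal lock on hiberfil.sys from the two findings that matter in this log, the process hidden from the Windows API and the SSDT entries hooked by an unnamed module at near-identical addresses.

```python
# Constructed excerpt in RootRepeal's report layout (same shape as the thread's log, trimmed).
SAMPLE = """Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\temp\\~dfb082.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

Processes
-------------------
Path: C:\\WINDOWS\\system32\\MPK\\MPK.exe
PID: 1788 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa3c985c6

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa3c985a8
"""
def parse_rootrepeal(text):
    """{section: [[line, ...], ...]}: a header is the line above a '---' rule, blank lines split records."""
    sections, name = {}, None
    for block in text.split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln and not ln.startswith("==")]
        if len(lines) > 1 and lines[1].startswith("---"):
            name, lines = lines[0].strip(), lines[2:]
        if name and lines:
            sections.setdefault(name, []).append(lines)
    return sections

def triage(sections):
    """Rank findings as the helper reads them: a process hidden from the API and SSDT hooks by no named module."""
    high, medium, info = [], [], []
    for rec in sections.get("Processes", []):
        if "Hidden from the Windows API" in rec[-1]:
            high.append("hidden process " + rec[0].split(": ", 1)[1])
    hooks = [r for r in sections.get("SSDT", []) if 'by "<unknown>"' in r[-1]]
    if hooks:  # hook addresses a few bytes apart point to one unnamed module owning them all
        addrs = sorted(int(r[-1].rsplit(" ", 1)[1], 16) for r in hooks)
        high.append("%d SSDT hooks by <unknown> within %d bytes" % (len(hooks), addrs[-1] - addrs[0]))
    for rec in sections.get("Hidden/Locked Files", []):
        path = rec[0].split(": ", 1)[1]
        if "Allocation size mismatch" in rec[-1]:
            medium.append("size mismatch " + path)  # worth a second look, not proof of hiding
        elif "Locked to the Windows API" in rec[-1] and path.lower().endswith(("hiberfil.sys", "pagefile.sys")):
            info.append("expected lock " + path)  # Windows itself keeps these files locked
    return {"high": high, "medium": medium, "info": info}
```

Feeding the full RootRepeal.txt from the post above to `triage(parse_rootrepeal(...))` gives the same picture the helper drew: one hidden process and ten NtXxxKey/Process/Thread hooks clustered within a few dozen bytes, which is the kernel-level hiding that drove the MBR and RogueKiller checks that follow.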

Re: windows diagnostic virus, hijackthis log

Post by askey127 » March 26th, 2011, 8:57 am

redbull,
This may be a very recent infection involving the Hard Disk Master Boot Record. We will see.
-----------------------------------------------
Run aswMBR
Download aswMBR.exe to your desktop.
Double click on aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 26th, 2011, 10:56 am

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 08:54:26
-----------------------------
08:54:26.265 OS Version: Windows 5.1.2600 Service Pack 3
08:54:26.265 Number of processors: 2 586 0x1C02
08:54:26.265 ComputerName: PC135561314894 UserName: Melissa
08:54:27.437 Initialize success
08:55:00.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:55:00.484 Disk 0 Vendor: FUJITSU_ 8919 Size: 152627MB BusType: 3
08:55:00.500 Disk 0 MBR read successfully
08:55:00.500 Disk 0 MBR scan
08:55:00.515 Disk 0 scanning sectors +312560640
08:55:00.562 Disk 0 scanning C:\WINDOWS\system32\drivers
08:55:10.234 Service scanning
08:55:11.656 Disk 0 trace - called modules:
08:55:11.656
08:55:11.656 Scan finished successfully
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm

Re: windows diagnostic virus, hijackthis log

Post by askey127 » March 26th, 2011, 4:27 pm

redbull,

-------------------------------------------------
Please download RogueKiller.exe and save it to your desktop.

Run RogueKiller
  • Now quit all running programs.
  • Double click RogueKiller.exe to run it.
  • When prompted, type 1 and hit Enter.
  • A RKreport.txt should appear on your desktop.
  • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
  • Please post the contents of the RKreport.txt in your next Reply.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 27th, 2011, 1:09 am

Most of the categories said "access denied, run as administrator". I only have XP and no option to run as administrator.

RogueKiller V4.3.4 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Melissa [Restricted rights]
Mode: Scan -- Date : 03/26/2011 23:02:17

Bad processes: 0

Registry Entries: 2
[APPDT/TMP/DESKTOP] BackOnTrack Instant Restore Idle.job : rstidle.exe -> FOUND
[APPDT/TMP/DESKTOP] AppleSoftwareUpdate.job : softwareupdate.exe -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm

Re: windows diagnostic virus, hijackthis log

Post by askey127 » March 27th, 2011, 7:39 am

Go to Start, Control Panel, and double click on User Accounts.
When you see your account, does it say "Computer Administrator", or does it say "Limited Account"?
Are there any other accounts on the machine that are Administrator accounts, and do you know the passwords?
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: windows diagnostic virus, hijackthis log

Post by redbull » March 27th, 2011, 10:35 am

My account says Computer Administrator. There is a Guest account that is off. The only time I had an option for which account to use was in Safe Mode, where I could choose mine or Administrator.
redbull
Regular Member
 
Posts: 31
Joined: March 18th, 2011, 11:25 pm

Re: windows diagnostic virus, hijackthis log

Post by askey127 » March 27th, 2011, 1:24 pm

---------------------------------------------
Run a Scan with OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, in the Standard Registry box, click All.
  • In Extra Registry click Use Safe List.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location
      as OTL (should be on your desktop).
    • Make sure Notepad's Format, Wordwrap is unchecked.
Please copy the contents of OTL.txt, and post it in your next reply.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA