Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

thanks in advance for your help!

Unread postby jvirgoe » December 31st, 2008, 1:35 am

My topic was closed while I was away for Christmas! I still require help, please. The story so far is at viewtopic.php?f=12&t=37483&start=0&st=0&sk=t&sd=a.

The latest requests were for me to do an Active Scan and GMER scan. I just did them; the Active Scan log is:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-12-31 12:07:43
PROTECTIONS: 3
MALWARE: 15
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.4205.0 No Yes
McAfee Internet Security Suite 2007 9.0 No No
McAfee VirusScan Plus 13.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@mediaplex[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@ad.yieldmanager[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@bs.serving-sys[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@statse.webtrendslive[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@ads.pointroll[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\analyst@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Cookies\Low\analyst@questionmarket[2].txt
04426062 Generic Trojan Virus/Trojan No 0 Yes No C:\Users\analyst\Downloads\ComboFix.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location =?
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description =?
;===================================================================================================================================================================================
;===================================================================================================================================================================================


The GMER was a bit weird. I ran the program, and it produced the following log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-31 12:25:49
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8E8BA9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8E8BA978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8E8BA98C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8E8BAA1C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8E8BAA5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8E8BA950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8E8BA964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8E8BA9F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8E8BAA87]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8E8BAA73]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8E8BA9CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8E8BA9B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8E8BAA4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8E8BAA32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8E8BAA08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8E8BA9A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

There was no notice about possible rootkit activity. There was a Scan button (along with Save and Copy buttons), but it didn't respond when I tried to click it.

Looking forward to your advice! Thanks!
jvirgoe
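As an added triage example (not a MalwareRemoval.com tool and not code from anyone in this thread), the Python below parses the two log formats posted above. For the GMER log it groups the `Code` (SSDT hook) and `AttachedDevice` lines by driver and reports any hooking module GMER printed without a `(Description/Vendor)` label; for the ActiveScan log it splits the MALWARE table into tracking-cookie rows and everything else. The ActiveScan rows are a constructed excerpt of the posted table. The GMER excerpt is made of posted lines plus one hypothetical unattributed hook (`example_unknown.sys`, a made-up driver name) so that the flagging path is exercised; the real log contains no such line.

```python
"""Triage helpers for the two logs in the post above: the Panda ActiveScan
report and the GMER rootkit scan.  Added example, not a MalwareRemoval.com
tool; the sample inputs below are constructed excerpts in the same layout."""
import re
from collections import defaultdict

# Constructed excerpt of the ActiveScan MALWARE table (same columns as posted).
ACTIVESCAN_SAMPLE = """\
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\analyst@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\analyst@atdmt[2].txt
04426062 Generic Trojan Virus/Trojan No 0 Yes No C:\\Users\\analyst\\Downloads\\ComboFix.exe
;=====
SUSPECTS
"""

# Constructed GMER excerpt: lines from the post plus ONE hypothetical hook
# (example_unknown.sys, a made-up name) that carries no vendor label.
GMER_SAMPLE = r"""
---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8E8BA9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8E8BA950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \??\C:\Windows\system32\drivers\example_unknown.sys ZwQueryDirectoryFile [0x8E9A1000]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
"""

# One MALWARE row.  Description may contain spaces ("Cookie/Atlas DMT",
# "Generic Trojan"), so it is matched lazily; the fixed Yes/No and numeric
# severity columns anchor the remaining fields.
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>\S.*)$")
# GMER "Code <module> [(Description/Vendor)] <function> [[0xADDR]]"
HOOK_RE = re.compile(
    r"^Code\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$")
# GMER "AttachedDevice <driver> <device> <module> [(Description/Vendor)]"
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$")


def parse_activescan(text):
    """Return the rows of the MALWARE table as dicts (other sections ignored)."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.strip() == "MALWARE":
            in_table = True
            continue
        if line.strip() == "SUSPECTS":
            break
        m = ROW_RE.match(line) if in_table else None
        if m:
            rows.append(m.groupdict())
    return rows


def activescan_summary(rows):
    """Separate tracking cookies (low-value noise) from everything else."""
    other = [(r["desc"], r["location"]) for r in rows if r["type"] != "TrackingCookie"]
    return {"cookies": len(rows) - len(other), "other": other}


def basename(path):
    """Last component of a Windows path so hook and device lines group together."""
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Group SSDT hooks and attached filter devices by module and report any
    hooking module GMER could not label with a (Description/Vendor)."""
    hooks, devices, vendor = defaultdict(list), defaultdict(list), {}
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks[basename(m["module"])].append(m["func"])
        else:
            m = DEVICE_RE.match(line)
            if m:
                devices[basename(m["module"])].append(m["device"])
        if m:
            desc = m["desc"]
            vendor[basename(m["module"])] = desc.rsplit("/", 1)[-1] if desc else None
    unattributed = sorted(mod for mod, v in vendor.items() if v is None)
    return {"hooks": dict(hooks), "devices": dict(devices),
            "vendor": vendor, "unattributed": unattributed}


if __name__ == "__main__":
    print(activescan_summary(parse_activescan(ACTIVESCAN_SAMPLE)))
    g = parse_gmer(GMER_SAMPLE)
    for mod, funcs in g["hooks"].items():
        print(f"{mod} ({g['vendor'][mod] or 'NO VENDOR LABEL'}): hooks {funcs}")
    print("unattributed hooking modules:", g["unattributed"])
```

Run over the full logs as posted, the same code yields 21 tracking-cookie rows (15 distinct detection IDs once the duplicate Low/normal cookie jar entries are counted once), a single non-cookie row (the Generic Trojan hit on ComboFix.exe in Downloads) and every GMER hook and filter device attributed to McAfee's mfehidk.sys or Mpfp.sys, i.e. an empty unattributed list. Whether an unlabelled hook is malicious still needs a look at the file itself; the script only tells a helper where to look first.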

Re: thanks in advance for your help!

Unread postby Katana » January 24th, 2009, 7:59 am

I'm sorry for the delay, please can you post a fresh RSIT log along with a description of the current problems to get me back up to speed.

Re: thanks in advance for your help!

Unread postby NonSuch » February 4th, 2009, 7:43 pm

Due to lack of activity, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
