[Inactive] My friend's PC is really messed up

**MPTech** · March 3rd, 2011, 01:51 AM

My friend called me in a panic because his PC was acting "strangely" and very slow. He said a message popped up informing him that he had a virus and to purchase "Internet Security 2011". I told him absolutely DO NOT click it. I built his PC and helped him before and offered to him him this time. I've spent the last 2 hours trying everything I could think of, to no avail.
I tried running End-it-All, to stop everything from running. It started to execute the first time, then completely vanished. I tried it again and received an message "Windows cannot access the specified device, path, file". I tried booting into SAFE mode and executing it again, same message. I tried running SuperAntiSpyware and received the same message. I renamed it and it started executing, then disappeared after 2 1/2 minutes. I downloaded SuperAntiSpyware Portable to another PC and copied it over, same thing. It ran for 2 1/2 minutes and disappeared.
I then resorted to coming here and following your "sticky" (I followed your directions on Jan 2 this year with my laptop and successfully fixed the problem! Thanks again!).
So, I tried running Malwarebytes and again received "Windows cannot access the specified device, path, file". I tried running GMER and got the same message again!

I ran MBRCheck (it worked!) and received this:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x000000fd

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF7CC9000 \WINDOWS\system32\KDCOM.DLL
0xF7BD9000 \WINDOWS\system32\BOOTVID.dll
0xF777A000 ACPI.sys
0xF7CCB000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7769000 pci.sys
0xF77C9000 isapnp.sys
0xF7CCD000 viaide.sys
0xF7A49000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF77D9000 MountMgr.sys
0xF774A000 ftdisk.sys
0xF7A51000 PartMgr.sys
0xF77E9000 VolSnap.sys
0xF7732000 atapi.sys
0xF77F9000 disk.sys
0xF7809000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF7712000 fltmgr.sys
0xF7700000 sr.sys
0xF7BDD000 PxHelp20.sys
0xF76E9000 KSecDD.sys
0xF765C000 Ntfs.sys
0xF762F000 NDIS.sys
0xF7A59000 viaagp1.sys
0xF7819000 SISAGP.sys
0xF7614000 Mup.sys
0xF7829000 agp440.sys
0xF78F9000 \SystemRoot\System32\Drivers\vbma484e.SYS
0xF7909000 \SystemRoot\System32\DRIVERS\processr.sys
0xF69D3000 \SystemRoot\System32\DRIVERS\s3gnbm.sys
0xF69BF000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF695E000 \SystemRoot\system32\DRIVERS\A3AB.sys
0xF68C9000 \SystemRoot\System32\DRIVERS\ltmdmnt.sys
0xF7B09000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7B11000 \SystemRoot\System32\DRIVERS\RTL8139.SYS
0xF7B19000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF68A6000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7919000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF7C85000 \SystemRoot\system32\drivers\pfc.sys
0xF7929000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF7939000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF6883000 \SystemRoot\System32\DRIVERS\ks.sys
0xF6656000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF6632000 \SystemRoot\system32\drivers\portcls.sys
0xF7949000 \SystemRoot\system32\drivers\drmk.sys
0xF7B21000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF7959000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7C91000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF661E000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7969000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7B29000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7B31000 \SystemRoot\System32\DRIVERS\PS2.sys
0xF7B39000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7E4E000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF7979000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7C95000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6607000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF7989000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF7999000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7B41000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF65F6000 \SystemRoot\System32\DRIVERS\psched.sys
0xF79A9000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7B49000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7B51000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7B59000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF79B9000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7CF7000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF65C2000 \SystemRoot\System32\DRIVERS\update.sys
0xF75D4000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF6A4C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7879000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7D41000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7BC1000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF7D51000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DE5000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D53000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7BD1000 \SystemRoot\System32\drivers\vga.sys
0xF7D55000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D57000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A71000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A79000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF75E4000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF44EF000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF4497000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF446F000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF75DC000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF444D000 \SystemRoot\System32\drivers\afd.sys
0xF7899000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF4388000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF4367000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF78B9000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF7A81000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF433C000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF7E0E000 \SystemRoot\System32\Drivers\PQNTDrv.SYS
0xF42A5000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF78C9000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7E0D000 \SystemRoot\System32\Drivers\BANTExt.sys
0xF4282000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7A91000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xF426A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7CCF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF4536000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7AA1000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E63000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\s3gnb.dll
0xEFB62000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xEF8E5000 \SystemRoot\system32\drivers\wdmaud.sys
0xEFA92000 \SystemRoot\system32\drivers\sysaudio.sys
0xEF6B1000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7D5F000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF7B81000 \??\C:\WINDOWS\system32\ANIO.SYS
0xEF632000 \SystemRoot\System32\DRIVERS\srv.sys
0xEF6FD000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEF2A9000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7BC9000 \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
0xEF179000 \??\C:\DOCUME~1\Steve\LOCALS~1\Temp\ffeiakow.sys
0xEEE28000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 27):
0 System Idle Process
4 System
492 C:\WINDOWS\system32\smss.exe
548 csrss.exe
572 C:\WINDOWS\system32\winlogon.exe
616 C:\WINDOWS\system32\services.exe
628 C:\WINDOWS\system32\lsass.exe
656 \Device\svchost.exe
792 C:\WINDOWS\system32\svchost.exe
852 svchost.exe
940 C:\WINDOWS\system32\svchost.exe
996 svchost.exe
1112 svchost.exe
1412 C:\WINDOWS\system32\spoolsv.exe
1624 C:\WINDOWS\explorer.exe
1776 svchost.exe
1808 C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
268 C:\Program Files\Google\Update\GoogleUpdate.exe
160 alg.exe
1920 C:\WINDOWS\system32\wuauclt.exe
1964 C:\WINDOWS\system32\ctfmon.exe
1484 C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
1900 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3184 C:\Program Files\Internet Explorer\iexplore.exe
3272 C:\Program Files\Internet Explorer\iexplore.exe
3772 C:\WINDOWS\system32\notepad.exe
456 C:\Documents and Settings\Steve\Desktop\Steve's VIRUS\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`dc8fc000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\G: --> \\.\PhysicalDrive0 at offset 0x00000019`828f9e00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGSV1204H, Rev: RK100-09

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 7D48A7E764A5D83438A39192BFF3677448B54B84

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

PLEASE help me, help my friend.
Thanks!

**Broni** · March 3rd, 2011, 07:48 PM

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running tools or applying updates other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

Start with these instructions: http://www.bleepingcomputer.com/viru...-security-2011

**MPTech** · March 3rd, 2011, 09:18 PM

I'm ready.
Please help me, help him.

**Broni** · March 3rd, 2011, 09:19 PM

Did you check a link from my previous reply?

**MPTech** · March 3rd, 2011, 10:39 PM

Yes, I started on it, it's a long one.

Thanks!

**Broni** · March 3rd, 2011, 10:41 PM

Let me know, when you're done and we'll go from there.

**MPTech** · March 4th, 2011, 03:50 PM

The first step of the "Preparation Guide for Use Before Using Malware Removal Tools and Requesting Help" is "Backup your Data!".

Makes sense, so I downloaded Cobian Backup, installed it and started the process. It was running VERY slow (backed up about 2.5g in 2 hours) it flagged up couple errors trying to backup TMP files, so I didn't worry and let it continue running over-night). This morning I went to check on it and the PC was shut-off. I figured the process shut-down after the backup. Tried to reboot and it went to the menu selection to reboot into Safe Mode. I tried several times: Start Windows Normally, Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, and Last Known Good Configuration. Multiple Times. Nothing worked! It refuses to boot up now.

Any suggestions?

**Broni** · March 4th, 2011, 05:45 PM

How far does it boot?
What happens then? Getting stuck, restarts?
I need more info.

**MPTech** · March 4th, 2011, 06:22 PM

I think I resolved the problem. I took the easy way out, I convinced my friend to let me reformat and re-install XP. The Backup looks like it grabbed everything so I can just copy over the files he wants to keep and reload software.

I printed off the "Remove Internet Security 2011" document (7 pages) and the "Preparation Guide For Use Before Using Malware Removal Tools" (16 pages), then decided that was way too much work and frustration.

I checkened out, but in the long run I think it will be better.

Before I assume incorrectly though, if this RootKit modified the MBR, a reformat should clear it, correct?

Am I over-simplifying this solution?

**Broni** · March 4th, 2011, 06:25 PM

Well, that's one sure way to bring the computer back to normal

if this RootKit modified the MBR, a reformat should clear it, correct?

Correct.

Good luck

Thread: [Inactive] My friend's PC is really messed up

Thread Tools

Search Thread

Display

[Inactive] My friend's PC is really messed up

Things have gone from bad to worse

Thread Information

Users Browsing this Thread

Posting Permissions