[dvk01]

I think it is probably something blocking the MBR scan in combofix
lets see if thsi will do anything & get rid of a few probabale suspects

Start OTS. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:

[Kill All Processes]
[Unregister Dlls]
[Modules - No Company Name]
YY -> sfamcc00001.dll -> C:\Documents and Settings\Daddy\Local Settings\Temp\sfamcc00001.dll
YY -> sfareca00001.dll -> C:\Documents and Settings\Daddy\Local Settings\Temp\sfareca00001.dll
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\AVG\AVG8\avgemc.exe" -> [C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe]
YN -> "C:\Program Files\AVG\AVG8\avgupd.exe" -> [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe]
YN -> "C:\Program Files\Grisoft\AVG7\avgamsvr.exe" -> [C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe]
YN -> "C:\Program Files\Grisoft\AVG7\avgcc.exe" -> [C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe]
YN -> "C:\Program Files\Grisoft\AVG7\avginet.exe" -> [C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe]
[Files/Folders - Created Within 30 Days]
NY ->  18 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  sfrpruqi.sys -> C:\WINDOWS\System32\drivers\sfrpruqi.sys
NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp
NY ->  1 C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp
[Files - No Company Name]
NY ->  sfrpruqi.sys -> C:\WINDOWS\System32\drivers\sfrpruqi.sys
NY ->  bnsre.sys -> C:\WINDOWS\System32\drivers\bnsre.sys
[Alternate Data Streams]
NY -> @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9171F21
NY -> @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B755D674
NY -> @Alternate Data Stream - 152 bytes -> C:\Documents and Settings\Daddy\Desktop\ATF-Cleaner.exe:SummaryInformation
NY -> @Alternate Data Stream - 48 bytes -> C:\WINDOWS:002453FAB82A0404
[Empty Temp Folders]
[EmptyFlash]
[Start Explorer]
[ZipFiles]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

[awa13]

Uh oh. Um, please don't get angry and please don't abandon me, but in the interim last evening I ran a utility from AVG that reset the Windows Security Center so that it would no longer show AVG's scanner was active that ComboFix was picking up. It worked too, cause ComboFix didn't give me that error when I tried to run it again all those times.

Then after uninstalling Avast, I updated Spybot S&D (because I wanted to turn on the system protection settings because I had to go to my banking website and did not want to be without any form of protection at all) and after the update I proceeded to the next step which was to immunize and when I did, I got a window popping up telling me that not everything could be immunized because I had some sort of Anti-Virus program or the like, blocking those entries (see attached) even though any/all of my anti-virus programs have been uninstalled.

THEN, thinking it may be SuperAnti-Spyware, I uninstalled that program also because of the WINLOGON entry - which was successful.

Oh jeez, I just couldn't sit still. So anyway, I am telling you all of this right now because I did not know if any of the things I just mentioned would interfere (or no longer even be relevant - like AVG) with the script you just wrote for me.

{sigh} - I hope you are somehow laughing and don't close this ticket (but I had to take care of some things at my bank's website).

Please reply and let me know if I should still implement that script you kindly wrote for me into OTS.


(Spybot's "Teatimer" is no longer running - I turned it off)

[dvk01]

run teh OTS fix but make sure spybot teatimer is off otherwise, it will block any fixes

[awa13]

you got it. Running it now. Thank you.

[awa13]

This is definately not my day. I accidentally closed the log file that was created - any chance it is saved somewhere?

I noticed success on most things and also noticed some failures before I lost the window.

Attached is the new OTS log.

Sorry (again).

---------------

Continuing problems with computer:

- Don't know if ComboFix will work now or not
- Computer dragging a little, but improves with time
- Computer takes a LONG time to boot from the Computer Logo through Windows logo & progress bar, to user sign on screen. It's like something is scanning in the background cause the computer revs up. Wish we could see what's going on.
- After closing Internet Explorer, sometimes iexplorer.exe or two still remains in Task Manager Processes indefinately with high mem usage (must manually kill it).
_________________________________

Did I screw it up, or is that notepad with log of actions saved somewhere so I can post it back here?

[awa13]

Well, tried ComboFix again and this time it crashed earlier than usual. When I rebooted my computer, this time I got that error about Windows recovering from a serious error .. blah blah ... and had to restore my desktop.

[awa13]

Found the OTS LOG! Here are the results:

All Processes Killed
[Modules - No Company Name]
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AVG\AVG8\avgemc.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AVG\AVG8\avgupd.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgamsvr.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgcc.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avginet.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET10.tmp deleted successfully.
C:\WINDOWS\System32\SET11.tmp deleted successfully.
C:\WINDOWS\System32\SET15.tmp deleted successfully.
C:\WINDOWS\System32\SET16.tmp deleted successfully.
C:\WINDOWS\System32\SET19.tmp deleted successfully.
C:\WINDOWS\System32\SET1A.tmp deleted successfully.
C:\WINDOWS\System32\SET1B.tmp deleted successfully.
C:\WINDOWS\System32\SET1E.tmp deleted successfully.
C:\WINDOWS\System32\SET20.tmp deleted successfully.
C:\WINDOWS\System32\SET4B.tmp deleted successfully.
C:\WINDOWS\System32\SETA31.tmp deleted successfully.
C:\WINDOWS\System32\SETA32.tmp deleted successfully.
C:\WINDOWS\System32\SETA34.tmp deleted successfully.
C:\WINDOWS\System32\SETA82.tmp deleted successfully.
C:\WINDOWS\System32\SETA8E.tmp deleted successfully.
C:\WINDOWS\System32\SETE.tmp deleted successfully.
C:\WINDOWS\System32\SETF.tmp deleted successfully.
C:\WINDOWS\003584_.tmp deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\drivers\sfrpruqi.sys moved successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\DIO9.tmp deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\MAR5.tmp deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\MAR6.tmp deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\SFCA.tmp deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\SFCB.tmp deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\~DF525.tmp deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp deleted successfully.
File delete failed. C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp scheduled to be deleted on reboot.
[Files - No Company Name]
File C:\WINDOWS\System32\drivers\sfrpruqi.sys not found!
C:\WINDOWS\System32\drivers\bnsre.sys moved successfully.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A9171F21 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B755D674 deleted successfully.
ADS C:\Documents and Settings\Daddy\Desktop\ATF-Cleaner.exe:SummaryInformation deleted successfully.
ADS C:\WINDOWS:002453FAB82A0404 deleted successfully.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users
->Flash cache emptied: 148 bytes

User: Daddy
->Temp folder emptied: 343848 bytes
->Temporary Internet Files folder emptied: 35378553 bytes
->Java cache emptied: 123992 bytes
->Flash cache emptied: 511 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56475 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 343 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 28643 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 307573842 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 328.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users
->Flash cache emptied: 0 bytes

User: Daddy
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 04282012_075053

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_420.dat not found!

Registry entries deleted on Reboot...

[dvk01]

I am trying to see what else might be blocking Combofix
I will get back to you as soon as I get soem ideas from the developer

[dvk01]

go to start/run & type in this line ( be careful to leave a space between the X & / ) and then press enter

ComboFix /nombr

Hopefully combofix will run fully & we can have a go at clearing up this

[awa13]

That was painful.

Got a present for you. See attached.

[dvk01]

how is it now
is it still taking ages to reboot or is it slow etc

It looks like Combofix has deleted what at first glance loo like genuine files
I think we need to examoine them to see what it has deleted them
can you please go to C:\qoobox & right click the quarantine folder, select send to compressed(zip) folders
that will make a zipped copy of the quarantine folder
then
please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files and submit to antivirus companies if needed

Just press new topic, fill in the needed details
In the subject box please put: Files for DVK01

In the body of the post paste the contents of the code box:

Code:

combofix Quarantine folder from 
http://forums.techguy.org/virus-other-malware-removal/1050724-please-help-virus-residing-memory-2.html#post8337603

& then press the browse button and then navigate to & select the files on your computer, When the file is listed in the windows press send to upload the file

[awa13]

OK, why is it that I cannot find the "new topic" button?

[awa13]

There is no New Topic button.

[awa13]

Pay no attention to me please. I am following your instructions now ..

[awa13]

[QUOTE=dvk01;8337622]how is it now
is it still taking ages to reboot or is it slow etc

----------------------------

Computer is completely unstable. Takes forever to boot and running slow and jumpy. Audio garbled. I can't even upload that file you want me to at the Spykiller site because the computer is crashing. Trying to type this fast before it happens again.

Bad crash - just shut off.

More later - will try to complete your request.

Please help.