19-Sep-2009, 05:37 PM
#46 | Administrator (Cookiegal) with 63,628 posts. Join Date: Aug 2003. Location: Quebec, Canada.
What was the name of the file that McAfee found, and the entire path to its location, please?
19-Sep-2009, 07:45 PM
#47 | Senior Member (Mackoo) with 447 posts. Join Date: Jul 2003. Location: Tennessee.
It gave the name Generic.dx! fes, but I am not sure how to recall that information again. I do know it's quarantined.
19-Sep-2009, 07:49 PM
#48 | Administrator (Cookiegal)
Generic is probably based on heuristics and may even be a false positive.
Check your logs for the information, please.
19-Sep-2009, 07:56 PM
#49 | Senior Member (Mackoo)
OK, I located it.
Detection name: Generic.dx! fes
File: C:\QooBox\QUARANTINE\C\WINDOWS\SYSTEM32\EVENTLOG.DLL.VIR
19-Sep-2009, 07:57 PM
#50 | Senior Member (Mackoo)
That is what's on the log; it actually gives the Generic.dxx! fes twice.
19-Sep-2009, 08:01 PM
#51 | Senior Member (Mackoo)
Quote:
Originally Posted by Mackoo: That is what's on the log; it actually gives the Generic.dxx! fes twice.
Correction: Generic.dx! fes
19-Sep-2009, 10:02 PM
#52 | Administrator (Cookiegal)
I thought it would be something like that. It's a file that has already been quarantined by ComboFix, so it is no longer a threat.
How are things now?
20-Sep-2009, 11:57 AM
#53 | Senior Member (Mackoo)
Everything appears fine, Cookiegal...... BIG HUG TO YOU!! Thank you so much for your help!!
Is there a definite way to know if I am completely clean of this booger, or free software that will prevent this rootkit from possibly reinfesting my computer?
I have been online since '98 and used dial-up until a few months ago and never had a rootkit, but when I went to cable Internet I get one (scratching head).
I do remember a blue screen popping up with the message that I am seeing this screen because Windows is stopping possible damage to my computer and I should shut the computer down; this was maybe a week or two ago.
Previous to this my McAfee would keep popping up that I was not fully protected, and I am figuring this rootkit was making its entrance while this was happening off and on, maybe. I had to constantly go into McAfee and fix the problem by clicking Fix.
So I am not sure, but I may have gotten this by either email or a website that I accidentally clicked on before it was too late, for this cable is quick and you don't have a chance to make corrections before it's too late. I actually don't really know, but it looks like anti-virus software would have stopped it.
So far my computer is running quicker and I am still checking it out, but scanning is OK now.
Your thoughts?
Last edited by Mackoo : 20-Sep-2009 01:35 PM.
20-Sep-2009, 03:34 PM
#54 | Senior Member (Mackoo)
I did a little research on that blue screen I was posting about and I understand its name is Blue Screen of Death, and if I am correct that was the start of my McAfee scan problems, as I had been getting the pop-up message that my system isn't fully protected, but this was the first sign of problems before the Blue Screen of Death.
Just a thought.
20-Sep-2009, 07:12 PM
#55 | Administrator (Cookiegal)
They are referred to for short as BSODs, and often they are caused by drivers/services installed by the rootkit.
I see you already have MalwareBytes installed. Please update it, run a full scan and post that log.
20-Sep-2009, 09:23 PM
#56 | Senior Member (Mackoo)
Dang, not sure what to think on this log.
Malwarebytes' Anti-Malware 1.41
Database version: 2833
Windows 5.1.2600 Service Pack 3
9/20/2009 8:20:25 PM
mbam-log-2009-09-20 (20-20-15).txt
Scan type: Full Scan (C:\|)
Objects scanned: 169046
Time elapsed: 1 hour(s), 23 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\spbho.tiebho (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.
Files Infected:
C:\Program Files\Ascentive\Performance Center\ApcMain.exe (Rogue.Ascentive) -> No action taken.
C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> No action taken.
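A helper reading a log like the one above looks for two things: what was detected, and whether Malwarebytes actually did anything about it (every entry in the posted log ends in "No action taken", which is the point of the question asked later in the thread). The script below is an added example, not code from the thread and not Malwarebytes' own tooling; it parses the 1.41-era text log layout and reports detections per family, entries left unresolved, Security Center notification values flipped to "disabled", and any disagreement between the summary counts and the entries actually listed. The embedded sample is constructed: its entry lines are copied from the post above, its count lines are trimmed to match that subset, and the final "Quarantined and deleted successfully." line is made up so the resolved case is exercised. The function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample log (not the full log from the post): entry lines copied from
# post #56, count lines reduced to match, plus one made-up "Quarantined" line.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2833
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 169046

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\spbho.tiebho (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")     # summary block, e.g. "Files Infected: 2"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # detail block heading, no count
# "item (Family) -> [optional data ->] action"; the data part carries "Bad: (1) Good: (0)".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<tail>.+)$")


def parse_mbam_log(text):
    """Return (header, counts, entries) parsed from an MBAM 1.x text log."""
    header, counts, entries = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            parts = [p.strip() for p in m.group("tail").split("->")]
            entries.append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "data": " -> ".join(parts[:-1]),   # empty unless a Bad/Good pair is present
                "action": parts[-1],
            })
    return header, counts, entries


def unresolved(entries):
    """Entries MBAM reported but did not remove."""
    return [e for e in entries if e["action"].lower().startswith("no action taken")]


def security_center_tampering(entries):
    """Names of Security Center *DisableNotify values found set to 1 (warnings suppressed)."""
    return [e["item"].rsplit("\\", 1)[-1] for e in entries
            if e["family"] == "Disabled.SecurityCenter"]


def count_mismatches(counts, entries):
    """Sections whose summary count disagrees with the entries listed under them."""
    seen = Counter(e["section"] for e in entries)
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if seen.get(s, 0) != n}


def summarize(text):
    header, counts, entries = parse_mbam_log(text)
    return {
        "database": header.get("Database version"),
        "total": len(entries),
        "unresolved": len(unresolved(entries)),
        "families": dict(Counter(e["family"] for e in entries)),
        "security_center": security_center_tampering(entries),
        "count_mismatches": count_mismatches(counts, entries),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"database {s['database']}: {s['total']} detections, {s['unresolved']} left unresolved")
    for fam, n in sorted(s["families"].items()):
        print(f"  {fam}: {n}")
    if s["security_center"]:
        print("  Security Center notifications disabled:", ", ".join(s["security_center"]))
    if s["count_mismatches"]:
        print("  summary counts disagree with listed entries:", s["count_mismatches"])
```

Run against the real log saved from Malwarebytes, `unresolved` is the list to act on: an entry ending in "No action taken" is still on disk or in the registry, and the two Disabled.SecurityCenter items are the values that keep Windows from warning that anti-virus or firewall protection is off.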
20-Sep-2009, 09:28 PM
#57 | Senior Member (Mackoo)
It looks like my McAfee would have detected this.
21-Sep-2009, 11:54 AM
#58 | Senior Member (Mackoo)
Not sure if this is due to what was found on the last log, but I find I have to hit refresh to get pages to open, or they don't open at all, or I get the message "The web address you entered is not available" and "A 50x server error was received attempting to serve your request, indicating that either the server is currently unable to handle the request or the request timed out waiting for a response. The error may have been due to a temporary issue and therefore you could try to access the web address again." Waiting until today, still the same results, same message.
Mackoo
21-Sep-2009, 05:26 PM
#59 | Senior Member (Mackoo)
I am not sure what's going on, but I was able to view pages and then it started popping up that message again. It seems to be running smoothly, then bam! The message pops up.
21-Sep-2009, 06:43 PM
#60 | Administrator (Cookiegal)
What site are you trying to access when you get that message?
Did you have MalwareBytes take action on what it found?
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.