If this is malware I'll be relieved

So I've been working on recovering an inaccessible external hard drive (seagate freeagent 500gb) for a second time in the past month.
Last time was on 8/18 and the first thing I did was come here and run through the malware removal process, then mess around trying to get the drive recognized and was eventually successful.
Well on 9/14 I went through the same deal, found no malware, and still haven't gotten the drive up and running again. This is pretty disastrous as it happened when I was only about a quarter of the way through backing up the 350gbs on it.
So now after trying an SATA to USB cable and a bunch of recovery software and seeing only unreadable messages I decided to run through the removal guide again:
CCleaner worked fine, but

Edit: oh, whoops - winxp sp3

 

Tried not to bump (sorry), but couldn't find a way to edit the post - guess it was too late. In any case I just remembered that this:

Found a sinowal infection. Figured that could be helpful info in case that lingered around.

 

See if you can complete this scan:

http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.

• Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
• When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

 

Hi
That looked like it found some not so goodies.

 

What makes you say that?

http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

__

The rest of your logs are clean.

__

Can you attach the logs from MBAM, HitmanPro, and TDSSKiller so I can review those as well?

 

Oh, heh, I forgot to specify: I noticed in the first miscinfo file something called "dmboot" as being disabled. From what I can decipher online that has to do with booting disks? Thought (ok, hoped) it might have something to do with my seagate being inaccessible.

Sure thing, I actually halted the process when I received the error in RogueKiller's new version. Wonder what's going on there, the version I downloaded on 9-14 works fine. I'll go through it using that one.

 

Ok, looks like these three are clean - should I rerun with the afflicted drive attached or do these scans only check the primary drive? I've left it disconnected so it's not sitting there spinning for no reason.

Edit: what are these from the mg log "runkeys?"
"Error: Value: "AppInit_DLLs" does not exist!"
and
"Error: Key: regfile\shell\merge\command does not exist!"
Unimportant?

 

Can you upload this file here? C:\Windows\system32\drivers\03381308.sys

 

Hmm, I don't seem to have that one - checked to make sure my folder options are set to allow me to view protected/system files and they are.

 

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  drives
  /md5start
  03381308.sys
  /md5stop
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Good mornin!

 

So I connected that drive--using it's normal usb hookup--and ran the scans again this morning starting with RK. 1st thing it spotted was that driver and it almost looked to me like it was identifying itself in that entry.

As for the drive, the scans recognized its existence, in some cases its size, but I didn't spot any reporting its file system as NTFS. Just left it blank. RK actually hung when it tried to get there and I quit the program.

 

There may have been some malware on your computer at one point in time but wouldn't be preventing your external HDD from being recognized.

In any case, here is a fix to remove some junk and that suspicious driver.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (IntelIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
DRV - File not found [File_System | Boot | Stopped] -- system32\drivers\03381308.sys -- (00315333)
SRV - File not found [Disabled | Stopped] --  -- (Symantec Core LC)
SRV - File not found [Disabled | Stopped] --  -- (mi-raysat_3dsMax2009_32)
SRV - File not found [Disabled | Stopped] --  -- (Autodesk Licensing Service)
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E00596C
[COLOR="DarkRed"]:commands[/COLOR]
[emptytemp]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

 

Oh very nice, thank you for putting that together -
quick question before I run it: it looks like the first section refers to preferences for addons/plugins I've installed in firefox, this won't remove those guys, will it?

 

It would have. I updated the fix to not remove aything from FireFox. Please refresh this page and use the edited fix from the previous post.

 

Thanks so much, I feel cleaner already

As for the drive I guess I'm bringing it out to a place that does data recovery tomorrow and praying.

 

I wish you the best of luck. I understand how devastating data loss can be.

__

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe