
Script Errors, Audio Ads, browser re-directs


This topic is locked
17 replies to this topic

#1 Gage13 (Members, 9 posts)

Posted 11 April 2011 - 01:16 PM

Hello,

I was recently infected with the fake "Windows Recovery" virus. I do run a firewall provided by Computer Associates, but it never detected or attempted to stop the infection. Upon researching, I found this site and followed the directions for removal. Everything seemed to go OK and I thought I was out of the woods. However, it seems that I have some other problems as well. I get random Audio ads, even when I am not doing anything. I also get script errors (I believe caused by these same audio ads although I can not be sure). I also have issues with my browsers re-directing me to other sites when clicking on links.

I see that other people have had similar issues, but I don't want to follow the fixes for them as I know that each case can be different.

So I am coming to you guys for help. I would greatly appreciate any that you can offer.

I followed the directions for preparing to submit a problem and here is all the relevant information:

DDS Report
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 12:56:41.45 on Mon 04/11/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.170 [GMT -4:00]
.
AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: CA Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\Sound Blaster X-Fi Notebook\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\svcprs32.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Documents and Settings\Administrator\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Octoshape Streaming Services] "c:\documents and settings\administrator\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CTAPR2] "c:\program files\creative\sound blaster x-fi notebook\console launcher\CTAPR2.exe" /r
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi notebook\volume panel\VolPanlu.exe" /r
mRun: [Module Loader] c:\program files\creative\shared files\module loader\DLLML.exe -StartUpRun
mRun: [Creative KSRun Persistence Module] RunDll32 KSRun.dll,RunDLLEntry
mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241545624578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\fxvgapqo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\firefox\components\CAFxToolBar.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2010-6-9 61008]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2010-5-3 115792]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\caamsvc.exe [2011-2-22 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2011-2-22 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2011-2-22 206160]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2010-5-3 146000]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2010-4-13 61008]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
R2 WinExtManager;WinSock Extention Manager;c:\windows\system32\mdmcls32.exe [2011-2-22 2347760]
R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [2011-2-22 1377008]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-29 79360]
S3 CTL518;Video Blaster WebCam (WDM);c:\windows\system32\drivers\wcvid.sys [2011-3-20 183589]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-5-23 18560]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-5-29 434304]
S3 ksaudfl;ksaudfl;c:\windows\system32\drivers\ksaudfl.sys [2009-5-29 1684736]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]
.
=============== Created Last 30 ================
.
2011-04-11 16:21:16 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Sunbelt Software
2011-04-11 16:19:01 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
2011-04-11 16:17:59 -------- d-----w- c:\program files\Lavasoft
2011-04-11 06:05:31 553150 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-11 03:44:21 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-04-11 03:44:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-11 03:44:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-11 03:44:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-11 02:40:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-07 03:28:55 35136 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2011-04-07 03:28:28 135168 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-07 03:28:27 49152 ----a-w- c:\program files\mozilla firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
2011-04-07 03:28:24 8704 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-07 03:28:24 774144 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-07 03:28:24 1867776 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-07 03:28:23 720896 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-07 03:28:23 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-07 03:28:23 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-07 03:28:23 135168 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-21 03:22:28 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:21:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters Inc
2011-03-21 03:21:33 -------- d-----w- c:\program files\MSN Toolbar Installer
2011-03-21 03:18:21 -------- d-----w- c:\docume~1\admini~1\applic~1\GetRightToGo
2011-03-21 03:10:53 49152 ----a-w- c:\windows\system32\wcvfw.dll
2011-03-21 03:10:53 49152 ----a-w- c:\windows\system32\wcvex.dll
2011-03-21 03:10:53 45056 ----a-w- c:\windows\system32\wcpin.crl
2011-03-21 03:10:53 43037 ----a-w- c:\windows\system32\wcdsx.ax
2011-03-21 03:10:53 28672 ----a-w- c:\windows\system32\wcpin.dll
2011-03-21 03:10:53 24534 ----a-w- c:\windows\system32\drivers\wccam.sys
2011-03-21 03:10:53 200968 ----a-w- c:\windows\vfwupd.exe
2011-03-21 03:10:53 183589 ----a-w- c:\windows\system32\drivers\wcvid.sys
2011-03-21 03:10:53 16450 ----a-w- c:\windows\system32\wcusd.dll
2011-03-21 03:10:53 -------- d-----w- C:\CtDriverInstTemp
.
==================== Find3M ====================
.
2011-02-22 17:20:41 7 ----a-w- c:\windows\system32\mkghj.dll
2011-02-22 16:44:49 5845744 ----a-w- c:\windows\system32\win32cpr.dll
2011-02-22 16:44:48 1872624 ----a-w- c:\windows\system32\winsflt.dll
2011-02-04 22:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 12:58:09.31 ===============


Thanks again for all your help.

Edited by Gage13, 11 April 2011 - 01:21 PM.



#2 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 11 April 2011 - 03:07 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.


#3 Gage13 (Topic Starter, Members, 9 posts)

Posted 12 April 2011 - 11:13 AM

Hello Noviciate,

Thanks for your reply. I downloaded the zipped file for TDSSKILLER and extracted it to my desktop. However, I don't seem to be able to get it to open. When double clicking on the TDSSKILLER icon I get a brief hourglass and then nothing. I tried it both in regular and in safe mode. Then I tried disabling my virus protection and re-downloading and extracting, and got the same result. It seems to be downloading and extracting fine. The file shows as a 1.31 MB "application" file.

Not sure how to proceed. Any suggestions?

Edit: I also tried renaming the file to something else, and that didn't seem to work either.

Edited by Gage13, 12 April 2011 - 12:34 PM.


#4 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 12 April 2011 - 02:11 PM

Good evening. :)

Plan B...Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.


#5 Gage13 (Topic Starter, Members, 9 posts)

Posted 12 April 2011 - 02:49 PM

Thanks again Noviciate.

Here is the scan report.

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-12 15:46:23
-----------------------------
15:46:23.016 OS Version: Windows 5.1.2600 Service Pack 3
15:46:23.016 Number of processors: 2 586 0xE08
15:46:23.016 ComputerName: VALUED-922800F4 UserName: Administrator
15:46:30.188 Initialize success
15:46:46.110 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:46:46.157 Disk 0 Vendor: ST9100824AS 8.03 Size: 93958MB BusType: 3
15:46:48.266 Disk 0 MBR read successfully
15:46:48.266 Disk 0 MBR scan
15:46:50.266 Disk 0 scanning sectors +192410505
15:46:50.344 Disk 0 scanning C:\WINDOWS\system32\drivers
15:47:01.516 Service scanning
15:47:03.157 Disk 0 trace - called modules:
15:47:03.172 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86d0f1ed]<<
15:47:03.172 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87100ab8]
15:47:03.172 3 CLASSPNP.SYS[f7631fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8717a510]
15:47:03.172 5 ACPI.sys[f74a8620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87179940]
15:47:03.172 \Driver\atapi[0x8717b448] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86d0f1ed
15:47:03.172 Scan finished successfully

Edited by Gage13, 12 April 2011 - 02:51 PM.


#6 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 12 April 2011 - 04:28 PM

Run aswMBR.exe again.

  • Click the Scan button as before.
  • Once the scan has completed, the FixMBR button should become active - click it.
  • Once complete, click Save log as before, save it to your desktop and post in your next reply.

So long, and thanks for all the fish.


#7 Gage13 (Topic Starter, Members, 9 posts)

Posted 13 April 2011 - 09:57 AM

Here it is Noviciate:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-13 10:54:31
-----------------------------
10:54:31.968 OS Version: Windows 5.1.2600 Service Pack 3
10:54:31.968 Number of processors: 2 586 0xE08
10:54:31.968 ComputerName: VALUED-922800F4 UserName: Administrator
10:54:37.062 Initialize success
10:54:39.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:54:39.078 Disk 0 Vendor: ST9100824AS 8.03 Size: 93958MB BusType: 3
10:54:41.078 Disk 0 MBR read successfully
10:54:41.078 Disk 0 MBR scan
10:54:43.078 Disk 0 scanning sectors +192410505
10:54:43.171 Disk 0 scanning C:\WINDOWS\system32\drivers
10:54:51.250 Service scanning
10:54:52.984 Disk 0 trace - called modules:
10:54:53.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86d0d1ed]<<
10:54:53.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8717cab8]
10:54:53.078 3 CLASSPNP.SYS[f7631fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8717f510]
10:54:53.078 5 ACPI.sys[f74a8620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87162940]
10:54:53.078 \Driver\atapi[0x8716e568] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86d0d1ed
10:54:53.078 Scan finished successfully
10:55:10.062 Disk 0 Windows 501 MBR fixed successfully


#8 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 13 April 2011 - 01:24 PM

Good evening. :)

Will you delete your copy of TDSSKiller and then download a fresh copy and try those instructions again.

So long, and thanks for all the fish.


#9 Gage13 (Topic Starter, Members, 9 posts)

Posted 13 April 2011 - 02:16 PM

OK Noviciate,

Deleted and re-downloaded/extracted, but still not able to get it to run.

Same result. Double-click, brief hourglass (half second), but nothing happens.

Bleeping Computer! :wink:


#10 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 13 April 2011 - 03:05 PM

Bleeping Computer! :wink:

Ain't that the truth! :smash:

Could be that the file just doesn't like your PC. Will you run aswMBR again and just Scan as you did originally. I'd like to see if that is still detecting the issue or if it has sorted it.

So long, and thanks for all the fish.


#11 Gage13 (Topic Starter, Members, 9 posts)

Posted 13 April 2011 - 03:20 PM

Here you are:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-13 16:18:41
-----------------------------
16:18:41.589 OS Version: Windows 5.1.2600 Service Pack 3
16:18:41.589 Number of processors: 2 586 0xE08
16:18:41.589 ComputerName: VALUED-922800F4 UserName: Administrator
16:18:43.605 Initialize success
16:18:46.183 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:18:46.214 Disk 0 Vendor: ST9100824AS 8.03 Size: 93958MB BusType: 3
16:18:48.215 Disk 0 MBR read successfully
16:18:48.215 Disk 0 MBR scan
16:18:50.230 Disk 0 scanning sectors +192410505
16:18:50.309 Disk 0 scanning C:\WINDOWS\system32\drivers
16:18:58.856 Service scanning
16:19:00.981 Disk 0 trace - called modules:
16:19:01.044 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x870e21ed]<<
16:19:01.044 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8714bab8]
16:19:01.044 3 CLASSPNP.SYS[f7631fd7] -> nt!IofCallDriver -> \Device\0000006e[0x87172490]
16:19:01.044 5 ACPI.sys[f74a8620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8714e940]
16:19:01.044 \Driver\atapi[0x8714f568] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> aswMBR.sys[0xaebc1404]
16:19:01.059 Scan finished successfully
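An added example, not part of this thread and not code from aswMBR or Avast: the three aswMBR logs above end with a "trace - called modules" section, and the line worth reading is the last hop, where the IRP for the boot disk is handed to whatever owns the `\Driver\atapi` dispatch entry. In the first two logs that target is a bare address that also appears as `>>UNKNOWN [...]<<` in the module list, i.e. code that aswMBR could not attribute to any loaded driver image. In the third log the dispatch goes to `aswMBR.sys` (the scanner's own driver) while the module list still carries an unattributed address. The script below parses constructed copies of those two trace tails and reports both facts separately, because "the dispatch target now has a name" and "every module in the stack is attributed" are different statements. Field names and verdict strings are my own.

```python
import re

# Constructed sample input: the trace tails of the first (pre-FixMBR) and
# last (post-FixMBR rescan) aswMBR logs posted in this thread.
TRACE_BEFORE = r"""
15:47:03.157 Disk 0 trace - called modules:
15:47:03.172 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86d0f1ed]<<
15:47:03.172 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87100ab8]
15:47:03.172 3 CLASSPNP.SYS[f7631fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8717a510]
15:47:03.172 5 ACPI.sys[f74a8620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87179940]
15:47:03.172 \Driver\atapi[0x8717b448] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86d0f1ed
15:47:03.172 Scan finished successfully
"""

TRACE_AFTER = r"""
16:19:00.981 Disk 0 trace - called modules:
16:19:01.044 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x870e21ed]<<
16:19:01.044 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8714bab8]
16:19:01.044 3 CLASSPNP.SYS[f7631fd7] -> nt!IofCallDriver -> \Device\0000006e[0x87172490]
16:19:01.044 5 ACPI.sys[f74a8620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8714e940]
16:19:01.044 \Driver\atapi[0x8714f568] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> aswMBR.sys[0xaebc1404]
16:19:01.059 Scan finished successfully
"""

# ">>UNKNOWN [addr]<<" marks a code address aswMBR could not map to a driver image.
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# Final hop: "\Driver\<name>[addr] -> <IRP major> -> <target>"
DISPATCH = re.compile(r"\\Driver\\(\S+?)\[(0x[0-9a-fA-F]+)\] -> (\w+) -> (\S+)\s*$")
NAMED_TARGET = re.compile(r"^([\w.]+)\[(0x[0-9a-fA-F]+)\]$")   # e.g. aswMBR.sys[0xaebc1404]
RAW_TARGET = re.compile(r"^0x[0-9a-fA-F]+$")                    # e.g. 0x86d0f1ed


def summarize_trace(log_text):
    """Extract the unattributed address (if any) and the final dispatch target.

    Verdicts (my own labels, not aswMBR's):
      dispatch-unattributed: the atapi IRP handler is a bare address; if it is the
                             same address flagged UNKNOWN, unattributed code owns
                             the disk dispatch entry.
      dispatch-attributed:   the handler maps to a named driver image. This says
                             nothing about whether that driver is legitimate, and
                             an UNKNOWN entry may still sit elsewhere in the stack.
    """
    info = {"unknown": None, "driver": None, "irp": None, "target": None,
            "module": None, "verdict": "no-dispatch-line",
            "hook_is_unknown_address": False, "residual_unknown_module": False}
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            info["unknown"] = m.group(1).lower()
        m = DISPATCH.search(line)
        if m:
            info["driver"], _addr, info["irp"], info["target"] = m.groups()
    info["residual_unknown_module"] = info["unknown"] is not None
    target = info["target"]
    if target is None:
        return info
    m = NAMED_TARGET.match(target)
    if m:
        info["module"] = m.group(1)
        info["verdict"] = "dispatch-attributed"
    elif RAW_TARGET.match(target):
        info["verdict"] = "dispatch-unattributed"
        info["hook_is_unknown_address"] = target.lower() == info["unknown"]
    else:
        info["verdict"] = "dispatch-unparsed"
    return info


def dispatch_changed(before_log, after_log):
    """True when the final disk dispatch target differs between two scans."""
    return summarize_trace(before_log)["target"] != summarize_trace(after_log)["target"]


if __name__ == "__main__":
    for label, log in (("before", TRACE_BEFORE), ("after", TRACE_AFTER)):
        s = summarize_trace(log)
        print(f"{label}: {s['driver']} {s['irp']} -> {s['target']} [{s['verdict']}]"
              f" unknown-in-stack={s['unknown']}")
```

Reading the output for this thread: the first scan has the atapi handler pointing at the very address flagged UNKNOWN, so unattributed kernel code sits on the disk path; after FixMBR and a rescan the handler is attributed to aswMBR.sys, but an UNKNOWN address is still listed in the stack, which is consistent with the helper continuing to investigate rather than declaring the machine clean.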


#12 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 13 April 2011 - 04:21 PM

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    volsnap.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.


#13 Gage13 (Topic Starter, Members, 9 posts)

Posted 14 April 2011 - 12:03 PM

Once again, thanks for your help Noviciate.

Here is results of the scan:

SystemLook 04.09.10 by jpshortstuff
Log created at 12:57 on 14/04/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.*"
C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys -----c- 52352 bytes [18:11 05/05/2009] [12:00 10/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\inf\volsnap.inf --a---- 1095 bytes [12:00 10/08/2004] [12:00 10/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a---- 4964 bytes [11:21 06/03/2008] [13:49 07/03/2011] FE04FF34A25B5B3585924012C3EE9221
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys ------- 52352 bytes [18:07 05/05/2009] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [12:00 10/08/2004] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-
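An added example, not part of this thread and not code from SystemLook: the filefind output above lists every copy of volsnap.* with its size, timestamps and MD5, and the check a responder does by hand is to compare the live driver under system32\drivers with the reference copies Windows keeps (ServicePackFiles\i386 holds the service-pack version; $NtServicePackUninstall$ holds the file the service pack replaced, so a different hash there is expected). The script below parses a constructed copy of that output and performs the comparison; the directory list and verdict labels are my own. One caveat a practitioner should keep in mind: the hashes come from reading the file through the running Windows, so when the disk stack is hooked, as the earlier aswMBR traces in this thread indicated, a matching hash only tells you what that Windows instance was shown, which is one reason the next step in the thread is to boot from other media.

```python
import re

# Constructed sample input: the filefind section of the SystemLook log posted above.
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========

Searching for "volsnap.*"
C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys -----c- 52352 bytes [18:11 05/05/2009] [12:00 10/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\inf\volsnap.inf --a---- 1095 bytes [12:00 10/08/2004] [12:00 10/08/2004] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a---- 4964 bytes [11:21 06/03/2008] [13:49 07/03/2011] FE04FF34A25B5B3585924012C3EE9221
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys ------- 52352 bytes [18:07 05/05/2009] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [12:00 10/08/2004] [18:41 13/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-
"""

# One filefind hit: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
ENTRY = re.compile(
    r"^(?P<path>\S+)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Where the live driver lives and where Windows keeps pristine copies (assumed layout
# for an XP SP3 install, matching the paths in the log).
LIVE_DIR = r"c:\windows\system32\drivers"
REFERENCE_DIRS = (r"c:\windows\servicepackfiles\i386", r"c:\windows\$ntservicepackuninstall$")


def parse_filefind(text):
    """Turn SystemLook :filefind output lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        entries.append(d)
    return entries


def check_driver(entries, name):
    """Compare the live copy of <name> with every reference copy found in the log.

    Verdicts (my own labels):
      no-live-copy                 nothing under system32\drivers (suspicious by itself)
      no-reference                 live copy present but nothing to compare against
      matches-reference            live MD5 equals at least one reference copy
      differs-from-all-references  live MD5 equals none of them (investigate, or the
                                   file was replaced by an update not in these dirs)
    """
    name = name.lower()
    hits = [e for e in entries if e["name"] == name]
    live = [e for e in hits if e["path"].lower().startswith(LIVE_DIR)]
    refs = [e for e in hits if e["path"].lower().startswith(REFERENCE_DIRS)]
    result = {"name": name, "live_md5": None, "live_size": None,
              "matches": [], "mismatches": [], "verdict": "no-live-copy"}
    if not live:
        return result
    live = live[0]
    result["live_md5"], result["live_size"] = live["md5"], live["size"]
    for r in refs:
        bucket = "matches" if r["md5"] == live["md5"] else "mismatches"
        result[bucket].append(r["path"])
    if not refs:
        result["verdict"] = "no-reference"
    elif result["matches"]:
        result["verdict"] = "matches-reference"
    else:
        result["verdict"] = "differs-from-all-references"
    return result


if __name__ == "__main__":
    r = check_driver(parse_filefind(SYSTEMLOOK_OUTPUT), "volsnap.sys")
    print(f"{r['name']}: live MD5 {r['live_md5']} -> {r['verdict']}")
    for p in r["matches"]:
        print("  matches   ", p)
    for p in r["mismatches"]:
        print("  differs   ", p)
```

For the log in this thread the live volsnap.sys hashes the same as the ServicePackFiles\i386 copy and differs only from the pre-SP3 copy in $NtServicePackUninstall$, which is the normal picture for an unmodified SP3 driver as seen from inside Windows; the same sizes across all three copies are also why size alone is never the check.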

#14 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 14 April 2011 - 02:00 PM

Good evening. :)

Dubious though the honour is, you've been "lucky" enough to pick up a new version of a known nasty and it doesn't go quite as easily as its earlier relatives. In order to shift this we are going to need to boot the PC from a different operating system to Windows, which isn't as exciting or difficult as it might seem.
All you need is either a flashdrive of at least 126 Mb (which is tiny), or the ability to burn some files to a blank CD. I'd prefer if we went with the flashdrive as it offers some extra options, should they be necessary (and they may not), but we can work with a CD in all likelihood.

Do you have access to a flashdrive, which you'll need to be able to wipe clean, or the ability to burn a CD?

So long, and thanks for all the fish.


#15 Gage13 (Topic Starter, Members, 9 posts)

Posted 14 April 2011 - 03:08 PM

Wow, lucky me. :crazy:

Yes, I should have a flash drive around here somewhere.

Regardless, if you are kind enough to guide me through it, I will make it happen one way or another.

If I can't find mine and I have to buy one, so be it.

Edited by Gage13, 14 April 2011 - 03:27 PM.