
rootkits, redirects, and driver fails


20 replies to this topic

#1 roy h

roy h

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 12:06 AM

This machine has a major infection it seems, but nothing has been able to clean it or even detect the problem. It has a redirect issue that brings up coolchaser and other rogue search sites when clicking valid links.

This may be unrelated, but I will post it for your info in case it helps to see what the problems may be related to. It also lost a PCI device a while back and it can no longer find a driver. It reports the error on boot when doing the BIOS system check before actually starting Windows, so this may actually be a real hardware failure (the built-in SD card reader does not work any more).

Hopefully someone can see how to clean this thing up. I was going to reload the OS after I backed up but I don't have the recovery disks.


Thanks in advance.
Roy

Below is the DDS log:

.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by admin at 0:14:38.13 on Tue 05/10/2011
Internet Explorer: 9.0.8112.16421
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Toshiba\IVP\ISM\pinger.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WerFault.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WX7GORZ9\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Bar = Preserve
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uURLSearchHooks: H - No File
mURLSearchHooks: AmericanSingles Toolbar: {3745af78-a06b-4b5b-adc7-95551713f973} - c:\program files\americansingles\tbAme0.dll
BHO: MRI_DISABLED - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AmericanSingles Toolbar: {3745af78-a06b-4b5b-adc7-95551713f973} - c:\program files\americansingles\tbAme0.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AmericanSingles Toolbar: {3745af78-a06b-4b5b-adc7-95551713f973} - c:\program files\americansingles\tbAme0.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon]
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNjE5MTU2OTI2LVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE0xMUMrMS1VUEcrMjAxMS1GOE0xMUUrMS1YTzEwKzEyLUZMMTArMS1MSUMrMjItU1AxKzEtU1VEKzEtUzFJKzEtU1UzKzE"&"prod=55"&"ver=10.0.1325
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
.
============= SERVICES / DRIVERS ===============
.
R? CGVPNCliSrvc;CyberGhost VPN Client
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? jswpsapi;Jumpstart Wifi Protected Setup
R? McComponentHostService;McAfee Security Scan Component Host Service
R? TpChoice;Touch Pad Detection Filter driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? ConfigFree Service;ConfigFree Service
S? FontCache;Windows Font Cache Service
S? FreeAgentGoNext Service;Seagate Service
S? jswpslwf;JumpStart Wireless Filter Driver
S? PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service
S? TOSHIBA SMART Log Service;TOSHIBA SMART Log Service
.
=============== Created Last 30 ================
.
2011-05-10 03:53:31 -------- d-s---w- C:\ComboFix
2011-05-10 02:41:24 -------- d-----w- c:\progra~2\ErrorEND
2011-05-10 02:41:17 -------- d-----w- c:\program files\ErrorEND
2011-05-10 01:21:20 -------- d-----w- c:\users\admin\appdata\local\ATI
2011-05-10 00:19:33 -------- d-----w- c:\users\admin\appdata\roaming\WinBatch
2011-05-10 00:19:28 -------- d-----w- C:\sa210v230
2011-05-09 23:58:33 -------- d-----w- C:\AVG10
2011-04-14 07:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-05-10 01:02:43 319456 ----a-w- c:\windows\DIFxAPI.dll
2011-03-30 04:04:23 98816 ----a-w- c:\windows\system32\mfps.dll
2011-03-30 04:02:20 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-03-30 04:02:20 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-03-30 04:02:20 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-03-30 04:02:19 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-03-30 04:02:19 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-03-30 04:02:19 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-03-30 04:02:18 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS542516K9SA00 rev.BBCOC33P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85EA3439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85ea97d0]; MOV EAX, [0x85ea984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E52912] -> \Device\Harddisk0\DR0[0x85909AC8]
3 CLASSPNP[0x8270E8B3] -> ntkrnlpa!IofCallDriver[0x81E52912] -> [0x85145A00]
5 acpi[0x806116BC] -> ntkrnlpa!IofCallDriver[0x81E52912] -> [0x8510D528]
\Driver\atapi[0x85B0F0C8] -> IRP_MJ_CREATE -> 0x85EA3439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS542516K9SA00_________________BBCOC33P#5&1325ff8b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 0:15:15.27 ===============


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 PM

Posted 10 May 2011 - 07:17 AM

Welcome to BC!

Something I should point out: (as stated by the author of the tool)

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.


What happened when you ran ComboFix?
Did it complete?

If so please post the content of C:\ComboFix.txt in your reply.


Step 1.
Uninstall unwanted programs:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

FrostWire 4.21.3

Optional removals
FrostWire and P2P programs in general are legal themselves, but much of the content downloaded with them is downloaded illegally. They are also a great way to infect yourself with malware.
It's up to you if you want to remove the above programs, however I recommend you do.


Step 2.
Things I would like to see in your reply:

  • Answers to the questions in the beginning of this post
  • The content of C:\ComboFix.txt if present.
  • Which software was uninstalled in step 1.

Edited by heir, 10 May 2011 - 07:23 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate link.


#3 roy h

roy h
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 09:31 AM

Yes, shame on me... I had downloaded combofix some time ago when I first tried to fix this machine.
I tried to run it before coming back to the forums and reading up in detail.
Sorry, I'm back on the reservation now :-)

When it ran, it bluescreened with an IRQ_NOT_LESS_... type message.
That's when I came here and went through the correct procedures using DDS etc.

There are a number of other programs that are uninstalled but still in the uninstall menu.
American singles toolbar is one that isn't installed any more but still appears in the registry.

Another symptom I have is that windows update fails with an error code WindowsUpdate_80072EFE. The system shows an alert in the systray as well.

I have uninstalled all non-essential or non-factory programs:

Frostwire
Bejeweled
Frog frenzy
Cyberghost vpn
Jeopardy and Jeopardy Super Deluxe.
Steam
Pc tools reg mech
Roller coaster tycoon 1, 2, & 3
Text twist
The Weather Channel (nothing happened, the uninstall wizard just quit.)
The Weather Channel Toolbar ("cannot open install log")
Insaniquarium (failed to uninstall, no install.log)

One last symptom I will mention in the event it is related...
When re-booting, it sometimes hangs at the BIOS logo screen and never boots. When it DOES work, I get 3 PCI Conflict errors, <F1> to continue.

Thanks for the help.
Roy

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 PM

Posted 10 May 2011 - 10:01 AM

Yes, shame on me... I had downloaded combofix some time ago when I first tried to fix this machine.
I tried to run it before coming back to the forums and reading up in detail.
Sorry, I'm back on the reservation now :-)

It's for your own safety. Combofix and other powerful tools can be run in different ways.

When it ran, it bluescreened with an IRQ_NOT_LESS_... type message.

Was that using the old copy of combofix?

Let's take some precautions here before we start removing this.

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WX7GORZ9\dds.scr

DDS was run from a temporary location.
It is essential that you follow the instructions correctly, that is if a file should be placed on the desktop it needs to be there.
Usually tools are, and need to be, placed on the desktop to function properly.


Please use this account: admin

Step 1.
aswMBR:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it


Click the "Scan" button to start scan


On completion of the scan click Save log, save it to your desktop and post it in your next reply.


Step 2.
MBRCheck:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 3.
MBR backup:

Open notepad and copy/paste the text in the codebox below into it:

rem Dump the MBR of disk 0 to MBRbckp.dat in the current folder (the desktop)
MBRCheck -s 0 -d MBRbckp.dat
rem Delete this batch file itself once the dump has been written
del %0

Save this as bmbr.bat
Choose to "Save type as - All Files"
Save it on your desktop.
Double click on bmbr.bat & allow it to run

A file MBRbckp.dat will be created on your desktop.
Zip MBRbckp.dat and attach that zipped file in a reply.


Step 4.
Filescans:

Please go to: VirusTotal

  • On the page you'll find a Browse - button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, click on desktop to the left and then find this file.

    C:\Users\admin\Desktop\mbr.dat

  • Next, click the Open button.
  • Then click the Send File - button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


Please repeat for the following file:

C:\Users\admin\Desktop\MBRbckp.dat



Step 5.
Things I would like to see in your reply:

  • Answer to the question in the beginning of this post.
  • The content of the log from aswMBR in step 1.
  • The content of the log from MBRCheck in step 2.
  • The file MBRbckp.dat from step 3 attached.
  • The links to the results of the filescans in step 4.

Edited by heir, 10 May 2011 - 10:03 AM.

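Added example, written for this thread and not taken from it or from the tools it names: it parses a 512-byte MBR image such as the MBRbckp.dat that the bmbr.bat step writes, and reproduces the user-versus-kernel comparison that the GMER detector in the DDS log above reports as "user != kernel MBR". The two sample images are constructed inline; on a real case you would read the dumps from disk instead.

```python
"""Parse a raw MBR image and compare two reads of the same MBR.

A bootkit like TDL4 hooks the disk driver so that reads coming through the
normal (user-mode) path return the original loader, while a read taken below
the hook returns the infected one. The partition table is normally left intact,
so the two images differ only in the first 446 bytes of loader code.
"""
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446       # bytes 0..445: loader code (what a bootkit replaces)
PART_TABLE_OFFSET = 446    # four 16-byte entries at bytes 446..509
SIG_OFFSET = 510           # 0x55AA boot signature at bytes 510..511
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> list:
    """Decode the used partition entries of a 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[SIG_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, type_id, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        if type_id == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba, count))
    return entries


def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open [start, end) byte ranges where the two images differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def compare_mbr_reads(user_mbr: bytes, kernel_mbr: bytes) -> dict:
    """Reproduce the 'user != kernel MBR' test and say which regions disagree."""
    ranges = diff_ranges(user_mbr, kernel_mbr)
    return {
        "consistent": not ranges,
        "boot_code_differs": any(s < BOOT_CODE_SIZE for s, _ in ranges),
        "partition_table_differs": any(s < SIG_OFFSET and e > PART_TABLE_OFFSET
                                       for s, e in ranges),
        "signature_differs": any(e > SIG_OFFSET for _, e in ranges),
        "ranges": ranges,
    }


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Constructed helper: assemble an MBR from code bytes and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE


# Constructed sample data (not from the machine in the thread): one bootable NTFS
# partition at LBA 2048. The loader stubs are placeholders, not real boot code.
PARTS = [(0x80, 0x07, 2048, 312_576_000)]
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
INFECTED_CODE = b"\x31\xc0\x8e\xd0\xbc\x00\x7c\xbe\x00\x7c\xbf\x00\x06" + b"\xcc" * 10
USER_MBR = build_mbr(CLEAN_CODE, PARTS)       # what a hooked driver hands to user-mode readers
KERNEL_MBR = build_mbr(INFECTED_CODE, PARTS)  # what a read below the hook returns


def demo() -> dict:
    """Run the comparison on the constructed images and print a GMER-style verdict."""
    result = compare_mbr_reads(USER_MBR, KERNEL_MBR)
    for p in parse_partition_table(KERNEL_MBR):
        print(f"partition {p.index}: type 0x{p.type_id:02x} lba {p.lba_start} "
              f"sectors {p.sector_count}{' bootable' if p.bootable else ''}")
    if result["consistent"]:
        print("user == kernel MBR: consistent")
    else:
        print("user != kernel MBR !!! differing byte ranges:", result["ranges"])
        if result["boot_code_differs"] and not result["partition_table_differs"]:
            print("loader code replaced, partition table preserved: bootkit pattern")
    return result


if __name__ == "__main__":
    demo()
```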


#5 roy h

roy h
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 10:30 AM

Yes, ComboFix was from April. It DID perform an update to get the latest version, prior to the bluescreen.

Cannot run aswMBR.exe. Windows messagebox states "The dependency service or group failed to start"

#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 PM

Posted 10 May 2011 - 10:43 AM

Proceed with the other steps. There will however only be one file to scan at Virustotal.

Edited by heir, 10 May 2011 - 10:43 AM.



#7 roy h

roy h
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 10:52 AM

I get the same message when trying to execute MBRCheck... "The dependency service or group failed to start"

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 PM

Posted 10 May 2011 - 10:54 AM

Try right-clicking and choosing Run as administrator.

Start from step 1. with aswMBR.



#9 roy h

roy h
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 11:00 AM

Arrrrghhhh...

I tried running 1, 2, & 3 as administrator, but got that same message for each.

#10 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 PM

Posted 10 May 2011 - 11:04 AM

Let's use this tool then.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and right-click on TDSSKiller.exe and choose Run as administrator to run the application, then click on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.



  • If a suspicious file is detected, the default action will be Skip, click on Continue.



  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.



  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



#11 roy h

roy h
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 11:14 AM

Sorry, 'fraid it gives the same message...

#12 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 PM

Posted 10 May 2011 - 11:19 AM

This was strange. I need to look into that.

It looks as if one of your logs, Attach.txt, has been cut off at the top.

Please find and attach this file in your reply:

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WX7GORZ9\Attach.txt



Also, what brand and model is that computer?
Which operating system is it running, Vista or Windows 7?

Edited by heir, 10 May 2011 - 11:20 AM.



#13 roy h

roy h
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 11:33 AM

That folder no longer contains the Attach.txt file. I believe IE9 is set to clear temporary internet files on exit...

This is a Toshiba Satellite, model A215-S5837, running Windows Vista Home Premium 32bit SP2.


Here is the text of that file from the desktop:
.
==== Installed Programs ======================
.
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player
ALPS Touch Pad Driver
AmericanSingles Toolbar
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
ATI Catalyst Install Manager
Bejeweled Twist (remove only)
Big Fish Games: Game Manager
Bluetooth Stack for Windows by Toshiba
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CD/DVD Drive Acoustic Silencer
CustomerResearchQFolder
CyberGhost VPN
D1500
D1500_Help
DeviceDiscovery
DeviceManagementQFolder
DJ_SF_03_D1500_ProductContext
DJ_SF_03_D1500_Software
DJ_SF_03_D1500_Software_Min
DVD MovieFactory for TOSHIBA
ErrorEND
eSupportQFolder
Family Feud
Family Feud (remove only)
Frog Frenzy 1
FrostWire 4.21.3
GearDrvs
GIMP 2.6.11
GPBaseService
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hoyle Casino 2006 (remove only)
HP Customer Participation Program 10.0
HP Deskjet D1500 Printer Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Photosmart Essential 2.5
HP Smart Web Printing 4.60
HP Solution Center 10.0
HP Update
HPProductAssistant
HPSSupply
Insaniquarium Deluxe 1.0
Java Auto Updater
Java™ 6 Update 24
JEOPARDY! (remove only)
JEOPARDY! Super Deluxe (remove only)
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Malwarebytes' Anti-Malware
MarketResearch
McAfee Security Scan Plus
Memeo AutoBackup
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 4.5
Microsoft Works Calendar 1.0
Microsoft Works Setup Launcher
Microsoft XML Parser
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nanny Mania
Nanny Mania (remove only)
Norton 360
OpenOffice.org Installer 1.0
Pac-Man Adventures in Time
Picasa 3
PSSWCORE
QuickBooks Financial Center
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Registry Mechanic 10.0
Roller Coaster Tycoon
RollerCoaster Tycoon 2
RollerCoaster Tycoon 3
Seagate Manager Installer
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Shop for HP Supplies
Skins
SmartWebPrinting
SolutionCenter
Status
Steam
Texas Instruments PCIxx21/x515/xx12 drivers.
Text Twist (remove only)
The Weather Channel Desktop 6
The Weather Channel Toolbar
TIPCI
Toolbox
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Games
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Utility Common Driver
VideoToolkit01
W Photo Studio
WebReg
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Yahoo! Messenger
Zuma Deluxe
.
==== End Of File ===========================

#14 roy h

roy h
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 May 2011 - 11:35 AM

I could re-run it now that I have uninstalled many of these programs, if that will make it easier to move forward...

#15 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 PM

Posted 10 May 2011 - 11:36 AM

Do you have the installation CD/DVD for Windows Vista Home Premium?
