
Redirection + No sound on Internet


  • This topic is locked
22 replies to this topic

#1 mitchellliverpool

mitchellliverpool

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 11 June 2011 - 01:41 PM

In the last week I have had issues with the sound on the internet. It works fine with regards to the Windows opening theme, shut down theme etc. but won't play sound via the internet.

Also, my main bugbear is that when I go via Google, Yahoo etc. and then select my chosen link I get redirected elsewhere, to my frustration.

I have, on a couple of occasions, run Malwarebytes and Windows Defender both normally and in safe mode. I have picked up a couple of things and had them deleted but still no joy. Starting to consider taking it in to get cleaned and debugged but it's gonna cost me £35, so thought this would be the last throw of the dice.

Please help.



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:02 PM

Posted 11 June 2011 - 02:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact that you are running a 64-bit machine, please run the following tool and post its log.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Thanks and again sorry for the delay.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 mitchellliverpool

mitchellliverpool
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 13 June 2011 - 02:47 PM

Sorry for the late reply. Hope what I've done so far is as required...

DDS LOG below.

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by laura at 20:15:48 on 2011-06-13
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.986.253 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIEDE.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\wscript.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://www.mytalktalk.co.uk
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: MFSearch: {657e195f-066d-435c-92db-7c261e6fe832} - c:\program files\musicfrost\music frost toolbar\MFSearch.dll
BHO: MediaBar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\bearsh~1\mediabar\toolbar\bsdtxmltbpi.dll
TB: MediaBar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\bearsh~1\mediabar\toolbar\bsdtxmltbpi.dll
TB: !{657E195F-066D-435C-92DB-7C261E6FE832} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [EPSON SX100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiede.exe /fu "c:\windows\temp\E_SE983.tmp" /EF "HKCU"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BearShare] "c:\program files\bearshare applications\bearshare\BearShare.exe" --lightmode
uRun: [AdobeUpdater6] "c:\program files\common files\adobe\updater6\Adobe_Updater.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [removeBearSharedatamngr] cmd.exe /c RD /S /Q "c:\program files\bearshare applications\MediaBar"
mRunOnce: [removeBearSharetoolbar] cmd.exe /c RD /S /Q "c:\program files\bearshare applications\mediabar\ToolBar"
mRunOnce: [removeiMeshtoolbar] cmd.exe /c RD /S /Q "c:\program files\imesh applications\mediabar\ToolBar"
StartupFolder: c:\users\laura\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {394D47E0-4F45-41CB-A0C3-70AE44EABF72} - hxxp://wa-184-72-252-254.projectchainsaw.com/webcommon-2.1-b695/downloads/microsetup-web.alive-client.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{42901964-D5BD-46DA-B32C-A387689CA633} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{F3DF89F3-FAB2-4C18-A65A-2866FCE6BD3F} : DhcpNameServer = 192.168.1.1 192.168.1.1
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs:
.
============= SERVICES / DRIVERS ===============
.
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_ae0b52e0\AEstSrv.exe [2009-4-4 81920]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2010-2-24 494368]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-10 06:53:40 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b91ad8b6-4636-45a9-ab10-2c575131145b}\mpengine.dll
2011-06-08 07:33:48 -------- d-----w- c:\users\laura\Work
2011-06-06 11:17:05 -------- d-----w- c:\program files\Lavasoft
2011-06-06 06:26:52 -------- d-----w- c:\program files\trend micro
.
==================== Find3M ====================
.
2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 20:18:21.84 ===============


GMER LOG below...

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-13 20:44:13
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.0085
Running: gmer.exe; Driver: C:\Users\laura\AppData\Local\Temp\ugloapob.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\drivers\jainm.sys The system cannot find the path specified. !
? C:\Users\laura\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!DialogBoxIndirectParamW 77E8BD25 5 Bytes JMP 69645117 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!CreateWindowExW 77E93D67 5 Bytes JMP 6954DB5C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!DialogBoxParamW 77EA1FD5 5 Bytes JMP 694754BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!DialogBoxParamA 77EC80B2 5 Bytes JMP 696450B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!DialogBoxIndirectParamA 77EC83DD 5 Bytes JMP 6964517A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!MessageBoxIndirectA 77EDD471 5 Bytes JMP 69645049 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!MessageBoxIndirectW 77EDD56B 5 Bytes JMP 69644FDE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!MessageBoxExA 77EDD5D1 5 Bytes JMP 69644F7C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!MessageBoxExW 77EDD5F5 5 Bytes JMP 69644F1A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] WININET.dll!HttpAddRequestHeadersA 77C6CF4E 5 Bytes JMP 00466B70
.text C:\Program Files\internet explorer\iexplore.exe[3900] WININET.dll!HttpAddRequestHeadersW 77C6FE49 5 Bytes JMP 00466D70
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!closesocket 772C330C 5 Bytes JMP 0246000A
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!recv 772C343A 5 Bytes JMP 0243000A
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!connect 772C40D9 5 Bytes JMP 0244000A
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!getaddrinfo 772C418A 5 Bytes JMP 0249000A
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!send 772C659B 5 Bytes JMP 0247000A
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!gethostbyname 772D62D4 5 Bytes JMP 0248000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!SetWindowsHookExW 77E87B69 5 Bytes JMP 69549B01 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!CallNextHookEx 77E88C33 5 Bytes JMP 6953D125 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!DialogBoxIndirectParamW 77E8BD25 5 Bytes JMP 69645117 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!CreateWindowExW 77E93D67 5 Bytes JMP 6954DB5C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!DialogBoxParamW 77EA1FD5 5 Bytes JMP 694754BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!UnhookWindowsHookEx 77EB08BE 5 Bytes JMP 694B4664 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!DialogBoxParamA 77EC80B2 5 Bytes JMP 696450B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!DialogBoxIndirectParamA 77EC83DD 5 Bytes JMP 6964517A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!MessageBoxIndirectA 77EDD471 5 Bytes JMP 69645049 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!MessageBoxIndirectW 77EDD56B 5 Bytes JMP 69644FDE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!MessageBoxExA 77EDD5D1 5 Bytes JMP 69644F7C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] USER32.dll!MessageBoxExW 77EDD5F5 5 Bytes JMP 69644F1A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] ole32.dll!OleLoadFromStream 77519794 5 Bytes JMP 6964547F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] ole32.dll!CoCreateInstance 7754E2D8 5 Bytes JMP 6954DBB8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] WS2_32.dll!closesocket 772C330C 5 Bytes JMP 00A9000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] WS2_32.dll!recv 772C343A 5 Bytes JMP 00A7000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] WS2_32.dll!connect 772C40D9 5 Bytes JMP 00A8000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] WS2_32.dll!getaddrinfo 772C418A 5 Bytes JMP 0225000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] WS2_32.dll!send 772C659B 5 Bytes JMP 00AA000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] WS2_32.dll!gethostbyname 772D62D4 5 Bytes JMP 01BF000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] WININET.dll!HttpAddRequestHeadersA 77C6CF4E 5 Bytes JMP 02236B70
.text C:\Program Files\internet explorer\iexplore.exe[5404] WININET.dll!HttpAddRequestHeadersW 77C6FE49 5 Bytes JMP 02236D70

---- Devices - GMER 1.0.15 ----

Device \Driver\iaStor \Device\Ide\iaStor0 857C81ED
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 857C81ED
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 857C81ED

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:272] 857CCE7A
Thread System [4:276] 857CF008

---- EOF - GMER 1.0.15 ----

Thanks again. Hope it makes sense to you!
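The DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections above are what the helper reads first, and the checks a reviewer applies to them are mechanical enough to script. The following is an added example written for this page, not part of DDS or of anything the helper posted: it parses a handful of lines copied from the log above (embedded as a constructed sample) and reports three things a reviewer looks for, namely registrations whose file is gone ("No File"), DPF ActiveX download records with the host and file name pulled out for review, and services whose image path DDS could not resolve (lines ending in "[?]"). The "ip_in_hostname" heuristic and the flag names are this example's own conventions, not DDS output.

```python
"""Triage of DDS 'Pseudo HJT Report' and service entries (added example; not part of DDS)."""
import re

# Constructed sample: a subset of lines copied from the DDS log posted earlier in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com/
uURLSearchHooks: H - No File
BHO: MFSearch: {657e195f-066d-435c-92db-7c261e6fe832} - c:\program files\musicfrost\music frost toolbar\MFSearch.dll
TB: MediaBar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\bearsh~1\mediabar\toolbar\bsdtxmltbpi.dll
TB: !{657E195F-066D-435C-92DB-7C261E6FE832} - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
DPF: {394D47E0-4F45-41CB-A0C3-70AE44EABF72} - hxxp://wa-184-72-252-254.projectchainsaw.com/webcommon-2.1-b695/downloads/microsetup-web.alive-client.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
============= SERVICES / DRIVERS ===============
.
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
"""

# "<kind>: <name> - No File": a BHO/toolbar/search-hook registration whose DLL is gone.
ORPHAN_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s+(?P<name>.+?)\s+-\s+No File$")
# "DPF: {clsid} - hxxp://host/path": an ActiveX download record (DDS de-fangs http as hxxp).
DPF_RE = re.compile(r"^DPF:\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<url>hxxps?://\S+)$")
# "<state> <name>;<display name>;<image path> [...]": a DDS service/driver line.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
# Four dash-separated octet-like numbers inside a host label, e.g. 184-72-252-254 (heuristic).
IP_IN_HOST_RE = re.compile(r"(?<![0-9])(?:\d{1,3}-){3}\d{1,3}(?![0-9])")


def find_orphans(text):
    """Registrations that point at a file which no longer exists, as (kind, name) pairs."""
    out = []
    for line in text.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("name")))
    return out


def review_dpf(text):
    """Each DPF entry with its host, downloaded file name and review flags."""
    out = []
    for line in text.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        host, _, path = url.split("://", 1)[1].partition("/")
        filename = path.rsplit("/", 1)[-1]
        flags = []
        if filename.lower().endswith(".exe"):
            flags.append("executable_download")  # a .cab is the usual ActiveX package; a bare .exe merits a look
        if IP_IN_HOST_RE.search(host.split(".")[0]):
            flags.append("ip_in_hostname")  # generic hosting-style label rather than a vendor name
        out.append({"clsid": m.group("clsid"), "host": host, "file": filename, "flags": flags})
    return out


def unresolved_services(text):
    """Service names whose image path DDS could not resolve (line ends in '[?]')."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group("image").rstrip().endswith("[?]"):
            out.append(m.group("name"))
    return out


if __name__ == "__main__":
    print("orphaned registrations:", find_orphans(SAMPLE_DDS))
    for entry in review_dpf(SAMPLE_DDS):
        print("DPF", entry["clsid"], entry["host"], entry["file"], entry["flags"] or "-")
    print("services with unresolved image path:", unresolved_services(SAMPLE_DDS))
```

The output is a review list, not a verdict: an orphaned toolbar registration is clutter to clean rather than proof of infection, and an unresolved service path (here the Marvell Yukon entry) is often just a vendor installer leftover. The value is that every entry a helper would have to eyeball is surfaced with the fields they need to look it up.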
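The GMER "User code sections" above list inline hooks (a 5-byte JMP patched over the first instructions of an exported function) inside both iexplore.exe processes. GMER prints the module the JMP lands in when it can map the target address to a loaded module; for the USER32 and ole32 hooks that module is Microsoft's own IEFRAME.dll, while the hooks on the Winsock and WinINet exports (connect, send, recv, getaddrinfo, gethostbyname, HttpAddRequestHeaders) jump to addresses GMER attributes to no module at all. That distinction is the whole triage, and the following added example (written for this page, not GMER's tooling and not code from the thread) automates it over a constructed sample of lines copied from the log above, grouping unattributed hooks by PID and marking hooks on network and name-resolution APIs as high priority. It also lists the kernel-section entries GMER flagged with "?" because the driver file was not found on disk. The severity labels and the NETWORK_APIS set are this example's own choices.

```python
"""Triage of a GMER user-mode hook listing (added example; not GMER's own tooling)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log posted in this thread, including the two
# "kernel code sections" entries whose driver file GMER could not find on disk.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

? System32\drivers\jainm.sys The system cannot find the path specified. !
? C:\Users\laura\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[3900] USER32.dll!CreateWindowExW 77E93D67 5 Bytes JMP 6954DB5C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3900] WININET.dll!HttpAddRequestHeadersA 77C6CF4E 5 Bytes JMP 00466B70
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!connect 772C40D9 5 Bytes JMP 0244000A
.text C:\Program Files\internet explorer\iexplore.exe[3900] ws2_32.dll!getaddrinfo 772C418A 5 Bytes JMP 0249000A
.text C:\Program Files\internet explorer\iexplore.exe[5404] ole32.dll!CoCreateInstance 7754E2D8 5 Bytes JMP 6954DBB8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5404] WS2_32.dll!gethostbyname 772D62D4 5 Bytes JMP 01BF000A
"""

# One hooked export per line:
#   .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<target module> (<vendor>)]
# The trailing module/vendor pair appears only when GMER could map the JMP target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<target_module>\S+)\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# Kernel-section entries GMER prefixes with "?" when the backing file is missing on disk.
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the (?:path|file) specified\.\s*!$")

# Exports that sit on name resolution and socket traffic; a hook on these inside a browser
# gives whoever placed it a view of every lookup and connection, so they are reviewed first.
NETWORK_APIS = {
    ("ws2_32.dll", "connect"), ("ws2_32.dll", "send"), ("ws2_32.dll", "recv"),
    ("ws2_32.dll", "closesocket"), ("ws2_32.dll", "getaddrinfo"), ("ws2_32.dll", "gethostbyname"),
    ("wininet.dll", "httpaddrequestheadersa"), ("wininet.dll", "httpaddrequestheadersw"),
}


def parse_hooks(text):
    """One dict per '.text ... JMP ...' line; target_module is None when GMER gave no module."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            hooks.append(d)
    return hooks


def parse_missing_drivers(text):
    """Driver paths GMER listed in the kernel section but could not find on disk."""
    return [m.group("path") for m in (MISSING_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(text):
    """Unattributed hooks grouped by PID, with network/DNS exports tagged high priority.

    Hooks whose target resolves to a module are skipped: here they all land in IEFRAME.dll,
    which GMER itself attributes to Microsoft. A JMP into memory no module accounts for is
    the shape injected code takes, and that is what a helper needs to see first.
    """
    findings = defaultdict(list)
    for h in parse_hooks(text):
        if h["target_module"]:
            continue
        key = (h["module"].lower(), h["export"].lower())
        findings[h["pid"]].append({
            "process": h["process"],
            "api": f'{h["module"]}!{h["export"]}',
            "target": h["target"],
            "severity": "high" if key in NETWORK_APIS else "medium",
        })
    return dict(findings)


if __name__ == "__main__":
    for pid, items in sorted(triage(SAMPLE_GMER).items()):
        for it in items:
            print(f'pid {pid} {it["severity"]:6} {it["api"]} -> {it["target"]}')
    for path in parse_missing_drivers(SAMPLE_GMER):
        print("driver file referenced but not found:", path)
```

On the full log this reports the same pattern in both browser PIDs: every hook on a socket, DNS or request-header export jumps to unattributed memory, which fits the search-result redirection the topic starter describes and is why the helper moves straight to rootkit and MBR tooling in the next post. The missing-driver list is context rather than a finding on its own; GMER prints those entries whenever a kernel-section path cannot be opened, so they are something to check against the other logs, not to act on blindly.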

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:02 PM

Posted 13 June 2011 - 04:49 PM

Hello,


Let's get to cleaning your machine.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [image: ComboFix prompt asking to install the Microsoft Windows Recovery Console]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: ComboFix message confirming the Microsoft Windows Recovery Console is installed]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKILLER log
Combofix.txt
How is your machine running now?



#5 mitchellliverpool

mitchellliverpool
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 14 June 2011 - 01:48 AM

I have tried to run TDSSKiller yet it won't allow me to. I have saved it to the desktop and tried to run as administrator but no joy. I tried to rename it but again no joy. Then I tried to just run it straight away, no joy. I get a prompt asking if I'd like to continue with run, I click continue but nothing happens.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:02 PM

Posted 14 June 2011 - 03:04 PM

Hello,

No biggie that TDSS will not run. Go ahead and proceed with Combofix.



#7 mitchellliverpool

mitchellliverpool
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 14 June 2011 - 04:16 PM

ComboFix 11-06-14.01 - laura 14/06/2011 21:50:50.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.986.285 [GMT 1:00]
Running from: c:\users\laura\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\laura\AppData\Roaming\completescan
c:\users\laura\AppData\Roaming\install
.
.
((((((((((((((((((((((((( Files Created from 2011-05-14 to 2011-06-14 )))))))))))))))))))))))))))))))
.
.
2011-06-14 11:33 . 2011-06-14 11:33 -------- d-----w- c:\users\laura\Wedding
2011-06-10 06:53 . 2011-05-24 18:12 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B91AD8B6-4636-45A9-AB10-2C575131145B}\mpengine.dll
2011-06-08 07:33 . 2011-06-08 07:33 -------- d-----w- c:\users\laura\Work
2011-06-06 11:17 . 2011-06-06 11:17 -------- d-----w- c:\program files\Lavasoft
2011-06-06 11:16 . 2011-06-06 11:17 -------- d-----w- c:\programdata\Lavasoft
2011-06-06 06:26 . 2011-06-06 06:29 -------- d-----w- c:\program files\trend micro
2011-06-06 06:26 . 2011-06-06 06:29 -------- d-----w- C:\rsit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-24 18:14 . 2009-10-02 20:12 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-09-04 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-15 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-09 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-09 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-09 154136]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
.
c:\users\laura\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-04 01:51 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2010-02-24 494368]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [2008-12-15 81920]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-13 c:\windows\Tasks\Web.AliveUpdateTask.job
- c:\program files\web.alive\web.alive-2.5beta.7\System\WebAliveUpdater.exe [2010-10-26 05:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://www.mytalktalk.co.uk
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: {394D47E0-4F45-41CB-A0C3-70AE44EABF72} - hxxp://wa-184-72-252-254.projectchainsaw.com/webcommon-2.1-b695/downloads/microsetup-web.alive-client.exe
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
BHO-{657E195F-066D-435C-92DB-7C261E6FE832} - c:\program files\MusicFrost\Music Frost Toolbar\MFSearch.dll
BHO-{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\bsdtxmltbpi.dll
Toolbar-{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\bsdtxmltbpi.dll
Toolbar-10 - (no file)
Toolbar-!{657E195F-066D-435C-92DB-7C261E6FE832} - (no file)
HKCU-Run-BearShare - c:\program files\BearShare Applications\BearShare\BearShare.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-14 22:06
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2011-06-14 22:12:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-14 21:12
.
Pre-Run: 86,160,646,144 bytes free
Post-Run: 88,394,125,312 bytes free
.
- - End Of File - - D7BFC6E484D8AE7C462CF3C30F747E12


This is the ComboFix report. Hope it all makes sense so far. Thanks again.
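
The ComboFix report above is long, and the parts that bear on a search-redirect complaint are the "Supplementary Scan" lines (start pages, proxy and DNS settings, DPF ActiveX downloads) and the "ORPHANS REMOVED" list (browser helper objects, toolbars and Run entries whose registry values ComboFix deleted). The script below is an added example written for this thread, not ComboFix's own code: it pulls those two sections into a structure and lists what a helper would check next. The line patterns are assumptions derived from the lines quoted in the posted log (the ProxyServer key is assumed to use the same "uInternet Settings,<key> = <value>" form as the ProxyOverride line that does appear), and the sample input is constructed from lines of that log.

```python
"""Triage the 'Supplementary Scan' and 'ORPHANS REMOVED' sections of a ComboFix log.
Added example for this thread, not ComboFix's own code: the regular expressions are
assumptions derived from the log lines posted above, not a published log grammar."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: lines copied from the ComboFix log posted in the thread.
# ComboFix writes hxxp for http so URLs are not clickable; that is kept as-is.
SAMPLE_LOG = r"""
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://www.mytalktalk.co.uk
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: {394D47E0-4F45-41CB-A0C3-70AE44EABF72} - hxxp://wa-184-72-252-254.projectchainsaw.com/webcommon-2.1-b695/downloads/microsetup-web.alive-client.exe
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
BHO-{657E195F-066D-435C-92DB-7C261E6FE832} - c:\program files\MusicFrost\Music Frost Toolbar\MFSearch.dll
BHO-{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\bsdtxmltbpi.dll
Toolbar-{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\bsdtxmltbpi.dll
Toolbar-!{657E195F-066D-435C-92DB-7C261E6FE832} - (no file)
HKCU-Run-BearShare - c:\program files\BearShare Applications\BearShare\BearShare.exe
SafeBoot-mcmscsvc
"""

DNS_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
START_RE = re.compile(r"^([um])Start Page = (\S+)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,(Proxy\w+) = (.+)$")  # ProxyServer form assumed
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\}) - (\S+)$")
ORPHAN_RE = re.compile(r"^(URLSearchHooks|BHO|Toolbar|HKCU-Run|HKLM-Run|SafeBoot)-!?(.+?)(?: - (.+))?$")


@dataclass
class Triage:
    dns_servers: list[str] = field(default_factory=list)       # deduplicated, in order
    start_pages: dict[str, str] = field(default_factory=dict)  # 'u' = user, 'm' = machine
    proxy: dict[str, str] = field(default_factory=dict)        # ProxyServer / ProxyOverride
    dpf: list[tuple[str, str]] = field(default_factory=list)   # (CLSID, download URL)
    orphans: list[dict] = field(default_factory=list)          # removed registry entries

    def referenced_files(self) -> set[str]:
        """Paths the removed registry entries still pointed at.  ComboFix deleted the
        registry value; whether the file is still on disk is a separate check."""
        return {o["target"] for o in self.orphans if o["target"] not in (None, "(no file)")}

    def findings(self) -> list[str]:
        out = []
        for ip in self.dns_servers:
            if not ipaddress.ip_address(ip).is_private:   # resolver off the LAN: hijack candidate
                out.append(f"DNS server {ip} is not a private address; check the router")
        if "ProxyServer" in self.proxy:                    # a proxy can also redirect every request
            out.append(f"browser proxy is set: {self.proxy['ProxyServer']}")
        for clsid, url in self.dpf:
            out.append(f"ActiveX download {clsid} from {host_of(url)}; confirm the publisher")
        for path in sorted(self.referenced_files()):
            out.append(f"file referenced by a removed entry: {path}")
        return out


def host_of(defanged_url: str) -> str:
    """Hostname of an hxxp:// URL, refanged only long enough to parse it."""
    return urlsplit(defanged_url.replace("hxxp", "http", 1)).hostname or ""


def parse_combofix(text: str) -> Triage:
    t = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if "Supplementary Scan" in line:
            section = "supp"
        elif "ORPHANS REMOVED" in line:
            section = "orphans"
        elif line.startswith("****"):          # ComboFix's separator before the next section
            section = None
        elif section == "supp":
            if m := DNS_RE.match(line):
                for ip in m.group(1).split():
                    if ip not in t.dns_servers:
                        t.dns_servers.append(ip)
            elif m := START_RE.match(line):
                t.start_pages[m.group(1)] = m.group(2)
            elif m := PROXY_RE.match(line):
                t.proxy[m.group(1)] = m.group(2)
            elif m := DPF_RE.match(line):
                t.dpf.append((m.group(1), m.group(2)))
        elif section == "orphans":
            if m := ORPHAN_RE.match(line):
                t.orphans.append({"kind": m.group(1), "name": m.group(2), "target": m.group(3)})
    return t


if __name__ == "__main__":
    for finding in parse_combofix(SAMPLE_LOG).findings():
        print(finding)
```

On the posted log this yields no DNS or proxy finding (the resolver is the 192.168.1.1 router and only ProxyOverride is set), one ActiveX download to review, and three files that the removed BHO, toolbar and Run entries pointed at and that may still be on disk.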

#8 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 14 June 2011 - 06:20 PM

Hello,


How is your machine running now? Are you able to burn CDs, and do you have a USB flash drive available?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 mitchellliverpool (Topic Starter, Members, 11 posts)

Posted 15 June 2011 - 04:51 PM

That wasn't the issue. I've never been able to burn CDs, as it doesn't have a drive to do so, as far as I believe. The issue was that I couldn't have sound via the Internet and that I am being redirected when clicking links via Google or Yahoo.

#10 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 15 June 2011 - 07:28 PM

Hello,

I didn't ask if you can burn CDs to see if you can't; I just need to know. This infection is a very tricky one and we have to be able to get into your computer without booting into Windows Vista.

Do you have a USB flash drive you can use? Do you have the Windows Vista installation disc?


1.
Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#11 mitchellliverpool (Topic Starter, Members, 11 posts)

Posted 16 June 2011 - 01:28 AM

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-16 07:16:21
-----------------------------
07:16:21.450 OS Version: Windows 6.0.6001 Service Pack 1
07:16:21.450 Number of processors: 1 586 0xF0D
07:16:21.451 ComputerName: LAURA-PC UserName: laura
07:16:41.672 Initialize success
07:16:49.459 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:16:49.461 Disk 0 Vendor: FUJITSU_ 0085 Size: 152627MB BusType: 3
07:16:49.491 Disk 0 MBR read successfully
07:16:49.494 Disk 0 MBR scan
07:16:49.497 Disk 0 unknown MBR code
07:16:49.500 Disk 0 scanning sectors +312579760
07:16:49.540 Disk 0 scanning C:\Windows\system32\drivers
07:16:56.121 Service scanning
07:16:58.082 Disk 0 trace - called modules:
07:16:58.114 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x856031ed]<<
07:16:58.118 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84acc7c8]
07:16:58.121 3 CLASSPNP.SYS[861a5745] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x83736028]
07:16:58.126 \Driver\iaStor[0x83713940] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x856031ed
07:16:58.130 Scan finished successfully
07:17:55.169 Disk 0 MBR has been saved successfully to "C:\Users\laura\Desktop\MBR.dat"
07:17:55.174 The log file has been saved successfully to "C:\Users\laura\Desktop\aswMBR.txt"


Sorry about the previous email. Got my wires crossed a little. I don't have a flash drive, unfortunately, and in terms of the Windows Vista CD, I have a Microsoft Works 9 disc, 'licensed only for distribution with a new PC', and an operating system CD; it states 'Operating system already installed on system, only use this CD to reinstall the operating system on a Dell computer. This CD is not for reinstallation of programs or drivers.'

So it doesn't look like I've helped you much there, sorry.

#12 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 16 June 2011 - 07:02 PM

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIXMBR button
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.


Things to include in your next reply:
aswmbr log
How is your machine running now?


#13 mitchellliverpool (Topic Starter, Members, 11 posts)

Posted 17 June 2011 - 02:02 PM

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-16 07:16:21
-----------------------------
07:16:21.450 OS Version: Windows 6.0.6001 Service Pack 1
07:16:21.450 Number of processors: 1 586 0xF0D
07:16:21.451 ComputerName: LAURA-PC UserName: laura
07:16:41.672 Initialize success
07:16:49.459 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:16:49.461 Disk 0 Vendor: FUJITSU_ 0085 Size: 152627MB BusType: 3
07:16:49.491 Disk 0 MBR read successfully
07:16:49.494 Disk 0 MBR scan
07:16:49.497 Disk 0 unknown MBR code
07:16:49.500 Disk 0 scanning sectors +312579760
07:16:49.540 Disk 0 scanning C:\Windows\system32\drivers
07:16:56.121 Service scanning
07:16:58.082 Disk 0 trace - called modules:
07:16:58.114 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x856031ed]<<
07:16:58.118 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84acc7c8]
07:16:58.121 3 CLASSPNP.SYS[861a5745] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x83736028]
07:16:58.126 \Driver\iaStor[0x83713940] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x856031ed
07:16:58.130 Scan finished successfully
07:17:55.169 Disk 0 MBR has been saved successfully to "C:\Users\laura\Desktop\MBR.dat"
07:17:55.174 The log file has been saved successfully to "C:\Users\laura\Desktop\aswMBR.txt"


aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-17 19:46:42
-----------------------------
19:46:42.377 OS Version: Windows 6.0.6001 Service Pack 1
19:46:42.377 Number of processors: 1 586 0xF0D
19:46:42.377 ComputerName: LAURA-PC UserName: laura
19:47:22.964 Initialize success
19:47:31.657 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:47:31.659 Disk 0 Vendor: FUJITSU_ 0085 Size: 152627MB BusType: 3
19:47:31.824 Disk 0 MBR read successfully
19:47:31.827 Disk 0 MBR scan
19:47:31.832 Disk 0 unknown MBR code
19:47:31.874 Disk 0 scanning sectors +312579760
19:47:32.141 Disk 0 scanning C:\Windows\system32\drivers
19:48:18.118 Service scanning
19:48:28.495 Disk 0 trace - called modules:
19:48:28.541 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x856031ed]<<
19:48:28.544 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84acc7c8]
19:48:28.550 3 CLASSPNP.SYS[861a5745] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x83736028]
19:48:28.553 \Driver\iaStor[0x83713940] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x856031ed
19:48:28.557 Scan finished successfully
19:49:20.287 Disk 0 Windows 600 MBR fixed successfully
19:53:29.444 Disk 0 Windows 600 MBR fixed successfully
19:54:02.588 Disk 0 MBR has been saved successfully to "C:\Users\laura\Desktop\MBR.dat"
19:54:03.001 The log file has been saved successfully to "C:\Users\laura\Desktop\aswMBR.txt"
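
Both aswMBR runs above report "unknown MBR code" for disk 0 and a disk I/O trace that ends in >>UNKNOWN [0x856031ed]<<, which is also the address the \Driver\iaStor dispatch for IRP_MJ_INTERNAL_DEVICE_CONTROL resolves to; the second run then logs "MBR fixed successfully" after FIXMBR. The script below is an added example written for this thread, not AVAST's code: it splits an aswMBR.txt into runs (the tool appends each run to the same file, which is why the second post carries both), extracts those signals, checks that the unknown address sits at the end of the storage driver's I/O path, and gives each run a verdict. The line patterns are assumptions derived from the two logs posted here; the sample input is excerpted from them.

```python
"""Summarise aswMBR logs run by run.  Added example for this thread, not AVAST's
code: the line patterns are assumptions derived from the two logs posted above."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the two aswMBR runs posted in the
# thread (the tool appends each run to the same aswMBR.txt).
SAMPLE_LOG = r"""
aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-16 07:16:21
-----------------------------
07:16:49.459 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:16:49.491 Disk 0 MBR read successfully
07:16:49.497 Disk 0 unknown MBR code
07:16:58.114 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x856031ed]<<
07:16:58.126 \Driver\iaStor[0x83713940] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x856031ed
07:16:58.130 Scan finished successfully
07:17:55.169 Disk 0 MBR has been saved successfully to "C:\Users\laura\Desktop\MBR.dat"
aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-17 19:46:42
-----------------------------
19:47:31.832 Disk 0 unknown MBR code
19:48:28.541 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x856031ed]<<
19:48:28.553 \Driver\iaStor[0x83713940] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x856031ed
19:48:28.557 Scan finished successfully
19:49:20.287 Disk 0 Windows 600 MBR fixed successfully
19:53:29.444 Disk 0 Windows 600 MBR fixed successfully
19:54:02.588 Disk 0 MBR has been saved successfully to "C:\Users\laura\Desktop\MBR.dat"
"""

HEADER = "aswMBR version"
RUN_DATE_RE = re.compile(r"^Run date: (\S+ \S+)$")
ENTRY_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (.*)$")
UNKNOWN_MBR_RE = re.compile(r"^Disk (\d+) unknown MBR code$")
UNKNOWN_CODE_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
DISPATCH_RE = re.compile(r"^(\\Driver\\[^\[]+)\[0x[0-9a-fA-F]+\] -> (\S+) -> (0x[0-9a-fA-F]+)$")
FIXED_RE = re.compile(r"^Disk (\d+) .*MBR fixed successfully$")
SAVED_RE = re.compile(r'^Disk (\d+) MBR has been saved successfully to "(.+)"$')


@dataclass
class Run:
    date: str = ""
    unknown_mbr_disks: set[int] = field(default_factory=set)  # boot code aswMBR does not recognise
    unknown_code: list[str] = field(default_factory=list)     # addresses from >>UNKNOWN [..]<<
    dispatch: tuple[str, str, str] | None = None              # (driver, IRP major, final target)
    fixed_disks: set[int] = field(default_factory=set)        # disks FIXMBR rewrote
    backups: list[str] = field(default_factory=list)          # MBR.dat copies; keep for analysis

    def unknown_code_in_disk_path(self) -> bool:
        """True when the unrecognised address is exactly where the storage driver's
        IRP dispatch ends: code outside any loaded module sits in the disk I/O path."""
        targets = {a.lower() for a in self.unknown_code}
        return self.dispatch is not None and self.dispatch[2].lower() in targets

    def verdict(self) -> str:
        if self.fixed_disks:
            return "fixed"
        if self.unknown_mbr_disks or self.unknown_code:
            return "suspect"
        return "clean"


def parse_aswmbr(text: str) -> list[Run]:
    runs: list[Run] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):       # each run starts with the version banner
            runs.append(Run())
            continue
        if not runs:
            continue                      # nothing before the first banner is a run
        run = runs[-1]
        if m := RUN_DATE_RE.match(line):
            run.date = m.group(1)
            continue
        if not (m := ENTRY_RE.match(line)):
            continue                      # separators and anything without a timestamp
        msg = m.group(1)
        if m := UNKNOWN_MBR_RE.match(msg):
            run.unknown_mbr_disks.add(int(m.group(1)))
        elif m := UNKNOWN_CODE_RE.search(msg):
            run.unknown_code.append(m.group(1))
        elif m := DISPATCH_RE.match(msg):
            run.dispatch = (m.group(1), m.group(2), m.group(3))
        elif m := FIXED_RE.match(msg):
            run.fixed_disks.add(int(m.group(1)))
        elif m := SAVED_RE.match(msg):
            run.backups.append(m.group(2))
    return runs


if __name__ == "__main__":
    for run in parse_aswmbr(SAMPLE_LOG):
        print(run.date, run.verdict(), "unknown code in disk path:", run.unknown_code_in_disk_path())
```

The first run comes out as "suspect" and the second as "fixed". Note that the second run's scan lines still show the unknown code before FIXMBR is applied; the verdict only says the MBR was rewritten, so a further scan after the reboot is what confirms the boot sector is now recognised. The MBR.dat that aswMBR saves is the copy of the original boot sector and is worth keeping.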

#14 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 17 June 2011 - 04:58 PM

Hello,

Please delete the copy of TDSSKiller you have on your desktop. We will now download a fresh copy of it and run it in Safe Mode.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version (2.3.2.2) of the tool.
  • Now boot into Safe Mode.
    This can be done by tapping the F8 key as soon as you start your computer.
    You will be brought to a menu where you can choose to boot into Safe Mode.
    Make sure you choose the option without networking support.
    Please see here for additional details.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


#15 mitchellliverpool (Topic Starter, Members, 11 posts)

Posted 19 June 2011 - 04:36 AM

Reply 5 - 'I have tried to run the TDSSKiller yet it won't allow me to. I have saved it to the desktop and tried to run as administrator but no joy. I tried to rename it but again no joy. Then I tried to just run it straight away, no joy. I get a prompt asking if I'd like to continue with run, I click continue but nothing happens.'

This is still the same case. TDSSKiller won't open up on my computer for whatever reason. Once I've double-clicked it, it provides a prompt for me to continue, which I select, and then nothing. I've tried it in all the ways suggested but no joy. Sorry.



