
Hijack.StartMenuinternet infection


  • This topic is locked
36 replies to this topic

#1 chiasmos
  • Members
  • 27 posts

Posted 11 September 2011 - 01:22 PM

Dear Sir/Madam,

Some days ago I started getting brief pop-ups saying 'Blank Window2', and my browser kept redirecting to advert sites etc. Soon this got worse and I started getting bluescreens. At one point I had to do a system restore. In safe mode with networking I have operated rkill and Malwarebytes, and also Spyware Doctor. This removed a number of infections, but I am now stuck in a situation which I can't shift:

1. At normal start up after I log in, I get blue screen which lasts a couple of seconds then reboots and I have to go into safe mode (I am using safe mode with networking, hope that is right).
2. Rkill runs okay (though it doesn't find any processes to terminate).
3. I now can't get Spyware Doctor to run at all. It just doesn't respond, even when run as administrator.
4. Malwarebytes finds one problem, called Hijack.StartMenuinternet, which appears to have something to do with an HKEY to do with Internet Explorer, and which keeps coming back even though Malwarebytes can delete it.
5. As noted above, I can now currently only operate my PC in a safe mode.

According to your recommendations I have

1. Run defogger successfully.
2. Created DDS.txt and Attach.txt files
3.Tried to scan with GMER, but it froze my computer and I had to reboot it.

I would be very grateful for your help. Thank you! DDS log posted below


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_23
Run by Simon at 18:36:20 on 2011-09-11
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1014.666 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=73&bd=Pavilion&pf=laptop
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0b876028-b388-4f6d-922f-f52faec8535f} - No File
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: PCCBHO.CPCCBHO: {22fc6ce8-7d47-479f-b74a-bfbb04adb9af} - c:\program files\winferno\pc confidential\PCCBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SecureBrowsingBho Helper: {7632abca-b104-4fbc-9c70-419c4147061b} - c:\program files\finjan secure browsing\bho.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Finjan Secure Browsing: {b99f805c-f0b1-48ea-8c8b-753bfcbed913} - c:\program files\finjan secure browsing\bho.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10m_Plugin.exe -update plugin
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [GrpConv] grpconv -o
StartupFolder: c:\users\public\docume~1\windows\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: &Convert with ImageConverter Plus... - c:\program files\imageconverter plus\icpwebintegration.exe/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: emusic.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5B6F3E38-98D2-4FCD-8D07-B81AECF0F34F} : DhcpNameServer = 100.100.0.111
TCP: Interfaces\{F670CFA5-DD90-4920-8228-28B78DA5D973} : DhcpNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\simon\appdata\roaming\mozilla\firefox\profiles\cj0p03nc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-27 64288]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-21 810320]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1355928]
S3 WefiEngSvc;WeFi Engine Service;c:\program files\wefi\WefiEngSvc.exe [2010-3-16 133976]
.
=============== Created Last 30 ================
.
2011-09-10 16:02:41 767952 ----a-w- c:\windows\BDTSupport.dll
2011-09-10 16:02:41 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-09-10 16:02:41 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-09-10 16:02:41 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-09-10 15:58:41 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-09-10 15:58:41 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-09-10 15:58:40 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-09-10 15:58:40 103232 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-09-10 15:58:38 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-09-10 15:58:38 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-09-10 15:58:34 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-09-10 15:29:45 -------- d-----w- c:\users\simon\appdata\roaming\Registry Mechanic
2011-09-10 15:24:10 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-09-10 15:24:10 506368 ----a-w- c:\windows\system32\msxml.dll
2011-09-10 15:24:10 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-09-10 15:24:10 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-09-10 15:24:10 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-09-10 13:16:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-10 13:16:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-08 22:33:41 -------- d-----w- c:\program files\Mozilla Firefox(112)
2011-09-08 20:55:49 -------- d-----w- c:\users\simon\appdata\local\Threat Expert
2011-09-06 23:46:04 -------- d-----w- c:\users\simon\appdata\roaming\Bise
2011-09-06 12:00:00 -------- d-----w- c:\users\simon\appdata\roaming\PC Tools
2011-09-06 12:00:00 -------- d-----w- c:\program files\PC Tools Security
2011-09-06 12:00:00 -------- d-----w- c:\program files\common files\PC Tools
2011-09-06 11:47:11 -------- d-----w- c:\programdata\PC Tools
2011-09-04 21:22:53 -------- d-----w- c:\users\simon\appdata\roaming\3F63787E96F6BDF7E837AC415D9620C2
.
==================== Find3M ====================
.
2007-11-13 19:47:02 4364800 ----a-w- c:\program files\openofficeorg23.msi
2007-11-01 20:57:50 319488 ----a-w- c:\program files\setup.exe
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
.
============= FINISH: 18:38:05.82 ===============
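The Hijack.StartMenuInternet detection named in the post above refers to the shell\open\command values under HKLM\SOFTWARE\Clients\StartMenuInternet (a per-user copy also lives under HKCU\Software\Clients\StartMenuInternet). Each registered browser's command should launch the browser itself; the hijack pattern replaces it with a foreign executable that takes the real browser path as an argument, so the browser still opens and the change goes unnoticed. The script below is an added example for this thread, not code from the poster, Malwarebytes or Microsoft. The sample command values, the stub.exe path and the EXPECTED_EXE install paths are constructed assumptions for a 32-bit Vista layout; on a Windows machine it reads the live HKLM keys instead.

```python
r"""Audit StartMenuInternet launch commands for the hijack pattern behind
Malwarebytes' "Hijack.StartMenuInternet" detection.

Added example, not the thread's or any vendor's code. Under
HKLM\SOFTWARE\Clients\StartMenuInternet each registered browser has a
shell\open\command key whose default value should launch the browser
itself.
"""
import re

# Constructed sample values. The stub.exe path is a placeholder, not an
# indicator taken from this thread.
SAMPLE_COMMANDS = {
    "IEXPLORE.EXE": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    "FIREFOX.EXE": (r'"C:\Users\user\AppData\Roaming\example\stub.exe" '
                    r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
}

# Assumed clean-install paths for a 32-bit Vista machine; adjust per system.
EXPECTED_EXE = {
    "IEXPLORE.EXE": r"C:\Program Files\Internet Explorer\iexplore.exe",
    "FIREFOX.EXE": r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_command(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmd)]


def classify(cmd, expected_exe):
    """Return 'ok', 'hijacked' or 'unknown' for one shell\\open\\command value."""
    tokens = split_command(cmd)
    if not tokens:
        return "unknown"
    want = expected_exe.lower()
    if tokens[0].lower() == want:
        return "ok"
    # The real browser is still present, but only as an argument: something
    # else is launched first. That is the hijack pattern.
    if any(t.lower() == want for t in tokens[1:]):
        return "hijacked"
    return "unknown"


def audit(commands, expected):
    """Classify every browser entry; entries with no expectation are unknown."""
    return {name: classify(cmd, expected.get(name, ""))
            for name, cmd in commands.items()}


def read_live_commands():
    """Read the real HKLM values on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    found = {}
    base = r"SOFTWARE\Clients\StartMenuInternet"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name + r"\shell\open\command") as key:
                    found[name], _ = winreg.QueryValueEx(key, "")  # default value
            except OSError:
                continue
    return found


if __name__ == "__main__":
    commands = read_live_commands() or SAMPLE_COMMANDS
    for name, verdict in audit(commands, EXPECTED_EXE).items():
        print(f"{name:14} {verdict:9} {commands[name]}")
```

A verdict of "hijacked" tells you which executable is being launched in front of the browser; the file it points to, and whatever re-creates the value after Malwarebytes removes it, is what the cleanup has to find.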


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,600 posts

Posted 18 September 2011 - 01:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/418485 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 chiasmos
  • Topic Starter
  • Members
  • 27 posts

Posted 18 September 2011 - 04:27 PM

Thanks for your reply.

I have not used my computer since the first post and the Blue Screen problem repeated itself. I have done the DDS program. This time the GMER worked ok but it said it was too big to upload (2210KB). Sorry.

Other info required: I do not have Windows Vista Home Premium disk as the computer came with it installed. Here are my logs. Thank you very much for your help.


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_23
Run by Simon at 20:37:45 on 2011-09-18
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1014.720 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=73&bd=Pavilion&pf=laptop
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0b876028-b388-4f6d-922f-f52faec8535f} - No File
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: PCCBHO.CPCCBHO: {22fc6ce8-7d47-479f-b74a-bfbb04adb9af} - c:\program files\winferno\pc confidential\PCCBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SecureBrowsingBho Helper: {7632abca-b104-4fbc-9c70-419c4147061b} - c:\program files\finjan secure browsing\bho.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Finjan Secure Browsing: {b99f805c-f0b1-48ea-8c8b-753bfcbed913} - c:\program files\finjan secure browsing\bho.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10m_Plugin.exe -update plugin
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\public\docume~1\windows\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: &Convert with ImageConverter Plus... - c:\program files\imageconverter plus\icpwebintegration.exe/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: emusic.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5B6F3E38-98D2-4FCD-8D07-B81AECF0F34F} : DhcpNameServer = 100.100.0.111
TCP: Interfaces\{F670CFA5-DD90-4920-8228-28B78DA5D973} : DhcpNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\simon\appdata\roaming\mozilla\firefox\profiles\cj0p03nc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-27 64288]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-21 810320]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1355928]
S3 WefiEngSvc;WeFi Engine Service;c:\program files\wefi\WefiEngSvc.exe [2010-3-16 133976]
.
=============== Created Last 30 ================
.
2011-09-10 16:02:41 767952 ----a-w- c:\windows\BDTSupport.dll
2011-09-10 16:02:41 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-09-10 16:02:41 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-09-10 16:02:41 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-09-10 15:58:41 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-09-10 15:58:41 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-09-10 15:58:40 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-09-10 15:58:40 103232 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-09-10 15:58:38 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-09-10 15:58:38 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-09-10 15:58:34 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-09-10 15:29:45 -------- d-----w- c:\users\simon\appdata\roaming\Registry Mechanic
2011-09-10 15:24:10 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-09-10 15:24:10 506368 ----a-w- c:\windows\system32\msxml.dll
2011-09-10 15:24:10 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-09-10 15:24:10 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-09-10 15:24:10 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-09-10 13:16:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-10 13:16:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-08 22:33:41 -------- d-----w- c:\program files\Mozilla Firefox(112)
2011-09-08 20:55:49 -------- d-----w- c:\users\simon\appdata\local\Threat Expert
2011-09-06 23:46:04 -------- d-----w- c:\users\simon\appdata\roaming\Bise
2011-09-06 12:00:00 -------- d-----w- c:\users\simon\appdata\roaming\PC Tools
2011-09-06 12:00:00 -------- d-----w- c:\program files\PC Tools Security
2011-09-06 12:00:00 -------- d-----w- c:\program files\common files\PC Tools
2011-09-06 11:47:11 -------- d-----w- c:\programdata\PC Tools
2011-09-04 21:22:53 -------- d-----w- c:\users\simon\appdata\roaming\3F63787E96F6BDF7E837AC415D9620C2
.
==================== Find3M ====================
.
2007-11-13 19:47:02 4364800 ----a-w- c:\program files\openofficeorg23.msi
2007-11-01 20:57:50 319488 ----a-w- c:\program files\setup.exe
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
.
============= FINISH: 20:40:12.26 ===============


#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 September 2011 - 07:00 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can I just check, did DDS run in normal mode?
m0le is a proud member of UNITE

#5 chiasmos
  • Topic Starter
  • Members
  • 27 posts

Posted 19 September 2011 - 04:31 AM

Hi Mole,

thank you for your help. Yes, I'm still here.

No, I ran DDS in Safe Mode with Networking, because I can't get into the computer in normal mode, it just blue screens once I log in and sends me to the reboot(?) menu, so I have to go in in some sort of safe mode.

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 September 2011 - 04:50 PM

Okay, that makes some sense. Can you run aswMBR in safe mode now?

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#7 chiasmos
  • Topic Starter
  • Members
  • 27 posts

Posted 19 September 2011 - 06:59 PM

Thanks. Here it is:



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-20 00:56:01
-----------------------------
00:56:01.942 OS Version: Windows 6.0.6000
00:56:01.942 Number of processors: 2 586 0xE0C
00:56:01.942 ComputerName: SIMON-PC UserName: Simon
00:56:02.690 Initialize success
00:56:13.454 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
00:56:13.454 Disk 0 Vendor: ST9120822AS 3.BHE Size: 114473MB BusType: 3
00:56:15.654 Disk 0 MBR read successfully
00:56:15.654 Disk 0 MBR scan
00:56:15.654 Disk 0 unknown MBR code
00:56:15.779 Disk 0 scanning sectors +234436545
00:56:16.169 Disk 0 scanning C:\Windows\system32\drivers
00:56:56.573 Service scanning
00:56:57.805 Modules scanning
00:57:05.714 Disk 0 trace - called modules:
00:57:05.746 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
00:57:05.761 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83ddc030]
00:57:05.761 3 ntkrnlpa.exe[81cb07e2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x83d44bb0]
00:57:05.761 Scan finished successfully
00:58:03.793 Disk 0 MBR has been saved successfully to "F:\bleeping computer help\MBR.dat"
00:58:03.809 The log file has been saved successfully to "F:\bleeping computer help\aswMBR.txt"

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 September 2011 - 07:08 PM

An unknown MBR, so now we need to identify this.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
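The aswMBR line "Disk 0 unknown MBR code" in post #7, and the follow-up request for MBRCheck in post #8, both come down to the same mechanical check: hash the boot code in the first 440 bytes of sector 0 (the part before the 4-byte Windows disk signature, so the same bootloader hashes identically on every disk) and look it up against fingerprints of known bootloaders. "Unknown" means no match, which is a reason to identify the code, not by itself proof of infection. The parser below is an added example written for this thread, not aswMBR's or MBRCheck's code. Its sample sector is constructed: the boot-code bytes are filler, the disk signature is made up, and the single NTFS partition is laid out to end at LBA 234436545 only to mirror the "+234436545" offset in the aswMBR log above. The set of known-good hashes has to be collected from clean machines; none are supplied here.

```python
"""Parse a 512-byte MBR, list its partition table and fingerprint the boot code.

Added example for this thread, not aswMBR's or MBRCheck's own code.
"""
import hashlib
import struct

# Partition type bytes a Windows-era disk is likely to carry (assumed subset).
PARTITION_TYPES = {
    0x05: "extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0xEE: "GPT protective",
}


def has_boot_signature(sector):
    """True when the buffer is one 512-byte sector ending in 0x55AA."""
    return len(sector) == 512 and sector[510:512] == b"\x55\xaa"


def parse_mbr(sector):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    partitions = []
    for i in range(4):
        # 16-byte entry: status, CHS start(3), type, CHS end(3), LBA start, count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
        })
    return {
        # Bytes 0..439 only: excludes the disk signature at 440..443.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def classify_boot_code(info, known_hashes):
    """'known' when the boot-code hash is in the supplied clean set, else 'unknown'."""
    return "known" if info["boot_code_sha256"] in known_hashes else "unknown"


def last_used_sector(info):
    """Highest LBA covered by a primary partition; the area past it is what a
    '+N' sector scan walks looking for hidden data."""
    ends = [p["lba_end"] for p in info["partitions"]]
    return max(ends) if ends else None


def read_sector0(path):
    """Read sector 0 from a disk image, or on Windows (as admin) from
    r'\\\\.\\PhysicalDrive0'."""
    with open(path, "rb") as f:
        return f.read(512)


def build_sample_mbr():
    """Constructed sample: filler boot code, made-up disk signature, one
    bootable NTFS partition from LBA 2048 ending at LBA 234436545."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xEB, 0xFE]).ljust(440, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 234434498)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xAA"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code sha256:", info["boot_code_sha256"])
    print("disk signature:  0x%08X" % info["disk_signature"])
    for p in info["partitions"]:
        print(f"  #{p['index']} {'*' if p['bootable'] else ' '} {p['type_name']:14} "
              f"LBA {p['lba_start']}..{p['lba_end']}")
    print("verdict:", classify_boot_code(info, set()), "(no clean hashes supplied)")
```

Run against a real sector read with read_sector0, the hash is what you compare with a clean install of the same Windows version; a mismatch with no matching known-good entry is the point at which a tool like MBRCheck is asked to name the code, as m0le does here.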

#9 chiasmos
  • Topic Starter
  • Members
  • 27 posts

Posted 19 September 2011 - 07:24 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: (build 6000), 32-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP G5000 (GH972EA#ABU)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 118):
0x81C00000 \SystemRoot\system32\ntkrnlpa.exe
0x81FA1000 \SystemRoot\system32\hal.dll
0x802C6000 \SystemRoot\system32\kdcom.dll
0x80266000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8025D000 \SystemRoot\system32\PSHED.dll
0x80255000 \SystemRoot\system32\BOOTVID.dll
0x8021A000 \SystemRoot\system32\CLFS.SYS
0x8051F000 \SystemRoot\system32\CI.dll
0x8020C000 \SystemRoot\system32\DRIVERS\szkg.sys
0x80512000 \SystemRoot\system32\drivers\szkgfs.sys
0x80489000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8047C000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80439000 \SystemRoot\system32\drivers\acpi.sys
0x80203000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80431000 \SystemRoot\system32\drivers\msisadrv.sys
0x8040C000 \SystemRoot\system32\drivers\pci.sys
0x807F1000 \SystemRoot\system32\drivers\volmgr.sys
0x80200000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80402000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x807E1000 \SystemRoot\System32\drivers\mountmgr.sys
0x807DA000 \SystemRoot\system32\drivers\intelide.sys
0x807CC000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80782000 \SystemRoot\System32\drivers\volmgrx.sys
0x8077A000 \SystemRoot\system32\drivers\atapi.sys
0x8075C000 \SystemRoot\system32\drivers\ataport.SYS
0x80753000 \SystemRoot\system32\drivers\msahci.sys
0x80722000 \SystemRoot\system32\drivers\fltmgr.sys
0x80712000 \SystemRoot\system32\drivers\fileinfo.sys
0x80703000 \SystemRoot\system32\DRIVERS\Lbd.sys
0x81AFC000 \SystemRoot\system32\drivers\ndis.sys
0x806D8000 \SystemRoot\system32\drivers\msrpc.sys
0x8069F000 \SystemRoot\system32\drivers\NETIO.SYS
0x84EF8000 \SystemRoot\System32\Drivers\Ntfs.sys
0x80635000 \SystemRoot\System32\Drivers\ksecdd.sys
0x81AC6000 \SystemRoot\system32\drivers\volsnap.sys
0x8061E000 \SystemRoot\System32\drivers\partmgr.sys
0x8060F000 \SystemRoot\System32\Drivers\mup.sys
0x81AA1000 \SystemRoot\System32\drivers\ecache.sys
0x81A90000 \SystemRoot\system32\drivers\disk.sys
0x81A6F000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80606000 \SystemRoot\system32\drivers\crcdisk.sys
0x87424000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x85C0A000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x87521000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x85820000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x87568000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x85C13000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x87412000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8830A000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x8742F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x882CD000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x85D1C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x87401000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0x882BA000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8743A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8828F000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x80600000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x87445000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x88277000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8824C000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8820C000 \SystemRoot\system32\DRIVERS\storport.sys
0x87450000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x88BE9000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8745B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x88BC6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x84EB9000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x88AC3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x88AD6000 \SystemRoot\system32\DRIVERS\termdd.sys
0x84E00000 \SystemRoot\system32\DRIVERS\swenum.sys
0x88A99000 \SystemRoot\system32\DRIVERS\ks.sys
0x8755E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x875F3000 \SystemRoot\system32\DRIVERS\umbus.sys
0x85C1C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x88A65000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x85850000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x85C25000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x88390000 \SystemRoot\System32\Drivers\Null.SYS
0x88397000 \SystemRoot\System32\Drivers\Beep.SYS
0x88200000 \SystemRoot\System32\drivers\vga.sys
0x88A34000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x88A27000 \SystemRoot\System32\drivers\watchdog.sys
0x87577000 \SystemRoot\system32\drivers\rdpencdd.sys
0x87466000 \SystemRoot\System32\Drivers\Msfs.SYS
0x85D2A000 \SystemRoot\System32\Drivers\Npfs.SYS
0x85C2E000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x88D2B000 \SystemRoot\System32\drivers\tcpip.sys
0x88D12000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x88CBD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x88CA9000 \SystemRoot\system32\DRIVERS\smb.sys
0x88C62000 \SystemRoot\system32\drivers\afd.sys
0x88C30000 \SystemRoot\System32\DRIVERS\netbt.sys
0x88C1A000 \SystemRoot\system32\DRIVERS\pacer.sys
0x85D38000 \SystemRoot\system32\DRIVERS\netbios.sys
0x88FC5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x88C10000 \SystemRoot\system32\drivers\nsiproxy.sys
0x88FAE000 \SystemRoot\System32\Drivers\dfsc.sys
0x8EA00000 \SystemRoot\System32\win32k.sys
0x88D08000 \SystemRoot\System32\drivers\Dxapi.sys
0x891E0000 \SystemRoot\System32\drivers\dxg.sys
0x89000000 \SystemRoot\System32\TSDDD.dll
0x874D4000 \SystemRoot\System32\Drivers\crashdmp.sys
0x87471000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x85C40000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x89010000 \SystemRoot\System32\framebuf.dll
0x90145000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x88E44000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x90045000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8F062000 \SystemRoot\System32\drivers\mpsdrv.sys
0x90027000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x917C7000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x90015000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x91611000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x8839E000 \??\C:\Users\Simon\AppData\Local\Temp\mbr.sys
0x91F46000 \SystemRoot\System32\Drivers\fastfat.SYS
0x91F2D000 \??\C:\Users\Simon\AppData\Local\Temp\agrcypog.sys
0x87492000 \??\C:\Users\Simon\AppData\Local\Temp\aswMBR.sys
0x8F077000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x77700000 \Windows\System32\ntdll.dll

Processes (total 24):
0 System Idle Process
4 System
392 C:\Windows\System32\smss.exe
452 csrss.exe
488 csrss.exe
496 C:\Windows\System32\wininit.exe
540 C:\Windows\System32\winlogon.exe
568 C:\Windows\System32\services.exe
584 C:\Windows\System32\lsass.exe
592 C:\Windows\System32\lsm.exe
732 C:\Windows\System32\svchost.exe
784 C:\Windows\System32\svchost.exe
860 C:\Windows\System32\svchost.exe
896 C:\Windows\System32\svchost.exe
924 C:\Windows\System32\svchost.exe
940 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\svchost.exe
1100 C:\Windows\System32\svchost.exe
1312 C:\Windows\explorer.exe
1404 C:\Windows\System32\svchost.exe
1880 C:\Windows\System32\wbem\unsecapp.exe
1968 WmiPrvSE.exe
804 C:\Windows\System32\igfxsrvc.exe
1752 C:\Users\Simon\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001a`476a3400 (NTFS)

PhysicalDrive0 Model Number: ST9120822AS, Rev: 3.BHE

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!
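
The driver list in this log is the part worth reading closely. Nearly every entry is loaded from under the Windows directory; the three that are not (mbr.sys, agrcypog.sys and aswMBR.sys) come from the user's Temp folder. Here that is expected for aswMBR.sys, since the aswMBR run whose log opens this section loads its helper driver from Temp, but mbr.sys and the random-named agrcypog.sys still have to be matched against the other tools run in the session before they can be cleared. The script below, an added example and not MBRCheck's own code, automates that first pass over the "Kernel Drivers" section: it flags any driver not loaded from the Windows directory, notes when the file sits in a Temp folder, and marks eight-letter lowercase names (an assumed heuristic, not a rule). The sample lines are copied from the log above; the assumption that the system drive is C: is built into the trusted-prefix list.

```python
"""Triage the 'Kernel Drivers' section of an MBRCheck log. Added example; not
MBRCheck's own code. Flags any driver not loaded from the Windows directory."""
import re
from typing import Dict, List, Tuple

DRIVER_LINE = re.compile(r"^(0x[0-9A-Fa-f]{8})\s+(\S.*?)\s*$")
# Once the \??\ object-manager prefix is stripped, these prefixes mean the file
# lives under the Windows directory (assumption: the system drive is C:).
TRUSTED_PREFIXES = ("\\systemroot\\", "\\windows\\", "c:\\windows\\")
# Heuristic (assumption): several anti-rootkit tools drop an eight-letter
# random-named helper driver in the user's Temp folder, and so do some rootkits.
# Either way the entry deserves a human look.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.sys$")


def driver_lines(log_text: str) -> List[Tuple[int, str]]:
    """(load address, path) for each line between 'Kernel Drivers' and 'Processes'."""
    out, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if line.startswith("Processes"):
            break
        m = DRIVER_LINE.match(line)
        if in_section and m:
            out.append((int(m.group(1), 16), m.group(2)))
    return out


def triage_drivers(log_text: str) -> List[Dict]:
    """Return one finding per driver that an analyst must account for by hand."""
    findings = []
    for addr, raw in driver_lines(log_text):
        path = raw.lower()
        if path.startswith("\\??\\"):
            path = path[4:]
        if path.startswith(TRUSTED_PREFIXES):
            continue  # under the Windows directory: not interesting for this pass
        name = raw.rsplit("\\", 1)[-1]
        reasons = ["loaded from outside the Windows directory"]
        if "\\temp\\" in path:
            reasons.append("loaded from a Temp directory")
        if RANDOM_NAME.match(name):
            reasons.append("random-looking eight-letter name")
        findings.append({"address": addr, "path": raw, "name": name, "reasons": reasons})
    return findings


# Lines copied from the MBRCheck log posted above, trimmed to a handful.
SAMPLE_LOG = "\n".join([
    "Kernel Drivers (total 118):",
    r"0x81C00000 \SystemRoot\system32\ntkrnlpa.exe",
    r"0x80200000 \SystemRoot\system32\DRIVERS\compbatt.sys",
    r"0x84EF8000 \SystemRoot\System32\Drivers\Ntfs.sys",
    r"0x8839E000 \??\C:\Users\Simon\AppData\Local\Temp\mbr.sys",
    r"0x91F46000 \SystemRoot\System32\Drivers\fastfat.SYS",
    r"0x91F2D000 \??\C:\Users\Simon\AppData\Local\Temp\agrcypog.sys",
    r"0x87492000 \??\C:\Users\Simon\AppData\Local\Temp\aswMBR.sys",
    r"0x8F077000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS",
    r"0x77700000 \Windows\System32\ntdll.dll",
    "",
    "Processes (total 24):",
    "0 System Idle Process",
    "1752 C:\\Users\\Simon\\Desktop\\MBRCheck.exe",
])

if __name__ == "__main__":
    for hit in triage_drivers(SAMPLE_LOG):
        print(f"{hit['address']:#010x} {hit['path']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

Note that the eight-letter check is applied only to drivers already outside the Windows directory: plenty of legitimate Microsoft drivers (compbatt.sys, kbdclass.sys, crashdmp.sys in the log above) have eight-letter names, so applied everywhere it would be noise.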

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
Posted 19 September 2011 - 07:28 PM

If you have an installation disk then...

1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe, and then press ENTER.
8. Type Bootrec.exe /FixMbr


If not...

  • Download NTBR_CD by noahdfear to the desktop.
  • Click on the NTBR_CD.exe to extract its contents to the desktop.
  • Once extracted, open the NTBR_CD folder and click on the BurnItCD application.
  • Insert a blank CD when prompted. The .iso image will be burned to the CD.
  • Boot the computer with the CD you just burned and follow the prompts.
  • Press Enter for English.
  • At the menu type 1 to select MBRWORK then hit Enter

    This screen will show the hard drive configuration.
  • Type 5 to Install standard MBR code then hit Enter
  • Type 1 to select Standard then hit Enter
  • Type Y then hit Enter to confirm
  • Type E then hit Enter to exit
  • Back at the menu, type 6 to Quit.
  • Press Ctrl+Alt+Del to restart the machine.
  • Eject the CD upon restart and boot normally.

If one of those runs, then please rerun MBRCheck and post the log.
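
Both repair routes above replace the boot code at the start of sector 0 and leave the partition table alone (bootrec /FixMbr is documented as writing a Vista-compatible MBR without overwriting the existing partition table; the MBRWORK option is worded the same way in its menu). So the right check after the fix is two-sided: the boot-code hash should change, and the partition table should not. The script below, an added example and not MBRCheck's, aswMBR's or bootrec's code, parses one 512-byte sector such as the MBR.dat that aswMBR saved at the top of this section: it hashes the 440-byte boot-code region, decodes the four partition entries, and reports sanity problems (missing 0x55AA signature, zero or several active partitions, overlapping entries, an entry starting at LBA 0). Assumptions: the hashed region is bytes 0 to 439, so its value is only comparable with the SHA1 in the MBRCheck log if MBRCheck hashes the same bytes, which the thread does not say; the allowlist of standard boot-code hashes is supplied by the caller, since none appears in the thread; and the built-in sample sector is constructed, with only its two start LBAs derived from the C: and D: volume offsets in the log.

```python
"""Report on a 512-byte MBR sector: boot-code SHA1, partition table, sanity findings.
Added example; not MBRCheck's or aswMBR's own code."""
import hashlib
import struct
import sys
from typing import Dict, List, Set

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439: boot code. Assumption: this is the region worth
                      # hashing; whether MBRCheck hashes exactly this is not stated.
DISK_SIG_OFF = 440    # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446  # four 16-byte partition entries
SIGNATURE_OFF = 510   # 0x55 0xAA


def parse_mbr(sector: bytes) -> Dict:
    """Decode the partition table and collect findings a rootkit cleanup should not ignore."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    partitions: List[Dict] = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + i * 16)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})

    findings: List[str] = []
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if not any(sector[:BOOT_CODE_LEN]):
        findings.append("boot code region is all zeros")
    if sum(p["bootable"] for p in partitions) != 1:
        findings.append("expected exactly one active partition")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["lba_start"] + prev["sectors"] > cur["lba_start"]:
            findings.append(f"partitions {prev['index']} and {cur['index']} overlap")
    for p in partitions:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0 (inside the MBR itself)")

    return {
        # Upper-case hex, the same shape as the 'SHA1:' line MBRCheck prints.
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "findings": findings,
    }


def classify(sector: bytes, known_good: Set[str]) -> str:
    """MBRCheck-style verdict: 'known' when the boot-code hash is in a caller-supplied
    allowlist of standard boot-code hashes (assumption: the thread lists none)."""
    return "known" if parse_mbr(sector)["boot_code_sha1"] in known_good else "unknown"


def build_sample_mbr() -> bytes:
    """Constructed sector: dummy boot code; start LBAs derived from the C: and D: offsets
    in the MBRCheck log (0x7e00 and 0x1a476a3400); types and sizes are made up."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
    disk_sig = struct.pack("<IH", 0x1234ABCD, 0)
    c_start = 0x7E00 // SECTOR                 # = 63
    d_start = 0x1A476A3400 // SECTOR
    chs_unused = b"\xfe\xff\xff"               # conventional "CHS out of range" marker
    entries = [
        struct.pack("<B3sB3sII", 0x80, chs_unused, 0x07, chs_unused, c_start, d_start - c_start),
        struct.pack("<B3sB3sII", 0x00, chs_unused, 0x07, chs_unused, d_start, 13_997_718),
        bytes(16), bytes(16)]
    return boot_code + disk_sig + b"".join(entries) + b"\x55\xaa"


SAMPLE_MBR = build_sample_mbr()

if __name__ == "__main__":
    # Usage: python mbr_report.py MBR.dat   (no argument: the constructed sample)
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else SAMPLE_MBR
    report = parse_mbr(data)
    print(f"boot code SHA1: {report['boot_code_sha1']}  "
          f"disk signature: {report['disk_signature']:#010x}")
    for p in report["partitions"]:
        print(f"  part {p['index']} type {p['type']:#04x} active={p['bootable']} "
              f"start LBA {p['lba_start']} ({p['byte_offset']:#x}) sectors {p['sectors']}")
    for f in report["findings"]:
        print("  finding:", f)
```

Run it once against the pre-fix MBR.dat and once against a fresh dump taken after the repair, then compare the two reports: the hash line should differ and the partition lines should be identical. A changed partition table would mean the repair did more than either route above is supposed to.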

#11 chiasmos

  • Topic Starter
  • Members
  • 27 posts
Posted 19 September 2011 - 07:51 PM

Thanks.

It all worked except when I rebooted with the disc into normal it blue-screened again and I had to go into Safe Mode With Networking once more.

Should I still run MBRcheck in that mode again?

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
Posted 19 September 2011 - 08:00 PM

Try it again, but reboot without the disk this time.

If that fails, try the NTBR tool.

#13 chiasmos

  • Topic Starter
  • Members
  • 27 posts
Posted 19 September 2011 - 08:17 PM

I tried both and got same blue screen.

Sorry, I am not sure what is 'the NTBR tool'. The NTBR folder has BurnCDCC.exe, BurnItCD.cmd and NTBR_CD.iso.

(BTW I will have to go to bed soon, but I really do appreciate all your patient help.)

#14 chiasmos

  • Topic Starter
  • Members
  • 27 posts
Posted 19 September 2011 - 08:23 PM

Very sorry to do two posts in a row but it has occurred to me:

when I try to boot normally and log in, before the screen goes blue it has a message 'PC Confidential is not working. Windows will try to find out the problem'. PC Confidential seems to be some fake scan thing that installed itself on my machine months back and it occasionally starts and runs and I have to stop it. But it hasn't seemed to cause other problems. I wonder if it has any relation to the problem.

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
Posted 20 September 2011 - 01:43 PM

We need to boot the machine outside of the Windows operating system to deal with this.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Download xPUDtestdisk.exe and save it to the usb device, then double click it to extract the contents. It will create a folder named testdisk on the device.
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear


Now to run TestDisk in the xPUD environment

  • Press File
  • Expand mnt
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive
  • Confirm that you see TestDisk that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
  • Start TestDisk.
  • The first screen will present log options - press Enter to continue.
  • TestDisk will scan the system and show drive information.
  • If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.
  • Select [Intel] partition and press Enter to continue.
  • Select [MBR Code] and press Enter to continue.
  • Type Y when prompted to write new MBR code to the first sector, then confirm at the next screen by typing Y again.
  • Press Q repeatedly until TestDisk exits then remove the USB and reboot.

Edited by m0le, 20 September 2011 - 01:44 PM.

