Help with Data Restore removal?

  • This topic is locked
4 replies to this topic

#1 koolkota

Posted 09 October 2011 - 02:34 PM

This is making me a little crazy, so any help is much appreciated! And I'll bake you cookies!

I really just need to get this machine up and running enough to back up my iTunes library and a few Word files and then I'll just system restore, but at this point all files, programs, and MBAM are hidden. Safe mode is just barely letting me do this.

To make things more complicated:
-I cannot get Defogger to run; I get an "unable to create log" message.
-gmer starts to scan once I've modified the scan settings as specified in the preparation guide, but then shuts down completely and closes its window before creating a report.
-To really top things off, my attach.txt file does not show up on my desktop even though it is saved there, so I can't even attach it here for you. I didn't want to text flood this post by copying and pasting that here too, but if that's initially needed and you want to see it, let me know and I'll post it that way.

I'm sorry I could not get all the prep to run as specified - it wasn't for any lack of effort and number of attempts, but I feel pretty stuck at this point.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Administrator at 14:31:30 on 2011-10-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1662 [GMT -4:00]
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.PC161035812295\Desktop\Defogger.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=presario&pf=laptop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1011016
StartupFolder: c:\docume~1\admini~1.pc1\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254675522468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{54FC89D3-FEE3-4759-BA99-F6E83C0CE721} : DhcpNameServer =
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-10-4 165456]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-4 17744]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-24 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-2 366152]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-24 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-24 40384]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-2 22216]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
=============== Created Last 30 ================
2011-10-03 19:27:26 -------- d-sh--w- c:\documents and settings\administrator.pc161035812295\PrivacIE
2011-10-03 19:27:21 -------- d-sh--w- c:\documents and settings\administrator.pc161035812295\IETldCache
2011-10-03 19:27:01 61440 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{db7e00c9-6def-489a-8112-d8f81614f45a}\NewShortcut11_DB7E00C96DEF489A8112D8F81614F45A.exe
2011-10-03 19:27:01 45056 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{6815fcdd-401d-481e-ba88-31b4754c2b46}\ARPPRODUCTICON.exe
2011-10-03 19:27:00 65536 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{db7e00c9-6def-489a-8112-d8f81614f45a}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-10-03 19:27:00 61440 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{db7e00c9-6def-489a-8112-d8f81614f45a}\NewShortcut5_DB7E00C96DEF489A8112D8F81614F45A.exe
2011-10-03 19:27:00 61440 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{db7e00c9-6def-489a-8112-d8f81614f45a}\NewShortcut4_DB7E00C96DEF489A8112D8F81614F45A.exe
2011-10-03 19:27:00 61440 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{db7e00c9-6def-489a-8112-d8f81614f45a}\NewShortcut3_DB7E00C96DEF489A8112D8F81614F45A.exe
2011-10-03 19:27:00 61440 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{db7e00c9-6def-489a-8112-d8f81614f45a}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
2011-10-03 19:27:00 61440 ---ha-r- c:\documents and settings\administrator.pc161035812295\application data\microsoft\installer\{db7e00c9-6def-489a-8112-d8f81614f45a}\NewShortcut1_DB7E00C96DEF489A8112D8F81614F45A.exe
2011-10-02 21:06:23 462336 ---ha-w- c:\documents and settings\all users\application data\PbOVsnXuaBESx.exe
2011-09-28 14:09:03 -------- d--h--w- c:\program files\iPod
2011-09-28 14:08:57 -------- d--h--w- c:\program files\iTunes
==================== Find3M ====================
2011-10-03 18:46:40 41272 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 21:00:50 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-07-12 15:20:54 83816 ---ha-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ---ha-w- c:\windows\system32\dnssd.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_ rev.892C -> Harddisk0\DR0 -> \Device\Ide\iaStor0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x899B6340]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A663848]
3 CLASSPNP[0xF74E7FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x899B04D0]
\Driver\00000381[0x899F8248] -> IRP_MJ_CREATE -> 0x899B6340
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHV2080BH_PL____________________892C____#4&e830779&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x89C46AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
============= FINISH: 14:33:17.01 ===============
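The report above is a DDS log. As an added example (not part of this thread, and not how DDS or the Malware Response Team work), the following Python script parses DDS-style file lines and flags two of the things a responder checks first in such a log: a policy that disables Task Manager, and hidden or random-named executables dropped directly into an Application Data root. The sample lines are constructed to mirror the log's format; the name-randomness heuristic and its thresholds are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in DDS log format. Two lines mirror entries in the
# log posted above; the rest are benign filler to show what is NOT flagged.
SAMPLE_LOG = """\
mPolicies-system: DisableTaskMgr = 1 (0x1)
============= SERVICES / DRIVERS ===============
S2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2011-6-2 366152]
=============== Created Last 30 ================
2011-10-03 19:27:01 61440 ---ha-r- c:\\documents and settings\\administrator\\application data\\microsoft\\installer\\{db7e00c9-6def-489a-8112-d8f81614f45a}\\NewShortcut11_DB7E00C96DEF489A8112D8F81614F45A.exe
2011-10-02 21:06:23 462336 ---ha-w- c:\\documents and settings\\all users\\application data\\PbOVsnXuaBESx.exe
2011-09-28 14:08:57 -------- d--h--w- c:\\program files\\iTunes
==================== Find3M ====================
2011-10-03 18:46:40 41272 ---ha-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
"""

# "<date> <time> <size or 8 dashes> <8-char attribute flags> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+|-{8}) ([a-z-]{8}) (.+)$"
)
TASKMGR_POLICY = re.compile(r"^mPolicies-system: DisableTaskMgr = 1\b")


@dataclass
class FileEntry:
    timestamp: str
    size: Optional[int]   # None for directories (DDS prints dashes)
    attrs: str            # e.g. "---ha-w-": 'd' directory, 's' system, 'h' hidden
    path: str

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_file_lines(text: str) -> List[FileEntry]:
    """Return every line that has the DDS file-entry shape, any section."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append(FileEntry(ts, None if size.startswith("-") else int(size), attrs, path))
    return entries


def looks_random(stem: str) -> bool:
    """Assumed heuristic: a long all-letter name that keeps switching case
    (PbOVsnXuaBESx) scores high; CamelCase product names (iTunesHelper) do not."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    upper_frac = sum(c.isupper() for c in stem) / len(stem)
    return switches >= 5 and 0.35 <= upper_frac <= 0.8


def triage(text: str) -> List[str]:
    """Produce human-readable findings for a DDS log body."""
    findings = []
    for line in text.splitlines():
        if TASKMGR_POLICY.match(line.strip()):
            findings.append("policy: Task Manager disabled (DisableTaskMgr = 1)")
    for e in parse_file_lines(text):
        if e.is_dir:
            continue
        parent, _, name = e.path.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if ext.lower() != "exe":
            continue
        # Only executables sitting directly in an Application Data root,
        # not inside a vendor subfolder such as microsoft\installer\{guid}.
        if not parent.lower().endswith("\\application data"):
            continue
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking name")
        if e.hidden:
            reasons.append("hidden attribute")
        if reasons:
            findings.append(f"file: {e.path} created {e.timestamp} ({', '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it over the constructed sample reports the policy line and the hidden, random-named executable under `all users\application data`, while the equally hidden Windows Installer shortcut stubs and the Malwarebytes driver are left alone. A hit is a starting point for hashing and inspecting the file from a clean boot, not a verdict on its own.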

#2 Noviciate

  Malware Response Team

Posted 09 October 2011 - 03:56 PM

Good evening. :)

I really just need to get this machine up and running enough to back up my iTunes library and a few Word files and then I'll just system restore

Do you mean Factory Restore/reformat and reinstall? If so, all you need to do is a flashdrive and a blank CD to burn a little program to. The flashdrive will allow you to copy files from the poorly PC using an alternative operating system burned to the blank disc.

Let me know if you have access to a blank disc and flashdrive and I'll post instructions.

So long, and thanks for all the fish.



#3 koolkota

  Topic Starter

Posted 09 October 2011 - 05:26 PM

Hi there!

Yes, factory restore is what I'm hoping to make happen if this thing can come partially back to life...or if you have another solution to make the same data backup happen! Yes, I have both of the above, and instructions would be much appreciated!

Thanks for taking the time!

#4 Noviciate

  Malware Response Team

Posted 10 October 2011 - 03:00 PM

Good evening. :)

I'll split this into parts to make it easier on the eye. If you have any questions, please ask before doing something stupid - you know that makes sense! :P

Step 1 - creating a boot disk with an alternative operating system on it.

Download lupu-525.iso from here and save it to your Desktop. It's a 128 MB file, so it will take some minutes to download.

You then need to burn the .iso file to disk. My personal choice is InfraRecorder, available here, which is a free, GPL version 3, solution.

  • Run the program and select the Write Image option in the main window.
  • Navigate to the .iso file that you downloaded and double click it.
  • Insert a blank disc into the correct CD drive.
  • Click OK and sit back and relax.
  • The disc will be ejected when the task is complete so, unless you uncheck this option, mind the drawer!

Step 2 - change the boot order, if you need to, so that the PC boots from the new OS rather than Windows.

  • There's a handy pictorial guide here.
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.

When you boot the PC, the boot order is the order in which the various possibilities of finding an operating system are checked by your system. Normally the hard drive is first in line as it is usually where the OS resides. By checking this one first the PC will boot in the quickest time possible.
By changing the order the PC will check the CD drive first, and if it finds a disk with an OS on, it will boot from it. If it doesn't find one, it then looks at the second device on the list, which should be the hard drive, and it will boot from that.

I change the boot order on all my machines so that if ever I need to boot from a disk I can do so without needing to access the BIOS then and there - there's usually a problem that I'm trying to deal with and adding a second or two to the normal boot time is a price worth paying to be able to instantly boot from a disk rather than have to get into the BIOS when I'm already stressed by a sick PC.

Step 3 - boot from disk and recover files.

  • Insert the newly burned disk and reboot the machine.
  • Wait for Puppy to get its little tail wagging and the Desktop to appear.
  • Once it's up and running, you'll have the opportunity to customise the keyboard and language settings, which is never a bad idea.
  • Allow the restart of the Desktop to finalise any changes, if you've made any, and that part is done.
  • In the bottom left hand corner you should see all the partitions that Puppy has found on your hard drive, which on my system are labelled sda1, sda2, etc., and sr0 which is the disk that you booted from.
  • Left click each of the sda icons and you should see a window open and a green disk appear over the icon to indicate that it is now accessible.
  • This is the equivalent of Windows Explorer or My Computer depending on how you navigate your PC's file system.
  • Insert your flashdrive and it should autodetect and you'll see an icon appear with the others in the bottom left, mine's called sdb1.
  • Left click it, as with the other icons.
  • Now all you need to do is to find the files that you want to rescue and Copy and Paste them to your flashdrive just as you do within Windows.
  • Once done, click the "Puppy" icon in the bottom left hand corner of the Desktop and select Shutdown > Power-off Computer.
  • When prompted to save the session, select <DO NOT SAVE> and the PC should shut down.

So long, and thanks for all the fish.



#5 Noviciate

  Malware Response Team

Posted 15 October 2011 - 03:59 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.
