Can only boot in safe mode, no search engine



#1 kcwal

Posted 20 October 2011 - 06:12 PM

About a month ago Windows Defender notified me that I had a virus and supposedly removed it. Then Google started redirecting, and eventually the Google page wouldn't load at all. Now no search engine works. Every time I try to boot in normal mode it gets to the desktop and ten seconds later I get the BSOD, except instead of the usual white writing, there are only white streaks. I've run AVG (it came up with agent_r), Malwarebytes (found 9 infected registry keys that were adware and 2 infected registry values: Trojan.Agent and Rogue.OpenCloudSecurity), and TDSSKiller (found a hidden file). Please tell me what I need to do to fix this as I am out of ideas! Thanks!

Logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Kelley at 18:07:25 on 2011-10-18
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1790.1229 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/webhp?complete=0
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [Acer Tour Reminder]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [PaperQuote '01] d:\paperquote\PQ.exe
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Tour]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService]
mRun: [eDSMSNfix] c:\acer\empowering technology\eDSMSNfix.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [SetPanel] c:\acer\apanel\APanel.cmd
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [1194862116] c:\progra~1\egames\puzzle~1\register\egames~1.exe /r "c:\progra~1\egames\puzzle~1\register\EGAMES~1.rpd"
mRun: [408809432] c:\progra~1\egames\pengui~1\register\egames~1.exe /r "c:\progra~1\egames\pengui~1\register\EGAMES~1.rpd"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [2273484544] c:\windows\system32\config\systemprofile\appdata\local\exu.exe
StartupFolder: c:\users\kelley\appdata\roaming\micros~1\windows\startm~1\programs\startup\seagat~1.lnk - c:\users\kelley\appdata\roaming\leadertech\powerregister\Seagate 2GE338TW Product Registration.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
Trusted Zone: google.com\www
Trusted Zone: rbcbankusa.com\billpay
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A70AB48E-A208-4C53-A8A2-A8159B920A97} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DA807408-2875-4135-A83D-AF80F25B56EB} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
AppInit_DLLs: eNetHook.dll
mASetup: ccc-core-static - msiexec /fums {35BDA760-4905-19AA-54A0-C118ABB5BF0C} /qb
Hosts: 95.64.61.141 www.google.com
Hosts: 95.64.61.142 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20081028.001\IDSvix86.sys [2008-10-28 270384]
S2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-3-23 50688]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-1 5265248]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2007-3-23 31232]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-1 1252232]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2006-11-20 37008]
.
=============== Created Last 30 ================
.
2011-10-18 22:42:12 -------- d-----w- c:\program files\Runtime Software
2011-10-13 05:40:05 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-28 06:57:17 54016 ----a-w- c:\windows\system32\drivers\tdftehd.sys
2011-09-27 07:31:00 54016 ----a-w- c:\windows\system32\drivers\iskl.sys
2011-09-27 07:20:22 -------- d-----w- c:\users\kelley\appdata\roaming\Malwarebytes
2011-09-27 07:20:08 -------- d-----w- c:\programdata\Malwarebytes
2011-09-27 07:20:05 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-27 07:20:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-22 07:04:53 -------- d--h--w- C:\$AVG
2011-09-22 06:32:52 -------- d-----w- c:\users\kelley\appdata\roaming\AVG2012
2011-09-22 06:22:20 -------- d-----w- c:\windows\system32\drivers\AVG
2011-09-22 06:22:20 -------- d-----w- c:\programdata\AVG2012
2011-09-22 06:18:29 -------- d-----w- c:\program files\AVG
2011-09-22 05:57:48 -------- d--h--w- c:\programdata\Common Files
2011-09-22 05:56:50 -------- d-----w- c:\programdata\MFAData
2011-09-21 05:43:27 -------- d-----w- c:\programdata\WSTB
2011-09-19 05:33:18 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{da88cdc1-afe6-446b-8001-d17ef183163e}\mpengine.dll
.
==================== Find3M ====================
.
.
============= FINISH: 18:10:26.81 ===============


#2 Farbar

Posted 24 October 2011 - 07:23 AM

Hello kcwal,

Welcome to Bleeping computer.

Please update me on the current condition of your computer.

Use F8 at startup to get to Advanced Boot Options. Tell me if you have the "Repair your computer" option.

Please tell me if you have a Windows install DVD.

#3 kcwal

Posted 24 October 2011 - 02:35 PM

Hi farbar,

I do have the "repair your computer" option, but I don't have a Windows Install DVD. The computer's condition hasn't changed. I get the BSOD right after I reach the desktop in normal mode, so I'm in safe mode. The Google homepage still won't load and no search engine works. Do you want me to try "repair your computer"? Thanks for your help!

#4 Farbar

Posted 24 October 2011 - 02:49 PM

Thanks for the feedback. :thumbup2:

The computer is infected with different rootkits. We might be able to fix them all in one fix and then remove the leftovers from normal boot. But before doing that I need a log.

Yours is the x86 version.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#5 kcwal

Posted 24 October 2011 - 03:41 PM

Thanks for the quick response! Unfortunately, the only computer I have access to today is the infected computer, but tomorrow I'll have access to a clean computer, so I'll be able to do the download to a flash drive then. I should be able to get the logs posted tomorrow afternoon. Thanks!

#6 Farbar

Posted 24 October 2011 - 03:48 PM

You don't have internet access with the infected computer? If not then before running the scan check the "List Drivers MD5" option.

BTW how are you communicating now?

Edited by farbar, 24 October 2011 - 03:49 PM.


#7 kcwal

Posted 24 October 2011 - 04:00 PM

:oopsign: I'm sorry. I was under the impression that the download to the flash drive needed to be done from a clean computer. I do have internet on the infected computer, so I'll go ahead and do the download from here if that's okay. Sorry for the confusion!

#8 Farbar

Posted 24 October 2011 - 04:04 PM

No worries.:)

As long as you can download and run the tool, it doesn't matter from where you are downloading. Since you can boot to Safe Mode you can even download the tool and save it to the root of the C drive. Then after booting to System Recovery Options, instead of e:\frst.exe type c:\frst.exe and run the tool.

#9 kcwal

Posted 24 October 2011 - 04:34 PM

I restarted the computer and selected "repair your computer," but it just gave me the option to select "other user," not my user account. I tried that but it wanted a user name and password, and I don't have that information. I've never had a password for this computer. Should I try putting in the user name on my account and use "password" for the password (maybe it's the default)? Sorry for the minute-by-minute questions!

#10 Farbar

Posted 24 October 2011 - 04:40 PM

Try your own user name and leave the password box blank if you have no password.

#11 Farbar

Posted 24 October 2011 - 05:01 PM

FYI: It is too late here and I'm going to sleep. Tomorrow we'll resolve this issue with or without that log. :thumbup2:

#12 kcwal

Posted 24 October 2011 - 05:21 PM

I tried my user name and the blank password and I received the message, "The specified domain either does not exist or could not be contacted." The only option was to press OK, which went right back to the user name/password screen. I shut off the computer to get out, and when it came back, safe mode with networking was not an option, only "Launch Start-up Repair" or "Start Windows Normally." As I'm sure you can guess, launching start-up repair took me right back to the user name/password screen. The next time I went with start Windows normally, which gave me the same BSOD with white streaks! So that's what took so long. Here's hoping the computer is more cooperative tomorrow! Have a good night.

#13 Farbar

Posted 24 October 2011 - 06:24 PM

"The specified domain either does not exist or could not be contacted."

I believe this is a password issue. Did you select US as the keyboard language?

Anyway, we'll try Safe Mode with networking.

  • Please download DummyCreator.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:

      C:\Windows\2789336608
    • Press the Create button and post the result.
  • Important: Restart the computer and boot to Safe Mode again.
  • Please download MiniRegTool.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:
      HKLM\SYSTEM\CurrentControlSet\Services\20e641a6
      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell
      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit
    • Check the List Only Null-embedded radio button.
    • Press the Go button and post the result.
  • Run Command Prompt as administrator:
    • Click on the Start button.
    • Type Cmd in the Start Search text box.
    • Press the Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator.
    • Copy the following lines one by one, paste each in the command window (right-click in the command window and select Paste) and press Enter after each line:

      bcdedit /set {default} winpe no

      It should notify you that the operation completed successfully.

      echo.127.0.0.1 localhost>c:\windows\system32\drivers\etc\hosts

      This should not give a notification unless there is an error. Please proceed even if it gave you an error.

      move /y c:\windows\system32\config\systemprofile\appdata\local\exu.exe "%temp%"

      This should not give a notification unless there is an error. Please proceed even if it gave you an error.
  • Delete your copy of TDSSKiller. Please download the latest TDSSKiller.zip and extract it.
    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with descriptions.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
    • Let it reboot if needed and tell me if the tool needed a reboot.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility outputs the log into the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.

Important note: Regardless of whether TDSSKiller needed a reboot or not, please reboot the computer to normal mode anyway and let me know if you could boot normally.

Edited by farbar, 24 October 2011 - 06:57 PM.

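The two findings Farbar acts on in the post above (the Hosts: lines in the DDS log that send www.google.com and www.bing.com to a non-loopback address, and the dRun: entry launching exu.exe from the SYSTEM profile's AppData) can be pulled out of a DDS-style log mechanically. The following Python is an added example, not part of this thread or of the DDS/FRST tools; the excerpt it parses is constructed from lines in post #1, and the list of suspicious path fragments is an assumed heuristic.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in the layout of a DDS "Pseudo HJT Report", built from the
# lines in post #1 that the helper acts on; it is not the poster's full log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [2273484544] c:\windows\system32\config\systemprofile\appdata\local\exu.exe
Hosts: 127.0.0.1 localhost
Hosts: 95.64.61.141 www.google.com
Hosts: 95.64.61.142 www.bing.com
TCP: DhcpNameServer = 192.168.1.254
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?):\s+\[([^\]]*)\]\s*(.*)$")

# Path fragments under which a legitimate autostart entry rarely lives
# (assumed heuristic; compared against the lower-cased command line).
SUSPICIOUS_PATH_FRAGMENTS = (
    r"\config\systemprofile\appdata",
    r"\appdata\local\temp",
)


def hosts_redirects(text):
    """Return (ip, hostname) pairs for Hosts: lines that map a name to a
    non-loopback address; a malformed address is reported as well."""
    hits = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, host = m.groups()
        try:
            if ip_address(ip).is_loopback:
                continue
        except ValueError:
            pass  # not a valid address at all; still worth a look
        hits.append((ip, host))
    return hits


def suspicious_autoruns(text):
    """Return (key, name, command) for Run/RunOnce entries whose command
    points into a location from SUSPICIOUS_PATH_FRAGMENTS. The numeric
    entry name alone is not used as a signal: the same log has digit-only
    names for legitimate game-registration entries."""
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        key, name, cmd = m.groups()
        if any(frag in cmd.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
            hits.append((key, name, cmd))
    return hits


if __name__ == "__main__":
    for ip, host in hosts_redirects(SAMPLE_DDS):
        print(f"hosts redirect: {host} -> {ip}")
    for key, name, cmd in suspicious_autoruns(SAMPLE_DDS):
        print(f"autorun from unusual path: {key} [{name}] {cmd}")
```

Rewriting the hosts file to a single `127.0.0.1 localhost` line, as the `echo.` command in the post does, is what clears the first class of hit; the second is what the `move /y` step relocates.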

#14 kcwal

Posted 24 October 2011 - 06:50 PM

The link for DummyCreator.zip led to a "HTTP 404 Not Found" page. I tried both clicking the link and copy and paste into the address bar, both with the same result. As for the keyboard language, the "repair your computer" section never gave the option to choose a language or select the operating system to repair, just the user name/password. Should I continue to the MiniRegTool.zip?

#15 Farbar

Posted 24 October 2011 - 06:58 PM

My bad. I edited the link. It should be working now. Please do this step and reboot then do the rest.
