Win XP PC infested with unknown malware


This topic is locked
53 replies to this topic

#1 Ford.da

  • Members
  • 42 posts
  • OFFLINE
  • Gender:Male
  • Location:Maumee, Ohio
  • Local time:12:21 PM

Posted 28 December 2011 - 05:38 PM

Broni tells me I have to get more advanced help, and to post here to ask for it.

This is my father-in-law's PC, connected to my router, and I'm posting from my PC next to it. He had been infested with XP Security 2012; I removed it (I thought) with MalwareBytes and SuperAntiSpyware and cleared the temp files with TFC by OldTimer. But the internet connection issue didn't go away. That's when I came to BleepingComputer and created an account to ask for help! So, here we are...


Here is the link to what Broni and I have done so far...

Am I infected? What do I do?


this is the DDS log...


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by TEMP-Admin at 13:16:38 on 2011-12-28
AV: BitDefender Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dPolicies-explorer: NoDesktop = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{CCD8F892-602D-4ECF-A5D4-2E988E45E205} : DhcpNameServer = 192.168.1.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\temp-admin\application data\mozilla\firefox\profiles\f66tfmk5.default\
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-12-28 16:12:18 849 ----a-w- c:\documents and settings\all users\application data\kzrnaaa.tmp
2011-12-28 10:27:55 828 ----a-w- c:\documents and settings\all users\application data\ynylaaa.tmp
2011-12-28 10:27:40 839 ----a-w- c:\documents and settings\all users\application data\znylaaa.tmp
2011-12-28 10:27:34 863 ----a-w- c:\documents and settings\all users\application data\wnylaaa.tmp
2011-12-28 09:29:42 822 ----a-w- c:\documents and settings\all users\application data\aoylaaa.tmp
2011-12-28 01:14:19 853 ----a-w- c:\documents and settings\all users\application data\snwnaaa.tmp
2011-12-28 00:39:52 806 ----a-w- c:\documents and settings\all users\application data\cbynaaa.tmp
2011-12-27 16:33:40 2100 ---ha-w- c:\windows\system32\tmp.reg
2011-12-27 12:43:41 837 ----a-w- c:\documents and settings\all users\application data\favnaaa.tmp
2011-12-27 12:42:55 836 ----a-w- c:\documents and settings\all users\application data\eavnaaa.tmp
2011-12-27 12:42:18 824 ----a-w- c:\documents and settings\all users\application data\iavnaaa.tmp
2011-12-27 12:41:58 835 ----a-w- c:\documents and settings\all users\application data\havnaaa.tmp
2011-12-27 12:34:13 855 ----a-w- c:\documents and settings\all users\application data\gavnaaa.tmp
2011-12-27 02:56:27 -------- d-----w- c:\program files\PC MightyMax 2011
2011-12-27 02:46:10 838 ----a-w- c:\documents and settings\all users\application data\xnylaaa.tmp
2011-12-26 23:32:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-26 23:32:39 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-26 23:24:26 -------- d-----w- c:\program files\ESET
2011-12-26 23:01:45 861 ----a-w- c:\documents and settings\all users\application data\qyonaaa.tmp
2011-12-26 20:00:41 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2011-12-26 20:00:41 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2011-12-26 20:00:41 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-26 20:00:41 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-26 19:58:24 -------- d--h--w- c:\documents and settings\temp-admin\local settings\application data\Mozilla
2011-12-26 19:57:32 -------- d-sh--w- c:\documents and settings\temp-admin\IECompatCache
2011-12-26 19:52:51 -------- d-sh--w- c:\documents and settings\temp-admin\PrivacIE
2011-12-26 19:32:39 -------- d-----w- c:\documents and settings\temp-admin\application data\Malwarebytes
2011-12-26 19:32:02 -------- d--h--w- c:\documents and settings\temp-admin\local settings\application data\Eastman_Kodak_Company
2011-12-24 18:43:08 837 ----a-w- c:\documents and settings\all users\application data\zxlnaaa.tmp
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ---ha-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-14 22:38:00 456192 ---ha-w- c:\windows\system32\encdec.dll
2011-10-14 12:40:21 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 13:19:08.95 ===============




And this is the GMER log...



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-28 17:34:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3200822AS rev.3.02
Running: GMER.exe; Driver: C:\DOCUME~1\TEMP-A~1\LOCALS~1\Temp\fwdyrpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwAllocateVirtualMemory [0xB0B1DAE4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwAssignProcessToJobObject [0xB0B1DE4E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwConnectPort [0xB0B1F13E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateFile [0xB0B1E868]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateKey [0xB0B1F5C6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateProcess [0xB0B1DF98]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateProcessEx [0xB0B1E01A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateSection [0xB0B1E68C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateThread [0xB0B1D6E6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwDeviceIoControlFile [0xB0B1F6C6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwDuplicateObject [0xB0B222F4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwFsControlFile [0xB0B1F804]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwLoadDriver [0xB0B2025C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenFile [0xB0B1E77C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenProcess [0xB0B22046]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenSection [0xB0B1E5AC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenThread [0xB0B22174]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwProtectVirtualMemory [0xB0B1D9E2]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwQueueApcThread [0xB0B1DEF0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwReplaceKey [0xB0B1FDBE]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwRequestPort [0xB0B1F1CE]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwRequestWaitReplyPort [0xB0B1EF6A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwRestoreKey [0xB0B1FE2E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSecureConnectPort [0xB0B1F374]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSetContextThread [0xB0B1D7D6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSetSecurityObject [0xB0B1FD4E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSetSystemInformation [0xB0B1DBE8]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSuspendProcess [0xB0B1D944]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSuspendThread [0xB0B1D8A6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSystemDebugControl [0xB0B1DDAC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateProcess [0xB0B21FB6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateThread [0xB0B22402]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwWriteVirtualMemory [0xB0B1D5E4]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C78 80504514 4 Bytes [68, E8, B1, B0]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA4 80504840 4 Bytes CALL 9900FA20
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [44, D9, B1, B0, A6, D8, B1, ...]
? System32\Drivers\114e7f09.sys The system cannot find the path specified. !
? System32\Drivers\6a71e229.sys The system cannot find the path specified. !
? C:\DOCUME~1\TEMP-A~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\DOCUME~1\TEMP-A~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[228] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B44844
.text C:\WINDOWS\system32\SearchIndexer.exe[6776] KERNEL32.dll!WriteFile 7C810E27 7 Bytes JMP 005F5C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[11436] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0122B750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[13480] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1046C909 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[13480] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1046CEBD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys (Trufos Kernel Module/BitDefender S.R.L.)
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Thank you,


Dennis
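An added triage example (not from this thread, and not part of DDS or GMER): a short Python pass over lines copied from the DDS "Created Last 30" and GMER sections above. The heuristics are my own assumptions, not the forum's method: a cluster of small, random-named .tmp files under All Users\Application Data; drivers GMER references that are not on disk and carry random hex names; and inline code patches GMER could not attribute to a module, except where the patched bytes are little-endian pointers into SSDT entries the same log attributes to a named driver (here BitDefender's bdselfpr.sys). An "unattributed" finding marks something a helper should look at, not a confirmed infection.

```python
import re

# Sample lines copied from the DDS "Created Last 30" and GMER sections in the post above.
DDS_CREATED_LAST_30 = r"""
2011-12-28 16:12:18 849 ----a-w- c:\documents and settings\all users\application data\kzrnaaa.tmp
2011-12-28 10:27:55 828 ----a-w- c:\documents and settings\all users\application data\ynylaaa.tmp
2011-12-28 10:27:40 839 ----a-w- c:\documents and settings\all users\application data\znylaaa.tmp
2011-12-27 16:33:40 2100 ---ha-w- c:\windows\system32\tmp.reg
2011-12-26 20:00:41 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
"""
GMER_SSDT = r"""
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateFile [0xB0B1E868]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSuspendProcess [0xB0B1D944]
"""
GMER_CODE_SECTIONS = r"""
.text ntkrnlpa.exe!ZwCallbackReturn + 2C78 80504514 4 Bytes [68, E8, B1, B0]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA4 80504840 4 Bytes CALL 9900FA20
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [44, D9, B1, B0, A6, D8, B1, ...]
? System32\Drivers\114e7f09.sys The system cannot find the path specified. !
? C:\DOCUME~1\TEMP-A~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !
.text C:\WINDOWS\Explorer.EXE[228] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B44844
.text C:\Program Files\Mozilla Firefox\firefox.exe[11436] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0122B750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
"""

SSDT_RE = re.compile(r"^SSDT (?:.*\\)?(\S+\.sys) \(([^)]*)\) (\w+) \[0x([0-9A-F]{8})\]$")
HOOK_RE = re.compile(r"^\.text (?:(.*?\[\d+\]) )?(\S+!\S+)(?: \+ ([0-9A-F]+))? ([0-9A-F]{8}) (\d+) Bytes (.*)$")
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the (?:path|file) specified")
MODULE_RE = re.compile(r"\([^()]*\)\s*$")              # trailing "(Description/Vendor)" attribution
RANDOM_TMP_RE = re.compile(r"\\all users\\application data\\[a-z]{7}\.tmp$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.sys$", re.I)
SCANNER_DRIVERS = {"aswmbr.sys", "mbr.sys"}           # temp drivers left behind by earlier scan tools

def parse_ssdt(text):
    """Map hooked SSDT address -> (driver, function) so byte patches can be attributed."""
    table = {}
    for line in text.strip().splitlines():
        m = SSDT_RE.match(line)
        if m:
            driver, _desc, func, addr = m.groups()
            table[int(addr, 16)] = (driver, func)
    return table

def dwords_from_patch(patch):
    """Decode GMER's '[68, E8, B1, B0, ...]' byte list into little-endian 32-bit values."""
    byts = re.findall(r"\b[0-9A-F]{2}\b", patch)
    return [int("".join(reversed(byts[i:i + 4])), 16) for i in range(0, len(byts) - 3, 4)]

def triage_dds(created_text, min_cluster=2):
    """Flag a cluster of small, random-named .tmp files under All Users\\Application Data."""
    hits = []
    for line in created_text.strip().splitlines():
        parts = line.split(None, 4)                      # date, time, size, attrs, path
        if len(parts) < 5 or not parts[2].isdigit():     # directories show '--------' as size
            continue
        size, path = int(parts[2]), parts[4]
        if size < 4096 and RANDOM_TMP_RE.search(path):
            hits.append(path.rsplit("\\", 1)[-1])
    if len(hits) < min_cluster:
        return []
    return [("HIGH", f"{len(hits)} small random-named .tmp files under All Users\\Application Data: "
                     + ", ".join(hits))]

def triage_gmer(sections_text, ssdt):
    """Flag unattributed code patches and unresolvable random-named drivers."""
    findings = []
    for line in sections_text.strip().splitlines():
        m = MISSING_RE.match(line)
        if m:
            name = m.group(1).rsplit("\\", 1)[-1]
            if name.lower() not in SCANNER_DRIVERS and HEX_NAME_RE.match(name):
                findings.append(("HIGH", f"driver referenced but not on disk, random hex name: {name}"))
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue
        proc, symbol, offset, _addr, _n, patch = m.groups()
        where = f"{symbol} + {offset}" if offset else f"{proc} {symbol}"
        if MODULE_RE.search(patch):
            continue                                     # GMER named the module that owns the target
        if patch.startswith("["):
            owners = {ssdt[d] for d in dwords_from_patch(patch) if d in ssdt}
            if owners:                                   # bytes are SSDT pointers into a known driver
                findings.append(("INFO", f"{where}: SSDT entries owned by "
                                 + ", ".join(sorted(f"{func}->{drv}" for drv, func in owners))))
                continue
        findings.append(("HIGH", f"{where}: unattributed inline patch '{patch}'"))
    return findings

if __name__ == "__main__":
    table = parse_ssdt(GMER_SSDT)
    for sev, msg in triage_dds(DDS_CREATED_LAST_30) + triage_gmer(GMER_CODE_SECTIONS, table):
        print(f"[{sev}] {msg}")
```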



#2 Ford.da

  • Topic Starter

Posted 28 December 2011 - 05:46 PM

Forgot to attach the log files...



Attached File  GMER.log   8.98KB   0 downloads
Attached File  dds.txt   8.59KB   1 downloads

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,743 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:21 PM

Posted 03 January 2012 - 12:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435023 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Ford.da

  • Topic Starter

Posted 03 January 2012 - 03:05 PM

Long story, short version... Broni and I worked on this PC back on December 27 - 28; you'll find a link to that thread above. On the night of December 29 my father-in-law called and said he had someone over to look at the computer right then, so he came and took it. On January 2 I had the PC back with the explanation that this person couldn't do anything with it.

Currently:

I have no idea what was done to it when it was not in my possession.
The PC is now stuck in a reboot loop.


Facts:

This is an HP Media Center PC with Windows XP Media Center Edition SP3 (I think), 32-bit.
The logs above are the most current that I could produce because of the reboot loop (even safe mode reboots).
I do not have the original Windows XP CD. I think there is a recovery partition on it.



If I missed anything, tell me and I'll try to provide what information I can.




Thank you for your time,


Dennis

#5 Ford.da

  • Topic Starter

Posted 03 January 2012 - 03:20 PM

On a side note...

I read somewhere on Bleeping Computer that there may be a training program here. If that is the case, I would love to improve my computer security skills and participate in whatever training you may offer! In fact, at some point I may even be able to help out in the forums.

Please let me know if anything like that is available.


Thank you,


Dennis

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:21 PM

Posted 04 January 2012 - 02:44 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Ford.da

  • Topic Starter

Posted 04 January 2012 - 08:26 AM

Thank you for your timely response!



Currently:

I have no idea what was done to it when it was not in my possession.
The PC is now stuck in a reboot loop. <====


Facts:

This is an HP Media Center PC with Windows XP Media Center Edition SP3 (I think), 32-bit.
The logs above are the most current that I could produce because of the reboot loop (even safe mode reboots). <=====
I do not have the original Windows XP CD. I think there is a recovery partition on it.


From my statements in my post above, quoted here:

The computer is stuck in a reboot loop that I am unable to stop, therefore I cannot run ComboFix until the reboot loop gets broken!


Thank you for your time!


Dennis

#8 gringo_pr


Posted 04 January 2012 - 01:06 PM

Burn recovery console cd

  • Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  • Download floppy disk setup package xp Pro for your operating system (XP Pro) and save it to the folder you extracted the zip to.
  • Rename the floppy disk setup package to Bootdisk.exe.
  • Insert a blank cd into your burner.
  • Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.

Boot into recovery console

  • insert the cd that we made into cd player
  • restart the computer
  • screen will say "Windows set up" just wait
  • at the welcome screen press "R"
  • type 1 to enter c:\windows
  • type in the following and press enter
  • fixmbr


#9 gringo_pr


Posted 07 January 2012 - 12:02 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hours you have not replied to this thread then it will have to be closed!

Gringo

#10 Ford.da

  • Topic Starter

Posted 08 January 2012 - 01:33 AM

Sorry, it's been a LONG work week of 12-hour days! Let me get some sleep and we'll get back to work.


Dennis

#11 gringo_pr


Posted 08 January 2012 - 01:46 AM

I understand and will see you tomorrow.


gringo

#12 Ford.da

  • Topic Starter

Posted 09 January 2012 - 11:12 AM

Burn recovery console cd

  • Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  • Download floppy disk setup package xp Pro for your operating system (XP Pro) and save it to the folder you extracted the zip to.
  • Rename the floppy disk setup package to Bootdisk.exe.
  • Insert a blank cd into your burner.
  • Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.

Boot into recovery console

  • insert the cd that we made into cd player
  • restart the computer
  • screen will say "Windows set up" just wait
  • at the welcome screen press "R"
  • type 1 to enter c:\windows
  • type in the following and press enter
  • fixmbr




When I start up the Recovery Console this is what I see...


1: D:\I386
2: D:\MiniNT
3: C:\WINDOWS

Which Windows installation would you like to log into?

I chose 3 and this is what I saw...

**CAUTION**

This PC has a non-standard or invalid MBR.

FIXMBR may damage your partition tables if you proceed.

This could cause all partitions to become inaccessible.

Are you SURE you want to write a new MBR?


I do not have a Windows installation CD for this PC, and I'm unsure if my father-in-law has it. And I do not wish to damage this PC beyond repair. Please confirm that this is what I should do!!


Dennis

#13 gringo_pr


Posted 09 January 2012 - 11:38 AM

That warning is normal and it is OK to continue.


gringo

#14 Ford.da

  • Topic Starter

Posted 09 January 2012 - 03:26 PM

It's still stuck in the reboot loop. It does make it past the windows loading logo, but just a few seconds past, and then reboots.


Dennis




EDIT: Reboots no matter if in normal mode or in safe mode, and at about the same point.

Edited by Ford.da, 09 January 2012 - 03:29 PM.


#15 gringo_pr


Posted 09 January 2012 - 03:30 PM

Hello


During startup I want you to press F10 and let me know what you see.


gringo