Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Recovery virus - fixes won't work


  • Please log in to reply
8 replies to this topic

#1 MVPExchange

MVPExchange

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 31 January 2012 - 06:45 PM

I have the Windows Recovery Virus. I have followed several different instructions on how to fix it but it is not working.

When I run the TDSS killer, no infections are found.
When I run the Malwarebytes Anti Malware program the only thing that comes up is the PUM.Hijack.startmenu, which doesn't seem to be the problem.

I have tried everything in both normal mode and safe mode but nothing is locating the actual virus.

Any help would be appreciated. I am running Windows 7.

Thanks,
Jon

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:42 PM

Posted 31 January 2012 - 09:22 PM

Hello Jon,did you run RKill first... then without rebooting and then run TDSS and MBAM?
Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Post the TDSS and MBAM logs.

Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log have a name like: TDSSKiller.Version_Date_Time_log.txt.


Instead... Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Edited by boopme, 31 January 2012 - 09:23 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 MVPExchange

MVPExchange
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 31 January 2012 - 10:48 PM

Hey thanks for your help.

Here is the MBAM log:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.31.08

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Owner :: OWNER-PC [administrator]

Protection: Disabled

1/31/2012 4:03:29 PM
mbam-log-2012-01-31 (16-03-29).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 365234
Time elapsed: 40 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:42 PM

Posted 31 January 2012 - 11:36 PM

Actually should gave also run Rkill/Tdss also. do that please.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:
Posted Image

On completion of the scan click "Save log", save it to your desktop and post in your next reply:
Posted Image

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 MVPExchange

MVPExchange
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 01 February 2012 - 12:00 AM

ok, I am running thru your instructions. Here are the results of the mini toolbox:


MiniToolBox by Farbar Version: 18-01-2012
Ran by Owner (administrator) on 31-01-2012 at 23:57:37
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Nerwork
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Intel® WiFi Link 1000 BGN = Wireless Network Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Owner-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.nj.comcast.net.
Description . . . . . . . . . . . : Intel® WiFi Link 1000 BGN
Physical Address. . . . . . . . . : 00-26-C7-04-73-20
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f84a:2d62:200f:93a7%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, January 31, 2012 5:01:01 PM
Lease Expires . . . . . . . . . . : Wednesday, February 01, 2012 12:56:00 AM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 318777031
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-04-31-5D-C8-0A-A9-09-D5-FF
DNS Servers . . . . . . . . . . . : 209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{F17E00A7-E099-43D1-9843-74CF14DBFBF8}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.hsd1.nj.comcast.net.:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Reusable ISATAP Interface {DE57DAEC-5C63-45A6-BED5-FF1CF89337F3}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 74.125.113.103
74.125.113.104
74.125.113.105
74.125.113.106
74.125.113.147
74.125.113.99


Pinging google.com [74.125.113.105] with 32 bytes of data:
Reply from 74.125.113.105: bytes=32 time=51ms TTL=52
Reply from 74.125.113.105: bytes=32 time=52ms TTL=52

Ping statistics for 74.125.113.105:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 51ms, Maximum = 52ms, Average = 51ms
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 98.139.180.149
209.191.122.70
72.30.2.43
98.137.149.56


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=86ms TTL=51
Reply from 209.191.122.70: bytes=32 time=79ms TTL=51

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 79ms, Maximum = 86ms, Average = 82ms
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
13...00 26 c7 04 73 20 ......Intel® WiFi Link 1000 BGN
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.10 281
192.168.0.10 255.255.255.255 On-link 192.168.0.10 281
192.168.0.255 255.255.255.255 On-link 192.168.0.10 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.10 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.10 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
13 281 fe80::/64 On-link
13 281 fe80::f84a:2d62:200f:93a7/128
On-link
1 306 ff00::/8 On-link
13 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [51712] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70144] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/31/2012 01:13:48 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/27/2012 06:26:13 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/25/2012 06:32:07 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/24/2012 11:41:18 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/18/2012 05:45:02 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/14/2012 03:05:10 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/13/2012 05:12:40 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/13/2012 01:39:31 AM) (Source: Application Error) (User: )
Description: Faulting application name: EXCEL.EXE, version: 14.0.5130.5003, time stamp: 0x4d3061c8
Faulting module name: EXCEL.EXE, version: 14.0.5130.5003, time stamp: 0x4d3061c8
Exception code: 0xc0000005
Fault offset: 0x0080ff9e
Faulting process id: 0x1228
Faulting application start time: 0xEXCEL.EXE0
Faulting application path: EXCEL.EXE1
Faulting module path: EXCEL.EXE2
Report Id: EXCEL.EXE3

Error: (01/12/2012 01:08:58 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/11/2012 04:37:19 PM) (Source: MsiInstaller) (User: Owner)Owner
Description: Product: Kaspersky Anti-Virus 2010 -- Error 1310.Error writing to file: C:\Config.Msi\e730006.rbf. System error 5. Verify that you have access to that folder.


System errors:
=============
Error: (01/31/2012 11:56:02 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:56:02 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:56:02 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:56:00 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:56:00 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:56:00 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:53:32 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:53:32 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:53:32 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/31/2012 11:51:24 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (01/31/2012 01:13:48 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/27/2012 06:26:13 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/25/2012 06:32:07 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/24/2012 11:41:18 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/18/2012 05:45:02 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/14/2012 03:05:10 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/13/2012 05:12:40 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/13/2012 01:39:31 AM) (Source: Application Error)(User: )
Description: EXCEL.EXE14.0.5130.50034d3061c8EXCEL.EXE14.0.5130.50034d3061c8c00000050080ff9e122801ccd1bcbdd7164aC:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXEC:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE589137fb-3db1-11e1-b2af-94163fb87894

Error: (01/12/2012 01:08:58 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/11/2012 04:37:19 PM) (Source: MsiInstaller)(User: Owner)Owner
Description: Product: Kaspersky Anti-Virus 2010 -- Error 1310.Error writing to file: C:\Config.Msi\e730006.rbf. System error 5. Verify that you have access to that folder.(NULL)(NULL)(NULL)(NULL)(NULL)


=========================== Installed Programs ============================

3ivx MPEG-4 5.0.3 (remove only) (Version: 5.0.3)
Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.34)
Adobe Flash Player 11 Plugin 64-bit (Version: 11.1.102.55)
Adobe Reader 9.1 MUI (Version: 9.1.0)
Adobe Shockwave Player (Version: 11.5.1.601)
Adobe Shockwave Player 11.6 (Version: 11.6.0.626)
Apple Application Support (Version: 2.0.1)
Apple Software Update (Version: 2.1.3.127)
Aunsoft SWF Converter version 2.1.1.74
Click to Call with Skype (Version: 5.6.8153)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
CyberLink DVD Suite (Version: 7.0.2216)
Definition update for Microsoft Office 2010 (KB982726)
Dropbox (Version: 1.2.49)
DVD Menu Pack for HP MediaSmart Video (Version: 3.1.3224)
ENE CIR Receiver Driver (Version: 2.7.4.0)
ESU for Microsoft Windows 7 (Version: 1.0.0)
Flash-SWF to AVI-GIF 2.1 (Version: 2.1)
Flash-SWF to AVI GIF Converter v2.10 (Release date: 07-08-14 Fu
FlipShare (Version: 4.5.0.39816)
Google AdWords Editor (Version: 7.6.1)
Google Earth Plug-in (Version: 6.1.0.5001)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.2.2427.2330)
Google Update Helper (Version: 1.3.21.79)
HP 3D DriveGuard (Version: 4.0.3.1)
HP Advisor (Version: 3.3.9512.3162)
HP Customer Experience Enhancements (Version: 6.0.1.3)
HP Games (Version: 1.0.0.71)
HP MediaSmart DVD (Version: 3.1.3509)
HP MediaSmart Internet TV (Version: 3.1.2125)
HP MediaSmart Live TV (Version: 3.1.2206)
HP MediaSmart Music/Photo/Video (Version: 3.1.3405)
HP MediaSmart SlingPlayer (Version: 3.0.1.64)
HP MediaSmart SmartMenu (Version: 3.1.0.1)
HP MediaSmart Software Notebook Demo (Version: 1.00.0000)
HP MediaSmart Webcam (Version: 3.1.2207)
HP MediaSmart/TouchSmart Netflix (Version: 1.0.2.0)
HP Quick Launch Buttons (Version: 6.50.7.1)
HP Setup (Version: 1.2.3560.3170)
HP Smart Web Printing (Version: 131.1.35898)
HP Support Assistant (Version: 4.3.1.2)
HP Update (Version: 5.001.000.014)
HP User Guides 0154 (Version: 1.01.0001)
HP Wireless Assistant (Version: 3.50.9.1)
Hulu Desktop (Version: 0.9.7)
IDT Audio (Version: 1.0.6249.0)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1968)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® Matrix Storage Manager
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 15 (64-bit) (Version: 6.0.150)
Java™ 6 Update 23 (Version: 6.0.230)
Java™ SE Development Kit 6 Update 15 (64-bit) (Version: 1.6.0.150)
Junk Mail filter update (Version: 14.0.8089.726)
Kaspersky Anti-Virus 2012 (Version: 12.0.0.374)
LabelPrint (Version: 2.5.2215)
LightScribe System Software (Version: 1.18.8.1)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Live Search Toolbar (Version: 3.0.566.0)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Home and Student 2010 (Version: 14.0.4763.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Single Image 2010 (Version: 14.0.4763.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Silverlight (Version: 4.0.60310.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Works (Version: 9.7.0621)
Movie Theme Pack for HP MediaSmart Video (Version: 3.1.3310)
Mozilla Firefox 9.0.1 (x86 en-US) (Version: 9.0.1)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Norton Online Backup (Version: 1.2.20.0)
PdaNet for Android 2.45
Power2Go (Version: 6.0.3415)
PowerDirector (Version: 7.0.3420)
QLBCASL (Version: 6.40.17.2)
QuickTime (Version: 7.70.80.34)
RAD Video Tools
Realtek Ethernet Controller Driver (Version: 1.00.0008)
Realtek USB 2.0 Card Reader (Version: 6.1.7600.30104)
Recovery Manager (Version: 5.5.2214)
Skype™ 5.5 (Version: 5.5.114)
StuffIt 2010 (Version: 14.0.0)
SWF & FLV Toolbox 4.0 (build 4.0.479) (Version: 4.0.479)
SWF To Image (Version: 1.43)
Synaptics Pointing Device Driver (Version: 14.0.0.3)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft OneNote 2010 (KB2493983)
Update for Microsoft Outlook Social Connector (KB2441641)
Update Installer for WildTangent Games App
WildTangent Games App (HP Games) (Version: 4.0.5.36)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8064.206)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Messenger (Version: 14.0.8089.0726)
Windows Live Photo Gallery (Version: 14.0.8081.709)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8089.0726)
WModem Driver Installer (Version: 2.0.6.7)

========================= Devices: ================================

Name: Consumer IR Devices
Description: Consumer IR Devices
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: circlass
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


========================= Memory info: ===================================

Percentage of memory in use: 20%
Total physical RAM: 3894.87 MB
Available physical RAM: 3081.48 MB
Total Pagefile: 7787.88 MB
Available Pagefile: 7018.43 MB
Total Virtual: 4095.88 MB
Available Virtual: 3965.98 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:452.34 GB) (Free:395.3 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:13.13 GB) (Free:2.19 GB) NTFS
3 Drive e: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32

========================= Users: ========================================

User accounts for \\OWNER-PC

Administrator Guest Owner

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#6 MVPExchange

MVPExchange
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 01 February 2012 - 12:04 AM

and here is the aswMBR log:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 00:01:53
-----------------------------
00:01:53.739 OS Version: Windows x64 6.1.7600
00:01:53.739 Number of processors: 4 586 0x2502
00:01:53.739 ComputerName: OWNER-PC UserName: Owner
00:01:55.408 Initialize success
00:02:29.619 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
00:02:29.619 Disk 0 Vendor: ST950042 0006 Size: 476940MB BusType: 3
00:02:29.635 Disk 0 MBR read successfully
00:02:29.650 Disk 0 MBR scan
00:02:29.650 Disk 0 unknown MBR code
00:02:29.650 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
00:02:29.666 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 463193 MB offset 409600
00:02:29.697 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 13443 MB offset 949028864
00:02:29.728 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
00:02:29.728 Service scanning
00:02:30.805 Modules scanning
00:02:30.805 Disk 0 trace - called modules:
00:02:30.820 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
00:02:30.820 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800574a060]
00:02:30.820 3 CLASSPNP.SYS[fffff8800109f43f] -> nt!IofCallDriver -> [0xfffffa8004a769c0]
00:02:30.852 5 hpdskflt.sys[fffff88002296289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800491b050]
00:02:30.852 Scan finished successfully
00:02:56.124 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
00:02:56.139 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:42 PM

Posted 01 February 2012 - 12:05 AM

Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically,go HERE click the Posted Image button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the promots in the Fix it wizard.



Download theFixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

I have to go,Jury Duty in the am... Will look back then.

Edited by boopme, 01 February 2012 - 12:11 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 MVPExchange

MVPExchange
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 01 February 2012 - 12:28 AM

I was getting ready to run HOSTS step above. I went back into normal mode, and I was not bombarded with 100 pop up and error screens. If I didn't know any better I would say that it has been fixed and there is nothing wrong with it. So how can I test it now to make sure? What files should I delete? Or is it not fixed and it just looks that way?

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:42 PM

Posted 01 February 2012 - 11:18 AM

Hopefullu all else is good. But looking at the Minitool log you see the Hosts is empty ,so we should replace it. The Fix it is fast.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users