
HiJackthis LOG, please help _OLMARIK


15 replies to this topic

#1 davidessex

davidessex

  • Members
  • 7 posts

Posted 18 February 2012 - 02:03 PM

Hello guys,

My antivirus ESET NOD32 v5 shows that I am infected with the following virus/trojan located in operating memory and is unable to clean it:

Operating Memory - Win32/Olmarik.tdl4 trojan

I have run HijackThis on my system (Windows 7) and got the log below. Can you please advise which lines are OK to delete? Can I delete all the lines with "missing file" posted at the end?

_____________________________________________________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:54 PM, on 2/18/2012
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe
C:\Program Files (x86)\ObjectDock\ObjectDock.exe
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files (x86)\Google\Google Talk\googletalk.exe
C:\Program Files\TOTAL COMMANDER\TOTALCMD.EXE
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'Default user')
O4 - Startup: RAT 9 Charge Indicator.lnk = ?
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\ObjectDock\ObjectDock.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://jsam.smith.com/dana-cached/sc/JuniperSetupClient.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045}: NameServer = 78.96.7.88,95.77.94.88
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\logishrd\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11119 bytes

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum. ~ Animal



#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 18 February 2012 - 05:33 PM

Welcome to the forum, davidessex!

Olmarik hides well. Let's do the following and see what is discovered...

Please download RogueKiller
It is the dark blue button next to (Download link) Lien de téléchargement

•Save to the Desktop
•Close all windows and browsers
•Vista/Seven: Right-click the program and select 'Run as Administrator'
•Press: SCAN
•A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt, and provide it in your reply.

Note:
If RogueKiller is blocked by the malware, try running it again.
If it still fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.


Also download: aswMBR
Save it to the Desktop.

Right-click the downloaded file and select 'Run as Administrator'

When prompted with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes

The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitions database, etc.
When the Avast! scan is done, the last line changes to: Avast Engine definitions #####

At this point, click the Scan button on the lower left of the aswMBR screen.

The last line will now say "Scanning" while in progress.

Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!

Exit the program.

Please post the aswMBR log in your reply.


Last, but not least, for (x32) bit systems please download ListParts
Save to the Desktop
Right-click the downloaded file and select 'Run as Administrator'
Click: Scan

When the scan is done, please post the Result.txt in your reply.


Thanks.

Old duck...


#3 davidessex

davidessex
  • Topic Starter

  • Members
  • 7 posts

Posted 20 February 2012 - 03:15 PM

Hi there,

Thank you for your quick reply. I will paste both logs below; I did not run the scan for x32-bit systems, mine is x64. I also noticed today a new virus detected by ESET, the same old Olmarik in operating memory and one in C:\windows\microsoft.net\framework\v.2.0....\vbc.exe - a variant of Fynloski.AA Trojan
______________________________________________________________________________________________________________________________________
aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-20 18:11:55
-----------------------------
18:11:55.628 OS Version: Windows x64 6.1.7601 Service Pack 1
18:11:55.628 Number of processors: 2 586 0xF02
18:11:55.628 ComputerName: SEBY-PC UserName: Seby
18:12:03.646 Initialize success
18:16:45.121 AVAST engine defs: 12022001
18:41:16.505 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-4
18:41:16.508 Disk 0 Vendor: ST3320620AS 3.AAC Size: 305245MB BusType: 3
18:41:16.531 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-8
18:41:16.534 Disk 1 Vendor: WDC_WD2500JS-55MHB1 10.02E01 Size: 238475MB BusType: 3
18:41:16.540 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP2T0L0-7
18:41:16.545 Disk 2 Vendor: ST3200822AS 3.01 Size: 190781MB BusType: 3
18:41:16.566 Disk 0 MBR read successfully
18:41:16.570 Disk 0 MBR scan
18:41:16.663 Disk 0 Windows 7 default MBR code
18:41:16.668 Disk 0 MBR hidden
18:41:16.675 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 305242 MB offset 63
18:41:16.711 Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS 2 MB offset 625137345
18:41:16.740 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
18:41:16.750 Service scanning
18:41:42.869 Modules scanning
18:41:42.877 Disk 0 trace - called modules:
18:41:42.895 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800499b334]<<>>UNKNOWN [0xfffffa800430a2c0]<<sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
18:41:42.903 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049846f0]
18:41:42.909 3 CLASSPNP.SYS[fffff8800185a43f] -> nt!IofCallDriver -> [0xfffffa80047e2520]
18:41:42.916 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-4[0xfffffa80047e1680]
18:41:42.923 \Driver\atapi[0xfffffa80043dd8c0] -> IRP_MJ_CREATE -> 0xfffffa800430a2c0
18:41:44.260 AVAST engine scan C:\
18:42:05.160 File: C:\8567 - PREDA SEBASTIAN\ROOT\#Storage\#Clips\~Funny Movies\PROGRAME_HAIOASE\Jokes\HIDEIT.EXE **INFECTED** Win32:CIH-G@dam
18:42:07.687 File: C:\8567 - PREDA SEBASTIAN\ROOT\#Storage\#Clips\~Funny Movies\PROGRAME_HAIOASE\WORDPAD.EXE.mwt **INFECTED** Win32:CIH-G@dam
22:05:04.454 Scan finished successfully
22:07:34.961 Disk 0 MBR has been saved successfully to "C:\Users\Seby\Desktop\MBR.dat"
22:07:34.972 The log file has been saved successfully to "C:\Users\Seby\Desktop\aswMBR.txt"
_______________________________________________________________________________________________________________________________________________________________________________________________________________

RogueKiller V7.1.0 [02/15/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Seby [Admin rights]
Mode: Scan -- Date: 02/19/2012 22:55:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 15 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : JavaUpdate (C:\Users\Seby\AppData\Local\Temp\JavaUpdate.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-3414581432-1102115825-1109480904-1001[...]\Run : JavaUpdate (C:\Users\Seby\AppData\Local\Temp\JavaUpdate.exe) -> FOUND
[SUSP PATH] RAT 9 Charge Indicator.lnk : C:\Users\Seby\AppData\Roaming\Microsoft\Installer\{72A099DE-9782-4679-85AD-0731EF87EA53}\_5B5E5C8CB886861B14F432.exe -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320620AS ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] d5de7fbf5d3c564ccc34ee539d7d3c63
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625137345 | Size: 2 Mo

+++++ PhysicalDrive1: WDC WD2500JS-55MHB1 ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] b16f9a91c7515d88ad93899627329709
[BSP] 9b73c093ae19c0f92ddf478fc9e8cbc8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo

+++++ PhysicalDrive2: ST3200822AS ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] a9b182d44b6ae7a681b384b094438d8d
[BSP] 24e24f3e99c2f9d2877f052033f76735 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 190779 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt


___________________________________________________________________________________________________________________________________________________________________________________
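An added example (not code from this thread, from aswMBR or from RogueKiller) that rebuilds the Disk 0 layout the two logs above report as a constructed 512-byte MBR and applies the two checks their output implies: an active hidden-NTFS (type 0x17) partition of a couple of MB at the tail of the disk, and a user-mode MBR read that disagrees with a low-level read (the "User != LL2 ... KO!" line). The boot-code bytes, the per-partition sector counts and the 16 MB size threshold are assumptions.

```python
"""Detect a hidden active boot partition of the kind the aswMBR/RogueKiller logs show.

Added example, not part of the original thread or of either tool. It builds
constructed MBR sectors that mirror the reported Disk 0 layout and runs two
checks: a hidden (type 0x17) *active* partition of a few MB at the end of the
disk, and a mismatch between a user-mode read of sector 0 and a low-level one.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start, sector count. CHS fields are skipped ('x') since LBA is authoritative.
ENTRY_FMT = "<B3xB3xII"
HIDDEN_NTFS = 0x17              # hidden HPFS/NTFS; 0x07 is the ordinary NTFS type
DISK0_SECTORS = 305245 * 2048   # 305245 MB reported by aswMBR, 2048 sectors per MB


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four (status, type, lba, count) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    table += b"\x00" * (64 - len(table))          # unused entries are all zero
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + table + b"\x55\xaa"


def parse_partition_table(mbr: bytes):
    """Return the non-empty partition entries as dicts; raise if the sector is not an MBR."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, BOOT_CODE_LEN + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def find_hidden_boot_partition(mbr: bytes, disk_sectors: int, max_mb: int = 16):
    """Flag an active hidden-NTFS partition, at most max_mb in size, sitting at the tail of the disk.

    A legitimate system partition is visible, large and near the front of the
    disk; the logs above show the opposite: 0x17, active, 2 MB, offset 625137345.
    """
    findings = []
    for p in parse_partition_table(mbr):
        small = p["sectors"] <= max_mb * 2048
        at_end = p["lba_start"] + p["sectors"] >= disk_sectors - 2048   # within 1 MB of the end
        if p["active"] and p["type"] == HIDDEN_NTFS and small and at_end:
            findings.append(p)
    return findings


def compare_reads(user_mbr: bytes, lowlevel_mbr: bytes):
    """Mirror the User vs LL comparison: if the sector returned through the normal
    I/O path differs from the one read below the filter stack, something between
    the application and the disk is rewriting what sector 0 looks like."""
    return {"user_md5": hashlib.md5(user_mbr).hexdigest(),
            "lowlevel_md5": hashlib.md5(lowlevel_mbr).hexdigest(),
            "match": user_mbr == lowlevel_mbr}


# Constructed stub standing in for boot code (not real MBR code).
STUB_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"

# Constructed sample of what the user-mode read reported: one visible, active
# NTFS partition starting at sector 63 and filling the disk up to the hidden area.
CLEAN_MBR = build_mbr(STUB_CODE, [(0x80, 0x07, 63, 625137282)])

# Constructed sample matching the low-level (LL2) view from the logs: partition 1
# is no longer active, partition 2 is type 0x17, active, 2 MB at LBA 625137345.
INFECTED_MBR = build_mbr(STUB_CODE + b"\x90" * 4,
                         [(0x00, 0x07, 63, 625137282), (0x80, 0x17, 625137345, 4096)])


if __name__ == "__main__":
    for name, mbr in (("user-mode read", CLEAN_MBR), ("low-level read", INFECTED_MBR)):
        hits = find_hidden_boot_partition(mbr, DISK0_SECTORS)
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'} {hits}")
    print(compare_reads(CLEAN_MBR, INFECTED_MBR))
```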

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 20 February 2012 - 07:54 PM

Thank you for providing the information.

Here is the ListParts64:
http://download.bleepingcomputer.com/farbar/ListParts64.exe

Save to the Desktop
Double-click the downloaded file to run the program.
Click: Scan
When done, please post the Result.txt in your reply.

Please post the above report to complete the 'picture', so to speak.

Also, what is the brand of this computer, Acer, HP, Toshiba, etc.?
The reason for asking is that certain computers have proprietary characteristics, and it helps to know the brand name.
Do not need a serial number, or anything of that nature.


Will get back to you after looking at the reports you already provided.

Edited by Aaflac, 20 February 2012 - 08:03 PM.

Old duck...


#5 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 20 February 2012 - 08:52 PM

In addition to the information requested above, let's press on with RogueKiller...

•Please quit all programs
•Start RogueKiller.exe...
•Windows Seven: Right-click the program and select 'Run as Administrator'
•Wait until the Prescan finishes

•On the RogueKiller console, click the Registry tab.
•Then, press the [Delete] button.

•Next, click the DNS tab, and then click on the [DNS Fix] button

•Restart the computer, and run RogueKiller again.


In your reply, please provide the new RKreport created on the Desktop.
(The RKreport also opens using the Report button on the console.)

Old duck...


#6 davidessex

davidessex
  • Topic Starter

  • Members
  • 7 posts

Posted 21 February 2012 - 11:32 AM

Please find below the scan results; my computer is not a brand, it is made up from different parts.

ListParts by Farbar
Ran by Seby on 21-02-2012 at 18:07:29
Windows 7 (X64)
Running From: C:\Users\Seby\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 47%
Total physical RAM: 4094.49 MB
Available physical RAM: 2135.92 MB
Total Pagefile: 8187.18 MB
Available Pagefile: 6016.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

2 Drive c: (System) (Fixed) (Total:298.09 GB) (Free:103.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive d: (Big Boy 4) (Fixed) (Total:232.88 GB) (Free:64.79 GB) NTFS
4 Drive e: (Rack #2) (Fixed) (Total:186.31 GB) (Free:88.42 GB) NTFS
8 Drive j: (TTG) (Fixed) (Total:931.51 GB) (Free:54.41 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 232 GB 1024 KB
Disk 2 Online 186 GB 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 931 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB
Partition 2 Primary 2543 KB 298 GB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C System NTFS Partition 298 GB Healthy System (partition with boot components)

Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Big Boy 4 NTFS Partition 232 GB Healthy

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 186 GB 31 KB

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E Rack #2 NTFS Partition 186 GB Healthy

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 1024 KB

Disk: 5
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J TTG NTFS Partition 931 GB Healthy



****** End Of Log ******
___________________________________________________________________________________________________________________
FIRST ROGUE KILLER LOG


RogueKiller V7.1.0 [02/15/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Seby [Admin rights]
Mode: Scan -- Date: 02/21/2012 17:57:39

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 15 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : JavaUpdate (C:\Users\Seby\AppData\Local\Temp\JavaUpdate.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-3414581432-1102115825-1109480904-1001[...]\Run : JavaUpdate (C:\Users\Seby\AppData\Local\Temp\JavaUpdate.exe) -> FOUND
[SUSP PATH] RAT 9 Charge Indicator.lnk : C:\Users\Seby\AppData\Roaming\Microsoft\Installer\{72A099DE-9782-4679-85AD-0731EF87EA53}\_5B5E5C8CB886861B14F432.exe -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320620AS ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] d5de7fbf5d3c564ccc34ee539d7d3c63
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625137345 | Size: 2 Mo

+++++ PhysicalDrive1: WDC WD2500JS-55MHB1 ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] b16f9a91c7515d88ad93899627329709
[BSP] 9b73c093ae19c0f92ddf478fc9e8cbc8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo

+++++ PhysicalDrive2: ST3200822AS ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] a9b182d44b6ae7a681b384b094438d8d
[BSP] 24e24f3e99c2f9d2877f052033f76735 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 190779 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

SECOND LOG

RogueKiller V7.1.0 [02/15/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Seby [Admin rights]
Mode: Remove -- Date: 02/21/2012 17:58:23

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 14 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : JavaUpdate (C:\Users\Seby\AppData\Local\Temp\JavaUpdate.exe) -> DELETED
[SUSP PATH] RAT 9 Charge Indicator.lnk : C:\Users\Seby\AppData\Roaming\Microsoft\Installer\{72A099DE-9782-4679-85AD-0731EF87EA53}\_5B5E5C8CB886861B14F432.exe -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> NOT REMOVED, USE DNSFIX
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320620AS ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] d5de7fbf5d3c564ccc34ee539d7d3c63
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625137345 | Size: 2 Mo

+++++ PhysicalDrive1: WDC WD2500JS-55MHB1 ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] b16f9a91c7515d88ad93899627329709
[BSP] 9b73c093ae19c0f92ddf478fc9e8cbc8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo

+++++ PhysicalDrive2: ST3200822AS ATA Device +++++
--- User ---
[MBR] ef12f5368f8f77015c0b166e86e0577d
[BSP] 60d92a964d6cf61fd00ff5e5c8c3793b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] a9b182d44b6ae7a681b384b094438d8d
[BSP] 24e24f3e99c2f9d2877f052033f76735 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 190779 Mo

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

THIRD LOG and last:

RogueKiller V7.1.0 [02/15/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Seby [Admin rights]
Mode: DNSFix -- Date: 02/21/2012 17:58:36

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{AE83CFD1-F35B-4DC2-BA72-6DF617D22045} : NameServer (78.96.7.88,95.77.94.88) -> REPLACED ()

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

#7 Aaflac
Malware Response Team
Posted 21 February 2012 - 03:23 PM

The above shows you have the newest TDL4 infection, where a hidden partition overpowers the computer's behavior. We basically need to strip down the "power" of the TDL partition and return it to the partition where it belongs.

Item #1:
Please see if you have the Repair your computer option in the Advanced Boot Options menu:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?
Item #2:
If you do not have that option, do you have a Windows Seven installation DVD available?

Item #3:
Also, do you have a USB flash drive available, and do you have access to another computer?

Edited by Aaflac, 21 February 2012 - 03:36 PM.

Old duck...


#8 davidessex

Topic Starter

Posted 21 February 2012 - 06:32 PM

Well, last time I checked I could repair Windows or enter Safe Mode; I also have a Win 7 DVD and access to a different computer, a laptop with Vista. What should I do with the flash drive, and please let me know if any of the procedures include or involve a format of any drives. Thanks.

#9 Aaflac

Malware Response Team

Posted 21 February 2012 - 08:47 PM

...please let me know if any of the procedures includes or involves a format of any drives.

The procedure used to remove the TDL4 hidden partition does not include or involve a format of any drives.
That said, it is always a good idea to back up your data, as suggested here



If you have:
(1) A USB flash drive
(2) Can access the Repair your computer option in the Advanced Boot Options menu
(3) Have another computer available

Then, press on with the following...


Please plug your flash drive into a clean computer.
Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove the flash drive when notified it is done.

Now, you may want to print these instructions so you can access them while this procedure is in progress.

Also, if you have any questions about the information that follows, feel free to ask.



Please plug the flash drive into the infected computer.

Save ListParts64.exe (which should be on the Desktop) to the flash drive.

Next, open Notepad (Press 'Start' orb 'R', and in the Open area, type: notepad)

Copy/paste the following information inside the code box to Notepad:

Disk=0 Partition=1 active
bcdedit
Disk=0 Partition=2 type=07


In Notepad, go to File > Save as...
Save to: the USB flash drive
In File name use: fix.txt
Click: Save


Now, save the fix.txt file on the flash drive, so that you have both ListParts64.exe, and, fix.txt on it.


Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Scan your computer's memory for errors.
  • Command Prompt

  • Select Command Prompt
  • In the Command window, at the blinking cursor, type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • With the flash drive and Notepad open, click the Command window
  • Type e:\listparts64.exe, and press: Enter
    Note: Replace the drive letter e with the drive letter of your flash drive!
  • ListParts64 now shows on the screen.
  • Press the Fix button.
  • When the fix is done, check the List BCD option on the ListParts64 screen, and click: Scan
  • If successful, the following appears: "Scan completed. Result.txt was saved in the same directory the tool is run.", click: OK
  • The program saves the Result.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Close out of everything else.
  • Back at the System Recovery Options, press: Restart, and boot normally into Windows.


Once back in Windows, open the USB flash drive, copy/paste the Result.txt that was run during the procedure above, and provide it in your reply.


Then, run a new Scan with ListParts64 in normal Windows, and also post the new Result.txt in your reply.


If you encounter any obstacles, go to your other computer and post what is happening, any error messages, etc., so we can work the issue.

Old duck...
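The LL2 partition table in the RogueKiller output above (a 2 MiB entry of type 0x17, hidden, marked active) and the fix.txt steps can be illustrated with a small MBR parser. This is an added example, not code from the thread, RogueKiller or ListParts: the sample MBR bytes are constructed to mirror the logged layout, repair_table changes only an in-memory copy using 0-based entry indices (ListParts counts from 1), and the bcdedit step is not mirrored.

```python
import struct

PT_OFFSET, ENTRY_SIZE, SECTOR = 446, 16, 512       # MBR layout: table at byte 446, 4 x 16-byte entries
# MBR type IDs for "hidden" filesystems; 0x17 is the hidden NTFS type shown in the log
HIDDEN_TYPES = {0x16: "hidden FAT16", 0x17: "hidden NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)"}

def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of a 512-byte MBR partition table as dicts."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) first LBA(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + i * ENTRY_SIZE)
        if ptype:
            entries.append({"index": i, "active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return entries

def find_suspicious(entries: list) -> list:
    """Flag an active (bootable) entry whose type ID says 'hidden': the layout the log calls Root.MBR."""
    findings = []
    for e in entries:
        if e["active"] and e["type"] in HIDDEN_TYPES:
            mib = e["sectors"] * SECTOR // 2**20
            findings.append(f"entry {e['index']}: active partition of hidden type 0x{e['type']:02X} "
                            f"({HIDDEN_TYPES[e['type']]}), {mib} MiB at LBA {e['lba']}")
    return findings

def repair_table(mbr: bytes, boot_index: int, hidden_index: int) -> bytes:
    """In-memory equivalent of the fix.txt lines 'Partition=1 active' and 'Partition=2 type=07'
    (0-based indices here; the bcdedit step is not mirrored). Nothing is written to disk."""
    fixed = bytearray(mbr)
    for i in range(4):                                    # exactly one entry keeps the 0x80 flag
        fixed[PT_OFFSET + i * ENTRY_SIZE] = 0x80 if i == boot_index else 0x00
    fixed[PT_OFFSET + hidden_index * ENTRY_SIZE + 4] = 0x07   # plain NTFS: partition no longer hidden
    return bytes(fixed)

def _entry(active: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)

# Constructed sample mirroring the logged LL2 table: the 305242 MiB Windows partition has lost
# its active flag and a 2 MiB hidden NTFS partition near the end of the disk is marked active.
SAMPLE_MBR = (bytes(PT_OFFSET)
              + _entry(False, 0x07, 63, 305242 * 2048)
              + _entry(True, 0x17, 625137345, 4096)
              + bytes(2 * ENTRY_SIZE) + b"\x55\xaa")
```

Reading a real sector 0 and running find_suspicious over it reproduces the "User != LL2 ... KO!" verdict the log gives; the repair function only shows what the two fix.txt lines change in the table.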


#10 Aaflac

Malware Response Team

Posted 23 February 2012 - 08:50 PM

How is it going with the removal of the TDL4 hidden partition?

Old duck...


#11 davidessex

Topic Starter

Posted 03 March 2012 - 04:13 PM

Hi guys,

I was not able to continue with the disinfection due to some personal problems; I need to solve this RL issue first and hopefully next week I will continue with this.

Thank you for understanding,
SP

#12 Aaflac

Malware Response Team

Posted 03 March 2012 - 04:21 PM

Post when you are ready.

Hope the RL issue goes well.

Old duck...


#13 davidessex

Topic Starter

Posted 15 March 2012 - 05:04 AM

Hello,

I am back and hope to fix my computer, thanks for the time and effort you are putting into this.

I have tried to work out the steps; I prepared the flash stick as you instructed, and after pressing the Repair your computer option I got the following screen that prevented me from continuing:
(the Win disc was inside the CD-ROM drive)


WINDOWS BOOT MANAGER

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1. Insert your Windows installation disc and restart your comp.
2. Choose your language settings , and then click next
3. Click "Repair your computer"

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

STATUS: 0xc000000F

Info: The boot selection failed because a required device is inaccessible.

______________________________________________________________________________________________________
PS: As I have mentioned, I am using ESET v5 and it is fully activated, preventing some programs from working as expected. Is it OK to disable the following option from ADVANCED SETUP -> WEB AND MAIL -> PROTOCOL FILTERING [This option allows you to check the data transmitted via HTTP and POP3 protocols, employing the ThreatSense scanning technology]?

#14 Aaflac

Malware Response Team

Posted 15 March 2012 - 08:02 PM

Is your computer configured to start from a CD or DVD?
You may need to check your computer's BIOS settings to find out.

When you start the computer, check the initial boot screen for the setup key. It may say:
Press Delete to enter setup
On some systems you can enter the BIOS by pressing F2

There are more options, but, you get the idea...


Also, have you tried to enter the System Recovery Options from the Advanced Boot Options without using the Windows 7 DVD?
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your Computer menu item.
  • Choose your language settings, and then click: Next
  • Select the operating system you want to repair, and then click: Next
  • Select your user account and click Next....

Edited by Aaflac, 15 March 2012 - 08:23 PM.

Old duck...


#15 davidessex

Topic Starter

Posted 16 March 2012 - 08:17 AM

Well, this is the issue: when I press F8 and enter the Advanced Boot Options I get the error mentioned above, and when I try the second option and boot straight from the CD nothing happens. I checked the BIOS and it is set up to boot first from CD; my CD-ROM unit is new also, and I have tried a different boot CD and it is still not working. It looks like my computer is not booting from other devices. Can this be related to the error I have mentioned above?

Edited by davidessex, 16 March 2012 - 03:03 PM.