Motherboard virus? 2 hard-drives reinstalled still infected


  • This topic is locked
144 replies to this topic

#1 Bobbinet
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 27 June 2012 - 10:47 AM

Can a computer have a virus beyond the hard drive? After fighting with the virus for a month, I did a complete restore. I did it correctly. It had the same issues as before. It had names of all the virus scans I had previously used under Programs. I then put in the original hard drive I thought was no good. It booted right up with the programs that were on it when last used. I had not used it since 2010. It also showed things from recent scans. How can this be? I then reinstalled it with my factory disk. This virus goes in deep. It has altered the entire system. I am at a loss. How can I wipe it clean to start new? On both of the installs I never gained access to the internet, but using the search box, it showed all sorts of changes and updates for the date: Google Chrome, which I wasn't using and had completely removed, Malwarebytes, Unhide, HijackThis, and many more. I didn't run any scans to post yet. I am leery of going online with it. The virus I have was always connected and blocking me from help sites. Mail was blocked and sometimes read before I received it. I have two computers down now in little over a month. Can it go through the router? Do I need to change all my emails now? Is the computer now toast? I had bought an external hard drive and saved my pictures and medical to it prior to the reinstalls; how can I clean it, and also a flash drive? I am using a different computer to post this.
Thank you to whoever changed my password so I could get back on. I hope it continues to work.
This computer is an HP DV1000 with XP Home.

Edited by Bobbinet, 27 June 2012 - 10:52 AM.



#2 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 27 June 2012 - 07:24 PM

I can't seem to get online. But the virus was sending tiny bytes through 1394? I wanted to add that I think the whole system has been over-written and even though I did a complete restore it is changing the files to its settings. When I powered it up today there were 633 hits on the search for the date. Many of them in the recycle bin. And the legit ones are empty folders. I went into some and the "iis6" file says... Initial thread Locale=409, returned from France fix with locale 409, then many entries for OC_. The NTUSER readme has lots of strange things like "I see you now" and "nerds are cool". There is no string values and data value 06290bd0-48aa-11d2-8432-006008c3fbfc. I wish I could upload some of these. Is it safe to transfer via a flash drive from a clean computer? I can't go to safe mode or change any registry entries. I can't upload drivers, it has its own and won't boot, just keeps restarting. I have no icons on desktop and it keeps resetting to 800x600. I can't get my needed driver for the wireless but I am trying. If I get it online I can post some things. It is an EVIL AND WELL EXECUTED VIRUS! It records everything. It owns everything. I am hoping you can ID it by some of its properties.

#3 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 30 June 2012 - 08:17 PM

I got the computer online. I can't run any scans or exe programs. My task manager shows IEXPLORE.EXE which I know isn't correct. While searching today it encountered errors and had to be closed. Microsoft suggested I do a chkdsk. I tried last night from the cmd prompt and couldn't do anything as the system was in use by another process. I did it today by following their directions. It took forever. When it came back up I now have version 6 of Explorer running (was 7). I saw that there was a new virus discovered late last year that writes to the BIOS and completely takes over. It then adds multiple issues to the computer. I need help to run any scans, they only flash. Also sadly the computer I was using (#3) has also been hit. The virus seems to jump from laptop to laptop. We have 3 that are badly infected in the last month, all with slightly different issues but all running on different OS. I have a process running " L.exe ", also a WOW folder with many entries such as ... " %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 ". I have the Phoenix motherboard and wonder if this is the " Mebromi virus ". :(

Edited by Bobbinet, 30 June 2012 - 09:20 PM.


#4 HelpBot (Bleepin' Binary Bot)
  • Bots
  • 12,740 posts
  • Gender:Male

Posted 02 July 2012 - 10:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/458525 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 02 July 2012 - 02:59 PM

History of this computer is... I bought it two years ago used and not able to power on. It was in near new condition with all the stickers still attached and the accessory bag still sealed with all the disks/CDs. It was diagnosed as motherboard failure. I purchased a new motherboard and paid someone to install it. I used it about 6 months and one day it went to a black screen that was either dumping or creating files rapidly. I shut it off. It would not boot back up. I thought the hard drive failed so I bought a "new" one off eBay. I installed all the disks and it seemed OK. Then one day the sound became choppy. I did a sound check but everything was fine. My daughter gave me her Dell laptop so I quit using it for a while. The Dell was hit by a virus and I could not get online so I went back to this one. It just wasn't acting right, seemed busy and I noticed it showed networking on the task manager. I then noticed I could not download updates and even if I disabled items in msconfig or services they continued to run. I could not do a chkdsk or file check because the process was in use by another process. I could not register at help sites because I would not get the emails. The ones I did get I was not able to log on to. I used to get so many emails and I was getting very few. It also appeared they were already read because they didn't show up highlighted, and sometimes they were in the deleted folder. Since I had all the disks, I decided to do a complete restore. When finished it seemed I had the same issues. I only put in the XP restore disk and never used the drivers or Works disk but they were already installed and looked and acted differently. I tried to install the driver CD but it would not use them after loading them in. I then got the old hard drive and put it in and amazingly it still had some of the programs still on it and booted right up. I reinstalled XP on it and had the very same results as the other drive.
I cannot open most help sites or sites that could offer help. The computer will say can't open the page, even though you can plainly see it. Sometimes it would just shut down IE. The firewall, even though enabled and allowing no sharing, continues to share. I have had three computers fail in 1 month. I managed to get this one back online but I don't feel it is under my control. I don't have any AV installed, but I find Avast4 in the searches. There are so many issues. I am overwhelmed. The computer (#3) that I actually started this thread with, our "clean" one, was hit by this one the day I got it back online. It is a Dell D620. I had never put any passwords in it and I went to power it up and the desktop was a little different and wanted a logon password. I kept clicking on it and it came up to a new logon page with copyright Microsoft 1985-2000. Whatever is on this either goes deeper than the hard drive or bypassed the XP disks on the reinstall. I think the OS is OC as indicated by my files. Chinese version. Confused? Me too. It's almost too much to put into words. If we could first make this thing not on a group or domain I would feel better. I was able to run the scans but I doubt they show only what my hijacker will allow. I disabled the firewall and used Defogger prior to the scans. I have no AV to disable.

Attached Files



#6 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 03 July 2012 - 07:03 PM

Is this normal? " HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\CINTLGNT " or " HKEY_USERS\S-1-5-21-1292428093-1390067357-682003330-1003\Software\Microsoft\Windows\CurrentVersion\TINTLGNT " and many more TINTLGNT, PINTLGNT, CINTLGNT
HKEY_USERS\S-1-5-21-1292428093-1390067357-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenResFixer - AdjustRecycleBinPosition value=2
I have so many cookies and tmp files I can't delete. In use....

All my system icons look vintage.

Today most sites I go into are busy with a fast clicking noise and then even though I can see the page, a box pops up Cant open the page. It is some fb remnant.

Also should desktop.ini be under admin tools? (Below)

[LocalizedFileNames]
Component Services.lnk=@C:\WINDOWS\system32\comres.dll,-661
Computer Management.lnk=@%SystemRoot%\system32\shell32.dll,-22023
Event Viewer.lnk=@%SystemRoot%\system32\shell32.dll,-22029
Performance.lnk=@%SystemRoot%\system32\shell32.dll,-22055
Data Sources (ODBC).lnk=@%SystemRoot%\system32\shell32.dll,-22025
Services.lnk=@%SystemRoot%\system32\shell32.dll,-22059
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21762

Edited by Bobbinet, 03 July 2012 - 08:38 PM.


#7 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 04 July 2012 - 05:11 PM

I guess I needed to attach?

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Owner at 13:42:55 on 2012-07-02
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341101584578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341241926390
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1E64A6E9-C577-427A-97A3-0BA97443FE91} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-07-02 15:14:07 -------- d-----w- c:\program files\ACW
2012-07-01 21:27:06 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-01 03:53:22 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2012-06-30 03:11:20 -------- d-sh--w- c:\documents and settings\owner\UserData
2012-06-29 05:26:17 -------- d-----w- c:\documents and settings\all users\application data\hpqwmi
2012-06-28 04:47:16 157056 ----a-r- c:\windows\system32\drivers\tifm21.sys
2012-06-28 02:39:06 86016 ----a-r- c:\windows\system32\mdmxsdk.dll
2012-06-28 02:39:06 39018 ----a-r- c:\windows\system32\hsfci012.dll
2012-06-28 02:39:06 -------- d-----w- c:\program files\CONEXANT
2012-06-28 02:39:05 703232 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2012-06-28 02:39:05 207232 ----a-r- c:\windows\system32\drivers\HSFHWICH.sys
2012-06-28 02:39:05 13059 ----a-r- c:\windows\system32\drivers\mdmxsdk.sys
2012-06-28 02:39:05 1038208 ----a-r- c:\windows\system32\drivers\HSF_DP.sys
2012-06-28 00:19:47 163840 ----a-r- c:\windows\system32\igfxres.dll
2012-06-28 00:19:47 -------- d-----w- C:\Intel
2012-06-27 23:48:05 -------- d-----w- c:\program files\Hp
2012-06-27 23:46:47 819200 ----a-w- c:\program files\windows media player\wmsetsdk.exe
2012-06-27 23:45:56 -------- d-----w- c:\windows\RegisteredPackages
2012-06-27 23:45:41 86016 ----a-w- c:\windows\system32\WACntlPnl.cpl
2012-06-27 23:45:22 -------- d-----w- c:\program files\common files\SureThing Shared
2012-06-27 23:43:43 -------- d-----w- c:\program files\common files\TiVo Shared
2012-06-27 23:43:40 -------- d-----w- c:\program files\Sonic
2012-06-27 23:42:20 -------- d-----w- c:\program files\common files\Sonic Shared
2012-06-27 23:41:10 526848 ----a-w- c:\windows\system32\hhctrl.ocx
2012-06-27 23:38:30 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2012-06-27 23:38:28 32356 ------w- c:\windows\system32\pusbfd1.sys
2012-06-27 23:38:28 26629 ------w- c:\windows\system32\pusbfd2.vxd
2012-06-27 23:38:27 -------- d-----w- C:\swsetup
2012-06-27 23:38:22 561664 ----a-w- c:\windows\system32\dllcache\msobmain.dll
2012-06-27 23:38:00 36096 ----a-w- c:\windows\system32\drivers\intelppm.sys
2012-06-27 23:38:00 35328 ----a-w- c:\windows\system32\drivers\processr.sys
2012-06-27 23:37:26 65536 ----a-w- c:\windows\system32\hpqactn.dll
2012-06-27 23:37:26 425984 ----a-w- c:\windows\system32\hpqPres.dll
2012-06-27 23:37:26 32768 ----a-w- c:\windows\system32\eabhbrn8.dll
2012-06-27 23:37:26 225280 ----a-w- c:\windows\system32\cpqinfo.dll
2012-06-27 23:37:15 7432 ----a-w- c:\windows\system32\drivers\eabfiltr.sys
2012-06-27 23:37:15 52736 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-06-27 23:37:15 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-06-27 23:37:15 24576 -c--a-w- c:\windows\system32\dllcache\kbdclass.sys
2012-06-27 23:37:15 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2012-06-27 23:37:10 5220 ----a-w- c:\windows\system32\drivers\EabUsb.sys
2012-06-27 23:36:20 -------- d-----w- c:\program files\muvee Technologies
2012-06-27 23:36:20 -------- d-----w- c:\program files\common files\muvee Technologies
2012-06-27 23:35:45 -------- d-----w- c:\program files\Zone.com
2012-06-27 23:28:32 749568 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iKernel.dll
2012-06-27 23:28:32 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\ctor.dll
2012-06-27 23:28:32 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\DotNetInstaller.exe
2012-06-27 23:28:32 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iscript.dll
2012-06-27 23:28:32 192644 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iGdi.dll
2012-06-27 23:28:32 180224 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iuser.dll
2012-06-27 23:28:31 323716 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\setup.dll
2012-06-27 23:27:40 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll
2012-06-27 23:27:40 20480 ----a-w- c:\windows\system32\IVIresize.dll
2012-06-27 23:27:40 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll
2012-06-27 23:27:40 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll
2012-06-27 23:27:40 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll
2012-06-27 23:27:40 188416 ----a-w- c:\windows\system32\IVIresizePX.dll
2012-06-27 23:27:30 -------- d-----w- c:\program files\InterVideo
2012-06-27 23:27:20 212992 ------w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2012-06-27 23:25:53 -------- d-----w- c:\documents and settings\owner\local settings\application data\ApplicationHistory
2012-06-27 23:23:37 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2012-06-27 23:21:59 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2012-06-27 23:17:59 -------- d-----w- C:\SYSTEM.SAV
2012-06-27 23:07:14 -------- d-----w- c:\windows\system32\NtmsData
2012-06-27 21:56:05 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-06-27 20:43:47 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2012-06-04 22:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
.
============= FINISH: 13:43:56.01 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Broadcom 802.11 Wireless LAN Adapter
Conexant AC-Link Audio
Hotfix for Windows XP (KB915865)
HP Help and Support
HP Software Update
HP User Guides 0001
HP Wireless Assistant
Intel® Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
muvee autoProducer 4.0 - SE
Quick Launch Buttons 5.10 B2
REALTEK Gigabit and Fast Ethernet NIC Driver
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Synaptics Pointing Device Driver
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Zone Deluxe Games
.
==== End Of File ===========================

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-07-02 14:00:36

Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 IC25N060ATMR04-0 rev.MO3OAD5A

Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwldrpob.sys

 

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF803DABF]

? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

---- EOF - GMER 1.0.15 ----
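As an added example (not code from this thread, from the DDS tool, or from any of the posters), here is a small Python triage parser for the "Created Last 30" section of a DDS log like the one posted above. It reads each record as date, time, size (dashes for directories), attribute flags and path, then pulls out recently created kernel drivers (.sys files), which is the part of such a log a responder checks first against the driver list GMER reports. The record format is taken from the posted log; the sample lines below are copied from that log so the script runs offline; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One DDS "Created Last 30" record:
#   <date> <time> <size or --------> <attribute flags> <path>
# The attribute field starts with 'd' for directories, whose size is printed as dashes.
_ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+?)\s*$"
)

# Lines copied from the DDS log posted in this thread, embedded so the example runs offline.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
=============== Created Last 30 ================
.
2012-07-02 15:14:07 -------- d-----w- c:\program files\ACW
2012-06-28 04:47:16 157056 ----a-r- c:\windows\system32\drivers\tifm21.sys
2012-06-27 23:38:30 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2012-06-27 23:38:28 32356 ------w- c:\windows\system32\pusbfd1.sys
2012-06-04 22:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
.
==================== Find3M ====================
"""


@dataclass
class CreatedEntry:
    created: datetime
    size: Optional[int]   # None for directories (DDS prints dashes instead of a size)
    attrs: str            # raw flag string as DDS prints it, e.g. 'd-----w-' or '----a-r-'
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_driver(self) -> bool:
        return self.path.lower().endswith(".sys")


def parse_created_entries(text: str) -> List[CreatedEntry]:
    """Return the records of the 'Created Last 30' section, in log order."""
    entries: List[CreatedEntry] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("="):
            # Section headers are rows of '='; enter on ours, leave on the next one.
            in_section = "Created Last 30" in line
            continue
        if not in_section:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # skips the '.' spacer lines DDS emits between blocks
        date, time, size, attrs, path = m.groups()
        entries.append(CreatedEntry(
            created=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            size=None if size.startswith("-") else int(size),
            attrs=attrs,
            path=path,
        ))
    return entries


def created_within(entries: List[CreatedEntry], days: int,
                   reference: Optional[datetime] = None) -> List[CreatedEntry]:
    """Entries created within `days` of `reference` (default: newest timestamp in the log)."""
    if not entries:
        return []
    ref = reference or max(e.created for e in entries)
    cutoff = ref - timedelta(days=days)
    return [e for e in entries if e.created >= cutoff]


def kernel_drivers(entries: List[CreatedEntry]) -> List[CreatedEntry]:
    """All .sys files in the section, newest first."""
    return sorted((e for e in entries if e.is_driver),
                  key=lambda e: e.created, reverse=True)


def triage_report(entries: List[CreatedEntry], days: int = 7) -> str:
    """Human-readable summary: counts, then the kernel drivers with size and flags."""
    recent = created_within(entries, days)
    lines = [
        f"{len(entries)} entries parsed, {sum(e.is_dir for e in entries)} directories, "
        f"{len(recent)} created in the last {days} days of the log",
        "kernel drivers (.sys), newest first:",
    ]
    for e in kernel_drivers(entries):
        lines.append(f"  {e.created:%Y-%m-%d %H:%M}  {(e.size or 0):>8}  {e.attrs}  {e.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(parse_created_entries(SAMPLE_DDS)))
```

Running it on the sample prints the three drivers from the posted log, each with its creation time, so they can be matched against the driver entries GMER listed and against the device-install dates the poster describes.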





#8 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2012 - 06:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#9 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 04 July 2012 - 06:37 PM

I am here, will try to run scans now...

#10 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 04 July 2012 - 06:41 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-04 18:39:23
-----------------------------
18:39:23.031 OS Version: Windows 5.1.2600 Service Pack 2
18:39:23.031 Number of processors: 1 586 0xD08
18:39:23.031 ComputerName: KENNYANDDORIS UserName: Owner
18:39:25.000 Initialize success
18:39:35.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
18:39:35.453 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD5A Size: 57231MB BusType: 3
18:39:35.484 Disk 0 MBR read successfully
18:39:35.484 Disk 0 MBR scan
18:39:35.484 Disk 0 Windows XP default MBR code
18:39:35.500 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 57223 MB offset 63
18:39:35.515 Disk 0 scanning sectors +117194175
18:39:35.671 Disk 0 scanning C:\WINDOWS\system32\drivers
18:39:43.453 Service scanning
18:39:56.640 Modules scanning
18:40:03.125 Disk 0 trace - called modules:
18:40:03.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
18:40:03.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x829d3370]
18:40:03.187 3 CLASSPNP.SYS[f851505b] -> nt!IofCallDriver -> \Device\0000005e[0x829d2ae8]
18:40:03.718 5 ACPI.sys[f838b620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x829d38e8]
18:40:03.734 Scan finished successfully
18:40:20.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:40:20.890 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"






#11 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2012 - 06:50 PM

Your MBR is fine. If you have carried out the reinstall correctly then you must be clean.

I notice that some of your comments are actually not accurate which might be causing you a bit of PC paranoia - don't worry it happens to us all. For example:

"My task manager shows IEXPLORE.EXE which I know isn't correct"


That's a legitimate system file.


It might be a good idea to run some straightforward tools to see what comes up. If the reinstall was done correctly these will both be clean

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then an online scan with ESET

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.
m0le is a proud member of UNITE

#12 Bobbinet
  • Topic Starter
  • Members
  • 164 posts
  • Gender:Female
  • Location:Tennessee

Posted 04 July 2012 - 07:34 PM

Here is the MB log... I don't think the other (ESET) is working. When does it start working? Also I thought iexplore.exe was normal, not IEXPLORE.EXE, which runs at 99% CPU till I end it.
Also while watching mbam scan, there were all sorts of programs I had before I did a reinstall that are not here. I don't understand that.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.04.06

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: KENNYANDDORIS [administrator]

7/4/2012 7:12:01 PM
mbam-log-2012-07-04 (19-12-01).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196636
Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#13 Bobbinet (Topic Starter)

Posted 04 July 2012 - 07:51 PM

I had to go find the program in my C drive and double click it. It is downloading now... There was no start button till I did this.

Also, why in the log is there "Scan options disabled: P2P"??

Edited by Bobbinet, 04 July 2012 - 07:55 PM.


#14 Bobbinet (Topic Starter)

Posted 04 July 2012 - 08:32 PM

It ran without finding anything. I know something is wrong; shame it doesn't show up. I can't get updates. I can't use Microsoft Fixit, I can't install Adobe Reader, I can't install a free PDF reader. I just opened a new Live Mail account and it has been viewed 64 times (as of yesterday); I have not been in there that many times. I am not getting my mail (Outlook). I had to get you guys to reset my password; I never got the emails, it was done via Facebook communications. I have no icons on the desktop except for ones I put there. I had two unknown users today that I deleted via registry help. Can you please tell me how to reformat a hard drive and reinstall fresh without programs I had previously already installed? And tell me how to stop the "group" and have a single connection to the router. I also had registered at two other help sites and never received the emails to activate them. My mail was already read before I would open them. And is the NTUSER read me really supposed to have "I see you now" and "nerds are cool"??? My desktop is controlled by "User". The global sharing is on regardless of my firewall settings of no sharing and no exceptions. When I did the reinstalls the CD drive rarely had activity. It was like it did it from the hard drive and not the CD drive. I just don't understand.... Yes, I am paranoid now after 3 laptops in one month.

#15 m0le (Malware Response Team)

Posted 05 July 2012 - 05:24 PM

[quote]Also I thought iexplore.exe was normal, not IEXPLORE.EXE[/quote]

Windows is not case sensitive so whether it's capitalised or not it's the same file.

[quote]It ran without finding anything. I know something is wrong.[/quote]

The logs seem to suggest there isn't anything wrong.

[quote]Yes I am paranoid [/quote]

Yes, you appear to be.

[quote]I cant get updates. [/quote]

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


[quote]I cant use Microsoft fixit[/quote]

It might not be working, so if the Fixit is for the updates then it wouldn't work. That's why we're running FSS.

[quote]I cant install free pdf reader.[/quote]

Why? What happens?

[quote]I just opened a new live mail account and it has been viewed 64 times (As of yesterday) I have not been in there that many times. [/quote]

If you think someone has hacked your email then change the passwords on a clean computer.

[quote]I have no icons on the desktop except for ones I put there. [/quote]

Which icons do you think should be there and who puts them there?


[quote]I had two unknown users today that I deleted via registry help.[/quote]

Unknown users where? What is registry help?

[quote]Can you please tell me how to reformat a hard-drive and reinstall fresh without programs I had previously already installed. [/quote]

A clean reformat and reinstall will leave only the programs that were loaded at the factory.

[quote]And is the NTUSER read me really suppose to have "" "I see you now" and "nerds are cool". ???[/quote]

I don't know, but nerds love in-jokes.

[quote]My desktop is controlled by "User". The global sharing is on regardless of my firewall settings of no sharing and no exceptions. When I did the reinstalls the cd drive rarely had activity. It was like it did it from the hard drive and not the cd drive. I just dont understand.... [/quote]

A clean reformat and reinstall removes all malware except for MBR infections, and we have checked that and it was clean.