Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Generic Dropper


  • Please log in to reply
17 replies to this topic

#1 jmdowns

jmdowns

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 09:18 AM

I need help removing the Trojan Horse Generic Dropper bug from my computer. I have tried several novice things I read online, and have AVG, but cannot get it removed. We have removed most all of our files & even tried to reset the computer to factory settings but it is still here. I just want to wipe it out, install a better security program, and start all over. If not possible, then I will buy a new laptop but of course would like to prevent that if possible. Thanks for your help in advance!

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:45 AM

Posted 17 September 2012 - 10:16 AM

Hello and welcome. I moved this to the Am I Infected forum for now..
What did you run?

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.





Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware Posted Image and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

Edited by boopme, 17 September 2012 - 10:16 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 10:59 AM

Hi, thanks for your reply. I have MalwareBytes but it doesnt seem to get rid of it, nor does AVG. Here is what I got with the MiniToolBar:

MiniToolBox by Farbar Version: 23-07-2012
Ran by DOWNS-Laptop (administrator) on 17-09-2012 at 11:55:47
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Atheros AR9285 802.11b/g/n WiFi Adapter = Wireless Network Connection (Connected)
Realtek PCIe FE Family Controller = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add address name="Local Area Connection 2" address=169.254.38.1


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : DOWNS-Laptop-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : carolina.rr.com

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : D6-17-FE-3A-D4-35
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : carolina.rr.com
Description . . . . . . . . . . . : Atheros AR9285 802.11b/g/n WiFi Adapter
Physical Address. . . . . . . . . : C4-17-FE-3A-D4-35
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e4a1:109d:64cb:129e%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, September 17, 2012 8:02:47 AM
Lease Expires . . . . . . . . . . : Tuesday, September 18, 2012 11:51:38 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 331618302
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-FE-0A-F2-00-26-2D-B9-64-E1
DNS Servers . . . . . . . . . . . : 209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 00-26-2D-B9-64-E1
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Pinging google.com [74.125.134.100] with 32 bytes of data:
Reply from 74.125.134.100: bytes=32 time=31ms TTL=48
Reply from 74.125.134.100: bytes=32 time=27ms TTL=48

Ping statistics for 74.125.134.100:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 31ms, Average = 29ms

Pinging yahoo.com [72.30.38.140] with 32 bytes of data:
Reply from 72.30.38.140: bytes=32 time=1286ms TTL=52
Request timed out.

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 1286ms, Maximum = 1286ms, Average = 1286ms

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Request timed out.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
15...d6 17 fe 3a d4 35 ......Microsoft Virtual WiFi Miniport Adapter
13...c4 17 fe 3a d4 35 ......Atheros AR9285 802.11b/g/n WiFi Adapter
11...00 26 2d b9 64 e1 ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.101 281
192.168.1.101 255.255.255.255 On-link 192.168.1.101 281
192.168.1.255 255.255.255.255 On-link 192.168.1.101 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.101 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.101 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
13 281 fe80::/64 On-link
13 281 fe80::e4a1:109d:64cb:129e/128
On-link
1 306 ff00::/8 On-link
13 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Catalog5 02 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

x64-Catalog5 02 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/14/2012 11:38:46 AM) (Source: HP Advisor) (User: )
Description: Timestamp: 09/14/2012 11:38:46.277;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [1696];
Message: Application::OnStartup() failed !!!, shutdown application... ;
EventId: 400;
Severity: Critical;
Machine: DOWNS-LAPTOP-PC;
Application Domain: HPAdvisor.exe;
Process Id: 4172;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (09/12/2012 00:27:40 PM) (Source: ESENT) (User: )
Description: wlmail (3536) WindowsLiveMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (09/12/2012 00:27:40 PM) (Source: ESENT) (User: )
Description: wlmail (3536) WindowsLiveMail0: Error (-1032) during backup of a database (file C:\Users\Downs Family\AppData\Local\Microsoft\Windows Live Mail\Mail.MSMessageStore). The database will be unable to restore.

Error: (09/12/2012 00:27:40 PM) (Source: ESENT) (User: )
Description: wlmail (3536) WindowsLiveMail0: An attempt to create the file "C:\Users\Downs Family\AppData\Local\Microsoft\Windows Live Mail\Mail.pat" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8).

Error: (09/11/2012 09:25:21 AM) (Source: HP Advisor) (User: )
Description: Timestamp: 09/11/2012 09:25:20.937;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [2288];
Message: Application::OnStartup() failed !!!, shutdown application... ;
EventId: 400;
Severity: Critical;
Machine: DOWNS-LAPTOP-PC;
Application Domain: HPAdvisor.exe;
Process Id: 1872;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (09/11/2012 08:35:11 AM) (Source: MsiInstaller) (User: NT AUTHORITY)NT AUTHORITY
Description: SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2012 -- SA_Error25101: StandardAction(0xC007620D): We have detected that Norton Internet Security, is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Error: (09/10/2012 08:51:51 PM) (Source: HP Advisor) (User: )
Description: Timestamp: 09/10/2012 20:51:51.047;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [3304];
Message: Application::OnStartup() failed !!!, shutdown application... ;
EventId: 400;
Severity: Critical;
Machine: DOWNS-LAPTOP-PC;
Application Domain: HPAdvisor.exe;
Process Id: 3104;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (09/05/2012 08:24:36 PM) (Source: HP Advisor) (User: )
Description: Timestamp: 09/05/2012 20:24:35.768;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [5644];
Message: Application::OnStartup() failed !!!, shutdown application... ;
EventId: 400;
Severity: Critical;
Machine: DOWNS-LAPTOP-PC;
Application Domain: HPAdvisor.exe;
Process Id: 5496;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (09/01/2012 11:44:53 AM) (Source: Application Error) (User: )
Description: Faulting application name: splwow64.exe, version: 6.1.7600.16385, time stamp: 0x4a5bd3ca
Faulting module name: ntdll.dll, version: 6.1.7600.16915, time stamp: 0x4ec4b137
Exception code: 0xc0000710
Fault offset: 0x000000000006dc89
Faulting process id: 0x364
Faulting application start time: 0xsplwow64.exe0
Faulting application path: splwow64.exe1
Faulting module path: splwow64.exe2
Report Id: splwow64.exe3


System errors:
=============
Error: (09/17/2012 11:52:24 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume .

Error: (09/17/2012 11:52:24 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume .

Error: (09/17/2012 11:51:48 AM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (09/17/2012 11:51:48 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (09/17/2012 09:15:13 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x80070005

Error: (09/17/2012 09:15:13 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x80070005

Error: (09/17/2012 09:15:00 AM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (09/17/2012 09:15:00 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (09/17/2012 09:14:04 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume .

Error: (09/17/2012 08:03:26 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume .


Microsoft Office Sessions:
=========================
Error: (07/16/2012 09:22:27 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2850 seconds with 660 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
2010 Tax Program (Version: 2010.00)
2011 Tax Program (Version: 2011.00)
Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 3.0.0.4080)
Adobe Flash Player 11 Plugin (Version: 11.3.300.270)
Adobe Reader 9.5.0 (Version: 9.5.0)
Adobe Shockwave Player (Version: 11.0)
Atheros Driver Installation Program (Version: 9.0)
AVG 2012 (Version: 12.0.2197)
AVG 2012 (Version: 12.0.2221)
AVG 2012 (Version: 12.0.2437)
AVG 2012 (Version: 2012.0.2221)
BlackBerry Device Software Updater (Version: 6.0.1.37)
CameraHelperMsi (Version: 13.10.1217.0)
Citrix online plug-in - web (Version: 11.2.0.31560)
Citrix online plug-in (DV) (Version: 11.2.0.31560)
Citrix online plug-in (HDX) (Version: 11.2.0.31560)
Citrix online plug-in (USB) (Version: 11.2.0.31560)
Citrix online plug-in (Web) (Version: 11.2.0.31560)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Conexant HD Audio (Version: 4.98.60.50)
CyberLink DVD Suite (Version: 7.0.2111)
CyberLink MediaShow (Version: 4.1.3325)
CyberLink PowerDVD 8 (Version: 8.0.1.1005)
D3DX10 (Version: 15.4.2368.0902)
DHTML Editing Component (Version: 6.02.0001)
Driver Whiz (Version: 8.0.1)
erLT (Version: 1.20.138.34)
Google Chrome (Version: 21.0.1180.89)
Google Drive (Version: 1.3.3209.2688)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.3.2710.138)
Google Update Helper (Version: 1.3.21.115)
HDAUDIO Soft Data Fax Modem with SmartCP (Version: 7.80.4.50)
Hewlett-Packard ACLM.NET v1.1.2.0 (Version: 1.00.0000)
HL-2270DW (Version: 1.0.5.0)
HP Advisor (Version: 3.4.12850.3526)
HP Customer Experience Enhancements (Version: 6.0.1.7)
HP Games (Version: 1.0.0.71)
HP Quick Launch Buttons (Version: 6.50.15.1)
HP Setup (Version: 1.2.3560.3170)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Support Assistant (Version: 6.1.12.1)
HP Update (Version: 5.001.000.014)
HP User Guides 0156 (Version: 1.02.0001)
HP Wireless Assistant (Version: 3.50.9.1)
InstallIQ Updater (Version: 1.4.3.0)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.2202)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 15 (64-bit) (Version: 6.0.150)
Java™ 6 Update 23 (Version: 6.0.230)
Java™ SE Development Kit 6 Update 15 (64-bit) (Version: 1.6.0.150)
Juniper Networks Setup Client Activex Control (Version: 2.1.1.1)
Junk Mail filter update (Version: 15.4.3502.0922)
LabelPrint (Version: 2.5.2111)
Lexmark 7100 Series
Logitech Vid HD (Version: 7.2 (7240))
Logitech Webcam Software (Version: 2.0)
LWS Facebook (Version: 13.10.1216.0)
LWS Gallery (Version: 13.10.1216.0)
LWS Help_main (Version: 13.10.1224.0)
LWS Launcher (Version: 13.10.1224.0)
LWS Motion Detection (Version: 13.10.1218.0)
LWS Pictures And Video (Version: 13.10.1218.0)
LWS Twitter (Version: 13.00.1216.0)
LWS Video Mask Maker (Version: 13.10.1216.0)
LWS VideoEffects (Version: 13.00.1774.0)
LWS Webcam Software (Version: 13.00.1774.0)
LWS WLM Plugin (Version: 1.10.1222.0)
LWS YouTube Plugin (Version: 13.10.1216.0)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Live Search Toolbar (Version: 3.0.566.0)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Microsoft Works (Version: 9.7.0621)
Mozilla Firefox 5.0.1 (x86 en-US) (Version: 5.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
muvee Reveal (Version: 7.0.43.12698)
Norton Internet Security (Version: 17.0.0.136)
Norton Online Backup (Version: 1.2.20.0)
Outlook Setup Tool (Version: 2.0.14)
PC MightyMax 2012
Power2Go (Version: 6.0.3311)
PowerDirector (Version: 7.0.3311)
QLBCASL (Version: 6.40.17.2)
QuickBooks (Version: 22.0.4009.2206)
QuickBooks Premier: Accountant Edition 2012 (Version: 22.0.4009.2206)
Realtek 8136 8168 8169 Ethernet Driver (Version: 1.00.0007)
Realtek USB 2.0 Card Reader (Version: 6.1.7100.30093)
Recovery Manager (Version: 5.5.2202)
SampleTestInstall (Version: 1.0.0.0)
Skype™ 5.5 (Version: 5.5.113)
SmartWebPrinting (Version: 140.0.186.000)
SUPERAntiSpyware (Version: 5.5.1012)
SupportSoft Assisted Service (Version: 15)
Synaptics Pointing Device Driver (Version: 13.2.2.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
VO Scan client for Citrix (Version: 2009.3.0)
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0) (Version: 11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)

========================= Memory info: ===================================

Percentage of memory in use: 75%
Total physical RAM: 1979.2 MB
Available physical RAM: 493.1 MB
Total Pagefile: 3958.39 MB
Available Pagefile: 1854.96 MB
Total Virtual: 4095.88 MB
Available Virtual: 3976.71 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:220.4 GB) (Free:142.27 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:12.29 GB) (Free:2.05 GB) NTFS
3 Drive e: (DRAKE11_C2B12) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\DOWNS-LAPTOP-PC

Administrator Downs Family DOWNS-Laptop
Guest


**** End of log ****

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:45 AM

Posted 17 September 2012 - 11:48 AM

OK, when you run MBAM ,malwarebytes.. run RKill first then immediately run MBAM.

Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 12:58 PM

I apologize~ Malwarebytes has either been deleted or is corrupt now. When I try to click on the link to download it again, I am taken to "majorgeeks.com"...is that legit or is that the virus redirecting me again? Thanks!

#6 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 01:24 PM

Nevermind, go Malwarebytes downloaded again and here are the results:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.17.08

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
DOWNS-Laptop :: DOWNS-LAPTOP-PC [administrator]

9/17/2012 2:10:04 PM
mbam-log-2012-09-17 (14-10-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 246397
Time elapsed: 12 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: sp -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^‰^ -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Downs (TrojanProxy.Agent) -> Quarantined and deleted successfully.
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\80000000.@ (Rootkit.0Access.64) -> Quarantined and deleted successfully.

(end)


Should I still run Rkill or should i do ESET?

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:45 AM

Posted 17 September 2012 - 02:29 PM

OK,.. I'm a little busy today...

Yes let's run RKill then these to be sure there are no more 0access malware.

Run Rkill

Please download TDSSKiller.zip and and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.



Now......

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 04:50 PM

No problem, thanks! I had already started the ESET Scan, so here are those results:

C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\255e9c1-1d24dddb multiple threats deleted - quarantined
C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\6645dad2-2671f3ad a variant of Java/Exploit.Agent.NDH trojan deleted - quarantined
C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\722d13d5-464a6dd8 Java/Exploit.CVE-2012-1723.AV trojan cleaned by deleting - quarantined
C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\2ec7ab03-3c08de46 Java/TrojanDownloader.Agent.NCA trojan deleted - quarantined
C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\6fa220ed-16f46345 multiple threats deleted - quarantined
C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\36ba8db1-37263f85 multiple threats deleted - quarantined
C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4816b93a-6990e55f multiple threats deleted - quarantined
C:\Users\Downs Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\52254d07-1f0ad519 multiple threats deleted - quarantined
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\00000004.@ Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\Windows\Installer\{19373efe-0217-4ef7-eb0b-a0a55ad8667d}\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined


I will run the TDSSKiller next. Thanks!

#9 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 04:54 PM

That file won't run actually. It let me save & extract, but won't open.

#10 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 06:14 PM

Rkill:

Rkill 2.3.15 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/17/2012 07:12:45 PM in x64 mode.
Windows Version: Windows 7 Home Premium

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Program Files\Java\jre6\bin\jusched.exe (PID: 2916) [FI]

1 proccess terminated!

Possibly Patched Files.

* C:\Windows\system32\services.exe

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* BFE [Missing Service]
* BITS [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* C:\Windows\System32\services.exe [NoSig]
+-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 09:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]

Program finished at: 09/17/2012 07:14:15 PM
Execution time: 0 hours(s), 1 minute(s), and 30 seconds(s)

#11 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 06:17 PM

Ran Rkill, but can't get the TDSSKiller to open/run.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:45 AM

Posted 17 September 2012 - 06:38 PM

Well ESET did find more of it... so lets try this



Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode

Run Rkill again


Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 07:24 PM

Unfortunately, it won't let me run the FixTDSS either. I double click & nothing happens. Tried to right click & run, asked me if I wanted to run, clicked yes, and again nothing happened. As I was trying to reply to this it redirected me to a random website.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:45 AM

Posted 17 September 2012 - 07:30 PM

Hmmm....
Let's try TDSSKiller from Command Prompt

Use the following command to scan the PC with a detailed log written into the file report.txt (created in the TDSSKiller.exe utility folder):
Open Command Prompt in XP = click Start >> Run,type cmd
copy and paste this at the flashing cursor and hit Enter

TDSSKiller.exe -l report.txt

OR
Please, try to use attached version of TDSSKiller

tdsskiller.zip


EDIT: Or run aswNBR first

Edited by boopme, 17 September 2012 - 07:32 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 jmdowns

jmdowns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 September 2012 - 08:01 PM

Here is what I got from command prompt:

Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\DOWNS-Laptop>TDSSKiller.exe -l report.txt
'TDSSKiller.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\DOWNS-Laptop>




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users