Redirecting RootKit Virus, Really Bad


  • This topic is locked
30 replies to this topic

#1 Knight526806

  • Members
  • 16 posts

Posted 02 October 2012 - 03:23 PM

Okay, so for the past 2 weeks I have been trying to get rid of this RootKit. When I click on a link in a Google search, I often, but not always, get redirected to some random website, often Scour.com. Moreover, Avast is constantly telling me that it is blocking malware content when I'm connected to the internet. I have been looking through the forums and have tried almost everything. I have tried using TDSS Killer, but it will not load (yes, I did try changing the name and adding the .com extension, and I tried it in Safe Mode and Safe Mode with Networking); aswMBR will not load either. Moreover, I have used FixTDSS and Rkill; they found nothing. I have done scans with Malwarebytes and Avast. Malwarebytes did not find anything, and although Avast finds MBR:SST[Rtk] in a boot-time scan and deletes it (supposedly), it always comes right back. I have deleted my temporary internet files and caches. Lastly, I tried a system restore to a time before I had the virus, and that still did not work. I feel now that the only way to fix this is to reinstall Windows, which I don't mind doing except that I don't have the disk and would rather not have to purchase one.

Please help,
Josh

Here is my DDS log; the Attach and GMER logs are attached.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Joshua at 15:26:55 on 2012-10-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4084.2341 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\system32\dleacoms.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayAlert.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.com/
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - C:\Program Files\Dell Printable Web\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Face recognition web login for FastAccess: {da5bce70-d057-4d63-943d-5f3927ec59f1} - C:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - C:\Program Files\Dell Printable Web\toolband.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [EasyTether] "C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [FAStartup]
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [FATrayAlert] C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
StartupFolder: C:\Users\JOSHUA~1.000\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Windows\system32\RunDll32.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://uac.gmu.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 129.174.97.3 129.174.68.227 129.174.1.3
TCP: Interfaces\{4B29635B-5B14-4D7C-ACAD-FF48FF4283B9} : DhcpNameServer = 129.174.97.3 129.174.68.227 129.174.1.3
TCP: Interfaces\{4B29635B-5B14-4D7C-ACAD-FF48FF4283B9}\B40543E453 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4B29635B-5B14-4D7C-ACAD-FF48FF4283B9}\C696E6B6379737F5355435F51373631303 : DhcpNameServer = 75.104.128.61
TCP: Interfaces\{4B29635B-5B14-4D7C-ACAD-FF48FF4283B9}\D41637F6E6 : DhcpNameServer = 129.174.97.3 129.174.68.227 129.174.1.3
TCP: Interfaces\{BEFC2897-9A45-4597-B5CE-98B2802F6A88} : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{E45E4F0B-F207-4A76-A6CF-1DAD6F43EB75} : DhcpNameServer = 129.174.97.3 129.174.68.227 129.174.192.3
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Notify: FastAccess - C:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll
LSA: Notification Packages = scecli FAPassSync
BHO-X64: Dell Toolbar: {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Printable Web\toolband.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Face recognition web login for FastAccess: {DA5BCE70-D057-4D63-943D-5F3927EC59F1} - C:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll
BHO-X64: SSOIEAddonBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: Dell Toolbar: {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Printable Web\toolband.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [FAStartup]
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun-x64: [UpdReg] C:\Windows\UpdReg.EXE
mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun-x64: [FATrayAlert] C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [2010-5-29 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-9-20 44808]
R2 dlea_device;dlea_device;C:\Windows\system32\dleacoms.exe -service --> C:\Windows\system32\dleacoms.exe -service [?]
R2 FAService;FAService;C:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe [2011-4-23 2412728]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-22 399432]
R2 PenCommService;Livescribe Smartpen Service;C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2010-7-28 444928]
R2 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]
R2 risdpcie;risdpcie;C:\Windows\system32\DRIVERS\risdpe64.sys --> C:\Windows\system32\DRIVERS\risdpe64.sys [?]
R2 rixdpcie;rixdpcie;C:\Windows\system32\DRIVERS\rixdpe64.sys --> C:\Windows\system32\DRIVERS\rixdpe64.sys [?]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-7-2 705856]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 bpenum;bpenum;C:\Windows\system32\DRIVERS\bpenum.sys --> C:\Windows\system32\DRIVERS\bpenum.sys [?]
R3 bpmp;bpmp;C:\Windows\system32\DRIVERS\bpmp.sys --> C:\Windows\system32\DRIVERS\bpmp.sys [?]
R3 bpusb;bpusb;C:\Windows\system32\Drivers\bpusb.sys --> C:\Windows\system32\Drivers\bpusb.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 easytether;easytether;C:\Windows\system32\DRIVERS\easytthr.sys --> C:\Windows\system32\DRIVERS\easytthr.sys [?]
R3 FACAP;facap, FastAccess Video Capture;C:\Windows\system32\DRIVERS\facap.sys --> C:\Windows\system32\DRIVERS\facap.sys [?]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\dleaserv.exe [2010-8-26 33448]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;"C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe" --> C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [?]
S2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe --> C:\Program Files\Dell\DellDock\DockLogin.exe [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-6 136176]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-22 676936]
S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;"C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe" --> C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-29 250288]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-7-2 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-7-2 79360]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-6 136176]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe --> C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [?]
S3 PulseUsb;Livescribe Smartpen USB Driver;C:\Windows\system32\DRIVERS\PulseUsb.sys --> C:\Windows\system32\DRIVERS\PulseUsb.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]
S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2010-7-2 79360]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TurboBoost;TurboBoost;"C:\Program Files\Intel\TurboBoost\TurboBoost.exe" --> C:\Program Files\Intel\TurboBoost\TurboBoost.exe [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-10-02 15:26:30 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F1A89E96-9957-43B2-B5E8-35A6734479CA}\mpengine.dll
2012-09-26 12:29:45 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-09-25 18:41:14 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys
2012-09-22 22:53:30 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Roaming\Malwarebytes
2012-09-22 22:53:12 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-22 22:53:10 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-21 19:29:33 9573296 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-09-20 16:46:44 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-09-20 16:46:41 969200 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-09-20 16:46:36 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-09-20 16:46:18 41224 ----a-w- C:\Windows\avastSS.scr
2012-09-20 16:46:08 -------- d-----w- C:\ProgramData\AVAST Software
2012-09-20 16:46:08 -------- d-----w- C:\Program Files\AVAST Software
2012-09-20 16:35:58 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-09-20 16:29:54 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-09-20 16:29:53 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-09-20 16:29:53 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
2012-09-20 16:29:52 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-09-20 16:29:51 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-09-20 16:29:51 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-09-20 16:29:51 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-09-19 14:13:16 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2012-09-19 14:13:16 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2012-09-19 14:10:10 -------- d-----w- C:\Program Files\ATI Technologies
2012-09-19 14:10:04 -------- d-----w- C:\Program Files\ATI
2012-09-19 14:08:58 -------- d-----w- C:\AMD
2012-09-19 13:07:27 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Roaming\AVG2013
2012-09-19 13:06:46 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Local\AVG Secure Search
2012-09-19 13:06:35 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Roaming\TuneUp Software
2012-09-19 13:06:30 -------- d-----w- C:\ProgramData\AVG Secure Search
2012-09-19 13:06:04 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2012-09-19 13:06:04 -------- d-----w- C:\Program Files (x86)\AVG Secure Search
2012-09-19 13:04:43 -------- d-----w- C:\ProgramData\AVG2013
2012-09-19 13:02:12 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Local\MFAData
2012-09-19 13:02:12 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Local\Avg2013
2012-09-06 20:42:57 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Roaming\SSH
2012-09-06 20:40:42 -------- d-----w- C:\Program Files (x86)\SSH Communications Security
2012-09-06 14:31:56 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Roaming\HpUpdate
2012-09-06 14:31:22 778088 ----a-w- C:\Windows\System32\HPDiscoPMa011.dll
2012-09-06 14:30:26 -------- d-----w- C:\Program Files (x86)\HP
2012-09-06 14:27:47 -------- d-----w- C:\Program Files\HP
2012-09-06 14:26:40 -------- d-----w- C:\Users\Joshua.Joshua-PC.000\AppData\Local\HP
2012-09-05 05:36:36 -------- d-----r- C:\Program Files (x86)\Skype
.
==================== Find3M ====================
.
2012-09-21 19:29:40 73136 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-21 19:29:40 696240 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-07-28 04:09:20 5538984 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-07-28 04:07:44 10278912 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2012-07-28 03:43:12 70144 ----a-w- C:\Windows\System32\coinst_8.982.dll
2012-07-28 03:19:34 24935424 ----a-w- C:\Windows\System32\atio6axx.dll
2012-07-28 02:50:10 20546560 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-07-28 02:47:40 187392 ----a-w- C:\Windows\System32\clinfo.exe
2012-07-28 02:47:24 75776 ----a-w- C:\Windows\System32\OpenVideo64.dll
2012-07-28 02:47:16 65024 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-07-28 02:47:10 63488 ----a-w- C:\Windows\System32\OVDecode64.dll
2012-07-28 02:47:06 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-07-28 02:46:56 16464896 ----a-w- C:\Windows\System32\amdocl64.dll
2012-07-28 02:46:06 13013504 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-07-28 02:44:56 54784 ----a-w- C:\Windows\System32\OpenCL.dll
2012-07-28 02:44:42 50176 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2012-07-28 02:15:50 163840 ----a-w- C:\Windows\System32\atiapfxx.exe
2012-07-28 02:15:42 931328 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-07-28 02:13:56 1100288 ----a-w- C:\Windows\System32\aticfx64.dll
2012-07-28 02:10:40 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2012-07-28 02:10:34 534528 ----a-w- C:\Windows\System32\atieclxx.exe
2012-07-28 02:09:44 239616 ----a-w- C:\Windows\System32\atiesrxx.exe
2012-07-28 02:08:20 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2012-07-28 02:08:04 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2012-07-28 02:07:58 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2012-07-28 02:07:52 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-07-28 02:07:10 6430208 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-07-28 01:51:12 7052288 ----a-w- C:\Windows\System32\atidxx64.dll
2012-07-28 01:41:32 4266496 ----a-w- C:\Windows\System32\atiumd6a.dll
2012-07-28 01:35:10 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2012-07-28 01:35:08 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-07-28 01:35:02 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2012-07-28 01:35:00 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-07-28 01:34:48 16034304 ----a-w- C:\Windows\System32\aticaldd64.dll
2012-07-28 01:32:32 4751872 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-07-28 01:30:10 13605888 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-07-28 01:25:52 6676480 ----a-w- C:\Windows\System32\atiumd64.dll
2012-07-28 01:15:32 540160 ----a-w- C:\Windows\System32\atiadlxx.dll
2012-07-28 01:15:22 368640 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-07-28 01:15:12 17920 ----a-w- C:\Windows\System32\atig6pxx.dll
2012-07-28 01:15:08 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-07-28 01:15:08 14848 ----a-w- C:\Windows\System32\atiglpxx.dll
2012-07-28 01:15:04 41984 ----a-w- C:\Windows\System32\atig6txx.dll
2012-07-28 01:14:56 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-07-28 01:14:46 368640 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2012-07-28 01:13:54 129536 ----a-w- C:\Windows\System32\atiuxp64.dll
2012-07-28 01:13:48 109568 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-07-28 01:13:40 103936 ----a-w- C:\Windows\System32\atiu9p64.dll
2012-07-28 01:13:32 83456 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-07-28 01:12:54 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2012-07-28 01:08:42 56320 ----a-w- C:\Windows\System32\atimpc64.dll
2012-07-28 01:08:42 56320 ----a-w- C:\Windows\System32\amdpcom64.dll
2012-07-28 01:08:36 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-07-28 01:08:36 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-06 20:07:42 552960 ----a-w- C:\Windows\System32\drivers\bthport.sys
2012-07-05 21:02:14 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-07-05 21:02:14 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-07-04 22:16:43 73216 ----a-w- C:\Windows\System32\netapi32(382).dll
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser(296).dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
.
============= FINISH: 15:35:13.39 ===============

#2 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,968 posts
  • Gender:Male
  • Location:California

Posted 03 October 2012 - 08:21 AM

Greetings Knight526806 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. May I call you Josh?


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Knight526806

Knight526806
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 October 2012 - 08:34 AM

Thank you Gary, and yes, you may call me Josh.

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,968 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:16 PM

Posted 03 October 2012 - 08:58 AM

Hi Josh.

Welcome and let's get down to business. The first thing I would like to do is get a good look at your Master Boot Record. It appears you have Ubuntu installed so we will use that program to get the information we need. You may skip the download part and references to the CD if it is not required.

Please do this for me.


===================================================


Master Boot Record Dump Using Ubuntu

--------------

  • Download Ubuntu Live onto your desktop (from a clean computer if you need to). This is a large file so allow it some time to download
  • Insert a CD into your CD player
  • Double click on the Ubuntu icon
  • Click Burn, then Close when completed
  • With the disk in the infected computer's CD restart your computer
  • If your computer does not automatically boot from the CD please see here
  • Once the Ubuntu desktop is loaded please select English and then Try Ubuntu (be patient while the program loads)

  • In the upper right corner to the left of the speaker icon click the fan shaped icon to connect to the internet, including your network security key if necessary. If you are unable to connect to the internet see the note at the end, skipping the Firefox instructions
  • Click the Dash Home icon on the left side at the top
  • Type terminal in the search box and hit Enter
  • A command prompt window will open
  • Type the following line and press Enter. Please be sure there is a space between the different colors.

    sudo dd if=/dev/sda of=mbr.txt bs=512 count=1
  • If successful you will see a notation 512 bytes copied
  • Click on the Firefox icon on the left side to launch the browser
  • Type the following in the address bar and hit Enter to bring up this topic

    http://www.bleepingcomputer.com/forums/topic470533.html
  • To access the Home folder click the third icon from the top in the left panel (Home Folder). You will see some folders there, as well as the mbr.txt file you just created
  • Attach mbr.txt in your next reply
  • Click the power button icon in the upper right hand corner of the screen and select Shut Down
  • Remove the CD and reboot your computer
Note: If you do not have internet access you will need to insert a USB device into the computer, copy and paste mbr.txt onto the device, and attach the file from another computer.


===================================================


Things I would like to see in your next reply. :thumbsup2:

  • mbr.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Knight526806

Knight526806
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 October 2012 - 01:04 PM

Here is the mbr.txt file.

Attached Files

  • Attached File  mbr.txt   512bytes   1 downloads


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,968 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:16 PM

Posted 03 October 2012 - 02:04 PM

Hi Josh,

You have a malicious hidden partition we need to take care of.

Please try to run TDSSKiller as described below.


===================================================


Run TDSSKiller by Kaspersky With Changed Parameters From Malwarebytes Folder

--------------------

  • Locate the TDSSKiller icon on your desktop, right click, and select Delete
  • If you do not already have Malwarebytes Anti-Malware please download and install it on your computer but do not run the program
  • Download a new copy of TDSSKiller and save it in the following location

    • C:\Program Files\Malwarebytes' Anti-Malware\Chameleon
  • Press the Windows key + r on your keyboard at the same time
  • Type cmd and press Enter
  • Copy and paste the following after the command prompt and press Enter

    "C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o
  • A black DOS prompt will appear with a prompt to press any key to continue, please do.
  • Using Windows Explorer navigate to and double click on the following file:

    C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\TDSSKiller.exe
  • Click on Change parameters

  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • Click OK

  • Press Start Scan
  • If Malicious objects are found, ensure Cure is selected (it should be by default)
  • If Suspicious objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • Click Continue then click Reboot now
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 Knight526806

Knight526806
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 October 2012 - 03:50 PM

When I try to save TDSSKiller to the Chameleon file, I get an error saying that I do not have permission to save a file here and that I need to contact the administrator. I tried logging in as an Administrator but then when I clicked "Save as" no window popped up for me to direct the file to.

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,968 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:16 PM

Posted 03 October 2012 - 03:52 PM

Save it to your desktop then try to cut/paste it into the Chameleon folder.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 Knight526806

Knight526806
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 October 2012 - 04:07 PM

After running the DOS window and finding TDSSKiller in the Chameleon file, I double clicked it and even tried run as administrator, but it did not open up.

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,968 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:16 PM

Posted 03 October 2012 - 04:10 PM

OK, please give me a bit of time and I will provide steps for a work around.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,968 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:16 PM

Posted 03 October 2012 - 05:29 PM

Greetings Josh,

Please run this program for me.


===================================================


ListParts by Farbar for 64 bit Systems

--------------------

  • Please download ListParts.exe (for 64 bit systems) and save it to your desktop
  • Double click the Posted Image icon
  • Select Run
  • Select Scan
  • Select OK and wait for a Result - Notepad document to open on your desktop
  • Please copy and paste the contents in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Result.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Knight526806

Knight526806
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 October 2012 - 05:38 PM

Here is the result.txt log

ListParts by Farbar Version: 02-10-2012
Ran by Joshua (administrator) on 03-10-2012 at 18:36:12
Windows 7 (X64)
Running From: C:\Users\Joshua.Joshua-PC.000\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 48%
Total physical RAM: 4084.48 MB
Available physical RAM: 2084.18 MB
Total Pagefile: 8167.15 MB
Available Pagefile: 5772.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:451.06 GB) (Free:332.51 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 39 MB
Partition 3 Primary 451 GB 14 GB
Partition 4 Primary 10 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 RECOVERY NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C OS NTFS Partition 451 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,968 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:16 PM

Posted 03 October 2012 - 07:26 PM

Hi Josh,

We are going to make some changes to remove the malicious partition. Please do this for me.


===================================================


Running a ListParts Fix

--------------

  • Press the Windows key + r on your keyboard at the same time
  • Type Notepad and press Enter
  • Copy and paste the contents of the code box below into Notepad.

    Disk=0 Partition=2 active
    Disk=0 Partition=4 type=07
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fix.txt to the flash drive where ListParts is located.
  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
  • Type e:/listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run.
  • Press the Fix button.
  • ListParts will process the script in Fix.txt
  • When finished please press the Scan button.
  • A log Result.txt will be saved to the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.
===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Result.txt
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
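
The raw mbr.txt requested in #4 and the two-line Fix.txt above can be checked offline with a small parser. This is an added example, not code from the thread, from ListParts or from Kaspersky: it reads a 512-byte dump such as dd produced, flags any partition that is both active and of a hidden type (0x17, the "Suspicious Type" in the ListParts log), and rehearses the same two changes as Fix.txt on a copy of the dump. The sample MBR is constructed to approximate the partition layout in the log, and "hidden" here means the 0x10 hidden-type bit, so the 0xDE OEM partition is not flagged the way ListParts flags it.

```python
import struct

SECTOR = 512
TABLE_OFF = 446          # the partition table starts at byte 446 of the MBR
# Type IDs with the 0x10 "hidden" bit set; 0x17 is hidden NTFS/HPFS.
# Assumption: ListParts uses a broader rule that also reports 0xDE as hidden.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(mbr: bytes) -> list:
    """Return the four primary partition entries of a 512-byte MBR dump."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFF + 16 * i)
        entries.append({
            "index": i + 1,
            "active": boot == 0x80,
            "type": ptype,
            "hidden": ptype in HIDDEN_TYPES,
            "start_lba": lba,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return entries


def suspicious(entries: list) -> list:
    """Indices of partitions that are hidden yet active: the pattern in the log above."""
    return [e["index"] for e in entries if e["active"] and e["hidden"]]


def apply_fix(mbr: bytes, active_partition: int, retype: dict) -> bytes:
    """Rehearse 'Partition=2 active' and 'Partition=4 type=07' on a copy of the dump."""
    buf = bytearray(mbr)
    for i in range(4):
        off = TABLE_OFF + 16 * i
        buf[off] = 0x80 if i + 1 == active_partition else 0x00   # exactly one active flag
        if i + 1 in retype:
            buf[off + 4] = retype[i + 1]                          # type byte of the entry
    return bytes(buf)


def build_sample_mbr() -> bytes:
    """Constructed MBR approximating the ListParts layout above (not the user's real dump)."""
    spm = 1024 * 1024 // SECTOR  # sectors per MiB
    layout = [  # (status, type, start LBA, sector count)
        (0x00, 0xDE, 63, 39 * spm),
        (0x00, 0x07, 39 * spm, 14 * 1024 * spm),
        (0x00, 0x07, (14 * 1024 + 39) * spm, 451 * 1024 * spm),
        (0x80, 0x17, 465 * 1024 * spm, 10 * spm),
    ]
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, cnt)
                     for st, ty, lba, cnt in layout)
    return bytes(TABLE_OFF) + table + b"\x55\xaa"


if __name__ == "__main__":
    mbr = build_sample_mbr()               # or: open("mbr.txt", "rb").read()
    before = parse_mbr(mbr)
    for e in before:
        print(e)
    print("suspicious before fix:", suspicious(before))
    after = parse_mbr(apply_fix(mbr, active_partition=2, retype={4: 0x07}))
    print("suspicious after fix:", suspicious(after))
```
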

#14 Knight526806

Knight526806
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 October 2012 - 10:10 PM

Here is the log, and the redirecting seems to be gone. Moreover, my browsing is much faster now. Thank you, but Avast is still saying there is a Partition 4 Rootkit on my PC, it gives me the option to delete it as it did before; though it always seems to come back. I was also able to open up TDSS Killer and ran it with the same parameters specified above. I'll attach that log as well. It didn't find anything malicious, just a few suspicious files which I just skipped.

ListParts by Farbar Version: 02-10-2012
Ran by SYSTEM (administrator) on 03-10-2012 at 22:50:09
Windows 7 (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 4084.5 MB
Available physical RAM: 3569.52 MB
Total Pagefile: 4082.65 MB
Available Pagefile: 3553.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.15 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (OS) (Fixed) (Total:451.06 GB) (Free:332.52 GB) NTFS
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
4 Drive f: (Lexar) (Removable) (Total:14.92 GB) (Free:13.97 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 39 MB
Partition 3 Primary 451 GB 14 GB
Partition 4 Primary 10 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D OS NTFS Partition 451 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G RAW Partition 10 MB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 20 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F Lexar FAT32 Removable 14 GB Healthy

======================================================================================================

****** End Of Log ******

#15 Knight526806

Knight526806
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 October 2012 - 10:15 PM

I wasn't able to attach or post the TDSS Killer log because it was too long.
