
TDSSKILLER will not run / Still have redirects


This topic is locked
3 replies to this topic

#1 ICKIER

  • Members
  • 33 posts

Posted 11 October 2012 - 09:56 AM

Good Day. I was referred here by narenxp. My "hopefully this will be a quick one" isn't turning out to be.
I am continuing to have redirects. Malwarebytes shows nothing.
TDSSKILLER will not run, even after being renamed.
Kaspersky's AVP tool shows nothing.
Win 7 machine.

Weird behavior: desktop icons will stop working after I close IE until I end iexplore in task manager which is still displayed when I close IE!
It seems to grow in size to upwards of 170k.

I was instructed to download and run aswMBR. It will not run either.
ESET scanner - it will download to 89-91% done and IE will lock up.
I downloaded from a clean computer and ran it.
I woke up to a rebooted machine but remembered seeing a variant of Win32/InstallCore.A application AND HTML/Iframe.B.Gen virus before I went to bed.
I ran it again hoping to see what was found again, but they were removed, as the result was clean this scan. Still having issues though.

Very odd things on reboot now: configuring Windows update, then it says it failed.

I was asked to run TDSS fix (which appeared to be an older version of TDSSKiller).

Little disturbed Windows reported this file unsafe after it downloaded, but I ran it. No threats found.
Why is it this Kaspersky antirootkit program ran and the recent ones downloaded from their site do not?


I was asked to run ListParts. Here's the log. (See more at end!)

For 64-bit: ListParts64

ESET running from download off clean computer.

ListParts64 log below. Do not see attach file option.
ListParts by Farbar Version: 02-10-2012
Ran by Jack (administrator) on 10-10-2012 at 17:20:38
Windows 7 (X64)
Running From: C:\Users\Jack\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PVW5DNLK
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 50%
Total physical RAM: 3893.86 MB
Available physical RAM: 1915.57 MB
Total Pagefile: 9731.05 MB
Available Pagefile: 7503.06 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:448.4 GB) (Free:348.57 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:17.07 GB) (Free:2.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         465 GB   0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           199 MB   1024 KB
Partition 2    Primary           448 GB   200 MB
Partition 3    Primary           17 GB    448 GB
Partition 4    Primary           103 MB   465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         SYSTEM       NTFS   Partition   199 MB   Healthy    System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    C                 NTFS   Partition   448 GB   Healthy    Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3    D    RECOVERY     NTFS   Partition   17 GB    Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4         HP_TOOLS     FAT32  Partition   103 MB   Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
extendedinput Yes
default {c279be76-9b51-11de-9b93-a29d207e6d0e}
resumeobject {c279be75-9b51-11de-9b93-a29d207e6d0e}
displayorder {c279be76-9b51-11de-9b93-a29d207e6d0e}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30
customactions 0x1000085000001
0x5400000f
custom:5400000f {4971561a-f955-11df-a168-81b7afab3df8}

Windows Boot Loader
-------------------
identifier {4971561a-f955-11df-a168-81b7afab3df8}
device ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{4971561b-f955-11df-a168-81b7afab3df8}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{4971561b-f955-11df-a168-81b7afab3df8}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Windows Boot Loader
-------------------
identifier {572bcd60-ffa7-11d9-aae0-0007e994107d}
device ramdisk=[boot]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
path \windows\system32\boot\winload.exe
description Microsoft Windows PE 2.0
osdevice ramdisk=[boot]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
systemroot \windows
detecthal Yes
winpe Yes
ems Yes

Windows Boot Loader
-------------------
identifier {c279be76-9b51-11de-9b93-a29d207e6d0e}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {4971561a-f955-11df-a168-81b7afab3df8}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {c279be75-9b51-11de-9b93-a29d207e6d0e}
nx OptIn

Resume from Hibernate
---------------------
identifier {c279be75-9b51-11de-9b93-a29d207e6d0e}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=\Device\HarddiskVolume1
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {4971561b-f955-11df-a168-81b7afab3df8}
description Ramdisk Options
ramdisksdidevice partition=D:
ramdisksdipath \Recovery\WindowsRE\boot.sdi

Setup Ramdisk Options
---------------------
identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
description Ramdisk Options
ramdisksdidevice boot
ramdisksdipath \boot\boot.sdi


****** End Of Log ******



DDS logs are attached. I read the tutorial on how to run GMER.
You ask for certain boxes to be unchecked, which I can do, but what has me baffled is that you want most of the boxes checked, like
System, Sections, Devices, Modules etc. When I run GMER they are all greyed out!
All I can check are Services, Registry, Files, and ADS, so the logs attached here reflect that. (Next message - it's still running.)
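The ListParts output above is mostly a dump of the Boot Configuration Data, and what a responder looks for in it is a boot entry that no longer points where it should. As an added example (not part of the thread, nor of Farbar's tool), here is a small Python check that parses that dump format and verifies that the default Windows loader still references partition=C: and \Windows\system32\winload.exe; the excerpt and the expected values are assumptions constructed from the posted log for a standard single-disk Windows 7 install.

```python
import re
# Constructed excerpt in the format of the posted ListParts/BCD dump (GUIDs copied from the log).
SAMPLE_BCD = r"""Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=\Device\HarddiskVolume1
default {c279be76-9b51-11de-9b93-a29d207e6d0e}

Windows Boot Loader
-------------------
identifier {c279be76-9b51-11de-9b93-a29d207e6d0e}
device partition=C:
path \Windows\system32\winload.exe
osdevice partition=C:
systemroot \Windows
"""

# Assumed values for a standard single-disk Windows 7 install that boots from C:.
EXPECTED_OS_LOADER = {"device": "partition=C:", "osdevice": "partition=C:",
                      "path": r"\Windows\system32\winload.exe", "systemroot": r"\Windows"}

def parse_bcd(text):
    """Split the dump into entries: a title underlined with dashes, then 'key value' lines."""
    lines = text.splitlines()
    entries, current = [], None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if i + 1 < len(lines) and re.fullmatch(r"-+", lines[i + 1].strip()):
            current = {"_title": stripped}  # next line is the underline, so this is a title
            entries.append(current)
        elif current is not None and stripped and not re.fullmatch(r"-+", stripped):
            parts = stripped.split(None, 1)  # continuation lines of multi-value keys are skipped
            if len(parts) == 2 and parts[0] not in current:
                current[parts[0]] = parts[1]
    return entries

def check_default_loader(entries):
    """Follow the boot manager's 'default' GUID to its loader and check its boot fields; returns findings."""
    by_id = {e.get("identifier"): e for e in entries}
    manager = next((e for e in entries if e["_title"] == "Windows Boot Manager"), None)
    loader = by_id.get(manager.get("default")) if manager else None
    if loader is None:
        return ["boot manager missing or its default GUID does not resolve to a loader entry"]
    findings = []
    for key, want in EXPECTED_OS_LOADER.items():
        got = loader.get(key)
        if got is None or got.lower() != want.lower():
            findings.append("%s: expected %r, found %r" % (key, want, got))
    return findings
```

Run it over the BCD section of the real log rather than the excerpt; a finding is worth a closer look, although a legitimate dual-boot or OEM recovery layout can also change these fields.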



#2 ICKIER

  • Topic Starter
  • Members
  • 33 posts

Posted 11 October 2012 - 11:20 AM

GMER attached.

Something else I've discovered... the redirects seem to only be happening in IE. Chrome and Safari don't seem to be doing it.


New update: After resetting IE under Internet Options/Advanced, it seems the redirects have stopped, but I still can't run TDSSKILLER or aswMBR or really anything security related (GMER still won't let me click the unchecked, greyed-out boxes). The desktop icon issue has stopped also.
Shut down hangs for a very long time...

Anybody? Suggestions?

Attached file: gmer.log (414 bytes)

Edited by ICKIER, 11 October 2012 - 05:28 PM.


#3 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender: Male

Posted 13 October 2012 - 09:40 AM

Hi ICKIER,

GMER is designed to run only on 32-bit systems, and therefore you will see that some checkboxes are greyed out on 64-bit machines.

I'd like to review the ComboFix log, which can be found at C:\ComboFix.txt.

Post the contents in your next reply. No need to attach it.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#4 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender: Male

Posted 16 October 2012 - 03:28 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.