TDSSKiller Removal = BlueScreen on Boot


  • This topic is locked
1 reply to this topic

#1 Punk4598

Posted 07 November 2012 - 03:47 PM

Hello! You guys have helped me before! I have run TDSSKiller to remove a Rootkit and the laptop will boot to the start-up logo (Win7) and then BSOD (and restart to only repeat the same thing).

I tried running the FRST tool with the fixlist of FixMBR and FixBOOT (both failed to fix the problem).

Thanks for any and all help!

Here is the FRST Scan log so we can get right to business:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-11-2012
Ran by SYSTEM at 07-11-2012 15:46:05
Running from D:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [288312 2009-07-27] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-08-25] (Intel Corporation)
HKLM\...\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe [563736 2009-06-18] (PDF Complete Inc)
HKLM\...\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [NortonOnlineBackupReminder] "C:\Program Files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [600936 2009-06-29] (Symantec Corporation)
HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-05-18] (Analog Devices, Inc.)
HKLM\...\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray [3866624 2009-05-18] (Analog Devices, Inc.)
HKLM\...\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe" [153640 2009-06-03] (ActivIdentity)
HKLM\...\Run: [] [x]
HKLM\...\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [400936 2009-06-03] (ActivIdentity)
HKLM\...\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start [354360 2009-07-30] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule [24848 2009-07-23] (Bioscrypt Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)
HKLM\...\Run: [InstaLAN] "C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1134488 2010-03-02] (Affinegy, Inc.)
HKLM\...\Run: [Conime] %windir%\system32\conime.exe [x]
HKLM\...\Run: [EKIJ5000StatusMonitor] C:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [1638400 2010-05-07] (Eastman Kodak Company)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [385024 2008-01-31] (Apple Inc.)
HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [273528 2011-11-03] (RealNetworks, Inc.)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Krystal\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [1668664 2009-07-15] (Hewlett-Packard)
HKU\Krystal\...\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Krystal\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-06-17] (Hewlett-Packard Company)
HKLM\...\Runonce: [5C32B578-9FDC-4181-A623-83BA3C75CDC9] cmd.exe /C start /D "C:\Users\Krystal\AppData\Local\Temp" /B 5C32B578-9FDC-4181-A623-83BA3C75CDC9.exe -postboot [x]
HKLM\...\runonceex: [ContentMerger] c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\ContentMerger10.exe [19952 2009-06-13] (Sonic Solutions)
Tcpip\Parameters: [DhcpNameServer] 24.92.226.11 24.92.226.12
AppInit_DLLs: C:\PROGRA~1\HEWLET~1\IAM\bin\APSHook.dll
Lsa: [Notification Packages] scecli ASWLNPkg
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
Startup: C:\Users\Krystal\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [207400 2009-06-03] (ActivIdentity)
2 AffinegyService; "C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe" [536472 2010-03-02] (Affinegy, Inc.)
2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-07-27] (LSI Corporation)
2 ASBroker; C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [192784 2009-07-23] (Bioscrypt Inc.)
2 ASChannel; C:\Program Files\Hewlett-Packard\IAM\Bin\AsChnl.dll [150288 2009-07-23] (Bioscrypt Inc.)
2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1201400 2009-07-29] (AuthenTec, Inc.)
3 HP ProtectTools Service; "C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe" [45056 2009-07-30] (Hewlett-Packard Development Company, L.P)
2 HpFkCryptService; "C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [256544 2009-07-29] (McAfee, Inc.)
2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe [308592 2010-05-17] (Eastman Kodak Company)
2 NIS; "C:\Program Files\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe" /s "NIS" /m "C:\Program Files\Norton Internet Security\Engine\19.9.0.9\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [635416 2009-06-18] (PDF Complete Inc)
2 TeamViewer5; "C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe" -service [173352 2010-04-15] (TeamViewer GmbH)
3 RoxMediaDB10; "c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [x]
3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

==================== Drivers (Whitelisted) ====================

0 92039223; C:\Windows\System32\drivers\30389354.sys [177496 2012-11-07] (Kaspersky Lab, GERT)
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.6.2.10\Definitions\BASHDefs\20121030.002\BHDrvx86.sys [995488 2012-10-05] (Symantec Corporation)
1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1309000.009\ccSetx86.sys [132768 2012-06-06] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-09] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-09] (Symantec Corporation)
3 hitmanpro36; \??\C:\windows\system32\drivers\hitmanpro36.sys [27976 2012-11-07] ()
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.6.2.10\Definitions\IPSDefs\20121106.001\IDSvix86.sys [386720 2012-08-31] (Symantec Corporation)
3 MfeRKDK; C:\Windows\System32\drivers\MfeRKDK.sys [34248 2009-05-15] (McAfee, Inc.)
1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [55336 2009-05-15] (McAfee, Inc.)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.6.2.10\Definitions\VirusDefs\20121106.032\NAVENG.SYS [92704 2012-09-13] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.6.2.10\Definitions\VirusDefs\20121106.032\NAVEX15.SYS [1601184 2012-09-13] (Symantec Corporation)
1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [12528 2009-07-29] (SafeBoot International)
0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [109216 2009-07-29] (SafeBoot International)
0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [51408 2009-07-29] (SafeBoot N.V.)
0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [12960 2009-07-29] (SafeBoot International)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1765168 2009-07-02] ()
1 SRTSP; C:\Windows\System32\Drivers\NIS\1309000.009\SRTSP.SYS [574112 2012-07-05] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NIS\1309000.009\SRTSPX.SYS [32928 2012-07-05] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NIS\1309000.009\SYMDS.SYS [340088 2012-01-17] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NIS\1309000.009\SYMEFA.SYS [924320 2012-05-21] (Symantec Corporation)
3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT.SYS [141944 2012-04-04] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NIS\1309000.009\Ironx86.SYS [149624 2012-04-17] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NIS\1309000.009\SYMNETS.SYS [318584 2012-04-17] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-07 12:10 - 2012-11-07 12:10 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\30389354.sys
2012-11-07 12:10 - 2012-11-07 12:10 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-07 12:09 - 2012-11-07 12:09 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Krystal\Desktop\tdsskiller.exe
2012-11-07 12:06 - 2012-11-07 12:06 - 00027976 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-11-07 12:05 - 2012-11-07 12:05 - 00010440 ____A C:\Users\Krystal\Desktop\HitmanPro_20121107_1505.log
2012-11-07 12:05 - 2012-11-07 12:05 - 00002976 ____A C:\Windows\System32\.crusader
2012-11-07 11:59 - 2012-11-07 12:05 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-11-07 11:57 - 2012-11-07 11:55 - 08260552 ____A (SurfRight B.V.) C:\Users\Krystal\Desktop\HitmanPro36.exe
2012-10-28 08:45 - 2012-10-28 08:45 - 00000000 ___AH C:\Users\Krystal\Documents\Default.rdp
2012-10-26 14:57 - 2012-10-26 14:57 - 00000000 ____D C:\Windows\Sun
2012-10-10 16:45 - 2012-08-24 08:57 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-10 16:42 - 2012-08-10 15:56 - 00542208 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-10-10 13:52 - 2012-08-31 09:18 - 01211760 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys


==================== One Month Modified Files and Folders ========

2012-11-07 15:28 - 2012-11-07 15:28 - 00000000 ____D C:\FRST
2012-11-07 12:10 - 2012-11-07 12:10 - 00177496 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\30389354.sys
2012-11-07 12:10 - 2012-11-07 12:10 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-07 12:10 - 2010-05-04 22:36 - 01892050 ____A C:\Windows\WindowsUpdate.log
2012-11-07 12:10 - 2009-07-13 20:34 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-07 12:10 - 2009-07-13 20:34 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-07 12:09 - 2012-11-07 12:09 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Krystal\Desktop\tdsskiller.exe
2012-11-07 12:08 - 2009-07-13 20:39 - 00167869 ____A C:\Windows\setupact.log
2012-11-07 12:07 - 2010-08-24 08:27 - 00000436 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-11-07 12:07 - 2010-01-12 11:14 - 00000000 ____D C:\Users\All Users\PDFC
2012-11-07 12:06 - 2012-11-07 12:06 - 00027976 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-11-07 12:06 - 2010-09-19 14:06 - 00000000 ____D C:\Users\All Users\Kodak
2012-11-07 12:06 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-07 12:05 - 2012-11-07 12:05 - 00010440 ____A C:\Users\Krystal\Desktop\HitmanPro_20121107_1505.log
2012-11-07 12:05 - 2012-11-07 12:05 - 00002976 ____A C:\Windows\System32\.crusader
2012-11-07 12:05 - 2012-11-07 11:59 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-11-07 11:55 - 2012-11-07 11:57 - 08260552 ____A (SurfRight B.V.) C:\Users\Krystal\Desktop\HitmanPro36.exe
2012-11-07 11:39 - 2009-07-13 20:53 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-07 11:06 - 2010-01-12 11:12 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-05 12:43 - 2010-05-25 20:06 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForKrystal.job
2012-10-28 08:45 - 2012-10-28 08:45 - 00000000 ___AH C:\Users\Krystal\Documents\Default.rdp
2012-10-26 14:57 - 2012-10-26 14:57 - 00000000 ____D C:\Windows\Sun
2012-10-10 16:42 - 2010-05-04 14:33 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-10-10 16:42 - 2010-01-12 11:17 - 00000000 ____D C:\Users\All Users\Microsoft Help

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-07-11 13:36:16
Restore point made on: 2012-07-11 14:03:51
Restore point made on: 2012-08-16 04:01:32
Restore point made on: 2012-08-19 17:39:52
Restore point made on: 2012-08-19 17:42:10
Restore point made on: 2012-08-19 17:42:59
Restore point made on: 2012-09-12 17:24:25
Restore point made on: 2012-09-18 15:41:23
Restore point made on: 2012-09-23 07:00:12
Restore point made on: 2012-09-25 15:44:31
Restore point made on: 2012-10-10 16:40:52
Restore point made on: 2012-10-14 11:19:04
Restore point made on: 2012-10-26 14:45:59

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3996.27 MB
Available physical RAM: 3399.86 MB
Total Pagefile: 3994.54 MB
Available Pagefile: 3406.96 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.38 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:280.8 GB) (Free:228.8 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (CWP Bench) (Removable) (Total:3.74 GB) (Free:1.98 GB) NTFS
3 Drive e: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.91 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3835 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 300 MB 1024 KB
Partition 2 Primary 280 GB 301 MB
Partition 3 Primary 15 GB 281 GB
Partition 4 Primary 2043 MB 296 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 300 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 280 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 HP_RECOVERY NTFS Partition 15 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E HP_TOOLS FAT32 Partition 2043 MB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3827 MB 19 KB

=========================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 D CWP Bench NTFS Removable 3827 MB Healthy

=========================================================

Last Boot: 2012-09-06 15:49

==================== End Of Log ============================

#2 Punk4598

  • Topic Starter

Posted 07 November 2012 - 05:36 PM

*REMOVE THIS TOPIC PLEASE*

Fixed on my own, thanks!
