
TDSSkill has zapped rootkit but...


62 replies to this topic (topic locked)

#1 John Knee (Members, 96 posts)

Posted 20 November 2012 - 06:29 PM

http://www.bleepingcomputer.com/forums/topic475407.html/page__pid__2899036__st__15#top

-----------------------------

TDSSkill zapped and removed some rootkits, but aswMBR indicated something unidentified looked suspicious.
I'm still getting things happening... Updater.exe is still showing up when I boot up before quickly disappearing off the Task Manager. In the last day or two when backing up my files, this situation has appeared several times:

http://img.photobucket.com/albums/v239/John_Knee/BleepingComputer/Settings.jpg

which I keep deleting. Sometimes it reappears within about 5 minutes....

Enough waffling. You can probably find more information as per the main link at the top.

-----------------------------

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
Run by Matt at 23:13:18 on 2012-11-20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1282 [GMT 0:00]
.
AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k BullGuard
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Tiscali Internet Access
mStart Page = about:blank
mWindow Title = Tiscali Internet Access
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe" -boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000002}\SC_Acrobat.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\bglsp.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209545512159
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{6DB993EE-720F-4761-8B2E-C9256AE23280} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\matt\application data\mozilla\firefox\profiles\elcyxmk5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - ExtSQL: !HIDDEN! 2009-07-04 15:53; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-1-14 17792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [2012-5-4 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\system32\svchost.exe -k BullGuard [2019-3-7 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\system32\svchost.exe -k BullGuard [2019-3-7 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\system32\svchost.exe -k BullGuard [2019-3-7 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [2008-11-10 31640]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\drivers\AfwCore.sys [2012-5-4 256792]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 bfastfao;bfastfao;\??\c:\docume~1\matt\locals~1\temp\bfastfao.sys --> c:\docume~1\matt\locals~1\temp\bfastfao.sys [?]
S3 BGRaSvc;BGRaSvc;c:\program files\bullguard ltd\bullguard\support\bgrasvc.exe [2008-7-29 83280]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-12-2 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-12-2 51840]
.
=============== Created Last 30 ================
.
2019-03-07 17:56:59 99328 ----a-w- c:\windows\system32\winscard.dll
2019-03-07 17:54:21 -------- d-----w- C:\i386
2019-03-07 17:53:51 -------- d-----w- C:\cmpnents
2012-11-18 19:41:12 -------- d-----w- c:\documents and settings\matt\application data\SUPERAntiSpyware.com
2012-11-18 19:40:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-18 19:40:26 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-11-18 02:27:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-02 20:20:48 -------- d-----w- c:\documents and settings\matt\local settings\application data\Chromium
2012-11-02 19:33:08 -------- d-----w- c:\documents and settings\matt\local settings\application data\Sports Interactive
.
==================== Find3M ====================
.
2012-11-12 07:04:58 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-12 07:04:58 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 19:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
.
============= FINISH: 23:14:33.29 ===============


#2 Oh My! (Malware Response Instructor, 36,804 posts, California)

Posted 22 November 2012 - 07:09 PM

Greetings John and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the [image] button but use the [image] button instead.
  • In the upper right hand corner of the topic you will see the [image] button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do the following for me.


===================================================


xPUD MBR Dump and Driver Scan using USB

--------------------

Try this please. You will need a USB drive with no less than 64 mb of space.

  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK. Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.


    [image: UNetbootin dialog with the Diskimage option selected]

  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert.
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

    Winlogon.exe
  • After the search is completed please type the following then press Enter:

    volsnap.sys
  • After the search is completed please type the following then press Enter:

    explorer.exe
  • After the search is completed please type the following then press Enter:

    Userinit.exe
  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive, insert it back in your working computer
  • Navigate to mbr.bin, zip the file, and attach it to your next reply
  • Copy and paste the contents of report.txt and filefind.txt in your reply

===================================================


Things I would like to see in your next reply.

  • mbr.zip
  • report.txt (zip and attach if too large)
  • filefind.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
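The procedure above ends with `dd if=/dev/sda of=mbr.bin bs=512 count=1`, which copies the first sector of the disk to the USB stick. The Python script below is an added example, not part of this thread and not part of the xPUD/driver.sh toolkit, showing what a helper can read out of such a dump offline: it checks the 0x55AA boot signature, decodes the four partition-table entries, flags overlapping or missing active partitions, and hashes the 446 bytes of boot code so the hash can be compared with a reference list. The sample sector and the reference-hash set are constructed for the example; pass a real mbr.bin as the first argument to inspect it instead.

```python
"""Inspect a 512-byte MBR dump such as the mbr.bin that the dd step produces.

Added example for this thread: the sample sector and the reference-hash set
are constructed here and do not come from the OP's machine or any scanner.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
TABLE_OFFSET = 446           # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def build_sample_mbr(corrupt_signature=False):
    """Constructed sector: a short prologue padded with NOPs, two NTFS
    partitions (the first marked active) and the boot signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x90")
    table = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    table += struct.pack(ENTRY_FMT, 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 1_000_063, 2_000_000)
    table += b"\x00" * 32                      # two unused entries
    signature = b"\x00\x00" if corrupt_signature else SIGNATURE
    return boot_code + table + signature


def parse_mbr(sector):
    """Return the boot-code hash, the signature check and the partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                           # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def assess_mbr(parsed, known_good_md5s):
    """Return a list of findings. Structural problems (bad signature, no or
    several active partitions, overlapping partitions) point at a damaged
    table; an unrecognised boot-code hash is only 'unknown' and is a prompt to
    compare the code against a clean copy, not proof of a bootkit."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected one active partition on a single-OS disk, found %d" % len(active))
    ordered = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    if parsed["boot_code_md5"] not in known_good_md5s:
        findings.append("boot code hash %s unknown: compare with a known-good MBR before "
                        "drawing conclusions" % parsed["boot_code_md5"])
    return findings


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("signature ok:", info["signature_ok"], " boot code md5:", info["boot_code_md5"])
    for p in info["partitions"]:
        print(p)
    for f in assess_mbr(info, set()):            # empty reference set: every hash is 'unknown'
        print("finding:", f)
```

The split between structural findings and the hash lookup is deliberate: a scanner reporting "unknown MBR code" has only failed to match the boot code against its own list, which is a different statement from the table being corrupted.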

#3 John Knee (Topic Starter, Members, 96 posts)

Posted 23 November 2012 - 08:58 AM

Above you wrote the instruction:

"•Remove the USB and insert it in the sick computer"

Should the USB boot disk be created on a clean computer or can it be created on the sick one?

On a side note, we have 3 computers operating off the same router - 2 desktop and one laptop. Are the other two at risk of being infected if any of them are using the network at the same time as the sick PC?

#4 Oh My! (Malware Response Instructor, 36,804 posts, California)

Posted 23 November 2012 - 09:04 AM

Hi John,

Please create it on a clean computer so we know we have a good copy.

I would say we should be overly cautious. I would isolate the sick computer as much as you can.
Gary

#5 John Knee (Topic Starter, Members, 96 posts)

Posted 23 November 2012 - 02:03 PM

I am at this bit:

  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts

I've put in the USB, hit the on switch and both held and kept pressing F12 but I am getting no option to boot from the USB. Are there any alternative keys I can hit, or am I hitting F12 at the wrong point? Upon booting up normally, it recognises there is a USB put into the computer. Edit: Or is there an option on the control panel that says never to boot off a floppy etc. that needs de-ticking?

Edited by John Knee, 23 November 2012 - 02:06 PM.


#6 Oh My! (Malware Response Instructor, 36,804 posts, California)

Posted 23 November 2012 - 02:15 PM

Hi John,

Yes, there can be different keys to hit. Some computers use the Del, Esc, or other key. Sometimes during the boot up process there will be a quick flash on the bottom of the screen telling you what key to hit for boot options.

There is a way we can do it through the BIOS but if we can do it by hitting a key instead it is easier.

Let me know.
Gary

#7 John Knee (Topic Starter, Members, 96 posts)

Posted 23 November 2012 - 02:27 PM

What is the BIOS method? The only key that works is F10 and that runs the recovery thing that I think reformats and reinstalls...

#8 Oh My! (Malware Response Instructor, 36,804 posts, California)

Posted 23 November 2012 - 02:34 PM

Hi John,

There are variations but if you work your way through these instructions you should be able to change the order.
Gary

#9 John Knee (Topic Starter, Members, 96 posts)

Posted 23 November 2012 - 02:57 PM

Apparently my booting order is Floppy Disk... then CD-Rom and then the HDD... And further probing sees the USB stick as being the second choice HDD - would this be correct? Should I make the change so that the USB disk is the 1st HDD?

#10 Oh My! (Malware Response Instructor, 36,804 posts, California)

Posted 23 November 2012 - 03:00 PM

Yes, you want the USB device in the first position.
Gary

#11 John Knee (Topic Starter, Members, 96 posts)

Posted 23 November 2012 - 03:54 PM

I cannot believe that any version of Winzip was installed on this computer!

--------------------------------------------------

Search results for winlogon.exe

8846e87210ad131cf71e3e2e49f647b0 /mnt/sda2/Program Files/Malwarebytes' Anti-Malware/Chameleon/winlogon.exe
213.1K Sep 29 19:54

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 10 2004

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/system32/winlogon.exe
496.0K Apr 14 2008

2246d8d8f4714a2cedb21ab9b1849abb /mnt/sda1/minint/system32/winlogon.exe
504.5K Aug 29 2002


Search results for volsnap.sys

4c8fcb5cc53aab716d810740fe59d025 /mnt/sda2/WINDOWS/ServicePackFiles/i386/volsnap.sys
51.1K Apr 13 2008

ee4660083deba849ff6c485d944b379b /mnt/sda2/WINDOWS/$NtServicePackUninstall$/volsnap.sys
51.1K Aug 10 2004

4c8fcb5cc53aab716d810740fe59d025 /mnt/sda2/WINDOWS/system32/drivers/volsnap.sys
51.1K Apr 13 2008


Search results for explorer.exe

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda2/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/ServicePackFiles/i386/explorer.exe
1009.5K Apr 14 2008

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/WINDOWS/$NtServicePackUninstall$/explorer.exe
1009.0K Jun 13 2007

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/explorer.exe
1009.5K Apr 14 2008

a0732187050030ae399b241436565e64 /mnt/sda2/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 10 2004


Search results for userinit.exe

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/ServicePackFiles/i386/userinit.exe
25.5K Apr 14 2008

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/$NtServicePackUninstall$/userinit.exe
24.0K Aug 10 2004

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/system32/userinit.exe
25.5K Apr 14 2008

e931e0a2b8bf0019db902e98d03662cb /mnt/sda1/minint/system32/userinit.exe
21.5K Aug 29 2002

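The filefind.txt output above lists every copy of each searched file together with its MD5. The check a helper makes by eye is whether the copy Windows actually loads (under WINDOWS\system32, or WINDOWS itself for explorer.exe) hashes the same as the ServicePackFiles\i386 copy, and what the remaining copies are (recovery partition, uninstall backups, a third-party program reusing the name). The Python below is an added example, not part of driver.sh or of this thread, that parses that report format and performs the comparison. Its input is an excerpt of the report pasted above, and the live_root path /mnt/sda2 is taken from those lines; a mismatch is reported as something to verify, since a hotfix can also explain it.

```python
"""Parse a driver.sh-style filefind report and compare the live copy of each
file with the ServicePackFiles copy. Added example; the report format is
inferred from the output pasted in the post above."""
import re
from collections import defaultdict

# Excerpt of the filefind.txt pasted in the post above (winlogon.exe and
# explorer.exe sections, shortened). Each hit is "<md5> <path>" followed by
# "<size> <date>".
SAMPLE_REPORT = """\
Search results for winlogon.exe

8846e87210ad131cf71e3e2e49f647b0 /mnt/sda2/Program Files/Malwarebytes' Anti-Malware/Chameleon/winlogon.exe
213.1K Sep 29 19:54

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/system32/winlogon.exe
496.0K Apr 14 2008

2246d8d8f4714a2cedb21ab9b1849abb /mnt/sda1/minint/system32/winlogon.exe
504.5K Aug 29 2002


Search results for explorer.exe

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/ServicePackFiles/i386/explorer.exe
1009.5K Apr 14 2008

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/explorer.exe
1009.5K Apr 14 2008
"""

HEADER_RE = re.compile(r"^Search results for (\S+)$")
HIT_RE = re.compile(r"^([0-9a-f]{32}) (.+)$")
SIZE_RE = re.compile(r"^(\S+) (.+)$")


def parse_filefind(text):
    """Return {filename: [{"md5", "path", "size", "date"}, ...]}."""
    results = defaultdict(list)
    current = None        # file name of the section being read
    pending = None        # hit whose size/date line has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            pending = {"md5": m.group(1), "path": m.group(2)}
            results[current].append(pending)
            continue
        m = SIZE_RE.match(line)
        if m and pending is not None:
            pending["size"], pending["date"] = m.group(1), m.group(2)
            pending = None
    return dict(results)


def classify(path, name, live_root="/mnt/sda2"):
    """'live' for the copy Windows loads, 'reference' for the ServicePackFiles
    cache, 'other' for everything else (recovery partitions, uninstall
    backups, third-party programs that reuse the name)."""
    p = path.lower()
    if p.startswith(live_root.lower()) and "/servicepackfiles/i386/" in p:
        return "reference"
    live_pattern = re.compile(re.escape(live_root.lower())
                              + r"/windows/(system32/(drivers/)?)?" + re.escape(name.lower()) + "$")
    return "live" if live_pattern.match(p) else "other"


def compare_live_to_reference(parsed, live_root="/mnt/sda2"):
    """Per file: does every live copy hash the same as the reference copy?"""
    report = {}
    for name, hits in parsed.items():
        groups = defaultdict(list)
        for h in hits:
            groups[classify(h["path"], name, live_root)].append(h)
        live, ref = groups.get("live", []), groups.get("reference", [])
        if not live:
            status = "no live copy found"
        elif not ref:
            status = "no reference copy to compare against"
        elif all(h["md5"] == ref[0]["md5"] for h in live):
            status = "match"
        else:
            status = "MISMATCH: live copy differs from service-pack copy, verify it"
        report[name] = {"status": status, "live": [h["path"] for h in live],
                        "other_copies": len(groups.get("other", []))}
    return report


if __name__ == "__main__":
    for name, row in compare_live_to_reference(parse_filefind(SAMPLE_REPORT)).items():
        print(name, row)
```

Run it against a full filefind.txt by reading the file into `parse_filefind` instead of `SAMPLE_REPORT`; if the Windows partition mounted somewhere other than sda2, pass that mount point as `live_root`.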

#12 Oh My! (Malware Response Instructor, 36,804 posts, California)

Posted 23 November 2012 - 05:03 PM

Hi John,

All of that looks good, which is good news.

For some reason Skype continues to want to look for an update beyond the first attempt when you log in. Please do the following to disable it.

  • Launch Skype
  • Click Tools, Options, then the Automatic Update tab
  • Click Turn off automatic updates, then click Save
  • Reboot and test your computer

===================================================


Things I would like to see in your next reply.

  • How are things going?

Gary

#13 John Knee (Topic Starter, Members, 96 posts)

Posted 23 November 2012 - 05:32 PM

The Updater.exe didn't show up in my Task Manager so I think that part of the issue is sorted... I still have concerns though. For example, Bullguard is still taking a while to declare the firewall etc. is active. I will try re-installing later and see if that shifts the issue. The thing that I am most wary about is that after making the changes to Skype, I looked at my network connections and saw this:

[image: network connections screenshot]

I deleted all the items and then rebooted...

I then checked again and saw:

[image: network connections screenshot after reboot]

In light of the fact Teredo has certain security concerns about it, I'd rather it not constantly crop up.

Any idea what the unknown MBR code was that was reported by boopme at the very last page and comment on here?

#14 Oh My! (Malware Response Instructor, 36,804 posts, California)

Posted 23 November 2012 - 05:53 PM

Hi John,

The "Unknown MBR Code" does not necessarily mean it is bad. It is good to follow up on that when it is coupled with some troubling symptoms which may indicate a corrupted MBR. That is why boopme wanted some follow up. Relative to MBR issues "corrupted" and "unknown" are not interchangeable. When follow up investigation determines the MBR is fine (as it is in your case) "Unknown MBR Code" simply means it is unknown to the program running the scan.

Now regarding Teredo, do you use IPv6? IPv4 is most common.
Gary

#15 John Knee (Topic Starter, Members, 96 posts)

Posted 23 November 2012 - 06:01 PM

I have no reason for using IPv6 as far as I know - I'd rather it not appear at all until such time the entire internet takes it up and it is a case of use it, or lose the internet.

I just suddenly noticed Teredo appearing out of the blue - when I first noticed it, I don't recall having recently installed new software that might have activated it. In terms of the websites I go to, I sometimes borrow my wife's laptop to visit them and her computer doesn't seem to have IPv6 running. It makes me nervous the fact the thing can appear several times.

Is there any way of deactivating it?



