
Rootkit.boot.pihar.c removal


This topic is locked. 27 replies to this topic.

#1 ksd1998 (Members, 34 posts)

Posted 23 November 2012 - 09:39 AM

Hi,

Our computer was occasionally shutting down and some Google searches were being redirected. I ran a Malwarebytes scan and removed several items. The problem seemed to remain so I ran TDSSKiller. It detected rootkit.boot.pihar.c. I chose to cure the item and it recommended a reboot. On reboot I got a BSOD. Another restart usually gets Windows back up. I have been through this same cycle several times.


Any help or suggestions?

Thanks


#2 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Bulgaria)

Posted 23 November 2012 - 10:06 AM

Hello ksd1998 ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.




  • Download ListParts to a USB flash drive.
  • Download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

Posted Image

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
  • Type e:\listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run.
  • Check the box beside List BCD
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.

Regards,
Georgi



#3 ksd1998 (Topic Starter, Members, 34 posts)

Posted 24 November 2012 - 02:54 PM

Hi Georgi, thanks for your help. I got the two ListParts items on my flash drive. When I tried to restart the computer under the Repair your computer option, I get an error message: ERROR: F3-F100-0010 Please press OK to turn off the computer. I never get to the select language option.

#4 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Bulgaria)

Posted 24 November 2012 - 03:36 PM

Well...this seems to be a Toshiba specific error code.
Can you please try this instead:


You will also need a USB drive.


  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB (right click the following link and select Save Link/Target As. Save the file to your flash drive)
  • Remove the USB drive and CD and insert them into the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.



Regards,
Georgi



#5 ksd1998 (Topic Starter, Members, 34 posts)

Posted 26 November 2012 - 10:53 AM

mbr.zip is attached.

Thanks

Attached Files

  • Attached File  mbr.zip   2.43KB   18 downloads


#6 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Bulgaria)

Posted 26 November 2012 - 06:31 PM

Thanks...I asked some colleagues for assistance with this.
Stay tuned. :)



Regards,
Georgi



#7 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Bulgaria)

Posted 27 November 2012 - 04:00 PM

Hi,



Try the steps and let me know if boot was successful.

You will need to use xPUD and your USB/flash drive again.

Be sure to delete any old copy of mbr.bin first.

Please click on the following link and save the file to your flash drive.

Now reboot in xPUD and navigate to your USB drive. Click Tool > Open Terminal, type the following and press Enter.

dd if=mbr.bin of=/dev/sda bs=512 count=1

After completing this, restart normally and let me know if you can get into Windows now.



Regards,
Georgi
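As an added example (not part of Georgi's instructions and not code from any tool in this thread), a Python parser for a 512-byte MBR dump such as the mbr.bin the dumpit step produces. It reads the partition table and, on a constructed sample laid out like Disk 0 in the FRST log later in the thread, flags the hidden type 0x17 partition; the same parse of a replacement mbr.bin, run before writing it with dd, confirms the sector carries the expected partition table and boot signature.

```python
"""Parse a 512-byte MBR dump (like the mbr.bin the dumpit step writes) and flag the
partition-table indicators the FRST log in this thread reported: exactly one active
partition expected, and a hidden type 0x17 partition with no volume behind it."""
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # the four 16-byte partition entries start here
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR

# Standard MBR partition type ids that appear in the FRST output in this thread.
TYPE_NAMES = {0x07: "NTFS/IFS", 0x17: "Hidden NTFS/IFS", 0x27: "Hidden Windows RE"}
SUSPICIOUS_TYPES = {0x17}          # FRST marked the type 17 partition as "Suspicious Type"


def pack_entry(active, ptype, lba_start, sectors):
    """Pack one partition-table entry; CHS fields carry the usual 'LBA in use' filler."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr():
    """Constructed sample: same three-partition layout as Disk 0 in the FRST log
    (1500 MB hidden recovery, ~222 GB Windows, 8 GB hidden type 0x17). Not the real dump."""
    p2_start = 1501 * 2048                 # 1501 MB offset, in 512-byte sectors
    p3_start = 223 * 1024 * 2048           # 223 GB offset
    table = (pack_entry(True, 0x27, 2048, 1500 * 2048)
             + pack_entry(False, 0x07, p2_start, p3_start - p2_start)
             + pack_entry(False, 0x17, p3_start, 8 * 1024 * 2048)
             + b"\x00" * ENTRY_SIZE)       # unused fourth slot
    bootstrap = b"\x00" * TABLE_OFFSET     # bootstrap code left empty in this sample
    return bootstrap + table + BOOT_SIGNATURE


def parse_partition_table(mbr):
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR dump is shorter than one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:                     # empty slot
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "name": TYPE_NAMES.get(ptype, "unknown"), "lba_start": lba,
                      "sectors": count, "size_mb": count * SECTOR // (1024 * 1024)})
    return parts


def assess_partition_table(parts):
    """Return human-readable findings a responder would want to look at."""
    findings = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions {active}; exactly one expected")
    for p in parts:
        if p["type"] in SUSPICIOUS_TYPES:
            findings.append(f"partition {p['index']}: type 0x{p['type']:02X} ({p['name']}), "
                            f"{p['size_mb']} MB at LBA {p['lba_start']}; hidden, no volume, "
                            f"the same shape FRST flagged as a suspicious partition")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


if __name__ == "__main__":
    parts = parse_partition_table(build_sample_mbr())
    for p in parts:
        print(p)
    for finding in assess_partition_table(parts):
        print("FINDING:", finding)
```

To check a real dump, replace build_sample_mbr() with open("mbr.bin", "rb").read(); the bootstrap code (first 446 bytes) is not inspected here and needs a known-good copy for comparison.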



#8 ksd1998 (Topic Starter, Members, 34 posts)

Posted 28 November 2012 - 01:46 PM

No luck with that.

At first attempt to restart, just a blinking cursor.

At second attempt, blue screen.

At third attempt computer tried to repair windows, but was unsuccessful.

I tried another restart in safe mode, just got blue screen.

#9 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Bulgaria)

Posted 28 November 2012 - 04:16 PM

Hi,



Can you check if you can access the Recovery Environment now?


Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

Posted Image

  • Select the Command Prompt option.
  • A command window will open.
  • Type bootrec /fixboot then hit Enter.
  • Reboot the computer and let me know what happened.



Btw, if you have a Windows installation DVD you can try to access the Recovery Environment from there to see if there are any differences.



Regards,
Georgi



#10 ksd1998 (Topic Starter, Members, 34 posts)

Posted 28 November 2012 - 04:52 PM

The message I get is "The volume does not contain a recognized file system. Please make sure that all file system drivers are loaded and that the volume is not corrupted."

I do not have a recovery disc. Computer was given to my daughter by her Aunt. I think it came from Best Buy. It has the Windows 7 product key on the bottom.

There is a "Toshiba recovery wizard" option on the system recovery tool menu.

#11 Farbar (Just Curious, Security Developer, 21,719 posts, The Netherlands)

Posted 28 November 2012 - 05:43 PM

Hi ksd1998,

While my good colleague Georgi is taking a break I will be assisting you.

We still have a couple of options to boot the computer.

Now you are able to get to System Recovery Options by using F8 and run the tools.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#12 ksd1998 (Topic Starter, Members, 34 posts)

Posted 28 November 2012 - 07:59 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2012
Ran by SYSTEM at 28-11-2012 19:56:09
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-19] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [x]
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [x]
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [x]
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [HPHUPD05] C:\Program Files (x86)\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [49152 2003-08-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Component Manager] "C:\Program Files (x86)\HP\hpcoretech\hpcmpmgr.exe" [221184 2003-08-20] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Software Update] "C:\Program Files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [49152 2003-06-25] (Hewlett-Packard)
HKLM-x32\...\Run: [HPHmon05] C:\windows\SysWOW64\hphmon05.exe [483328 2003-08-20] (Hewlett-Packard)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-12-07] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKU\Owner\...\Run: [racap] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\racap.dll",Warn [524800 2012-11-16] (Promise Technology,Inc)
HKU\Owner\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 WlanWpsSvc; C:\Program Files (x86)\NETGEAR\WNA1000M\WlanWpsSvc.exe [x]

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 RTL8192cu; C:\Windows\System32\DRIVERS\WNA1000M.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-28 19:55 - 2012-11-28 19:55 - 00000000 ____D C:\FRST
2012-11-27 17:15 - 2012-11-27 17:15 - 00277136 ____A C:\Windows\Minidump\112712-28953-01.dmp
2012-11-23 05:56 - 2012-11-23 05:56 - 00287000 ____A C:\Windows\Minidump\112312-19780-01.dmp
2012-11-23 05:53 - 2012-11-23 05:53 - 00281264 ____A C:\Windows\Minidump\112312-32931-01.dmp
2012-11-22 20:39 - 2012-11-22 20:39 - 00000000 ____D C:\Windows\Sun
2012-11-22 20:13 - 2012-11-22 20:13 - 00281288 ____A C:\Windows\Minidump\112212-34897-01.dmp
2012-11-21 18:24 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-19 13:30 - 2012-11-19 13:30 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Downloads\tdsskiller (1).exe
2012-11-19 13:30 - 2012-11-19 13:30 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Desktop\tdsskiller.exe
2012-11-19 12:33 - 2012-11-23 06:00 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-18 17:30 - 2012-11-18 17:30 - 00001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-18 17:30 - 2012-11-18 17:30 - 00000000 ____D C:\Users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2012-11-18 17:29 - 2012-11-18 17:30 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-18 17:29 - 2012-11-18 17:29 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-11-18 17:27 - 2012-11-18 17:27 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-11-18 15:48 - 2012-11-27 17:15 - 264809162 ____A C:\Windows\MEMORY.DMP
2012-11-18 15:48 - 2012-11-27 17:15 - 00000000 ____D C:\Windows\Minidump
2012-11-18 15:48 - 2012-11-18 15:48 - 00268880 ____A C:\Windows\Minidump\111812-17238-01.dmp
2012-11-16 06:37 - 2012-11-16 06:37 - 00524800 ____A (Promise Technology,Inc) C:\Users\Owner\AppData\Roaming\racap.dll
2012-11-16 05:04 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-16 05:04 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-16 05:04 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-16 05:04 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-16 04:50 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-16 04:50 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-16 04:50 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-16 04:50 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-16 04:50 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-16 04:50 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-16 04:50 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-16 04:50 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-16 04:50 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-16 04:50 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-16 04:50 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-16 04:50 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-16 04:50 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-16 04:50 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-16 04:50 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-16 04:50 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-16 04:50 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-11-16 04:50 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-11-16 04:50 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-11-16 04:50 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-11-16 04:50 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-11-16 04:50 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-11-16 04:50 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-11-16 04:50 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-11-16 04:50 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-11-16 04:50 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-11-16 04:50 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-11-16 04:50 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-11-16 04:50 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-11-16 04:50 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-11-16 04:50 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-11-16 04:50 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-11-16 04:47 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-16 04:47 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-16 04:47 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-16 04:47 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-16 04:47 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-16 04:47 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-16 04:47 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-16 04:47 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-15 05:38 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-15 05:38 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2012-11-15 05:38 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2012-11-15 05:38 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2012-11-15 05:38 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2012-11-15 05:38 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-11-15 05:38 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2012-11-15 05:38 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2012-11-15 05:38 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2012-11-15 05:38 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2012-11-15 05:38 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2012-11-15 05:38 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2012-11-15 05:38 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2012-11-15 05:38 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2012-11-15 05:38 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2012-11-15 05:38 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-11-15 05:38 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-15 05:38 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2012-11-15 05:37 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-11 18:16 - 2012-11-11 18:16 - 00000000 ____D C:\Users\Owner\AppData\Local\{B0D2244A-46DD-469F-A3B4-252D24FB6BAF}
2012-11-07 18:40 - 2012-11-07 18:40 - 00000000 ____D C:\Users\Owner\AppData\Local\{36957995-AE71-4890-B930-32AFD13BDBD7}
2012-11-05 19:22 - 2012-11-05 19:22 - 00000000 ____D C:\Users\Owner\AppData\Local\{04499FD5-234E-4295-BA3C-46A93E8B95A6}
2012-10-29 15:03 - 2012-10-29 15:03 - 00000000 ____D C:\Users\Owner\AppData\Local\{27E08275-DA4B-4AD5-B5A1-87C1D9EF2563}

==================== One Month Modified Files and Folders =======

2012-11-28 19:55 - 2012-11-28 19:55 - 00000000 ____D C:\FRST
2012-11-28 07:28 - 2012-10-27 15:51 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-28 07:28 - 2012-03-29 06:19 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-28 07:28 - 2010-05-31 07:12 - 01182028 ____A C:\Windows\WindowsUpdate.log
2012-11-27 17:23 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-27 17:23 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-27 17:20 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-27 17:16 - 2012-10-27 15:51 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-27 17:15 - 2012-11-27 17:15 - 00277136 ____A C:\Windows\Minidump\112712-28953-01.dmp
2012-11-27 17:15 - 2012-11-18 15:48 - 264809162 ____A C:\Windows\MEMORY.DMP
2012-11-27 17:15 - 2012-11-18 15:48 - 00000000 ____D C:\Windows\Minidump
2012-11-27 17:15 - 2012-04-08 15:43 - 00002362 ____A C:\Windows\setupact.log
2012-11-27 17:15 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-27 16:29 - 2012-10-27 15:52 - 00002385 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-23 06:00 - 2012-11-19 12:33 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-23 05:56 - 2012-11-23 05:56 - 00287000 ____A C:\Windows\Minidump\112312-19780-01.dmp
2012-11-23 05:53 - 2012-11-23 05:53 - 00281264 ____A C:\Windows\Minidump\112312-32931-01.dmp
2012-11-22 20:39 - 2012-11-22 20:39 - 00000000 ____D C:\Windows\Sun
2012-11-22 20:13 - 2012-11-22 20:13 - 00281288 ____A C:\Windows\Minidump\112212-34897-01.dmp
2012-11-21 18:23 - 2010-04-03 21:36 - 00267670 ____A C:\Windows\PFRO.log
2012-11-21 18:22 - 2009-07-13 19:20 - 00000000 ___AD C:\Windows\System32\sysprep
2012-11-20 07:33 - 2011-12-14 11:40 - 00000000 ____D C:\Bovada
2012-11-19 13:30 - 2012-11-19 13:30 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Downloads\tdsskiller (1).exe
2012-11-19 13:30 - 2012-11-19 13:30 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Desktop\tdsskiller.exe
2012-11-18 17:30 - 2012-11-18 17:30 - 00001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-18 17:30 - 2012-11-18 17:30 - 00000000 ____D C:\Users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2012-11-18 17:30 - 2012-11-18 17:29 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-18 17:29 - 2012-11-18 17:29 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-11-18 17:27 - 2012-11-18 17:27 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-11-18 15:48 - 2012-11-18 15:48 - 00268880 ____A C:\Windows\Minidump\111812-17238-01.dmp
2012-11-18 14:48 - 2012-02-07 13:09 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-18 14:48 - 2011-07-07 06:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-17 07:40 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-11-16 06:37 - 2012-11-16 06:37 - 00524800 ____A (Promise Technology,Inc) C:\Users\Owner\AppData\Roaming\racap.dll
2012-11-16 06:36 - 2010-10-09 11:24 - 00097448 ____A C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-16 06:36 - 2009-07-13 20:45 - 00379128 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-16 05:09 - 2010-05-31 07:17 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-16 04:48 - 2010-10-09 12:24 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-11-11 18:16 - 2012-11-11 18:16 - 00000000 ____D C:\Users\Owner\AppData\Local\{B0D2244A-46DD-469F-A3B4-252D24FB6BAF}
2012-11-07 18:40 - 2012-11-07 18:40 - 00000000 ____D C:\Users\Owner\AppData\Local\{36957995-AE71-4890-B930-32AFD13BDBD7}
2012-11-05 19:22 - 2012-11-05 19:22 - 00000000 ____D C:\Users\Owner\AppData\Local\{04499FD5-234E-4295-BA3C-46A93E8B95A6}
2012-10-29 15:03 - 2012-10-29 15:03 - 00000000 ____D C:\Users\Owner\AppData\Local\{27E08275-DA4B-4AD5-B5A1-87C1D9EF2563}


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 1915.98 MB
Available physical RAM: 1475.06 MB
Total Pagefile: 1915.98 MB
Available Pagefile: 1465.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (TI105847W0F) (Fixed) (Total:222.47 GB) (Free:161.33 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive d: detected. Check for MBR/Partition infection.
3 Drive e: (xPUD) (CDROM) (Total:0.06 GB) (Free:0 GB) CDFS
5 Drive g: () (Removable) (Total:3.6 GB) (Free:3.6 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 3696 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 222 GB 1501 MB
Partition 3 Primary 8 GB 223 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105847W0F NTFS Partition 222 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3696 MB 0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================

Last Boot: 2012-11-17 07:32

==================== End Of Log =============================
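As an added example, not FRST's own code and not Farbar's, a Python triage of the FRST log above that picks out the indicators this thread acted on (a rundll32 autorun loading a DLL from AppData\Roaming, a svchost.exe sitting directly under C:\Windows, the TDL4 custom BCD entry) and drafts the start/end block in the format FRST reads from fixlist.txt. The sample lines are an excerpt constructed from the log above, and the detection rules are this example's own heuristics, not FRST's.

```python
"""Triage an FRST scan log for the bootkit indicators this thread turned up and draft the
fixlist.txt block that FRST's Fix button consumes (a start/end block, one entry per line)."""
import re

# Excerpt constructed from the FRST log posted above, reduced to the lines that matter here.
SAMPLE_FRST = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKU\Owner\...\Run: [racap] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\racap.dll",Warn [524800 2012-11-16] (Promise Technology,Inc)
2012-11-21 18:24 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe
C:\Windows\System32\svchost.exe => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!
ATTENTION: Malware custom entry on BCD on drive d: detected. Check for MBR/Partition infection.
Type : 17 (Suspicious Type)
"""

# Autorun that launches a DLL out of a user's AppData\Roaming through rundll32.
RUNDLL_ROAMING = re.compile(
    r'rundll32\.exe"\s+"(?P<dll>[A-Za-z]:\\Users\\[^"]+\\AppData\\Roaming\\[^"]+\.dll)"', re.I)
# Core system binaries that live in System32; a copy directly under C:\Windows is out of place.
MISPLACED_SYSTEM_EXE = re.compile(
    r'(?P<path>[A-Za-z]:\\Windows\\(?:svchost|wininit|winlogon|services|lsass|csrss|smss|userinit)\.exe)\b',
    re.I)
# FRST's marker for a rogue BCD boot entry (the "TDL4: custom:<id>" line).
TDL4_BCD = re.compile(r"^TDL4:\s*custom:\S+", re.I)


def triage(lines):
    """Sort log lines into fix entries (autorun, files, bcd) and informational hits."""
    findings = {"autorun": [], "files": [], "bcd": [], "info": []}
    seen = set()

    def add_file(path):
        if path.lower() not in seen:       # the same path shows up in several log sections
            seen.add(path.lower())
            findings["files"].append(path)

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        run = RUNDLL_ROAMING.search(line)
        if line.startswith("HK") and "\\Run:" in line and run:
            findings["autorun"].append(line)      # FRST deletes the value when given the full line
            add_file(run.group("dll"))            # and the DLL it loads goes too
            continue
        exe = MISPLACED_SYSTEM_EXE.search(line)
        if exe:
            add_file(exe.group("path"))
            continue
        if TDL4_BCD.match(line):
            findings["bcd"].append(line)          # copied verbatim, as in the fix posted below
            continue
        if "ATTENTION" in line or "Suspicious Type" in line:
            findings["info"].append(line)         # needs a human decision, not a fixlist entry
    return findings


def build_fixlist(findings):
    """Render the start/end block FRST expects in fixlist.txt."""
    entries = findings["autorun"] + findings["files"] + findings["bcd"]
    return "\n".join(["start", *entries, "end"])


if __name__ == "__main__":
    result = triage(SAMPLE_FRST.splitlines())
    for note in result["info"]:
        print("REVIEW:", note)
    print(build_fixlist(result))
```

On the excerpt this produces the same four entries as the fixlist Farbar posted in the next reply; the hidden partition and BCD warnings are reported for review rather than turned into entries.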

#13 Farbar (Just Curious, Security Developer, 21,719 posts, The Netherlands)

Posted 29 November 2012 - 01:40 AM

Well done. We expect the following fix to resolve the boot issue.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right click on it and select Copy. Right-click in the open Notepad and select Paste). Save it on the flash drive as fixlist.txt

start
HKU\Owner\...\Run: [racap] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\racap.dll",Warn [524800 2012-11-16] (Promise Technology,Inc)
C:\Users\Owner\AppData\Roaming\racap.dll
C:\Windows\svchost.exe
TDL4: custom:26000022 <===== ATTENTION!
end
Now please enter System Recovery Options and select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart, let it boot normally and tell me how it went.

#14 ksd1998 (Topic Starter, Members, 34 posts)

Posted 29 November 2012 - 10:09 AM

Normal boot worked perfectly!

Here is fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2012
Ran by SYSTEM at 2012-11-29 10:04:50 Run:1
Running from G:\

==============================================

HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\racap Value deleted successfully.
C:\Users\Owner\AppData\Roaming\racap.dll moved successfully.
C:\Windows\svchost.exe moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

#15 Farbar (Just Curious, Security Developer, 21,719 posts, The Netherlands)

Posted 29 November 2012 - 10:51 AM

Great. :thumbup2:

My colleague will work with you to make sure everything is taken care of.



