possible conime - menu bar focus


  • This topic is locked
26 replies to this topic

#1 ForeverRogue

ForeverRogue

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:08:05 PM

Posted 27 December 2012 - 06:45 PM

Hello and thanks. Continuing from topic #479833...

HP Pavilion laptop running Vista 64.
Had massive pop ups flooding screen. They were web browser windows all connecting to a site for a musical celebrity (not porn). Was able to run the usual scans (MBAM, SAS, SPYBOT and AD AWARE SE). Found and deleted a Trojan. I did not note which one - sorry, but it was a 'gen' type.
No more pop ups and everything working EXCEPT I am left with 2 issues (of course). 
1 - SCARY. Something is consistently sending packets to the internet. I had a NetworkMeter on the Sidebar and it would show about 5 spikes 1 second apart and then stop for 5 seconds and then repeat the spikes. This would go on for 20 seconds and then stop for about a minute or 2 and then repeat.

2 - ANNOYING. The Menu Bar (File, Edit, View) keeps stealing focus. It will highlight the File menu and any keystroke will select the appropriate menu command. This happens in ALL windows (IE, WORD, and any EXPLORER windows) and also happens with no windows open at all - the desktop, or icons on the desktop will randomly flash or blink. In a Window, the focus does not stay on the Menu Bar, but goes back and forth randomly from what you were doing - trying to enter text into a search field, or type a web address or fill out an online form.
Tried to get rid of this through the usual scans - ESET, RogueKiller, ComboFix (ooops sorry!) HJT... and a few others mentioned in your Forums. Trouble is that I tried to do it myself when I knew you guys could do it in a few replies - SORRY!!! 
Obviously, that did not work and I finally resorted to our trusty old friend FORMAT C:. HOWEVER (lol) I do not have the Windows, or the Recovery disks for the laptop and therefore could not do the Destructive Recovery. Could only reinstall and restore to factory original. The focus-stealing issue was still happening DURING the recovery...

So, there you go. I have a freshly restored laptop with some sort of Trojan/Virus. Help please! And thanks in advance!!


Attached File  dds.txt   7KB   4 downloads
Attached File  attach.txt   3.29KB   1 downloads

Edited by ForeverRogue, 27 December 2012 - 09:17 PM.




#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,584 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 01 January 2013 - 01:12 PM

Greetings ForeverRogue and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!


Posted 01 January 2013 - 01:14 PM

Logs Posted:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 7.0.6000.16386
Run by USER at 13:37:07 on 2012-12-27
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.2.1033.18.2045.1077 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files (x86)\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Hp\QuickPlay\QPService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~2\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files (x86)\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\SysWOW64\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Pavilion&pf=laptop
mWinlogon: Userinit = userinit.exe
BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: <No Name>: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
TB: Show Norton Toolbar: {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [ccApp] "c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [osCheck] "c:\Program Files (x86)\Norton Internet Security\osCheck.exe"
mRun: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
mRun: [QlbCtrl] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [Symantec PIF AlertEng] "C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
mRun: [ALUAlert] "C:\Program Files (x86)\Symantec\LiveUpdate\ALuNotify.exe"
mRunOnce: [Launcher] C:\Windows\SMINST\launcher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBER~1.LNK - C:\Program Files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBER~2.LNK - C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{FC051D2A-1DCF-4B87-9603-CA7A07C1050F} : DHCPNameServer = 192.168.0.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-Run: [NvSvc] RUNDLL32.EXE C:\Windows\System32\nvsvc64.dll,nvsvcStart
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\System32\NvMcTray.dll,NvTaskbarInit
x64-Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [HP Health Check Scheduler] C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2007-3-13 52664]
R1 IDSvia64;Symantec Intrusion Prevention Driver;C:\PROGRA~3\Symantec\DEFINI~1\SymcData\idsdefs\20121218.001\IDSvia64.sys [2012-12-26 392752]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2006-12-7 300032]
R3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw3v64.sys [2006-11-9 2582528]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2006-11-1 83456]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 13:37:51.60 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 26/12/2012 5:42:10 PM
System Uptime: 26/12/2012 8:07:18 PM (17 hours ago)
.
Motherboard: Quanta | | 30BD
Processor: Intel® Core™2 CPU T5500 @ 1.66GHz | U2E1 | 1333/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 102 GiB total, 77.868 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 69.004 GiB free.
E: is FIXED (NTFS) - 9 GiB total, 2.949 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP31: 26/12/2012 5:59:38 PM - Installed HP Pavilion Webcam Driver for Vista v061.001.00005
RP32: 26/12/2012 6:00:18 PM - Device Driver Package Install: Chicony Imaging devices
RP33: 26/12/2012 7:11:46 PM - Norton Internet Security post configuration restore point
.
==== Installed Programs ======================
.
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 9 ActiveX
Adobe Reader 8
AppCore
ASL_HS_InstallerAMD64
AutoUpdate
AV
ccCommon
ccCommon64
Conexant HD Audio
DivX
ESU for Microsoft Vista
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent
HP Active Support Library
HP Customer Experience Enhancements
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Pavilion Webcam Driver for Vista v061.001.00005
HP Quick Launch Buttons 6.10 B9
HP QuickPlay 3.0
HP Update
HP User Guide 0049
HP Wireless Assistant
LightScribe 1.4.136.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Works
MSRedist
muvee autoProducer 5.0
My HP Games
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Sonic Activation Module
SPBBC 64bit
Symantec Real Time Storage Protection Component (x64)
SymNet x64
Synaptics Pointing Device Driver
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
26/12/2012 7:09:05 PM, Error: Service Control Manager [7023] - The Offline Files service terminated with the following error: The system cannot find the path specified.
.
==== End Of File ===========================
Gary
 

#4 Oh My!


Posted 01 January 2013 - 01:23 PM

Greetings ForeverRogue,

Doesn't take long to review a fresh install!

Please start with this.


===================================================


Running TDSSKiller with Changed Parameters

--------------------

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please copy and paste the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log

Gary
 

#5 ForeverRogue


Posted 01 January 2013 - 04:12 PM

Hi Gary, thanks for your help. My name is Andy...

I am replying from my tablet and have tried to paste the logs here, but it won't let me click on 'post' afterwards. I am now going to try to attach them - my apologies in advance...

TDSSKiller did not find any threats...

Edited by ForeverRogue, 01 January 2013 - 04:27 PM.


#6 Oh My!


Posted 01 January 2013 - 04:41 PM

Hi Andy,

Welcome aboard.

If you are able to post the TDSS log at some point I would still like to take a look at it. Based on what you have indicated I already know what I would like to do next.

Let's take a look at your Master Boot Record (MBR) before Windows has a chance to load. Sometimes malicious entries are hidden during the Windows load up process and getting a picture this way will tell us what is really there before your computer can play hide and seek! :)

Please do this.


===================================================


GET xPUD MBR Dump

--------------------

For this step you will need a USB device and a blank CD. I have provided step by step instructions for this process in order to simplify the detailed task.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Double click the Posted Image icon
  • Click Run
  • Double click the Posted Image folder which should now be on your desktop
  • Double click on Posted Image
  • The program will download xpud_0.9.2.iso, and when it is finished it will open a BurnCDCC window

  • Click on Start, insert a blank CD when instructed, then click OK
  • When completed, the CD will eject for removal
  • Remove the CD and insert it and the USB device into the infected computer
  • Boot the infected computer with the CD you just burned
  • As the computer boots up gently tap F12 and choose to boot from the CD by using the keyboard arrow keys to highlight CD/DVD and then hit Enter
  • At the first screen select English
  • A Welcome to xPUD screen will appear
  • Press File
  • Under File System on the left hand side click on the triangle symbol to expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Double click on the folder that represents your USB drive (sdb1 ?).
  • If you do not see it, please remove the USB device, wait about 5 seconds, reinsert it, then click on the Refresh icon to the left of the house icon near the top of your screen. It should be added under mnt
  • On the top bar select Tool then select Open Terminal
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.bin. Please ensure the file is there
  • Remove the USB drive, insert it back in your working computer
  • Navigate to mbr.bin, zip the file, and attach it to your next reply.


===================================================


Things I would like to see in your next reply. :thumbsup2:

  • mbr.zip

Gary
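
As an added example (not from the thread, xPUD or Dumpit), here is a Python audit for the 512-byte mbr.bin that the dd command above writes: it checks the 0x55AA signature, decodes the four partition entries, flags an invalid status byte, multiple active partitions or overlapping entries, and hashes the 440-byte boot-code region so it can be compared against a dump from a known-clean machine of the same model instead of being inspected by eye. The sample MBR it builds is constructed to match the laptop's 102/112/9 GiB layout and is not the attached mbr.zip.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries live at bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"

# Partition type IDs worth naming on a Windows laptop; others are shown by raw value.
PARTITION_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT",
                   0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
                   0x12: "OEM recovery", 0x27: "hidden Windows RE", 0x83: "Linux"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "status": status,
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
        "lba_start": lba_start,
        "sectors": sectors,
        "size_gib": sectors * SECTOR_SIZE / 2**30,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR dump into partitions, a boot-code hash and sanity findings."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(mbr)))
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature is not 0x55AA")
    partitions = [parse_partition_entry(mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * i + 16])
                  for i in range(4)]
    for i, p in enumerate(partitions):
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02X" % (i, p["status"]))
    if sum(p["bootable"] for p in partitions) > 1:
        findings.append("more than one entry is flagged active")
    # Non-empty entries must not overlap on disk.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in partitions if p["type"] != 0x00)
    if any(nxt[0] < prev[1] for prev, nxt in zip(spans, spans[1:])):
        findings.append("partition entries overlap")
    return {
        # Bytes 0..439 are the boot code a bootkit would replace; compare this hash with a
        # dump taken from a known-clean machine of the same model rather than eyeballing it.
        "boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": mbr[440:444].hex(),
        "partitions": partitions,
        "findings": findings,
    }


def audit_mbr_file(path: str) -> dict:
    """Audit an mbr.bin written by `dd if=/dev/sda of=mbr.bin bs=512 count=1`."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed sample (not the thread's mbr.zip) shaped like the laptop's 102/112/9 GiB
    C:/D:/E: layout; the boot code is zero-filled, so it is a stand-in, not a real dump."""
    c_sectors, d_sectors, e_sectors = 102 * 2**21, 112 * 2**21, 9 * 2**21  # 2**21 sectors/GiB
    c_start = 2048
    d_start = c_start + c_sectors
    e_start = d_start + d_sectors
    chs = b"\xfe\xff\xff"  # CHS fields are ignored by modern loaders; this is the usual filler
    table = b"".join(struct.pack("<B3sB3sII", status, chs, ptype, chs, start, count)
                     for status, ptype, start, count in (
                         (0x80, 0x07, c_start, c_sectors),  # C: active NTFS system partition
                         (0x00, 0x07, d_start, d_sectors),  # D: NTFS data partition
                         (0x00, 0x12, e_start, e_sectors),  # E: OEM recovery partition
                         (0x00, 0x00, 0, 0)))               # unused fourth entry
    disk_signature = b"\x12\x34\x56\x78\x00\x00"  # constructed NT disk signature + padding
    return bytes(440) + disk_signature + table + BOOT_SIGNATURE
```

Run audit_mbr_file("mbr.bin") on the real dump; a non-empty findings list or a boot-code hash that differs from a clean machine of the same model is what to look at first.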
 

#7 ForeverRogue


Posted 01 January 2013 - 04:42 PM

Ok, so I FINALLY got it to post after I pasted the log file.... but it told me it was too long and I should shorten it. ??? When I tried to attach it, I got the same message - the attachment is too big. The log is 407 kb.

Please advise :)

... Ok, thank you. It will take me a day or 2 to get to a device able to burn the CD. I will do so and get back to you ASAP. In the meantime, is there anything we can try 'from' the infected laptop?

Thanks again for your help and patience :)

Edited by ForeverRogue, 01 January 2013 - 04:48 PM.


#8 Oh My!


Posted 01 January 2013 - 04:46 PM

Hi Andy,

We cross posted. Please see my previous post.

Try to zip and attach the TDSSKiller file.
Gary
 

#9 ForeverRogue


Posted 01 January 2013 - 05:14 PM

Goodness... I don't know why I didn't think of that. Zipped file should be attached... Thanks :)

Attached File  TDSSKiller.2.8.15.0_01.01.2013_12.41.39_log.zip   66.12KB   2 downloads

#10 Oh My!


Posted 01 January 2013 - 06:08 PM

If you have the ability to burn a CD on the infected computer please try that.
Gary
 

#11 ForeverRogue


Posted 01 January 2013 - 06:57 PM

Hi Gary - I managed to get the laptop to boot from the CD that we created. I even got as far as opening the terminal window... now the problem I am having is entering the text you requested.

This nasty is stealing focus by invoking the CTRL key, or something... As I try to enter the text, I am getting ASCII characters instead. I have to hold the ctrl key while repeatedly tapping the key I want to enter. This of course produces multiple letters which are then difficult to 'backspace' for the same reason :(

Bear with me as I continue to attempt input. Any suggestions in the meantime would be appreciated :)

#12 Oh My!


Posted 01 January 2013 - 07:32 PM

Hi Andy,

Let's get the information this way.


===================================================


xPUD Master Boot Record (MBR) Report Using Dumpit

--------------------

  • Insert your USB drive into your clean computer
  • Right click this dumpit link, select "save link/target as", and save the file directly to your USB
  • Remove your USB device and insert it into your infected computer
  • Boot the Sick computer using your GETxPUD CD
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1, sdc1, etc.). If it is not there remove the USB device for 5 seconds then reinsert.
  • Double click on the Dumpit file
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • mbr.zip

Gary
 

#13 ForeverRogue


Posted 01 January 2013 - 08:01 PM

Guru Gary - thanks millions!! Good luck :)

Attached File  mbr.zip   2.96KB   1 downloads

#14 Oh My!


Posted 01 January 2013 - 08:20 PM

Hi Andy,

Your MBR looks fine. Can you please describe your keyboard and mouse setup?
Gary
 

#15 ForeverRogue


Posted 01 January 2013 - 08:53 PM

Hi Gary - the keyboard is the OEM on-board. I am however using a USB wireless mouse. The input method is so difficult, using the on-board touchpad would be next to impossible. I've had to double-click on things 30-50 times before actually catching it... I have tried cleaning the ctrl and alt keys, as well as the entire keyboard.

Is there any other way to get to the format command, without a CD? Someone should create a website that you can access to run certain commands directly from online lol - life should be this simple. I know, I know .... can't run format from within Windows.

Anyway - thanks for your help. Let me know if there is anything else we can try.

Edited by ForeverRogue, 01 January 2013 - 09:11 PM.




