
Possible virus that survives formatting


  • This topic is locked
6 replies to this topic

#1 crusaderbond


Posted 08 April 2015 - 01:33 PM

My previous post is in Am I Infected. Still not 100% sure I am infected, but I'm sure someone here will know.

As well as displaying unusual and slow activity, GMER reports rootkit activity even after a fresh reinstall. After flashing the BIOS and restarting, the computer displays only a black screen for approx 5 minutes when turned on, then boots as normal. This only happens directly after a BIOS flash, and it seems suspicious. At this point I am beginning to doubt the results and am suspicious of a hardware issue, but GMER has never failed me before, and the computer was definitely infected when I started working on it. Malwarebytes removed 3 trojans, but the infection persisted when I first received it, so I wiped the hard drive. On reinstall, GMER reported suspected rootkit activity, so I booted up on a Linux CD and wiped the MBR and the whole drive, then reinstalled, with the same results in GMER. I then flashed the mouse, BIOS, and CD drive firmware, wiped the MBR and the drive, and reinstalled again. The PC bluescreened when I ran GMER again, and displayed warnings about hard disk integrity. I shut off the computer, then entered Dell's diagnostic tool from the F12 boot menu, but the built-in hard drive diagnostic tool never advanced past 0%, despite running it 3 times for an hour each.
 
PC is a Dell Studio Hybrid 140g running Windows Vista. I have formatted the hard drive and wiped the MBR 8 times now, trying different things. An issue is that the BIOS updates can only be run in a Windows environment, so I can't be certain they are actually working, since I am running it in a possibly infected environment. It's my mother's computer, and I'd really appreciate assistance in figuring out what to do next. I am completely lost at this point.
 
Thank you.

 
My FRST logs are attached, as well as the blue screen error report and a screenshot.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by PC (administrator) on PC-PC on 08-04-2015 11:18:10
Running from E:\
Loaded Profiles: PC (Available profiles: PC)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 7 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\DFDWiz.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1901934802-177999405-3712639699-1000\...\MountPoints2: {703dd28f-dca9-11e4-9707-d5accc49b6e3} - E:\setup.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
Tcpip\Parameters: [DhcpNameServer] 172.31.79.142 172.31.79.144 157.54.14.146 157.54.14.162

FireFox:
========

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 hidkmdf; C:\Windows\System32\DRIVERS\hidkmdf.sys [13216 2015-02-26] (Windows ® Win 7 DDK provider)
S3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [35104 2015-02-26] (SteelSeries ApS)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PEGAIO; \??\E:\pfutemp\PEGAIO32.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-08 11:17 - 2015-04-08 11:18 - 00000000 ____D () C:\FRST
2015-04-08 11:13 - 2015-04-08 11:13 - 00000000 ____H () C:\Windows\system32\Drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2015-04-08 11:13 - 2015-04-08 11:13 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_sshid_01009.Wdf
2015-04-08 11:10 - 2015-04-08 11:10 - 00134880 _____ () C:\Windows\Minidump\Mini040815-01.dmp
2015-04-08 11:10 - 2015-04-08 11:10 - 00000000 ____D () C:\Windows\Minidump
2015-04-08 11:09 - 2015-04-08 11:10 - 134176479 _____ () C:\Windows\MEMORY.DMP
2015-04-07 13:03 - 2015-04-07 13:03 - 00000000 ____D () C:\515feca0623f1a5b8787
2015-04-07 13:02 - 2015-04-07 13:02 - 00000000 ____D () C:\Users\admin
2015-04-07 13:02 - 2015-04-07 13:02 - 00000000 ____D () C:\ProgramData\SteelSeries
2015-04-07 13:02 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2015-04-07 13:02 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2015-04-07 13:01 - 2015-04-07 13:01 - 00000000 ____D () C:\Program Files\SteelSeries
2015-04-07 11:37 - 2015-04-07 11:37 - 00048600 _____ () C:\Users\PC\AppData\Local\GDIPFONTCACHEV1.DAT
2015-04-07 11:37 - 2015-04-07 11:37 - 00000949 _____ () C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-04-07 11:37 - 2015-04-07 11:37 - 00000944 _____ () C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-04-07 11:36 - 2015-04-08 11:11 - 00000680 _____ () C:\Users\PC\AppData\Local\d3d9caps.dat
2015-04-07 11:36 - 2015-04-07 13:03 - 00000000 ____D () C:\Users\PC
2015-04-07 11:36 - 2015-04-07 11:36 - 00000915 _____ () C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
2015-04-07 11:36 - 2015-04-07 11:36 - 00000020 ___SH () C:\Users\PC\ntuser.ini
2015-04-07 11:36 - 2015-04-07 11:36 - 00000000 ____D () C:\Users\PC\AppData\Local\VirtualStore
2015-04-07 11:36 - 2008-01-20 19:42 - 00000000 ___RD () C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-04-07 11:36 - 2008-01-20 19:42 - 00000000 ___RD () C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-04-06 16:07 - 2015-04-06 16:07 - 00008192 ___RS () C:\BOOTSECT.BAK
2015-04-06 16:07 - 2015-04-06 15:20 - 00000000 ____D () C:\Windows\Panther
2015-04-06 16:07 - 2008-01-20 19:24 - 00333203 __RSH () C:\bootmgr
2015-04-06 16:06 - 2015-04-06 12:40 - 00000024 _____ () C:\Windows\dell_version
2015-04-06 15:16 - 2015-04-06 15:16 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_00_00.Wdf
2015-04-06 15:10 - 2015-04-06 15:17 - 00001355 _____ () C:\Windows\TSSysprep.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-08 11:17 - 2006-11-02 05:52 - 00028864 _____ () C:\Windows\setupact.log
2015-04-08 11:17 - 2006-11-02 03:33 - 00690960 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-08 11:13 - 2008-01-20 18:35 - 00053717 _____ () C:\Windows\WindowsUpdate.log
2015-04-08 11:11 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-08 11:11 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-08 11:11 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-07 11:58 - 2006-11-02 05:37 - 00000000 ____D () C:\Windows\system32\restore
2015-04-07 11:33 - 2006-11-02 04:18 - 00000000 ____D () C:\Windows\rescache
2015-04-06 16:07 - 2006-11-02 05:43 - 00041984 ____H () C:\Windows\system32\config\BCD-Template.LOG
2015-04-06 16:07 - 2006-11-02 05:37 - 00262144 _____ () C:\Windows\system32\config\BCD-Template
2015-04-06 15:19 - 2006-11-02 05:47 - 00228720 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-04-06 15:17 - 2006-11-02 06:01 - 00004344 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-06 15:10 - 2006-11-02 05:48 - 00003257 _____ () C:\Windows\DtcInstall.log

==================== Files in the root of some directories =======

2015-04-07 11:36 - 2015-04-08 11:11 - 0000680 _____ () C:\Users\PC\AppData\Local\d3d9caps.dat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-08 11:16

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015
Ran by PC at 2015-04-08 11:18:33
Running from E:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)


==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

07-04-2015 11:58:21 Scheduled Checkpoint
07-04-2015 13:02:13 Installed DirectX
07-04-2015 13:02:40 Device Driver Package Install: SteelSeries ApS Human Interface Devices

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 03:23 - 2006-09-18 14:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (whitelisted) ==============


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1901934802-177999405-3712639699-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\Wallpaper\img24.jpg
DNS Servers: Media is not connected to internet.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-1901934802-177999405-3712639699-500 - Administrator - Disabled)
Guest (S-1-5-21-1901934802-177999405-3712639699-501 - Limited - Disabled)
PC (S-1-5-21-1901934802-177999405-3712639699-1000 - Administrator - Enabled) => C:\Users\PC

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Standard VGA Graphics Adapter
Description: Standard VGA Graphics Adapter
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard display types)
Service: vga
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Video Controller
Description: Video Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Realtek RTL8168/8111 Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
Description: Realtek RTL8168/8111 Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: RTL8169
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/08/2015 11:11:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/07/2015 01:02:28 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point on volume (Process = C:\Users\admin\AppData\Local\Temp\steelseriesengine-dxredist\dxsetup.exe /silent; Descripton = ôqw; Hr = 0x80070057).

Error: (04/07/2015 01:02:13 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {862e3508-f80c-4c20-a115-1f31e8adcdbe}

Error: (04/07/2015 11:34:11 AM) (Source: Windows Search Service Profile Notification) (EventID: 2) (User: )
Description: Unable to remove Windows Search Service indexed data for user 'PC-PC\Administrator' in response to user profile deletion. Error code 0x80070015.

The device is not ready.
.

Error: (04/07/2015 11:32:54 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/08/2015 11:11:13 AM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (04/08/2015 11:11:08 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 1:03:35 PM on 4/7/2015 was unexpected.

Error: (04/07/2015 11:32:40 AM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (04/06/2015 03:11:05 PM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos


Microsoft Office Sessions:
=========================
Error: (04/08/2015 11:11:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/07/2015 01:02:28 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Users\admin\AppData\Local\Temp\steelseriesengine-dxredist\dxsetup.exe /silentôqw0x80070057

Error: (04/07/2015 01:02:13 PM) (Source: VSS) (EventID: 8194) (User: )
Description: 0x80070005

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {862e3508-f80c-4c20-a115-1f31e8adcdbe}

Error: (04/07/2015 11:34:11 AM) (Source: Windows Search Service Profile Notification) (EventID: 2) (User: )
Description: PC-PC\Administrator0x80070015The device is not ready.

Error: (04/07/2015 11:32:54 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
Date: 2015-04-08 11:18:19.499
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:18:19.499
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:18:19.483
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:18:19.483
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:18:19.421
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:18:19.421
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:18:19.405
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:18:19.390
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:11:30.021
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-08 11:11:30.005
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU T5850 @ 2.16GHz
Percentage of memory in use: 25%
Total physical RAM: 2038.45 MB
Available physical RAM: 1514.22 MB
Total Pagefile: 4312.2 MB
Available Pagefile: 3834.81 MB
Total Virtual: 2047.88 MB
Available Virtual: 1930.38 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.88 GB) (Free:222.36 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (MULTISYSTEM) (Removable) (Total:14.89 GB) (Free:13.36 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 20000000)
Partition 1: (Active) - (Size=232.9 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 14.9 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=14.9 GB) - (Type=0B)

==================== End Of Log ============================

Edited by Oh My!, 09 April 2015 - 07:25 PM.


#2 Oh My!

  • Malware Response Instructor

Posted 09 April 2015 - 07:36 PM

Greetings crusaderbond and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Your computer is not infected. We can take a couple of steps here to take a quick look but you are probably going to need to post in a different forum. Please do these things.

===================================================

Seagate Seatools for DOS

----------
  • Please download SeaTools for DOS and create a bootable CD as instructed here and save it to your desktop
  • NOTE: If you have any difficulty booting up with this version, please use one of the legacy versions of SeaTools for DOS
  • If you do not have ISO burning software on your computer download and install Active@ ISO Burner then create a bootable disk with the downloaded file
  • Boot your computer using the CD you just created. If necessary see here for instructions about how to boot to CD
  • After the program loads click I Accept
  • Left Click on your hard drive listed under Drive List (if you have a Seagate hard drive take special note of the caution below)
  • Click Basic Tests, then select Long Generic
  • Allow the process to run, which may take up to 3 hours, and report the findings in your reply
  • If the results indicate your hard drive failed the test and you have a Seagate hard drive installed DO NOT follow up on the suggestion to allow the program to attempt to resolve the issue. Doing so may cause permanent loss of data
===================================================

Uploading Minidump File

--------------------
  • Using Windows Explorer please navigate to the following location(s):

C:\Windows\Minidump\Mini040815-01.dmp

  • Upload the file(s) here
  • I will be automatically notified when the file has been successfully uploaded
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Hard drive report
  • Uploaded Minidump file

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 crusaderbond

  • Topic Starter

Posted 10 April 2015 - 05:32 PM

I feel dumb. I kept assuming that problems were malware related even after I probably removed the malware. The disk failed the long test and says its SMART flag has triggered.

 

I just uploaded the dump. Thanks for the help. If you don't see anything odd, I'm more than capable of replacing the hard drive.

 

Sorry about the slow response time, I discovered my CD burner on another PC is dead too. You are super helpful Greg, have a splendid day/night!

 

 



#4 Oh My!

  • Malware Response Instructor

Posted 10 April 2015 - 06:22 PM

Greetings,

Sorry you were delivered the bad news but at least you know. Nothing in the dump file changes the need to replace the drive. After that you should be fine.

Though we really only deal with one computer per Topic you might want to take a quick look here before potentially starting a new Topic.

Is there anything else I can assist you with?


Edited by Oh My!, 10 April 2015 - 06:30 PM.

Gary

#5 crusaderbond

  • Topic Starter

Posted 10 April 2015 - 06:38 PM

I've got it from here, thanks for being so helpful! :)

#6 Oh My!

  • Malware Response Instructor

Posted 10 April 2015 - 07:23 PM

I didn't do much but you are welcome. Allow me to leave you with just a bit of information as I close this Topic.

===================================================

Keeping Your Computer Safe

----------

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.

Edited by Oh My!, 10 April 2015 - 07:23 PM.

Gary

#7 Oh My!

  • Malware Response Instructor

Posted 11 April 2015 - 08:33 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary



