
HJT



#1 FivePastTwo

Members · 23 posts · Gender: Male

Posted 10 November 2017 - 01:08 PM

Hi all,

 

Is there a link where I can run and submit a HJT log? I'm struggling to find a link.




#2 nasdaq

Malware Response Team · 37,727 posts · Gender: Male · Location: Montreal, QC, Canada

Posted 10 November 2017 - 01:50 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You can submit your logs in this topic.

HijackThis is no longer supported.
I suggest you remove it via the Control Panel > Programs > Programs and Features.
Use the Farbar Recovery Scan Tool from now on to report problems.
<<<>>>


Step 1: Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Step 2: Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Step 3: Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================

#3 FivePastTwo

Posted 10 November 2017 - 05:40 PM

Hi nasdaq

 

I've downloaded MWB, followed your instructions, the programme started scanning, passed rootkits, at the next point, I think it's scan start up memory, my system crashed.

 

I uninstalled, reinstalled MWB again, once again, going from rootkits to scan start up memory, my system crashed again.



#4 nasdaq

Posted 11 November 2017 - 09:16 AM

Hi,

Let's see if we can find what driver crashed.

Please download the free home edition of WhoCrashed to your Desktop from here and install it by double-clicking "whocrashedSetup.exe".
At the end, it will open automatically. Click the "Analyze" button.

Please scroll down the Information window to copy and paste the results in your next reply.
====


We will also check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


#5 FivePastTwo

Posted 12 November 2017 - 10:19 AM

Hi nasdaq

 

See below. Unable to upload the report from TDSSKiller; however, I've run it and it says no threats detected.


Edited by FivePastTwo, 12 November 2017 - 11:24 AM.


#6 FivePastTwo

Posted 12 November 2017 - 11:22 AM

System Information (local)

 

 

Computer name: USER-PC
Windows version: Windows 7 Service Pack 1, 6.1, build: 7601
Windows dir: C:\Windows
Hardware: HP G61 Notebook PC, Hewlett-Packard, 3069
CPU: GenuineIntel Celeron® Dual-Core CPU T3100 @ 1.90GHz Intel586, level: 6
2 logical processors, active mask: 3
RAM: 2075054080 bytes total

 

Crash Dump Analysis

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.

On Fri 10/11/2017 22:16:36 your computer crashed
crash dump file: C:\Windows\Minidump\111017-27690-01.dmp
This was probably caused by the following module: ataport.sys (ataport+0x1E93C)
Bugcheck code: 0x7A (0xFFFFF6FC400090F0, 0xFFFFFFFFC0000185, 0x1266B860, 0xFFFFF8800121E93C)
Error: KERNEL_DATA_INPAGE_ERROR
file path: C:\Windows\system32\drivers\ataport.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: ATAPI Driver Extension
Bug check description: This bug check indicates that the requested page of kernel data from the paging file could not be read into memory.
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time.

On Fri 10/11/2017 22:16:36 your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: ataport.sys (ataport+0x1E93C)
Bugcheck code: 0x7A (0xFFFFF6FC400090F0, 0xFFFFFFFFC0000185, 0x1266B860, 0xFFFFF8800121E93C)
Error: KERNEL_DATA_INPAGE_ERROR
file path: C:\Windows\system32\drivers\ataport.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: ATAPI Driver Extension
Bug check description: This bug check indicates that the requested page of kernel data from the paging file could not be read into memory.
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time.

On Fri 10/11/2017 21:39:23 your computer crashed
crash dump file: C:\Windows\Minidump\111017-22838-01.dmp
This was probably caused by the following module: ataport.sys (ataport+0x1E93C)
Bugcheck code: 0x7A (0xFFFFF6FC40009AE0, 0xFFFFFFFFC0000185, 0x5F152860, 0xFFFFF8800135C93C)
Error: KERNEL_DATA_INPAGE_ERROR
file path: C:\Windows\system32\drivers\ataport.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: ATAPI Driver Extension
Bug check description: This bug check indicates that the requested page of kernel data from the paging file could not be read into memory.
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time.

 

Conclusion

3 crash dumps have been found and analyzed. No offending third party drivers have been found. Connsider using WhoCrashed Professional which offers more detailed analysis using symbol resolution. Also configuring your system to produce a full memory dump may help you.


Read the topic general suggestions for troubleshooting system crashes for more information.

Note that it's not always possible to state with certainty whether a reported driver is responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.



Edited by FivePastTwo, 12 November 2017 - 11:28 AM.
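Added example, not code from this thread or from WhoCrashed: a small Python triage script that parses the "Crash Dump Analysis" entries above and decodes the 0x7A parameters, showing why three identical KERNEL_DATA_INPAGE_ERROR crashes in the inbox ataport.sys point at the disk rather than at a third-party driver or rootkit. The sample text is the report above trimmed to the lines used; the NTSTATUS table is a short, hand-picked list of device-error codes that bug check 0x7A reports in parameter 2.

```python
import re
from collections import Counter

# Constructed sample: the three "Crash Dump Analysis" entries pasted above, trimmed to what this parser reads.
WHOCRASHED_REPORT = r"""
On Fri 10/11/2017 22:16:36 your computer crashed
This was probably caused by the following module: ataport.sys (ataport+0x1E93C)
Bugcheck code: 0x7A (0xFFFFF6FC400090F0, 0xFFFFFFFFC0000185, 0x1266B860, 0xFFFFF8800121E93C)

On Fri 10/11/2017 22:16:36 your computer crashed
This was probably caused by the following module: ataport.sys (ataport+0x1E93C)
Bugcheck code: 0x7A (0xFFFFF6FC400090F0, 0xFFFFFFFFC0000185, 0x1266B860, 0xFFFFF8800121E93C)

On Fri 10/11/2017 21:39:23 your computer crashed
This was probably caused by the following module: ataport.sys (ataport+0x1E93C)
Bugcheck code: 0x7A (0xFFFFF6FC40009AE0, 0xFFFFFFFFC0000185, 0x5F152860, 0xFFFFF8800135C93C)
"""

BUGCHECK_NAMES = {0x7A: "KERNEL_DATA_INPAGE_ERROR", 0x77: "KERNEL_STACK_INPAGE_ERROR"}
# For bug checks 0x7A/0x77, parameter 2 is the NTSTATUS the paging I/O failed with;
# these values all mean the storage device itself reported an error (hand-picked subset).
DISK_IO_STATUS = {
    0xC000009C: "STATUS_DEVICE_DATA_ERROR",
    0xC000009D: "STATUS_DEVICE_NOT_CONNECTED",
    0xC0000185: "STATUS_IO_DEVICE_ERROR",
    0xC000016A: "STATUS_DISK_OPERATION_FAILED",
}

def parse_crashes(report):
    """One dict per crash entry: blamed module, bug check code, raw parameters."""
    crashes = []
    for entry in re.split(r"\n\s*\n", report.strip()):
        module = re.search(r"following module: (\S+)", entry)
        bugcheck = re.search(r"Bugcheck code: 0x([0-9A-Fa-f]+) \(([^)]*)\)", entry)
        if module and bugcheck:
            params = [int(p, 16) for p in bugcheck.group(2).split(",")]
            crashes.append({"module": module.group(1), "code": int(bugcheck.group(1), 16), "params": params})
    return crashes

def decode(crash):
    """Name the bug check and its I/O status (WhoCrashed prints the status sign-extended to 64 bits)."""
    status = crash["params"][1] & 0xFFFFFFFF
    return {"bugcheck": BUGCHECK_NAMES.get(crash["code"], f"0x{crash['code']:X}"),
            "status": DISK_IO_STATUS.get(status, f"unrecognised NTSTATUS 0x{status:08X}"),
            "disk_io": status in DISK_IO_STATUS}

def triage(report):
    """Summarise a report: a third-party driver crash, or a disk the kernel cannot read from?"""
    crashes = parse_crashes(report)
    decoded = [decode(c) for c in crashes]
    all_disk = bool(crashes) and all(d["disk_io"] for d in decoded)
    verdict = ("disk paging I/O fails inside the inbox storage stack: test the drive (SMART, "
               "chkdsk, cabling) before treating this as malware" if all_disk else "mixed causes")
    return {"count": len(crashes), "modules": dict(Counter(c["module"] for c in crashes)),
            "statuses": sorted({d["status"] for d in decoded}), "verdict": verdict}
```

Running `triage(WHOCRASHED_REPORT)` on the sample reports three crashes, all in ataport.sys with STATUS_IO_DEVICE_ERROR, which is the same conclusion the helper reaches further down the thread.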


#7 nasdaq

Posted 12 November 2017 - 11:46 AM

Hi,

It could be some hardware issue.

Did you install any new hardware recently?

Also let's find out if it's caused by a rootkit.

Run this Malwarebytes Anti-Rootkit.

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Before you run the program make sure you follow the instructions under Section 5.
5. Unselect sectors and system below. Hit the scan button.

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder here after.
<<<>>>

#8 FivePastTwo

Posted 12 November 2017 - 01:41 PM

Hi

 

I've run a scan following your links and instructions above, nothing to export as no threats were found



#9 FivePastTwo

Posted 12 November 2017 - 01:45 PM

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.11.12.05
  rootkit: v2017.10.14.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18349
User :: USER-PC [administrator]

12/11/2017 18:03:14
mbar-log-2017-11-12 (18-03-14).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 277893
Time elapsed: 30 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)
 



#10 nasdaq

Posted 13 November 2017 - 07:58 AM

Hi,

Did you unselect Sectors and System before you executed the program?

Before you run the program make sure you follow the instructions under Section 5.
5. Unselect sectors and system below. Hit the scan button.


If not please run again and disable the sections.

Did you add any Hardware recently?

Update the ATAPI driver.
https://www.techwalla.com/articles/how-to-update-the-atapi-drivers

Keep me posted.

#11 FivePastTwo

Posted 13 November 2017 - 09:54 AM

Hi

 

I don't recall installing any hardware recently

 

Sectors and sections disabled, details below, techwalla scan to follow

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.11.13.07
  rootkit: v2017.10.14.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18349
User :: USER-PC [administrator]

13/11/2017 14:22:16
mbar-log-2017-11-13 (14-22-16).txt

Scan type:
Scan options enabled: Anti-Rootkit | Drivers | MBR
Scan options disabled: Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Objects scanned: 324
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#12 FivePastTwo

Posted 13 November 2017 - 10:06 AM

Hi

 

Update the ATAPI driver.
https://www.techwalla.com/articles/how-to-update-the-atapi-drivers

 

I'm trying to open the above link, IE won't allow, pop up message: IE has stopped working, a problem caused the programme to stop working correctly.



#13 nasdaq

Posted 13 November 2017 - 01:35 PM

If installed use Firefox or Chrome.

#14 FivePastTwo

Posted 15 November 2017 - 12:25 AM

Hi

 

I've installed Chrome

 

Now managed to get onto the link posted above.

 

Followed the instructions, got as far as step 6.

 

Step 5

Click the "Driver" tab in the hardware device properties window and then press the "Update Driver" button. The driver update utility will open.

Step 6

Click the "Search Automatically for Updated Driver Software" option to set Windows on a search for a new driver for the ATAPI device. After the updated driver is found Windows installed it automatically and you may resume normal use of your PC.

 

Just hangs forever, have to manually power laptop down



#15 nasdaq

Posted 15 November 2017 - 08:52 AM



Hi,

Step 6
Click the "Search Automatically for Updated Driver Software" option to set Windows on a search for a new driver for the ATAPI device. After the updated driver is found Windows installed it automatically and you may resume normal use of your PC.



http://whatis.techtarget.com/definition/ATAPI-AT-Attachment-Packet-Interface

I suggest you start a new topic in the Internal Hardware forum.
https://www.bleepingcomputer.com/forums/f/7/internal-hardware/

An expert with Hardware issues should be able to help you better than I can. This is not malware related and not my forte.

Explain your problems and include the aswMBR.txt file that you submitted on this topic.

I will keep this topic open for 6 days. If you need to return please do.



