TechSpot

Followed 5 step removal. Next step?

By Delseg
Feb 4, 2012
  1. Hi. My computer went black and popped up numerous mini windows and pop up tabs on the bottom taskbar, one of them saying "Hard drive clusters are partly damaged". I followed your 5 steps and here are the logs:
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.04.01

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.18702
    SEGURA :: SEGURA-PC [administrator]

    2/4/2012 12:10:44 AM
    mbam-log-2012-02-04 (00-10-44).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 219016
    Time elapsed: 7 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dll (Trojan.Agent) -> Data: rundll32 dll32,sm -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s -> Quarantined and deleted successfully.

    Registry Data Items Detected: 5
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    They were very clear instructions and downloads went smoothly. I hope I've done everything right. Your help will be greatly appreciated.
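The registry findings in the log above are the part of this scan that tells a responder what the infection actually did: a Run-key entry that relaunched it at logon, policy values that disabled Task Manager and hid Start Menu items, and a file-association redirect to an attacker-chosen site. As an added example (not part of the original post and not Malwarebytes code), this Python parses that section into structured findings and groups them by what they mean. The sample text is an excerpt of the log above; the triage categories are my own grouping, not a Malwarebytes classification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the registry section of the Malwarebytes log above, cut down to
# the section headers and detection lines the parser reads.
SAMPLE_MBAM_LOG = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dll (Trojan.Agent) -> Data: rundll32 dll32,sm -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s -> Quarantined and deleted successfully.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^(?P<name>.+?) Detected: (?P<count>\d+)$")
HEAD_RE = re.compile(r"^(?P<path>.+) \((?P<category>[A-Za-z0-9_.]+)\)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")

@dataclass
class Finding:
    section: str               # e.g. "Registry Values"
    path: str                  # registry key, hive included
    value_name: Optional[str]  # None when the whole key was detected
    category: str              # Malwarebytes detection name, e.g. "PUM.Hijack.TaskManager"
    detail: str                # text between the first and last "->", e.g. "Data: ..."
    bad: Optional[str]         # value found (data-item entries only)
    good: Optional[str]        # value restored (data-item entries only)
    action: str                # what the scanner did

def parse_mbam_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section is None or " -> " not in line:
            continue  # banner lines and "(No malicious items detected)"
        parts = line.split(" -> ")
        head, action = parts[0], parts[-1].rstrip(".")
        detail = " -> ".join(parts[1:-1])
        m = HEAD_RE.match(head)
        if not m:
            continue
        path, category = m.group("path"), m.group("category")
        value_name = None
        if "|" in path:                      # "|" separates the key from the value name
            path, value_name = path.rsplit("|", 1)
        bg = BADGOOD_RE.match(detail)
        bad, good = (bg.group("bad"), bg.group("good")) if bg else (None, None)
        findings.append(Finding(section, path, value_name, category, detail, bad, good, action))
    return findings

def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by what they tell a responder (my grouping, not the scanner's)."""
    return {
        # persistence: anything under a Run key was launched at every logon
        "autostart": [f for f in findings if f.path.upper().endswith("\\RUN")],
        # defensive evasion / UI tampering: Task Manager disabled, Start Menu items hidden
        "policy_tampering": [f for f in findings if f.category.startswith("PUM.Hijack")],
        # unknown-extension lookups redirected from Microsoft's URL to a third-party site
        "association_hijack": [f for f in findings if f.category == "Hijacker.Application"],
    }

def task_manager_was_disabled(findings: List[Finding]) -> bool:
    return any(f.value_name == "DisableTaskMgr" and f.bad == "1" for f in findings)
```

The parser keeps the scanner's own "Bad"/"Good" pair, so a responder can see at a glance both what was changed (DisableTaskMgr set to 1 in both HKCU and HKLM, the Associations URL pointed at helpmeopen.com) and what the scanner restored; on a machine that is still infected, those are the values to re-check after the next reboot.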
     
  2. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-04 12:19:26
    Windows 6.0.6002 Service Pack 2
    Running: w90fw6cs[1].exe; Driver: C:\Users\SEGURA\AppData\Local\Temp\uwdiqpow.sys


    ---- Files - GMER 1.0.15 ----

    File C:\## aswSnx private storage 0 bytes
    File C:\## aswSnx private storage\r3 0 bytes
    File C:\## aswSnx private storage\snx_rhive 262144 bytes
    File C:\## aswSnx private storage\snx_rhive.LOG1 9216 bytes
    File C:\## aswSnx private storage\snx_rhive.LOG2 0 bytes
    File C:\## aswSnx private storage\snx_rhive{9aac3892-4f02-11e1-a856-001e3340df9d}.TM.blf 65536 bytes
    File C:\## aswSnx private storage\snx_rhive{9aac3892-4f02-11e1-a856-001e3340df9d}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
    File C:\## aswSnx private storage\snx_rhive{9aac3892-4f02-11e1-a856-001e3340df9d}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
    File C:\Windows\$NtUninstallKB65229$\2571265935 0 bytes
    File C:\Windows\$NtUninstallKB65229$\2571265935\U 0 bytes
    File C:\Windows\$NtUninstallKB65229$\3525520853 0 bytes

    ---- EOF - GMER 1.0.15 ----
     
  3. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    dds

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by SEGURA at 12:36:11 on 2012-02-04
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    BHO: RebateRobot BHO: {fa3fedf6-1a34-4076-9f25-a26a2de6a401} - c:\program files\rebaterobot\RebateRobot.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S28CC.tmp" /EF "HKCU"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [Skytel] Skytel.exe
    mRun: [T-Mobile webConnect Manager] "c:\program files\t-mobile\webconnect manager\TMobileCM.exe" -a
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
    mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    Trusted Zone: intuit.com\community
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mktg.webex.com/client/T26L/webex/ieatgpc1.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{A3EB1582-E3FC-46E7-B3FE-56D369801665} : NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{DAF6BA8E-8071-48B4-82AF-7E5BF8F22606} : NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{DAF6BA8E-8071-48B4-82AF-7E5BF8F22606} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{E53C32FA-66C4-49E6-AF2D-5C68493AA9CE} : DhcpNameServer = 10.177.0.34 10.166.208.148
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? CATmobile;T-Mobile Con App Svc
    R? ewusbnet;HUAWEI USB-NDIS miniport
    R? ExpressInvoiceService;Express Invoice
    R? fssfltr;fssfltr
    R? fsssvc;Windows Live Family Safety Service
    R? gupdate;Google Update Service (gupdate)
    R? gupdatem;Google Update Service (gupdatem)
    R? hwusbdev;Huawei DataCard USB PNP Device
    R? tmobile_mf691_cdc_acm;T-Mobile MF691 CDC-ACM driver
    R? tmobile_mf691_cdc_ecm;tmobile_mf691_cdc_ecm
    R? tmobile_mf691_cpo;T-Mobile webConnect CPO device
    R? TMobileRcAppSvc;T-Mobile RcApp Svc
    S? aswFsBlk;aswFsBlk
    S? aswMonFlt;aswMonFlt
    S? aswSnx;aswSnx
    S? aswSP;aswSP
    S? avast! Antivirus;avast! Antivirus
    S? CLPSLS;COMODO livePCsupport Service
    S? cmdGuard;COMODO Internet Security Sandbox Driver
    S? cmdHlp;COMODO Internet Security Helper Driver
    S? ConfigFree Service;ConfigFree Service
    S? FwLnk;FwLnk Driver
    S? tmobile_mf691_dc_enum;T-Mobile MF691 DC Enumerator
    S? TOSHIBA SMART Log Service;TOSHIBA SMART Log Service
    S? uwdiqpow;uwdiqpow
    .
    =============== Created Last 30 ================
    .
    2012-02-04 18:22:11 -------- d-----w- c:\users\segura\appdata\local\Comodo
    2012-02-04 07:36:21 -------- d-----w- c:\programdata\CPA_VA
    2012-02-04 07:29:26 -------- d-----w- c:\programdata\Comodo
    2012-02-04 07:29:01 -------- d-----w- c:\program files\Comodo
    2012-02-04 06:09:13 -------- d-----w- c:\users\segura\appdata\roaming\Malwarebytes
    2012-02-04 06:08:44 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-04 06:08:42 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-04 06:08:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-04 05:56:59 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-02-04 05:56:58 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-02-04 05:56:23 41184 ----a-w- c:\windows\avastSS.scr
    2012-02-04 05:55:31 -------- d-----w- c:\programdata\AVAST Software
    2012-02-04 05:55:31 -------- d-----w- c:\program files\AVAST Software
    2012-02-04 03:38:06 -------- d--h--w- c:\users\segura\appdata\local\CrashDumps
    2012-02-04 03:01:03 -------- d--h--w- c:\users\segura\appdata\roaming\Systweak
    2012-02-04 03:00:58 -------- d--h--w- C:\skin
    2012-02-04 03:00:58 -------- d--h--w- C:\defaults
    2012-02-04 03:00:58 -------- d--h--w- C:\content
    2012-02-04 03:00:57 811 ----a-w- C:\compile.bat
    2012-02-04 03:00:57 -------- d-----w- c:\program files\RebateRobot
    2012-02-04 03:00:54 17280 ----a-w- c:\windows\system32\roboot.exe
    2012-02-04 03:00:51 -------- d-----w- c:\program files\RegClean Pro
    2012-02-03 04:55:41 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-02-03 04:09:45 709154 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-02-03 03:53:01 337032 ---ha-w- c:\programdata\RdsZxl2zOqKEJQ.exe
    2012-01-18 03:00:32 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    .
    ==================== Find3M ====================
    .
    2011-12-20 00:59:06 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-12-20 00:59:04 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-12-20 00:58:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2011-12-20 00:58:56 301224 ----a-w- c:\windows\system32\guard32.dll
    2011-12-03 19:41:57 116224 ---ha-w- c:\programdata\SqWs1pyv.exe_
    .
    ============= FINISH: 12:44:02.66 ===============
     
  4. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    Attach

    .
    ==== Installed Programs ======================
    .
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Acrobat Reader 3.0
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.4
    Adobe Shockwave Player
    Apple Software Update
    ArcSoft PhotoImpression 6
    ArcSoft Print Creations
    ATT-HSI
    avast! Free Antivirus
    Bluetooth Stack for Windows by Toshiba
    Camera Assistant Software for Toshiba
    CD/DVD Drive Acoustic Silencer
    Comodo Dragon
    COMODO GeekBuddy
    COMODO Internet Security
    Compatibility Pack for the 2007 Office system
    CyberLink PowerCinema for TOSHIBA
    DVD MovieFactory for TOSHIBA
    EPSON CX8400 User's Guide
    EPSON Printer Software
    EPSON Scan
    EPSON Stylus CX8400 Series Scanner Driver Update
    EPSON Web-To-Page
    Excel Invoice Manager 2.21.1024
    Express Invoice
    GearDrvs
    Google Update Helper
    HVAC Personnel Assessment
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless Software
    Intel® Matrix Storage Manager
    Java(TM) 6 Update 3
    Junk Mail filter update
    LimeWire 5.5.14
    Malwarebytes Anti-Malware version 1.60.1.1000
    mCorev32.ism_new
    mCPlug
    Memeo AutoBackup
    mHelp
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft XML Parser
    mMHouse
    Move Networks Media Player for Internet Explorer
    mPfMgr
    MSVCRT
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 Parser and SDK
    Music Oasis
    Norton Internet Security
    QuickBooks
    QuickBooks Pro 2009
    QuickTime
    Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
    Realtek High Definition Audio Driver
    RebateRobot for Online Shopping version 1.0.1
    RegClean Pro
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
    Security Update for Windows Media Encoder (KB954156)
    Skype™ 4.1
    Spelling Dictionaries Support For Adobe Reader 8
    SupportSoft Assisted Service
    Synaptics Pointing Device Driver
    T-Mobile webConnect Manager
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    Unity Web Player
    WebEx
    WildTangent Games
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Encoder 9 Series
    Yahoo! Install Manager
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== End Of File ===========================
     
  5. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  6. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    aswMBR

    Thank you for your response and help. OK I have finally hit a roadblock. When I click the link to dl aswMBR it does ask me to run so I do. Then User Account Control box pops up asking if I will allow it. I do. Then the dialog box pops up showing it downloading. Once it completes, the box disappears then nothing happens. I did find the file and when I click it to open it, nothing happens. I tested your link on my other laptop and it downloaded and popped up the black screen with data and buttons for scan and fix mbr and stuff so your link works but for some reason this computer won't open it.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Go ahead with Bootkit Remover.
     
  8. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    bootkit

    Grrrr I don't know why it's being difficult now.
    Ok when I click on the link it takes me straight to Smartest Computing, the Downloads tab, but there is nothing available to DL. It is just white screen. I've retried this several times and at times the bottom left corner will tell me "Done" or "errors on page".
    Once again I clicked the link on my working laptop and it shows your file to Download, so something is just not letting me see it on this one.
     
  9. Broni

    Broni Malware Annihilator Posts: 52,892   +344

  10. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    Bootkit Remover

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  11. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  12. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    32 bit

    ListParts by Farbar
    Ran by SEGURA on 05-02-2012 at 21:01:51
    Windows Vista (X86)
    Running From: C:\Users\SEGURA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B56095XT
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 48%
    Total physical RAM: 3061.21 MB
    Available physical RAM: 1589.08 MB
    Total Pagefile: 6324.7 MB
    Available Pagefile: 4602.93 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1960.65 MB

    ======================= Partitions =========================

    1 Drive c: (SQ004710V01) (Fixed) (Total:231.42 GB) (Free:171.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 1500 MB 1024 KB
    Partition 2 Primary 231 GB 1501 MB
    Partition 3 Primary 1016 KB 233 GB

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C SQ004710V01 NTFS Partition 231 GB Healthy System (partition with boot components)

    Disk: 0
    Partition 3
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.



    ****** End Of Log ******
     
  13. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    You're infected with TDL rootkit.

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Press Tool at the top
    • Choose Open Terminal
    • Type parted /dev/sda set 2 boot on
    • Press Enter
    • Type parted /dev/sda rm 3
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
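The ListParts output in the reply above and the two parted steps here follow from one observation: partition 3 is tiny (1016 KB), hidden, of a type ListParts itself flags as suspicious, and marked active, while the real Windows partition (the one with the boot components) is not active. That is how this kind of bootkit gets its own code run before Windows. As an added example, not from the thread, Farbar or any tool named here, this Python parses the partition section of that log, reports why a partition looks like a bootkit's private boot partition, and derives the two parted commands used in this post from the parsed layout. The sample text is an excerpt of the log above; the /dev/sda device name is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
UNIT = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample: the partition section of the ListParts log above, minus table headers.
SAMPLE_LISTPARTS = """\
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 231 GB 1501 MB
Partition 3 Primary 1016 KB 233 GB
Partition 1
Type : 27
Hidden: Yes
Active: No
There is no volume associated with this partition.
Partition 2
Type : 07
Hidden: No
Active: No
* Volume 1 C SQ004710V01 NTFS Partition 231 GB Healthy System (partition with boot components)
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
There is no volume associated with this partition.
"""

@dataclass
class Partition:
    number: int
    size_bytes: int
    offset_bytes: int
    type_id: Optional[str] = None   # MBR type byte as printed, e.g. "07"
    suspicious_type: bool = False   # ListParts' own "(Suspicious Type)" remark
    hidden: bool = False
    active: bool = False            # active = the MBR boot code hands control to it
    has_volume: bool = False
    is_system: bool = False         # volume holds the Windows boot components

ROW_RE = re.compile(r"^Partition (\d+) \S+ ([\d.]+) (KB|MB|GB) ([\d.]+) (KB|MB|GB)$")
BLOCK_RE = re.compile(r"^Partition (\d+)$")
TYPE_RE = re.compile(r"^Type : ([0-9A-Fa-f]{2})(.*)$")
VOLUME_RE = re.compile(r"^\*? ?Volume \d+ ")

def parse_listparts(text: str) -> List[Partition]:
    parts: Dict[int, Partition] = {}
    current: Optional[Partition] = None
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)                # table row: number, kind, size, offset
        if row:
            parts[int(row.group(1))] = Partition(int(row.group(1)),
                                                 int(float(row.group(2)) * UNIT[row.group(3)]),
                                                 int(float(row.group(4)) * UNIT[row.group(5)]))
            continue
        block = BLOCK_RE.match(line)            # start of a per-partition detail block
        if block:
            current = parts.get(int(block.group(1)))
            continue
        if current is None:
            continue
        typ = TYPE_RE.match(line)
        if typ:
            current.type_id = typ.group(1).upper()
            current.suspicious_type = "Suspicious" in typ.group(2)
        elif line.startswith("Hidden:"):
            current.hidden = line.endswith("Yes")
        elif line.startswith("Active:"):
            current.active = line.endswith("Yes")
        elif VOLUME_RE.match(line):
            current.has_volume = True
            current.is_system = "boot components" in line
    return [parts[k] for k in sorted(parts)]

def bootkit_indicators(parts: List[Partition], small_limit: int = 16 * UNIT["MB"]) -> Dict[int, List[str]]:
    """Per partition number, why it resembles a bootkit's private boot partition:
    an active partition that is hidden or has no mountable volume; size and type add weight."""
    report: Dict[int, List[str]] = {}
    for p in parts:
        if not p.active or (p.has_volume and not p.hidden):
            continue
        reasons = ["active but hidden"] if p.hidden else []
        if not p.has_volume:
            reasons.append("active but no file-system volume")
        if p.size_bytes <= small_limit:
            reasons.append(f"tiny: {p.size_bytes // 1024} KB")
        if p.suspicious_type:
            reasons.append(f"type 0x{p.type_id} marked suspicious by ListParts")
        report[p.number] = reasons
    return report

def remediation_plan(parts: List[Partition], device: str = "/dev/sda") -> List[str]:
    """The two parted steps from the thread, derived from the layout: boot flag on the
    Windows system partition, then delete the rogue one. Device name is an assumption."""
    suspects, system = bootkit_indicators(parts), [p for p in parts if p.is_system]
    if len(suspects) != 1 or len(system) != 1:
        raise ValueError("not the single-suspect layout; inspect by hand")
    plan = [] if system[0].active else [f"parted {device} set {system[0].number} boot on"]
    plan.append(f"parted {device} rm {next(iter(suspects))}")
    return plan
```

The order of the two commands matters: the boot flag moves to the Windows partition first, so that if anything interrupts the procedure the disk is still bootable; `remediation_plan` refuses to emit anything when the layout is not the single-suspect case, since the wrong partition number in `rm` destroys data.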
     
  14. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    stuck

    Ok I was able to do steps up to burn the image but when you say "boot the bad computer from the cd", I just can't figure out what to do. The only tool(s) I'm coming across is on the top of the window and there isn't anything about opening terminal. Can you elaborate for me as to what's next? I'm sorry I don't know what you mean.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    What menu items do you have listed at the top?
     
  16. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    under "computer"

    file edit view tools help; Under tools- "map network drive, disconnect network drive, open sync center, folder options. DVD drive window-Security Catalog "Boot", File Folder "Boot" "OPT", a CFG file, and a BIN file. Every time one of those are clicked, the tool bar options don't change. Am I doing something wrong?
     
  17. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Something has changed there.
    What options do you have under "File"?
     
  18. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    file

    "Add a network location" and "close"
    That's under the DVD drive. If I click on an icon and go to file I get: Open, explore, share, scan OPT, scan with malwarebytes, burn to disk, send to, new, properties, and close.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    You're doing something wrong.
    Are you booted from GETxPUD CD?
     
  20. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    Booted?

    I'm sorry but I don't know what that means. How do I boot from the cd?
     
  21. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Put the CD in and restart computer.
    Watch the screen.
    At some point you should see a message:
    "Press any key to boot from CD".
    If this is Dell computer press F12 at Dell's logo and you'll see the option to boot from the CD.
     
  22. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    Yea I inserted the CD, Restarted, and watched the screen. Nothing. It said "shutting down", then went black for a second, then I saw a rectangle with little blocks with moving colors, screen changed again to a blue window with the Windows logo in the middle, then straight to the desktop background. Never saw a message :( When I do insert the CD it takes me to Windows Photo Gallery :/
     
  23. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    See if you can boot another working computer with it.
     
  24. Delseg

    Delseg TS Rookie Topic Starter Posts: 31

    Yes I was able to do it on my clean computer. After pressing restart and shutting down it went straight to the xpud screen and booted. It's in a Welcome to xPUD home screen now on my clean computer.
     
  25. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Let's try different way.

    WARNING!
    Proceed with extreme caution!
    Deleting wrong partition will result with your computer being unusable.
    If you have any doubts, ask.


    ===========================================================================================

    Download gparted-live-0.11.0-7.iso (119.8 MB)

    Burn it to a CD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    Boot off of the newly created Gparted CD.

    You should be here:
    [screenshot]
    Press Enter.

    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:
    [screenshot]

    Choose your language and press ENTER. English is default [33]:
    [screenshot]

    Once again, at this prompt, press ENTER:
    [screenshot]

    You will now be taken to the main GUI screen below:
    [screenshot]
    According to your logs, the partition that you want to delete is the small partition of 1016 KB.
    Click on it to highlight it.
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:
    [screenshot]

    Now you should be here:
    [screenshot]

    Is "boot" next to your OS drive?
    [screenshot]

    If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

    In the menu that pops up, place a checkmark in boot like the picture below:
    [screenshot]

    Now double-click the [screenshot] button.

    You should receive a small pop up like this:
    [screenshot]

    Choose reboot and then press OK.
     
