TechSpot

Google redirect, AV & IE damage

Solved
By tatterjack
Oct 13, 2011
  1. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    aswmbr has disappeared off the desktop and I cannot download it on the infected computer. I can reformat the USB stick each time I use it. What I was doing was deleting the files each time.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Install this on sick computer. It'll prevent anything from jumping off of that stick into your computer.
    You may install this on a good computer as well....

    Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    Windows Vista and Windows 7 users
    Flash Disinfector is not compatible with the above Windows versions.
    Please use Panda USB Vaccine or BitDefender's USB Immunizer.

    Format USB stick.

    Download aswMBR on good computer and move it to bad computer.
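The vaccine described above works because a directory and a file cannot share a name, so a directory called autorun.inf at the drive root stops the malware from dropping its own autorun.inf file there. The following Python is an added example, not part of the thread and not code from Flash Disinfector or Panda USB Vaccine: it parses an autorun.inf the way a defender would, to see what the stick would launch, and then applies the same vaccine to a drive root. The drive root, the sample autorun.inf contents and the quarantine file name are constructed for the demonstration, and the Windows-only hidden/system attributes are left out so the script runs on any platform.

```python
"""Added example (not from the thread, not Flash Disinfector or Panda USB Vaccine code):
inspect what a removable drive's autorun.inf would launch, then apply the same
vaccine the thread describes: a directory named autorun.inf at the drive root,
which malware cannot replace with a file of the same name.
All paths and file contents below are constructed for the demonstration.
"""
import configparser
import os
import re
import tempfile

# Targets a data stick's autorun.inf has no legitimate reason to launch:
# anything executable, or anything inside a (fake) recycle-bin folder.
SUSPICIOUS_TARGET = re.compile(
    r"recycler|recycled|\$recycle\.bin|\.(exe|scr|com|bat|cmd|vbs|pif)\b", re.I)
# Keys in [autorun] that cause a program to run.
LAUNCH_KEYS = ("open", "shellexecute")


def inspect_autorun(text: str) -> list[str]:
    """Return findings for the given autorun.inf contents (empty list = nothing suspicious)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        # Not parseable as INI at all, e.g. a single line of junk: a legitimate
        # autorun.inf is always a plain INI file, so treat this as hostile.
        return ["autorun.inf is not a valid INI file (junk or obfuscated content)"]
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return ["autorun.inf has no [autorun] section"]
    findings = []
    for key, value in parser[section].items():   # keys are lower-cased by configparser
        # 'open', 'shellexecute' and any shell\...\command verb launch something
        if key in LAUNCH_KEYS or key.startswith("shell"):
            if SUSPICIOUS_TARGET.search(value):
                findings.append(f"{key}={value} launches a program from the stick")
    return findings


def vaccinate(drive_root: str) -> bool:
    """Create a directory named autorun.inf at drive_root (the Flash Disinfector vaccine).
    An existing autorun.inf *file* is moved aside for analysis rather than silently deleted.
    Returns True when the vaccine directory is in place.
    """
    target = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(target):
        os.replace(target, os.path.join(drive_root, "autorun.inf.quarantined"))  # constructed name
    os.makedirs(target, exist_ok=True)
    return os.path.isdir(target)


def vaccine_holds(drive_root: str) -> bool:
    """Simulate malware trying to write its autorun.inf; True means the write was blocked."""
    try:
        with open(os.path.join(drive_root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=RECYCLER\\dropper.exe\n")   # constructed payload line
        return False   # the write succeeded, so the vaccine is missing
    except OSError:    # IsADirectoryError on POSIX, PermissionError on Windows
        return True


def demo() -> tuple[bool, bool]:
    """Constructed scenario: a stick carrying a malicious autorun.inf gets vaccinated."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=RECYCLER\\setup.exe\n")   # constructed sample
        return vaccinate(root), vaccine_holds(root)


if __name__ == "__main__":
    print(inspect_autorun("[autorun]\nopen=RECYCLER\\setup.exe\nicon=setup.exe,0\n"))
    print("vaccinated, write blocked:", demo())
```

The one-line autorun.inf with "rmn" as its first characters that the thread mentions is exactly the case the first branch of inspect_autorun catches: a file that is not a valid INI at all cannot be a legitimate autorun.inf. On a real Windows stick, the vaccine directory should additionally be given the hidden and system attributes, as Flash Disinfector does.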
     
  3. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Flash Disinfector

    Couldn't download this on infected computer so formatted usb stick and then transferred it. It appeared to run OK but the autorun.inf file still contains only the one line with "rmn" as first three characters. The Recycler folder full of copies of the virus still gets placed there.

    Thinking back everything seemed to be going well until I started Adobe reader.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    OK. Give me fresh aswMBR log.
     
  5. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    aswMBR Log

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-21 01:11:25
    -----------------------------
    01:11:25.937 OS Version: Windows 5.1.2600 Service Pack 3
    01:11:25.937 Number of processors: 2 586 0x407
    01:11:25.937 ComputerName: UNIVERSI-2DDE3C UserName: Russell Dobash
    01:11:26.484 Initialize success
    01:11:36.687 AVAST engine download error: 0
    01:12:24.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    01:12:24.109 Disk 0 Vendor: ST3160812AS 3.ADH Size: 152587MB BusType: 3
    01:12:26.156 Disk 0 MBR read successfully
    01:12:26.171 Disk 0 MBR scan
    01:12:26.187 Disk 0 Windows XP default MBR code
    01:12:26.203 Disk 0 scanning sectors +312480315
    01:12:26.296 Disk 0 scanning C:\WINDOWS\system32\drivers
    01:12:38.250 Service scanning
    01:12:39.484 Modules scanning
    01:12:59.703 Disk 0 trace - called modules:
    01:12:59.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    01:12:59.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a625ab8]
    01:12:59.812 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a651b00]
    01:12:59.828 Scan finished successfully
    01:13:29.015 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
    01:13:29.156 The log file has been saved successfully to "F:\aswMBR.txt"
     
  6. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Looks good.
    Delete your Combofix file, download fresh one and post new log.
     
  7. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    New ComboFix log

    ComboFix 11-10-20.05 - Russell Dobash 10/21/2011 1:25.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1527 [GMT 1:00]
    Running from: c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LocalService\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\LocalService\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\LocalService\Local Settings\Application Data\mnldimku.log
    c:\documents and settings\LocalService\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\LocalService\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\LocalService\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\LocalService\Local Settings\Application Data\ydmeccsi.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\mnldimku.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\ydmeccsi.log
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-21 00:35 . 2011-10-21 00:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    2011-10-20 22:31 . 2011-10-21 00:30 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    2011-09-26 10:41 . 2011-09-26 10:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-10-20_02.23.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 12:00 . 2011-09-26 10:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
    + 2011-10-21 00:35 . 2011-10-21 00:35 114035 c:\windows\Temp\drggmmefohcljxih.exe
    - 2011-10-20 02:22 . 2011-10-20 02:22 114035 c:\windows\Temp\drggmmefohcljxih.exe
    + 2004-08-04 12:00 . 2011-09-26 10:41 220160 c:\windows\system32\dllcache\oleacc.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "LmlLhkfv"="c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe" [BU]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-LmlLhkfv - c:\documents and settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-21 01:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3472)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-21 01:43:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-21 00:43
    ComboFix2.txt 2011-10-20 22:25
    ComboFix3.txt 2011-10-20 22:01
    ComboFix4.txt 2011-10-20 21:41
    ComboFix5.txt 2011-10-21 00:22
    .
    Pre-Run: 132,148,740,096 bytes free
    Post-Run: 132,149,911,552 bytes free
    .
    - - End Of File - - E512EC81A78539440D010943FAFF51C0
     
  8. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Temp\drggmmefohcljxih.exe
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    
    
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi
    
    
    Driver::
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "LmlLhkfv"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
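The ComboFix log in the previous reply and the CFScript above are two halves of one workflow: read the "Reg Loading Points" block, spot autostart entries that do not belong, and write a Registry:: fix that removes them and restores the Userinit default. The following Python is an added example, not ComboFix's own code and not part of the thread: it parses the log lines quoted above, flags entries by three heuristics of its own (a non-default Userinit value, a [BU] tag where other entries carry a file date and size, and an eight-letter random-looking .exe under Local Settings\Application Data), and emits the Registry:: section in the CFScript syntax the thread uses. The log excerpt is copied from the thread; the heuristics and the helper names are this example's.

```python
"""Added example (not ComboFix code and not from the thread): parse the
'Reg Loading Points' block of a ComboFix log, flag the autostart entries that
look like the hijack shown in the thread, and emit the Registry:: section of a
CFScript that undoes them.  The log excerpt is copied from the thread's own log;
the heuristics are this example's, not ComboFix's.
"""
import re

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"   # Windows XP default value

# Excerpt of the thread's ComboFix log (only the lines the rules look at).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LmlLhkfv"="c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(.*)\])?$')
# Heuristic (this example's): an .exe with an eight-letter random-looking name in an
# eight-letter folder under Local Settings\Application Data, as in the thread.
RANDOM_APPDATA_EXE = re.compile(
    r"\\local settings\\application data\\[a-z]{8}\\[a-z]{8}\.exe$", re.I)


def parse_loading_points(log: str) -> list[dict]:
    """Turn '[key]' headers and '"name"="data" [note]' lines into dicts."""
    entries, current_key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append({"key": current_key, "name": m.group(1),
                            "data": m.group(2), "note": m.group(3) or ""})
    return entries


def find_suspicious(entries: list[dict]) -> list[tuple[dict, list[str]]]:
    """Return (entry, reasons) pairs for entries that trip at least one heuristic."""
    findings = []
    for e in entries:
        reasons = []
        if e["key"].lower().endswith("\\winlogon") and e["name"].lower() == "userinit":
            if e["data"].lower() != DEFAULT_USERINIT:
                reasons.append("Userinit is not the default: an extra program runs at every logon")
        if e["note"] and not e["note"][0].isdigit():
            # ComboFix prints a file date and size in brackets; anything else is a tag.
            reasons.append(f"tagged [{e['note']}] instead of a file date and size")
        if RANDOM_APPDATA_EXE.search(e["data"]):
            reasons.append("random-looking executable under Local Settings\\Application Data")
        if reasons:
            findings.append((e, reasons))
    return findings


def build_cfscript(findings: list[tuple[dict, list[str]]]) -> str:
    """Emit the Registry:: section of a CFScript in the syntax the thread uses."""
    lines = ["Registry::"]
    for entry, _ in findings:
        lines.append(f"[{entry['key']}]")
        if entry["name"].lower() == "userinit":
            lines.append(f'"Userinit"="{DEFAULT_USERINIT}"')   # restore the default value
        else:
            lines.append(f'"{entry["name"]}"=-')               # "=-" deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_suspicious(parse_loading_points(SAMPLE_LOG))
    for entry, reasons in hits:
        print(f'{entry["name"]}: ' + "; ".join(reasons))
    print(build_cfscript(hits))
```

Run against the excerpt, the script flags the LmlLhkfv run entry and the modified Userinit value and leaves the McAfee entry alone; the Registry:: block it prints matches the one Broni wrote by hand above. A File:: and Folder:: section for the dropped executable and its directories still has to be added from the file paths in the log, which this example does not attempt.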
     
  9. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    We're back to:

    Windows cannot access the specified drive, path or file
     
  10. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Let's run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
     
  11. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


    ...

    No reparse points found.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Hmm....nothing wrong there.

    Try to run the fix from safe mode.
     
  13. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Safe mode still doesn't work
     
  14. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  15. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Got the Oops message on the infected machine on trying to open virustotal.com. Copied the files to the stick to try it via the other machine but site won't open on this one. Is the site down?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,078   +258

  17. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    All three got "Scan finished. 0 out of 20 scanners reported malware."
     
  18. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Let's reset your MBR one more time...

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    exit

    Reboot computer.

    Post fresh aswMBR log.
     
  19. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    aswMBR log after FIXMBR

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-21 03:48:20
    -----------------------------
    03:48:20.578 OS Version: Windows 5.1.2600 Service Pack 3
    03:48:20.578 Number of processors: 2 586 0x407
    03:48:20.578 ComputerName: UNIVERSI-2DDE3C UserName: Russell Dobash
    03:48:41.437 Initialize success
    03:48:59.156 AVAST engine download error: 0
    03:49:09.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    03:49:09.171 Disk 0 Vendor: ST3160812AS 3.ADH Size: 152587MB BusType: 3
    03:49:11.234 Disk 0 MBR read successfully
    03:49:11.250 Disk 0 MBR scan
    03:49:11.265 Disk 0 Windows XP default MBR code
    03:49:11.281 Disk 0 scanning sectors +312480315
    03:49:11.390 Disk 0 scanning C:\WINDOWS\system32\drivers
    03:49:29.718 Service scanning
    03:49:30.765 Modules scanning
    03:49:35.593 Disk 0 trace - called modules:
    03:49:35.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
    03:49:35.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5e2ab8]
    03:49:35.703 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a5aab00]
    03:49:35.718 Scan finished successfully
    03:53:43.203 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
    03:53:43.328 The log file has been saved successfully to "F:\aswMBR.txt"
     
  20. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Delete your Combofix file, download fresh one and see if you can run the fix from my reply #108.
     
  21. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Cannot delete combofix.exe from desktop, access denied.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    DeleteFile: 
    "c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe"
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
     
  23. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Broni, I'm really sorry but it is getting late for me. I'm enormously grateful for all your work but there has to come a point where I call it a day and go for a clean install. I don't want to on this machine because there are programs I need for which I don't have the setups and which will be difficult to replace. If you think we are almost there let's carry on for the next hour. Otherwise let me have a think about it overnight. I'm away for the weekend anyway so couldn't resume the task till Monday.
     
  24. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Blitzblank log

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    MoveFileOnReboot: sourceFile = "\??\c:\documents and settings\russell dobash\desktop\combofix.exe", destinationFile = "(null)", replaceWithDummy = 0
     
  25. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Reinstallation may be the best option at this point.
    It looks like one of those rare cases, where the issue may be beyond repair.
    Let me know...
     

