
Recovery Console vs clean up on Vista

Discussion in 'Virus and Malware Removal' started by learninmypc, Feb 11, 2012.

  1. learninmypc TechSpot Guru Posts: 3,030   +100

    A friend in the building I live in asked me yesterday if I was online & I told him yes.
    Long story short, I found out he got hit with Whitesmoke & I told him I could get it cleaned up by coming in here for help.
    He then asked me about using the Recovery Console instead & I told him he'd lose everything & he knows that.
    To my knowledge, he only had the trial programs on his Vista PC.
    So, my question is, would it be faster for me to use the Recovery Console & then install MS updates, SUPERAntispyware, Mbam, Spybot S&D, Avast, CCleaner & probably SeaMonkey for a browser, WOT & other necessary addons?
    Or get help in here to clean it up?
    I believe it is Vista. Other than that, I know no more about it cept he can't get online, yet. TIA:)
  2. Broni Malware Annihilator Posts: 39,431   +177

    I assume you're talking about using recovery partition to reset the computer to its original state?
    That will work in most cases.
    However if the computer is infected with some kind of rootkit that won't work.
    To remove a rootkit he'd have to format his hard drive.
    Using recovery partition does NOT format hard drive.
  3. learninmypc TechSpot Guru Posts: 3,030   +100

    Ok, since I'm not too familiar with Vista, I'll tell him & see what he says.
    I don't feel like formatting a hard drive & reinstalling it.
    ALL I do know is I clicked on his Google Chrome Icon & saw a Whitesmoke URL & knew it was not good.
    Thank you Broni
  4. Broni Malware Annihilator Posts: 39,431   +177

    Sure thing :)
  5. learninmypc TechSpot Guru Posts: 3,030   +100

  6. Broni Malware Annihilator Posts: 39,431   +177

    Keep me posted....
     
  7. learninmypc TechSpot Guru Posts: 3,030   +100

    As previously stated, I used SAS portable & it found over 385 tracking cookies which were removed & I rebooted.
    Still unable to get online, I used a flash drive to hopefully remove ALL of Norton.
    Still unable to get online, I finally hooked it up to my DSL & am in here in Safe Mode With Networking & running aswMBR ver 0.9.9.1...Will post results in next post.
  8. learninmypc TechSpot Guru Posts: 3,030   +100

    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-11 13:17:33
    -----------------------------
    13:17:33.437 OS Version: Windows 6.0.6001 Service Pack 1
    13:17:33.437 Number of processors: 2 586 0x6B02
    13:17:33.438 ComputerName: HOMEPC UserName: earl
    13:17:33.981 Initialize success
    13:18:27.689 AVAST engine defs: 12021101
    13:19:04.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000004c
    13:19:04.378 Disk 0 Vendor: ST325031 3.AH Size: 238475MB BusType: 3
    13:19:04.385 Disk 0 MBR read successfully
    13:19:04.389 Disk 0 MBR scan
    13:19:04.396 Disk 0 unknown MBR code
    13:19:04.400 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 226949 MB offset 63
    13:19:04.434 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11523 MB offset 464792580
    13:19:04.468 Disk 0 scanning sectors +488392065
    13:19:04.533 Disk 0 scanning C:\Windows\system32\drivers
    13:19:11.444 Service scanning
    13:19:12.559 Modules scanning
    13:19:14.735 Disk 0 trace - called modules:
    13:19:14.754 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    13:19:14.760 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84fbc030]
    13:19:14.767 3 CLASSPNP.SYS[8072e745] -> nt!IofCallDriver -> [0x84a3d4f0]
    13:19:14.779 5 acpi.sys[8060b6a0] -> nt!IofCallDriver -> \Device\0000004c[0x84a41ab8]
    13:19:15.308 AVAST engine scan C:\Windows
    13:19:16.826 AVAST engine scan C:\Windows\system32
    13:21:34.679 AVAST engine scan C:\Windows\system32\drivers
    13:21:43.791 AVAST engine scan C:\Users\earl.homepc
    13:24:09.058 AVAST engine scan C:\ProgramData
    13:25:53.703 Scan finished successfully
    13:30:48.474 Disk 0 MBR has been saved successfully to "C:\Users\earl.homepc\Desktop\MBR.dat"
    13:30:48.497 The log file has been saved successfully to "C:\Users\earl.homepc\Desktop\aswMBR.txt"
  9. learninmypc TechSpot Guru Posts: 3,030   +100

    When I was doing the Bootkit remover, I got this warning
    [IMG]
    What do I do?

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6001), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 306a70bb88e51c06c67244ab8a2237bf

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
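    Both aswMBR ("unknown MBR code") and Bootkit Remover ("Unknown boot code", plus a boot sector MD5) are reporting on the same 512-byte sector, and aswMBR saved a copy of it as MBR.dat. The script below is an added example, not part of this thread or of either tool: it parses a master boot record, checks the 0x55AA signature and the partition table, and compares the boot-code region against a saved baseline so that a later change can be spotted. The sample sector is constructed to mirror the two NTFS partitions in the aswMBR log; its boot code is filler. That MBR.dat is the raw sector, and that Bootkit Remover's MD5 covers exactly these 512 bytes, are assumptions.

```python
import hashlib
import struct
from pathlib import Path


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not the disk from the thread). The partition
    table mirrors the aswMBR log: active 0x07 at LBA 63 (226949 MB) and a
    second 0x07 at LBA 464792580 (11523 MB). The boot code is filler."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 435      # 440 bytes
    disk_signature = struct.pack("<I", 0x1234ABCD)                           # constructed value
    reserved = b"\x00\x00"
    table = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 226949 * 2048)
    table += struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 464792580, 11523 * 2048)
    table += b"\x00" * 32                                                    # two empty slots
    return boot_code + disk_signature + reserved + table + b"\x55\xAA"


def load_mbr(path: str) -> bytes:
    """Read a saved dump such as aswMBR's MBR.dat (assumed to be the raw sector)."""
    data = Path(path).read_bytes()
    if len(data) < 512:
        raise ValueError(f"{path}: expected at least 512 bytes, got {len(data)}")
    return data[:512]


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, disk signature, partition table and
    boot signature. Entry layout: status, CHS start, type, CHS end, LBA start, sector count."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue                                                         # empty slot
        partitions.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count, "size_mb": count // 2048})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
        "boot_code_md5": hashlib.md5(mbr[:440]).hexdigest(),   # bootstrap code only
        "sector_md5": hashlib.md5(mbr).hexdigest(),            # whole sector
    }


def partition_sanity(parsed: dict) -> list:
    """Structural checks that do not need a baseline."""
    findings = []
    if sum(1 for p in parsed["partitions"] if p["bootable"]) > 1:
        findings.append("more than one active partition")
    ordered = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append(f"partition {prev['index']} overlaps partition {nxt['index']}")
    return findings


def check_mbr_against_baseline(mbr: bytes, baseline: bytes) -> list:
    """Compare a current sector with a known-good copy; an empty list means no change."""
    cur, base = parse_mbr(mbr), parse_mbr(baseline)
    findings = partition_sanity(cur)
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_md5"] != base["boot_code_md5"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("sector md5:", info["sector_md5"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: type {p['type']:02x} active={p['bootable']} "
              f"start={p['lba_start']} size={p['size_mb']} MB")
    print("findings vs. itself:", check_mbr_against_baseline(sample, sample))
```

To use it on a real dump, call `check_mbr_against_baseline(load_mbr("MBR.dat"), load_mbr("MBR-baseline.dat"))` with a copy saved while the machine was known to be clean; an unrecognised boot code that still matches the baseline is much less alarming than one that has changed since the baseline was taken.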
  10. Broni Malware Annihilator Posts: 39,431   +177

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 characters post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
  11. learninmypc TechSpot Guru Posts: 3,030   +100

    I will do so.
    I'm not in safe mode with networking now.
  12. Broni Malware Annihilator Posts: 39,431   +177

    Good :).......
  13. learninmypc TechSpot Guru Posts: 3,030   +100

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.11.06

    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 7.0.6001.18000
    earl :: HOMEPC [administrator]

    2/11/2012 2:42:22 PM
    mbam-log-2012-02-11 (14-42-22).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 177996
    Time elapsed: 4 minute(s), 13 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  14. learninmypc TechSpot Guru Posts: 3,030   +100

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6001.18000
    Run by earl at 15:25:05 on 2012-02-11
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80273&lng=en
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
    uSearch Page = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
    uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
    uSearchAssistant = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
    mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80273&lng=en
    mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80273
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.5.3\PriceGongIE.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AppGraffiti: {6f6a5334-78e9-4d9b-8182-8b41ea8c39ef} - c:\progra~1\appgra~1\APPGRA~1.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: : {ccb69577-088b-4004-9ed8-ff5bcc83a039} - c:\progra~1\rebate~1\RebateI.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
    BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
    uRun: [Google Update] "c:\users\earl.homepc\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [ChicaPasswordManager] c:\program files\chicalogic\chica password manager\stpass.exe
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [Linkury Chrome Smartbar] c:\users\earl.homepc\appdata\local\linkury\application\Linkury.exe startup
    uRun: [RebateInformer] c:\progra~1\rebate~1\REBATE~1.EXE /STARTUP
    uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1 184.16.33.54
    TCP: Interfaces\{B1C57204-5091-4C47-8EED-2FA742EAA100} : DhcpNameServer = 192.168.1.1 184.16.33.54
    Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
    Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\rebate~1\RebateI.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
    R? gupdate;Google Update Service (gupdate)
    R? gupdatem;Google Update Service (gupdatem)
    R? SASDIFSV;SASDIFSV
    R? SASKUTIL;SASKUTIL
    R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
    S? aswFsBlk;aswFsBlk
    S? aswMonFlt;aswMonFlt
    S? aswSnx;aswSnx
    S? aswSP;aswSP
    S? avast! Antivirus;avast! Antivirus
    .
    =============== Created Last 30 ================
    .
    2012-02-11 23:05:36 -------- d-----w- c:\users\earl.homepc\appdata\local\Mozilla
    2012-02-11 23:05:00 -------- d-----w- c:\program files\SeaMonkey
    2012-02-11 22:40:56 -------- d-----w- c:\users\earl.homepc\appdata\roaming\Malwarebytes
    2012-02-11 22:40:50 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-11 22:40:49 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 22:40:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-11 22:30:02 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-02-11 22:30:02 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-02-11 22:29:20 41184 ----a-w- c:\windows\avastSS.scr
    2012-02-11 22:29:02 -------- d-----w- c:\programdata\AVAST Software
    2012-02-11 22:29:02 -------- d-----w- c:\program files\AVAST Software
    2012-02-11 20:56:01 2730536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
    2012-02-11 20:55:54 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c4e7f698-a5a2-4ed5-854d-f8a35872170d}\mpengine.dll
    2012-02-11 20:55:53 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-11 19:40:26 -------- d-----w- c:\users\earl.homepc\appdata\roaming\SUPERAntiSpyware.com
    2012-02-11 19:40:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2012-01-27 20:13:14 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2012-01-27 20:11:36 -------- d-----w- c:\users\earl.homepc\appdata\local\Apple
    2012-01-25 23:32:31 -------- d-----w- c:\program files\AppGraffiti
    2012-01-25 23:32:23 -------- d-----w- c:\program files\RebateInformer
    2012-01-25 23:32:23 -------- d-----w- c:\program files\Inbox.com
    2012-01-25 23:30:33 -------- d-----w- c:\program files\Inbox Toolbar
    2012-01-23 17:58:35 -------- d-----w- c:\users\earl.homepc\appdata\roaming\RealNetworks
    2012-01-16 17:33:51 -------- d-----w- c:\users\earl.homepc\appdata\local\Real
    2012-01-16 17:33:30 -------- d-----w- c:\program files\common files\xing shared
    2012-01-13 18:19:54 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2012-01-13 18:19:53 17920 ----a-w- c:\windows\system32\netevent.dll
    2012-01-13 18:19:28 378368 ----a-w- c:\windows\system32\winhttp.dll
    .
    ==================== Find3M ====================
    .
    2012-01-16 17:33:11 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-01-16 17:33:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-01-09 20:46:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-03 18:02:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 15:26:49.04 ===============
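    The "Pseudo HJT Report" section above is where the Whitesmoke and Inbox hijack shows up: the start page, search page and search assistant all point at those domains, and there are orphaned "No File" entries and an unnamed BHO. The script below is an added example, not part of this thread or of DDS, that walks lines in that format and collects the entries a reviewer would want to look at: URL settings whose host is not on an expected list, "No File" orphans, BHOs with no name, and autoruns launched from under the user profile. The sample text is a constructed handful of lines in the shape of the report above, and the expected-host list is an assumption (the HP redirect page is the only one taken from the log). A finding is a lead for manual review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on a few lines of the DDS report above (not the
# full log). DDS prints URLs with a defanged hxxp:// scheme.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80273&lng=en
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
uSearch Page = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
uURLSearchHooks: H - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: : {ccb69577-088b-4004-9ed8-ff5bcc83a039} - c:\progra~1\rebate~1\RebateI.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Linkury Chrome Smartbar] c:\users\earl.homepc\appdata\local\linkury\application\Linkury.exe startup
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
"""

# Assumed allow-list: hosts the owner expects as home and search pages. Only the
# HP redirect page comes from the log; the search engines are placeholders.
EXPECTED_HOSTS = {"ie.redirect.hp.com", "www.google.com", "www.bing.com"}

URL_SETTING = re.compile(r"^(?P<key>[um][A-Za-z_ ]+?)\s*=\s*(?P<url>hxxps?://\S+)$")
UNNAMED_BHO = re.compile(r"^BHO:\s*:\s*\{(?P<clsid>[0-9A-Fa-f-]+)\}")
AUTORUN = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")


def url_host(defanged_url: str) -> str:
    """Return the lowercase hostname of a DDS-style hxxp:// URL."""
    real = re.sub(r"^hxxp", "http", defanged_url, flags=re.IGNORECASE)
    return (urlparse(real).hostname or "").lower()


def review_hjt_report(text: str, expected_hosts: set) -> list:
    """Collect review leads from a pseudo-HJT report, in line order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = URL_SETTING.match(line)
        if m:                                   # uStart Page, uSearch Page, mSearchAssistant, ...
            host = url_host(m.group("url"))
            if host not in expected_hosts:
                findings.append({"kind": "unexpected-url", "key": m.group("key"), "host": host})
            continue
        if line.endswith("- No File"):          # registry entry whose file is gone
            findings.append({"kind": "orphan", "line": line})
            continue
        m = UNNAMED_BHO.match(line)
        if m:                                   # BHO registered with an empty name
            findings.append({"kind": "unnamed-bho", "clsid": m.group("clsid").lower()})
            continue
        m = AUTORUN.match(line)
        if m and "\\appdata\\" in m.group("cmd").lower():   # autorun living in the user profile
            findings.append({"kind": "profile-autorun", "name": m.group("name")})
    return findings


if __name__ == "__main__":
    for f in review_hjt_report(SAMPLE_REPORT, EXPECTED_HOSTS):
        print(f)
```

Run against the full report, the profile-autorun rule will also surface legitimate per-user installers such as Google Update, which is why the output is framed as leads rather than detections; the value is that the hijacked search settings and the orphaned entries are listed together instead of being read out of a long log by eye.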
  15. learninmypc TechSpot Guru Posts: 3,030   +100

    .
    ==== Installed Programs ======================
    .
    ActiveCheck component for HP Active Support Library
    Adobe Flash Player 11 Plugin
    Adobe Flash Player ActiveX
    Amazon Kindle
    AppGraffiti
    Apple Software Update
    ASPCA Tri Reminder by We-Care.com v4.0.13.5
    avast! Free Antivirus
    Community Smartbar
    CyberLink DVD Suite Deluxe
    Google Chrome
    Google Earth
    Google Update Helper
    Hardware Diagnostic Tools
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Demo
    HP Recovery Manager RSS
    HP Total Care Advisor
    HP Total Care Setup
    HP Update
    HPAsset component for HP Active Support Library
    Inbox Toolbar
    InstallIQ Updater
    Java Auto Updater
    Java(TM) 6 Update 30
    Java(TM) 6 Update 7
    Juno Preloader
    LabelPrint
    LightScribe System Software 1.14.25.1
    LightScribe Template Labeler
    Malwarebytes Anti-Malware version 1.60.1.1000
    Media Player Classic - Home Cinema v1.5.2.3456
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Live Search Toolbar
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Music Oasis
    muvee Reveal
    My HP Games
    NetZero Preloader
    NVIDIA Drivers
    PictureMover
    Power2Go
    PowerDirector
    PriceGong 2.5.3
    Python 2.5.2
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    RebateInformer
    SeaMonkey (2.7.1)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Soft Data Fax Modem with SmartCP
    SPORE Creature Creator Trial Edition
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== End Of File ===========================
  16. Broni Malware Annihilator Posts: 39,431   +177

    ...and GMER....
  17. learninmypc TechSpot Guru Posts: 3,030   +100

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-11 16:25:58
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\0000004f ST325031 rev.3.AH
    Running: gmer.exe; Driver: C:\Users\EARL~1.HOM\AppData\Local\Temp\kfldipow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E5137A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
  18. Broni Malware Annihilator Posts: 39,431   +177

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open Notepad and press CTRL+V
    • Post the output back here.
  19. learninmypc TechSpot Guru Posts: 3,030   +100

    I've posted them already. Do I need to re do them?
  20. Broni Malware Annihilator Posts: 39,431   +177

    Oh, sorry about it :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!