Inactive Redirect virus and IE running in background, please help
- Thread starter Solrock
- Start date
aswMBR log:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-21 17:26:05
-----------------------------
17:26:05.573 OS Version: Windows x64 6.1.7600
17:26:05.573 Number of processors: 8 586 0x1A05
17:26:05.573 ComputerName: X UserName:
17:26:07.351 Initialize success
17:26:07.445 AVAST engine defs: 11112101
17:26:50.002 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\mv91xx1Port4Path0Target0Lun0
17:26:50.002 Disk 0 Vendor: WDC_WD64 05.0 Size: 610480MB BusType: 11
17:26:50.002 Device \Driver\mv91xx -> DriverStartIo SCSIPORT.SYS fffff88000db2bc0
17:26:50.002 Device \Driver\mv91xx -> MajorFunction fffffa8007a6b2c0
17:26:52.030 Disk 0 MBR read successfully
17:26:52.030 Disk 0 MBR scan
17:26:52.045 Disk 0 Windows 7 default MBR code
17:26:52.045 Service scanning
17:26:53.777 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
17:26:53.808 Service NTACCESS D:\NTACCESS_64.sys **LOCKED** 21
17:26:53.855 Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21
17:26:53.870 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
17:26:54.432 Modules scanning
17:26:54.432 Disk 0 trace - called modules:
17:26:54.448 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80085e2334]<<
17:26:54.448 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80085d0060]
17:26:54.463 3 CLASSPNP.SYS[fffff88001b7343f] -> nt!IofCallDriver -> \Device\Scsi\mv91xx1Port4Path0Target0Lun0[0xfffffa8007bc5050]
17:26:54.463 \Driver\mv91xx[0xfffffa8007b86660] -> IRP_MJ_CREATE -> 0xfffffa8007a6b2c0
17:26:56.850 AVAST engine scan C:\Windows
17:27:02.076 AVAST engine scan C:\Windows\system32
17:27:47.690 AVAST engine scan C:\Windows\system32\drivers
17:27:56.270 AVAST engine scan C:\Users\Logan
17:31:47.478 AVAST engine scan C:\ProgramData
17:35:04.351 Scan finished successfully
17:36:30.510 Disk 0 MBR has been saved successfully to "C:\Users\Logan\Desktop\MBR.dat"
17:36:30.510 The log file has been saved successfully to "C:\Users\Logan\Desktop\aswMBR.txt"
Bootkit log:
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com
Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition (build 7600), 64-bit
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff
Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Done;
Press any key to quit...
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-21 17:26:05
-----------------------------
17:26:05.573 OS Version: Windows x64 6.1.7600
17:26:05.573 Number of processors: 8 586 0x1A05
17:26:05.573 ComputerName: X UserName:
17:26:07.351 Initialize success
17:26:07.445 AVAST engine defs: 11112101
17:26:50.002 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\mv91xx1Port4Path0Target0Lun0
17:26:50.002 Disk 0 Vendor: WDC_WD64 05.0 Size: 610480MB BusType: 11
17:26:50.002 Device \Driver\mv91xx -> DriverStartIo SCSIPORT.SYS fffff88000db2bc0
17:26:50.002 Device \Driver\mv91xx -> MajorFunction fffffa8007a6b2c0
17:26:52.030 Disk 0 MBR read successfully
17:26:52.030 Disk 0 MBR scan
17:26:52.045 Disk 0 Windows 7 default MBR code
17:26:52.045 Service scanning
17:26:53.777 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
17:26:53.808 Service NTACCESS D:\NTACCESS_64.sys **LOCKED** 21
17:26:53.855 Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21
17:26:53.870 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
17:26:54.432 Modules scanning
17:26:54.432 Disk 0 trace - called modules:
17:26:54.448 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80085e2334]<<
17:26:54.448 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80085d0060]
17:26:54.463 3 CLASSPNP.SYS[fffff88001b7343f] -> nt!IofCallDriver -> \Device\Scsi\mv91xx1Port4Path0Target0Lun0[0xfffffa8007bc5050]
17:26:54.463 \Driver\mv91xx[0xfffffa8007b86660] -> IRP_MJ_CREATE -> 0xfffffa8007a6b2c0
17:26:56.850 AVAST engine scan C:\Windows
17:27:02.076 AVAST engine scan C:\Windows\system32
17:27:47.690 AVAST engine scan C:\Windows\system32\drivers
17:27:56.270 AVAST engine scan C:\Users\Logan
17:31:47.478 AVAST engine scan C:\ProgramData
17:35:04.351 Scan finished successfully
17:36:30.510 Disk 0 MBR has been saved successfully to "C:\Users\Logan\Desktop\MBR.dat"
17:36:30.510 The log file has been saved successfully to "C:\Users\Logan\Desktop\aswMBR.txt"
Bootkit log:
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com
Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition (build 7600), 64-bit
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff
Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Done;
Press any key to quit...
Broni
Posts: 56,041 +516
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html
NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html
- Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
- This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select Complete scan.
- Click the green arrow
at the right, and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- [color=5]Important![/color] Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.
NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
Everything that turned up is something i downloaded to help? is this just a false positive or is something wrong?
dds.scr;C:\Documents and Settings\Logan\Desktop;Trojan.MulDrop3.6866;Incurable.Deleted.;
dds.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____0.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____1.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____2.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
OTL____0.exe;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.Siggen3.20406;Incurable.Moved.;
dds.scr;C:\Users\Logan\Desktop;Trojan.MulDrop3.6866;Invalid path to file ;
dds.scr;C:\Documents and Settings\Logan\Desktop;Trojan.MulDrop3.6866;Incurable.Deleted.;
dds.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____0.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____1.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____2.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
OTL____0.exe;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.Siggen3.20406;Incurable.Moved.;
dds.scr;C:\Users\Logan\Desktop;Trojan.MulDrop3.6866;Invalid path to file ;
Its alright, i was already thinking of that. Whats the best way to go about reformatting? Is it safe to move files to my external hard drive with out risking reinfection? It's mostly stuff for my convenience so i dont have to set up a ton of different stuff again.
And if i can, after backing up the stuff i want to keep I might try and see if Gparted will work. The blog i linked is dated 11/14/11 so i feel like its pretty likely that I may have this newest variant of the TDL4 bootkit and thats why none of the logs showed anything. I'm not experienced with any of this but its worth a shot and if it works I can post back here and give you my results.
And if i can, after backing up the stuff i want to keep I might try and see if Gparted will work. The blog i linked is dated 11/14/11 so i feel like its pretty likely that I may have this newest variant of the TDL4 bootkit and thats why none of the logs showed anything. I'm not experienced with any of this but its worth a shot and if it works I can post back here and give you my results.
Broni
Posts: 56,041 +516
Windows t clean installation: http://pcsupport.about.com/od/operatingsystems/ss/windows-7-clean-install-part-1.htm
Yes you back up your data but.....
After clean installation install this on your computer...
Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)
*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*
Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows version.
Please, use Panda USB Vaccine, or BitDefender’s USB Immunizer
Now you can safely connect your external drive and scan it with your AV program.
Yes you back up your data but.....
After clean installation install this on your computer...
Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)
*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
- Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows version.
Please, use Panda USB Vaccine, or BitDefender’s USB Immunizer
Now you can safely connect your external drive and scan it with your AV program.
The Windows 7 clean install you linked me too, just to be sure, is instructions to install a fresh version of windows 7 on my hard drive and includes a step that will erase the old one and any malicious programs with it? So I don't have to do an actual reformat of my hard drive first but i will have to backup anything i'll want to keep. correct?
Ok so i did a clean install of windows 7 and everything went alright.
But now that i'm trying to put stuff back on my computer I keep getting disconnected from the internet and it tells me that i need to unplug and reset my modem. Do you know what could be causing this? Had no problems with my connection before the format.
But now that i'm trying to put stuff back on my computer I keep getting disconnected from the internet and it tells me that i need to unplug and reset my modem. Do you know what could be causing this? Had no problems with my connection before the format.
I think i figured out what was disconnecting me. my wifes laptop and my computer were trying to share the same ip address so i shut down her laptop and i think that fixed that problem. but now I'm trying to update WoW and it will go fine (~1.7-2.1MB/s) for a little while then it will drop to like 10KB/s. I thought it might just be the WoW installer but the same thing happens with my Steam games. eventually it will just drop to 0 but I deactivate Avast and restart the download and it will pop back up to normal. I've tried looking for a firewall in avast but i can't find one. do you have any suggestions?
Edit: nevermind on that first part. I just had to unplug my modem to reset it again to reconnect to the internet. My network sharing thing on my computer said I couldn't connect to my DNS or something while my router was saying i had set the wrong static/dynamic ip address. My router has a horrible set up program that doesnt explain anything so i normally ignore it and it didnt cause any problems until i redid everything
Edit: nevermind on that first part. I just had to unplug my modem to reset it again to reconnect to the internet. My network sharing thing on my computer said I couldn't connect to my DNS or something while my router was saying i had set the wrong static/dynamic ip address. My router has a horrible set up program that doesnt explain anything so i normally ignore it and it didnt cause any problems until i redid everything
