TechSpot

Redirect virus and IE running in background, please help

Inactive
By Solrock
Nov 13, 2011
  1. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Post new aswMBR and Bootkit Remover logs.
     
  2. Solrock

    Solrock TS Rookie Topic Starter Posts: 55

    aswMBR log:

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-21 17:26:05
    -----------------------------
    17:26:05.573 OS Version: Windows x64 6.1.7600
    17:26:05.573 Number of processors: 8 586 0x1A05
    17:26:05.573 ComputerName: X UserName:
    17:26:07.351 Initialize success
    17:26:07.445 AVAST engine defs: 11112101
    17:26:50.002 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\mv91xx1Port4Path0Target0Lun0
    17:26:50.002 Disk 0 Vendor: WDC_WD64 05.0 Size: 610480MB BusType: 11
    17:26:50.002 Device \Driver\mv91xx -> DriverStartIo SCSIPORT.SYS fffff88000db2bc0
    17:26:50.002 Device \Driver\mv91xx -> MajorFunction fffffa8007a6b2c0
    17:26:52.030 Disk 0 MBR read successfully
    17:26:52.030 Disk 0 MBR scan
    17:26:52.045 Disk 0 Windows 7 default MBR code
    17:26:52.045 Service scanning
    17:26:53.777 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
    17:26:53.808 Service NTACCESS D:\NTACCESS_64.sys **LOCKED** 21
    17:26:53.855 Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21
    17:26:53.870 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    17:26:54.432 Modules scanning
    17:26:54.432 Disk 0 trace - called modules:
    17:26:54.448 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80085e2334]<<
    17:26:54.448 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80085d0060]
    17:26:54.463 3 CLASSPNP.SYS[fffff88001b7343f] -> nt!IofCallDriver -> \Device\Scsi\mv91xx1Port4Path0Target0Lun0[0xfffffa8007bc5050]
    17:26:54.463 \Driver\mv91xx[0xfffffa8007b86660] -> IRP_MJ_CREATE -> 0xfffffa8007a6b2c0
    17:26:56.850 AVAST engine scan C:\Windows
    17:27:02.076 AVAST engine scan C:\Windows\system32
    17:27:47.690 AVAST engine scan C:\Windows\system32\drivers
    17:27:56.270 AVAST engine scan C:\Users\Logan
    17:31:47.478 AVAST engine scan C:\ProgramData
    17:35:04.351 Scan finished successfully
    17:36:30.510 Disk 0 MBR has been saved successfully to "C:\Users\Logan\Desktop\MBR.dat"
    17:36:30.510 The log file has been saved successfully to "C:\Users\Logan\Desktop\aswMBR.txt"


    Bootkit log:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition (build 7600), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    596 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
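A check on what the two logs above report, as an added example (not code from the thread, from aswMBR or from Bootkit Remover): parse a 512-byte MBR image such as the MBR.dat that aswMBR saved, verify the 0x55AA signature, hash the sector the way Bootkit Remover prints a "Boot sector MD5", and list the partition table so the byte offset Bootkit Remover gave for C: (0x06500000) can be checked against the partition entries. The image is constructed inside the script with a layout that matches the log (a 100 MB active partition followed by a second partition starting at that offset); the poster's real MBR.dat is not reproduced here.

```python
"""Parse, hash and sanity-check a raw MBR sector.

Added example for this thread; not code from aswMBR or Bootkit Remover.
The sample image is constructed below, not the poster's MBR.dat.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PTABLE_OFFSET = 446          # four 16-byte entries, ending at byte 510


def parse_mbr(image: bytes) -> dict:
    """Return MD5 of the sector, MD5 of the code area and the partition entries."""
    if len(image) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(image)}")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    partitions = []
    for i in range(4):
        entry = image[PTABLE_OFFSET + 16 * i: PTABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
        })
    return {
        "md5": hashlib.md5(image).hexdigest(),             # whole sector, as Bootkit Remover prints it
        "code_md5": hashlib.md5(image[:440]).hexdigest(),  # boot code only; excludes disk signature and table
        "partitions": partitions,
    }


def partition_at(parsed: dict, byte_offset: int):
    """The partition entry that starts at byte_offset on the disk, or None."""
    for p in parsed["partitions"]:
        if p["byte_offset"] == byte_offset:
            return p
    return None


def build_sample_mbr() -> bytes:
    """Constructed 512-byte image mirroring the layout the log implies."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # a few stand-in bytes, not real boot code
    image = bytearray(code.ljust(PTABLE_OFFSET, b"\x00"))
    entries = [
        (0x80, 0x07, 2048,   204800),       # active 100 MB NTFS partition (System Reserved)
        (0x00, 0x07, 206848, 1250056192),   # C: at sector 206848 = byte 0x06500000
    ]
    for status, ptype, lba, count in entries:
        image += struct.pack("<B3sB3sII", status, b"\xfe\xff\xff",
                             ptype, b"\xfe\xff\xff", lba, count)
    image += b"\x00" * 16 * 2             # two unused slots
    image += BOOT_SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("MBR MD5:", info["md5"])
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"  #{p['index']} {flag} type=0x{p['type']:02x} "
              f"start=0x{p['byte_offset']:x} size={p['sectors'] * SECTOR // 2**20} MB")
    hit = partition_at(info, 0x06500000)
    print("offset 0x06500000 is partition", hit["index"] if hit else "not found")
```

To run it on a real dump, replace `build_sample_mbr()` with `open("MBR.dat", "rb").read()`; the `md5` value should then equal the "Boot sector MD5" Bootkit Remover printed, and `partition_at(info, 0x06500000)` should return the entry for C:. A partition table that does not account for the offset the OS reports for its own system volume, or a code area whose hash changes between scans with no Windows update in between, is the kind of discrepancy a bootkit leaves behind.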
  3. Broni

    What is drive "D"?
     
  4. Solrock

    Drive "D" is my physical DVD drive.
    Clicking on 'My Computer' I see C:, D: and E:. No idea what the "E" drive is; it says "BD-ROM Drive".
     
  5. Broni

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it is possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking you to purchase the full version. Simply close the window by clicking the X in the upper right corner.
     
  6. Solrock

    Everything that turned up is something I downloaded to help? Is this just a false positive, or is something wrong?

    dds.scr;C:\Documents and Settings\Logan\Desktop;Trojan.MulDrop3.6866;Incurable.Deleted.;
    dds.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
    dds____0.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
    dds____1.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
    dds____2.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
    OTL____0.exe;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.Siggen3.20406;Incurable.Moved.;
    dds.scr;C:\Users\Logan\Desktop;Trojan.MulDrop3.6866;Invalid path to file ;
     
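Two of the logs in this thread are worth reading with a script rather than by eye: the aswMBR "Service" lines (where the helper's question "What is drive D?" came from) and the Dr.Web CSV above. The following is an added example, not code from the thread or from either tool. It parses both formats from constructed copies of the posted lines, flags service images whose path is not on the system drive or not under System32, notes files aswMBR could not read because they were locked, and marks Dr.Web hits whose file name matches one of the diagnostic tools the helper had asked for (`KNOWN_DIAG_TOOLS` is this example's own assumption) as "verify the hash" rather than as clean.

```python
"""Triage the aswMBR 'Service' lines and the Dr.Web CSV posted in this thread.

Added example, not part of the thread or of either tool. The log excerpts below
are constructed copies of the posted lines; KNOWN_DIAG_TOOLS and SYSTEM_DRIVE are
this example's own assumptions.
"""
import csv
import io
import re

SYSTEM_DRIVE = "C:"
# Diagnostic utilities a malware-removal helper typically asks for. Dr.Web flagged
# files with these names; the script only marks them for hash verification, it
# does not decide they are clean.
KNOWN_DIAG_TOOLS = {"dds.scr", "otl.exe"}
# Dr.Web renames quarantined duplicates like OTL____0.exe; strip that suffix.
QUARANTINE_SUFFIX = re.compile(r"____\d+(?=\.[^.]+$)")

SERVICE_RE = re.compile(
    r"^\S+\s+Service\s+(?P<name>\S+)\s+(?P<path>.+?)"
    r"(?:\s+\*\*LOCKED\*\*\s+(?P<code>\d+))?\s*$"
)

ASWMBR_LINES = r"""
17:26:53.777 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
17:26:53.808 Service NTACCESS D:\NTACCESS_64.sys **LOCKED** 21
17:26:53.855 Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21
17:26:53.870 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
"""

DRWEB_CSV = r"""
dds.scr;C:\Documents and Settings\Logan\Desktop;Trojan.MulDrop3.6866;Incurable.Deleted.;
dds.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____0.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____1.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
dds____2.scr;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.MulDrop3.6866;Incurable.Moved.;
OTL____0.exe;C:\Documents and Settings\Logan\DoctorWeb\Quarantine;Trojan.Siggen3.20406;Incurable.Moved.;
dds.scr;C:\Users\Logan\Desktop;Trojan.MulDrop3.6866;Invalid path to file ;
"""


def parse_aswmbr_services(log: str) -> list:
    """Service name, image path and lock status from aswMBR 'Service' lines."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append({
                "name": m["name"],
                "path": m["path"],
                "locked": m["code"] is not None,
                "code": int(m["code"]) if m["code"] else None,
            })
    return services


def triage_services(services, system_drive: str = SYSTEM_DRIVE) -> list:
    """One finding per service whose image is somewhere a driver normally is not."""
    findings = []
    sys32 = system_drive.lower() + r"\windows\system32"
    for s in services:
        drive = s["path"][:2].upper()
        if drive != system_drive.upper():
            findings.append(f"{s['name']}: image on non-system drive {drive} ({s['path']}); "
                            "a service binary on removable or optical media needs explaining")
        elif not s["path"].lower().startswith(sys32):
            findings.append(f"{s['name']}: image outside System32 ({s['path']})")
        elif s["locked"]:
            findings.append(f"{s['name']}: file locked against reading (code {s['code']}); "
                            "identify the owning product before assuming malware")
    return findings


def parse_drweb(csv_text: str) -> list:
    """Rows of name;folder;verdict;action from a Dr.Web CureIt report."""
    rows = []
    for rec in csv.reader(io.StringIO(csv_text.strip()), delimiter=";"):
        if len(rec) < 4 or not rec[0]:
            continue
        name, folder, verdict, action = rec[:4]
        rows.append({"name": name, "folder": folder,
                     "verdict": verdict, "action": action.strip()})
    return rows


def triage_drweb(rows) -> list:
    out = []
    for r in rows:
        original = QUARANTINE_SUFFIX.sub("", r["name"]).lower()
        if original in KNOWN_DIAG_TOOLS:
            out.append(f"{r['name']} ({r['verdict']}): name matches requested diagnostic tool "
                       f"{original}; verify its hash against the publisher's download "
                       "before calling it a false positive")
        else:
            out.append(f"{r['name']} ({r['verdict']}): {r['action']} in {r['folder']}; "
                       "treat as a real detection until shown otherwise")
    return out


if __name__ == "__main__":
    for line in triage_services(parse_aswmbr_services(ASWMBR_LINES)):
        print("aswMBR:", line)
    for line in triage_drweb(parse_drweb(DRWEB_CSV)):
        print("Dr.Web:", line)
```

Two reading notes on the real logs: the three D: entries are leftover service registrations from installers run from a disc (the poster confirms D: is the DVD drive), which is why the files were "locked" (unreadable) with the same error code; and on Windows Vista and 7 `C:\Documents and Settings` is a junction to `C:\Users`, so the `dds.scr` listed under both spellings of the Desktop path is one file, which explains the "Invalid path to file" on the second entry after the first was deleted.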
  7. Broni

    Still same issues?
     
  8. Solrock

    Yep, no change.
     
  10. Broni

    At this point....

    I've run out of tools and ideas.
    No tool indicates anything being wrong.

    Possibly we're dealing here with some new type of infection.

    I have no other option but to suggest backing up your data and a clean reinstallation.

    I'm sorry :(
     
  11. Solrock

    It's all right, I was already thinking of that. What's the best way to go about reformatting? Is it safe to move files to my external hard drive without risking reinfection? It's mostly stuff for my convenience so I don't have to set up a ton of different stuff again.

    And if I can, after backing up the stuff I want to keep, I might try and see if GParted will work. The blog I linked is dated 11/14/11, so I feel like it's pretty likely that I may have this newest variant of the TDL4 bootkit and that's why none of the logs showed anything. I'm not experienced with any of this, but it's worth a shot, and if it works I can post back here and give you my results.
     
     
  12. Broni

    Windows 7 clean installation: http://pcsupport.about.com/od/operatingsystems/ss/windows-7-clean-install-part-1.htm

    Yes, you back up your data but.....
    After clean installation install this on your computer...
    Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

    *Please disable any AV / script blockers as they might detect Flash Disinfector as malicious and block it, hence the failure in executing. You can enable them again after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    Windows Vista and Windows 7 users
    Flash Disinfector is not compatible with the above Windows version.
    Please use Panda USB Vaccine, or BitDefender's USB Immunizer

    Now you can safely connect your external drive and scan it with your AV program.
     
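The trick the post above describes (a directory named `autorun.inf` in the root of each drive, so a worm cannot create a file of that name) is simple enough to reproduce and to check. The following is an added example, not code from Flash Disinfector, Panda USB Vaccine or BitDefender's USB Immunizer. It creates the blocking directory, refuses to overwrite an `autorun.inf` file that is already present (that file is evidence, and should be read first), and shows how to pull out what such a file would launch; the sample `autorun.inf` text is constructed here. One caveat the post also hints at: Windows 7 already ignores `autorun.inf` on USB flash drives, so the directory protects the drive when it is plugged into older hosts, and the more useful part on a current machine is reading an existing `autorun.inf` before scanning the external drive.

```python
"""Immunize a drive root against autorun.inf abuse, and inspect one that exists.

Added example; not code from Flash Disinfector, Panda USB Vaccine or BitDefender
USB Immunizer, though it applies the same idea those tools use: occupy the name
autorun.inf with a directory so no file of that name can be dropped there.
SAMPLE_AUTORUN_INF is constructed for this example.
"""
import configparser
import ctypes
import os
import sys
import tempfile

# FILE_ATTRIBUTE_* values used by SetFileAttributesW on Windows
READONLY, HIDDEN, SYSTEM = 0x01, 0x02, 0x04

SAMPLE_AUTORUN_INF = r"""
[autorun]
open=RECYCLER\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=RECYCLER\update.exe
action=Open folder to view files
"""


def immunize(root: str) -> str:
    """Create root\\autorun.inf as a directory; never clobber an existing file."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        return "refused: an autorun.inf file is present; inspect it before replacing"
    if os.path.isdir(target):
        return "already immunized"
    os.mkdir(target)
    if sys.platform == "win32":
        # hidden + system + read-only so casual cleanup does not remove it
        ctypes.windll.kernel32.SetFileAttributesW(target, READONLY | HIDDEN | SYSTEM)
    return "immunized"


def is_immunized(root: str) -> bool:
    return os.path.isdir(os.path.join(root, "autorun.inf"))


def launch_targets(autorun_text: str) -> dict:
    """Keys of an [autorun] section that run something: open, shellexecute, shell\\...\\command."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(autorun_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    found = {}
    for key, value in cp.items(section):          # keys are lower-cased by configparser
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            found[key] = value
    return found


def demo() -> dict:
    """Exercise the functions on throwaway directories (used by __main__)."""
    clean = tempfile.mkdtemp()
    infected = tempfile.mkdtemp()
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return {
        "before": is_immunized(clean),
        "first": immunize(clean),
        "second": immunize(clean),
        "after": is_immunized(clean),
        "infected": immunize(infected),
        "targets": launch_targets(SAMPLE_AUTORUN_INF),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real drive, call `immunize("E:\\")` (or whatever letter the external disk gets) from an administrator prompt; if it returns "refused", read the file with `launch_targets(open("E:\\autorun.inf").read())` and submit whatever it points at to the scanner before anything else.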
  13. Solrock

    What AV program would you recommend? I currently use Avast Free; is there something better but still free?
     
  14. Broni

    I use Avast as well :)
     
  15. Solrock

    The Windows 7 clean install you linked me to, just to be sure, is instructions to install a fresh version of Windows 7 on my hard drive and includes a step that will erase the old one and any malicious programs with it? So I don't have to do an actual reformat of my hard drive first, but I will have to back up anything I'll want to keep. Correct?
     
  16. Broni

    Clean installation must include hard drive formatting.
     
  17. Solrock

    OK, so I did a clean install of Windows 7 and everything went all right.

    But now that I'm trying to put stuff back on my computer I keep getting disconnected from the internet, and it tells me that I need to unplug and reset my modem. Do you know what could be causing this? I had no problems with my connection before the format.
     
  18. Broni

    Did you reset modem?
    You may also call your ISP to see if your settings are correct.
     
  19. Solrock

    I think I figured out what was disconnecting me. My wife's laptop and my computer were trying to share the same IP address, so I shut down her laptop and I think that fixed that problem. But now I'm trying to update WoW and it will go fine (~1.7-2.1 MB/s) for a little while, then it will drop to like 10 KB/s. I thought it might just be the WoW installer, but the same thing happens with my Steam games. Eventually it will just drop to 0, but if I deactivate Avast and restart the download it will pop back up to normal. I've tried looking for a firewall in Avast but I can't find one. Do you have any suggestions?


    Edit: never mind on that first part. I just had to unplug my modem to reset it again to reconnect to the internet. My network sharing thing on my computer said I couldn't connect to my DNS or something, while my router was saying I had set the wrong static/dynamic IP address. My router has a horrible setup program that doesn't explain anything, so I normally ignore it, and it didn't cause any problems until I redid everything.
     