Solved System Check

I can't proceed because you didn't answer my question:
How is computer doing?

 
The computer is running at its fastest, I assume. No more pop-ups and I can enter IE now. But I think that was after the OTL thing. I'm not really accustomed to the way the computer works normally yet, so I assume it's running fine. CPU usage 1%, but 1.63 GB memory available of 6 GB, but I do have all these programs on here and did that dumb restore.
 
Good :)

What happened to McAfee?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
 
I deleted McAfee; couldn't get it to turn off long enough. I still have my third full version of Norton to use up.


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Ty
->Temp folder emptied: 85933 bytes
->Temporary Internet Files folder emptied: 36950987 bytes
->Java cache emptied: 5234 bytes
->FireFox cache emptied: 42359666 bytes
->Google Chrome cache emptied: 5050736 bytes
->Flash cache emptied: 14673 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 772272 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 1371 bytes

Total Files Cleaned = 81.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: Ty
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Ty
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01202012_170515

Files\Folders moved on Reboot...
C:\Users\Ty\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHL3R2MY\alzheimers;ct=news;pos=1;sz=300x250;KW=null;tile=2;ord=1327100697[1].htm not found!
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHL3R2MY\alzheimers;ct=news;pos=1;sz=728x90;KW=null;tile=1;ord=1327100697[1].htm not found!
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHL3R2MY\alzheimers;ct=news;pos=2;sz=300x250;KW=null;tile=3;ord=1327100697[1].htm not found!
C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHL3R2MY\partner[2].htm moved successfully.
C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHL3R2MY\socialLink[1].png moved successfully.
C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5EGGE263\hub.1326407570[1].htm moved successfully.
C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5EGGE263\plp_iehistory[1].htm moved successfully.
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\918[1].htm not found!
C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\activityi;src=2906542;type=level092;cat=level635;u3=brand%20shop_%20c9%20by%20champion_%20men;ord=1;num=1[1].htm moved successfully.
C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\ads[7].htm moved successfully.
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\dementia-treatment-by-2025-u-s-government-says_01-17-2012[1].htm not found!
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\iframe3[1].htm not found!
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\iframe3[2].htm not found!
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\iframe3[3].htm not found!
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\like[1].htm not found!
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\like[2].htm not found!
C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5886OXQ0\tweet_button.1326407570[2].htm moved successfully.
File\Folder C:\Users\Ty\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1WG3YPLH\N-5t1ks[1].htm not found!

Registry entries deleted on Reboot...
 
Install some AV program, McAfee or Norton, whichever you feel like.

Are you saying you're still getting redirected?
If so, which browser?
 
Did you reinstall some AV program?

Can you check if Firefox and Chrome are redirected as well?
 
I just put Avast back on. I just tried to download Firefox, and when it went to open it said it had caused an error and had to be closed. The same thing it was doing yesterday. So I clicked on Internet Explorer too and it too won't open now. Luckily I still had this window open. Here's the error details for Firefox:

Problem signature:
Problem Event Name: BEX
Application Name: firefox.exe
Application Version: 9.0.1.4371
Application Timestamp: 4ef15e74
Fault Module Name: StackHash_26c1
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 0068e1fd
Exception Code: c0000417
Exception Data: 00000000
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional Information 1: 26c1
Additional Information 2: 26c14b81d8a7b7196a22e6a3a0d14563
Additional Information 3: 2a71
Additional Information 4: 2a716e83199952efd0e4376fd34eafdc
 
Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR won't open either. Bootkit ran though.

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`b6600000

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
ListParts by Farbar
Ran by Ty on 21-01-2012 at 16:37:39
Windows 7 (X64)
Running From: D:\
************************************************************

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 6056.63 MB
Available physical RAM: 4747.7 MB
Total Pagefile: 12111.45 MB
Available Pagefile: 10707.67 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:916.66 GB) (Free:878.71 GB) NTFS
2 Drive d: (Jan 20 2012) (CDROM) (Total:0.69 GB) (Free:0.53 GB) UDF

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 916 GB 14 GB
Partition 4 Primary 1744 KB 931 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 RECOVERY NTFS Partition 14 GB Healthy System (partition with boot components)

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 916 GB Healthy Boot

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.



****** End Of Log ******
 
We have TDL rootkit there.

Download GETxPUD.exe to the desktop of your clean computer

  • Double click on GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Insert blank CD into your CD drive.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Boot bad computer from the CD
  • Press Tool at the top
  • Choose Open Terminal
  • Type parted /dev/sda set 2 boot on
  • Press Enter
  • Type parted /dev/sda rm 4
  • Press Enter
  • Remove xPUD CD, reboot, run aswMBR and post the log
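What the ListParts output above shows, as an added example that is not part of the thread and is not Farbar's, Esage Lab's or OldTimer's code: a Python parser for a raw 512-byte MBR partition table that flags an entry combining a hidden type (0x17) with the boot flag, a tiny size and placement after every other partition, which is the pattern the helper reads as a TDL rootkit. The sample MBRs are constructed here from the sizes and offsets in the log; the 16 MiB "tiny" threshold and the hidden-type set are my assumptions, and reading the real sector 0 (from a disk image, for instance) is left to the caller.

```python
"""Parse a raw 512-byte MBR partition table and flag an entry with the marks ListParts
reports for partition 4 above: hidden type 0x17, boot flag set, tiny, last on the disk.
Added example, not code from the thread or from Farbar's ListParts."""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
# Hidden variants of the DOS/Windows filesystem type IDs (the 0x10 bit set);
# 0x17 is hidden NTFS, which ListParts prints as "17 (Suspicious Type)".
# 0xDE (Dell utility) is a vendor partition and deliberately not in this set.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# Assumed threshold: anything under 16 MiB is too small to be a real OS or recovery volume.
TINY_SECTORS = 16 * 1024 * 1024 // SECTOR
GIB = 1024 ** 3 // SECTOR  # sectors per GiB, used only to build the samples below


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the four primary entries as dicts; an unused slot has type 0."""
    if len(mbr) != SECTOR or mbr[510:] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte MBR with the 0x55AA signature")
    entries = []
    for slot in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, 446 + 16 * slot)
        entries.append({"slot": slot + 1, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def find_suspicious(entries: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (slot, reasons) for entries that combine a hidden type with other oddities."""
    used = [e for e in entries if e["type"] != 0]
    visible_active = any(e["active"] and e["type"] not in HIDDEN_TYPES for e in used)
    findings = []
    for e in used:
        if e["type"] not in HIDDEN_TYPES:
            continue
        reasons = ["hidden partition type 0x%02X" % e["type"]]
        if e["active"]:
            reasons.append("boot flag set on a hidden partition")
            if not visible_active:
                reasons.append("no visible partition carries the boot flag")
        if e["sectors"] < TINY_SECTORS:
            reasons.append("tiny partition (%d KB)" % (e["sectors"] * SECTOR // 1024))
        others_end = max((o["lba_start"] + o["sectors"] for o in used if o is not e), default=0)
        if e["lba_start"] >= others_end:
            reasons.append("sits after every other partition, at the end of the disk")
        if len(reasons) >= 2:
            findings.append((e["slot"], reasons))
    return findings


def build_mbr(parts: list[tuple[bool, int, int, int]]) -> bytes:
    """Assemble an MBR from (active, type, lba_start, sectors) tuples; CHS fields left zero."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, start, count)
                     for active, ptype, start, count in parts)
    return bytes(446) + table.ljust(64, b"\0") + MBR_SIGNATURE


# Constructed sample mirroring the ListParts layout above: Dell utility (DE), RECOVERY (07),
# OS (07) and the 1744 KB hidden, active partition 4 that starts where the OS volume ends.
INFECTED_MBR = build_mbr([
    (False, 0xDE, 63, 39 * 2048),
    (False, 0x07, 40 * 2048, 14 * GIB),
    (False, 0x07, 40 * 2048 + 14 * GIB, 916 * GIB),
    (True, 0x17, 40 * 2048 + 14 * GIB + 916 * GIB, 3488),
])
# Constructed sample of the same disk as it should look: boot flag back on the RECOVERY
# (System) volume and slot 4 empty, which is what the parted steps above aim for.
CLEAN_MBR = build_mbr([
    (False, 0xDE, 63, 39 * 2048),
    (True, 0x07, 40 * 2048, 14 * GIB),
    (False, 0x07, 40 * 2048 + 14 * GIB, 916 * GIB),
])


def report(mbr: bytes) -> list[str]:
    """Human-readable lines, one per used entry, followed by any findings."""
    entries = parse_mbr(mbr)
    lines = []
    for e in entries:
        if e["type"]:
            lines.append("Partition %d  type %02X  active=%s  start=%d  size=%d KB" % (
                e["slot"], e["type"], "Yes" if e["active"] else "No", e["lba_start"],
                e["sectors"] * SECTOR // 1024))
    for slot, reasons in find_suspicious(entries):
        lines.append("SUSPICIOUS partition %d: %s" % (slot, "; ".join(reasons)))
    return lines


if __name__ == "__main__":
    for sample in (INFECTED_MBR, CLEAN_MBR):
        print("\n".join(report(sample)), end="\n\n")
```

Run against the constructed infected layout the report marks only partition 4, for the same four reasons ListParts hints at; against the clean layout it reports nothing. After the repair the helper describes, a fresh dump of sector 0 should look like CLEAN_MBR: the boot flag on the RECOVERY volume and slot 4 zeroed.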
 
When you say "boot" bad computer, what do you mean? I have the CD made, and put it in the CD drive of the bad computer, and now it's prompting me to "Open folder and view files". There are files named BOOT, OPT, a thing called BOOT security catalog, then ISOLINUX, ISOLINUX.
 
Are you BOOTING bad computer from the CD you just made?
Put the CD in.
Restart computer.
Watch for the following message:
"Press any key to boot from CD".
At that point press any key.
 
I'm not getting that message. The only 2 options I have are F2 setup and F12 boot options. Is boot from CD under boot options?
 
Maybe. It gives me a list:

SATA:WDC WD10EALX-759BA1

SATA: TSSTcorp DVD+/-RW TS-H65

Enter Setup

Diagnostics


Is the TSSTcorp one the CD drive?
 
OK, I did that and a white screen came up asking what language, then a black screen that says stuff like "Fatal Server error: no screens found". Then I'm stuck at a blinking underscore that says sh-4.0#
 