also @ TechSpot: Bill Gates is once again the richest person in the world

TechSpot

TechSpot News Products Downloads Forums

About
Sign in

Welcome to TechSpot

Why should I register?

Sign up for a new account or log in here:

Forgot your password?

Couldn't sign you in, please try again.

System Check

Discussion in 'Virus and Malware Removal' started by sandberg85, Jan 19, 2012.

Post New Reply

Page 4 of 5

sandberg85 Newcomer, in training Posts: 54

tried both neither got me anywhere. I have no windows screen showing up. the only two options i have are f2 setup and f12 boot. f8 does nothing im still brought to the black screen.

sandberg85, Jan 22, 2012

#61
Broni Malware Annihilator Posts: 39,189 +175

What do you mean by both?

Broni, Jan 22, 2012

#62
sandberg85 Newcomer, in training Posts: 54

sorry about that. i meant I tried option one and couldnt do it. then would do option 2 but dont have a disc.

sandberg85, Jan 22, 2012

#63
Broni Malware Annihilator Posts: 39,189 +175

NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.

Broni, Jan 23, 2012

#64
sandberg85 Newcomer, in training Posts: 54

ok i couldnt find a recovery CD. so I reran the instructions from prior to see if I had misstepped. I booted from the CD and went to the partitions. I had change my "dellutility" partition to "boot" from "diag" before. This time I went and changed "dellutility" back to diag and changed the RECOVERY partition to "boot" maybe, that is my OS one and I had misread something because this time windows booted up no problem.

sandberg85, Jan 23, 2012

#65

sandberg85 Newcomer, in training Posts: 54

redirect gone too

sandberg85, Jan 23, 2012

#66

Broni Malware Annihilator Posts: 39,189 +175

Good job

See if aswMBR will run now and also post new Bootkit Remover log.

Broni, Jan 23, 2012

#67
sandberg85 Newcomer, in training Posts: 54

aswmbr ran here's the log.

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-23 15:20:22
-----------------------------
15:20:22.476 OS Version: Windows x64 6.1.7601 Service Pack 1
15:20:22.476 Number of processors: 4 586 0x2A07
15:20:22.476 ComputerName: TY-PC UserName: Ty
15:20:24.286 Initialize success
15:23:12.060 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:23:12.064 Disk 0 Vendor: WDC_WD10EALX-759BA1 19.01H19 Size: 953869MB BusType: 3
15:23:12.068 Disk 0 MBR read successfully
15:23:12.070 Disk 0 MBR scan
15:23:12.073 Disk 0 Windows VISTA default MBR code
15:23:12.075 Disk 0 Partition 1 00 06 FAT16 DELL 4.1 39 MB offset 63
15:23:12.078 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15166 MB offset 81920
15:23:12.081 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 938662 MB offset 31141888
15:23:12.082 Service scanning
15:23:12.514 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
15:23:13.071 Modules scanning
15:23:13.075 Disk 0 trace - called modules:
15:23:13.081 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
15:23:13.085 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006570060]
15:23:13.091 3 CLASSPNP.SYS[fffff8800199843f] -> nt!IofCallDriver -> [0xfffffa8006135520]
15:23:13.096 5 ACPI.sys[fffff88000f837a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80060e3680]
15:23:13.101 Scan finished successfully
15:25:52.660 Disk 0 MBR has been saved successfully to "C:\Users\Ty\Documents\MBR.dat"
15:25:52.667 The log file has been saved successfully to "C:\Users\Ty\Documents\aswMBR.txt"

sandberg85, Jan 23, 2012

#68
sandberg85 Newcomer, in training Posts: 54

Bootkit Log

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`b6600000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;
Press any key to quit...

sandberg85, Jan 23, 2012

#69
Broni Malware Annihilator Posts: 39,189 +175
Looks good

1. Download Security Check from HERE, and save it to your Desktop.

Double-click SecurityCheck.exe

Follow the onscreen instructions inside of the black box.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:

Internet Services

Windows Firewall

System Restore

Security Center

Windows Update

Press "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

Double click on TFC.exe to run the program.

Click on Start button to begin cleaning process.

TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

Disable your antivirus program

Tick the box next to YES, I accept the Terms of Use

Click Start

Accept any security warnings from your browser.

Check Scan archives

Click Start

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

When the scan completes, click on List of found threats

Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

NOTE. If Eset won't find any threats, it won't produce any log.
Broni, Jan 23, 2012

#70
sandberg85 Newcomer, in training Posts: 54

security check

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 24
Out of date Java installed!
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````

sandberg85, Jan 23, 2012

#71
sandberg85 Newcomer, in training Posts: 54

FSS log

Farbar Service Scanner Version: 18-01-2012 01
Ran by Ty (administrator) on 23-01-2012 at 17:08:29
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

MD5 is too legit to quit.

hey hey

sandberg85, Jan 23, 2012

#72
sandberg85 Newcomer, in training Posts: 54

TFC ran and rebooted and then ESET didnt produce a log.

sandberg85, Jan 23, 2012

#73
sandberg85 Newcomer, in training Posts: 54

You think I can set a back up yet?

sandberg85, Jan 23, 2012

#74
Broni Malware Annihilator Posts: 39,189 +175
After you complete the following, yes.

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.

Accept any prompts.

Do NOT post JavaRa log.

============================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:

:OTL :Commands [purity] [emptytemp] [EMPTYFLASH] [emptyjava] [CLEARALLRESTOREPOINTS] [Reboot]

Then click the Run Fix button at the top

Let the program run unhindered, reboot the PC when it is done

Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

Double-click OTL.exe to start the program.

Close all other programs apart from OTL as this step will require a reboot

On the OTL main screen, press the CLEANUP button

Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
Broni, Jan 23, 2012

#75
sandberg85 Newcomer, in training Posts: 54

what is OTL?

sandberg85, Jan 23, 2012

#76
Broni Malware Annihilator Posts: 39,189 +175

You should still have it on your desktop.
See my reply #21.

Broni, Jan 23, 2012

#77
sandberg85 Newcomer, in training Posts: 54

just did the reboot through OTL. you dont need the log? also downloading WOT.

so I can delete all the tools now eh? im clean?? like really? ^ ^ I feel clean!

edit: so I reinstall java now? I just had a java error pop up saying couldnt update.

sandberg85, Jan 23, 2012

#78
Broni Malware Annihilator Posts: 39,189 +175

Run JavaRa first.
Then try to update Java again.

Broni, Jan 23, 2012

#79
sandberg85 Newcomer, in training Posts: 54

done. what now broni?

sandberg85, Jan 23, 2012

#80

Page 4 of 5

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.