
negster22

Posts posted by negster22

  1. Whenever you install a new program or Windows Updates, a new restore point is created, so that restore point will suffice.

    You can plug in your external hard drive, and first scan it with a Malwarebytes quick scan. Then perform a full system scan with an updated Avast, followed by a full MBAM scan. If anything is detected you can post those logs.

  2. Do I need to keep the aswMBR logs as well or just the MBR zip? Do I need DDS or Gparted any longer? It doesn't seem combofix was fully uninstalled, it still seems to remain in Computer/(C:)/Users/Dylan/Downloads/Combofix, should I just manually delete this one, or is there another tricky way to take care of this?

    Good question - it is a good idea to keep the MBR logs so they can be compared to logs acquired at a future date if the need arises.

    You do not need DDS or GParted. The "first" because you should always download the latest copy of any system analysis program, and the "second" because you haven't been able to tweak your system to boot from CD. I would contact Acer support about that issue.

    Since Combofix is in your downloads directory, issue this command from the run line (start -> run):

    "C:/Users/Dylan/Downloads/Combofix" /uninstall

    If that doesn't work, you can manually delete the C:\Combofix and C:\Qoobox folders and set a new system restore point:

    http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/

    Also Secunia tells me my flashplayer is out of date, but then I visit the adobe flash website, and it says Flash is incorporated in googlechrome, and will update itself when needed... so I guess that one is ok even though Secunia says it is not?

    That is the beauty of Chrome (its add-ons are built in and self-updating), so you can ignore that and BTW the current version of Adobe Flash Player is 11.1.102.55.

    http://get.adobe.com/flashplayer/

  3. Excellent job!

    Your scans are all coming up clean now and the rootkit that was causing your redirect problems has been disinfected.

    We have to perform a few "housekeeping" steps to remove the clean-up tools that we used!!

    • Please delete these programs from your Desktop (or their download location):
      TDSSKiller, MBRCheck, ASWMBR.exe
    • Please retain the back-up copy of your MBR and make sure that you have burned it to CD or copied it to USB for safekeeping, so you have it in the event You need to restore it.

    To remove Combofix and its quarantine folder:

    • Click Start -> type "run" into the Start Search box, then double-click the "Run" that appears under the "Programs" category at the top
    • Copy/paste the following bolded text into the Start Search box and select OK:
    • "%userprofile%\desktop\combofix.exe" /uninstall

    This will do the following:

    • Uninstall Combofix and all its associated files and folders.
    • Flush your system restore points and create a new restore point.
    • Rehide your system files and folders
    • Reset your system clock
    • Disable autorun to prevent you from contracting USB transferred infections. You can still access all plugged in devices via My Computer (or Computer in Vista & W7) or by hitting the (Windows key + E) simultaneously to open Windows Explorer

    ---

    Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

    1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

    Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

    Note: If your firewall prompts you about access, allow it.

    2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

    3. You should visit the Windows Updates website, and obtain the most current updates/patches for your Operating System and Internet Explorer.

    • The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update or by accessing Windows Update through your Start Menu
    • However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis.
    • It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system.
    • Windows Updates (including a new Microsoft Malicious Software Removal Tool (MSRT)) are released on the second Tuesday of every month.

    Finally, please review the additional suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

    Happy Surfing! :)

  4. I honestly do not know why that IAStore pop-up appeared, but as long as Combofix finished and produced a log, I would not worry about what seems to be a one-time occurrence. If there had been a blue screen I would be more concerned.

    Yes, we did make substantial progress yesterday and it's just about time to wrap things up.

    But, before we do, there's something you should do now that your MBR is clean:

    Back up your clean MBR

    • Delete the infected MBR.dat on your desktop
    • Right-click aswMBR.exe on your desktop and select "Run as Administrator"
    • Post the contents of the log that opens in your next reply
    • Zip up MBR.dat and attach it to your next reply
    • Retain mbr.dat (it is only 512 bytes) so you have a clean MBR that can be restored in the event it ever becomes infected again
    • Copy MBR.dat to a CD or USB for safekeeping.

  5. Your DDS logs look pretty good.

    Did you intentionally install these Programs?

    SweetIM for Messenger 3.6

    SweetIM Toolbar for Internet Explorer 4.2

    Price Gong

    Go to the Control Panel -> Programs and Features

    Uninstall the following Programs: (unless you use them)

    SweetIM Toolbar for Internet Explorer

    AVG PC Tuneup 2011 <=== ESET detected a trojan in part of this program

    Price Gong

    Please delete the renamed Combofix on your desktop and download a new version from HERE or HERE

    Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Now, we have to run Combofix with a script this time as follows:

    1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

    2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt by using the File -> "Save as" function on the Notepad Menu.


    KillAll::

    DDS::
    BHO-X64: SWEETIE - No File
    BHO-X64: PriceGong - No File
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: PriceGong - No File

    Folder::
    C:\TDSSKiller_Quarantine

    ClearJavaCache::

    3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

    4. Close All Open Windows and Browsers,

    CFScriptB-4.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    This will launch ComboFix.

    If the run does not finish or you have problems, please launch Combofix in safe mode following the same directions as above.

    If ComboFix prompts you to:

    • Update to a newer version, make sure you allow it to update.
    • Upload infected files for analysis, please allow it to do so.

    Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it).

  6. Got it, would you recommend getting the malwarebytes pro instead of these free options?

    MBAM is to be run as an adjunct to an antivirus, not as an antivirus replacement. It is compatible with most AVs and it finds quite a few threats that AVs do not ordinarily detect and remove.

    I run MBAM and ESET on one of my PCs, and MSE and MBAM on the other. Also, I always keep UAC at full throttle!

    Let me look at your DDS and attach now.

    Your ESET scan results are not as bad as you think because most of those detections are in TDSSKiller's quarantine stores, Temporary Internet Cache, or Java Cache and they are not active (running) threats as illustrated in the quoted material below:

    TDSSKiller's quarantine stores

    C:\TDSSKiller_Quarantine\22.11.2011_07.24.06\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\22.11.2011_07.24.06\tdlfs0000\tsk0004.dta Win64/Olmarik.X trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\22.11.2011_07.24.06\tdlfs0000\tsk0005.dta a variant of Win32/Olmarik.AXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\22.11.2011_07.24.06\tdlfs0000\tsk0006.dta Win64/Olmarik.AC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\22.11.2011_07.24.06\tdlfs0000\tsk0007.dta a variant of Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\22.11.2011_07.24.06\tdlfs0000\tsk0008.dta Win64/Olmarik.Z trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\29.11.2011_08.36.02\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\29.11.2011_08.36.02\tdlfs0000\tsk0004.dta Win64/Olmarik.X trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\29.11.2011_08.36.02\tdlfs0000\tsk0005.dta a variant of Win32/Olmarik.AXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\29.11.2011_08.36.02\tdlfs0000\tsk0006.dta Win64/Olmarik.AC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\29.11.2011_08.36.02\tdlfs0000\tsk0007.dta a variant of Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\TDSSKiller_Quarantine\29.11.2011_08.36.02\tdlfs0000\tsk0008.dta Win64/Olmarik.Z trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    Java Cache:

    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\750e1b8d-171be5c4 Java/Agent.DW trojan (deleted - quarantined) 00000000000000000000000000000000 C

    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\576c5ff4-5c7d8344 Java/Agent.DW trojan (deleted - quarantined) 00000000000000000000000000000000 C

    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\42b098b5-32131425 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

    Temporary Internet Files

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IVBWP310\ai8r643[1].htm JS/Kryptik.DQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    Downloaded Installers

    C:\Users\Dylan\Downloads\registrybooster.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

    C:\Users\Dylan\Downloads\XvidSetup.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C

    There's a temp file cleaner that I want you to run called TFC (Temporary File Cleaner)

    Download TFC to your desktop:

    http://www.amtsc.com/OldTimer/TFC.exe

    Close any open windows.

    Double click the TFC icon to run the program

    TFC will close all open programs itself in order to run,

    Click the Start button to begin the process.

    Allow TFC to run uninterrupted.

    The program should not take long to finish its job

    Once it's finished it should automatically reboot your machine,

    if it doesn't, manually reboot to ensure a complete clean

    Now clear the Java cache:

    After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

    I see you're running SUPER Antispyware and MBAM but I don't see that you're running an Antivirus, so you need to get one.

    There are three free AVs that I highly recommend!

    Microsoft Security Essentials:

    http://windows.microsoft.com/en-US/windows/products/security-essentials

    Avast:

    http://www.avast.com/free-antivirus-download

    Avira Free Antivirus:

    http://www.avira.com/en/avira-free-antivirus

    ESET you must pay for but to me it is worth every penny:

    ESET Smart Security:

    http://www.eset.com/us/home/products/smart-security/

    Download one of the above and then perform a new DDS scan for me and post DDS.txt and attach the attach.txt this time.
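An added example, not from the original post, of the triage the reply above does by hand: it parses result lines in the layout shown (assumed: one detection per line as path, detection name, action in parentheses, MD5, flag) and sorts each hit by where the file sat, so detections inside TDSSKiller's or Combofix's quarantine, a restore point, the Java cache, Temporary Internet Files or an unrun installer in Downloads are reported as dormant, and only files elsewhere, or ones ESET could not clean, are flagged for review. The sample lines below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines, laid out the way the ESET results appear in the
# post above. File names are made up for the example.
SAMPLE_LOG = r"""
C:\TDSSKiller_Quarantine\22.11.2011_07.24.06\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\42b098b5-32131425 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IVBWP310\ai8r643[1].htm JS/Kryptik.DQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Dylan\Downloads\XvidSetup.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\System32\drivers\example.sys.vir Win64/Olmarik.Z trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\drivers\example.sys a variant of Win64/Olmarik.AC trojan (unable to clean) 00000000000000000000000000000000 C
"""

# Assumed line layout: <path> <name> (<action>) <32 hex md5> <flag>. The body
# is matched lazily, so a "(" inside a path cannot be mistaken for the action
# because the md5 and flag must follow it.
LINE_RE = re.compile(
    r"^(?P<body>.+?) \((?P<action>[^()]*)\) (?P<md5>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

# Places where a detection is dormant: quarantine stores, caches and
# downloaded-but-never-run installers. Matched case-insensitively, first hit wins.
INACTIVE_LOCATIONS = (
    ("c:\\tdsskiller_quarantine\\", "tdsskiller_quarantine"),
    ("c:\\qoobox\\", "combofix_quarantine"),
    ("\\system volume information\\", "restore_point"),
    ("\\sun\\java\\deployment\\cache\\", "java_cache"),
    ("\\temporary internet files\\", "browser_cache"),
    ("\\downloads\\", "downloaded_installer"),
)

NAME_PREFIXES = (["probably", "a", "variant", "of"], ["a", "variant", "of"])


def split_path_and_name(body):
    """Separate the file path from the detection name.

    Windows paths may contain spaces but never "/", while ESET names look like
    Platform/Family (optionally prefixed "a variant of") or "multiple threats".
    """
    tokens = body.split(" ")
    start = None
    for i, tok in enumerate(tokens[1:], start=1):  # token 0 is always path
        if "/" in tok or (tok == "multiple" and tokens[i + 1:i + 2] == ["threats"]):
            start = i
            break
    if start is None:
        return None
    for prefix in NAME_PREFIXES:  # longest prefix first
        n = len(prefix)
        if start >= n and tokens[start - n:start] == prefix:
            start -= n
            break
    return " ".join(tokens[:start]), " ".join(tokens[start:])


def classify_location(path):
    lowered = path.lower()
    for needle, label in INACTIVE_LOCATIONS:
        if needle in lowered:
            return label
    return "review"


def parse_line(line):
    """Return a dict for one result line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    split = split_path_and_name(m.group("body"))
    if split is None:
        return None
    path, name = split
    location = classify_location(path)
    action = m.group("action")
    return {
        "path": path,
        "name": name,
        "action": action,
        "location": location,
        # Files outside a quarantine/cache, or that ESET could not clean, deserve
        # a second look; everything else was already dormant when found.
        "needs_review": location == "review" or "unable" in action.lower(),
    }


def triage(log_text):
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def summarize(records):
    return Counter(r["location"] for r in records)


if __name__ == "__main__":
    records = triage(SAMPLE_LOG)
    for r in records:
        flag = "REVIEW " if r["needs_review"] else "dormant"
        print(f"{flag} [{r['location']}] {r['name']} <- {r['path']}")
    print(dict(summarize(records)))
```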

  8. Well, I have to go out now anyway so the length of the scan does not bother me! :)

    Just post the results when done - all indications show that you're clean.

    Also, please attach the Microsoft Windows Malicious Software Removal Tool (MSRT) log as follows:

    • Click the Start button.
    • For Windows 7: Type or copy/paste
      c:\windows\debug\mrt.log into the Start/Search box and hit Enter
    • Attach the MRT log that opens in Notepad to your next reply

  9. AWESOME!!

    We cross posted! That is what I suspected, so you are no longer infected and you do NOT have to restore your system!!

    However, I want you to run this scan:

    Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

    http://www.eset.com/onlinescan/index.php

    • ESET recommends disabling your resident antivirus's active protection component BEFORE scanning
    • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
    • If you are using Vista or Windows 7, launch 32 bit Internet Explorer by right-clicking the Start Menu icon & selecting "Run as Administrator"
    • Check the "Yes, I accept the terms of use" box.
    • Click "Start"
    • Approve the installation of the ActiveX control that's required to enable scanning
    • Make sure the box "Remove found threats" is CHECKED!!
    • Click "Start"
    • Allow the definition data base to install
    • Click "Scan"

    When the scan is done:

    • Do NOT choose the option to uninstall the ESET Online Scanner with all its components because you need to retain the scan log for posting.
    • Please post the scan report in your next reply. It can be found in this location:
      C:\Program Files\EsetOnlineScanner\log.txt
    • You can remove the ESET Online Scanner using the Windows Control Panel - Add/Remove Programs feature

    Important: Do NOT choose the option to automatically uninstall or the ESET Scan log will be deleted!!

    Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

    Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

    To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

  10. Let's not worry about your external drive now since it's not a "boot" drive and the MBR rootkit is on your primary operating system drive.

    First things, first:

    Is your browser still being redirected?

    I want to try a couple of things to fix your problem first, before having you resort to a full restore of your system. First, we'll attempt to update the drivers TDSSKiller flagged through Device Manager.

    If you do not find them, just continue with my instructions on running TDSSKiller.

    To Replace C:\Windows\system32\Drivers\usbaapl64.sys

    This is apparently a driver associated with the iphone & itunes, so it is nonessential and it can be downloaded if necessary

    • Click Start
    • Right-click Computer and select Properties
    • Click Device Manager
    • Locate iphone in Device Manager listing, right-click it and select Properties
    • Select Driver Tab -> Update

    To replace C:\Windows\system32\DRIVERS\MijXfilt.sys

    This is apparently a driver associated with an XBox 360 Joystick Controller so it is also nonessential and it can be downloaded if necessary

    • Click Start
    • Right-click Computer and select Properties
    • Click Device Manager
    • Click "Microsoft Common Controller for Windows Class" in the Device Manager listing
    • Right-click "Xbox 360 Controller for Windows" and select Properties
    • Select Driver Tab -> Update

    These three "threats" were in the TDSSKiller log that you posted in reply 41:

    15:03:59.0981 1860 Detected object count: 3

    15:03:59.0981 1860 Actual detected object count: 3

    15:04:17.0911 1860 MotioninJoyXFilter ( UnsignedFile.Multi.Generic ) - skipped by user

    15:04:17.0911 1860 MotioninJoyXFilter ( UnsignedFile.Multi.Generic ) - User select action: Skip

    15:04:17.0911 1860 USBAAPL64 ( UnsignedFile.Multi.Generic ) - skipped by user

    15:04:17.0911 1860 USBAAPL64 ( UnsignedFile.Multi.Generic ) - User select action: Skip

    15:04:17.0911 1860 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

    15:04:17.0911 1860 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

    I want you to rerun TDSSKiller but this time select "Delete" on Action Choice window for all three of the above detections (see attached image that depicts how you should deal with these detections).

    Post back the TDSSKiller log.

    post-25-0-06046400-1322840187.png

  11. Go back to reply 41 - this is in the TDSSKiller log that you posted:

    15:03:59.0981 1860 Detected object count: 3

    15:03:59.0981 1860 Actual detected object count: 3

    15:04:17.0911 1860 MotioninJoyXFilter ( UnsignedFile.Multi.Generic ) - skipped by user

    15:04:17.0911 1860 MotioninJoyXFilter ( UnsignedFile.Multi.Generic ) - User select action: Skip

    15:04:17.0911 1860 USBAAPL64 ( UnsignedFile.Multi.Generic ) - skipped by user

    15:04:17.0911 1860 USBAAPL64 ( UnsignedFile.Multi.Generic ) - User select action: Skip

    15:04:17.0911 1860 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

    15:04:17.0911 1860 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

    The detections in red show that you have an MBR rootkit (\Device\Harddisk0\DR0 is your hard drive).

    Unfortunately TDSSKiller is not able to remove it, and that would be the easiest and cleanest automatic removal method if it were possible but it is not.

    I don't believe you have the newest version of TDL4 which is the variant that creates a new hidden partition on your hard drive to store its file system. The reason I think this, is because your symptoms differ from those I wrote about in the Gparted article and Diskpart and Disk Management did not show any partitions that are unaccounted for. Furthermore, I inspected your MBR's partition table and there is no hidden partition, and your system reserved partition is the active partition, so it corroborates what Diskpart and Disk Mgt are reporting (all of that is legit). Using GParted was a way for me to look at your partitions by externally bypassing Windows, so I could crosscheck Diskpart and Disk Mgt's results.

    I do know you have an MBR rootkit, and the only cure for it is to overwrite your MBR with default Windows 7 code or to run two simple commands from the Windows Recovery Environment that should eliminate it. That sounds pretty simple and it is in theory, but doing that will also overwrite the code that enables you to access your recovery partition. That means we have a Catch 22 situation - because any attempts that we make to remove the rootkit will cause you to lose your ability to reinstall Windows. It wouldn't be so critical if you had a W7 installation CD or Recovery media, but the fact that you don't and your system for whatever reason fails to be able to boot to CD makes me very hesitant to try anything that will make you lose access to your Recovery Partition.

    Now, I am still mulling over what we should do.
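An added illustration, not the poster's own tooling, of the checks described in this reply and in reply 4 above: a parser for the 512-byte MBR.dat that aswMBR dumps, which verifies the boot signature, lists the partition table so the active partition and any entry that Diskpart/Disk Management did not report stand out, and compares a later dump against the retained backup the way reply 2 suggests. The disk layout, disk signature and boot-code bytes are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # boot code precedes the 4-byte disk signature
PART_TABLE_OFFSET = 446    # four 16-byte entries, ending at offset 510
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), start LBA, sectors
BOOT_SIGNATURE = b"\x55\xAA"

PART_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)",
              0x27: "hidden NTFS (WinRE)", 0xEE: "GPT protective"}


def parse_mbr(data):
    """Parse a 512-byte MBR dump into a boot-code hash and its partition entries."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, data, PART_TABLE_OFFSET + i * 16)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": i, "status": status, "active": status == 0x80,
            "type": ptype, "type_name": PART_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "start_lba": start, "sectors": count, "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def check_mbr(parsed, known_start_lbas):
    """Sanity checks: one active partition, valid status bytes, no unaccounted entries."""
    findings = []
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["start_lba"] not in known_start_lbas:
            findings.append(f"entry {p['index']}: partition at LBA {p['start_lba']} "
                            "not reported by Diskpart/Disk Management")
    return findings


def compare_to_backup(backup, current):
    """Report whether boot code or partition table changed since the retained backup."""
    b, c = parse_mbr(backup), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code differs from backup")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table differs from backup")
    return findings


# Constructed layout (not the poster's real disk): a 100 MB active System
# Reserved partition, the Windows partition and a 13 GB hidden recovery
# partition, each as (status, type, start LBA, sector count).
SYSTEM_RESERVED = (0x80, 0x07, 2048, 204800)
WINDOWS = (0x00, 0x07, 206848, 949999616)
RECOVERY = (0x00, 0x27, 950206464, 27262976)
# A constructed entry that Diskpart/Disk Management would not have listed.
UNACCOUNTED = (0x00, 0x07, 977469440, 2048)
KNOWN_START_LBAS = {SYSTEM_RESERVED[2], WINDOWS[2], RECOVERY[2]}


def build_sample_mbr(entries, boot_code_byte=0x90):
    """Assemble a synthetic 512-byte MBR with the given partition entries."""
    boot_code = bytes([boot_code_byte]) * BOOT_CODE_LEN  # placeholder, not real boot code
    table = b"".join(struct.pack("<B3sB3sII", s, b"\xfe\xff\xff", t, b"\xfe\xff\xff", lba, n)
                     for s, t, lba, n in entries)
    table += b"\x00" * (64 - len(table))
    return boot_code + struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00" + table + BOOT_SIGNATURE


if __name__ == "__main__":
    backup = build_sample_mbr([SYSTEM_RESERVED, WINDOWS, RECOVERY])
    info = parse_mbr(backup)
    for p in info["partitions"]:
        mark = "*" if p["active"] else " "
        print(f"#{p['index']} {mark} {p['type_name']:<20} LBA {p['start_lba']:>10} {p['size_mb']:>8} MB")
    print("sanity:", check_mbr(info, KNOWN_START_LBAS) or "OK")
    later = build_sample_mbr([SYSTEM_RESERVED, WINDOWS, RECOVERY, UNACCOUNTED], boot_code_byte=0xEB)
    print("vs backup:", compare_to_backup(backup, later))
    print("sanity:", check_mbr(parse_mbr(later), KNOWN_START_LBAS))
```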

  12. K so good news and bad news... The good news is that I was able to figure out the System Recovery, erecovery, to restore back to factory settings.

    That is good news so I assume that you were able to boot to your recovery partition then. What method did you use to access it since you said that <Alt> <F10> did not work? Or is there a method reached by using All Programs -> Acer -> Recovery?

    Important: Did you restore your computer back to factory settings or not?

    I found this article:

    HOW TO SET the BIOS TO BOOT FROM CDROM:

    http://www.hiren.info/pages/bios-boot-cdrom

    However, it appears that you did just that or that the CDROM was set to the boot device by default on your Acer so you didn't have to. Just give it a look over to make sure you did what is described. Though the key combinations are different on different makes of Computers the concept is the same for all of them.

  13. The BIOS menu is the screen that allows me to pick the boot sequence and other things, not where I can choose safe mode or debugging mode, correct?

    Correct - The BIOS is also called Setup or the Setup Utility Menu. You can access Boot Options from there or by pressing the Function Key required for you to access the boot options on your PC which according to you is F12 (although it is disabled).

    The Advanced Boot Options Menu is the one that allows you to boot in Safe Mode, Safe Mode with Networking, Last Known Good Configuration, etc and it is normally accessed by tapping the F8 key immediately upon system restart (right after you see your Acer splash screen). I don't suppose there's an option to access your recovery partition in the Advanced Boot Options Menu is there? (that would be too simple)

    Then under the tab that says Boot the list is as follows: 1) USB CDROM, 2)IDE0: Hitachi HTS545050B9A300, 3) IDE1: HL-DT-STDVDRAMGT3IN, 4) USB FDD, 5)Network Boot Altheros Boot Agent, 6) USB HDD

    This indicates that the Boot Order is USB/CDROM first because USB CDROM is listed as the first boot device. When you created your GParted CD did you use the "Burn an ISO" option? That is very important!

    A program that is very easy to use for burning ISOs is ImgBurn:

    http://www.imgburn.com/

    You can see in the Imgburn website screenshots how easy it is - you just choose the "Write Image File to Disk" Option.

    • Insert a blank CD or DVD in the CD Bay
    • Browse to the ISO file by clicking the "Folder" Icon.
    • Next, Choose your CD/DVD drive as the destination.
    • Click the "Write" Icon
    • When the Burn is done, Shut Down your PC, Power back up, and see if you can boot to the CDROM!!

    I want you to try burning the GParted ISO again using ImgBurn, and start from scratch by deleting the old copy of GParted and downloading a fresh one.

    Please tell me what model Acer you have, so I can research how to boot to the Recovery Partition online.

    BTW, Have you seen this:

    http://www.pctechbytes.com/acer/acer-aspire-system-recovery-partition/

    Also, the last reply here sounds about right - but your PC already has D2D enabled.

  14. It sounds like you did everything right to boot from your PC's CD/DVD device but it somehow is not responding correctly. Unfortunately, that leaves us with few options because before attempting repair or removal, I like to have that as a safety net. Most rootkit infections are so severe that being able to boot to a repair or recovery CD or DVD outside of Windows is critical to the removal and repair process.

    Yes, please back up your files.

    Important for you to answer, since it will impact our next plan of action:

    Since you don't have a Windows Reinstallation DVD, if you need to reformat & reinstall Windows then I assume you'd have to do it from your Hard Drive's Recovery Partition - Right?

    You should check to make sure you have access to the Recovery Partition.

  15. I want you to try and see if you can boot to and run the Windows System Repair CD you just created.

    If you can, then something may have gone haywire with the burning of the GParted ISO, making it unbootable. If that's the case, you may want to retry burning the GParted ISO as an image to a CD using Win 7's onboard burning CD/DVD software.

    This tutorial tells you how to burn an ISO using Windows 7:

    http://windowsteamblog.com/windows/b/windowsexperience/archive/2009/04/13/burn-iso-images-natively-in-windows-7.aspx

    • However, now that you have used MagicISO when you right-click an ISO file it will automatically try to open it with Magic ISO.
    • To counteract that you have to right-click, select Open With, and then select "Windows Disc Image Burn" then just Hit the burn button.

    I want you to rescan with TDSSKiller, and post back the log because I want to see if the TDSS rootkit detection still exists after you "cured" it.

    Next, Please download MBRCheck to your desktop.

    http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

    1. Right click MBRCheck.exe and select "Run as Administrator".

    2. It will open a black window, please do not fix anything (if it gives you an option).

    3. Exit that window and it will produce a log (MBRCheck_date_time).

    4. Please post that log when you reply.

    A very important question I have for you is - do you have a Windows 7 installation DVD or did Acer supply you with a Recovery DVD, that will effectively reinstall Windows on your computer so you can return it to baseline 0 - the way it was when you first bought it (some manufacturers include such media with a new computer)? I know you have a 13 GB Recovery Partition on your primary Hard Drive, but I'm talking about separate media.

    As far as backing up your data to that external 500 GB drive - yes, that is highly recommended as part of your computer "maintenance" but especially so when you are trying to recover from a deeply entrenched infection - so yes, please do that. Knowing that your data can be restored makes me feel better about performing tasks to remove the rootkit. Also, please back up the MBR.dat file (your Master Boot Record dump) that ASWMBR created and you attached to one of your replies.

  16. I was traveling all day today so I am just getting back to you now and will reply with more advice tomorrow.

    In the meantime, I'd like you to make a System Repair Disk:

    http://windows.microsoft.com/en-US/windows7/Create-a-system-repair-disc

    I'd also like you to tell me what happened when you tried to boot to the Gparted CD? Were you able to determine what function key you have to use to get into Setup (the BIOS) and/or the Boot Menu? If you power down your PC, and power it back up, you will see that key displayed (for a brief moment) as soon as the Acer splash screen is displayed.

    I want you to re-run TDSSKiller but this time do NOT skip this threat, instead "Cure" it if that option is presented:

    15:56:41.0533 4712 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

    15:56:41.0533 4712 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

    Then post the TDSSKiller log.

  17. Please don't worry about being absent during this Thanksgiving Holiday. I am away, too and not near my "regular" computer.

    1. Please refer back to post #8 because that is where I gave you instructions on how to upload the suspicious drivers that TDSSKiller flagged to the VirusTotal scanner. It is very possible that those drivers may be the source of your problems (they may have been replaced by infected versions of the original files).

    2. Next, I'd like you to forget about booting from the GParted CD for now, since so far there is no corroborating evidence to support you having the TDL4 infection variant that I thought you had.

    3. Next, I'd like you to delete TDSSKiller.exe and download a new TDSSKiller.exe by following my earlier directions.

    Then run a scan with TDSSKiller one more time and post the log that opens upon completion of the scan.

    4. Next, reboot and immediately afterward, download and run combofix as previously directed. Then post C:\Combofix.txt in your next reply.

    Thanks!

  18. You can try powering down and powering up with the CD inserted in the CD bay. Sometimes that is required to kick it into gear.

    Here's some more things I want you to do:

    1. With all programs and browsers closed, can you please look in Task Manager (Ctrl + Shift + Esc simultaneously), click the process Tab, and see if there are any instances of iexplore.exe running?

    2. Did you get a chance to upload those two suspected drivers that TDSSKiller flagged to VirusTotal for threat analysis yet? I know the website was very sloooooooooooooow yesterday.

    I'd like you to try something else, too:

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK

      • For Internet Explorer:

      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!

    1. To Launch Combofix right-click its desktop icon and select "Run as Administrator"

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.
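    The Task Manager check in item 1 above can also be done from PowerShell. The script below is an added example and is not part of the original post; it lists every running iexplore.exe, shows which image file each one was started from, and flags any copy that is not in the Internet Explorer install directory. It assumes Windows 7 with PowerShell 2.0 (hence Get-WmiObject rather than Get-CimInstance) and an elevated prompt so that other users' processes are visible. Because the post later asks for ComboFix to be renamed to iexplore.exe, run this before that download, or expect the renamed tool to appear in the list as well.

```powershell
# Added example (not from the original forum post): enumerate running
# iexplore.exe processes and report where each image actually lives.
# Assumptions: Windows 7 / PowerShell 2.0, run from an elevated
# "Run as Administrator" PowerShell prompt.

# Directories where the genuine Internet Explorer binary is installed.
$legitPaths = @((Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'))
if ($env:ProgramW6432) {            # only defined on 64-bit Windows
    $legitPaths += Join-Path $env:ProgramW6432 'Internet Explorer\iexplore.exe'
}
if (${env:ProgramFiles(x86)}) {
    $legitPaths += Join-Path ${env:ProgramFiles(x86)} 'Internet Explorer\iexplore.exe'
}

$procs = Get-WmiObject -Class Win32_Process -Filter "Name = 'iexplore.exe'"

if (-not $procs) {
    Write-Output 'No iexplore.exe processes are running.'
}
else {
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) { $path = '(path unavailable)' }

        # A process named iexplore.exe whose image sits outside the IE
        # install directory deserves a closer look (upload it to VirusTotal
        # as the post suggests for the flagged drivers). A renamed ComboFix
        # will also show up here, which is why this runs before that step.
        $status = if ($legitPaths -contains $path) { 'expected location' }
                  else { 'UNEXPECTED location' }

        # The parent tells you whether a browser started it (explorer.exe is
        # normal for a user-launched IE) or something else did.
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '(parent exited)' }

        Write-Output ('PID {0,6}  parent {1,-16} {2}  [{3}]' -f $p.ProcessId, $parentName, $path, $status)
    }
}
```

    With all browsers closed, the expected output is the single "No iexplore.exe processes are running." line; any entry marked UNEXPECTED location is what to report back, together with its path and parent process name.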

  19. Please make sure you have made a system recovery disk just in case we need it:

    Please follow the instructions I have written up here to make a bootable GParted CD by burning an ISO image:

    http://secure-computer-solutions.com/blog/2011/11/using_gparted_to_edit_the_part_1.html

    You can refer to this article to learn how to burn an ISO to CD/DVD in Win 7:

    http://windowsteamblog.com/windows/b/windowsexperience/archive/2009/04/13/burn-iso-images-natively-in-windows-7.aspx

    You must change the boot order in the BIOS to boot to the CD first, or just hit the Function key that displays on your screen at system restart to change the boot order.

    I found this online, since you have an Acer it may apply:

    http://www.sevenforums.com/installation-setup/169456-key-sequence-chane-boot-order.html

    An Acer Aspire requires use of F5 and F6 keys to move/change boot order after a device is selected

    After you successfully boot up to the GParted Desktop, I do not want you to edit anything, I just want you to describe to me each partition as it is listed: Partition (ie /dev/sda1), Size, Label (ie Reserved), and especially tell me which partition has "Boot" next to it. Also tell me if you see unallocated space.

    Boot back into Windows and post your results please.

  20. Click start -> right-click "Computer" and select "Manage"

    When the Computer Management Console opens:

    Under Storage, Select "Disk Management"

    Take a screen shot of the current window:

    Hit the (Alt + Fn + Prnt Scrn) keys simultaneously to copy the screen image to the Windows Clipboard

    Open Paint (Click start -> type paint in the Start Search box, and select "Paint" under Programs)

    After Paint opens, Click "Paste"

    Save the picture as disk.jpg

    Attach the image disk.jpg to your next post

    Note: If you prefer to use the Windows 7 snipping tool to take the screenshot - by all means, use that.

  21. Good now, open diskpart again by doing the following:

    Click Start and type cmd into the Start Search box

    In the search results, Under Programs, right-click cmd.exe and select "Run as Administrator" from the context menu.

    Once at the Command Prompt (a window with this line displayed)

    C:\Windows\system32>

    Type diskpart

    Hit Enter

    Type list disk

    Hit Enter

    Type Select disk 0

    Hit Enter

    Type list partition

    Right-click the command window with the results, left click "Select All" (the window will change color) and right-click within the command window so its original color returns

    Open Notepad

    Select Edit -> Paste

    Save the file as listpart.txt

    Paste the contents into your next reply

    You should get something like this:

        Microsoft Windows [Version 6.0.6002]
        Copyright © 2006 Microsoft Corporation.  All rights reserved.

        C:\Windows\system32>diskpart

        Microsoft DiskPart version 6.0.6002
        Copyright © 1999-2007 Microsoft Corporation.
        On computer: NEGSTER22-PC

        DISKPART> list disk

          Disk ###  Status      Size     Free     Dyn  Gpt
          --------  ----------  -------  -------  ---  ---
          Disk 0    Online       112 GB      0 B

        DISKPART> select disk 0

        Disk 0 is now the selected disk.

        DISKPART> list partition

          Partition ###  Type              Size     Offset
          -------------  ----------------  -------  -------
          Partition 1    OEM                 55 MB    32 KB
          Partition 2    Primary             10 GB    55 MB
          Partition 3    Primary            100 GB    10 GB
          Partition 0    Extended          2048 MB   110 GB
          Partition 4    Logical           2047 MB   110 GB

        DISKPART>
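    Items 19 through 21 above all ask for the same thing: the partition layout of disk 0 and which partition is marked bootable. The script below is an added example and is not part of the original posts; it runs the diskpart commands from item 21 non-interactively, saves the output to listpart.txt on the desktop (so the Select All / Notepad copy step is unnecessary), and then prints Windows' own view of the same disk from WMI, including the boot flag and any space left after the last partition, which is the "unallocated space" question from item 19. It assumes Windows 7 or later, an elevated PowerShell prompt (diskpart will not run otherwise), and that disk 0 is the system disk as in the post. The trailing-space figure is approximate: Win32_DiskDrive reports a rounded size, so small differences of a few MB are normal.

```powershell
# Added example (not from the original forum posts): capture the diskpart
# listing to a file and cross-check it against Windows' WMI partition data.
# Assumptions: Windows 7+, elevated PowerShell prompt, disk 0 is the system disk.

$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as Administrator" and try again.'
}

$diskNumber = 0
$outFile    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'listpart.txt'

# diskpart reads commands from a script file when started with /s, which is
# equivalent to typing them one at a time at the DISKPART> prompt.
$scriptFile = Join-Path $env:TEMP 'listpart.dsk'
@('list disk', "select disk $diskNumber", 'list partition', 'exit') |
    Set-Content -Path $scriptFile -Encoding ASCII

$output = & "$env:SystemRoot\System32\diskpart.exe" /s $scriptFile
Remove-Item $scriptFile

# A date-stamped header lets this file be compared with a later capture,
# the same reason the thread keeps the old MBR logs.
$header = 'diskpart output captured {0} on {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm'), $env:COMPUTERNAME
@($header, '') + $output | Set-Content -Path $outFile -Encoding ASCII
Write-Output $output
Write-Output "Saved to $outFile"

# Second opinion from WMI: partition list, boot flag, and space after the
# last partition on the same disk.
$disk  = Get-WmiObject -Class Win32_DiskDrive -Filter "Index = $diskNumber"
$parts = Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex = $diskNumber" |
         Sort-Object StartingOffset

Write-Output ''
Write-Output ("Windows' view of disk {0} ({1} GB, {2}):" -f $diskNumber,
    [math]::Round($disk.Size / 1GB, 1), $disk.Model)
foreach ($part in $parts) {
    Write-Output ('{0,-22} {1,-28} {2,8} MB  offset {3,9} MB  boot={4}' -f
        $part.DeviceID, $part.Type,
        [math]::Round($part.Size / 1MB), [math]::Round($part.StartingOffset / 1MB),
        $part.BootPartition)
}

if ($parts) {
    $last = $parts | Select-Object -Last 1
    $tailBytes = $disk.Size - ($last.StartingOffset + $last.Size)
    Write-Output ('Space after the last partition: about {0} MB (a few MB of rounding is normal)' -f
        [math]::Round($tailBytes / 1MB))
}
```

    Post listpart.txt as the thread asks; the WMI section is extra context for the reader and answers the "which partition has Boot next to it" question without booting the GParted CD.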
