Random Invisible Ads/Sounds/Commercials and Redirection


I was able to install and run the tool successfully. The scan did not detect any threats. I ran this scan multiple times, because each time, after I would click 'select all' at the results page, the program would freeze when I'd click 'copy'. Here's what it looked like:

http://postimage.org/image/nxk0hgsch/

I'm going to try again to get a log for you, if you'd still like to look!


  • Staff

No, that's OK, thanks.

We have to somehow get that hidden malware partition taken care of.

Our last chance is to see if you can boot the machine via a USB.

please follow these instructions. You may want to prepare this on a clean computer:

Download the Universal USB Installer from here to your desktop.

Insert your USB drive (needs to be empty as the procedure will format the usb and delete anything on it)

After inserting the USB, run the application "Universal USB Installer".

Step 1: select the Linux distribution from the drop-down list to put on your USB.

From the drop-down list, scroll down to the "Puppy Linux Based" choices and choose Puppy 4.3.1, which is quite small (approx. 100 MB). Check the "Download the .iso" box, which will download the Linux .iso file we need.

Choose to save it to your desktop (it shouldn't take too long to download).

Step 2: once the Linux .iso has completed downloading, browse to the location of the download.

Step 3: select your USB drive letter > check the box to Format the USB drive (be absolutely sure of your USB drive letter).

Now click Create > your USB boot disk will be written to the USB.

Once the files have been written to the USB click the "close" button, now you have a bootable USB.

NEXT

Now we need to add an additional file to our USB.

  • Download pltdl_fix.sh and save it to the USB drive.
  • Insert your USB into the infected computer and reboot > choose to boot from USB (F10?)
  • The screen will go black for a moment, then it will automatically install the required drivers; you will then be asked to choose your keyboard, language, time zone and video setup, which is fairly straightforward.
  • The Puppy desktop will now load.
  • You should see the drive icons on the desktop. When mounted, they will be marked with a green dot. If not mounted, either click each icon to mount (and open an Explorer-type window) or click the Mount icon on the desktop, select the Drive tab and click the Mount button for each drive (this will also open the drive in an Explorer-type window).
  • Once all of the drives are mounted, open the USB drive's Explorer-type window > right click anywhere in the window and select Window > Terminal Here, then execute the script.
  • Type bash pltdl_fix.sh then press Enter.
  • ** Make sure to leave a space on either side of pltdl_fix.sh in the command.
  • You will be shown a list of partitions to choose marking active.
  • Type 2 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 1 to select partition 1 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the ptdl_fix.txt file that was created on your flash drive.

Note - in the event there is a problem booting the computer normally after running the script, run the pltdl_fix.sh script again using the following command.

bash pltdl_fix.sh -restore

Make sure to leave a space on either side of pltdl_fix.sh in the command.

This will prompt you to use the file pltdl_mbr_sda.bin on drive sda.

OK the procedure, then restart when complete.


I am able to boot off my USB, however the Puppy desktop will not load for me. For some reason, after putting in my time zone, etc., I'm asked for my monitor specs and such in Xorg setup. Once I enter them it tells me that X has failed, and I cannot get to the Puppy desktop. I'm currently searching for a solution to this problem.


  • Staff

Let's see if this version of TDSSKiller will run:

See if this one runs. Do not update it when prompted.

TDSSKiller

  • Double click on TDSSKiller.exe to run the application,
    For Vista or Windows 7 > right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  • click on Change parameters
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue
  • Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
  • Please copy and paste its contents on your next reply.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.


  • Staff

see if this will run:

Download FixTDSS and save it to your desktop.

  • Double click on the FixTDSS.exe icon to run it.
  • Click the "I Accept" button, then the "Proceed" button to begin
  • The tool will restart your computer automatically - click OK to allow it to do so
  • The tool will begin its scan on reboot > click "run" to begin
  • It will report if an infected MBR is found > click the "repair" button
  • a log is created in the same location as the tool and is called FixTDSS.log, please post the content in your next reply

I'm afraid you will probably run into the same issues with Ubuntu as you are having with Puppy Linux.

I'm just looking at the instructions for putting GParted onto a USB, so I'll get back to you with those instructions.


  • Staff

OK, it seems fairly straightforward.

We will make a bootable GParted USB,

then follow the previous instructions for removing the malware partition.

How to Create a System Rescue USB from the ISO:

  • Download the gparted.iso and save it to your desktop
  • Now download and run the Universal USB Installer and save it to your desktop
  • Insert a USB into your computer
  • Run the Universal USB installer, scroll down the list until you see Gparted, select gparted, browse to the location of the gparted.iso file on your desktop and select it, then follow the onscreen instructions
  • Reboot your PC and set your system BIOS or Boot Menu to boot from the USB device, save your changes and reboot booting from the memory stick

Upon reboot, you should be running GParted from your USB flash memory stick.

Use the default settings to load gparted

You should be here... Press ENTER

Gpart-Start.GIF

By default, "do not touch keymap" is highlighted.

Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

Gpart-partitions.GIF

According to your logs, the partition that you want to delete is 10 MB

Right click this partition and select Delete.

GPart-delete.GIF

The Partition has gone

Now select Apply

Now you should be here:

Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is "boot" next to your 14GB system drive?

If "boot" is not next to your 14GB System drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then close:

GPart-bootflag.GIF

Under File select Quit

Gpart-quit.GIF

You will see this small Popup

Gpart-reboot.GIF

Choose reboot and then press OK.

let me know how that goes


I am unable to run fixTDSSKiller.

I followed your gparted instructions to a T, and upon restart after I finished in gparted, windows will not start up normally at all. I am able to access startup repair at this point, which can't find the problem and can't fix anything. It gives me the option for system restore, which I decided to try after multiple tries to boot windows. I chose a restore date, and it said it loaded the system restore successfully and to restart. When I restarted, I am still unable to load windows.

I am starting to panic at this point...I can't bear to think that all my files are gone! Can I fix this??


  • Staff

yes, we can fix this, we have several options available to us, so if one doesn't work, we try another

the first thing to try is this: I want to make sure that the correct partition is set to boot

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt)


FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-09-2012

Ran by SYSTEM at 18-09-2012 18:16:03

Running from F:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3666800 2011-01-21] (Dell Inc.)

HKLM\...\Run: [intelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()

HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2010-12-17] (Intel® Corporation)

HKLM\...\Run: [bTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10228224 2010-11-03] (Intel Corporation)

HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207845 2011-04-29] ()

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)

HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()

HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)

HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1484856 2010-09-30] (McAfee, Inc.)

HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2010-11-15] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-15] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [2825741 2011-04-29] ()

==================== Services (Whitelisted) ===================

2 Bluetooth Device Monitor; "C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe" [897088 2010-11-03] (Intel Corporation)

3 Bluetooth Media Service; "C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe" [1298496 2010-11-03] (Intel Corporation)

2 Bluetooth OBEX Service; "C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe" [983104 2010-11-03] (Intel Corporation)

2 DellDigitalDelivery; "C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe" [148360 2011-03-24] (Dell Products, LP.)

3 McAWFwk; C:\PROGRA~1\mcafee\msc\mcawfwk.exe [220528 2010-08-30] (McAfee, Inc.)

2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)

2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)

2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)

2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)

3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [509416 2010-10-07] (McAfee, Inc.)

2 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)

2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [200056 2010-10-13] (McAfee, Inc.)

2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [245352 2010-10-13] (McAfee, Inc.)

2 mfevtp; "C:\Windows\system32\mfevtps.exe" [149032 2010-10-13] (McAfee, Inc.)

2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-12-17] ()

==================== Drivers (Whitelisted) =====================

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [62800 2010-10-13] (McAfee, Inc.)

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [121248 2010-10-13] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [190136 2010-10-13] (McAfee, Inc.)

3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [441328 2010-10-13] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [529128 2010-10-13] (McAfee, Inc.)

1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75032 2010-10-13] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [94864 2010-10-13] (McAfee, Inc.)

0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [283360 2010-10-13] (McAfee, Inc.)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-09-18 18:11 - 2012-09-18 18:12 - 00000000 ____D C:\FRST

2012-09-17 20:59 - 2012-09-17 20:59 - 00000452 ____A C:\Users\Public\Desktop\Emergency Backup.lnk

2012-09-17 20:59 - 2012-09-17 20:59 - 00000452 ____A C:\Users\All Users\Desktop\Emergency Backup.lnk

2012-09-17 20:59 - 2012-09-17 20:59 - 00000000 ____D C:\Emergency

2012-09-17 20:46 - 2012-09-17 20:46 - 00000000 ____D C:\Windows\SMINST

==================== 3 Months Modified Files ==================

2012-09-17 20:59 - 2012-09-17 20:59 - 00000452 ____A C:\Users\Public\Desktop\Emergency Backup.lnk

2012-09-17 20:59 - 2012-09-17 20:59 - 00000452 ____A C:\Users\All Users\Desktop\Emergency Backup.lnk

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-12 10:13:04

Restore point made on: 2012-09-17 17:51:23

==================== Memory info ===========================

Percentage of memory in use: 13%

Total physical RAM: 8099.18 MB

Available physical RAM: 6985.41 MB

Total Pagefile: 8097.38 MB

Available Pagefile: 7023.37 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:683.88 GB) (Free:655.39 GB) NTFS

3 Drive e: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.8 GB) NTFS ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive e: detected. Check for MBR/Partition infection.

4 Drive f: (PENDRIVE) (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         698 GB   13 MB
Disk 1    No Media       0 B      0 B
Disk 2    Online         244 MB   0 B

Partitions of Disk 0:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM               100 MB   1024 KB
Partition 2    Primary           14 GB    101 MB
Partition 3    Primary           683 GB   14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ###  Ltr  Label        Fs     Type       Size    Status   Info
----------  ---  -----------  -----  ---------  ------  -------  ------
* Volume 5       DELLUTILITY  FAT    Partition  100 MB  Healthy  Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs     Type       Size    Status   Info
----------  ---  -----------  -----  ---------  ------  -------  ------
* Volume 1  E    Recovery     NTFS   Partition  14 GB   Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs     Type       Size    Status   Info
----------  ---  -----------  -----  ---------  ------  -------  ------
* Volume 2  C    OS           NTFS   Partition  683 GB  Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           244 MB   49 KB

==================================================================================

Disk: 2

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs     Type       Size    Status   Info
----------  ---  -----------  -----  ---------  ------  -------  ------
* Volume 4  F    PENDRIVE     FAT    Removable  244 MB  Healthy

=========================================================

Last Boot: 2011-02-23 08:08

==================== End Of Log =============================

Search.txt:

Farbar Recovery Scan Tool (x64) Version: 17-09-2012

Ran by SYSTEM at 2012-09-18 18:14:07

Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

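The pltdl_fix.sh procedure, the GParted steps and the FRST partition dump above all come down to one field in the legacy partition table: which of the four 16-byte entries at offset 446 of sector 0 carries the 0x80 active flag, and whether a small partition the OS never created has taken it. The Python below is an added example; it is not code from this thread, from pltdl_fix.sh, or from FRST. It parses the table, applies a few heuristics for the state a TDL4-style bootkit leaves behind, and moves the active flag back to the partition that really holds the boot files, after saving sector 0 the way the script's -restore option depends on. The sample table is constructed: entries 1 to 3 copy the types and sizes in the FRST log (Dell Utility 0xDE, Recovery 0x07, OS 0x07); entry 4, a 10 MB active partition at the end of the disk, is hypothetical and stands in for the partition the staff asked to delete. The device and backup paths in the file helpers are placeholders.

```python
"""Inspect and repair the active (boot) flag in a legacy MBR partition table.

Added example, not code from the thread, pltdl_fix.sh or FRST. Works on raw
MBR bytes or a disk image so it runs offline; entries 1-3 of the sample follow
the FRST log, entry 4 is a hypothetical bootkit partition.
"""
import struct

SECTOR = 512
ACTIVE = 0x80
TABLE_OFF = 446                       # 64-byte partition table, then 0x55AA
ENTRY_FMT = "<B3sB3sII"               # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr):
    """Return the four primary partition entries as dicts (index is 1-based)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        entries.append({
            "index": i + 1,
            "active": status == ACTIVE,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return entries


def find_anomalies(entries, system_index):
    """Heuristics for what a TDL4-style bootkit leaves in the table.

    system_index is the 1-based entry that really holds the Windows boot
    files (partition 2, 'Recovery', in the FRST log). These point at what
    to look at; they do not prove or rule out infection.
    """
    issues = []
    active = [e["index"] for e in entries if e["active"]]
    if len(active) != 1:
        issues.append(f"expected exactly one active partition, found {active}")
    for e in entries:
        if not e["active"] or e["index"] == system_index:
            continue
        issues.append(f"partition {e['index']} is active but the boot files are on partition {system_index}")
        if e["size_mb"] <= 16:
            issues.append(f"partition {e['index']} is only {e['size_mb']} MB yet marked active")
    return issues


def set_active(mbr, index):
    """Return a copy of mbr with only partition `index` flagged active."""
    if index not in (1, 2, 3, 4):
        raise ValueError("index must be 1..4")
    out = bytearray(mbr)
    for i in range(4):
        out[TABLE_OFF + 16 * i] = ACTIVE if i + 1 == index else 0x00
    return bytes(out)


def clear_entry(mbr, index):
    """Return a copy of mbr with partition `index` zeroed (what deleting it in GParted does to the table)."""
    out = bytearray(mbr)
    off = TABLE_OFF + 16 * (index - 1)
    out[off:off + 16] = bytes(16)
    return bytes(out)


def backup_mbr(device, backup_path):
    """Save sector 0 before touching it; restore_mbr() is the undo (like the script's -restore)."""
    with open(device, "rb") as f:
        mbr = f.read(SECTOR)
    with open(backup_path, "wb") as f:
        f.write(mbr)
    return mbr


def restore_mbr(device, backup_path):
    with open(backup_path, "rb") as f:
        mbr = f.read(SECTOR)
    with open(device, "r+b") as f:
        f.seek(0)
        f.write(mbr)


def build_sample_mbr():
    """Constructed table: entries 1-3 follow the FRST log, entry 4 is hypothetical."""
    def entry(active, ptype, lba, sectors):
        return struct.pack(ENTRY_FMT, ACTIVE if active else 0, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)
    mb = 2048  # sectors per MiB
    table = (entry(False, 0xDE, 2048, 100 * mb)                 # Dell Utility, 100 MB, hidden
             + entry(False, 0x07, 206848, 14 * 1024 * mb)       # Recovery, 14 GB, holds the boot files
             + entry(False, 0x07, 29566976, 683 * 1024 * mb)    # OS, 683 GB
             + entry(True, 0x07, 1461921792, 10 * mb))          # hypothetical 10 MB bootkit partition, active
    return b"\x00" * TABLE_OFF + table + b"\x55\xaa"


if __name__ == "__main__":
    mbr = build_sample_mbr()                 # on a real disk: backup_mbr("/dev/sda", "pltdl_mbr_sda.bin")
    for e in parse_mbr(mbr):
        print(e)
    print("before:", find_anomalies(parse_mbr(mbr), system_index=2))
    fixed = set_active(clear_entry(mbr, 4), 2)
    print("after: ", find_anomalies(parse_mbr(fixed), system_index=2))
```

Run it as a script to see the constructed table before and after the repair; on a real machine, only ever point backup_mbr/restore_mbr at a block device from a live USB, with the backup written to the flash drive first. Two caveats a practitioner should keep in mind: this only reads the 64-byte table, not the 440 bytes of boot code in front of it, and TDL4 also replaces that code, so a clean table does not mean a clean sector 0 (that is what TDSSKiller and FixTDSS check); and the heuristics do not apply to GPT disks, where the protective MBR legitimately has a single 0xEE entry.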


Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

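A small triage parser, added here as an example (it is not code from the thread or from the FRST tool), for the two FRST results the staff member acted on above: the lines FRST marks with ATTENTION (the TDL4 custom BCD entry) and the `Search: "services.exe"` output, where the System32 copy is compared against the WinSxS copy by MD5. The sample lines are constructed to mirror the log's format; the WinSxS directory name is shortened.

```python
import re

# Constructed sample in FRST's output format (not the full log from the thread).
SAMPLE_LOG = r"""
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!
==================== Partitions =============================
ATTENTION: Malware custom entry on BCD on drive e: detected. Check for MBR/Partition infection.
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_example_servicecontroller_none_1234\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
"""

# Detail line under a Search hit: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - (\d+) \S+ \(([^)]*)\) ([0-9A-Fa-f]{32})$")
# A Windows path line such as C:\Windows\System32\services.exe
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")


def attention_findings(text):
    """Return every line FRST flagged with ATTENTION (e.g. a TDL4 entry in the BCD)."""
    return [ln.strip() for ln in text.splitlines() if "ATTENTION" in ln]


def search_hashes(text):
    """Map each path in a 'Search:' section to the MD5 on the detail line that follows it."""
    hashes = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for prev, cur in zip(lines, lines[1:]):
        m = DETAIL_RE.match(cur)
        if m and PATH_RE.match(prev):
            hashes[prev] = m.group(3).upper()
    return hashes


def hash_disagreements(text):
    """Group Search hits by file name; a name whose copies carry different MD5s
    (System32\\services.exe not matching the WinSxS copy) warrants a closer look."""
    by_name = {}
    for path, md5 in search_hashes(text).items():
        name = path.rsplit("\\", 1)[-1].lower()
        by_name.setdefault(name, {}).setdefault(md5, []).append(path)
    return {name: md5s for name, md5s in by_name.items() if len(md5s) > 1}
```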

  • Staff

This should do it,

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM-x32\...\Run: [] [x]
TDL4: custom:26000022 <===== ATTENTION!
cmd: bootrec /FixMbr
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-09-2012

Ran by SYSTEM at 2012-09-18 21:46:56 Run:1

Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.

The operation completed successfully.

The operation completed successfully.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========

==== End of Fixlog ====

I was able to restore windows. :) It appears to be back to factory settings and everything is new.


  • Staff

Well, given how terribly infected your machine was, it was probably the best solution, but probably not the one you were hoping for.

At least you can be assured of a clean machine now.

As a precaution, from a machine that has never been infected, I would change all your on-line passwords as there is no way of knowing if your personal information was compromised by the infection.

Let me know if it is running as it should.


  • Staff

Go ahead and restore them; it was the hidden malware partition that was causing the issue. Did you take the back-up after the removal of the malware partition? Plus, RogueKiller had removed the infected files already.

Once they are restored, you can always run an online scan with ESET and MBAM to make sure none of the files are infected.


I have restored all my files and ran an MBAM scan, which came back clean. Thank you so much for all of your help and patience. I have one last question: which antivirus/malware/spyware etc. program do you recommend that would prevent problems like these? I currently have Norton, which doesn't seem to be the most effective.


  • Staff

very good :)

I would still run the machine through the ESET on-line scan as it often picks up infected files.

Personally, I use the Pro version of Malwarebytes as I really like the real-time protection. I also use Microsoft Security Essentials as my antivirus, which is an excellent free antivirus and works very well with MBAM. I use just the Windows Firewall and the Web of Trust, which warns against suspicious websites; it's very useful. I am also behind a secure router; if you haven't set a strong password on your router, I suggest you do so.

Here are some links.

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft Security Essentials can be downloaded here:

http://www.microsoft.com/security_essentials/

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

If you decide to uninstall Norton, use the removal tool to get rid of all traces of it.

Norton has a tool that will remove all of its products from failed uninstalls or installs:

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

Make sure you keep programs such as Java, Adobe Reader, Flash and Windows updates completely up to date, as older versions are vulnerable to exploitation.

Make sure you set a medium-high level of security in your browsers.

It's best to stay away from cracks, keygens, peer-to-peer and torrents as they are generally infected; it's really not worth it.


Here's the ESET log--it actually did pick up something:

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\Backup\DSLUpdate\hstart.exe.bak a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\Backup\DSLUpdate\hstart.exe.bk1 a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\hstart.exe a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application

I think that once my subscription to Norton is finished, I'll be purchasing a different program--perhaps Malwarebytes pro. : ) Thanks for the advice!


  • Staff

ESET is just alerting to the type of file that it is. hstart.exe is a legitimate file as long as you are aware it is on your system, so those files are fine.

Malwarebytes Pro is an excellent antimalware product, but you will also need an antivirus, so when Norton runs out, give Microsoft Security Essentials a try.

If you want a paid Antivirus, look at Kaspersky or ESET, they are both excellent products.

You should now be good to go :)
