Another Ransom Locker? Windows Recovery?

ericm301 · April 26, 2011

You guy have been so helpful in the past. I thought I'd throw another puzzle your way. This time it's my WIFE'S laptop. It has been 'acting weird' for about a week. Then, today, she tells me, it has this weird dialog box that 'looks like' 'Windows Recovery' and keeps scanning the computer. The dialog has an 'advanced module' button, that when clicked, takes me to windows-recovery(dot)com/ Poking around a little, I found that "Task Manager has been disabled by your administrator.' and there is NOTHING on any of the drives

Anyway, I opened in safe mode, prompt, and was able to see all the files, now marked hidden, so I have some hope.

I read other trojan locker threads here, and though I'd better open my own, rather than poke blindly at my wife's machine, hoping something works.

I am at your mercy. Please help.

My wife's system is a Toshiba Qosimo E-15 (don't laugh, it was free), running Win XP Media.

I have yet to try the 'bootable CD-rom' I have because it is for a Toshiba Satelite, (hey, it was free, too).

My machine is a Win7 Compaq Presario, while not free, it was really cheap.

Thanks,

Eric M

UPDATE: I found the windows-recovery removal instructions in the self-help section and followed them. The virus definitions wouldn't update (access denied!), so I tried safe mode, and was able to scan and remove the windows-defender problem. However, I now get random audio playing from time to time, and javascript errors from pages there are no windows for. So, I think there is something else going on.

Any suggestions?

screen317 · April 27, 2011

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

ericm301 · April 28, 2011

Thanks for your help.

I ran DDS.com and DDS.scr and they both locked up the machine.

Here is my mbam log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6459

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

4/27/2011 12:59:40 PM

mbam-log-2011-04-27 (12-59-40).txt

Scan type: Quick scan

Objects scanned: 176666

Time elapsed: 10 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---*** End of mbam log file ***---

screen317 · April 29, 2011

Hi,

Download OTL.exe by OldTimer to your Desktop.

Close all windows and double click OTL.exe.
Click Run Scan and let the program run uninterrupted.
It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
You may need to use two posts to get it all.

Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
Execute the file TDSSKiller.exe by double-clicking on it.
Wait for the scan and disinfection process to be over.
When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

ericm301 · April 30, 2011

OTL logfile created on: 4/29/2011 8:26:40 PM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 90.00% Paging File free

Paging file location(s): C:\pagefile.sys 4096 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.44 Gb Total Space | 14.35 Gb Free Space | 19.28% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/29 20:22:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

PRC - [2010/10/18 03:48:15 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

PRC - [2010/07/17 05:00:10 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe

PRC - [2009/08/13 02:04:28 | 000,435,496 | R--- | M] (Pervasive Software Inc.) -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe

PRC - [2009/03/24 17:21:14 | 000,204,800 | ---- | M] () -- C:\Program Files\Galleon\bin\Wrapper.exe

PRC - [2009/02/03 11:32:00 | 003,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Owner\Desktop\SysInternals\Utilities\procexp.exe

PRC - [2008/10/02 09:23:16 | 000,546,288 | ---- | M] (Google) -- C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

PRC - [2008/09/30 14:06:50 | 000,485,208 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2005/06/10 19:59:56 | 001,422,336 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

PRC - [2004/07/16 15:24:34 | 000,638,976 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Picture Enhancement Utility\TosPEHK.exe

PRC - [2004/06/29 18:04:10 | 001,077,326 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Touch and Launch\PadExe.exe

PRC - [2004/06/16 16:44:06 | 000,036,864 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe

PRC - [2004/05/13 14:46:02 | 000,053,248 | ---- | M] () -- c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

PRC - [2004/03/02 13:45:28 | 000,135,168 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

PRC - [2003/12/16 16:47:42 | 000,376,832 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\ZCfgSvc.exe

PRC - [2003/12/16 16:43:06 | 000,184,320 | ---- | M] (Intel) -- C:\WINDOWS\system32\1XConfig.exe

PRC - [2003/12/16 16:42:32 | 000,311,363 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\S24EvMon.exe

PRC - [2003/12/16 16:41:40 | 000,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\RegSrvc.exe

PRC - [2003/09/05 03:24:46 | 000,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe

PRC - [2003/05/23 13:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe

PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

PRC - [2002/03/29 04:44:54 | 000,794,112 | ---- | M] (Lexmark) -- C:\WINDOWS\system32\LXSUPMON.EXE

========== Modules (SafeList) ==========

MOD - [2011/04/29 20:22:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (RoxLiveShare9)

SRV - [2009/11/02 13:17:00 | 001,098,968 | ---- | M] (TiVo Inc.) [Disabled | Stopped] -- C:\Program Files\TiVo\Desktop\TiVoBeacon.exe -- (TivoBeacon2)

SRV - [2009/08/13 02:04:28 | 000,435,496 | R--- | M] (Pervasive Software Inc.) [Auto | Running] -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe -- (psqlWGE)

SRV - [2009/03/24 17:21:14 | 000,204,800 | ---- | M] () [Auto | Running] -- C:\Program Files\Galleon\bin\Wrapper.exe -- (Galleon)

SRV - [2005/06/10 19:59:56 | 001,422,336 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)

SRV - [2004/06/16 16:44:06 | 000,036,864 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)

SRV - [2004/05/13 14:46:02 | 000,053,248 | ---- | M] () [Auto | Running] -- c:\Toshiba\Ivp\Swupdate\swupdtmr.exe -- (Swupdtmr)

SRV - [2003/12/16 16:42:32 | 000,311,363 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\S24EvMon.exe -- (S24EventMonitor)

SRV - [2003/12/16 16:41:40 | 000,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\RegSrvc.exe -- (RegSrvc)

SRV - [2003/05/23 13:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)

SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - [2010/12/15 04:02:13 | 000,033,912 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)

DRV - [2010/12/15 04:02:06 | 000,010,744 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)

DRV - [2009/07/18 10:48:55 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RT25USBAP.SYS -- (RT25USBAP)

DRV - [2008/04/13 11:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)

DRV - [2008/04/04 09:00:00 | 000,008,864 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS -- (CdaC15BA)

DRV - [2007/05/02 09:49:12 | 000,014,037 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)

DRV - [2007/02/08 06:45:14 | 000,029,184 | R--- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dsiarhwprog.sys -- (dsiarhwprog)

DRV - [2007/02/02 05:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)

DRV - [2007/02/02 05:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)

DRV - [2005/11/30 10:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)

DRV - [2005/06/10 19:58:16 | 000,298,571 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)

DRV - [2005/05/17 04:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)

DRV - [2005/01/26 04:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)

DRV - [2004/07/10 01:04:52 | 000,822,016 | ---- | M] (TOSHIBA) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ttv200x.sys -- (ttv200x)

DRV - [2004/07/02 09:50:14 | 000,036,531 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)

DRV - [2004/06/24 10:35:48 | 000,048,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfhid.sys -- (Tosrfhid)

DRV - [2004/06/03 11:45:22 | 000,057,344 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)

DRV - [2004/06/03 11:44:58 | 000,092,544 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfbd.sys -- (Tosrfbd)

DRV - [2004/05/17 15:18:24 | 000,008,573 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosrfec.sys -- (tosrfec)

DRV - [2004/05/08 20:38:06 | 000,101,833 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)

DRV - [2004/05/06 14:35:08 | 000,018,308 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)

DRV - [2004/04/19 12:02:48 | 000,062,959 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)

DRV - [2004/04/09 12:33:36 | 000,045,598 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosporte.sys -- (tosporte)

DRV - [2004/02/20 15:00:44 | 001,265,388 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2004/01/30 10:32:32 | 000,090,480 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)

DRV - [2004/01/02 02:52:34 | 001,646,720 | ---- | M] (Intel

ericm301 · April 30, 2011

Hi, Chris,

I got the logs above, as you can see, but when I downloaded and tried to run TDSSKiller.exe, it did nothing.

I tried running it in safe mode from a command prompt, and even that didn't work.

I was able to run it on my other laptop.

I think I saw another thread mention this problem. I will look, but, meanwhile, if you think of anything, pease let me know.

Thanks,

Eric M

ericm301 · May 2, 2011

Hi, Chris,

I have not been able to get TDSSKiller to do anything on the infected machine. When I run it with Process Explorer open, it shows up and dies right away.

When I run it on my Win7 machine it opens and scans like it should. Same exact file.

Seems to me something is watching for the process so it can defend itself. Something I can't see in any of the tools I have (autoruns and procexp from Sysinternals).

My mbam log still shows nothing.

Thanks,

Eric M

ericm301 · May 3, 2011

Hi,

I've been waiting for a response since Friday. I know you are busy, and that you are not the source of my frustration, but I still could use some help.

Please?

Eric M

screen317 · May 5, 2011

Hi,

My apologies for the delay.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

ericm301 · May 6, 2011

Thanks for getting to me. As I am typing this on my laptop, I am watching the infected laptop. All it has is a blue terminal style window and a blinking cursor. I did get through the authorization dialog, but since then, nothing. This is my third attempt.

First, I downloaded it, and when I ran it, some service (TiVo protocol/interface handler) warnings and the script error dialog interrupted things. So, I killed the services, and tried a second time. Still nothing. Then I disabled the services, downloaded a fresh ComboFix, restarted, and tried again.

So, that's where I'm at. Still looking at the blue terminal window on my desktop, with a blinking cursor...

Also, I could never get DDS to run.

screen317 · May 9, 2011

Hi,

Grab a fresh copy of ComboFix and save it to your Desktop. Before you download it, rename it to eric.com but do not run it yet.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\eric.com" /killall /nombr

See if it runs now.

ericm301 · May 11, 2011

It gets part way through, then hangs at the 'ten minutes' screen. It never starts counting.

Thanks,

--Eric

screen317 · May 12, 2011

Hi,

How long did you wait?

Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
Execute the file TDSSKiller.exe by double-clicking on it.
Wait for the scan and disinfection process to be over.
When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

ericm301 · May 13, 2011

I waited about 10-12 hours. I let it run all day while I was at work.

I still am not able to run TDSSKiller, in normal or safe mode.

I can't run DDS.com or DDS.scr

ESET is running right now, just started downloading signatures.

Will let it run tonight, poke at it some more in the morning.

ericm301 · May 13, 2011

TDSSKiller.exe would not run.

Both of the other logs are below.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=87e6fb19108ceb4fb610574d614db593

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-13 05:00:50

# local_time=2011-05-12 10:00:50 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=108154

# found=2

# cleaned=2

# scan_time=3654

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\31410a01-3a267a74 Java/Exploit.CVE-2010-3562.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\16\de78250-1b674732 Java/Exploit.CVE-2009-2843.B trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=87e6fb19108ceb4fb610574d614db593

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-13 12:09:36

# local_time=2011-05-13 05:09:36 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=108177

# found=0

# cleaned=0

# scan_time=3473

esets_scanner_update returned -1 esets_gle=53251

# version=7

# IEXPLORE.EXE=7.00.6000.17096 (vista_gdr.110211-1830)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=87e6fb19108ceb4fb610574d614db593

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-13 01:18:26

# local_time=2011-05-13 06:18:26 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=108188

# found=0

# cleaned=0

# scan_time=3374

Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Java 2 Runtime Environment, SE v1.4.2_03

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.4.2

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

screen317 · May 16, 2011

Hi,

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

Click the "Scan" button to start scan.
Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time)
Please post the contents of that log in your next reply.

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

ericm301 · May 17, 2011

Run date: 2011-05-16 17:03:43

-----------------------------

17:03:43.156 OS Version: Windows 5.1.2600 Service Pack 3

17:03:43.156 Number of processors: 1 586 0xD06

17:03:43.156 ComputerName: LAPTOP UserName: Owner

17:03:43.467 Initialize success

17:03:51.268 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

17:03:51.268 Disk 0 Vendor: ST980815A 3.ALC Size: 76222MB BusType: 3

17:03:53.311 Disk 0 MBR read successfully

17:03:53.311 Disk 0 MBR scan

17:03:53.311 Disk 0 unknown MBR code

17:03:55.314 Disk 0 scanning sectors +156103605

17:03:55.754 Disk 0 scanning C:\WINDOWS\system32\drivers

17:04:06.049 Service scanning

17:04:07.531 Disk 0 trace - called modules:

17:04:07.541 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a6821ed]<<

17:04:07.541 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6e5ab8]

17:04:07.541 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000008a[0x8a7299e8]

17:04:07.551 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a6e9940]

17:04:07.551 \Driver\atapi[0x8a7902f0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a6821ed

17:04:07.551 Scan finished successfully

17:05:18.934 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"

17:05:18.944 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

And:

MBR.zip

Glad to have a tool actually finish...I was getting worried.

Thanks!

screen317 · May 19, 2011

Hi,

We're having a really tough time getting things to run properly.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

Avira AntiVir Rescue System - Tutorial for Avira Rescue CD.
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Support Forum.
Dr Web LiveCD. Be sure to print out and follow the instructions provided in the User Manual.
F-Secure Rescue CD - Rescue CD 3.01 released.
Video: How to Remove Malware with F-Secure Rescue CD
If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum.
BitDefender LiveCD - Index of /rescue_cd
If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum.
Kaspersky RescueDisk - Index of /devbuilds/RescueDisk/
If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes. See if you are able to run DDS and ComboFix or TDSSKiller afterward.

ericm301 · May 20, 2011

Avira is scanning my system now. Had an interesting time firguring out how to get the machine to boot the disk.

Will post results soon...

ericm301 · May 20, 2011

This is really getting interesting. I'm half expecting to see a black screen, with the words:

You are in a maze of twisty little passages, all alike.

There is a lamp at your feet.

What do you want to do?

>

Anyway, here's what's going on:

Avira scanned and found 8 infected files, Trojan/AntiHosts.Gen and Trojan/Patched.Gen, and some Java exploit sigs.

It scanned and cleaned or renamed them, but now the machine won't boot the HD, even to safe mode.

I get Windows > BSOD flash > restart > lather > rinse > repeat

I am following the instructions on the Avira site, and creating a Windows Boot CD, and will scan after booting that.

Back soon...

screen317 · May 21, 2011

Okay thank for the update.

Do you have your Windows CD?

ericm301 · May 23, 2011

So, I got the system to boot on it's own by copying all the sys files from hiren's mini xp to my system32/drivers/ folder.

I was able to get my WinXP(Pro) install cd to boot, but some of the drivers were different version numbers, and hiren's matched. Laptop has WinXP, Media Center Edition, which must be based on the Home Edition.

Now it boots but no network, no internet.

The wireless adapter connects to my router, and gets IP/DNS info, but IE still says 'Offline.' Tried everything I can think of to get it back online, it keeps wanting to connect to my old VPN. Won't delete the connection either.

Probably wrecked some settings somewhere...

DSS still hangs.

TDSSKiller runs (AHA!) but finds nothing (snap!).I can download stuff onto the laptop by booting hiren's cd, connecting and downloading, then booting back into the HD.

I ran OTL right before I left for work this morning. I will post its logs this afternoon.

Back then...

ericm301 · May 24, 2011

Here's the log from OTL.exe, in two parts:

OTL logfile created on: 5/23/2011 5:14:36 AM - Run 2

OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 69.51% Memory free

5.36 Gb Paging File | 5.05 Gb Available in Paging File | 94.30% Paging File free

Paging file location(s): C:\pagefile.sys 4096 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.44 Gb Total Space | 29.62 Gb Free Space | 39.79% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/22 22:11:15 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

PRC - [2011/05/03 10:53:45 | 000,140,952 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.53\GoogleCrashHandler.exe

PRC - [2009/08/13 03:52:22 | 000,028,456 | R--- | M] (Sage Software, Inc.) -- C:\Program Files\Sage\Peachtree\PeachtreePrefetcher.exe