click.giftload headache



barrin01
2011-03-31, 06:21
So it looks like I've joined the click.giftload party. Any help would be greatly appreciated.

My DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by BiGPhAttY at 23:12:17.11 on Wed 03/30/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2010.749 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\OPTENET\bin\optproxy.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\OPTENET\bin\OptGui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\mcbuilder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - __BHODemonDisabled
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [OPTENET_GUI] c:\progra~1\optenet\bin\OPTGui.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\users\bigpha~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\users\bigpha~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\optenet\bin\lsp.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {B3AF316E-31B5-4C16-BC1A-28C9F740DF7B} = 208.67.220.220,208.67.222.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\bigpha~1\appdata\roaming\mozilla\firefox\profiles\9ja60ou0.default\
FF - prefs.js: browser.startup.homepage - hxxp://listen.grooveshark.com/
FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-12-21 95384]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2009-12-4 11264]
.
=============== Created Last 30 ================
.
2011-03-09 06:19:30 -------- d-----w- c:\program files\iPod(118)
2011-03-09 06:19:22 -------- d-----w- c:\program files\iTunes(119)
2011-03-09 06:13:45 -------- d-----w- c:\users\bigphatty\{0b7bd331-80ba-4e8d-a97a-c99d7af2f059}
2011-03-09 06:12:41 -------- d-----w- c:\program files\Bonjour(3)
2011-03-09 06:12:41 -------- d-----w- c:\program files\Bonjour
2011-03-04 01:09:36 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-03-02 21:43:22 98816 ----a-w- c:\windows\system32\mfps.dll
2011-03-02 21:42:08 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-03-02 21:42:08 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-03-02 21:42:07 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-03-02 21:42:07 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-03-02 21:42:07 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-03-02 21:42:07 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-03-02 21:42:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-03-02 20:15:06 -------- d-----w- c:\users\bigpha~1\appdata\local\ESET
.
==================== Find3M ====================
.
2011-03-02 21:43:22 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: SAMSUNG_ rev.HH10 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86874439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8687a7d0]; MOV EAX, [0x8687a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82263912] -> \Device\Harddisk0\DR0[0x8618F9A0]
3 CLASSPNP[0x883A98B3] -> ntkrnlpa!IofCallDriver[0x82263912] -> [0x848DDC20]
\Driver\iaStor[0x86292CC0] -> IRP_MJ_CREATE -> 0x86874439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#4&27fab17b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 23:16:01.02 ===============

Would this also infect a USB flash drive if I had it hooked up to my computer? If so, is there any way I can clean it too?
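As an added example (not code from the thread, from DDS, or from the forum's helpers), here is a small Python triage pass over the "Pseudo HJT Report" lines of a DDS log like the one above. The sample lines are constructed to mirror entries in that log; the rules flag what a helper reads first: UAC policies forced to 0, hosts-file entries that send a non-local name (here a security forum) to loopback, and BHO entries whose DLL is reported as "No File".

```python
"""Triage checks over the "Pseudo HJT Report" section of a DDS log.

Added example, not part of the forum thread and not DDS code. The sample
lines are constructed to match the shape of the report posted above.
"""
import re

# Constructed sample, shaped like the DDS report in the thread.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
"""

# Values under the system Policies key that weaken UAC when set to 0.
UAC_POLICIES = {
    "EnableLUA": "UAC is disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators are elevated without any prompt",
}

POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^BHO:\s+(.*?)\s+-\s+(.*)$")   # split on the first " - "

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def triage(report: str) -> list:
    """Return (category, item, explanation) tuples for lines worth a second look."""
    findings = []
    for line in report.splitlines():
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name in UAC_POLICIES and value == 0:
                findings.append(("uac", name, UAC_POLICIES[name]))
            continue
        m = HOSTS_RE.match(line)
        if m:
            addr, host = m.groups()
            # A hosts entry that points a real site at loopback silently blocks it;
            # entries for localhost itself are normal and are skipped.
            if addr in LOOPBACK and host not in LOCAL_NAMES:
                findings.append(("hosts", host, f"resolves to {addr}"))
            continue
        m = BHO_RE.match(line)
        if m:
            desc, target = m.groups()
            if target.strip() == "No File":
                findings.append(("bho", desc, "registered but its DLL is missing (orphan entry)"))
    return findings


if __name__ == "__main__":
    for category, item, why in triage(SAMPLE_REPORT):
        print(f"[{category}] {item}: {why}")
```

The regexes only cover the three line types the thread's log makes interesting; the `uStart Page` line passes through untouched, and `EnableUIADesktopToggle` is left alone because it is not one of the two UAC values the rules know about.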

ken545
2011-04-02, 12:46


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean, I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Just reply to this thread only by using SUBMIT REPLY, and do not start any new topics, or we won't be able to keep track of you.


You're infected with a nasty rootkit; this right now is our main concern. Yes, your flash drive could be infected, so don't use it, and we can run a tool a bit later to fix it.



Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the "Scan" button to start the scan


http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif
On completion of the scan, click Save log, save it to your desktop and post it in your next reply

barrin01
2011-04-02, 18:47
MBR results.... Thanks for your help.

barrin01
2011-04-02, 18:48
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 11:42:11
-----------------------------
11:42:11.501 OS Version: Windows 6.0.6002 Service Pack 2
11:42:11.501 Number of processors: 2 586 0x170A
11:42:11.501 ComputerName: BADNASTY UserName:
11:42:13.108 Initialize success
11:42:15.292 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:42:15.292 Disk 0 Vendor: SAMSUNG_ HH10 Size: 152627MB BusType: 3
11:42:15.292 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#4&27fab17b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:42:15.308 Disk 0 MBR read successfully
11:42:15.308 Disk 0 MBR scan
11:42:15.308 Disk 0 TDL4@MBR code has been found
11:42:15.323 Disk 0 MBR hidden
11:42:15.323 Disk 0 MBR [TDL4] **ROOTKIT**
11:42:15.323 Disk 0 trace - called modules:
11:42:15.339 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86978439]<<
11:42:15.339 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862938d8]
11:42:15.354 3 CLASSPNP.SYS[885a98b3] -> nt!IofCallDriver -> [0x86b14f08]
11:42:15.354 \Driver\iaStor[0x86396a98] -> IRP_MJ_CREATE -> 0x86978439
11:42:15.370 Scan finished successfully
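Both the GMER-style ROOTKIT section of the DDS log in the first post ("user != kernel MBR !!!") and the aswMBR scan just posted ("MBR hidden", "[TDL4] **ROOTKIT**") rest on one comparison: the bytes of sector 0 as returned through the ordinary file API versus the bytes obtained lower in the storage stack. The following is an added example, not code from the thread, from GMER's mbr.exe or from aswMBR; it assumes the two sector images have already been captured (here they are constructed inside the block) and shows the classic MBR layout being decoded on both views and the mismatching sectors being reported, which is the condition those log lines describe.

```python
"""Compare a user-mode and a kernel-mode view of the first disk sectors.

Added example, not part of the thread and not the code of any of the tools
it mentions. Both sector images below are constructed; in practice the
"user" image would come from reading the physical drive through the normal
file API and the "kernel" image from a read issued below any disk filter.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector0: bytes) -> dict:
    """Decode the classic MBR: 446 bytes of boot code, four 16-byte partition
    entries at offset 0x1BE, and the 0x55AA signature at offset 0x1FE."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, lba_len = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0:                       # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start": lba_start, "sectors": lba_len})
    return {
        "valid_signature": sector0[0x1FE:0x200] == MBR_SIGNATURE,
        "boot_code": sector0[:0x1BE],
        "partitions": parts,
    }


def diff_sectors(user_view: bytes, kernel_view: bytes, base_lba: int = 0) -> list:
    """Return the LBAs whose bytes differ between the two views.

    base_lba lets the same routine cover a range near the end of the disk,
    which is what the thread's log calls "sectors 312581806 (+255)"."""
    if len(user_view) != len(kernel_view):
        raise ValueError("views must cover the same sector range")
    mismatched = []
    for n in range(0, len(user_view), SECTOR):
        if user_view[n:n + SECTOR] != kernel_view[n:n + SECTOR]:
            mismatched.append(base_lba + n // SECTOR)
    return mismatched


def assess(user_view: bytes, kernel_view: bytes) -> dict:
    """Summarise the comparison the way an MBR checker reports it."""
    user_mbr = parse_mbr(user_view[:SECTOR])
    kern_mbr = parse_mbr(kernel_view[:SECTOR])
    bad = diff_sectors(user_view, kernel_view)
    return {
        "mismatched_sectors": bad,
        "mbr_hidden": 0 in bad,                       # sector 0 differs: "user != kernel MBR"
        "boot_code_differs": user_mbr["boot_code"] != kern_mbr["boot_code"],
        "partition_table_differs": user_mbr["partitions"] != kern_mbr["partitions"],
        "kernel_signature_ok": kern_mbr["valid_signature"],
    }


def _build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one bootable NTFS-type (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 300000)
    table = entry + b"\x00" * 48                 # three unused slots
    return boot_code.ljust(0x1BE, b"\x00")[:0x1BE] + table + MBR_SIGNATURE


# Constructed images: same partition table, different boot code, two sectors each.
USER_VIEW = _build_mbr(b"CONSTRUCTED-CLEAN-BOOTCODE") + b"\x00" * SECTOR
KERNEL_VIEW = _build_mbr(b"CONSTRUCTED-OTHER-BOOTCODE") + b"\x00" * SECTOR


if __name__ == "__main__":
    result = assess(USER_VIEW, KERNEL_VIEW)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Note what the comparison does and does not tell you: an identical partition table with differing boot code is exactly the "MBR hidden" pattern in the aswMBR log, while a legitimate boot manager that has been installed normally shows the same bytes through both paths. The check is a detection signal, not a repair; the thread relies on the tool's own Fix step for that.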

ken545
2011-04-02, 21:13
Hi, let's get rid of it.


Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix Button
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrtdl4.gif



Save the log as before and post in your next reply

barrin01
2011-04-02, 21:30
OK, I ran it again just now and it said it cleaned it. I saved that as .txt. Then it told me to reboot ASAP, which I did, and now as soon as my desktop comes up I get a BSOD in normal mode. I am able to load successfully in safe mode and safe mode with networking, but I'm currently on a separate comp.

ken545
2011-04-03, 01:23
Hi,


First try rebooting your computer a few times and see if it boots normally. If you can't, then boot to safe mode with networking and post the log it produced.

Then try this


Go to Start> Shut off your Computer> Restart
Or if the computer is off press the power button
As the computer starts to boot up, tap the F8 KEY somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

barrin01
2011-04-03, 06:09
So it looks like I can't get on the internet even in safe mode with networking. I then tried F8 and booted Last Known Good, and I got another BSOD right after Windows loaded. I'm trying to figure out how I could get the .txt from the infected comp to this comp without infecting it, but I'm out of ideas... I could probably type it if you wanted me to.

barrin01
2011-04-03, 06:29
My only internet connection is by cellular 3G, so maybe its driver doesn't get loaded in safe mode with networking, I don't know.

barrin01
2011-04-03, 07:36
I was able to take some pictures of the .txt files with my camera. If you'd like me to post them, just let me know.

ken545
2011-04-03, 10:05
Hi,

I am wondering if you clicked the right button during the fix. Are you sure you clicked on the FIX button and not FIXMBR?


If you can use a USB drive to access the infected computer, copy the report and post it please; also the pictures from your camera may work.


Try doing a System Restore, here are the instructions
http://www.bleepingcomputer.com/tutorials/tutorial143.html

ken545
2011-04-04, 09:59
How are you coming along? Did you try System Restore?

barrin01
2011-04-04, 17:40
I'm pretty sure that I just pressed Fix and not FixMBR. I will try to post the pics of the MBR scan ASAP (I'm not at home at the moment). In the meantime I'm trying to do a System Restore, but when I try to pull up the restore points I get a window that says "to perform an offline system restore, you must specify which windows installation you would like to restore". Then it gives me a command prompt example: rstrui.exe/OFFLINE:C:/Windows. But it doesn't tell me where or how to do this. I tried to restore by pressing F8 upon reboot with the Repair My Computer option, but I got a BSOD right after that.

ken545
2011-04-04, 19:45
Look on your desktop: do you have an aswMBR.dat file? If so, can you transfer it by flash drive and then use a working computer to attach it to this thread?

barrin01
2011-04-04, 20:45
OK, the first saved log is from right after I pressed Fix; I saved it before rebooting. The second is from after the first reboot, in safe mode; I did a rescan only with MBR and saved it.

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 11:42:11
-----------------------------
11:42:11.501 OS Version: Windows 6.0.6002 Service Pack 2
11:42:11.501 Number of processors: 2 586 0x170A
11:42:11.501 ComputerName: BADNASTY UserName:
11:42:13.108 Initialize success
11:42:15.292 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:42:15.292 Disk 0 Vendor: SAMSUNG_ HH10 Size: 152627MB BusType: 3
11:42:15.292 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#4&27fab17b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:42:15.308 Disk 0 MBR read successfully
11:42:15.308 Disk 0 MBR scan
11:42:15.308 Disk 0 TDL4@MBR code has been found
11:42:15.323 Disk 0 MBR hidden
11:42:15.323 Disk 0 MBR [TDL4] **ROOTKIT**
11:42:15.323 Disk 0 trace - called modules:
11:42:15.339 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86978439]<<
11:42:15.339 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862938d8]
11:42:15.354 3 CLASSPNP.SYS[885a98b3] -> nt!IofCallDriver -> [0x86b14f08]
11:42:15.354 \Driver\iaStor[0x86396a98] -> IRP_MJ_CREATE -> 0x86978439
11:42:15.370 Scan finished successfully
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 14:14:08
-----------------------------
14:14:08.036 OS Version: Windows 6.0.6002 Service Pack 2
14:14:08.036 Number of processors: 2 586 0x170A
14:14:08.036 ComputerName: BADNASTY UserName:
14:14:09.409 Initialize success
14:14:12.092 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
14:14:12.092 Disk 0 Vendor: SAMSUNG_ HH10 Size: 152627MB BusType: 3
14:14:12.092 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#4&27fab17b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:14:12.123 Disk 0 MBR read successfully
14:14:12.123 Disk 0 MBR scan
14:14:12.123 Disk 0 TDL4@MBR code has been found
14:14:12.139 Disk 0 MBR hidden
14:14:12.139 Disk 0 MBR [TDL4] **ROOTKIT**
14:14:12.139 Disk 0 trace - called modules:
14:14:12.155 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86978439]<<
14:14:12.155 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862938d8]
14:14:12.155 3 CLASSPNP.SYS[885a98b3] -> nt!IofCallDriver -> [0x86b14f08]
14:14:12.170 \Driver\iaStor[0x86396a98] -> IRP_MJ_CREATE -> 0x86978439
14:14:12.170 Scan finished successfully
14:14:13.949 Disk 0 fixing MBR
14:14:23.964 Disk 0 MBR restored successfully
14:14:23.964 Infection fixed successfully - please reboot ASAP


The second:


aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 11:42:11
-----------------------------
11:42:11.501 OS Version: Windows 6.0.6002 Service Pack 2
11:42:11.501 Number of processors: 2 586 0x170A
11:42:11.501 ComputerName: BADNASTY UserName:
11:42:13.108 Initialize success
11:42:15.292 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:42:15.292 Disk 0 Vendor: SAMSUNG_ HH10 Size: 152627MB BusType: 3
11:42:15.292 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#4&27fab17b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:42:15.308 Disk 0 MBR read successfully
11:42:15.308 Disk 0 MBR scan
11:42:15.308 Disk 0 TDL4@MBR code has been found
11:42:15.323 Disk 0 MBR hidden
11:42:15.323 Disk 0 MBR [TDL4] **ROOTKIT**
11:42:15.323 Disk 0 trace - called modules:
11:42:15.339 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86978439]<<
11:42:15.339 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862938d8]
11:42:15.354 3 CLASSPNP.SYS[885a98b3] -> nt!IofCallDriver -> [0x86b14f08]
11:42:15.354 \Driver\iaStor[0x86396a98] -> IRP_MJ_CREATE -> 0x86978439
11:42:15.370 Scan finished successfully
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 14:14:08
-----------------------------
14:14:08.036 OS Version: Windows 6.0.6002 Service Pack 2
14:14:08.036 Number of processors: 2 586 0x170A
14:14:08.036 ComputerName: BADNASTY UserName:
14:14:09.409 Initialize success
14:14:12.092 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
14:14:12.092 Disk 0 Vendor: SAMSUNG_ HH10 Size: 152627MB BusType: 3
14:14:12.092 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#4&27fab17b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:14:12.123 Disk 0 MBR read successfully
14:14:12.123 Disk 0 MBR scan
14:14:12.123 Disk 0 TDL4@MBR code has been found
14:14:12.139 Disk 0 MBR hidden
14:14:12.139 Disk 0 MBR [TDL4] **ROOTKIT**
14:14:12.139 Disk 0 trace - called modules:
14:14:12.155 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86978439]<<
14:14:12.155 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862938d8]
14:14:12.155 3 CLASSPNP.SYS[885a98b3] -> nt!IofCallDriver -> [0x86b14f08]
14:14:12.170 \Driver\iaStor[0x86396a98] -> IRP_MJ_CREATE -> 0x86978439
14:14:12.170 Scan finished successfully
14:14:13.949 Disk 0 fixing MBR
14:14:23.964 Disk 0 MBR restored successfully
14:14:23.964 Infection fixed successfully - please reboot ASAP

barrin01
2011-04-04, 20:55
mbr.dat

barrin01
2011-04-04, 21:01
Sorry, the second set in my previous post is not correct; it is the same as the first. This is the second; it was just a scan after reboot:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 14:34:46
-----------------------------
14:34:46.966 OS Version: Windows 6.0.6002 Service Pack 2
14:34:46.966 Number of processors: 2 586 0x170A
14:34:46.981 ComputerName: BADNASTY UserName:
14:34:47.558 Initialize success
14:34:53.642 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:34:53.658 Disk 0 Vendor: SAMSUNG_ HH10 Size: 152627MB BusType: 3
14:34:53.658 Disk 0 MBR read successfully
14:34:53.674 Disk 0 MBR scan
14:34:53.674 Disk 0 scanning sectors +312579760
14:34:53.705 Disk 0 scanning C:\Windows\system32\drivers
14:34:59.820 Service scanning
14:35:01.910 Disk 0 trace - called modules:
14:35:01.942 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
14:35:01.942 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8586f8a0]
14:35:01.957 3 CLASSPNP.SYS[883aa8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84e42028]
14:35:01.957 Scan finished successfully

ken545
2011-04-04, 22:44
Thanks for the info. I am forwarding your .dat file to people that can analyze it and see if there is something that needs to be restored. I will be back when I hear from them.

In the meantime here is some info for you on how to do a System Restore with Vista
http://www.howtogeek.com/howto/windows-vista/using-windows-vista-system-restore/

barrin01
2011-04-05, 05:10
To keep you posted on my progress: I tried to repair my comp with the original Windows Vista DVD that came with it. I tried to restore startup initially; it said it was successful, and that gave me a BSOD. Then I tried to restore to a previous date with the Vista DVD, and that also gave me a BSOD after it restored to the earlier date. I have not wiped my system clean yet (factory new) in hopes that there may be another option. I'm still able to get into Windows in safe mode, but I still have no networking capabilities.

Thanks for your help.

ken545
2011-04-05, 10:36
Go to Programs and Features in the Control Panel and uninstall ESET NOD32 Antivirus 4.2, reboot and see if it helped.

barrin01
2011-04-07, 03:55
I'm currently trying my best to remove NOD32, but it looks like all its files got corrupted, not letting me uninstall it. So I'm currently trying to uninstall it manually. Sorry it's taking so long.

ken545
2011-04-07, 10:02
Try this uninstaller for ESET
http://kb.eset.com/esetkb/index?page=content&id=SOLN2289

barrin01
2011-04-10, 07:59
OK, thanks for being patient. I was finally able to remove NOD32. I had to reinstall it, then uninstall it. But when I tried to reboot I got a BSOD. I then got on in safe mode and I saw many files that still said ESET or NOD32. I found a website that talked about a NOD32 service called AMON that can cause a BSOD upon startup in some instances. I deleted this file from the drivers directory and then rebooted = BSOD. I then got back on and found the same file and hit Properties... it said I didn't have administrator privileges. Most of the ESET files I tried to delete said this. I only have 1 login on my comp and it is the administrator. The website talking about AMON is http://www.file.net/process/amon.sys.html.

barrin01
2011-04-10, 08:00
The NOD32 uninstall program listed above didn't find any ESET products on my comp.

ken545
2011-04-10, 12:28
Good Morning,

Do you have your Windows Vista CD or the Recovery Disk that came with your computer? What I would like you to do is to post in this forum (we all work together) and have them run you through either doing a System Restore or a Windows repair. You can link them to this thread if you wish so they can see what we have done, and I will find you on that forum and offer any advice I can.

http://forums.whatthetech.com/index.php?showforum=119
Just tell them that after removing a nasty rootkit your system won't boot to normal Windows but will boot to safe mode; they're very good at getting you up and running.

Ken

barrin01
2011-04-10, 23:09
Thanks for your help up to this point, but I can restore my comp back to factory defaults with no problem.

barrin01
2011-04-10, 23:14
I mentioned before that I was worried about my flash drives that I've hooked up to the infected computer. I believe you mentioned earlier that we would be able to do something about that. If you could help me with this, I would appreciate it.

ken545
2011-04-11, 02:17
You can do this:

Please download Flash_Disinfector.exe (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop:


Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.