Win Vista x64 Infection
skydyvyr
2012-01-27, 06:39
Windows Vista has begun running unusably slow and I have been unable to run any Anti-Virus software. I've had MSE installed and when it failed, I disabled it and attempted to install MalwareBytes and HouseCall, however neither will run. I have successfully run rKill, but even after running it, Anti-Virus will not run. I attempted to run DDS (in Windows Safe Mode). It launched and appeared to hang -- no logs for 45+ minutes.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Running programs with Vista or Windows 7, you need to Right Click on the program and select RUN AS ADMINISTRATOR
Please download OTH (http://oldtimer.geekstogo.com/OTH.scr) to your desktop ( if you use Firefox, right click on the OTH link and select Save as )
Double-click the OTH file to run it and click Kill All Processes, your desktop will go blank.
http://oldtimer.geekstogo.com/OTH/OTH_Main_1020.jpg
Then select Start Misc Program. Browse to DDS and then attempt to run another scan.
Click the Internet Explorer button, post these logs in your Virus Removal topic.
skydyvyr
2012-01-30, 08:08
I downloaded OTH.scr from the link you provided, but when I double clicked it, it opened in Notepad. I tried to right-mouse click on it to see if there was an option to run the script from the menu, but there was not. I did notice the text at the top of the Notepad window: This program must be run under Win32. Will this script work on my Windows x64 OS?
Thanks in advance for your help
--Andy
Good Morning Andy,
My apologies, I should have been a bit clearer on the instructions.
Right click on the link and select Save Link As, and save it to your desktop. On the dropdown menu, save it as All Files, then click on Test
See if you can run this program also
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png
skydyvyr
2012-01-30, 18:45
I did download it to the desktop and attempt to run it. After my last post, I renamed the file to OTH.exe, right clicked the file and selected Run as Administrator. The application launched and I clicked "Kill All Processes" as directed. Nothing appeared to happen. Specifically the desktop did not go black. After about a half hour, I tried to take the next step and run dds.exe from the OTH console as directed.
When I clicked the button and got the window to browse for files, it was empty. No matter what directory I pointed it at, no files or subdirectories were visible. I ended up pointing it at the Desktop directory and entering the file name "dds.exe" and clicking the "Open" button. DDS launched, but acted exactly as before.
I am now running aswMBR. It asked to download Avast definitions which I accepted. It is downloading now and I will post the results in my next reply.
--Andy
How are you coming along Andy? Were you able to get aswMBR to run?
skydyvyr
2012-01-31, 02:33
Here are the results -- sorry for the delay, but I had to leave for work.
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 08:41:50
-----------------------------
08:41:50.239 OS Version: Windows x64 6.0.6002 Service Pack 2
08:41:50.240 Number of processors: 4 586 0xF07
08:41:50.240 ComputerName: ANDY-PC UserName: Andy
08:41:53.319 Initialize success
08:45:46.619 AVAST engine defs: 12012600
08:47:28.666 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:47:28.667 Disk 0 Vendor: Intel___ 1.0. Size: 476945MB BusType: 8
08:47:28.671 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-0
08:47:28.674 Disk 1 Vendor: Maxtor_6 BACE Size: 194481MB BusType: 3
08:47:28.692 Disk 0 MBR read successfully
08:47:28.695 Disk 0 MBR scan
08:47:28.702 Disk 0 Windows VISTA default MBR code
08:47:28.724 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476943 MB offset 2048
08:47:28.743 Service scanning
08:47:29.427 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
08:47:30.044 Modules scanning
08:47:30.049 Disk 0 trace - called modules:
08:47:30.065 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
08:47:30.073 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006f37790]
08:47:30.079 3 CLASSPNP.SYS[fffffa6000fc6c33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800615b050]
08:47:31.836 AVAST engine scan C:\Windows
08:47:38.898 AVAST engine scan C:\Windows\system32
08:57:17.301 AVAST engine scan C:\Windows\system32\drivers
08:57:55.205 AVAST engine scan C:\Users\Andy
09:40:37.692 AVAST engine scan C:\ProgramData
10:05:09.317 Scan finished successfully
16:31:32.018 Disk 0 MBR has been saved successfully to "C:\Users\Andy\Desktop\MBR.dat"
16:31:32.024 The log file has been saved successfully to "C:\Users\Andy\Desktop\aswMBR.txt"
skydyvyr
2012-01-31, 02:35
I did notice after the fact that it ran a "QuickScan". Did you want a full scan?
--Andy
That's fine, see if you can run these programs
Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs
Double click on the file to run it
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
skydyvyr
2012-01-31, 02:48
As I was sitting here, MSE popped up a Potential threat details window warning me about Rogue:Win32/Winwebsec. It indicates that it has suspended the file and is suggesting I remove it. What do you want me to do?
--Andy
skydyvyr
2012-01-31, 02:55
Here is the Log from MBRCheck:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows Vista Ultimate Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Intel Corporation
BIOS Manufacturer: Intel Corp.
System Manufacturer:
System Product Name:
Logical Drives Mask: 0x03c0401c
Kernel Drivers (total 161):
Processes (total 97):
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\O: -->
skydyvyr
2012-01-31, 03:13
When I run OTL as directed it begins its scan with the words "Getting Drive Info" in the bottom of the window, then hangs. I can reboot if you like and try again (there were several hung windows open that I forcibly quit including OTH) but a reboot on this machine will take several hours.
--Andy
Andy,
Go ahead and reboot and then make sure there are no running programs and give OTL another shot
skydyvyr
2012-02-01, 03:29
OTL does the same exact thing after reboot (reboots take 6 to 7 hours from shutdown command to login complete btw)
Try this one in lieu of OTL
Download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer to your Desktop.
Close any open browsers.
Double-click on OTS.exe to start the program.
Leave all settings as they appear as default, except for the following:
Under Drivers, select "All".
Under Additional Scans, click on the "Extra" button.
Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, Attach the file ).
skydyvyr
2012-02-01, 17:25
OTS appears to be hung. It seems to be in a similar state to what OTL was in -- with the words "Getting Drive Info" on the bottom of the window.
--Andy
Ok, looks like your computer has some serious issues.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
skydyvyr
2012-02-02, 17:35
I attempted to run ComboFix. It loaded, asked if I wanted to download an updated version (which I did), then opened a blue window and hung for several hours with the words "Attempting to create a new System Restore point" on the screen.
--Andy
skydyvyr
2012-02-02, 17:38
It never asked me anything about installing Recovery Console.
--Andy
Andy, try running it in Safemode
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
skydyvyr
2012-02-04, 09:53
I rebooted into Safe Mode and ran ComboFix. It ran for a while, then rebooted the machine (which takes several hours). The machine has rebooted and I have logged in. ComboFix launched and currently says "Creating Logs. Do not start any applications until ComboFix finishes."
I wanted to reply to keep this thread alive.
--Andy
Good Morning Andy,
Don't worry, I will keep this thread open for you.
Not sure what's going on with it taking so long for your computer to boot up, that's not normal, let's see if Combofix completes and go from there
skydyvyr
2012-02-05, 06:58
It appears that after 12 plus hours of not completing, ComboFix is hung. It did run in safe mode, but once it rebooted the machine and it came back up in standard mode, it claimed to be writing logs, but there are none and the app never seemed to progress.
Next Steps?
I certainly appreciate your assistance on this.
Thanks
--Andy
Good Morning Andy,
Did Combofix leave any sort of log? It will be on your C: drive here: C:\ComboFix.txt
Let's try one more program
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
skydyvyr
2012-02-06, 05:34
ComboFix did create a file on the root of the C Drive, but it is not a log. The file (C:\ComboFix) has the same Icon as "My Computer" and when I click on it, it displays the contents of my computer. When I looked at the properties it shows that the file is 15Mb or so which is strange given that there are 235GB or so of data stored on the C:\ Drive alone.
I do have the Folder permission set to not hide extensions, and this file has no extension. Adding an extension of ".txt" had no effect on the function of the file when double clicked.
I attempted to copy the file to another directory on the machine. The copy showed up as a file folder, and when I opened it, it displayed the contents of the folder which contained it.
It is also strange that when I navigate to the root of C:\ in the CLI and enter a DIR command, there is no listing for a c:\ComboFix.
What should I try next?
--Andy
See if TDSSKiller will run
skydyvyr
2012-02-07, 03:50
Downloaded TDSSKiller from Kaspersky and ran it -- It appears to have hung several hours later. Here is the Log:
06:48:39.0522 9264 TDSS rootkit removing tool 2.7.9.0 Feb 1 2012 09:28:49
06:48:40.0041 9264 ============================================================
06:48:40.0041 9264 Current date / time: 2012/02/06 06:48:40.0041
06:48:40.0041 9264 SystemInfo:
06:48:40.0041 9264
06:48:40.0041 9264 OS Version: 6.0.6002 ServicePack: 2.0
06:48:40.0041 9264 Product type: Workstation
06:48:40.0042 9264 ComputerName: ANDY-PC
06:48:40.0042 9264 UserName: Andy
06:48:40.0042 9264 Windows directory: C:\Windows
06:48:40.0042 9264 System windows directory: C:\Windows
06:48:40.0042 9264 Running under WOW64
06:48:40.0042 9264 Processor architecture: Intel x64
06:48:40.0042 9264 Number of processors: 4
06:48:40.0042 9264 Page size: 0x1000
06:48:40.0042 9264 Boot type: Normal boot
06:48:40.0042 9264 ============================================================
06:50:48.0461 9264 Drive \Device\Harddisk0\DR0 - Size: 0x7471100000 (465.77 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
06:50:48.0670 9264 Drive \Device\Harddisk1\DR1 - Size: 0x2F7B100000 (189.92 Gb), SectorSize: 0x200, Cylinders: 0x60D8, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
06:50:48.0693 9264 \Device\Harddisk0\DR0:
06:50:48.0693 9264 MBR used
06:50:48.0694 9264 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A387800
06:50:48.0694 9264 \Device\Harddisk1\DR1:
06:50:48.0694 9264 MBR used
06:50:48.0694 9264 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x17BD5299
06:50:50.0963 9264 Initialize success
06:50:50.0963 9264 ============================================================
06:50:56.0697 3932 ============================================================
06:50:56.0697 3932 Scan started
06:50:56.0697 3932 Mode: Manual;
06:50:56.0697 3932 ============================================================
Yep, that's not the entire log.
Nothing appears to be running correctly, scans are aborting prior to completion.
Let's check your Master Boot Record, you will need to use Firefox for the downloads as IE is messing with them and downloading them incorrectly. You will also need a USB thumb drive, it doesn't have to be large or expensive, just a small one will do. What this will do is create an offline dump of your Master Boot Record and we can look at it and see if it's infected and causing you all this grief.
xPUD
We will need a USB stick and access to an uninfected machine.
We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:
Insert your USB drive into the uninfected machine.
Click on Start > My Computer > right click your USB drive > choose Format > Quick format.
Next
Download both http://sourceforge.net/projects/unetbootin/files/UNetbootin/Custom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
Make sure you have the formatted USB stick in the uninfected system.
Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
Press Run and then OK.
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded.
Verify the correct drive letter is selected for your USB device then click OK.
It will install a little bootable OS on your USB device
After it has completed do not choose to reboot the clean computer, simply close the installer.
Next
Use the clean computer to download dumpit from the following link: http://noahdfear.net/downloads/dumpit
Once dumpit is downloaded save it to the USB stick.
Next
Take the USB to the infected computer and boot with it.
The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
A Welcome to xPUD screen will appear.
Press File.
Expand mnt.
sda1,2...usually corresponds to your HDD.
sdb1 is likely your USB drive.
Click on the folder that represents your USB drive (sdb1 ?).
Confirm that you see dumpit that you downloaded there.
Double click on dumpit.
Once completed, a file called mbr.zip will be saved to the USB drive.
Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.
If you encounter any difficulties just let me know.
skydyvyr
2012-02-08, 09:16
I followed your instructions exactly, and the computer would not boot. After the BIOS screen it gave me "Boot error". I tried another Thumb Drive and had exactly the same result. I tried downloading the files using Chrome and had exactly the same result.
I then burned the ISO to a cd and left dumpit on the thumb drive and booted from the CD. I was able to run dumpit and mbr.zip is attached.
FWIW, there is a logical drive (RAID array) and a separate physical drive in this machine. It boots from the RAID array which I believe was not mounted. I would have expected it to mount as sdd1 with the separate drive mounting as sdd2, but I believe the separate drive is mounted as sdd1.
--Andy
Good Morning,
What I was looking for was a hidden infected partition in your dump and I don't see one. Why do you use RAID?
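The check the analyst describes above (looking through the dumpit output for a hidden partition) can be automated. The following is an added Python example written for this thread; it is not part of dumpit or of the forum post. It assumes the dump is a raw 512-byte MBR sector and that the total disk size in sectors is known from the disk geometry; the sample MBR and disk size below are constructed. It parses the four primary partition entries and reports layout features a practitioner would want to look at: more than one active entry, non-empty slots with a zero type or size, overlapping entries, and unallocated space large enough to hold a partition that the table does not list.

```python
"""Parse a raw MBR sector and flag layout features that can hide a partition.

Added example for this thread (not part of dumpit or the forum post). It
assumes the dump is a raw 512-byte sector; the sample below is constructed.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List

SECTOR = 512
TABLE_OFFSET = 446        # partition table follows the 446-byte boot code
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
SIGNATURE = b"\x55\xAA"


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the primary partition table."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if type_id == 0 and start == 0 and count == 0:
            continue  # genuinely empty slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, start, count))
    return entries


def analyse(entries: List[PartitionEntry], disk_sectors: int, min_gap: int = 2048) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out.

    min_gap is the largest unallocated run (in sectors) treated as normal
    alignment slack; 2048 sectors is 1 MiB at 512 bytes per sector.
    """
    findings = []
    active = [e for e in entries if e.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} entries carry the active flag (expected exactly 1)")
    next_free = 0
    for e in sorted(entries, key=lambda e: e.lba_start):
        if e.type_id == 0 or e.sectors == 0:
            findings.append(f"entry {e.index}: zero type or size but slot is not empty")
            continue
        if e.lba_end >= disk_sectors:
            findings.append(f"entry {e.index}: ends at LBA {e.lba_end}, past end of disk")
        if e.lba_start < next_free:
            findings.append(f"entry {e.index}: overlaps the previous partition")
        elif e.lba_start - next_free > min_gap:
            findings.append(f"{e.lba_start - next_free} unallocated sectors before entry {e.index}")
        next_free = max(next_free, e.lba_end + 1)
    tail = disk_sectors - next_free
    if tail > min_gap:
        findings.append(f"{tail} unallocated sectors after the last partition (room for a hidden partition)")
    return findings


def build_mbr(layout) -> bytes:
    """Build a constructed MBR from (bootable, type_id, lba_start, sectors) tuples."""
    buf = bytearray(SECTOR)
    for i, (bootable, type_id, start, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0, type_id, start, count)
    buf[510:512] = SIGNATURE
    return bytes(buf)


# Constructed sample: two NTFS (0x07) partitions, the first one active.
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 409600)])
SAMPLE_DISK_SECTORS = 1_000_000  # assumed disk size; leaves 383552 sectors unallocated at the end

if __name__ == "__main__":
    # Usage: python mbr_check.py <raw_mbr_file> <disk_size_in_sectors>
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else SAMPLE_MBR
    size = int(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_DISK_SECTORS
    entries = parse_mbr(data)
    for e in entries:
        print(f"entry {e.index}: type 0x{e.type_id:02X} active={e.bootable} LBA {e.lba_start}-{e.lba_end}")
    for finding in analyse(entries, size) or ["no findings"]:
        print("-", finding)
```

An unallocated tail is not proof of anything (it is also what you get from a slightly undersized last partition), so the script only reports it; the point is to get the numbers out of the dump quickly so the analyst can decide whether the space warrants imaging.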
skydyvyr
2012-02-10, 18:02
I use RAID 5 for a couple of reasons: first for performance and second for reliability.
I am currently booted with the Vista install disk running chkdsk c: /f /r. Depending on the results of that I may also attempt to repair/replace the MBR unless you think that would be a bad idea.
I have also downloaded Kaspersky's Rescue Disk ISO which supposedly supports RAID configs. Once chkdsk is done, and assuming that Kaspersky will load and recognize the RAID, I'll try running dumpit again including the RAID array (C drive) and get the results to you.
--Andy
At this point I would not attempt to replace the MBR. I have some other people looking in, so if you could get me the dump file that would be great.
skydyvyr
2012-02-14, 06:47
So I was able to boot with my Vista disk and run chkdsk /r/f. Several issues were reported and fixed. Kaspersky Rescue Disk loaded but hung attempting to mount the RAID array. I rebooted into Windows and now there is a message in the lower right corner of the screen:
Windows Vista (TM)
Build 6002
This copy of Windows is not genuine
I am quite certain that it is a genuine copy of Windows as I purchased the disk from a reputable reseller (in person) and have been running it for years without ever seeing this message. I assume this to be the result of the infection and am beginning to wonder if I would be better off reformatting and starting over. I have good backups of all data that I can restore (once I have scanned for viruses).
My preference would be to clean the infection, as I am not 100% confident I can restore the entire backup (I have restored a few files here and there to verify that I could, but I've never attempted a restore of this scale with my Win Home Server before). Do you have any more ideas for me or should we throw in the towel?
I do appreciate all the time you've put into trying to help me.
Thanks
--Andy
Andy, go ahead and give TDSSKiller another shot and see if it will run. When we're done I can link you to a Windows forum that can help you with the error message related to Windows.
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
skydyvyr
2012-02-14, 17:28
The machine is currently booted using the Vista install disk (Repair Option). Is there a way to run TDSSKiller from there, or do I need to reboot the machine using the installed OS?
--Andy
See if it will boot normally and run TDSSKiller.
skydyvyr
2012-02-17, 08:13
So, I'm still waiting for the system to boot up. It took nearly 24 hours to get a logon screen and now has taken nearly 24 hours and my desktop is not fully drawn. I'm able to get a cmd prompt by opening up Task Mgr. I can navigate the disks from the cmd prompt, but am unable to unzip TDSSKiller.
I tried unzipping on another machine and transferring the file with a thumb drive, but the thumb drive has not been recognized by the infected machine yet, and is not mounted so I cannot reach it via the cmd prompt.
What next?
--Andy
Let's give this a shot.
Download this to your C:\ drive:
http://noahdfear.net/downloads/beta/up-ntfs-3g
up-ntfs-3g is self-extracting. It must be run from the root of any drive. Upon execution it will unmount any mounted NTFS partitions, update the ntfs-3g driver, then remount the NTFS drives at their original location. It will then try to locate a Sirefef-created junction (currently using the naming convention $NtUninstallKB*****$) in the Windows directory. If found, it will attempt to locate a Windows user account Recycle Bin folder and move the rogue to that location; in Windows, this is the equivalent of deleting the junction. If successful, the junction will no longer be present back in normal mode, not even in the Recycle Bin.
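The junction the post above describes can be checked for without the tool. The following is an added Python example written for this thread; it is not the code of up-ntfs-3g and it only reports, it does not move or delete anything. It assumes the naming convention quoted above ($NtUninstallKB*****$) and that the scan root is the Windows directory; the demo directory tree it builds for its self-test is constructed. The distinguishing feature is the combination of that name with a reparse point: a plain directory with a $NtUninstallKB...$ name is a legitimate hotfix-uninstall folder on older Windows (XP/2003), whereas a junction by that name in the Windows directory is the thing the tool is looking for.

```python
"""Report reparse points in the Windows directory that use the $NtUninstallKB*$ name.

Added example for this thread, not the code of up-ntfs-3g: it only reports
what it finds. The demo tree built by build_demo_tree() is constructed.
"""
import fnmatch
import os
import stat
import tempfile
from typing import List

ROGUE_NAME_PATTERN = "$NtUninstallKB*$"  # naming convention quoted in the post above
FILE_ATTRIBUTE_REPARSE_POINT = 0x400      # value from winnt.h; set on junctions and symlinks


def is_reparse_point(path: str) -> bool:
    """True for junctions and symlinks.

    On Windows the attribute bit is authoritative; elsewhere (used only for
    testing this example) fall back to S_ISLNK on the lstat result.
    """
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)
    return stat.S_ISLNK(st.st_mode)


def find_rogue_junctions(windows_dir: str, pattern: str = ROGUE_NAME_PATTERN) -> List[str]:
    """Names of entries under windows_dir matching the pattern that are reparse points.

    A real directory with this name is a legitimate hotfix-uninstall folder on
    XP/2003; only the name combined with a reparse point is reported.
    """
    hits = []
    with os.scandir(windows_dir) as it:
        for entry in it:
            if fnmatch.fnmatch(entry.name, pattern) and is_reparse_point(entry.path):
                hits.append(entry.name)
    return sorted(hits)


def link_target(path: str) -> str:
    """Where the reparse point points, or '?' if it cannot be read."""
    try:
        return os.readlink(path)
    except OSError:
        return "?"


def build_demo_tree() -> str:
    """Constructed layout for the self-test: one plain hotfix-style folder,
    one link using the rogue name, one link with an unrelated name."""
    root = tempfile.mkdtemp(prefix="winroot-")
    os.mkdir(os.path.join(root, "$NtUninstallKB111111$"))          # plain dir: not reported
    os.symlink(root, os.path.join(root, "$NtUninstallKB222222$"))  # link + rogue name: reported
    os.symlink(root, os.path.join(root, "Temp-link"))              # link, wrong name: not reported
    return root


if __name__ == "__main__":
    # On Windows scan the real Windows directory; elsewhere scan the constructed demo tree.
    target_dir = os.environ.get("SystemRoot") or build_demo_tree()
    for name in find_rogue_junctions(target_dir):
        full = os.path.join(target_dir, name)
        print(f"{full} -> {link_target(full)}")
```

The scan is read-only so it can be run from the elevated command prompt Andy already has; the output gives the analyst the junction name and its target, which is the information needed to decide whether to remove it.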
skydyvyr
2012-02-17, 18:42
Thanks for all your help so far--
Before running up-ntfs-3g I was able to get a copy of TDSSKiller onto my machine. I did this by extracting it, copying the file to a website I manage, then downloading the unzipped version. It ran exactly the same as the previous attempt and left an almost identical log as before (dates and version were changed).
It took a while and some gyrations to get up-ntfs-3g to the root of c:\--
--First due to permissions IE would not save the file to the root of C:\
--IE would only save it as a .txt file
--I used the cmd prompt to rename it to up-ntfs-3g.exe
--I attempted to xcopy it to the root of C:\ with no luck (Permission denied, even though I am logged in as administrator)
--I fought with the system to get a CMD prompt in elevated mode
--I xcopied up-ntfs-3g.exe to the root of C:\
--When I ran it (from the elevated cmd prompt) I got the following error:
Unsupported 16-Bit Application
The program or feature "\??\C:\up-ntfs-3g.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.
FYI, at this point my system is extremely unstable and barely running.
For what it is worth, my C:\ drive is the previously discussed RAID array, but I also have another stand-alone drive in the machine that contains some very old files that typically mounts as the "O:\" drive. While I am able to freely navigate the C:\ drive via the cmd prompt, every time I type "O:\" into the cmd prompt it hangs; it doesn't report that there is no O:\ drive as it would if I typed "Z:\" (there is no Z:\ drive on this machine). Apparently the O:\ drive is only partially mounted.
What do you suggest as a next step?
--Andy
Andy,
I used the cmd prompt to rename it to up-ntfs-3g.exe
Did you rename it back? .exe won't work. Try redownloading it again with Firefox and save it without renaming it to the root of your C:\ drive.
Not sure at this point if your problems are malware or hardware related.
skydyvyr
2012-02-18, 07:29
And got the same message.
I'm thinking it might be time to format and start over. Do you agree?
--Andy
I think that would be a good option. Myself, if you don't need RAID I would stay away from it. I know what it is and what it does but personally have never used it so don't really know what to tell you about it.
Let me know what you decide and I can link you to a good Windows forum that can help you with it if you need it.