PDA

View Full Version : Infected with unknown virus/malware...DDS not working. :(



JoshProto22
2012-01-29, 04:00
Hello Helpers,

My computer is infected with something. I can't say for sure what it is.

A few weeks ago, my computer was attacked by a trojan virus which basically took control of everything. A fake virus removal tool was popping up and scanning my system automatically. Then, my Dell laptop would not reboot at all. Long story short, I finally learned how to reboot my machine but then everything on my hard drive was hidden. Someone recommended that I download an application called "unhider" which helped return everything back to where it belonged.

I thought all of my problems were over but now I'm having problems with fake news sites popping open in new tabs in my Firefox browser. My computer also begins operating very slowly..almost to a crawl.

I have scanned my system with Spybot, Malwarebytes, and Ad-Aware but they all say that everything is clean.

Lastly, I have tried to run dds to get things started here on the forums but the application stalls and does not run. So, unfortunately, I do not have any dds scan results to post at this time.

I am hopeful that someone here will still be able to help me get back up and running smoothly again. I would greatly appreciate any assistance with my computer woes. Thank you very much! :bigthumb:

ken545
2012-02-03, 18:15
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7 , you need to Right Click on the program and select RUN AS ADMINISTATOR



Run RKill and then give DDS another shot

Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do it's job. This may take a few tries.

You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.






Either way, see if this program will run, post the DDS log if you get it running and also the aswMBR log please


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

JoshProto22
2012-02-08, 09:37
Hi,

I've been away from my computer for a while so I apologize for my late reply. Thank you very much for helping me.

Here is where I am with my progress...

I followed your request to run rkill. It seemed to go through it's process without any problems. However, I still could not run DDS afterward. I tried all of the different rkill versions but didn't have any more luck with DDS. (DDS starts to scan but then freezes and never finishes. I have to do a hard restart at that point.)

Thankfully, I was able to run the aswMBR scan. Here is the log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-08 01:47:11
-----------------------------
01:47:11.828 OS Version: Windows 5.1.2600 Service Pack 3
01:47:11.828 Number of processors: 2 586 0xE08
01:47:11.828 ComputerName: BASESTATION UserName: Russell
01:47:13.453 Initialize success
01:47:20.000 AVAST engine defs: 12020701
01:47:30.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
01:47:30.234 Disk 0 Vendor: TOSHIBA_MK1032GSX AS022D Size: 93958MB BusType: 3
01:47:30.265 Disk 0 MBR read successfully
01:47:30.265 Disk 0 MBR scan
01:47:30.281 Disk 0 unknown MBR code
01:47:30.281 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
01:47:30.296 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 89141 MB offset 96390
01:47:30.328 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4753 MB offset 182675115
01:47:30.343 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 7 MB offset 192410505
01:47:30.359 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
01:47:30.359 Disk 0 scanning sectors +192426554
01:47:30.421 Disk 0 scanning C:\WINDOWS\system32\drivers
01:47:31.593 File: C:\WINDOWS\system32\drivers\APPDRV.SYS **INFECTED** Win32:Alureon-FZ
01:47:36.421 File: C:\WINDOWS\system32\drivers\i8042prt.sys **INFECTED** Win32:Aluroot-B [Rtk]
01:47:47.187 Disk 0 trace - called modules:
01:47:47.203 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a2a0ff0]<<
01:47:47.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a70bab8]
01:47:47.218 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a346490]
01:47:47.218 \Driver\00001464[0x8a2fa9f0] -> IRP_MJ_CREATE -> 0x8a2a0ff0
01:47:47.765 AVAST engine scan C:\WINDOWS
01:47:56.500 AVAST engine scan C:\WINDOWS\system32
01:51:32.375 AVAST engine scan C:\WINDOWS\system32\drivers
01:51:35.140 File: C:\WINDOWS\system32\drivers\APPDRV.SYS **INFECTED** Win32:Alureon-FZ
01:51:44.250 File: C:\WINDOWS\system32\drivers\i8042prt.sys **INFECTED** Win32:Aluroot-B [Rtk]
01:52:07.781 AVAST engine scan C:\Documents and Settings\Russell
02:06:13.078 AVAST engine scan C:\Documents and Settings\All Users
02:13:12.625 Scan finished successfully
02:13:49.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Russell\Desktop\MBR.dat"
02:13:49.953 The log file has been saved successfully to "C:\Documents and Settings\Russell\Desktop\aswMBR log.txt"


A side note... After I posted my initial help request, Malwarebytes found a couple different trojan viruses on my computer. It said it got rid of them but I'm still having Google search redirects and my computer begins working extremely sluggish within an hour or so after being turned on.

Thanks again for your help. I'm open to any further suggestions.

ken545
2012-02-08, 11:16
Good Morning,

It looks like your Master Boot Record may be infected with a hidden partition.

Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs
Double click on the file to run it
A window will open on your desktop
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

JoshProto22
2012-02-08, 20:48
Hi,

Thanks for you help. I ran the MBRCheck scan and it seems to have found something. Here's the log report:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 159):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 Lbd.sys
0xB9EC3000 drvmcdb.sys
0xBA338000 PxHelp20.sys
0xB9EAC000 KSecDD.sys
0xB9E99000 WudfPf.sys
0xB9E0C000 Ntfs.sys
0xB9DDF000 NDIS.sys
0xBA108000 ohci1394.sys
0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9DC5000 Mup.sys
0xBA138000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA178000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9D45000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB970F000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB96FB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB96D3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9531000 \SystemRoot\system32\DRIVERS\NETw3x32.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB950D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB94F9000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA408000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA188000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB94AD000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB9458000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5D4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA420000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA428000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA238000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5D6000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xBA248000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA258000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9435000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA430000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA268000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xBA72C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA278000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9D21000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB941E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA288000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA298000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA438000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB940D000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA440000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA448000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB93DD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5D8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9357000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D05000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA450000 \SystemRoot\system32\DRIVERS\omci.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xBA2D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB1219000 \SystemRoot\system32\drivers\sthda.sys
0xB11F5000 \SystemRoot\system32\drivers\portcls.sys
0xBA308000 \SystemRoot\system32\drivers\drmk.sys
0xB10A1000 \SystemRoot\system32\drivers\monfilt.sys
0xB106F000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB0F72000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB0EC2000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA458000 \SystemRoot\System32\Drivers\Modem.SYS
0xB9908000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB9D5D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5DE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6A9000 \SystemRoot\System32\Drivers\Null.SYS
0xBA480000 \SystemRoot\system32\drivers\ssrtln.sys
0xBA488000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA490000 \SystemRoot\System32\drivers\vga.sys
0xBA5E2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5E4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA4A0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9D51000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0E3F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB0DE6000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB0DBE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB0D98000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB98F8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB0D76000 \SystemRoot\System32\drivers\afd.sys
0xB98E8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB98C8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB0CAB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB0C3B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB98B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB93D5000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xB98A8000 \SystemRoot\System32\Drivers\tosrfusb.sys
0xB0C20000 \SystemRoot\System32\Drivers\tosrfbd.sys
0xB9888000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB9878000 \SystemRoot\system32\DRIVERS\Tosrfhid.sys
0xBA158000 \SystemRoot\System32\Drivers\tosrfbnp.sys
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB0C1C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA168000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA348000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xBA198000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB0B05000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB0C18000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA360000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xB0AED000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5EC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB0C00000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA370000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7CC000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF08E000 \SystemRoot\System32\atikvmag.dll
0xBF0C4000 \SystemRoot\System32\ati3duag.dll
0xBF32B000 \SystemRoot\System32\ativvaxx.dll
0xBF3FE000 \SystemRoot\System32\ATMFD.DLL
0xB0D16000 \SystemRoot\system32\drivers\drvnddm.sys
0xBA6FD000 \SystemRoot\system32\dla\tfsndres.sys
0xAE997000 \SystemRoot\system32\dla\tfsnifs.sys
0xAEA35000 \SystemRoot\system32\dla\tfsnopio.sys
0xBA5F4000 \SystemRoot\system32\dla\tfsnpool.sys
0xBA388000 \SystemRoot\system32\dla\tfsnboio.sys
0xB0D06000 \SystemRoot\system32\dla\tfsncofs.sys
0xBA6FC000 \SystemRoot\system32\dla\tfsndrct.sys
0xAE97E000 \SystemRoot\system32\dla\tfsnudf.sys
0xAE965000 \SystemRoot\system32\dla\tfsnudfa.sys
0xBA390000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAE9C5000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xAE6A1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE360000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE915000 \SystemRoot\system32\drivers\sysaudio.sys
0xAE2EB000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xAE2BB000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xAE295000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xBA620000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xAE18C000 \SystemRoot\System32\Drivers\HTTP.sys
0xAE044000 \SystemRoot\system32\DRIVERS\srv.sys
0xAE375000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAD1C7000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
792 C:\WINDOWS\system32\smss.exe
932 csrss.exe
960 C:\WINDOWS\system32\winlogon.exe
1004 C:\WINDOWS\system32\services.exe
1016 C:\WINDOWS\system32\lsass.exe
1200 C:\WINDOWS\system32\ati2evxx.exe
1216 C:\WINDOWS\system32\svchost.exe
1300 svchost.exe
1332 C:\WINDOWS\system32\svchost.exe
1376 C:\WINDOWS\system32\svchost.exe
1416 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1656 C:\WINDOWS\system32\ati2evxx.exe
1756 C:\WINDOWS\explorer.exe
1904 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1932 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
2000 svchost.exe
344 svchost.exe
648 C:\WINDOWS\system32\spoolsv.exe
712 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
820 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
980 C:\Program Files\Bonjour\mDNSResponder.exe
1240 C:\Program Files\Creative\Shared Files\CTDevSrv.exe
1440 C:\WINDOWS\ehome\ehrecvr.exe
1464 C:\WINDOWS\ehome\ehSched.exe
1712 C:\Program Files\Java\jre6\bin\jqs.exe
1996 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2176 C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
2248 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2344 C:\WINDOWS\system32\svchost.exe
2772 wmiprvse.exe
3304 C:\WINDOWS\system32\dllhost.exe
3560 alg.exe
2844 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2848 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
2632 C:\Program Files\Dell\QuickSet\quickset.exe
2996 C:\Program Files\QuickTime\QTTask.exe
3160 C:\Program Files\iTunes\iTunesHelper.exe
3168 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3272 C:\WINDOWS\system32\ctfmon.exe
3448 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
3192 C:\Program Files\Logitech\SetPoint\SetPoint.exe
3476 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
3496 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
3396 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
1648 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
3996 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
400 C:\Program Files\iPod\bin\iPodService.exe
2380 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
3972 C:\Documents and Settings\Russell\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1032GSX, Rev: AS022D

Size Device Name MBR Status
--------------------------------------------
91 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 86489E3B39BA71CCD7428B67894DE6732DFFF0C8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

ken545
2012-02-08, 20:53
I need to get a offline dump file of your Master Boot Record, this will show me if a hidden infected partition has been installed and if so we can fix it. You may want to print this out and keep it handy.


xPUD

We will need a USB stick and access to an uninfected machine.

We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:

Insert your USB drive ino the uninfected machine.
Click on Start > My Computer > right click your USB drive > choose Format > Quick format.


Next

Download both http://sourceforge.net/projects/unetbootin/files/UNetbootin/Custom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
Make sure you have the formatted USB stick in the uninfected system.
Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
Press Run and then OK.
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded.
Verify the correct drive letter is selected for your USB device then click OK.
It will install a little bootable OS on your USB device
After it has completed do not choose to reboot the clean computer, simply close the installer.


Next

Use the clean computer to download dumpit from the following link: http://noahdfear.net/downloads/dumpit
Once dumpit is downloaded save it to the USB stick.


Next

Take the USB to the infected computer and boot with it.
The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
A Welcome to xPUD screen will appear.
Press File.
Expand mnt.
sda1,2...usually corresponds to your HDD.
sdb1 is likely your USB drive.
Click on the folder that represents your USB drive (sdb1 ?).
Confirm that you see dumpit that you downloaded there.
Double click on dumpit.
Once completed, a file called mbr.zip will be saved to the USB drive.
Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.



If you encounter any diffuculties just let me know.

JoshProto22
2012-02-08, 21:37
Hi,

I have to go to work so I will be back later tonight to continue the troubleshooting.

Just as a quick update, here are all the symptoms my computer is experiencing right now..

The computer is becoming more and more unresponsive and sluggish, almost to the point of becoming unusable. This sluggishness goes away after a restart but returns after about 10 minutes or so.

Fake news sites and ads are popping up in new tabs in my Firefox browser.

Also, experiencing Google search redirects.

Thanks again for your help. I'll be back later tonight.

ken545
2012-02-11, 16:29
Still need help ?

JoshProto22
2012-02-12, 00:22
Hi,

I'm sorry it's taken me so long to get back to you. For one reason or another, I've had problems over the last couple of days finding an uninfected computer to work on the most recent set of procedures you gave me.

I finally was able to use another computer last night. However, I ran into one problem involving the dumpit download. The download link that you posted just opened a .txt file when I clicked on it. I also tried right-clicking and selecting "Save Target As..." to save it to the desktop but doing so just saved the .txt document instead of a .exe file. Is this link no longer valid or did I just do something wrong?

After the link didn't work, I searched and found another dumpit download site. I was a little leery of opening this download since it wasn't from a site you suggested. I did, however, save this dumpit.exe file that I found (but did not open it). Do you think it would be safe to use this file instead? I'll send you a private message of the website where I found the link so you can verify it. I don't want to post it here if it's a malicious site.

Please let me know how I need to proceed.

JoshProto22
2012-02-12, 00:24
OK, I see that you don't receive private messages. I can post the website where I downloaded the dumpit file if you need it. Thanks again for your help.

ken545
2012-02-12, 00:40
You need to use Firefox for the downloads, Internet Explorer corrupts the download

ken545
2012-02-12, 00:51
Also, lets see if this will run and what it will remove

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

JoshProto22
2012-02-12, 03:35
Hi,

I'm sending this reply using my phone because combofix is still running on my computer. It's been running for over two hours now. Should I just let it continue? I'm a patient person I don't mind letting it go as long as necessary.

It gave me a message within the first few minutes that rootkit.noacess! had been found and that this takes longer to remove. So, should I just let it continue doing it's thing? I don't know if this means anything but I don't see the hard drive light flashing as if a process was working. Please advise. Thanks!

JoshProto22
2012-02-12, 04:43
OK, I just came back to my computer to check on the combofix progress and I only saw a black screen. Nothing I tried would wake it so I did a hard restart. Now I'm getting a blue screen of death during startup. I tried to restart in safe mode but the screen just filled with a message concerning a multi-partition. I guess this is referring to the hidden partition you suspected.

Question now is.... What do you suggest I try now? It seems like I've met nothing but brick walls to this point.

I'm still using my phone for these posts, by the way.

ken545
2012-02-12, 12:15
What you have is one heavily infected computer, where not talking about a little annoying virus but this is some heavy duty stuff that just cant be removed with the click of a mouse. If you can go back to post # 3 and look at the aswMBR report.


Try this


Go to Start> Shut off your Computer> Restart
Or if the computer is off press the power button
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good Configuration
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)





If you can continue to find a clean computer and get xPud on your usb drive, we can use it to boot into the infected computer and get me the dump file and we can go from there.

JoshProto22
2012-02-12, 20:44
Hi,

Thanks for continuing to help me. I was afraid the blue screen of death meant we were at a dead end. I'll have access to a clean computer again tomorrow so I'll finish grabbing the xpub contents then. If all goes well, you'll have a new log from me at that point.

ken545
2012-02-14, 11:03
Good Morning,

Do you by chance have your windows CD ?

http://windows.microsoft.com/en-US/windows-vista/Startup-Repair-frequently-asked-questions

JoshProto22
2012-02-14, 18:39
Hi,

Unfortunately, I haven't been able to find my original Windows CD. I keep all of these install cd's pretty well organized but of course the Windows one is the one that's missing.

I do have all of the xpud contents on a flash drive now, though. I'll try booting with it later when I have time. Let me know if you have any other suggestions. Thanks again!

ken545
2012-02-14, 19:42
When you boot up your system do you have an option for the Recovery Console ?

Can you boot with xPud and get me the dump file ?

JoshProto22
2012-02-16, 11:18
Hi,

I've finally been able to get back to the xpud procedure. Long story short, my original USB stick that contained my first xpud contents was left in a rental car a few days ago. I guess that just goes along with the other bad luck I've had so far with this virus.

Anyway, I've since started over with a new USB stick and I've attached the mbr.zip that you requested. Please let me know if this doesn't work or if you need anything else to go along with it.

Thank you very much. :bigthumb:

ken545
2012-02-16, 14:02
Hi,

Are you able to now boot up your system into windows ?

When you boot up your system do you have an option for the Recovery Console ?

Hang on a bit , I am looking at what to do next

ken545
2012-02-17, 01:33
Hi,

Are you able to now boot up your system into windows ?

When you boot up your system do you have an option for the Recovery Console ?

JoshProto22
2012-02-17, 01:50
Hi,

I wasn't able to boot into Windows. The recovery console was available but I got the blue screen when I tried it. I also tried to use the last known good configuration but I got a screen filled with error messages. Most of the error messages involved a hidden partition.

JoshProto22
2012-02-17, 02:09
Correction. I do not get the blue screen with the recovery console. It asks me which Windows installation would I like to log onto.

I do get the blue screen when I try to use the last known good confirmation.

JoshProto22
2012-02-17, 03:17
*last known good configuration

ken545
2012-02-17, 05:26
Your going to have to use another computer to download one more file to your usb drive


Download tdl_fix.sh (http://noahdfear.net/downloads/tdl_fix.sh) and save it to the xPUD flash drive.
Boot into xPUD then click the File tab.
Press File
Expand mnt
Click on the folder under mnt that represents your USB drive (sdb1 ?)
You should see the tdl_fix.sh file in the main window.
Select Tool from the Menu
Choose Open Terminal
Type bash tdl_fix.sh then press Enter.
Read the warning then type y and press Enter to continue.
Type sda then press Enter when prompted.
You will be shown a list of partitions to choose marking active.
Type 2 then press Enter.
If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.
Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.


Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.
This is a backup of the original mbr and will restore it to it's current state.

JoshProto22
2012-02-17, 08:33
I finished this procedure (bash tdl_fix.sh and bash tdl_fix.sh -restore) but still received the blue screen when I tried to reboot into Windows normally.

I don't know if you need this or not, but here's the "Technical Information" that the blue screen gives me:

*** STOP: 0x0000007B (0xBA4CB524, 0xC0000034, 0x00000000, 0x00000000)


Also, here are the results from tdl_fix.txt and tdl_restore.txt that were saved to my USB drive:

tdl_fix.txt:
2012-02-17-01:21:42

The following drives were found
sda
sdb
User has chosen drive sda
backing up mbr to tdl_mbr_sda.bin


Disk /dev/sda: 98.5 GB, 98522403840 bytes
255 heads, 63 sectors/track, 11978 cylinders, total 192426570 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 63 96389 48163+ de Unknown
/dev/sda2 * 96390 182659049 91281330 7 HPFS/NTFS
/dev/sda3 182675115 192410504 4867695 db Unknown
/dev/sda4 192410505 192426553 8024+ 17 Hidden HPFS/NTFS

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has chosen to make partition 2 active

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has accepted changes


tdl_restore.txt:
2012-02-17-01:27:11

The following backups were found
1 tdl_mbr_sda.bin
User selected 1
Restoring device sda mbr with tdl_mbr_sda.bin
tdl_mbr_sda.bin has been written to drive sda

ken545
2012-02-17, 13:23
OK, just hang on , I am going to ask other helpers to take a peak

ken545
2012-02-18, 00:11
Where going to use xPud to see if we can find any System Restore Points.



Download http://noahdfear.net/downloads/rst.sh to the USB drive
Boot the Sick computer with the USB drive again
Press File
Expand mnt
Expand your USB (sdb1)
Confirm that you see rst.sh that you downloaded there
Press Tool at the top
Choose Open Terminal
Type bash rst.sh
Press Enter
After it has finished a report will be located at sdb1 named enum.log
Plug that USB back into the clean computer and open it


Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

ken545
2012-02-18, 03:01
Josh,

You may have chosen the incorrect partition to set active to boot from, open up your USB Drive and delete the dumpit file and follow the procedure to get me a new dumpit file so we can select the correct partition to set active to boot from..

Just hang on with the xPud system restore instructions for now, we can do that later if need be

xPUD

We will need a USB stick and access to an uninfected machine.

We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:

Insert your USB drive ino the uninfected machine.
Click on Start > My Computer > right click your USB drive > choose Format > Quick format.


Next

Download both http://sourceforge.net/projects/unetbootin/files/UNetbootin/Custom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
Make sure you have the formatted USB stick in the uninfected system.
Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
Press Run and then OK.
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded.
Verify the correct drive letter is selected for your USB device then click OK.
It will install a little bootable OS on your USB device
After it has completed do not choose to reboot the clean computer, simply close the installer.


Next

Use the clean computer to download dumpit from the following link: http://noahdfear.net/downloads/dumpit
Once dumpit is downloaded save it to the USB stick.


Next

Take the USB to the infected computer and boot with it.
The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
A Welcome to xPUD screen will appear.
Press File.
Expand mnt.
sda1,2...usually corresponds to your HDD.
sdb1 is likely your USB drive.
Click on the folder that represents your USB drive (sdb1 ?).
Confirm that you see dumpit that you downloaded there.
Double click on dumpit.
Once completed, a file called mbr.zip will be saved to the USB drive.
Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.



If you encounter any diffuculties just let me know.

JoshProto22
2012-02-18, 03:53
Hi,

I just went through procedure again like you asked.

I've attached the new mbr.zip file. Just let me know where I need to go from here. Thanks for your help.

ken545
2012-02-18, 04:18
You want to set Partition 2 as active and not any other one


Download tdl_fix.sh (http://noahdfear.net/downloads/tdl_fix.sh) and save it to the xPUD flash drive.
Boot into xPUD then click the File tab.
Press File
Expand mnt
Click on the folder under mnt that represents your USB drive (sdb1 ?)
You should see the tdl_fix.sh file in the main window.
Select Tool from the Menu
Choose Open Terminal
Type bash tdl_fix.sh then press Enter.
Read the warning then type y and press Enter to continue.
Type sda then press Enter when prompted.
You will be shown a list of partitions to choose marking active.
Type 2 then press Enter.
If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.
Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.


Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.
This is a backup of the original mbr and will restore it to it's current state.

JoshProto22
2012-02-18, 04:43
I followed the directions exactly. I still received a blue screen when I tried to reboot into Windows normally.

Here are the new tdl_fix.txt and tdl_restore.txt reports:

tdl_fix.txt
2012-02-17-21:37:37

The following drives were found
sda
sdb
User has chosen drive sda
backing up mbr to tdl_mbr_sda.bin


Disk /dev/sda: 98.5 GB, 98522403840 bytes
255 heads, 63 sectors/track, 11978 cylinders, total 192426570 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 63 96389 48163+ de Unknown
/dev/sda2 * 96390 182659049 91281330 7 HPFS/NTFS
/dev/sda3 182675115 192410504 4867695 db Unknown
/dev/sda4 192410505 192426553 8024+ 17 Hidden HPFS/NTFS

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has chosen to make partition 2 active

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has accepted changes


tdl_restore.txt
2012-02-17-21:41:34

The following backups were found
1 tdl_mbr_sda.bin
User selected 1
Restoring device sda mbr with tdl_mbr_sda.bin
tdl_mbr_sda.bin has been written to drive sda

ken545
2012-02-18, 13:14
You should have not used the back up to restore, just set Partition 2 as active, beboot a couple of times and see if it takes.

If not than follow the instructions in my previous post to get me the System Restore log using xPud

JoshProto22
2012-02-18, 18:38
I used the backup to restore because the instructions that you copied and pasted for me told me to do that if Windows did not start normally.

I've gone back through the tdl_fix.sh procedure again several times now without using the restore option and I am still getting the same blue screen when trying o boot into windows.

I do notice when I select partition 2 that a message pops up saying the hidden partition becomes inactive.

You asked me to go back to the system restore procedure if the above did not work. I don't have a clean computer to download the file again right now. I had deleted the original rst.sh file from my usb drive because we went away from that course of action a few steps ago.

The xpud instructions said I can connect to the internet with FireFox if I have an Ethernet connection. I do have an Ethernet connection. However, the internet setup screen does not allow me to type my full pass key. It only allows for a certain amount of characters and my password has more than it allows.

I really need my computer back soon. I could at least access and use windows before we tried combo.fix. It has been dead in the water since then.

Is there a way that other helpers could let me know exactly what is going on? I need detailed feedback and explanations on everything that is happening. I have seen that other virus removal forum sites have blue screen specialists that take over once the removal process gets to that point. I would even be willing to use a pay site right now.

Thanks for your help. Let me know what I can do from here.

ken545
2012-02-18, 19:40
Sorry for your frustration, with the severity of infections going around your not alone in your situation. Remember what I said about how serious the infections you have are, at this point a format and fresh reinstall of windows would guarantee that the infection is gone and everything else will run normally, but like you stated you do not have the CD. A good option maybe to look around on eBay or Amazon, with the new Operating Systems out now you may be able to pick up a copy of Windows XP fairly reasonable.

Why dont you post here , all us forums work together and I will give them a heads up that your posting and lets see if they can get you up and running. Be sure to use JoshProto22 so that we can find you.

http://forums.whatthetech.com/index.php?showforum=119


After they get you going post back here and lets take another look.

ken545
2012-02-18, 19:55
Go ahead and post at WTT, but if you can do the System Restore thing using xPud we may be able to get you back up and running

JoshProto22
2012-02-18, 21:48
Thanks for the recommendation. I just posted at wtt. I posted under the virus and malware removal section but now I see that your link had me going to the Windows section. Hopefully this will be ok. Let me know if I should have posted on the windows area instead.

ken545
2012-02-18, 22:04
Yep, I moved your post to the windows forum and sent a PM to one of the helpers that you posted, just hang in and someone will be with you as soon as they can

JoshProto22
2012-02-18, 22:40
Thank you. :bigthumb:

ken545
2012-02-19, 12:03
http://forums.whatthetech.com/index.php?showtopic=122379

Looks like your being helped :bigthumb:

JoshProto22
2012-02-21, 08:27
Yes! Thanks very much for your efforts while I was here. I had to wipe everything clean and start over but I was happy to do so. Now I have my computer back with a fresh start. Thanks again for all your help.

ken545
2012-02-21, 11:15
Your very welcome. Like I said before with the seriousness of the infections you had your better off with the format and reinstall, now you know for sure that you have a nice clean computer.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken