Page 1 of 4 1234 LastLast
Results 1 to 10 of 32

Thread: Help please!

  1. #1
    Member
    Join Date
    Jul 2008
    Posts
    36

    Default Help please!

    I followed the instructions post, but my PC will not finish the DDS, no reports are populated. Spybot stops halfway through but I can see 2 entries of Virtumonde and 4 for Fraud.antimalwareDoctor.

    My computer was running fine, but we decided to do some system cleaning. In running the uninstall on a few things we don't use (one being an IE toolbar).. the constant pop ads have begin. Also worth noting, we ran S&Destroy prior to running the uninstalls and it found only one minor problem, removed it with no issue.

    Please let me know how to proceed...

    Thank you!

    Ashley

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Ash at 7:19:16.09 on 27/04/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Motorola Media Link\NServiceEntry.exe
    c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LClock\LClock.exe
    C:\Program Files\Subsonic\subsonic-service.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
    C:\Documents and Settings\Ash\Application Data\C3B7CC607230956CA4AE70E68AFE1D84\tr700lqqcore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ash\Local Settings\Temporary Internet Files\Content.IE5\0S7E3OOC\dds[1].com
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = 192.168.*.*
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [LClock] c:\program files\lclock\LClock.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Srixiku] rundll32.exe "c:\windows\mfig32.dll",Startup
    uRun: [tr700lqqcore.exe] c:\documents and settings\ash\application data\c3b7cc607230956ca4ae70e68afe1d84\tr700lqqcore.exe
    uRun: [AntiVirus AntiSpyware 2011] "c:\documents and settings\ash\application data\antivirus antispyware 2011\AntiVirus AntiSpyware.exe" /STARTUP
    uRun: [AntiVirus AntiSpyware 2011 Security] c:\documents and settings\ash\application data\antivirus antispyware 2011\securitymanager.exe
    uRunOnce: [SpybotDeletingB3939] command.com /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Antimalware Doctor.lnk"
    uRunOnce: [SpybotDeletingD1015] cmd.exe /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Antimalware Doctor.lnk"
    uRunOnce: [SpybotDeletingB9383] command.com /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Uninstall.lnk"
    uRunOnce: [SpybotDeletingD6863] cmd.exe /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Uninstall.lnk"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [Dfemesiyo] rundll32.exe "c:\windows\oyavipej.dll",Startup
    mRunOnce: [SpybotDeletingA1214] command.com /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Antimalware Doctor.lnk"
    mRunOnce: [SpybotDeletingC4549] cmd.exe /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Antimalware Doctor.lnk"
    mRunOnce: [SpybotDeletingA2593] command.com /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Uninstall.lnk"
    mRunOnce: [SpybotDeletingC830] cmd.exe /c del "c:\documents and settings\ash\start menu\programs\antimalware doctor\Uninstall.lnk"
    mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [LClock] c:\program files\lclock\LClock.exe
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: Copy to Semagic - c:\program files\semagic\copy.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Semagic - c:\program files\semagic\link.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://139.142.250.200:2082/activex/AxisCamControl.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\ash\applic~1\mozilla\firefox\profiles\i2rvvuz7.default\
    FF - prefs.js: browser.startup.homepage - google.ca
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\ash\application data\mozilla\firefox\profiles\i2rvvuz7.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
    FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? BTCFilterService;USB Networking Driver Filter Service
    R? gupdate;Google Update Service (gupdate)
    R? gupdatem;Google Update Service (gupdatem)
    R? motccgp;Motorola USB Composite Device Driver
    R? motccgpfl;MotCcgpFlService
    R? MotDev;Motorola Inc. USB Device
    R? Motousbnet;Motorola USB Networking Driver Service
    R? motusbdevice;Motorola USB Dev Driver
    R? SwitchBoard;Adobe SwitchBoard
    R? UsbGps;LGE CDMA USB GPS NMEA Port
    R? vcdrom;Virtual CD-ROM Device Driver
    S? DeviceMonitorService;DeviceMonitorService
    S? MotoHelper;MotoHelper Service
    S? ramdisk;Windows RAM Disk Driver
    .
    =============== Created Last 30 ================
    .
    2011-04-27 05:52:15 -------- d-----w- c:\windows\26-04-2011
    2011-04-27 05:38:24 0 ----a-w- c:\windows\Ctofiwogijanile.bin
    2011-04-27 05:38:22 -------- d-----w- c:\docume~1\ash\locals~1\applic~1\{8AE03E5F-CA8F-4A3D-85E4-863629FE246E}
    2011-04-27 05:37:56 -------- d-----w- c:\docume~1\ash\applic~1\AntiVirus AntiSpyware 2011
    2011-04-27 05:37:00 -------- d-----w- c:\docume~1\ash\applic~1\C3B7CC607230956CA4AE70E68AFE1D84
    2011-04-15 02:56:35 361600 -c----w- c:\windows\system32\dllcache\tcpip.sys
    2011-04-15 02:05:32 -------- d-----w- c:\docume~1\ash\applic~1\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    2011-04-15 02:05:32 -------- d-----w- c:\docume~1\ash\applic~1\Adobe Mini Bridge CS5
    2011-04-14 14:40:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe
    .
    ==================== Find3M ====================
    .
    2011-03-07 05:31:47 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:27:43 1866880 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 13:05:45 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-09 01:03:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HTS541612J9SA00 rev.SBDOC74P -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85A06730]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85a0ca10]; MOV EAX, [0x85a0ca8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86547AB8]
    3 CLASSPNP[0xF761DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006e[0x8657D3B8]
    5 ACPI[0xF7494620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8657BD98]
    \Driver\atapi[0x862F4B10] -> IRP_MJ_CREATE -> 0x85A06730
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x85A0657B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 7:22:24.31 ===============

    thanks in advance
    Last edited by tashi; 2011-04-27 at 18:07. Reason: Merged three posts

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default




    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


    Your infected with a nasty Rootkit

    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Still with us ?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  4. #4
    Member
    Join Date
    Jul 2008
    Posts
    36

    Default

    Hi! Thank you for the help, I will attempt this within the hour and update how it went. Just a note that I was unable to log into the pc yesterday, I will try this in safe mode with networking.

    Tks again!!

    Ash

  5. #5
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    That nasty Rootkit is most likely why you cant boot to normal windows. TDSSkiller may not work , if it fails we will use another method
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  6. #6
    Member
    Join Date
    Jul 2008
    Posts
    36

    Default

    Was unable to log in normally.. But safemode with networking allowed me to download and unzip tdss tool. Installation gets to 80÷ then windows encounters error and needs to abort installation. Rebooted in safe mode no networking, same thing. Is there anything we can do to get it running?

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Run this tool, dont fix anything , I need to see the log first

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  8. #8
    Member
    Join Date
    Jul 2008
    Posts
    36

    Default

    much thanks again, so appreciated. here is the requested log.

    aswMBR version 0.9.5.232 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-01 16:08:45
    -----------------------------
    16:08:45.093 OS Version: Windows 5.1.2600 Service Pack 3
    16:08:45.093 Number of processors: 2 586 0xE08
    16:08:45.093 ComputerName: ASH-LAPTOP UserName: Ash
    16:08:46.109 Initialize success
    16:08:48.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    16:08:48.875 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC74P Size: 114473MB BusType: 3
    16:08:48.875 Device \Driver\atapi -> DriverStartIo 862c757b
    16:08:50.890 Disk 0 MBR read successfully
    16:08:50.890 Disk 0 MBR scan
    16:08:50.906 Disk 0 TDL4@MBR code has been found
    16:08:50.921 Disk 0 Windows XP default MBR code found via API
    16:08:50.937 Disk 0 MBR hidden
    16:08:50.953 Disk 0 MBR [TDL4] **ROOTKIT**
    16:08:50.953 Disk 0 trace - called modules:
    16:08:50.968 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862c7730]<<
    16:08:50.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8635eab8]
    16:08:51.000 3 CLASSPNP.SYS[f766bfd7] -> nt!IofCallDriver -> \Device\0000006e[0x863189e8]
    16:08:51.015 5 ACPI.sys[f75c2620] -> nt!IofCallDriver -> [0x86363940]
    16:08:51.031 \Driver\atapi[0x8635b030] -> IRP_MJ_CREATE -> 0x862c7730
    16:08:51.078 Scan finished successfully
    16:09:23.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ash\Desktop\MBR.dat"
    16:09:23.656 The log file has been saved successfully to "C:\Documents and Settings\Ash\Desktop\aswMBR.txt"

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Re-Run aswMBR

    Click Scan

    On completion of the scan

    Click the Fix for TDL4



    Save the log as before and post in your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  10. #10
    Member
    Join Date
    Jul 2008
    Posts
    36

    Default progress!

    aswMBR version 0.9.5.232 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-01 20:28:38
    -----------------------------
    20:28:38.515 OS Version: Windows 5.1.2600 Service Pack 3
    20:28:38.515 Number of processors: 2 586 0xE08
    20:28:38.515 ComputerName: ASH-LAPTOP UserName: Ash
    20:28:39.375 Initialize success
    20:28:41.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    20:28:41.500 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC74P Size: 114473MB BusType: 3
    20:28:43.531 Disk 0 MBR read successfully
    20:28:43.546 Disk 0 MBR scan
    20:28:43.562 Disk 0 Windows XP default MBR code
    20:28:45.562 Disk 0 scanning sectors +234436545
    20:28:45.609 Disk 0 scanning C:\WINDOWS\system32\drivers
    20:28:51.187 Service scanning
    20:28:54.828 Disk 0 trace - called modules:
    20:28:54.875 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    20:28:54.875 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86310ab8]
    20:28:54.890 3 CLASSPNP.SYS[f766bfd7] -> nt!IofCallDriver -> \Device\0000006e[0x8636f968]
    20:28:54.906 5 ACPI.sys[f75c2620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86317940]
    20:28:54.921 Scan finished successfully
    20:29:07.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ash\Desktop\MBR.dat"
    20:29:07.234 The log file has been saved successfully to "C:\Documents and Settings\Ash\Desktop\aswMBR.txt"

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •