Hi e28ct17m,
Reboot to Windows. Reboot the computer a couple of times then try xPUD. You're doing fine.
Member of UNITE and ASAP
When I input 2 I received the warning message about no bootloader, so I input 3 and it worked. Below are the logs you requested
2012-01-28-14:37:36
The following drives were found
sda
sdg
User has chosen drive sda
tdl_mbr_sda.bin exists
backing up mbr to tdl_mbr_sda.2012-01-28-14:37:56
Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Device     Boot       Start         End      Blocks  Id  System
/dev/sda1              2048    31459327    15728640  27  Unknown
/dev/sda2          31459328    31664127      102400  1a  Unknown
/dev/sda3          31664128  1953521663   960928768   7  HPFS/NTFS
/dev/sda4    *   1953521664  1953525151        1744  17  Hidden HPFS/NTFS
Model: ATA WDC WD10EADS-22M (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start   End     Size    Type     File system  Flags
 1      1049kB  16.1GB  16.1GB  primary  ntfs
 2      16.1GB  16.2GB  105MB   primary  ntfs
 3      16.2GB  1000GB  984GB   primary  ntfs
 4      1000GB  1000GB  1786kB  primary  ntfs         boot, hidden
User has chosen to make partition 2 active
Warning! No bootloader found on partition 2
User rejected making partition 2 active
User has chosen to make partition 3 active
Model: ATA WDC WD10EADS-22M (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start   End     Size    Type     File system  Flags
 1      1049kB  16.1GB  16.1GB  primary  ntfs
 2      16.1GB  16.2GB  105MB   primary  ntfs
 3      16.2GB  1000GB  984GB   primary  ntfs         boot
 4      1000GB  1000GB  1786kB  primary  ntfs         hidden
User has accepted changes
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {36350f4e-934d-11de-b33d-b7495bee80d8}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {36350f50-934d-11de-b33d-b7495bee80d8}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {36350f4e-934d-11de-b33d-b7495bee80d8}
nx OptIn
Windows Boot Loader
-------------------
identifier {36350f50-934d-11de-b33d-b7495bee80d8}
device ramdisk=[C:]\Recovery\36350f50-934d-11de-b33d-b7495bee80d8\Winre.wim,{36350f51-934d-11de-b33d-b7495bee80d8}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[C:]\Recovery\36350f50-934d-11de-b33d-b7495bee80d8\Winre.wim,{36350f51-934d-11de-b33d-b7495bee80d8}
systemroot \windows
nx OptIn
winpe Yes
Resume from Hibernate
---------------------
identifier {36350f4e-934d-11de-b33d-b7495bee80d8}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No
Windows Memory Tester
---------------------
identifier {memdiag}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes
EMS Settings
------------
identifier {emssettings}
bootems Yes
Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200
RAM Defects
-----------
identifier {badmemory}
Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}
Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}
Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200
Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}
Device options
--------------
identifier {36350f51-934d-11de-b33d-b7495bee80d8}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\36350f50-934d-11de-b33d-b7495bee80d8\boot.sdi
Hi e28ct17,
Good job.
Before we finish cleaning this for you a couple of questions. After rebooting did the computer boot normally or did you need to edit the line again?
Are you still getting redirects?
RogueKiller has been updated. Please delete the copy you have and download a new one. The interface is different in the new version. Double click to run it. Once it's open and has done its prescan, click the scan button. After the scan has completed, click the report button and post the log.
You can get a new copy from HERE
Member of UNITE and ASAP
The computer booted normally....I did not have to edit the line. The redirects have stopped. Looks like things are back to normal, thanks to you!!
RogueKiller V7.0.1 [01/28/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Janice [Admin rights]
Mode: Scan -- Date : 01/28/2012 15:25:51
¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] ReminderHelper.exe -- C:\ProgramData\WeCareReminder\ReminderHelper.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] winupd.job : C:\Users\Janice\AppData\Local\Temp:winupd.exe -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 862d43404943f43730948c81ebbefce0
[BSP] 62f35c68ca4bceaeae08b6f8c4f7e488 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16106 Mo
1 - [XXXXXX] UNKNOWN (0x1a) [VISIBLE] Offset (sectors): 31459328 | Size: 104 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 983991 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953521664 | Size: 1 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
Hi e28ct17,
Sorry this is taking so long. Your computer is a bit of an oddity so I wanted to make sure it was the computer and not something new this malware was doing.
Next, right click on OTL.exe and choose Run as Administrator to run it
- Under the Custom Scans/Fixes box at the bottom, paste in the following
- Do Not copy the word CODE
- please note the fix starts with the :
Code:
:Services
:Reg
:Files
c:\users\Janice\AppData\Roaming\Yfhym
c:\users\Janice\AppData\Roaming\Inuro
c:\users\Janice\AppData\Roaming\Adodn
c:\users\Janice\AppData\Roaming\Elday
c:\users\Janice\AppData\Roaming\Urubn
c:\users\Janice\AppData\Roaming\Goaci
c:\users\Janice\AppData\Roaming\Ofgaub
c:\users\Janice\AppData\Roaming\Sie
:Commands
[createrestorepoint]
[purity]
[emptytemp]
Then click the Run Fix button at the top
Please post the OTL fix log.
- Let the program run unhindered
- Please save the resulting log to be posted in your next reply.
One more trip with xPUD
- Boot into xPUD then click the File tab.
- Press File
- Expand mnt
- Click on the folder under mnt that represents your USB drive (sdb1 ?)
- You should see the tdl_fix.sh file in the main window.
- Select Tool from the Menu
- Choose Open Terminal
- Type bash tdl_fix.sh -delete then press Enter.
- ** Make sure to leave a space to either side of tdl_fix.sh in the command.
- You should be notified of a hidden partition found and prompted to delete it.
- Type y then press Enter.
- The script will complete and prompt you to reboot the computer.
- Close the Terminal window and restart back into Windows.
- Post the contents of the tdl_delete.txt file that was created on your flash drive.
The computer should boot normally. If for some reason it doesn't, use the F10 method first. If you still have problems, follow the steps below.
Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.
bash tdl_fix.sh -restore
Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure, then restart when complete.
Computer still behaving?
Thanks
Last edited by oldman960; 2012-01-29 at 06:55.
Member of UNITE and ASAP
Microsoft Security Essentials found the following on my computer (I have not taken any action on them)
DOS/Aluteon.E and Win32/Arcadeweb
I ran OTL and below is my log. I will wait to do xPUD until I hear back from you.
All processes killed
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\users\Janice\AppData\Roaming\Yfhym folder moved successfully.
c:\users\Janice\AppData\Roaming\Inuro folder moved successfully.
c:\users\Janice\AppData\Roaming\Adodn folder moved successfully.
c:\users\Janice\AppData\Roaming\Elday folder moved successfully.
c:\users\Janice\AppData\Roaming\Urubn folder moved successfully.
c:\users\Janice\AppData\Roaming\Goaci folder moved successfully.
c:\users\Janice\AppData\Roaming\Ofgaub folder moved successfully.
c:\users\Janice\AppData\Roaming\Sie folder moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Janice
->Temp folder emptied: 499906 bytes
->Temporary Internet Files folder emptied: 39799349 bytes
->Java cache emptied: 186882690 bytes
->FireFox cache emptied: 172457852 bytes
->Flash cache emptied: 70005 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 193586 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
RecycleBin emptied: 2381032 bytes
Total Files Cleaned = 384.00 mb
OTL by OldTimer - Version 3.2.31.0 log created on 01292012_115543
Files\Folders moved on Reboot...
C:\Users\Janice\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QDMOXURH\27[1].png moved successfully.
C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QDMOXURH\27[2].png moved successfully.
C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0EJLRQW\32[1].png moved successfully.
C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\533CW1BO\26[1].png moved successfully.
C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\533CW1BO\30[1].png moved successfully.
C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03AWZWF0\31[2].png moved successfully.
Registry entries deleted on Reboot...
Hi e28ct17,
Do you know where the detection was? I'm pretty sure it finally detected the rogue partition, which is now inactive.
DOS/Aluteon.E and Win32/Arcadeweb
Go ahead with xPUD.
Member of UNITE and ASAP
No, I don't know where the detection was... I don't think it said. Here is the log you requested
2012-01-30-21:09:16
using tdl_delete_sda.bin
Model: ATA WDC WD10EADS-22M (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start   End     Size    Type     File system  Flags
 1      1049kB  16.1GB  16.1GB  primary  ntfs
 2      16.1GB  16.2GB  105MB   primary  ntfs
 3      16.2GB  1000GB  984GB   primary  ntfs         boot
 4      1000GB  1000GB  1786kB  primary  ntfs         hidden
Hidden partition found on sda
sda4 is hidden
Deleting partition 4 on drive sda
Model: ATA WDC WD10EADS-22M (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start   End     Size    Type     File system  Flags
 1      1049kB  16.1GB  16.1GB  primary  ntfs
 2      16.1GB  16.2GB  105MB   primary  ntfs
 3      16.2GB  1000GB  984GB   primary  ntfs         boot
No hidden partition on sdg
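The tdl_fix logs in this thread show the shape of the partition the script removed: a 1786 kB partition squeezed into the last sectors of the disk, type 0x17 (hidden NTFS), which was also the one originally marked active. As an added example (not part of the thread and not code from tdl_fix.sh or RogueKiller), the Python below parses an fdisk listing like the one posted earlier and flags partitions matching that shape; the size and tail thresholds are assumptions, and the sample input is the log's table re-typed as a constant.

```python
import re

# Constructed sample input: the fdisk listing from the tdl_fix log above, re-typed here.
SAMPLE_FDISK = """\
Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/sda1 2048 31459327 15728640 27 Unknown
/dev/sda2 31459328 31664127 102400 1a Unknown
/dev/sda3 31664128 1953521663 960928768 7 HPFS/NTFS
/dev/sda4 * 1953521664 1953525151 1744 17 Hidden HPFS/NTFS
"""

# One fdisk partition row: device, optional '*' boot flag, start, end, blocks(+), hex id, name.
PART_RE = re.compile(r"^(/dev/\S+)\s+(\*)?\s*(\d+)\s+(\d+)\s+(\d+)\+?\s+([0-9a-fA-F]+)\s+(.*)$")
TOTAL_RE = re.compile(r"total (\d+) sectors")
SECTOR = 512
# MBR type ids fdisk labels as hidden FAT/NTFS; 0x17 is what the log shows for sda4.
HIDDEN_IDS = {0x11, 0x14, 0x16, 0x17, 0x1b, 0x1c, 0x1e}


def parse_fdisk(text):
    """Return (total_sectors, rows); each row is a dict with dev, boot, start, end, type_id, sectors."""
    total, rows = None, []
    for line in text.splitlines():
        m = TOTAL_RE.search(line)
        if m:
            total = int(m.group(1))
        m = PART_RE.match(line)
        if m:
            start, end = int(m.group(3)), int(m.group(4))
            rows.append({"dev": m.group(1), "boot": m.group(2) == "*", "start": start,
                         "end": end, "type_id": int(m.group(6), 16), "sectors": end - start + 1})
    return total, rows


def suspicious_partitions(text, max_mb=8, tail_mb=1):
    """Flag tiny partitions inside the last MB of the disk that are hidden-typed or marked active.
    The thresholds are assumptions, chosen so that the 16 GB partition 1 and the 100 MB
    partition 2 in the log (ids 0x27 and 0x1a) are not flagged; only the 1.7 MB tail one is."""
    total, rows = parse_fdisk(text)
    hits = []
    for p in rows:
        small = p["sectors"] * SECTOR <= max_mb * 1024 * 1024
        at_tail = total is not None and (total - p["end"]) * SECTOR <= tail_mb * 1024 * 1024
        if small and at_tail and (p["type_id"] in HIDDEN_IDS or p["boot"]):
            hits.append(p["dev"])
    return hits
```

Run against the sample it reports only /dev/sda4; the same listing without that row reports nothing, matching the post-deletion table above.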
Hi e28ct17,
That should have taken care of the MSE detections. Any problems?
Member of UNITE and ASAP
Yes, my browser home page keeps resetting to mywebsearch.com. Everything else seems to work ok.