google redirect

When you set Partition 2 as active, were there any error messages, and did the computer attempt to go into a repair/restore mode?

I need you to take a screenshot of the partition; don't feel bad, we have some other users with the same problem.


Click Start > Control Panel > Administrative Tools > Computer Management
  • When Computer Management opens double click on disk management
  • make sure the pane is expanded wide enough to show all partitions
  • Take a screenshot by pressing the alt and print screen keys at the same time
  • open an editor such as Paint
  • right click in the white panel and click paste
  • save the image as a .jpg or .png
  • attach it to your next reply
 
Ken,

Yes it did try to repair. I said no to going back to a previous restore point, then rebooted and ran the xpud program using the -restore feature.

I am having to bounce back and forth as I still can't get to the internet through the infected computer.

I did do the screen print (attached) and put it on a flash drive. Do I need to worry about bringing the virus to this machine from the infected one through the use of the flash drive?
 
Looks like there is no hidden partition, but malware has adjusted your boot options. I hope you can follow this; you're doing real well so far.


Go back in with xPUD and set partition 2 as active. When you reboot, press F10 to bring up the 'Edit Boot Options' screen. If you press it too early you might get the BIOS screen instead.

If it says /minint or int/min after /NOEXECUTE=OPTIN,

hit the Backspace key until that entry reads:

/NOEXECUTE=OPTIN



If you can get windows to load:
  • click start
  • type cmd into the search box
  • right click on cmd that appears at the top and click Run as administrator
  • type bcdedit /enum all >%userprofile%\desktop\log.log

    (there is a space after bcdedit, one after enum and one after all)
  • hit enter
When it's finished a notepad named log.log will be on the desktop.

Post the log, if you shut the computer down you will most likely need to edit the boot option again.




http://www.techsupportforum.com/forums/f100/search-results-being-redirected-622128-2.html
Similar problem here; it includes a screenshot of Edit Boot Options so you can get an idea of what we're doing. The screenshot is in post 25, but remember we are setting Partition 2 as active, not 1.
 
Things seem to be looking UP. I was able to run TDL_fix.sh to switch to partition 2, then run the /noexecute=optin command on reboot

I am also now able to open and post from Firefox on the infected computer!

Here is the log file


Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume2
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {ff197ea8-84ae-11e0-b7dc-001aa075c955}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {ff197eaa-84ae-11e0-b7dc-001aa075c955}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {ff197ea8-84ae-11e0-b7dc-001aa075c955}
nx OptIn

Windows Boot Loader
-------------------
identifier {ff197eaa-84ae-11e0-b7dc-001aa075c955}
device ramdisk=[\Device\HarddiskVolume2]\Recovery\WindowsRE\Winre.wim,{ff197eab-84ae-11e0-b7dc-001aa075c955}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[\Device\HarddiskVolume2]\Recovery\WindowsRE\Winre.wim,{ff197eab-84ae-11e0-b7dc-001aa075c955}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {ff197ea8-84ae-11e0-b7dc-001aa075c955}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=\Device\HarddiskVolume2
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
custom:26000022 Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {ff197eab-84ae-11e0-b7dc-001aa075c955}
description Ramdisk Options
ramdisksdidevice partition=\Device\HarddiskVolume2
ramdisksdipath \Recovery\WindowsRE\boot.sdi
 
Darn, you're good :bigthumb:

This is the malware

EMS Settings
------------
identifier {emssettings}
custom:26000022 Yes


I want someone else to look at it as it's a very delicate removal. Be right back
 
What we're going to do is remove the malware entry and then reset the value back to default. It's important that this is run from an Elevated Command Prompt, not just the command prompt.

This is the way to do it.

1. Click the Start button .
2. In the Search box, type command prompt.
3. In the list of results, right-click Command Prompt, and then click Run as administrator.

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Then enter these one at a time (you may be able to copy and paste); after you do the first one, press Enter to execute.

bcdedit /deletevalue {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9} custom:26000022

Then go to the Elevated Command Prompt again and insert this second one

bcdedit /set {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9} bootems Yes



Exit the command prompt, reboot and let me know how things are running
 
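The two posts above identify the malware by eye: a `custom:26000022` element sitting in `{emssettings}`, which every other object reaches through `{globalsettings}`. As an added example (not code from the thread), this script parses a `bcdedit /enum all` dump and mechanises that review: bcdedit prints element types it knows by name (bootems, nx, path ...), so anything shown as `custom:XXXXXXXX` has no name in that bcdedit build and is worth a look, as is any loader whose `path` is not a stock Windows loader. The sample dump is constructed, abridged to the shape of the one posted.

```python
"""Audit a `bcdedit /enum all` dump for boot entries that deserve review."""
import re
from typing import Dict, List

# Constructed sample, abridged to the shape of the dump posted in the thread.
SAMPLE_DUMP = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume2
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
inherit                 {bootloadersettings}
nx                      OptIn

EMS Settings
------------
identifier              {emssettings}
custom:26000022         Yes

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
"""

# Loader binaries Windows itself installs; any other `path` gets flagged.
STOCK_LOADERS = ("winload.exe", "winload.efi", "winresume.exe",
                 "winresume.efi", "memtest.exe", "memtest.efi")

BcdObject = Dict[str, List[str]]


def parse_bcd(text: str) -> List[BcdObject]:
    """Split the dump into objects; each element maps to a list of values."""
    lines = text.splitlines()
    objects: List[BcdObject] = []
    current: BcdObject = {}
    last_key = ""
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or re.fullmatch(r"-+", line):
            continue
        # An object title is the line sitting directly above a dashed underline.
        if i + 1 < len(lines) and re.fullmatch(r"-+", lines[i + 1].strip()):
            current = {"title": [line]}
            objects.append(current)
            continue
        if not current:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if line.startswith("{") or len(parts) == 1:
            # Indented continuation of a multi-valued element such as `inherit`.
            current.setdefault(last_key, []).append(line)
            continue
        last_key = parts[0]
        current.setdefault(last_key, []).append(parts[1])
    return objects


def inherited_by(objects: List[BcdObject], ident: str) -> List[str]:
    """Identifiers of objects that name `ident` in their `inherit` list."""
    return [o["identifier"][0] for o in objects if ident in o.get("inherit", [])]


def audit_bcd(objects: List[BcdObject]) -> List[str]:
    """Return one human-readable finding per suspicious element."""
    findings = []
    for obj in objects:
        ident = obj.get("identifier", ["<no identifier>"])[0]
        for key, values in obj.items():
            if key.startswith("custom:"):
                heirs = ", ".join(inherited_by(objects, ident)) or "no other object"
                findings.append(f"{ident}: unnamed element {key} = {values[0]}; "
                                f"inherited by {heirs}")
        for path in obj.get("path", []):
            if not path.lower().endswith(STOCK_LOADERS):
                findings.append(f"{ident}: non-stock loader path {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_bcd(parse_bcd(SAMPLE_DUMP)):
        print(finding)
```

Run it against a real dump by reading the `log.log` file the thread produces instead of `SAMPLE_DUMP`; the inheritance note tells you which objects the flagged element reaches.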
That's wonderful, Scott. I had a few people behind the scenes lend a hand.

Go ahead and run the instructions again for the screenshot of Disk Management
 
Ken, here is the latest DDS


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Holly at 20:25:05 on 2012-01-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4056.2668 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Holly\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe -update activex
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\Holly\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Holly\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.5.1
TCP: Interfaces\{302245DC-2E29-41B5-9422-3D20B34F161D} : DhcpNameServer = 192.168.5.1
TCP: Interfaces\{302245DC-2E29-41B5-9422-3D20B34F161D}\D4F445F425F4C414D23344236354 : DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO-X64: Ad-Aware Security Toolbar - No File
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Holly\AppData\Roaming\Mozilla\Firefox\Profiles\7b5zwuw5.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?_bc=1
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2011-5-22 89600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-5-29 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-5-29 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-11-3 2152152]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-5-29 1153368]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2012-1-2 17152]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-27 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-27 136176]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-01-22 19:37:04 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{10B18553-1B04-461B-90CC-E2370AB6A41E}\mpengine.dll
2012-01-17 03:31:56 -------- d-----w- C:\Users\Holly\AppData\Roaming\SUPERAntiSpyware.com
2012-01-17 03:31:30 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-01-17 03:31:30 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-01-17 01:45:50 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-17 00:33:06 -------- d-----w- C:\ComboFix
2012-01-15 22:45:13 35712 ----a-w- C:\Windows\SysWow64\drivers\BlackBox.sys
2012-01-15 03:00:23 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-15 03:00:23 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-15 03:00:23 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2012-01-15 03:00:23 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2012-01-14 03:28:54 -------- d-----w- C:\Program Files (x86)\ESET
2012-01-13 01:02:40 -------- d-----w- C:\_OTL
2012-01-11 23:38:45 98816 ----a-w- C:\Windows\sed.exe
2012-01-11 23:38:45 518144 ----a-w- C:\Windows\SWREG.exe
2012-01-11 23:38:45 256000 ----a-w- C:\Windows\PEV.exe
2012-01-11 23:38:45 208896 ----a-w- C:\Windows\MBR.exe
2012-01-11 23:36:26 1572864 ----a-w- C:\Windows\System32\quartz.dll
2012-01-11 23:36:26 1328128 ----a-w- C:\Windows\SysWow64\quartz.dll
2012-01-11 23:36:25 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-01-11 23:36:25 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-01-11 23:36:23 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-01-11 23:36:23 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-01-11 23:36:21 77312 ----a-w- C:\Windows\System32\packager.dll
2012-01-11 23:36:21 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-01-07 00:26:59 -------- d-----w- C:\Users\Holly\AppData\Local\Diagnostics
2012-01-05 01:46:36 -------- d-----w- C:\ProgramData\PC Tools
2012-01-02 21:12:53 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2012-01-02 21:05:57 -------- d-----w- C:\Users\Holly\AppData\Local\adaware
2012-01-02 21:05:55 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection
2012-01-02 21:05:51 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner
2012-01-02 21:05:48 -------- d-----w- C:\Program Files (x86)\adawaretb
2012-01-02 21:05:40 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2012-01-02 21:05:32 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-12-31 01:34:13 684297 ----a-w- C:\unhide.exe
2011-12-31 01:28:32 -------- d-----w- C:\Users\Holly\AppData\Roaming\Malwarebytes
2011-12-31 01:28:16 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-31 01:28:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-30 23:09:04 363520 ----a-w- C:\scott kill.com
2011-12-30 23:08:41 363520 ----a-w- C:\rkill.com
2011-12-27 02:58:00 -------- d-----r- C:\Users\Holly\Dropbox
2011-12-27 02:56:34 -------- d-----w- C:\Users\Holly\AppData\Roaming\Dropbox
.
==================== Find3M ====================
.
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-16 23:07:13 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-15 19:29:56 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
============= FINISH: 20:25:56.08 ===============
 
Ok, we must have crossed posts as I changed my instructions, but looking over the DDS it is fine. Go ahead and post another screenshot from Disk Management.
 
One more fix to go. We need to use xPUD again, and this time it will search for the hidden partition and delete it.


  • Boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh -delete then press Enter.
  • ** Make sure to leave a space to either side of tdl_fix.sh in the command.
  • You should be notified of a hidden partition found and prompted to delete it.
  • Type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_delete.txt file that was created on your flash drive.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.
 
Here is the delete.txt results

2012-01-22-22:22:21

using tdl_delete_sda.bin

Model: ATA TOSHIBA MK3265GS (scsi)
Disk /dev/sda: 320GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 140MB 140MB primary fat16
2 141MB 11.6GB 11.5GB primary ntfs boot
3 11.6GB 320GB 308GB primary ntfs
4 320GB 320GB 1393kB primary ntfs hidden

Hidden partition found on sda
sda4 is hidden
Deleting partition 4 on drive sda

Model: ATA TOSHIBA MK3265GS (scsi)
Disk /dev/sda: 320GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 140MB 140MB primary fat16
2 141MB 11.6GB 11.5GB primary ntfs boot
3 11.6GB 320GB 308GB primary ntfs

No hidden partition on sdc
 
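The tdl_delete.txt report above is a parted-style partition table followed by the script's verdict. As an added example (not the tdl_fix.sh script itself), this parser reads such a table and applies the two checks a reviewer would make on it: a `hidden` flag, and a very small partition parked at the very end of the disk, which is exactly the layout sda4 shows (1393kB ending at 320GB). The report text is constructed to match the one posted.

```python
"""Flag hidden or end-of-disk stub partitions in parted-style output."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout of the thread's tdl_delete.txt.
SAMPLE_REPORT = """\
Model: ATA TOSHIBA MK3265GS (scsi)
Disk /dev/sda: 320GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      32.3kB  140MB   140MB   primary  fat16
 2      141MB   11.6GB  11.5GB  primary  ntfs         boot
 3      11.6GB  320GB   308GB   primary  ntfs
 4      320GB   320GB   1393kB  primary  ntfs         hidden
"""

# parted prints SI units, so kB is 1000 bytes, not 1024.
UNITS = {"B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}
# File-system names we recognise; the column is blank for unformatted space.
KNOWN_FS = {"fat16", "fat32", "ntfs", "ext2", "ext3", "ext4", "hfs+", "linux-swap(v1)"}


def to_bytes(token: str) -> int:
    """Convert a parted size token such as '1393kB' to whole bytes."""
    m = re.fullmatch(r"([\d.]+)(B|kB|MB|GB|TB)", token)
    if not m:
        raise ValueError(f"bad size token: {token}")
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))


@dataclass
class Partition:
    number: int
    start: int
    end: int
    size: int
    ptype: str
    fs: str
    flags: List[str]


def parse_report(text: str) -> Tuple[int, List[Partition]]:
    """Return (disk size in bytes, partitions listed in the table)."""
    disk_size, parts, in_table = 0, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Disk /dev/"):
            disk_size = to_bytes(line.split(":", 1)[1].strip())
        elif line.startswith("Number"):
            in_table = True               # header row; data rows follow
        elif in_table and line:
            f = line.split()
            rest = f[5:]
            # The File system column is optional, so only consume it if known.
            fs = rest.pop(0) if rest and rest[0] in KNOWN_FS else ""
            flags = [t.strip(",") for t in rest]
            parts.append(Partition(int(f[0]), to_bytes(f[1]), to_bytes(f[2]),
                                   to_bytes(f[3]), f[4], fs, flags))
        elif in_table and not line:
            in_table = False              # blank line ends the table
    return disk_size, parts


def audit_partitions(disk_size: int, parts: List[Partition],
                     small: int = 16 * 10**6) -> List[str]:
    """One finding per hidden flag and per tiny partition at the disk's end."""
    findings = []
    for p in parts:
        if "hidden" in p.flags:
            findings.append(f"partition {p.number}: hidden flag set")
        # A stub of a few MB whose end coincides with the disk's end.
        if p.size <= small and disk_size - p.end <= small:
            findings.append(f"partition {p.number}: tiny ({p.size} bytes) "
                            f"and parked at the end of the disk")
    return findings


if __name__ == "__main__":
    for finding in audit_partitions(*parse_report(SAMPLE_REPORT)):
        print(finding)
```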
All looks well, booting up alright, no problems ?


Scott, can you do me a favor and post another screenshot of Disk Management? I just want to compare it to the old one so I know what to look for in future threads.

You need to update your Java. Go into the Control Panel and open Java, go to the Update tab and have it check for updates, then download and install the latest update, which is Version 6 Update 29. Once it installs, you can go back into Programs and Features in the Control Panel and uninstall any previous versions.
 
Ken, attached is the screen shot. I've been getting messages to update Java, but haven't while you were doing your thing. I will now.

Do we need to delete any of the programs we downloaded during the fix?
 
Yep, that hidden infected partition is gone :bigthumb: Glad things are back to normal and we could help you



  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


    [attached image: CF-Uninstall.png]




Open OTL and click on Clean Up, and it will remove the programs we used to clean your system along with their backups; any programs that were not removed you can just drag to the trash.


Malwarebytes is the free version, is yours to keep, and will not be removed.




Safe Surfn
Ken
 
Ken, I can't thank you enough! I really appreciate all the help. I've supported with a donation and will continue to use Spybot.

Thanks for what you do!

-Scott
 