1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Virus Problem (Black Internet rootkit)

Discussion in 'Malware and Virus Removal Archive' started by Pete, 2010/06/20.

  1. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    It is giving me BSOD whenever i enter recovery console.
    Mentions to check new hardware/sofware/ etc.. chkdisk.

    BSOD is getting more frequent even at normal starts ( sometimes 2 BSODs before normal start ), and computer seems to be running slower, but nothing horrible.

    Running scandisk atm. just in case.
     
  2. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Also...

    1. Click Start, click Run, type chkdsk /f /r, and then click OK.
    2. At the command prompt, type Y to let the disk scanner run when you restart the computer.
    3. Restart the computer.
    4. Chkdsk will run.

    I'm going to bed, so I'll check on you tomorrow morning...
     

  3. to hide this advert.

  4. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Notes :

    Restarting computer is starting to take 3-5 minutes for some reason.

    Managed to complete chk disk scan On 3rd attempt.
    It did keep fixin some stuff everytime
    first try it crashed at 21% stage 3. And 2nd try 29%
    third attempt was successful.

    Then
    Rebooted and -> recovery console

    Same BSOD :

    technical information :

    stop: x0000007B (0xf78d2524, 0xc0000024, 0x00000000, 0x00000000)
    BSOD
     
  5. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Let's see, if we can look at your computer booting from an external source.

    Using good computer, please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your bad computer using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  6. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Ran otl
    do u wish to load remote user profile for scanning ?
    I assumed no ?

    I don't see any option for loading all users.
    Quick scan posting log soon.

    Also I've seen that in the avg thread i've posted earlier someone has found a solution. Please look into that so i don't end up doing a whole lot I might not really need to do.

    I m growing tired of this problem :-(

    i hope I can get it fixed by today. Lol
     
    Last edited: 2010/06/26
  7. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    OTL log :

    OTL logfile created on: 6/26/2010 1:21:21 PM - Run
    OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): D:\pagefile.sys 3072 4096 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 50.00 Gb Total Space | 9.29 Gb Free Space | 18.59% Space Free | Partition Type: NTFS
    Drive D: | 61.78 Gb Total Space | 35.34 Gb Free Space | 57.21% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
    Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO
    Current User Name: SYSTEM
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/03/30 20:02:09 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
    SRV - [2010/02/25 05:59:54 | 001,047,880 | ---- | M] (TuneUp Software) [Auto] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
    SRV - [2010/02/25 05:56:02 | 000,030,024 | ---- | M] (TuneUp Software) [Auto] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
    SRV - [2009/12/03 19:29:00 | 003,377,880 | ---- | M] (INCA Internet Co., Ltd.) [Disabled] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
    SRV - [2009/10/29 11:22:50 | 030,603,640 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
    SRV - [2009/09/26 05:28:22 | 004,639,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
    SRV - [2009/09/25 11:16:00 | 000,655,624 | ---- | M] (Acresso Software Inc.) [Disabled] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/09/06 13:38:06 | 000,071,096 | ---- | M] () [Disabled] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
    SRV - [2009/06/26 15:56:58 | 000,102,400 | ---- | M] (WDC) [Auto] -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe -- (WDBtnMgrSvc.exe)
    SRV - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
    SRV - [2009/03/25 16:11:28 | 001,533,824 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
    SRV - [2007/11/13 12:43:00 | 000,580,608 | ---- | M] (PY Software) [Disabled] -- C:\Program Files\Active WebCam\Watchdog.exe -- (ACTIVEWEBCAMWATCHDOG)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (ProtoWall)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (NSNDIS5)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand] -- -- (EagleNT)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | System] -- -- (Cdaudio)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - [2010/06/18 15:32:50 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/06/18 15:32:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - [2010/06/18 15:32:50 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2009/12/29 13:42:49 | 000,139,016 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
    DRV - [2009/12/03 04:49:10 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
    DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/10/14 07:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
    DRV - [2009/07/26 22:43:18 | 000,058,908 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
    DRV - [2009/06/17 14:21:27 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
    DRV - [2009/06/05 11:42:28 | 000,017,408 | ---- | M] (Apple Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\netaapl.sys -- (Netaapl)
    DRV - [2009/06/04 19:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
    DRV - [2009/05/01 01:02:00 | 008,055,584 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2008/12/18 23:43:48 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
    DRV - [2008/12/18 23:43:40 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
    DRV - [2008/05/12 23:06:44 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
    DRV - [2008/04/14 01:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2007/10/10 20:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\OEM02Dev.sys -- (OEM02Dev)
    DRV - [2007/09/26 09:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
    DRV - [2007/06/07 20:00:02 | 000,141,376 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\OEM02Afx.sys -- (OEM02Afx)
    DRV - [2007/05/23 17:26:34 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
    DRV - [2007/05/10 10:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2007/03/31 16:02:42 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (btkrnl)
    DRV - [2007/03/31 16:02:40 | 000,055,352 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
    DRV - [2007/03/23 13:50:42 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
    DRV - [2007/03/23 13:50:36 | 000,037,280 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
    DRV - [2007/03/23 13:50:24 | 000,149,123 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
    DRV - [2007/03/23 13:50:08 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
    DRV - [2007/03/23 13:49:54 | 000,539,072 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
    DRV - [2007/03/05 13:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
    DRV - [2007/01/30 15:12:06 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2006/11/15 03:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2006/11/14 22:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2006/11/14 20:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2005/09/18 18:02:52 | 000,005,632 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/23 19:11:55 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/23 21:12:35 | 000,000,000 | ---D | M]

    [2010/06/25 20:03:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/06/23 21:12:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/06/23 21:09:48 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2009/08/17 07:42:14 | 000,073,728 | ---- | M] (NHN USA Inc. ) -- C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

    O1 HOSTS File: ([2010/06/24 20:54:53 | 000,000,789 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
    O4 - HKLM..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe (WDC)
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
    O4 - Startup: Error locating startup folders.
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
    O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab (UnoCtrl Class)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266743745718 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1259328307765 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
    O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UIHost - (C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe) - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/05/22 05:18:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/06/25 23:11:22 | 000,000,000 | ---D | C] -- C:\Avenger
    [2010/06/25 14:38:32 | 000,000,000 | ---D | C] -- C:\Rooter$
    [2010/06/25 12:54:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/06/25 12:54:28 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/06/25 12:54:28 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/06/25 12:54:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/06/25 12:54:20 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/06/25 12:54:11 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/06/23 21:23:12 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/06/23 21:13:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/06/23 21:12:35 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
    [2010/06/23 21:12:35 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2010/06/23 21:12:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2010/06/23 21:12:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2010/06/23 21:12:35 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
    [2010/06/20 21:34:28 | 000,164,048 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/06/20 21:34:28 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/06/20 21:34:28 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/06/20 21:34:28 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/06/20 21:34:28 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/06/20 21:34:28 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/06/20 21:34:28 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/06/20 21:34:17 | 000,165,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/06/20 21:34:17 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
    [2010/06/20 21:34:12 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2010/06/20 12:02:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2010/06/20 03:18:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Sun
    [2010/06/20 03:18:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe
    [2010/06/18 18:13:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia
    [2010/06/18 15:37:21 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/06/18 15:37:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/06/18 15:37:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/06/18 12:43:59 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\PrivacIE
    [2010/06/18 12:43:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe
    [2010/05/31 19:49:40 | 000,000,000 | ---D | C] -- C:\Program Files\StreamTorrent 1.0

    ========== Files - Modified Within 30 Days ==========

    [2010/06/26 12:07:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/06/26 11:46:46 | 000,525,448 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/06/26 11:46:46 | 000,444,156 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/06/26 11:46:46 | 000,072,248 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/06/26 11:42:42 | 000,230,258 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
    [2010/06/26 11:42:41 | 000,134,696 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
    [2010/06/26 11:42:03 | 2145,427,456 | -HS- | M] () -- C:\hiberfil.sys
    [2010/06/25 13:06:52 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/06/24 20:54:53 | 000,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/06/23 21:09:43 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2010/06/23 21:09:42 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2010/06/23 21:09:42 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2010/06/23 21:09:42 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
    [2010/06/23 21:09:40 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
    [2010/06/20 21:34:28 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/06/20 12:08:31 | 000,000,250 | ---- | M] () -- C:\WINDOWS\BissHM.ini
    [2010/06/20 12:08:25 | 000,000,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100620-121323.backup
    [2010/06/19 19:58:26 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/06/19 19:58:26 | 000,000,460 | RHS- | M] () -- C:\boot.ini
    [2010/06/18 17:22:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/06/18 17:14:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/06/18 15:34:38 | 002,742,748 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100618-153531.backup
    [2010/06/17 18:29:44 | 000,134,696 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
    [2010/06/16 15:08:51 | 000,078,612 | ---- | M] () -- C:\ReactorException.dmp
    [2010/06/15 19:31:35 | 002,738,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100618-153438.backup
    [2010/06/14 22:09:14 | 002,286,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\TUKernel.exe
    [2010/06/11 00:50:08 | 002,738,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100615-193135.backup

    ========== Files Created - No Company Name ==========

    [2010/06/25 12:54:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/06/25 12:54:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/06/25 12:54:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/06/25 12:54:28 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/06/25 12:54:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/06/19 21:30:42 | 2145,427,456 | -HS- | C] () -- C:\hiberfil.sys
    [2010/03/31 12:52:18 | 000,001,024 | -H-- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    [2009/12/07 08:34:22 | 000,573,440 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    [2009/12/07 02:10:43 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2009/12/07 02:10:43 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2009/12/07 02:10:42 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009/12/07 02:10:42 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009/12/07 02:10:41 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2009/12/07 02:10:41 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
    [2009/10/29 16:59:00 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2009/10/27 12:45:30 | 000,000,250 | ---- | C] () -- C:\WINDOWS\BissHM.ini
    [2009/08/10 12:35:16 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/08/01 01:18:22 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2009/06/25 17:20:28 | 000,139,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
    [2009/05/22 17:40:34 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
    [2009/05/01 03:31:06 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2009/05/01 03:31:06 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2009/05/01 03:31:06 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2009/05/01 03:31:06 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2008/10/07 12:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
    [2008/10/07 12:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
    [2007/05/17 17:52:30 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
    [2007/05/17 17:23:20 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
    [2005/02/17 15:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
    [2005/02/17 15:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
    [2001/11/14 16:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

    ========== LOP Check ==========

    [2009/12/03 04:29:07 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

    ========== Purity Check ==========


    < End of report >
     
  8. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We tried Bootkit Remover already and it didn't work.

    =============================================================

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    PRC - File not found -- C:\System Volume Information\Microsoft\smss.exe
    PRC - File not found -- C:\System Volume Information\Microsoft\services.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\System Volume Information\Microsoft
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into windows.
     
  9. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Tried it.

    Says processing beneath and the program hangs

    processing prc - file not found - smss.exe

    I'm not sure but. Is the code supposed to be folder instead of file ?
     
  10. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run it with little bit different code:

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\System Volume Information\Microsoft
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
    OTL doesn't differ between "files" and "folders ".

    Also, do you have Windows XP CD?
    If you do, see, if you can boot to it and access recovery console that way.
    If you can, run "fixmbr" from there (my reply #75).
    Running "fixmbr" should be crucial here.
    We have another thread here: http://www.windowsbbs.com/malware-virus-removal/93695-active-iexplore-exe-problem.html with a very same infection on Vista and we fixed it by resetting "mbr ".
     
  11. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Ic. Hopefully it works. :)

    Btw, u mean OTL as in OTLPE right ?
    From the boot cd I just burned.

    Because that's the time its gets stuck. Have not ttried the code in normal startup yet
     
  12. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes....
     
  13. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Run fix seemed to run fine.
    Rebooted.

    Rebooted again. Selected recovery console same blue screen.

    And since I don't carry my xp cd everywhere I go. I don't have it Atm.
    Its at my place and I'll be back there in maybe a week or longer.
    I can't wait that long. I've already lost plenty of time and this laptop is set up to organize all my work material. :-(

    I'm going to try and burn a "copy" and see if it works that way.
    Btw how do I get to recovery console with xp cd inserted ?
     
    Last edited: 2010/06/26
  14. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  15. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Thanks for your prompt reply. I'm working on it right
    now
     
  16. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Let's hope, it'll get us somewhere.

    I doubt, OTLPE script fixed your problem, but you can try booting your computer normally and see, if iexplore.exe is still running.
     
  17. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Sorry it took a while. My cd drive always gives
    me problems. Had to rewrite several times
    before one worked.

    Anyways after blue screen setup loading files.
    -> starting windows.

    BSOD :-(
    technical info

    Stop xxxx XXXXXXXX
    pci.sys adress fxxxxxxxx base at fxxxxxxxx datestamp xxxxxx
     
    Last edited: 2010/06/26
  18. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Yes 2 iexplore.exe s are still running
     
  19. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    At this point, since we're not able to access recovery console, which is the only way to reset "mbr" from the outside, I'm running out of options and tools.

    Let's try one more thing....

    Please download Sophos Anti-rootkit & save it to your desktop.

    IMPORTANT!
    • Disconnect from the Internet or physically unplug you Internet cable connection.
    • Clean out your temporary files.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
    • After starting the scan, do not use the computer until the scan has completed.
    • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

    • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
    • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
    • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now ". Click Yes.
    • Make sure the following are checked:
      • Running processes
      • Windows Registry
      • Local Hard Drives

    • Click Start scan.
    • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
    • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results ". Click OK to continue.
    • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
      • Files tagged as Removable: No are not marked for removal and cannot be removed.
      • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
      • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

    • Select only items recommended for removal, then click "Clean up checked items ". You will be asked to confirm, click Yes.
    • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
    • After reboot, a dialog box displays the files you selected for removal and the action taken.
    • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
    • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
    • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
     
  20. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Last edited: 2010/06/26
  21. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Also, do you happen to know why I keep getting BSOD ? :(

    I dont understand, i never had this problem.
    The only thing malfunctioning is my CD drive, that too sometimes.
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.