
ity.im message


Comments

  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    You probably have an MBR infection; it's trickier than usual ones. Can you post the avast log here when it's done.


  • Registered Users Posts: 3 marcelbrown


    FYI, it appears this infection is an MBR rootkit, Rootkit.Boot.SST.b, also possibly known as Trojan.MBR.Alureon!IK. The apparent cure requires booting the machine from an external boot CD or USB drive (or pulling the drive out of the machine and connecting it to another machine) and running TDSSKiller or Hitman Pro (or perhaps another utility that can be run from an external drive). I will detail this on the earlier referenced blog link. Hopefully this information will be helpful to the person working with the OP. Good luck!


  • Posts: 0 [Deleted User]


    ASJ112 wrote: »
    You probably have an MBR infection; it's trickier than usual ones. Can you post the avast log here when it's done.
    Hi, I've scanned in Avast but don't know how to post the log (it's not in notepad form).
    There were 7 infections found.
    They have been moved "to chest"

    The pop up ads are still coming but the ity.im dialogue boxes have stopped so far.

    Running speed is very slow


  • Registered Users Posts: 3 marcelbrown


    I have more information about this infection here: http://solotechpros.com/2013/01/17/pleaes-remove-all-ity-im-ads-from-your-website/

    The simple answer is: from a different PC, download and prepare a boot disc or USB drive of Windows Defender Offline. Boot the infected PC from this disc and have it do a scan. It should find the MBR rootkit.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Can you do this step that I mentioned earlier:

    Download tdsskiller and aswmbr, run them and post the logs.

    http://www.bleepingcomputer.com/download/aswmbr/
    http://www.bleepingcomputer.com/download/tdsskiller/


    Also, if you know how to take a screenshot, do that to show me what avast found.


  • Posts: 0 [Deleted User]


    Here is a screenshot from the Avast scans.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    They don't look too bad. Can you do the scans above?


  • Posts: 0 [Deleted User]


    I've downloaded both.

    I click on them to run but nothing happens.....?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Can you try closing down your anti-virus and any other programs before you run them? If they don't work then, can you try running them in safe mode?


  • Posts: 0 [Deleted User]


    Running in safe mode. Still not doing anything. Should something open up after I click run?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Yeah, they should open up and let you run them.

    Do this instead:

    Download combofix again, run it, and post that log.


    http://www.bleepingcomputer.com/download/combofix/


  • Posts: 0 [Deleted User]


    Have run combofix. Can't find the logs though.


    Scrap that... it's just starting to run now.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Usually logs will be saved in your C:\ drive, called combofix.txt.


  • Posts: 0 [Deleted User]


    combofix log

    ComboFix 13-01-24.01 - Liam 24/01/2013 14:29:09.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.1915.356 [GMT 0:00]
    Running from: c:\users\Liam\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-24 to 2013-01-24 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-24 15:02 . 2013-01-24 15:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-01-22 14:26 . 2013-01-22 14:26 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2013-01-18 13:59 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2013-01-18 13:59 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2013-01-18 13:59 . 2012-10-30 22:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2013-01-18 13:59 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2013-01-18 13:59 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-01-18 13:59 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2013-01-18 13:58 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
    2013-01-18 13:58 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2013-01-18 13:57 . 2013-01-18 13:57 -------- d-----w- c:\programdata\AVAST Software
    2013-01-18 13:57 . 2013-01-18 13:57 -------- d-----w- c:\program files\AVAST Software
    2013-01-18 12:10 . 2012-07-26 02:46 9728 ----a-w- c:\windows\system32\Wdfres.dll
    2013-01-18 12:10 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
    2013-01-18 12:10 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
    2013-01-18 12:10 . 2009-07-14 12:12 16896 ----a-w- c:\windows\system32\winusb.dll
    2013-01-18 12:10 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
    2013-01-18 12:10 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
    2013-01-18 12:10 . 2012-07-26 03:39 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2013-01-18 12:10 . 2012-07-26 03:39 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2013-01-18 12:10 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
    2013-01-18 12:10 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
    2013-01-18 12:10 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
    2013-01-18 12:01 . 2012-12-16 13:12 34304 ----a-w- c:\windows\system32\atmlib.dll
    2013-01-18 12:01 . 2012-12-16 10:50 293376 ----a-w- c:\windows\system32\atmfd.dll
    2013-01-17 16:07 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys
    2013-01-17 16:06 . 2012-08-21 11:47 224640 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2013-01-17 16:06 . 2012-11-02 10:18 376320 ----a-w- c:\windows\system32\dpnet.dll
    2013-01-17 16:06 . 2012-11-02 08:26 23040 ----a-w- c:\windows\system32\dpnsvr.exe
    2013-01-17 16:06 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2013-01-17 16:06 . 2012-11-13 01:29 2048 ----a-w- c:\windows\system32\tzres.dll
    2013-01-17 16:06 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
    2013-01-17 16:06 . 2009-09-10 14:58 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
    2013-01-17 16:06 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2013-01-17 13:36 . 2013-01-17 13:36 512 ----a-w- C:\PhysicalMBR.bin
    2013-01-17 11:56 . 2013-01-17 11:56 -------- d-----w- c:\programdata\WindowsSearch
    2013-01-16 14:54 . 2013-01-16 14:54 -------- d-----w- C:\_OTL
    2013-01-15 13:35 . 2013-01-15 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-01-15 13:35 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-01-15 13:32 . 2013-01-15 13:32 -------- d-----w- c:\program files\CCleaner
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-15 14:26 . 2012-05-01 09:16 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-01-15 14:26 . 2011-06-10 10:36 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-01-15 14:26 . 2012-08-30 13:25 15739912 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
    .
    c:\users\Liam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-11 21:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2008-09-26 13:22 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
    2008-05-28 11:40 20480 ----a-w- c:\program files\Google\Google EULA\GoogleEULALauncher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
    2007-10-31 21:01 54608 ----a-w- c:\program files\TOSHIBA\TBS\HSON.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileBroadband]
    2011-05-23 15:19 274944 ----a-w- c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-02-11 11:39 98304 ----a-w- c:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2008-04-08 13:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
    2007-07-10 08:24 581632 ----a-w- c:\program files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
    2008-01-11 02:07 574864 ----a-w- c:\program files\TOSHIBA\Registration\ToshibaRegistration.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba TEMPO]
    2008-04-24 09:22 103824 ----a-w- c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
    2008-01-17 15:27 431456 ----a-w- c:\program files\TOSHIBA\Power Saver\TPwrMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-01-15 14:49 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-24 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 14:26]
    .
    2013-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-11-09 20:41]
    .
    2013-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-11-09 20:41]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ie/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
    TCP: DhcpNameServer = 10.128.128.128
    .
    .
    File Associations
    .
    JSEFile=NOTEPAD.EXE "%1"
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-ROC_ROC_JULY_P1 - c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-01-24 15:05
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????5`?u??P?#?x?#???#???#??
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'Explorer.exe'(4180)
    c:\windows\system32\igdumdx32.dll
    c:\windows\system32\igdumd32.dll
    .
    Completion time: 2013-01-24 15:21:34
    ComboFix-quarantined-files.txt 2013-01-24 15:21
    ComboFix2.txt 2013-01-17 11:56
    .
    Pre-Run: 30,287,147,008 bytes free
    Post-Run: 30,376,820,736 bytes free
    .
    - - End Of File - - 1B090F7262700D2FE20AAEC28FB045AF


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Don't suppose you have the log from when you ran hitmanpro?


    Download and run roguekiller, post the log from it:

    http://www.bleepingcomputer.com/download/roguekiller/


    This next scan may take a few minutes. Open OTL and click the None button at the top. Copy and paste this in the custom scan/fixes box:


    c:\windows\system32\drivers\volsnap.sys /md5
    c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe /md5
    C:\netsetup.exe /s /md5
    C:\rpm1m.cf1 /s
    C:\*.cf1 /s
    C:\rpm1m.* /s
    C:\ity.* /s
    C:\*.im /s


    Click Run Scan and post the log it gives.


  • Posts: 0 [Deleted User]


    No idea if I have that Hitmanpro log. Where would it be?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Should be around here:

    Logs under Settings, History, where you can view the created log files.

    or

    Results window. Click the Save Log link and save the log to your desktop.


    Go on with the other steps if you can't find it.


  • Posts: 0 [Deleted User]


    RogueKiller V8.4.3 [Jan 24 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Safe mode with network support
    User : Liam [Admin rights]
    Mode : Scan -- Date : 01/25/2013 12:52:39
    | ARK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [WALLP] HKCU\[...]\Desktop : Wallpaper (C:\Users\Liam\Pictures\tropical-beach-wallpaper-1920x1200.jpg) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : Root.MBR ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ÿþ1

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: TOSHIBA MK1652GSX +++++
    --- User ---
    [MBR] 8ce030dea975cced57d221b862768431
    [BSP] 4faac61575f30567c7d8a8a931297d3d : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76154 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159037440 | Size: 74971 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] 37efafaf8d47ce75a1e3056e78a1fa09
    [BSP] 4faac61575f30567c7d8a8a931297d3d : Windows Vista MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76154 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159037440 | Size: 74971 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312579760 | Size: 0 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 37efafaf8d47ce75a1e3056e78a1fa09
    [BSP] 4faac61575f30567c7d8a8a931297d3d : Windows Vista MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76154 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159037440 | Size: 74971 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312579760 | Size: 0 Mo

    Finished : << RKreport[1]_S_01252013_02d1252.txt >>
    RKreport[1]_S_01252013_02d1252.txt
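The "MBR Check" section of the RogueKiller report above is the part that matters for the diagnosis marcelbrown gave earlier: the tool reads sector 0 through the normal Windows path ("User") and again through two lower-level paths ("LL1", "LL2"), and on a clean disk all three reads are byte-identical. Here they are not ("User != LL1 ... KO!"): the low-level reads show a fourth, active, hidden partition (type 0x17, size 0 Mo) at the end of the disk, and the Windows volume has lost its active flag, which is exactly the layout an MBR bootkit leaves behind when it redirects the boot to its own hidden loader and filters that sector out of ordinary reads. The script below is an added example, not part of this thread and not RogueKiller's code, that parses a 512-byte MBR partition table and runs the same comparison on a constructed pair of sectors modelled on the values in the log; the boot code bytes, the sector counts and the `HIDDEN_TYPES` watch-list are assumptions chosen for illustration.

```python
import hashlib
import struct

SECTOR = 512
# Partition type IDs that mark a partition as hidden (assumption: a defender's
# watch-list, not an exhaustive table). An *active* hidden partition that the
# normal read path cannot see is what RogueKiller reports as "[HIDDEN!]".
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_partition_table(mbr):
    """Parse the four 16-byte entries at offset 446 of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "offset": lba,
            "size_mb": count * SECTOR // (1024 * 1024),   # RogueKiller's "Mo"
            "hidden": ptype in HIDDEN_TYPES,
        })
    return entries


def describe(entry):
    """Render one entry in the style of the RogueKiller partition table."""
    flag = "ACTIVE" if entry["active"] else "XXXXXX"
    vis = "HIDDEN!" if entry["hidden"] else "VISIBLE"
    return (f"{entry['index']} - [{flag}] 0x{entry['type']:02X} [{vis}] "
            f"Offset (sectors): {entry['offset']} | Size: {entry['size_mb']} Mo")


def compare_mbr_views(user_view, lowlevel_view):
    """Compare the MBR read through the normal path with a lower-level read.
    Returns a list of findings; an empty list means the two views agree and
    the low-level view contains no active hidden partition."""
    findings = []
    user_md5 = hashlib.md5(user_view).hexdigest()
    ll_md5 = hashlib.md5(lowlevel_view).hexdigest()
    if user_md5 != ll_md5:
        findings.append(f"User != LL ... KO! ({user_md5} vs {ll_md5})")
    for u, l in zip(parse_partition_table(user_view), parse_partition_table(lowlevel_view)):
        if u != l:
            findings.append(f"entry differs: user '{describe(u)}' / lowlevel '{describe(l)}'")
    for e in parse_partition_table(lowlevel_view):
        if e["active"] and e["hidden"]:
            findings.append(f"active hidden partition: {describe(e)}")
    return findings


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and (active, type, lba, count) tuples.
    Constructed test data only; not an image of any real disk."""
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba, count)
        for active, ptype, lba, count in entries
    ).ljust(64, b"\x00")
    return boot_code.ljust(446, b"\x00") + table + b"\x55\xAA"


# Constructed data modelled on the RogueKiller output above; the sector counts
# are assumptions that reproduce the logged offsets and "Mo" sizes.
BOOT_CODE = b"\xEB\x3C\x90CONSTRUCTED-MBR-CODE"      # placeholder, not real boot code
USER_VIEW = build_mbr(BOOT_CODE, [
    (False, 0x27, 2048, 1500 * 2048),         # recovery partition, 1500 Mo
    (True,  0x07, 3074048, 76154 * 2048),     # Windows volume, active
    (False, 0x07, 159037440, 74971 * 2048),   # data volume
])
LOWLEVEL_VIEW = build_mbr(BOOT_CODE, [
    (False, 0x27, 2048, 1500 * 2048),
    (False, 0x07, 3074048, 76154 * 2048),     # active flag has been moved away
    (False, 0x07, 159037440, 74971 * 2048),
    (True,  0x17, 312579760, 1024),           # hidden NTFS, active, rounds to 0 Mo
])


def check_sample_disk():
    """Run the comparison on the constructed views; returns the findings."""
    return compare_mbr_views(USER_VIEW, LOWLEVEL_VIEW)


if __name__ == "__main__":
    for line in check_sample_disk() or ["MBR views agree: no hidden active partition"]:
        print(line)
```

On a real machine the two inputs would come from reading sector 0 of the physical drive through the normal device path and through a path the filter stack does not mediate (which is what booting from external media, as marcelbrown suggests, achieves trivially: the rootkit is not running, so nothing can filter the read). The script only reasons about the 64-byte partition table and the whole-sector hash; it does not touch any disk.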


  • Posts: 0 [Deleted User]


    OTL logfile created on: 25/01/2013 13:13:26 - Run 3
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Liam\Downloads
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    1.87 Gb Total Physical Memory | 0.89 Gb Available Physical Memory | 47.48% Memory free
    3.98 Gb Paging File | 3.10 Gb Available in Paging File | 77.84% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 74.37 Gb Total Space | 30.06 Gb Free Space | 40.41% Space Free | Partition Type: NTFS
    Drive E: | 73.21 Gb Total Space | 67.93 Gb Free Space | 92.79% Space Free | Partition Type: NTFS

    Computer Name: SPECIAL-NEEDS | User Name: Liam | Logged in as Administrator.
    Boot Mode: SafeMode with Networking | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < c:\windows\system32\drivers\volsnap.sys /md5 >
    [2012/08/21 11:47:42 | 000,224,640 | ---- | M] (Microsoft Corporation) MD5=786DB5771F05EF300390399F626BF30A -- c:\windows\system32\drivers\volsnap.sys

    < c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe /md5 >
    [2013/01/15 14:49:23 | 001,606,760 | ---- | M] (Google Inc.) MD5=0A5562952091635CBF3AC20F9FB73D09 -- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe

    < C:\netsetup.exe /s /md5 >
    [2005/12/21 09:39:08 | 001,708,032 | ---- | M] () MD5=A3B81E15B513C05BA36189505C42867B -- C:\Program Files\UKey5\NetSetup.exe

    < C:\rpm1m.cf1 /s >
    [2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm1m.cf1

    < C:\*.cf1 /s >
    [2009/05/22 14:22:59 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\dbvm.cf1
    [2009/05/22 14:22:34 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\fii.cf1
    [2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm.cf1
    [2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm1m.cf1
    [2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-black-enchashm.cf1
    [2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-black-urlm.cf1
    [2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-malware-domainm.cf1
    [2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-white-domainm.cf1
    [2012/03/08 15:04:23 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\dbvm.cf1
    [2012/03/08 15:04:23 | 020,971,520 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\fii.cf1
    [2012/03/08 15:04:23 | 041,943,040 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\rpm.cf1
    [2009/10/02 13:25:40 | 041,943,040 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-black-enchashm.cf1
    [2009/09/28 08:42:10 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-black-urlm.cf1
    [2009/09/04 11:28:05 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-malware-domainm.cf1
    [2009/11/02 12:53:06 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-white-domainm.cf1

    < C:\rpm1m.* /s >
    [2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm1m.cf1

    < C:\ity.* /s >

    < C:\*.im /s >

    < End of report >


  • Posts: 0 [Deleted User]


    What do I do here when the roguekiller has finished?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    You can leave roguekiller, it didn't really find anything.


    Need you to try this again but in a different way.

    Download tdsskiller again but from here:

    http://www.softpedia.com/get/Antivirus/TDSSKiller.shtml

    When it asks you to save it, call it "explorer.exe". Does it run for you then?


    If not, download malwarebytes anti-rootkit, run it and post the log it gives you:

    http://www.malwarebytes.org/products/mbar/


  • Posts: 0 [Deleted User]


    It didn't ask me to save it.

    Just run or cancel.

    Do I run it anyway?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Try running it. Your browser must be saving files automatically for you; can you find where it saved it if the program won't run?


  • Posts: 0 [Deleted User]


    Not running.

    How do I find where it saved it?


  • Posts: 0 [Deleted User]


    It saved it to the desktop... staring me in the face... sorry.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    No problem, rename it to "explorer.exe" and tell me if it runs then. If not, go on to the malwarebytes anti-rootkit step.


  • Posts: 0 [Deleted User]


    I renamed it.
    This is what came up:

    Windows Explorer has stopped working

    Windows can check online for a solution to the problem and try to restart the program

    Check online for a solution and restart the program
    Restart the program.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    OK, close it and rename it as "abcd.exe" and see if it works then; just give it any random name really.


  • Posts: 0 [Deleted User]


    I can't close that dialogue box now.

    If I do, it just reopens and I don't have enough time to rename it, as the screen goes blank and the icons disappear.

    The same happens for clicking any of the options on the box.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Restart the machine and then try it again. Make sure you rename the tdsskiller.exe file before you run it.

