ity.im message
You probably have an MBR infection, it's trickier than usual ones. Can you post the avast log here when it's done.
FYI, it appears this infection is an MBR rootkit, Rootkit.Boot.SST.b, also possibly known as Trojan.MBR.Alureon!IK. The apparent cure requires booting the machine from an external boot CD or USB drive (or pulling the drive out of the machine and connecting it to another machine) and running TDSSKiller or Hitman Pro (or perhaps another utility that can be run from an external drive). I will detail this on the earlier referenced blog link. Hopefully this information will be helpful to the person working with the OP. Good luck!
You probably have an MBR infection, it's trickier than usual ones. Can you post the avast log here when it's done.
There were 7 infections found.
They have been moved "to chest".
The pop-up ads are still coming but the ity.im dialogue boxes have stopped so far.
Running speed is very slow.
I have more information about this infection here: http://solotechpros.com/2013/01/17/pleaes-remove-all-ity-im-ads-from-your-website/
The simple answer is: from a different PC, download and prepare a boot disc or USB drive of Windows Defender Offline. Boot the infected PC from this disc and have it do a scan. It should find the MBR rootkit.
Can you do this step that I mentioned earlier:
Download TDSSKiller and aswMBR, run them and post the logs.
http://www.bleepingcomputer.com/download/aswmbr/
http://www.bleepingcomputer.com/download/tdsskiller/
Also, if you know how to take a screenshot, do that to show me what Avast found.
Here is a screenshot from the Avast scans.
They don't look too bad, can you do the scans above?
I've downloaded both.
I click on them to run but nothing happens.....?
Can you try closing down your anti-virus and any other programs before you run them. If they don't work then, can you try running them in safe mode.
Running in safe mode. Still not doing anything. Should something open up after I click run?
Yeah, they should open up and let you run them.
Do this instead:
Download ComboFix again, run it, and post that log.
http://www.bleepingcomputer.com/download/combofix/
I have run ComboFix. Can't find the logs though.
Scrap that... it's just starting to run now.
Usually logs will be saved in your C:\ drive, called combofix.txt.
combofix log
ComboFix 13-01-24.01 - Liam 24/01/2013 14:29:09.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.1915.356 [GMT 0:00]
Running from: c:\users\Liam\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-24 to 2013-01-24 )))))))))))))))))))))))))))))))
.
.
2013-01-24 15:02 . 2013-01-24 15:02 d-----w- c:\users\Default\AppData\Local\temp
2013-01-22 14:26 . 2013-01-22 14:26 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-01-18 13:59 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-18 13:59 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-18 13:59 . 2012-10-30 22:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-01-18 13:59 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-18 13:59 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-18 13:59 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-01-18 13:58 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-18 13:58 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-18 13:57 . 2013-01-18 13:57 d-----w- c:\programdata\AVAST Software
2013-01-18 13:57 . 2013-01-18 13:57 d-----w- c:\program files\AVAST Software
2013-01-18 12:10 . 2012-07-26 02:46 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-01-18 12:10 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-01-18 12:10 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-01-18 12:10 . 2009-07-14 12:12 16896 ----a-w- c:\windows\system32\winusb.dll
2013-01-18 12:10 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-01-18 12:10 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-01-18 12:10 . 2012-07-26 03:39 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-01-18 12:10 . 2012-07-26 03:39 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-01-18 12:10 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-01-18 12:10 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2013-01-18 12:10 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
2013-01-18 12:01 . 2012-12-16 13:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-01-18 12:01 . 2012-12-16 10:50 293376 ----a-w- c:\windows\system32\atmfd.dll
2013-01-17 16:07 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-17 16:06 . 2012-08-21 11:47 224640 ----a-w- c:\windows\system32\drivers\volsnap.sys
2013-01-17 16:06 . 2012-11-02 10:18 376320 ----a-w- c:\windows\system32\dpnet.dll
2013-01-17 16:06 . 2012-11-02 08:26 23040 ----a-w- c:\windows\system32\dpnsvr.exe
2013-01-17 16:06 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-17 16:06 . 2012-11-13 01:29 2048 ----a-w- c:\windows\system32\tzres.dll
2013-01-17 16:06 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
2013-01-17 16:06 . 2009-09-10 14:58 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2013-01-17 16:06 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2013-01-17 13:36 . 2013-01-17 13:36 512 ----a-w- C:\PhysicalMBR.bin
2013-01-17 11:56 . 2013-01-17 11:56 d-----w- c:\programdata\WindowsSearch
2013-01-16 14:54 . 2013-01-16 14:54 d-----w- C:\_OTL
2013-01-15 13:35 . 2013-01-15 13:35 d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-15 13:35 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-15 13:32 . 2013-01-15 13:32 d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-15 14:26 . 2012-05-01 09:16 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-15 14:26 . 2011-06-10 10:36 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-15 14:26 . 2012-08-30 13:25 15739912 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
c:\users\Liam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 21:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2008-09-26 13:22 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
2008-05-28 11:40 20480 ----a-w- c:\program files\Google\Google EULA\GoogleEULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2007-10-31 21:01 54608 ----a-w- c:\program files\TOSHIBA\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileBroadband]
2011-05-23 15:19 274944 ----a-w- c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-02-11 11:39 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-04-08 13:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-07-10 08:24 581632 ----a-w- c:\program files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2008-01-11 02:07 574864 ----a-w- c:\program files\TOSHIBA\Registration\ToshibaRegistration.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba TEMPO]
2008-04-24 09:22 103824 ----a-w- c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2008-01-17 15:27 431456 ----a-w- c:\program files\TOSHIBA\Power Saver\TPwrMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-15 14:49 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 14:26]
.
2013-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-09 20:41]
.
2013-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-09 20:41]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
TCP: DhcpNameServer = 10.128.128.128
.
.
File Associations
.
JSEFile=NOTEPAD.EXE "%1"
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ROC_ROC_JULY_P1 - c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-24 15:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????5`?u??P?#?x?#???#???#??
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'Explorer.exe'(4180)
c:\windows\system32\igdumdx32.dll
c:\windows\system32\igdumd32.dll
.
Completion time: 2013-01-24 15:21:34
ComboFix-quarantined-files.txt 2013-01-24 15:21
ComboFix2.txt 2013-01-17 11:56
.
Pre-Run: 30,287,147,008 bytes free
Post-Run: 30,376,820,736 bytes free
.
- - End Of File - - 1B090F7262700D2FE20AAEC28FB045AF
Don't suppose you have the log from when you ran HitmanPro?
Download and run RogueKiller, post the log from it:
http://www.bleepingcomputer.com/download/roguekiller/
This next scan may take a few minutes. Open OTL, click the None button at the top. Copy and paste this in the custom scan/fixes box:
c:\windows\system32\drivers\volsnap.sys /md5
c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe /md5
C:\netsetup.exe /s /md5
C:\rpm1m.cf1 /s
C:\*.cf1 /s
C:\rpm1m.* /s
C:\ity.* /s
C:\*.im /s
Click Run Scan and post the log it gives.
No idea if I have that HitmanPro log. Where would it be?
Should be around here:
Logs under Settings, History where you can view the created log files.
or
Results window. Click the Save Log link and save the log to your desktop.
Go on with the other steps if you can't find it.
RogueKiller V8.4.3 [Jan 24 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : Liam [Admin rights]
Mode : Scan -- Date : 01/25/2013 12:52:39
| ARK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 10 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[WALLP] HKCU\[...]\Desktop : Wallpaper (C:\Users\Liam\Pictures\tropical-beach-wallpaper-1920x1200.jpg) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
ÿþ1
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK1652GSX +++++
--- User ---
[MBR] 8ce030dea975cced57d221b862768431
[BSP] 4faac61575f30567c7d8a8a931297d3d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76154 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159037440 | Size: 74971 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 37efafaf8d47ce75a1e3056e78a1fa09
[BSP] 4faac61575f30567c7d8a8a931297d3d : Windows Vista MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76154 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159037440 | Size: 74971 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312579760 | Size: 0 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 37efafaf8d47ce75a1e3056e78a1fa09
[BSP] 4faac61575f30567c7d8a8a931297d3d : Windows Vista MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 76154 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 159037440 | Size: 74971 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312579760 | Size: 0 Mo
Finished : << RKreport[1]_S_01252013_02d1252.txt >>
RKreport[1]_S_01252013_02d1252.txt
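The "MBR Check" block in the log above compares two reads of sector 0 and flags slot 3 as a hidden, active, near-empty partition. As an added example (not code from this thread or from RogueKiller), here is a small parser that reads an MBR partition table, applies those same traits as heuristics, and reports when the user-mode and low-level views disagree. The two sample MBRs are constructed from the offsets and sizes in the log; the 63-sector size of the hidden slot is an assumption, since the log only shows "0 Mo".

```python
# Added example: MBR partition-table parser plus a user-vs-low-level view check
# modelled on the RogueKiller output quoted above. Not RogueKiller's own code.
import struct

SECTOR = 512
MIB_SECTORS = 2048            # 1 Mo (MiB) = 2048 sectors of 512 bytes
TABLE_OFFSET = 446            # the 4 x 16-byte partition table follows the boot code
ENTRY = "<B3xB3xII"           # status, CHS (skipped), type, CHS (skipped), LBA start, LBA size
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}  # "hidden" FAT/NTFS type IDs


def build_mbr(entries):
    """Construct a 512-byte MBR from (status, type, lba_start, lba_size) tuples.
    CHS fields stay zero; modern tools and this parser rely on the LBA fields."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, size) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, TABLE_OFFSET + 16 * i, status, ptype, start, size)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the four table slots as dicts; unused slots have type 0."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a valid boot signature")
    slots = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from(ENTRY, mbr, TABLE_OFFSET + 16 * i)
        slots.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start": start, "size": size})
    return slots


def suspicious_entries(mbr):
    """Flag slots with the traits the log prints for slot 3: a hidden partition
    type, marked active (so the BIOS boots it), with a negligible size."""
    findings = []
    for p in parse_partitions(mbr):
        if p["type"] == 0:
            continue
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append("hidden type 0x%02X" % p["type"])
            if p["active"]:
                reasons.append("active boot partition is hidden")
        if p["size"] < MIB_SECTORS:
            reasons.append("size < 1 MiB")
        if reasons:
            findings.append((p["index"], reasons))
    return findings


def compare_views(user_mbr, lowlevel_mbr):
    """Compare the MBR read through the normal OS path with one read below the
    storage filter stack; a bootkit that hooks disk I/O hands a clean table to
    the former. Returns (consistent, list of differing slot indexes)."""
    diffs = [u["index"] for u, lo in zip(parse_partitions(user_mbr), parse_partitions(lowlevel_mbr)) if u != lo]
    return (not diffs, diffs)


# Constructed from the log: the user view shows three partitions, slot 1 active.
USER_VIEW = build_mbr([
    (0x00, 0x27, 2048, 1500 * MIB_SECTORS),        # recovery partition
    (0x80, 0x07, 3074048, 76154 * MIB_SECTORS),    # Windows system partition
    (0x00, 0x07, 159037440, 74971 * MIB_SECTORS),  # data partition
])
# The low-level view adds an active, hidden (0x17) slot after the last partition.
# The log rounds its size to "0 Mo"; 63 sectors is an assumed value.
LOWLEVEL_VIEW = build_mbr([
    (0x00, 0x27, 2048, 1500 * MIB_SECTORS),
    (0x00, 0x07, 3074048, 76154 * MIB_SECTORS),
    (0x00, 0x07, 159037440, 74971 * MIB_SECTORS),
    (0x80, 0x17, 312579760, 63),
])

if __name__ == "__main__":
    ok, diffs = compare_views(USER_VIEW, LOWLEVEL_VIEW)
    print("User == LL1" if ok else "User != LL1 ... KO! (slots %s differ)" % diffs)
    for idx, why in suspicious_entries(LOWLEVEL_VIEW):
        print("slot %d: %s" % (idx, ", ".join(why)))
```

On a real machine the user view would come from reading `\\.\PhysicalDrive0` and the low-level view from a read that bypasses the filter stack (or from a boot disc), which is why the thread's advice is to scan from outside the infected OS.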
OTL logfile created on: 25/01/2013 13:13:26 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Liam\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy
1.87 Gb Total Physical Memory | 0.89 Gb Available Physical Memory | 47.48% Memory free
3.98 Gb Paging File | 3.10 Gb Available in Paging File | 77.84% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.37 Gb Total Space | 30.06 Gb Free Space | 40.41% Space Free | Partition Type: NTFS
Drive E: | 73.21 Gb Total Space | 67.93 Gb Free Space | 92.79% Space Free | Partition Type: NTFS
Computer Name: SPECIAL-NEEDS | User Name: Liam | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
========== Custom Scans ==========
< c:\windows\system32\drivers\volsnap.sys /md5 >
[2012/08/21 11:47:42 | 000,224,640 | ---- | M] (Microsoft Corporation) MD5=786DB5771F05EF300390399F626BF30A -- c:\windows\system32\drivers\volsnap.sys
< c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe /md5 >
[2013/01/15 14:49:23 | 001,606,760 | ---- | M] (Google Inc.) MD5=0A5562952091635CBF3AC20F9FB73D09 -- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
< C:\netsetup.exe /s /md5 >
[2005/12/21 09:39:08 | 001,708,032 | ---- | M] () MD5=A3B81E15B513C05BA36189505C42867B -- C:\Program Files\UKey5\NetSetup.exe
< C:\rpm1m.cf1 /s >
[2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm1m.cf1
< C:\*.cf1 /s >
[2009/05/22 14:22:59 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\dbvm.cf1
[2009/05/22 14:22:34 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\fii.cf1
[2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm.cf1
[2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm1m.cf1
[2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-black-enchashm.cf1
[2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-black-urlm.cf1
[2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-malware-domainm.cf1
[2009/05/22 14:22:59 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\safeweb\goog-white-domainm.cf1
[2012/03/08 15:04:23 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\dbvm.cf1
[2012/03/08 15:04:23 | 020,971,520 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\fii.cf1
[2012/03/08 15:04:23 | 041,943,040 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\rpm.cf1
[2009/10/02 13:25:40 | 041,943,040 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-black-enchashm.cf1
[2009/09/28 08:42:10 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-black-urlm.cf1
[2009/09/04 11:28:05 | 000,008,122 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-malware-domainm.cf1
[2009/11/02 12:53:06 | 000,262,144 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\ad8ec13bb018\safeweb\goog-white-domainm.cf1
< C:\rpm1m.* /s >
[2009/05/22 14:22:35 | 000,008,134 | ---- | M] () -- C:\Users\Liam\AppData\Local\Google\Google Desktop\234f26a6d22c\rpm1m.cf1
< C:\ity.* /s >
< C:\*.im /s >
< End of report >
What do I do here when RogueKiller has finished?
You can leave RogueKiller, it didn't really find anything.
Need you to try this again but in a different way.
Download TDSSKiller again but from here:
http://www.softpedia.com/get/Antivirus/TDSSKiller.shtml
When it asks you to save it, call it "explorer.exe". Does it run for you then?
If not, download Malwarebytes Anti-Rootkit, run it and post the log it gives you:
http://www.malwarebytes.org/products/mbar/
It didn't ask me to save it.
Just run or cancel.
Do I run it anyway?
Try to run it. Your browser must be saving files automatically for you; can you find where it saved it if the program won't run?
Not running.
How do I find where it saved it?
It saved it to the desktop... staring me in the face... sorry.
No problem, rename it to "explorer.exe" and tell me if it runs then. If not, go on to the Malwarebytes Anti-Rootkit step.
I renamed it.
This is what came up:
Windows Explorer has stopped working
Windows can check online for a solution to the problem and try to restart the program
Check online for a solution and restart the program
Restart the program.
OK, close it and rename it as "abcd.exe" and see if it works then; just give it any random name really.
I can't close that dialogue box now.
If I do, it just reopens and I don't have enough time to rename it, as the screen goes blank and the icons disappear.
The same happens when clicking any of the options on the box.
Restart the machine and then try it again. Make sure you rename the tdsskiller.exe file before you run it.