Windows vista recovery virus


This topic is locked

#1 stangel055 (Member, 34 posts)

My log

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-28 10:33:05
-----------------------------
10:33:05.710 OS Version: Windows 6.0.6002 Service Pack 2
10:33:05.710 Number of processors: 2 586 0xF0B
10:33:05.710 ComputerName: BIGHEAD-PC UserName: BigHead
10:38:08.802 Initialize success
10:38:35.372 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:38:35.372 Disk 0 Vendor: WDC_WD25 10.0 Size: 238475MB BusType: 3
10:38:35.637 Disk 0 MBR read successfully
10:38:35.637 Disk 0 MBR scan
10:38:35.652 Disk 0 unknown MBR code
10:38:35.730 Disk 0 scanning sectors +488392065
10:38:35.840 Disk 0 scanning C:\Windows\system32\drivers
10:40:41.388 Service scanning
10:41:00.384 Disk 0 MBR has been saved successfully to "C:\Users\BigHead\Desktop\MBR.dat"
10:41:00.384 The log file has been saved successfully to "C:\Users\BigHead\Desktop\aswMBR.txt"
10:41:05.992 Disk 0 trace - called modules:
10:41:06.023 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86e6f1ed]<<
10:41:06.023 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861118e0]
10:41:06.039 3 CLASSPNP.SYS[887a38b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85606030]
10:41:06.039 \Driver\iaStor[0x84c61560] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86e6f1ed
10:41:06.039 Scan finished successfully
10:43:32.432 Disk 0 MBR has been saved successfully to "C:\Users\BigHead\Desktop\MBR.dat"
10:43:32.432 The log file has been saved successfully to "C:\Users\BigHead\Desktop\aswMBR.txt"

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Do you have an OTL log to go with that? What problems are you experiencing?

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

THEN

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


#3 stangel055 (Topic Starter, Member, 34 posts)

Fake Windows Vista recovery scan; it kept popping up "hard drive failure", auto-restarting the computer, and making a stupid noise and song. Can any software stop the virus restarting the computer? The OTL took forever to scan.

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Are you prepared to work outside Windows, and can you access another computer with a CD burner?

Please print these instruction out so that you know what you are doing

Latest version: v3.1.46.0

OTLPENet.exe
MD5=79209302A1AFB2490808DB890A815CED
Size: 127,222,215b / 121.3MB

  • Download the scan.txt to a USB drive
  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Double click the Custom scans and fixes box
  • In the dialogue locate the scan.txt you have on the USB
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file, select Send to, and select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


#5 stangel055 (Topic Starter, Member, 34 posts)

..

Edited by stangel055, 28 May 2011 - 01:59 PM.


#6 stangel055 (Topic Starter, Member, 34 posts)

After 3 hours the OTLPE is still scanning, stuck at "Manual file scan - getting folder structure". Does it scan that long?

#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

No, stop it and restart, but without the scan script.

If that should fail, then we will try one other programme from normal mode; it may not work.

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Then try the OTL programme

#8 stangel055 (Topic Starter, Member, 34 posts)

RogueKiller V5.1.8 [05/27/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: BigHead [Admin rights]
Mode: Remove -- Date : 05/28/2011 18:42:59

Bad processes: 0

Registry Entries: 1
[SUSP PATH] HKCU\[...]\Run : HeypPtdMGKlWj (C:\ProgramData\HeypPtdMGKlWj.exe) -> DELETED

HOSTS File:
127.0.0.1 localhost
::1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt
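Added example, not part of this thread and not code from aswMBR or RogueKiller: a small Python triage script that reads the two report formats posted above (the aswMBR log in post #1 and the RKreport in post #8) and pulls out the indicators a helper looks at first: the "unknown MBR code" line, a disk I/O trace that ends in `>>UNKNOWN [...]<<` (code outside any named driver, which is why the MBR rootkit scanner TDSSKiller was asked for next), a Run-key entry whose executable sits in C:\ProgramData under a random-looking name, and any hosts-file line that is not the loopback/localhost pair. The sample log text embedded in the script is constructed from the lines in this thread; the random-name heuristic (vowel ratio and case flips) and its thresholds are my own choice and not something either tool does.

```python
import re

# Constructed sample input: lines taken from the aswMBR log in post #1.
ASWMBR_SAMPLE = r"""
10:38:35.637 Disk 0 MBR read successfully
10:38:35.637 Disk 0 MBR scan
10:38:35.652 Disk 0 unknown MBR code
10:41:05.992 Disk 0 trace - called modules:
10:41:06.023 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86e6f1ed]<<
10:41:06.039 \Driver\iaStor[0x84c61560] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86e6f1ed
10:41:06.039 Scan finished successfully
"""

# Constructed sample input: the RogueKiller report from post #8.
ROGUEKILLER_SAMPLE = r"""
Bad processes: 0

Registry Entries: 1
[SUSP PATH] HKCU\[...]\Run : HeypPtdMGKlWj (C:\ProgramData\HeypPtdMGKlWj.exe) -> DELETED

HOSTS File:
127.0.0.1 localhost
::1 localhost


Finished : << RKreport[1].txt >>
"""

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# Shape of an RKreport registry line: [TAG] <key>\Run : <name> (<path>) -> <action>
RUN_ENTRY_RE = re.compile(
    r"\[(?P<tag>[A-Z ]+)\]\s+(?P<key>\S+\\Run)\s*:\s*(?P<name>\S+)\s*"
    r"\((?P<path>[^)]+)\)\s*->\s*(?P<action>\w+)"
)
LOOPBACK = {"127.0.0.1", "::1"}


def aswmbr_findings(log: str):
    """Return (kind, detail) tuples for the aswMBR lines worth acting on."""
    findings = []
    for line in log.splitlines():
        msg = TIMESTAMP_RE.sub("", line)
        if "unknown MBR code" in msg:
            findings.append(("mbr", "MBR code not recognised; compare the saved MBR.dat with a known-good boot sector"))
        m = UNKNOWN_RE.search(msg)
        if m:
            findings.append(("hook", f"disk I/O trace ends in code outside any named driver at {m.group(1)}"))
    return findings


def looks_random(name: str, min_len: int = 8) -> bool:
    """Heuristic with my own thresholds: long, alphabetic stem, few vowels, many case flips."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < min_len or not stem.isalpha():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowels / len(stem) < 0.25 and case_flips >= 3


def roguekiller_findings(report: str):
    """Parse Run-key entries and hosts-file lines out of RKreport-style text."""
    run_entries, hosts_anomalies = [], []
    section = None
    for line in report.splitlines():
        if line.startswith("Registry Entries"):
            section = "registry"
            continue
        if line.startswith("HOSTS File"):
            section = "hosts"
            continue
        if line.startswith("Finished"):
            section = None
            continue
        if section == "registry":
            m = RUN_ENTRY_RE.search(line)
            if m:
                path = m["path"]
                run_entries.append({
                    "name": m["name"],
                    "path": path,
                    "action": m["action"],
                    "random_name": looks_random(m["name"]),
                    "in_programdata": path.lower().startswith("c:\\programdata\\"),
                })
        elif section == "hosts":
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            ip, names = parts[0], parts[1:]
            # Anything other than loopback -> localhost deserves a look; rogues
            # redirect security vendors' hostnames this way.
            if ip not in LOOPBACK or names != ["localhost"]:
                hosts_anomalies.append((ip, names))
    return {"run_entries": run_entries, "hosts_anomalies": hosts_anomalies}


if __name__ == "__main__":
    for kind, detail in aswmbr_findings(ASWMBR_SAMPLE):
        print(f"aswMBR {kind:5} {detail}")
    rk = roguekiller_findings(ROGUEKILLER_SAMPLE)
    for e in rk["run_entries"]:
        flags = [k for k in ("random_name", "in_programdata") if e[k]]
        print(f"RK     run   {e['name']} -> {e['path']} [{e['action']}] {flags}")
    print(f"RK     hosts {len(rk['hosts_anomalies'])} anomalous line(s)")
```

Run it on a saved aswMBR.txt or RKreport.txt by reading the file into the two functions in place of the constructed samples. On the thread's own lines it reports the unrecognised MBR, the unnamed kernel address in the disk trace, and the ProgramData Run entry flagged on both heuristics, with a clean hosts file.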

#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


#10 stangel055 (Topic Starter, Member, 34 posts)

Stuck at "Manual file scan - getting folder structure" again.

#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, I do not really like doing this so early, but needs must.

Download Unhide.exe from here to your desktop
Run Unhide.exe to recover all your folder icons

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#12 stangel055 (Topic Starter, Member, 34 posts)

Looks like Unhide.exe is not working.

#13 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Different analysis programme

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

#14 stangel055 (Topic Starter, Member, 34 posts)

DDS log

Attached file: DDS.txt (19.13KB)


#15 stangel055 (Topic Starter, Member, 34 posts)

Doing ComboFix now.