Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Mevio Redirect


  • Please log in to reply

#76
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Hi Ron,

i do have a windows 7 cd - i am also downloading the boot disc - how do you want to proceed. I can use my son's laptop to communicate while we boot the infected pc.
  • 0

Advertisements


#77
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
I like Hiren's because you can make a copy of the MBR and then do the fixing. That way if it doesn't work you can back it out. With the Windows 7 disk there's no backup capability.
  • 0

#78
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
good thinking - when i boot from the cd and select one of the mbr tools do i need to enter commands or is there an option to run fixmbr and fixboot.
  • 0

#79
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Most of the MBR tools require commands but most of them have a help screen that show the commands when you type /? . I usually google for the instructions.

Here are the instructions for mbr wizard

http://mbrwizard.com/reference.php

First boot up into the miniXP and then I think you can run the program from the command prompt. Hiren changes things around with each version so it's not the most user friendly thing but it is very powerful.

We will want to /save and I expect we will need to tell it where so I would try (you may have to CD to the correct folder to get it to work)

MBRWiz /Save=C:\mbrbackup.dat

MBRWiz /list would be good to do so you can see what it is up to. It shouldn't look much different from the partitions we saw earlier. If you see any other partitions then they may need to be removed.

mbrwizard can only make an XP MBR so we can't use it to repair the mbr.


MBRfix looks like it can create a good vista mbr:

MbrFix /0 fixmbr /vista
  • 0

#80
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
HI Ron,

Will this work for Windows 7 - i booted from the Hiron's disk and went to Partion/Boot/MBR and then command line- MBRWizard


i get an error when ii try and backup - i think this is because i am at B:\Temp\HBCD> how do o change to the c prompt
  • 0

#81
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
I expect it is simply:

C:
  • 0

#82
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
The virus may be gone

Edited by dl9796, 01 December 2011 - 11:45 PM.

  • 0

#83
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Probably shouldn't change to D: Windows needs to know where the file lives. It doesn't look everywhere. just in the folder you are in and then in a small list of folders called the path. You want to be in the same folder as mbrwiz.exe when you run the command. To see if the mbrwiz.exe is in the current folder type:

dir

To look for the file:

b:

cd \

dir /s mbrwiz.exe


To change to the folder:

cd \fullpathtofolder
  • 0

#84
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
the virus may be gone - i was able to run TDSSKiller from the Hiron Boot Disk and it found four errors. I booted in windows 7 and my browser did not redirect and i am now able to run the copies of TDSSKiller that would not load before.

Could you assist me in two items:

1) Can we somehow get my windows firewall back - somehow the windows firewall services got deleted
2) Should we run some additional scans to verify everything is clean
  • 0

#85
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Great news.

I have a neighbor who just got a new Win 7 PC. It might be 64 bit. If so I'm sure I can go over there and export the registry entries we need in order to reinstall it. Until then:

Why don't you see if you can get Online Armor to work on your PC? It's a better firewall anyway.

http://www.online-ar...m/downloads.php
  • 0

Advertisements


#86
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Hi Ron,

That would be great if you could get the registry enteries. I just download and installed Armor. Do you suggest we run any scans to double check i am clean.

i can't tell you how much i appreciate your assistance - this has been the longest week of my life.
  • 0

#87
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
We need to cleanup System Restore:

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.


Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).

sfc /scannow

(SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)



Press Start in the new window. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0

#88
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Hi Ron

So far - so good. I think we got it. You were right all along about getting TDSSKiller to run. The versions i downloaded ran but did not find the virus. The version on the Hirens CD found the virus.

The sfc /scannow completed with no errors.

Here are the (2) Logs that you requested:

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 02/12/2011 11:12:58 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/12/2011 4:11:52 PM
Type: Error Category: 0
Event: 10000 Source: Microsoft-Windows-DistributedCOM
Unable to start a DCOM Server: {40650C99-8E52-46C6-8F21-3E96B478F87B}. The error: "5" Happened while starting this command: "C:\Program Files (x86)\Sharp\Sharpdesk\Indexer.exe" -Embedding

Log: 'System' Date/Time: 02/12/2011 4:10:55 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Log: 'System' Date/Time: 02/12/2011 4:08:30 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The HyperW7 Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 02/12/2011 4:08:19 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.

Log: 'System' Date/Time: 02/12/2011 4:08:19 PM
Type: Error Category: 0
Event: 1500 Source: SNMP
The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Log: 'System' Date/Time: 02/12/2011 4:08:16 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Log: 'System' Date/Time: 02/12/2011 4:08:12 PM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/12/2011 4:06:56 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 02/12/2011 4:06:56 PM
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\IWMSSvc.dll




Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 02/12/2011 11:17:24 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 02/12/2011 4:08:50 PM
Type: Error Category: 0
Event: 100 Source: vmauthd
Cannot connect to VMX: C:\Virtual Machines\2008Server-32\2008Server-32.vmx


Log: 'Application' Date/Time: 02/12/2011 4:08:49 PM
Type: Error Category: 0
Event: 100 Source: vmauthd
Cannot connect to VMX: C:\Virtual Machines\2003Server\2003Server.vmx


Log: 'Application' Date/Time: 02/12/2011 4:08:48 PM
Type: Error Category: 0
Event: 100 Source: vmauthd
Cannot connect to VMX: C:\Virtual Machines\2008Server_1\2008Server.vmx


Log: 'Application' Date/Time: 02/12/2011 4:08:47 PM
Type: Error Category: 0
Event: 100 Source: vmauthd
Cannot connect to VMX: C:\Virtual Machines\Windows XP\Windows XP.vmx


Log: 'Application' Date/Time: 02/12/2011 4:08:33 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 02/12/2011 4:08:18 PM
Type: Error Category: 0
Event: 0 Source: IntactActionService
Service cannot be started. Intact.BusinessLayer.IntactException: Intact Execption ---> System.Data.SqlClient.SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParserStateObject.ReadSniError(TdsParserStateObject stateObj, UInt32 error) at System.Data.SqlClient.TdsParserStateObject.ReadSni(DbAsyncResult asyncResult, TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParserStateObject.ReadNetworkPacket() at System.Data.SqlClient.TdsParserStateObject.ReadBuffer() at System.Data.SqlClient.TdsParserStateObject.ReadByte() at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataRea...

Log: 'Application' Date/Time: 02/12/2011 4:08:18 PM
Type: Error Category: 4
Event: 17187 Source: MSSQL$INTACT
SQL Server is not ready to accept new client connections. Wait a few minutes before trying again. If you have access to the error log, look for the informational message that indicates that SQL Server is ready before trying to connect again. [CLIENT: <local machine>]

Log: 'Application' Date/Time: 02/12/2011 4:08:18 PM
Type: Error Category: 4
Event: 17187 Source: MSSQL$INTACT
SQL Server is not ready to accept new client connections. Wait a few minutes before trying again. If you have access to the error log, look for the informational message that indicates that SQL Server is ready before trying to connect again. [CLIENT: <local machine>]

Log: 'Application' Date/Time: 02/12/2011 4:08:07 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: HyperW7Svc64.exe, version: 1.0.0.1, time stamp: 0x4cf5de0b Faulting module name: HyperW7Svc64.exe, version: 1.0.0.1, time stamp: 0x4cf5de0b Exception code: 0xc0000005 Fault offset: 0x000000000000d248 Faulting process id: 0x38c Faulting application start time: 0x01ccb10c8aa74772 Faulting application path: C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe Faulting module path: C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe Report Id: d2312f94-1cff-11e1-b34b-005056c00008

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 02/12/2011 4:08:19 PM
Type: Warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance INTACT is not valid.

Log: 'Application' Date/Time: 02/12/2011 4:06:51 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-2421173305-923280183-2936765214-1127:
Process 540 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2421173305-923280183-2936765214-1127\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 540 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2421173305-923280183-2936765214-1127\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • 0

#89
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
I think I see why your firewall is not working.

"The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed."


BFE is Base Filtering Engine. You need it for the firewall to work.

Let's see what your PC has for the BFE service. Copy the next line:

reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE %userprofile%\Desktop\BFE.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

Right click and Paste or Edit then Paste and the line should appear. Hit Enter. Do you get an error? Now type:

net  start  BFE  >>  %userprofile%\Desktop\BFE.txt


Close the Command window. On your desktop should be a file BFE.txt. Double click on it and copy and paste the text into a reply.

Other errors:

Don't know what this is but it is not happy:

C:\Program Files (x86)\Sharp\Sharpdesk\Indexer.exe

The HyperW7 Service service terminated unexpectedly. It has done this 1 time(s).


This is Lenovo's RapidBoot. Supposed to make it boot faster but will cause a 30 second delay if it is not working. It may not like MBAM or AVAST. I found one post
http://forums.lenovo...wer/td-p/438847
where a guy with MSSE and MBAM removed them then reinstalled it and it started working OK.

The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.


This one is just because you have the snmp service running but never configured it. Since you don't need it (or you would have configured it by now) I would turn it off:
Go to Start menu and open Control Panel.
Click on Programs and Features and in the left pane click on 'Turn Windows features on or off'
Click yes if you are prompted with UAC and scroll down to 'Simple Network Management Protocol (SNMP)' in Windows Features window.
Select the SNMP check box and uncheck it then OK


The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.



Let's see what your PC has for the Browser service. Copy the next line:

reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser %userprofile%\Desktop\Browser.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

Right click and Paste or Edit then Paste and the line should appear. Hit Enter. Do you get an error? Now type:

net  start  Browser  >>  %userprofile%\Desktop\Browser.txt


Close the Command window. On your desktop should be a file BFE.txt. Double click on it and copy and paste the text into a reply.
  • 0

#90
dl9796

dl9796

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Hi Ron,

Here are the responses to your commands: My answers start after ******


Let's see what your PC has for the BFE service. Copy the next line:

reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE %userprofile%\Desktop\BFE.txt

*****This error came up: The System was unable to find the specified registry key or value*****


reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser %userprofile%\Desktop\Browser.txt
*****The operation completed successfully*****



Right click and Paste or Edit then Paste and the line should appear. Hit Enter. Do you get an error? Now type:

net start BFE >> %userprofile%\Desktop\BFE.txt
*****The specified service does not exist as an installed service*****


Both times the BFT Texr file was created but no data was written to the file


Here is the browser text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser]
"DisplayName"="@%systemroot%\\system32\\browser.dll,-100"
"Group"="NetworkProvider"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%systemroot%\\system32\\browser.dll,-101"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,\
6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,\
00,61,00,6e,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,00,00
"FailureActions"=hex:84,03,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
62,00,72,00,6f,00,77,00,73,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
"MaintainServerList"="Auto"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\TriggerInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\TriggerInfo\0]
"Type"=dword:00000004
"Action"=dword:00000001
"GUID"=hex:07,9e,56,b7,21,84,e0,4e,ad,10,86,91,5a,fd,ad,09
"Data0"=hex:31,00,33,00,39,00,00,00,54,00,43,00,50,00,00,00,53,00,79,00,73,00,\
74,00,65,00,6d,00,00,00,00,00
"DataType0"=dword:00000002
"Data1"=hex:31,00,33,00,37,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
74,00,65,00,6d,00,00,00,00,00
"DataType1"=dword:00000002
"Data2"=hex:31,00,33,00,38,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
74,00,65,00,6d,00,00,00,00,00
"DataType2"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\TriggerInfo\1]
"Type"=dword:00000004
"Action"=dword:00000002
"GUID"=hex:38,ed,44,a1,12,8e,e4,4d,9d,96,e6,47,40,b1,a5,24
"Data0"=hex:31,00,33,00,39,00,00,00,54,00,43,00,50,00,00,00,53,00,79,00,73,00,\
74,00,65,00,6d,00,00,00,00,00
"DataType0"=dword:00000002
"Data1"=hex:31,00,33,00,37,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
74,00,65,00,6d,00,00,00,00,00
"DataType1"=dword:00000002
"Data2"=hex:31,00,33,00,38,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
74,00,65,00,6d,00,00,00,00,00
"DataType2"=dword:00000002

桔⁥潃灭瑵牥䈠潲獷牥猠牥楶散椠⁳瑳牡楴杮മ
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP