
Internet hijacked [Closed]


  • This topic is locked

#16
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
Hi,
I can't see your screenshot. If it's easier, you can attach it following these instructions:

How to add an attachment to a new topic or reply
  • 0


#17
Brandio
    Member
  • Topic Starter
  • 14 posts
I updated my last post with the screenshot. Not sure if you noticed, since it didn't bump the thread.
  • 0

#18
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
Hi,

Sorry, I didn't notice you had edited your last post; I don't get notified of them.

You have a nasty new type of infection that has installed a hidden partition to your system which we will remove. You'll have to make a boot disk on a clean PC. It's quite complicated so read it thoroughly a few times before you do it.

Preferably from a clean computer, I need you to download:
  • gparted-live-0.10.0-3.iso (115.1 MB)
  • Windows XP Recovery Console rc.iso

Create two bootable CDs, one for GParted and one for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image
According to your logs, the partition that you want to delete is 10MB
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
Posted Image

Now you should be here:
Posted Image

Posted Image
Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-click the OS drive while in GParted and select Manage Flags.

In the menu that pops up, place a checkmark in boot like the picture below:
Posted Image

Now double-click the Posted Image button.

You should receive a small pop up like this:
Posted Image
Choose reboot and then press OK.

Now reboot from the Windows XP Recovery Console CD and execute the following commands:

  • fixmbr \Device\HardDisk0
  • fixboot c:
  • exit

Once back in Windows:

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Attach that file.

  • 0
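The GParted and Recovery Console steps above act on the first sector of the disk: the partition table lives in four 16-byte entries at offset 446, GParted's "boot" flag is the 0x80 status byte at the start of an entry, and fixmbr rewrites only the bootstrap code in front of that table. The following Python is an added example written for this page, not a tool from the thread or from the GParted or MBRCheck projects. It builds a constructed 512-byte MBR (a 465 GB NTFS partition with no boot flag plus a 10 MB partition carrying it, mirroring the layout described in the post), reports what an analyst would want to see before and after moving the flag, and hashes the bootstrap area so it can be compared with a hash taken from a known-clean machine. The partition type 0x27 and the 16 MB "small partition" cut-off are assumptions made for the example.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table: 4 entries of 16 bytes, then 55AA
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, first LBA, sector count
ACTIVE = 0x80            # status byte value GParted shows as the "boot" flag


def build_sample_mbr():
    """Constructed 512-byte MBR for this example (not read from any real disk):
    entry 0 is a 465 GB NTFS OS partition starting at LBA 63 without the boot
    flag, entry 1 is a 10 MB partition at the end of the disk that carries it."""
    mbr = bytearray(SECTOR)
    mbr[:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # placeholder bootstrap bytes
    entries = [
        (0x00, 0x07, 63, 975_175_680),            # NTFS, exactly 465 GiB, inactive
        (0x80, 0x27, 63 + 975_175_680, 20_480),   # 10 MiB, type 0x27 (assumed), active
    ]
    for i, (flag, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_SIZE,
                         flag, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty entries of a classic MBR partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector with a 55AA boot signature")
    parts = []
    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue
        parts.append({"index": i, "active": flag == ACTIVE, "type": ptype,
                      "start_lba": lba, "sectors": count,
                      "size_mb": count * SECTOR / (1024 * 1024)})
    return parts


def assess(parts, os_index, small_mb=16):
    """Flag a boot flag that is not on the OS partition, and any tiny extra
    partition (the 16 MB cut-off is an assumption made for this example)."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly one")
    elif active[0]["index"] != os_index:
        findings.append(f"boot flag is on entry {active[0]['index']}, "
                        f"not on the OS entry {os_index}")
    for p in parts:
        if p["index"] != os_index and p["size_mb"] <= small_mb:
            findings.append(f"entry {p['index']}: {p['size_mb']:.0f} MB partition "
                            f"of type 0x{p['type']:02X} at LBA {p['start_lba']}")
    return findings


def set_boot_flag(mbr, index):
    """Equivalent of GParted's Manage Flags -> boot: make exactly one entry active."""
    out = bytearray(mbr)
    for i in range(4):
        out[PT_OFFSET + i * ENTRY_SIZE] = ACTIVE if i == index else 0x00
    return bytes(out)


def bootstrap_sha1(mbr):
    """SHA1 of the first 440 bytes (bootstrap code, before the disk signature),
    the area fixmbr rewrites; compare it with a hash from a known-clean machine
    running the same Windows version."""
    return hashlib.sha1(mbr[:440]).hexdigest().upper()


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for line in assess(parse_partitions(mbr), os_index=0):
        print("before:", line)
    fixed = set_boot_flag(mbr, 0)
    for line in assess(parse_partitions(fixed), os_index=0):
        print("after: ", line)
    print("bootstrap SHA1:", bootstrap_sha1(fixed))
```

Moving the flag changes only the status bytes, so the bootstrap hash is identical before and after; the 10 MB entry still shows up in the "after" findings because deleting it (GParted's trash-can step) is a separate change to the table.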

#19
Brandio
    Member
  • Topic Starter
  • 14 posts
When I boot from the GParted CD it takes me to the first screen, but then when I press Enter the first time it doesn't take me to the second screen you posted; it just shows a bunch of different grey text on a black background and then says "done" at the bottom and doesn't do anything. Then when I let it sit for a while it takes me to a screen that says "Boot failed" and a bunch of other things.

Edited by Brandio, 14 December 2011 - 06:55 PM.

  • 0

#20
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
Hi,

I've not seen the GParted boot disc fail before. It's possible that you've got a bad burn/download. Can you please download another copy of GParted and burn it again? Try burning at a slower speed.
  • 0

#21
Brandio
    Member
  • Topic Starter
  • 14 posts
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 149):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA338000 pavboot.sys
0xBA0E8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltmgr.sys
0xB9EFF000 sr.sys
0xBA4BC000 CLBStor.sys
0xB9EE8000 KSecDD.sys
0xB9E5B000 Ntfs.sys
0xB9E2E000 NDIS.sys
0xB9E14000 Mup.sys
0xBA5A4000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xB94E8000 \SystemRoot\System32\DRIVERS\ati2mtag.sys
0xB94D4000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xB94AF000 \SystemRoot\System32\DRIVERS\HDAudBus.sys
0xBA1C8000 \SystemRoot\System32\DRIVERS\HECI.sys
0xBA4A8000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xB948B000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xB9468000 \SystemRoot\System32\DRIVERS\nusb3xhc.sys
0xBA5E8000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xB9425000 \SystemRoot\System32\DRIVERS\Rtenicxp.sys
0xBA1D8000 \SystemRoot\System32\DRIVERS\nic1394.sys
0xBA1E8000 \SystemRoot\System32\DRIVERS\serial.sys
0xB9DF0000 \SystemRoot\System32\DRIVERS\serenum.sys
0xBA1F8000 \SystemRoot\System32\DRIVERS\imapi.sys
0xBA208000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA218000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB9402000 \SystemRoot\System32\DRIVERS\ks.sys
0xBA4B0000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB9DE8000 \SystemRoot\System32\DRIVERS\wmiacpi.sys
0xBA228000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xBA7ED000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA238000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xB9DE4000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB93EB000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA248000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA258000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xBA358000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB93DA000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA268000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xBA398000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xBA3A0000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB93AB000 \SystemRoot\system32\DRIVERS\neti1634.sys
0xBA278000 \SystemRoot\System32\DRIVERS\termdd.sys
0xBA3A8000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xBA3B0000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xBA5EA000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB934D000 \SystemRoot\System32\DRIVERS\update.sys
0xB9DD4000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xB9310000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
0xBA298000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAB06B000 \SystemRoot\system32\drivers\AtiHdmi.sys
0xAB047000 \SystemRoot\system32\drivers\portcls.sys
0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys
0xBA168000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xAA9F6000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xBA2B8000 \SystemRoot\System32\DRIVERS\nusb3hub.sys
0xBA5F4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6BE000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5F6000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3D0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA3D8000 \SystemRoot\System32\drivers\vga.sys
0xBA5F8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5FA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3E0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3E8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA59C000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xA9AE3000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xA9A8A000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xA9A4C000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xA9A16000 \??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
0xBA2D8000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xA999E000 \SystemRoot\System32\DRIVERS\netbt.sys
0xA9966000 \SystemRoot\System32\DRIVERS\tcpip6.sys
0xBA2E8000 \SystemRoot\System32\DRIVERS\arp1394.sys
0xA9944000 \SystemRoot\System32\drivers\afd.sys
0xBA2F8000 \SystemRoot\system32\drivers\ip6fw.sys
0xBA308000 \SystemRoot\System32\DRIVERS\netbios.sys
0xBA118000 \??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
0xBA128000 \SystemRoot\System32\DRIVERS\ShlDrv51.sys
0xA9919000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xA98A9000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xA987B000 \??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
0xAA9B6000 \??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
0xBA138000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA3F0000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xAA9B2000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xBA148000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xAA9AA000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAA9A6000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xBA158000 \??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
0xBA594000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA400000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA97CA000 \??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
0xBA198000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA978A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5FE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA9A0E000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA410000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6F8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF060000 \SystemRoot\System32\ati2cqag.dll
0xBF12F000 \SystemRoot\System32\atikvmag.dll
0xBF1DE000 \SystemRoot\System32\atiok3x2.dll
0xBF259000 \SystemRoot\System32\ati3duag.dll
0xBF9C6000 \SystemRoot\System32\ativvaxx.dll
0xBF631000 \SystemRoot\System32\ATMFD.DLL
0xA6D61000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xA6C26000 \SystemRoot\system32\DRIVERS\pavdrv51.sys
0xA6BF9000 \SystemRoot\System32\Drivers\CLBUDF.SYS
0xA6BE8000 \SystemRoot\System32\Drivers\Udfs.SYS
0xA6ABA000 \SystemRoot\System32\DRIVERS\nwlnkipx.sys
0xBA188000 \SystemRoot\System32\DRIVERS\nwlnknb.sys
0xA6BD4000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xBA458000 \SystemRoot\system32\DRIVERS\RtNdPt5x.sys
0xA6D31000 \??\C:\WINDOWS\system32\PavTPK.sys
0xA69EA000 \SystemRoot\System32\DRIVERS\nwlnkspx.sys
0xA685D000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xA65BB000 \??\C:\WINDOWS\system32\Drivers\rikvm_E92D8507.sys
0xA6473000 \SystemRoot\System32\DRIVERS\srv.sys
0xA61C9000 \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
0xA6175000 \??\C:\WINDOWS\system32\PavSRK.sys
0xA5D54000 \SystemRoot\system32\drivers\wdmaud.sys
0xA626B000 \SystemRoot\system32\drivers\sysaudio.sys
0xA5AE3000 \SystemRoot\system32\drivers\av5flt.sys
0xA5822000 \SystemRoot\System32\Drivers\HTTP.sys
0xA578A000 \??\C:\Program Files\MSI\Live Update 5\NTIOLib.sys
0xA593B000 \??\C:\Program Files\MSI\Live Update 5\msibios32_100507.sys
0xA56E2000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 72):
0 System Idle Process
4 System
1268 C:\WINDOWS\system32\smss.exe
1392 csrss.exe
1432 C:\WINDOWS\system32\winlogon.exe
1476 C:\WINDOWS\system32\services.exe
1488 C:\WINDOWS\system32\lsass.exe
1676 C:\WINDOWS\system32\ati2evxx.exe
1692 C:\WINDOWS\system32\svchost.exe
1932 svchost.exe
132 C:\WINDOWS\system32\svchost.exe
160 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe
480 svchost.exe
1036 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\WebProxy.exe
1556 svchost.exe
1152 C:\WINDOWS\system32\ati2evxx.exe
1760 C:\WINDOWS\system32\spoolsv.exe
1108 svchost.exe
1792 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
612 C:\Program Files\Application Updater\ApplicationUpdater.exe
364 C:\Program Files\Bonjour\mDNSResponder.exe
360 C:\WINDOWS\system32\dldtcoms.exe
756 C:\WINDOWS\system32\svchost.exe
1284 C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
448 C:\Program Files\Java\jre6\bin\jqs.exe
464 C:\Program Files\Google\Update\GoogleUpdate.exe
1820 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1280 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
1068 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
2364 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsCtrlS.exe
2620 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PavFnSvr.exe
2896 C:\Program Files\Common Files\Panda Security\PavShld\PavPrSrv.exe
3164 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\FIREWALL\PSHost.exe
3628 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsImSvc.exe
2344 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\psksvc.exe
2528 C:\Program Files\CyberLink\Shared files\RichVideo.exe
2920 C:\WINDOWS\system32\tcpsvcs.exe
3180 C:\WINDOWS\system32\snmp.exe
3384 C:\WINDOWS\system32\svchost.exe
596 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PAVSRV51.EXE
3108 C:\WINDOWS\system32\wuauclt.exe
3836 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\AVENGINE.EXE
3692 C:\WINDOWS\explorer.exe
1828 wmiprvse.exe
2116 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\ApVxdWin.exe
2472 alg.exe
432 C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
3424 C:\Program Files\MSI\Live Update 5\LU5.exe
284 C:\Program Files\MSI\Super-Charger\Super-Charger.exe
2608 C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
700 C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
1184 C:\Program Files\CyberLink\Shared files\brs.exe
896 C:\Program Files\lg_fwupdate\fwupdate.exe
3952 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3992 C:\WINDOWS\RTHDCPL.EXE
5044 C:\Program Files\iTunes\iTunesHelper.exe
3480 C:\Program Files\NOVA Development\MediaNow CD & DVD Burning Suite\PowerDVD\PDVDServ.exe
4256 C:\PROGRA~1\NOVADE~1\MEDIAN~1\INSTAN~1\Win2K\IBurn.exe
4420 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
5400 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
4880 C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
4944 C:\WINDOWS\system32\ctfmon.exe
5196 C:\Program Files\DAEMON Tools Lite\DTLite.exe
5560 C:\Documents and Settings\Branden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
5676 C:\Program Files\Steam\steam.exe
4520 C:\Program Files\iPod\bin\iPodService.exe
4268 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\avciman.exe
4260 C:\Program Files\Panda Security\Panda Antivirus Pro 2010\psimreal.exe
2192 C:\Documents and Settings\Branden\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
5716 C:\Documents and Settings\Branden\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3440 C:\Documents and Settings\Branden\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
5240 C:\Documents and Settings\Branden\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD5000AADS-00M2B0, Rev: 01.00A01

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
  • 0
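The part of the MBRCheck report that matters for the boot-chain question is the block at the end: which physical disk each volume maps to (the 0x7e00 offset is 63 sectors, the classic first-partition start on XP), what the tool made of each disk's MBR, and the SHA1 it printed. The following Python is an added example written for this page, not MBRCheck's code or anything posted in the thread. It parses a constructed report laid out like the one above and lists the disks an analyst should look at; the PhysicalDrive1 lines in the sample are invented to exercise that path and are not MBRCheck's real wording for a non-matching MBR.

```python
import re

# Constructed sample in the layout of the MBRCheck output pasted in this thread.
# The PhysicalDrive1 lines are invented and do not reproduce MBRCheck's wording.
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3

Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD5000AADS-00M2B0, Rev: 01.00A01

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
466 GB \\.\PhysicalDrive1 no match for this boot code (constructed line)
SHA1: 0000000000000000000000000000000000000000

Done!
"""

VOLUME_RE = re.compile(
    r"^\\\\\.\\(\w:) --> \\\\\.\\(PhysicalDrive\d+) at offset 0x([0-9A-Fa-f`]+) \((\w+)\)$")
DRIVE_RE = re.compile(r"^(\d+ [KMGT]B) \\\\\.\\(PhysicalDrive\d+) (.+)$")
SHA1_RE = re.compile(r"^SHA1: ([0-9A-Fa-f]{40})$")
# Verdict text MBRCheck printed for a recognised Windows MBR in this thread.
RECOGNISED_RE = re.compile(r"^Windows .+ MBR code detected$")


def parse_mbrcheck(text):
    """Pull the Windows version, volume-to-disk mapping and per-disk MBR
    verdicts (with the SHA1 printed on the following line) out of a report."""
    report = {"windows": None, "volumes": [], "drives": []}
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln.startswith("Windows Version: "):
            report["windows"] = ln.split(": ", 1)[1]
            continue
        m = VOLUME_RE.match(ln)
        if m:
            offset = int(m.group(3).replace("`", ""), 16)
            report["volumes"].append({"letter": m.group(1), "disk": m.group(2),
                                      "offset": offset, "start_lba": offset // 512,
                                      "fs": m.group(4)})
            continue
        m = DRIVE_RE.match(ln)
        if m:
            entry = {"size": m.group(1), "disk": m.group(2),
                     "status": m.group(3), "sha1": None}
            if i + 1 < len(lines):
                s = SHA1_RE.match(lines[i + 1])
                if s:
                    entry["sha1"] = s.group(1).upper()
            report["drives"].append(entry)
    return report


def triage(report, reference_sha1=frozenset()):
    """List disks whose verdict is not a recognised Windows MBR, or whose hash is
    missing from an optional reference set collected from known-clean machines."""
    findings = []
    for d in report["drives"]:
        if not RECOGNISED_RE.match(d["status"]):
            findings.append(f"{d['disk']}: '{d['status']}' is not a recognised "
                            f"Windows MBR, review before trusting the boot chain")
        elif reference_sha1 and d["sha1"] not in reference_sha1:
            findings.append(f"{d['disk']}: recognised MBR but SHA1 {d['sha1']} "
                            f"is not in the reference set")
    return findings


if __name__ == "__main__":
    rep = parse_mbrcheck(SAMPLE_REPORT)
    for v in rep["volumes"]:
        print(f"{v['letter']} on {v['disk']} starts at LBA {v['start_lba']} ({v['fs']})")
    for line in triage(rep, {"DA38B874B7713D1B51CBC449F4EF809B0DEC644A"}):
        print("finding:", line)
```

The optional reference set lets the check go one step further than the tool's own verdict: a recognised Windows MBR whose hash differs from the one seen on clean machines of the same build is still worth a second look.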

#22
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
Hi,

Looking better, now we need to remove the rest of the infection, please do the following:


Step 1:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.


Step 2:

Delete the copy of TDSSKiller that you have and download a new one.
Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip; click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

How is the PC running now?
  • 0

#23
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#24
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





