
HELP! Blue Screen on startup! [Closed]


  • This topic is locked

#1
tammy111
  • Member
  • 95 posts
Hi guys, I'm back again. I googled WinRAR and when I downloaded one, Norton 360 5.0 popped up and said that I had a possible back door trojan (I think)...it suggested that I download something to fix it. I did and the fix said that it would now restart...so I clicked OK. When it rebooted, a bright blue screen popped up with an error report. I rebooted again and it came up again. I rebooted a third time and hit F8, I think...got it to boot to last known good setting or something like that...but it was so very very slow and unresponsive that I shut it down again.

Please help....I have the trusty laptop up and running beside the desktop..ready to follow your instructions!!!

Edited by tammy111, 27 January 2012 - 08:51 AM.

  • 0

#2
tammy111
  • Topic Starter
  • Member
  • 95 posts
bump...please help
  • 0

#3
Render
  • Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available
  • When in doubt, please stop and ask first. There's no harm in asking questions!

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below - in normal mode if possible - so I can have a look at the current condition of your machine.

Step 1

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start scan.
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • Also, there should be a file called MBR.dat on the Desktop after that; zip it and then attach it here.

How to add an attachment to a new topic or reply

Step 2

OTL Custom Scan

  • Download OTL to your Desktop.
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

When you have completed the above, please post back the following in the order asked for:
  • aswMBR log and attached zipped MBR.dat file
  • OTL scan log
  • Extras log

  • 0

#4
tammy111
  • Topic Starter
  • Member
  • 95 posts
OK, it won't start normally. Got it to start up in safe mode but when I went to 'My Computer' it freezes.. I have aswMBR on a USB drive but I can't get to it bc My Computer won't do anything...

Also, I do not have my XP CD available...I am on my laptop so I can download to the pin drive if I could get over to the desktop
  • 0

#5
tammy111
  • Topic Starter
  • Member
  • 95 posts
It took about 5 minutes but my computer finally came up. I am trying to get aswMBR to run from the USB drive but the system is so slow that it's taking forever...btw..the program that Norton told me to download is 'fixtdss'. I can see it on the desktop now...just FYI
  • 0

#6
tammy111
  • Topic Starter
  • Member
  • 95 posts
OK, the only way I could get this to work was to start in safe mode. When I ran it, it asked to use Avast definitions. I said yes...it locked up so I restarted aswMBR and said no this time. Here is the log

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-30 12:55:48
-----------------------------
12:55:48.921 OS Version: Windows 5.1.2600 Service Pack 3
12:55:48.921 Number of processors: 1 586 0x209
12:55:48.937 ComputerName: BEDROOM UserName: Todd
13:00:42.000 Initialize success
13:14:39.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:14:45.921 Disk 0 Vendor: Maxtor_6Y080L0 YAR41BW0 Size: 76293MB BusType: 3
13:14:45.937 Disk 0 MBR read successfully
13:14:45.953 Disk 0 MBR scan
13:14:45.968 Disk 0 Windows XP default MBR code
13:14:46.000 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
13:14:46.015 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76253 MB offset 64260
13:14:51.921 Disk 0 scanning sectors +156232125
13:14:52.078 Disk 0 scanning C:\WINDOWS\system32\drivers
13:21:08.953 File: C:\WINDOWS\system32\drivers\cdrom.sys **SUSPICIOUS**
13:31:01.000 Disk 0 trace - called modules:
13:31:01.046 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ae4bff0]<<
13:31:10.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8afc0970]
13:31:10.937 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8af04aa8]
13:32:04.062 \Driver\00000478[0x8af0f5d8] -> IRP_MJ_CREATE -> 0x8ae4bff0
13:32:09.921 Scan finished successfully
13:47:54.437 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
13:47:59.921 The log file has been saved successfully to "F:\aswMBR.txt"
14:06:57.937 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
14:06:57.968 The log file has been saved successfully to "F:\aswMBR.txt"
  • 0
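The lines in this log that deserve a second look are the `**SUSPICIOUS**` driver file, the `>>UNKNOWN [...]<<` entry at the bottom of the disk-stack trace, and the `IRP_MJ_CREATE` handler that resolves to that same unattributed address. The Python script below is an added example, not part of the original post and not Avast's code; it pulls those findings out of an aswMBR log. The regular expressions are inferred from the lines shown in this thread and are an assumption about the log format.

```python
import re

# Lines copied from the aswMBR log in the post above (subset, unmodified).
SAMPLE_LOG = r"""
13:14:45.968 Disk 0 Windows XP default MBR code
13:21:08.953 File: C:\WINDOWS\system32\drivers\cdrom.sys **SUSPICIOUS**
13:31:01.000 Disk 0 trace - called modules:
13:31:01.046 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ae4bff0]<<
13:31:10.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8afc0970]
13:32:04.062 \Driver\00000478[0x8af0f5d8] -> IRP_MJ_CREATE -> 0x8ae4bff0
"""

# Patterns inferred from the lines in this thread (an assumption about the
# log format, not taken from Avast documentation).
TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"
HEX = r"0x[0-9a-fA-F]+"
RE_MBR = re.compile(TS + r"Disk \d+ (?P<verdict>.+ MBR code)\s*$")
RE_FILE = re.compile(TS + r"File:\s+(?P<path>.+?)\s+\*\*SUSPICIOUS\*\*\s*$")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(?P<addr>" + HEX + r")\]<<")
RE_IRP = re.compile(TS + r"(?P<driver>\\Driver\\[^\[\s]+)\[" + HEX + r"\]"
                    r"\s+->\s+(?P<irp>IRP_MJ_\w+)\s+->\s+(?P<target>" + HEX + r")")


def triage(log_text):
    """Collect the MBR verdict, flagged files, unattributed modules in the
    disk stack, and IRP handlers that resolve to one of those modules."""
    mbr, files, unknown, irps = None, [], set(), []
    for line in log_text.splitlines():
        if m := RE_MBR.match(line):
            mbr = m["verdict"]
        elif m := RE_FILE.match(line):
            files.append(m["path"])
        elif m := RE_UNKNOWN.search(line):
            unknown.add(int(m["addr"], 16))
        elif m := RE_IRP.match(line):
            irps.append((m["driver"], m["irp"], int(m["target"], 16)))
    # Keep only handlers whose target is an address the trace could not
    # attribute to a named module; a handler inside a known driver is normal.
    return {
        "mbr": mbr,
        "suspicious_files": files,
        "unknown_modules": sorted(unknown),
        "irps_to_unknown": [h for h in irps if h[2] in unknown],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this log the MBR code itself is reported as the Windows XP default, so the findings point at the driver stack rather than the boot sector.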

#7
Render
  • Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi,

On your working computer please do this:

  • Please download Panda USB Vaccine here (you must provide a valid e-mail and they will send you a download link to this e-mail address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

NEXT...

Please do the following on your infected computer (please boot into Safe mode with networking):

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  • CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  • If you are using personal certificates I recommend you to export them before running ComboFix and save them to external media.
Please carefully follow all steps below:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.
  • 0

#8
tammy111
  • Topic Starter
  • Member
  • 95 posts
I waited for about 10 minutes after I clicked My Computer then 'C' drive to get the log from ComboFix. I finally walked away from it and now that I'm back, I see that I have a small blue DOS-style window open that says 'autoscan'. The symbol in the top left corner has a tiny 'c:\'...I don't know how long this has been running
  • 0

#9
tammy111
  • Topic Starter
  • Member
  • 95 posts
Now it has shut down on its own...and tried to restart...blue screen "problem has been detected and windows has shut down to prevent damage to your puter".......last line is

stop: 0xc0000007e (0c0000005, 0xba5d57f2...and others

It also says to restart, hit F8 and choose safe mode. I did this twice, once choosing safe mode w/networking and once choosing just safe mode. Both times this same blue screen comes up
  • 0

#10
Render
  • Trusted Helper
  • Malware Removal
  • 4,195 posts
We will work outside of Windows then. Please print these instructions out so that you know what you are doing.
We will need a clean computer, a blank CD-R to burn this tool, and a USB pen drive.

On your clean computer do the following steps:
  • Download OTLPENet.exe to your Desktop.
  • Ensure that you have a blank CD-R in the CD/DVD drive.
  • Double click OTLPENet.exe and this will then open Imgburn to burn the file to CD-R.
  • Download and save this attached scan.txt file to your USB pen drive. (Attached file: scan.txt, 580 bytes)
On your infected computer do the following steps:
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD follow the steps here.
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads.
  • Your system should now display a Reatogo desktop.
    Note: as you are running from CD it is not exactly speedy.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked "Do you wish to load the remote registry", select Yes.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start.
  • Drag and drop scan.txt file from USB pen drive into the Custom scans and fixes box, or double click the scan box and then find and open scan.txt file on your USB pen drive.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in the root of the drive as C:\OTL.txt
  • Copy this file to your USB pen drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it.
  • You can back up any files that you wish from this OS.
  • Please post the contents of the OTL.txt file in your reply.

  • 0

#11
tammy111
  • Topic Starter
  • Member
  • 95 posts
bump for any thoughts....
  • 0

#12
Render
  • Trusted Helper
  • Malware Removal
  • 4,195 posts
Please just try to proceed with instructions from my previous post. I don't have any thoughts so far.
  • 0

#13
Render
  • Trusted Helper
  • Malware Removal
  • 4,195 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





