this program cannot display this page [Solved]
#1
Posted 26 October 2012 - 04:54 PM
#2
Posted 27 October 2012 - 04:28 AM
I am surmising this is the same Windows 7 64 bit machine as last time (if not 64 bit merely inform myself)...
Anyway, let's check if the following will reveal anything as follows...
Scan with Farbar Recovery Scan Tool:
Please download and save Farbar Recovery Scan Tool 64-Bit to a Flash/USB drive.
Then insert the Flash/USB drive into your machine....
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste the contents of the aforementioned notepad file in your next reply.
#3
Posted 27 October 2012 - 09:23 PM
#4
Posted 28 October 2012 - 03:29 AM
Quote: I can't save this download to usb flash drive
Try using a different computer to do so, say a family member's and or a friend's for example.
Quote: I can't move hard drive to get to back of it after surgery
No need to touch/move your machine's installed Hard-Drive at all. So no need to worry about that and or attempt anything that may aggravate your post operative physical well being etc.
Quote: So I tried to save to a readable/writeable disc and insert in my laptop. Followed all the steps and it said frst.txt is saved where frst tool is. When I check r/w disc there is no text saved. I can't find it on my hard drive on desktop, it is ok to save this to a disc right? If so I may have to redo this and try again tomorrow
I'm afraid that will not work with this tool I advised download, it has to be downloaded and run from a USB type drive.
Quote: Thanks.
You're welcome!
Next:
Now if any problems encountered and or unable to gain access to another machine for downloading merely let myself know and we can take a different approach OK.
Also do you have a Windows 7 64 Bit Installation DVD or not, plus can you also inform myself what exact make and model is your computer please.
#5
Posted 28 October 2012 - 01:14 PM
#6
Posted 29 October 2012 - 08:26 AM
OK let's try the following fairly easy options first...
Windows 7 LKGC:
Start-up your computer and during the POST(Power On Self Test) sequence continually depress Function Key 8(F8) to bring up the Advanced Boot Options screen.
Use the arrow keys to scroll down and select Last Known Good Configuration (advanced) and hit the Enter/Return key.
Your computer should now reboot back into Normal Mode. If all is fine merely let myself know, if not proceed to the below...
Windows 7 Start-up Repair:
You will need to boot your Asus Laptop using the actual Windows 7 64 bit Installation DVD.
- If not sure how to, a very good tutorial can be read here.
- You will have to answer a few basic questions then select the option Repair your computer
- At the System Recovery Options screen click Windows 7 to highlight then Next>
- Now click on/select Startup Repair
- If prompted to use System Restore, select Cancel.
- The same if prompted to Send information about this problem (recommended), select Don't send.
- Click Finish when Startup Repair has completed, remove the Windows 7 64 bit Installation DVD and then click on Restart
Let myself know the outcome of the above in your next reply and we will go from there, thank you.
#7
Posted 29 October 2012 - 09:17 PM
#8
Posted 30 October 2012 - 01:39 PM
Quote: Ok so I did the F8 thing and Last Known Good Config. My computer opened up and I saw desktop but Firefox wouldn't open. I tried IE several times and it finally opened, that's what I'm responding to you from on my laptop.
Good, some progress at least. Let's proceed as follows shall we...
Download/run Rkill:
(If one fails to work delete it and download/try another):
One, Two, Three, Four or Five
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
- Double click on Rkill.
- A command window will open then disappear upon completion, this is normal.
- Please leave Rkill on the Desktop until otherwise advised.
Scan with aswMBR:
Please download aswMBR.exe to your desktop.
- Right-click the aswMBR.exe select Run as Administrator to run it.
- When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
- Now click on the Scan button to start scan
- On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
When completed the above, please post back the following in the order asked for:
- How is your computer performing now, any further symptoms and or problems encountered?
- Rkill Log.
- aswMBR Log.
#9
Posted 30 October 2012 - 07:23 PM
Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingc...opic308364.html
Program started at: 10/30/2012 04:41:54 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* C:\Windows\SysWOW64\ACEngSvr.exe (PID: 792) [WD-HEUR]
1 proccess terminated!
Possibly Patched Files.
* C:\Windows\system32\services.exe
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
Checking Windows Service Integrity:
* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual
* BFE [Missing Service]
* BITS [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]
* SharedAccess [Missing ImagePath]
Searching for Missing Digital Signatures:
* C:\Windows\System32\services.exe [NoSig]
+-> C:\Windows\ERDNT\cache64\services.exe : 328,704 : 07/13/2009 06:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
+-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 06:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 10/30/2012 04:44:07 PM
Execution time: 0 hours(s), 2 minute(s), and 12 seconds(s)
And the second Log is:
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-30 16:46:17
-----------------------------
16:46:17.587 OS Version: Windows x64 6.1.7601 Service Pack 1
16:46:17.587 Number of processors: 2 586 0x2505
16:46:17.587 ComputerName: MARIA-PC UserName: Maria
16:46:18.487 Initialize success
16:46:35.985 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:46:35.985 Disk 0 Vendor: ST950056 SD22 Size: 476940MB BusType: 3
16:46:35.995 Disk 0 MBR read successfully
16:46:35.995 Disk 0 MBR scan
16:46:35.995 Disk 0 Windows 7 default MBR code
16:46:35.995 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 20000 MB offset 64
16:46:35.995 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 119235 MB offset 40960064
16:46:36.005 Disk 0 Partition - 00 0F Extended LBA 337704 MB offset 285154408
16:46:36.005 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 337703 MB offset 285156456
16:46:36.015 Disk 0 scanning C:\Windows\system32\drivers
16:46:43.715 Service scanning
16:46:50.155 Modules scanning
16:46:50.165 Disk 0 trace - called modules:
16:46:50.175 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
16:46:50.185 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800333b060]
16:46:50.185 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa8002d72950]
16:46:50.195 5 ACPI.sys[fffff88000d607a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002d7b050]
16:46:50.195 Scan finished successfully
18:15:40.376 Disk 0 MBR has been saved successfully to "C:\Users\Maria\Desktop\MBR.dat"
18:15:40.376 The log file has been saved successfully to "C:\Users\Maria\Desktop\aswMBR.txt"
#10
Posted 31 October 2012 - 05:20 AM
Quote: Firefox when I open computer asks to run in safe mode, that's only way Firefox will work. IE only opens in one screen at a time. My McAfee pops up saying scan done and 4 things can't be fixed, they say "desktop.ini" is what couldn't be deleted
Acknowledged and do not let McAfee attempt to heal/remove anything for the time being as that will in all likelihood worsen the situation rather than solve anything in this instance.
Now let's scan your machine with a different application. Reason being it certainly looks like malware has gained a foothold and messed a few things up but I would prefer further confirmation before advising anything proactive to err on the side of caution...
Scan with RogueKiller:
Please download RogueKiller to your desktop
Alternate download is here.
- Quit all running programs
- Right-click on RogueKiller.exe and select Run as Administrator to start the application.
- Let the pre-scan complete, then click on Accept option when the disclaimer window appears.
- Now click on the Scan tab back in the RogueKiller main window.
- The RKreport.txt shall be generated next to the executable along with a zip file named RK_Quarantine.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.com
#11
Posted 31 October 2012 - 01:41 PM
RogueKiller V8.2.1 [10/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Maria [Admin rights]
Mode : Scan -- Date : 10/31/2012 12:37:50
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] yzaf.exe -- C:\Users\Maria\AppData\Roaming\Igusla\yzaf.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 14 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : AIM ("C:\Users\Maria\AppData\Local\AOL\AIM\aim.exe") -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : sjqkiflacifihvq (C:\ProgramData\sjqkifla.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Abwoepr (C:\Users\Maria\AppData\Roaming\Igusla\yzaf.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2184240491-3254005719-1364954233-1001[...]\Run : AIM ("C:\Users\Maria\AppData\Local\AOL\AIM\aim.exe") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2184240491-3254005719-1364954233-1001[...]\Run : sjqkiflacifihvq (C:\ProgramData\sjqkifla.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2184240491-3254005719-1364954233-1001[...]\Run : Abwoepr (C:\Users\Maria\AppData\Roaming\Igusla\yzaf.exe) -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST95005620AS +++++
--- User ---
[MBR] 998e180e35cfee96266bbf21d55dd65e
[BSP] 1309998eb66b033b3bdba9aaa135e71e : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 64 | Size: 20000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40960064 | Size: 119235 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 285154408 | Size: 337704 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
#12
Posted 31 October 2012 - 03:15 PM
I have bad news I'm afraid.
One or more of the identified infections is a variant of the extremely severe Zero Access Rootkit plus undoubtedly other comprising malware!
OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course I strongly recommend.
Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
Next:
I can attempt to clean this machine (anything I try may not be successful and the machine may lose internet connectivity) but I can't guarantee that it will be at all secure afterwards.
Should you have any questions, please feel free to ask.
Please let myself know what you have decided to do in your next post.
#13
Posted 02 November 2012 - 02:59 PM
#14
Posted 03 November 2012 - 04:15 AM
Quote: I would like to have you try and clean up this laptop
OK fair play and I will try my best on your behalf, the rest of your prior post is acknowledged also.
As a precaution limit online use with the infected machine until I advise otherwise.
Re-scan with RogueKiller:
Run the scan again as outlined prior and it will create a new log called RKreport[2].txt. I actually have no need to review this one...
After the scan is complete, click on the Delete button, once complete click on the ShortcutsFix button.
Post the contents of both RKreport[3].txt and RKreport[4].txt in your next reply. Provide a quick update how your machine is performing now and we will go from there, thank you.
#15
Posted 03 November 2012 - 06:48 PM
RogueKiller V8.2.1 [10/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Maria [Admin rights]
Mode : Remove -- Date : 11/03/2012 17:33:46
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : AIM ("C:\Users\Maria\AppData\Local\AOL\AIM\aim.exe") -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : sjqkiflacifihvq (C:\ProgramData\sjqkifla.exe) -> DELETED
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000004.$ : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\U\00000004.$ --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\U\00000004.@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 80000064.@ : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\U\80000064.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{59ab826b-e7fc-36ac-e4bd-b9837d5554d8}\L --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> REMOVED AT REBOOT
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> REPLACED AT REBOOT (C:\Windows\ERDNT\cache64\services.exe)
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST95005620AS +++++
--- User ---
[MBR] 998e180e35cfee96266bbf21d55dd65e
[BSP] 1309998eb66b033b3bdba9aaa135e71e : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 64 | Size: 20000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40960064 | Size: 119235 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 285154408 | Size: 337704 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
and then now number 4 text:
RogueKiller V8.2.1 [10/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Maria [Admin rights]
Mode : Shortcuts HJfix -- Date : 11/03/2012 17:40:58
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 45 / Fail 0
Start menu: Success 2 / Fail 0
User folder: Success 209 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 104 / Fail 0
Backup: [NOT FOUND]
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[Q:] \Device\SftVol -- 0x3 --> Restored
¤¤¤ Infection : ZeroAccess ¤¤¤
Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt