Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help with MBR virus Trojan:DOS/Alureon.A



#1 Jamazz (Member, 90 posts)
Hey Geeks. Thanks for looking at this thread. Let me get right to the nitty-gritty.

I'm a system administrator, so you guys can get technical, and I'm sure I can follow.

I'm trying to fix my babysitter's laptop, and she knows as much about laptops as I know about string theory. Needless to say, the laptop was a complete mess. There were a ton of start-up errors: programs looking to start but missing files, pop-ups of this error and that error. It took forever to do anything. The bloatware was still loaded on it. You get the picture.

I did most of the preliminary clean-up. I removed the old anti-virus and loaded AVG, ran msconfig and stopped a bunch of suspicious processes and start-up progs, removed as much bloatware as I could, and updated the OS, Java, and whatnot. One thing I couldn't get to stop was an error pop-up. It reads, "winrscmde has stopped working and was closed". I did some research and found out that not only did I have the MBR virus Trojan:DOS/Alureon.A, but I also had 23 rootkits after doing a full computer scan. The MBR virus obviously keeps putting the virus back on the laptop after I remove it. After the third scan and a reboot, I had 28 rootkits! LOL This is one of the nastiest infections I've encountered.

I did some forum searching and tried to remedy the MBR and rootkit issues, but since this is the second time in my career I've ever seen an MBR virus, I figured I'd leave it up to people who do this often.

I have a few log files... one from OTL (Extras is from OTL as well) and one from aswMBR. I feel that attaching them would be better.

Please take your time, and I appreciate the help. Thank you!

Jamazz

Please note: In the aswMBR file, pay close attention to the following entry:

21:02:25.519 \Driver\atapi[0xfffffa8004a78af0] -> IRP_MJ_CREATE -> 0xfffffa8004b985e8

This was highlighted red in the aswMBR program window. It was the only entry that was red.



Edited by Jamazz, 25 June 2013 - 08:30 PM.




#2 JSntgRvr (Global Moderator, 11,579 posts)

Please zip the C:\Users\karen hastings\Desktop\MBR.dat file and attach the zipped folder to a reply.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


#3 Jamazz (Topic Starter, Member, 90 posts)
Here are the files, copy/pasted data you requested.

Data from FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-06-2013
Ran by karen hastings (administrator) on 27-06-2013 21:25:57
Running from C:\Users\karen hastings\Desktop
Windows Vista ™ Home Premium Service Pack 2 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
() C:\Windows\System32\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Dell Inc.) C:\Windows\System32\bcmwltry.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(HP) C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
(HP) C:\Windows\system32\HPSIsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Windows\System32\WLTRAY.EXE
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) \\.\globalroot\systemroot\svchost.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corp.) C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(WinZip Computing, S.L.) C:\Program Files\WinZip\WZQKPICK32.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1657128 2008-11-25] (Synaptics, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [4119552 2008-12-21] (Dell Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [2041112 2008-09-26] (Dell Inc.)
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [462848 2009-03-19] (IDT, Inc.)
HKLM-x32\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/w...0"&"ver=9.0.902 [x]
HKCU\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
MountPoints2: {76a0e480-e253-11e1-ba67-0026b90127a2} - H:\TL-Bootstrap.exe
MountPoints2: {8ca78981-17fb-11e2-9573-0026b90127a2} - G:\SISetup.exe
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [250192 2009-04-24] (Microsoft Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128232 2009-02-04] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [HPUsageTrackingLEDM] "C:\Program Files (x86)\HP\HP UT LEDM\bin\hppusg.exe" "C:\Program Files (x86)\HP\HP UT LEDM\" [30264 2009-08-04] (Hewlett-Packard Company)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-29] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [BingDesktop] C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktop.exe /fromkey [2249352 2013-06-05] (Microsoft Corp.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
SSODL-x32: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\SysWOW64\webcheck.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
URLSearchHook: (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
URLSearchHook: (No Name) - {90b49673-5506-483e-b92b-ca0265bd9ca8} - No File
HKLM-x32 SearchScopes: DefaultScope {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.condui...&ctid=CT2612669
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.condui...&ctid=CT2612669
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask...E2-39481CD834FF
SearchScopes: HKCU - {25ED73F5-BFFD-4569-9D15-29A237EDC80A} URL = http://search.yahoo....1251,6900,0,5,0
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.condui...&ctid=CT2612669
SearchScopes: HKCU - {BF5CDBD7-EC78-41F8-A1B1-01829572104D} URL = http://search.yahoo....p={searchTerms}
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll No File
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll No File
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKCU - No Name - {90B49673-5506-483E-B92B-CA0265BD9CA8} - No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\karen hastings\AppData\Roaming\Mozilla\Firefox\Profiles\f8fx7ukf.default
FF Homepage: hxxp://www.yahoo.com/?s=https
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=mcafee&p=
FF NetworkProxy: "no_proxies_on", "192.168.*.*,*.local"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Extension: luisguatqg - C:\Users\karen hastings\AppData\Roaming\Mozilla\Firefox\Profiles\f8fx7ukf.default\Extensions\[email protected]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Mozilla Firefox 21.0\Extensions: [Components] C:\Program Files (x86)\Mozilla Firefox\components
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\components
FF HKLM-x32\...\Mozilla Firefox 21.0\Extensions: [Plugins] C:\Program Files (x86)\Mozilla Firefox\plugins
FF HKCU\...\Firefox\Extensions: [{59A40AC9-E67D-4155-B31D-4B7330FCD2D6}] C:\Program Files (x86)\Outerinfo\FF\
FF Extension: Outerinfo Ads - C:\Program Files (x86)\Outerinfo\FF\

==================== Services (Whitelisted) =================

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-14] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
R2 BingDesktopUpdate; C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [173192 2013-06-05] (Microsoft Corp.)
R2 wltrysvc; C:\Windows\System32\WLTRYSVC.EXE [32768 2008-12-21] ()
S3 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]
S2 WinVNC4; "C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe" -service [x]

==================== Drivers (Whitelisted) ====================

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-04-04] (Marvell Semiconductor, Inc.)
R3 OA008Ufd; C:\Windows\System32\DRIVERS\OA008Ufd.sys [159840 2009-03-06] (Creative Technology Ltd.)
R3 OA008Vid; C:\Windows\System32\DRIVERS\OA008Vid.sys [313696 2009-05-06] (Creative Technology Ltd.)
S3 CtClsFlt; system32\DRIVERS\CtClsFlt.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 KAPFA; \??\C:\Windows\system32\drivers\KAPFA.SYS [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-27 21:25 - 2013-06-27 21:20 - 01933484 ____A (Farbar) C:\Users\karen hastings\Desktop\FRST64.exe
2013-06-27 21:24 - 2013-06-27 21:24 - 00000000 ____D C:\FRST
2013-06-27 21:20 - 2013-06-27 21:20 - 01933484 ____A (Farbar) C:\Users\karen hastings\Downloads\FRST64.exe
2013-06-27 21:19 - 2013-06-27 21:19 - 00793536 ____A C:\Users\karen hastings\Downloads\ZipOpenerSetup.exe
2013-06-27 21:13 - 2013-06-27 21:13 - 00000611 ____A C:\Users\karen hastings\Desktop\MBR.zip
2013-06-27 21:13 - 2013-06-27 21:13 - 00000000 ____D C:\Users\karen hastings\AppData\Local\WinZip
2013-06-27 21:12 - 2013-06-27 21:12 - 00001856 ____A C:\Users\Public\Desktop\WinZip.lnk
2013-06-27 09:03 - 2013-06-27 21:13 - 00000000 ____D C:\ProgramData\WinZip
2013-06-27 09:03 - 2013-06-27 21:12 - 00000000 ____D C:\Program Files\WinZip
2013-06-27 08:54 - 2013-06-27 08:54 - 00424360 ____A (WinZip Computing) C:\Users\karen hastings\Downloads\WinZip175.exe
2013-06-27 08:50 - 2013-06-27 08:50 - 00001569 ____A C:\Windows\SysWOW64\UserPref.json
2013-06-25 21:52 - 2013-06-25 21:51 - 00867240 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-06-25 21:52 - 2013-06-25 21:51 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-25 21:51 - 2013-06-25 21:51 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-25 21:51 - 2013-06-25 21:51 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-25 21:51 - 2013-06-25 21:51 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-25 21:31 - 2013-06-25 21:31 - 00002157 ____A C:\Users\karen hastings\Desktop\aswMBR.txt
2013-06-25 21:31 - 2013-06-25 21:31 - 00000512 ____A C:\Users\karen hastings\Desktop\MBR.dat
2013-06-25 20:56 - 2013-06-25 20:57 - 04745728 ____A (AVAST Software) C:\Users\karen hastings\Downloads\aswMBR.exe
2013-06-25 08:35 - 2013-06-25 08:35 - 00055232 ____A C:\Users\karen hastings\Desktop\Extras.Txt
2013-06-25 08:33 - 2013-06-25 08:33 - 00070468 ____A C:\Users\karen hastings\Desktop\OTL.Txt
2013-06-25 08:23 - 2013-06-25 08:23 - 00602112 ____A (OldTimer Tools) C:\Users\karen hastings\Downloads\OTL.exe
2013-06-25 03:01 - 2013-05-16 23:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-25 03:01 - 2013-05-16 23:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-25 03:01 - 2013-05-16 23:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-25 03:01 - 2013-05-16 23:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-25 03:01 - 2013-05-16 23:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-25 03:01 - 2013-05-16 22:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-25 03:01 - 2013-05-16 22:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-25 03:01 - 2013-05-16 22:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-25 03:01 - 2013-05-16 22:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-25 03:01 - 2013-05-16 22:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-25 03:01 - 2013-05-16 22:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-25 03:01 - 2013-05-16 22:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-25 03:01 - 2013-05-16 22:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-25 03:01 - 2013-05-16 18:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-25 03:01 - 2013-05-16 18:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-25 03:01 - 2013-05-16 18:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-25 03:01 - 2013-05-16 18:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-25 03:01 - 2013-05-16 18:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-25 03:01 - 2013-05-16 18:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-25 03:01 - 2013-05-16 18:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-25 03:01 - 2013-05-16 18:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-25 03:01 - 2013-05-16 18:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-25 03:01 - 2013-05-16 18:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-25 03:01 - 2013-05-16 18:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-25 03:01 - 2013-05-16 18:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-25 03:01 - 2013-05-16 18:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-25 03:00 - 2013-05-17 00:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-25 03:00 - 2013-05-16 23:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-25 03:00 - 2013-05-16 22:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-25 03:00 - 2013-05-16 19:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-25 03:00 - 2013-05-16 18:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-25 03:00 - 2013-05-16 18:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-25 01:33 - 2013-06-25 01:33 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-06-25 01:33 - 2013-06-25 01:33 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2013-06-24 21:47 - 2013-05-08 00:14 - 01417576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-24 21:47 - 2013-05-07 22:27 - 00040448 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2013-06-24 21:47 - 2013-05-02 00:16 - 00686080 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-24 21:47 - 2013-05-02 00:04 - 00443904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-24 21:47 - 2013-05-02 00:03 - 00037376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\printcom.dll
2013-06-24 21:47 - 2013-04-24 00:09 - 01269248 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-24 21:47 - 2013-04-24 00:09 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-24 21:47 - 2013-04-24 00:09 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-24 21:47 - 2013-04-24 00:09 - 00050688 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-24 21:47 - 2013-04-24 00:00 - 00985600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-24 21:47 - 2013-04-24 00:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-24 21:47 - 2013-04-24 00:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-24 21:47 - 2013-04-24 00:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-24 21:47 - 2013-04-23 22:10 - 01078272 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-24 21:47 - 2013-04-23 21:46 - 00812544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-24 21:47 - 2013-04-17 09:04 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-24 21:47 - 2013-04-17 08:30 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-01 13:22 - 2013-06-01 16:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-01 12:02 - 2013-06-24 22:24 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-01 12:02 - 2013-06-24 22:24 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-01 10:54 - 2013-06-01 10:54 - 00000000 ____D C:\Users\karen hastings\AppData\Roaming\AVG2013
2013-06-01 10:52 - 2013-06-25 01:33 - 00000874 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-06-01 10:52 - 2013-06-01 10:52 - 00000000 ____D C:\Users\karen hastings\AppData\Roaming\TuneUp Software
2013-06-01 10:35 - 2013-06-01 17:00 - 00000000 ____D C:\ProgramData\AVG2013
2013-06-01 10:35 - 2013-06-01 10:35 - 00000000 ___HD C:\$AVG
2013-06-01 10:28 - 2013-06-27 21:15 - 00000000 ____D C:\ProgramData\MFAData
2013-06-01 10:28 - 2013-06-01 12:30 - 00000000 ____D C:\Users\karen hastings\AppData\Local\Avg2013
2013-06-01 10:28 - 2013-06-01 10:28 - 00000000 ____D C:\Users\karen hastings\AppData\Local\MFAData

==================== One Month Modified Files and Folders =======

2013-06-27 21:24 - 2013-06-27 21:24 - 00000000 ____D C:\FRST
2013-06-27 21:20 - 2013-06-27 21:25 - 01933484 ____A (Farbar) C:\Users\karen hastings\Desktop\FRST64.exe
2013-06-27 21:20 - 2013-06-27 21:20 - 01933484 ____A (Farbar) C:\Users\karen hastings\Downloads\FRST64.exe
2013-06-27 21:19 - 2013-06-27 21:19 - 00793536 ____A C:\Users\karen hastings\Downloads\ZipOpenerSetup.exe
2013-06-27 21:15 - 2013-06-01 10:28 - 00000000 ____D C:\ProgramData\MFAData
2013-06-27 21:15 - 2009-08-26 12:23 - 01424723 ____A C:\Windows\WindowsUpdate.log
2013-06-27 21:13 - 2013-06-27 21:13 - 00000611 ____A C:\Users\karen hastings\Desktop\MBR.zip
2013-06-27 21:13 - 2013-06-27 21:13 - 00000000 ____D C:\Users\karen hastings\AppData\Local\WinZip
2013-06-27 21:13 - 2013-06-27 09:03 - 00000000 ____D C:\ProgramData\WinZip
2013-06-27 21:13 - 2006-11-02 11:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-27 21:13 - 2006-11-02 11:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-27 21:12 - 2013-06-27 21:12 - 00001856 ____A C:\Users\Public\Desktop\WinZip.lnk
2013-06-27 21:12 - 2013-06-27 09:03 - 00000000 ____D C:\Program Files\WinZip
2013-06-27 21:12 - 2011-12-19 13:52 - 00000914 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-27 08:54 - 2013-06-27 08:54 - 00424360 ____A (WinZip Computing) C:\Users\karen hastings\Downloads\WinZip175.exe
2013-06-27 08:54 - 2006-11-02 08:46 - 00842866 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-27 08:50 - 2013-06-27 08:50 - 00001569 ____A C:\Windows\SysWOW64\UserPref.json
2013-06-27 03:00 - 2011-12-19 13:52 - 00000910 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-25 22:05 - 2011-12-12 03:19 - 00000428 ____A C:\Windows\Tasks\PC Optimizer Pro64 startups.job
2013-06-25 22:04 - 2006-11-02 11:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-25 22:03 - 2006-11-02 11:42 - 00032538 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-25 21:51 - 2013-06-25 21:52 - 00867240 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-06-25 21:51 - 2013-06-25 21:52 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-25 21:51 - 2013-06-25 21:51 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-25 21:51 - 2013-06-25 21:51 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-25 21:51 - 2013-06-25 21:51 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-25 21:51 - 2012-03-06 22:17 - 00000000 ____D C:\Program Files (x86)\Java
2013-06-25 21:51 - 2011-12-12 03:34 - 00789416 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-06-25 21:31 - 2013-06-25 21:31 - 00002157 ____A C:\Users\karen hastings\Desktop\aswMBR.txt
2013-06-25 21:31 - 2013-06-25 21:31 - 00000512 ____A C:\Users\karen hastings\Desktop\MBR.dat
2013-06-25 20:57 - 2013-06-25 20:56 - 04745728 ____A (AVAST Software) C:\Users\karen hastings\Downloads\aswMBR.exe
2013-06-25 08:35 - 2013-06-25 08:35 - 00055232 ____A C:\Users\karen hastings\Desktop\Extras.Txt
2013-06-25 08:33 - 2013-06-25 08:33 - 00070468 ____A C:\Users\karen hastings\Desktop\OTL.Txt
2013-06-25 08:23 - 2013-06-25 08:23 - 00602112 ____A (OldTimer Tools) C:\Users\karen hastings\Downloads\OTL.exe
2013-06-25 03:43 - 2006-11-02 09:33 - 00000000 ____D C:\Windows\rescache
2013-06-25 03:05 - 2012-08-16 03:02 - 00000129 ____A C:\Windows\System32\MRT.INI
2013-06-25 03:03 - 2006-11-02 08:35 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-25 01:33 - 2013-06-25 01:33 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-06-25 01:33 - 2013-06-25 01:33 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2013-06-25 01:33 - 2013-06-01 10:52 - 00000874 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-06-24 22:41 - 2012-03-15 22:14 - 00000000 ____D C:\Windows\Minidump
2013-06-24 22:24 - 2013-06-01 12:02 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-24 22:24 - 2013-06-01 12:02 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-01 17:02 - 2012-06-01 23:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-06-01 17:00 - 2013-06-01 10:35 - 00000000 ____D C:\ProgramData\AVG2013
2013-06-01 16:27 - 2013-06-01 13:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-01 12:30 - 2013-06-01 10:28 - 00000000 ____D C:\Users\karen hastings\AppData\Local\Avg2013
2013-06-01 12:02 - 2010-02-21 02:22 - 00000000 ____D C:\Users\karen hastings\AppData\Local\Adobe
2013-06-01 11:56 - 2009-08-26 17:56 - 00000000 ____D C:\ProgramData\Adobe
2013-06-01 11:42 - 2012-05-01 19:27 - 00001945 ____A C:\Windows\epplauncher.mif
2013-06-01 10:54 - 2013-06-01 10:54 - 00000000 ____D C:\Users\karen hastings\AppData\Roaming\AVG2013
2013-06-01 10:52 - 2013-06-01 10:52 - 00000000 ____D C:\Users\karen hastings\AppData\Roaming\TuneUp Software
2013-06-01 10:35 - 2013-06-01 10:35 - 00000000 ___HD C:\$AVG
2013-06-01 10:32 - 2012-06-01 23:41 - 00000000 ____D C:\Program Files (x86)\AVG
2013-06-01 10:28 - 2013-06-01 10:28 - 00000000 ____D C:\Users\karen hastings\AppData\Local\MFAData
2013-06-01 10:27 - 2009-09-02 11:09 - 00000000 ____D C:\users\karen hastings

Files to move or delete:
====================
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!


LastRegBack: 2013-06-25 22:13

==================== End Of Log ============================

Edited by Jamazz, 27 June 2013 - 07:55 PM.


#4 JSntgRvr (Global Moderator, 11,579 posts)

Download the enclosed file.

Save it next to FRST.

Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


#5 Jamazz (Topic Starter, Member, 90 posts)

What do you mean by:

    Save it next to FRST.

Do you mean for me to save it in the same location as the exe for FRST? In this case my Desktop?

#6 JSntgRvr (Global Moderator, 11,579 posts)


Jamazz wrote:

    What do you mean by: "Save it next to FRST." Do you mean for me to save it in the same location as the exe for FRST? In this case my Desktop?

Yes.

#7 Jamazz (Topic Starter, Member, 90 posts)

Here are the logs you requested.
Pasted TDSSKiller log and attached Fixlog.

Data from TDSSKiller:

08:42:32.0330 4428 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
08:42:32.0739 4428 ============================================================
08:42:32.0739 4428 Current date / time: 2013/06/29 08:42:32.0739
08:42:32.0739 4428 SystemInfo:
08:42:32.0740 4428
08:42:32.0740 4428 OS Version: 6.0.6002 ServicePack: 2.0
08:42:32.0740 4428 Product type: Workstation
08:42:32.0740 4428 ComputerName: TOMDELLSTUDIO
08:42:32.0740 4428 UserName: karen hastings
08:42:32.0740 4428 Windows directory: C:\Windows
08:42:32.0740 4428 System windows directory: C:\Windows
08:42:32.0740 4428 Running under WOW64
08:42:32.0740 4428 Processor architecture: Intel x64
08:42:32.0740 4428 Number of processors: 2
08:42:32.0740 4428 Page size: 0x1000
08:42:32.0740 4428 Boot type: Normal boot
08:42:32.0740 4428 ============================================================
08:42:34.0403 4428 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
08:42:34.0410 4428 ============================================================
08:42:34.0410 4428 \Device\Harddisk0\DR0:
08:42:34.0411 4428 MBR partitions:
08:42:34.0411 4428 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x1D4C000
08:42:34.0411 4428 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D5F9C5, BlocksNum 0x1B4657AB
08:42:34.0411 4428 ============================================================
08:42:34.0455 4428 C: <-> \Device\Harddisk0\DR0\Partition2
08:42:34.0546 4428 D: <-> \Device\Harddisk0\DR0\Partition1
08:42:34.0546 4428 ============================================================
08:42:34.0546 4428 Initialize success
08:42:34.0546 4428 ============================================================
08:43:35.0411 4964 Deinitialize success


#8 JSntgRvr (Global Moderator, 11,579 posts)

The MBR shows a zero-byte partition. TDSSKiller seems to have missed it.

Please download Listparts to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

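Added example (not part of the thread, and not FRST or TDSSKiller code): a small MBR parser that decodes the four primary partition entries, checks the 55 AA boot signature, and flags the things a practitioner looks for in an MBR dump: a partition type set on a zero-length entry (the "zero byte partition" mentioned above), a type-0 slot that still carries geometry, overlapping entries, entries that run past the end of the disk, and unpartitioned space after the last partition, which is where TDL4-family bootkits keep their hidden encrypted file system. The disk size and the two partition entries are taken from the TDSSKiller log in post #7; the MBR bytes themselves are constructed here, with zeroed boot code and an assumed 0x80 boot flag on the first entry, because MBRDUMP.txt is not reproduced on the page. With those figures the two entries come out contiguous, with 2048 sectors (1 MiB) left after C:. A gap that small is ordinary slack on its own and not proof of infection; the bootkit's presence has to be confirmed by comparing the boot code in bytes 0x000-0x1BD against a known-good MBR, which is what the MBRDUMP.txt requested above is for.

```python
"""Parse a raw MBR sector and sanity-check its partition table.

Added example; not part of the thread and not code from FRST or TDSSKiller.
Partition geometry and disk size come from the TDSSKiller log posted above;
the MBR bytes are constructed here (zeroed boot code, assumed boot flag on
the first entry), because MBRDUMP.txt is not reproduced on the page.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE        # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE    # must hold 55 AA

# From the log: Drive size 0x3A38B2E000 bytes, SectorSize 0x200.
DISK_SECTORS = 0x3A38B2E000 // SECTOR

# (boot flag, type, StartLBA, BlocksNum) as reported by TDSSKiller.
# The 0x80 boot flag on the first entry is an assumption; the log omits it.
LOG_PARTITIONS = [
    (0x80, 0x07, 0x139C5, 0x1D4C000),      # D: Partition1
    (0x00, 0x07, 0x1D5F9C5, 0x1B4657AB),   # C: Partition2
]


def build_mbr(entries, boot_code=b""):
    """Construct a 512-byte MBR image from (boot, type, start, count) tuples."""
    buf = bytearray(SECTOR)
    buf[: len(boot_code)] = boot_code
    for i, (boot, ptype, start, count) in enumerate(entries):
        # CHS fields are filled with FE FF FF, the usual "use LBA" marker.
        struct.pack_into("<B3sB3sII", buf, TABLE_OFFSET + 16 * i,
                         boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                         start, count)
    buf[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(buf)


def parse_entries(mbr):
    """Decode the four primary entries; fully empty slots are skipped."""
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # B = boot flag, 3x = CHS start, B = type, 3x = CHS end, I = LBA, I = count
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and start == 0 and count == 0:
            continue
        parts.append({"index": i + 1, "boot": boot, "type": ptype,
                      "start_lba": start, "sectors": count,
                      "end_lba": start + count})   # exclusive end
    return parts


def analyse(mbr, disk_sectors):
    """Return the decoded table plus a list of findings worth a closer look."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    findings = []
    sig_ok = mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa"
    if not sig_ok:
        findings.append("boot signature 55 AA missing")
    parts = parse_entries(mbr)
    for p in parts:
        if p["boot"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid boot flag 0x{p['boot']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {p['index']}: zero-length partition of type 0x{p['type']:02x}")
        if p["type"] == 0:
            findings.append(f"entry {p['index']}: type 0 slot with non-zero geometry")
        if p["end_lba"] > disk_sectors:
            findings.append(f"entry {p['index']}: extends past end of disk")
    ordered = sorted((p for p in parts if p["sectors"]), key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start_lba"] < a["end_lba"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    last_end = max((p["end_lba"] for p in ordered), default=0)
    trailing_gap = max(disk_sectors - last_end, 0)
    if trailing_gap:
        findings.append(f"{trailing_gap} unpartitioned sectors after the last partition")
    return {"signature_ok": sig_ok, "partitions": parts,
            "trailing_gap": trailing_gap, "findings": findings}


if __name__ == "__main__":
    result = analyse(build_mbr(LOG_PARTITIONS), DISK_SECTORS)
    for p in result["partitions"]:
        print(f"#{p['index']} type=0x{p['type']:02x} start={p['start_lba']:#x} "
              f"sectors={p['sectors']:#x} end={p['end_lba']:#x}")
    for f in result["findings"]:
        print("finding:", f)
```

To check a live disk instead of the constructed image, run the script as administrator on the affected machine and pass `open(r"\\.\PhysicalDrive0", "rb").read(512)` to `analyse()`. The boot code itself is not interpreted here, so a patched loader sitting in front of an intact partition table will produce no finding; that case is caught only by diffing the dump against a known-good MBR.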

#9 Jamazz (Topic Starter, Member, 90 posts)

I downloaded ListParts to a flash drive and rebooted to F8. I get the usual list of boot options, including "Repair your computer", but after I select it, it loads into Windows. It is a generic Windows sign-in display with "Other User" listed as the only account. Nothing I use works. I tried the Admin account (Karen), the Guest account and a random account with no password. I was not able to log in.

Just to be thorough:

I start to deviate from your directions, as they are listed under the blue text, after I, "Click on Repair your computer menu item". After that, I get no choice for Keyboard Language settings, it just boots to a low resolution, user log-in screen that I cannot shutdown or restart from.

#10 JSntgRvr (Global Moderator, 11,579 posts)

Let me confirm the presence on that partition.

Download the enclosed file.

Save it next to FRST, overwriting the existing one if present.

Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log next to FRST (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

#11 Jamazz (Topic Starter, Member, 90 posts)

I ran FRST from the desktop after putting the new fixlist.txt file next to it. I ran Fix and not even a second later it completed and displayed the log. However, unless it put the dump file somewhere else, I didn't get one on the desktop.

Fixlog data:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-06-2013 01
Ran by karen hastings at 2013-06-30 10:01:25 Run:2
Running from C:\Users\karen hastings\Desktop
Boot Mode: Normal
==============================================


==== End of Fixlog ====



#12 JSntgRvr (Global Moderator, 11,579 posts)

My fault. Wrong command. Try this fixlist.txt:

#13 Jamazz (Topic Starter, Member, 90 posts)

That worked.

Fixlog data:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-06-2013 01
Ran by karen hastings at 2013-06-30 10:26:52 Run:3
Running from C:\Users\karen hastings\Desktop
Boot Mode: Normal
==============================================

MBRDUMP.txt is made successfully.

==== End of Fixlog ====


#14 Jamazz (Topic Starter, Member, 90 posts)

I'd like to add that I have done a full, exhaustive system scan with AVG after each of the last few reboots and it has found nothing. I appreciate the help you have provided, thus far, and I'm eager to continue with your instructions.

#15 JSntgRvr (Global Moderator, 11,579 posts)

The MBR is now clear. The copy I saw earlier was perhaps produced prior to TDSSKiller.

Let's scan for remnants:

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please post it in your next reply.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.