Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Possible Conflicting Protection? [Closed]


  • This topic is locked This topic is locked

#16
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Hello Jvescov1,

 

Thanks for posting back about being stuck with aswMBR.  The machine is disconnected from the internet so if a tool tries to download anything, it will fail.  That is a good thing in this case.  :)

 

For now, I would like you to eject the USB from the infected computer, put it back into the clean computer to copy ERUNT onto it:

 

First

Make a backup of the existing registry using ERUNT:

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

Click here to download the ERUNT installer to your USB stick.

 

When the download is finished, eject the USB stick, and put it back into your infected computer.

 

On the infected computer, copy the ERUNT installer over from the USB stick to your Desktop, and run it. Follow the prompts to create your first registry backup.

 

Second

Please try to run aswMBR.exe in Safe Mode:

 

Boot into Safe Mode in Windows Vista

Note: Please print these instructions or copy/paste them into a notepad file in case you are unable to access this site.

  • Turn your computer off through Shut Down.
  • Wait a few seconds, then turn it back on.
  • Once your computer's manufacturer logo (eg. 'Dell') starts to show, start pressing the F8 key repeatedly.
  • Keep pressing it until the Windows Advanced Options Menu loads up.
  • Make sure 'Safe Mode' is selected, navigate to it by using the arrow keys.
  • Press enter, and your computer will start booting into Safe Mode.

 

Once in Safe Mode, try to run aswMBR.exe from your Desktop again. 

 

If you can't get aswMBR.exe to run in Safe Mode, just copy/paste the log files you already have from your infected computer to your USB stick, and from the clean computer, copy/paste the log file contents back here so we can look at what you have.

 

 

Did you have any problems running TDSSKiller?

 

Looking forward to seeing the Security Check, TDSSKiller and aswMBR logs... :cool:


  • 0

Advertisements


#17
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Hello Jvescov1,

 

It's been a couple days since my last post here, but I haven't heard back from you.  Have you run my last instructions above?  Do you still need help with your system?

 

Please let me know where things stand.  :)


  • 0

#18
Jvescov1

Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

hey bud sorry for the delay heres the files you requested. answmb is still getting stuck on avast engine error is it beacause i kept avg instead of avast?

 

 

 Results of screen317's Security Check version 1.003  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 8 Out of date! 
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
avast! antivirus   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Ad-Aware 
 Java™ 6 Update 30  
 Java version 32-bit out of Date! 
 Adobe Flash Player 17.0.0.169  
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox 17.0.1 Firefox out of Date!  
 Google Chrome (43.0.2357.65) 
 Google Chrome (43.0.2357.81) 
````````Process Check: objlist.exe by Laurent````````  
 Ad-Aware AAWService.exe 
 Ad-Aware AAWTray.exe is disabled! 
 AVG avgrsx.exe 
 AVG avgemc.exe 
 IObit IObit Malware Fighter IMFsrv.exe  
 IObit IObit Malware Fighter IMF.exe  
 IObit IObit Malware Fighter IMFTips.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1 % 
````````````````````End of Log`````````````````````` 
 
 
 
 
 
 
 
 
 
 

18:27:15.0329 0x4ce0  TDSS rootkit removing tool 3.0.0.44 Jan 22 2015 08:27:04
18:27:21.0257 0x4ce0  ============================================================
18:27:21.0257 0x4ce0  Current date / time: 2015/06/11 18:27:21.0257
18:27:21.0257 0x4ce0  SystemInfo:
18:27:21.0257 0x4ce0  
18:27:21.0257 0x4ce0  OS Version: 6.0.6002 ServicePack: 2.0
18:27:21.0257 0x4ce0  Product type: Workstation
18:27:21.0257 0x4ce0  ComputerName: JOSEPH-PC
18:27:21.0257 0x4ce0  UserName: Joseph
18:27:21.0257 0x4ce0  Windows directory: C:\Windows
18:27:21.0257 0x4ce0  System windows directory: C:\Windows
18:27:21.0257 0x4ce0  Processor architecture: Intel x86
18:27:21.0257 0x4ce0  Number of processors: 4
18:27:21.0257 0x4ce0  Page size: 0x1000
18:27:21.0257 0x4ce0  Boot type: Normal boot
18:27:21.0257 0x4ce0  ============================================================
18:27:24.0642 0x4ce0  KLMD registered as C:\Windows\system32\drivers\01174864.sys
18:27:27.0606 0x4ce0  System UUID: {96266C19-034F-B7E5-CDAF-988BCE946F45}
18:27:32.0754 0x4ce0  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 ( 465.76 Gb ), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:27:32.0863 0x4ce0  Drive \Device\Harddisk5\DR5 - Size: 0x1E3000000 ( 7.55 Gb ), SectorSize: 0x200, Cylinders: 0x3D9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:27:32.0863 0x4ce0  ============================================================
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0:
18:27:32.0863 0x4ce0  MBR partitions:
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x18000, BlocksNum 0x1400000
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1418000, BlocksNum 0x38F6D800
18:27:32.0863 0x4ce0  \Device\Harddisk5\DR5:
18:27:32.0863 0x4ce0  MBR partitions:
18:27:32.0863 0x4ce0  \Device\Harddisk5\DR5\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0xF17FC1
18:27:32.0863 0x4ce0  ============================================================
18:27:32.0879 0x4ce0  C: <-> \Device\Harddisk0\DR0\Partition2
18:27:32.0926 0x4ce0  D: <-> \Device\Harddisk0\DR0\Partition1
18:27:32.0926 0x4ce0  ============================================================
18:27:32.0926 0x4ce0  Initialize success
18:27:32.0926 0x4ce0  ============================================================
18:27:52.0112 0x4a7c  KLMD registered as C:\Windows\system32\drivers\02198842.sys
18:28:10.0022 0x4a7c  Deinitialize success
 

  • 0

#19
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Hi Jvescov1,

 

No problem, I'm happy to see that you have returned.  :)

 

Thanks for the logs so far.  Could you please try aswMBR.exe in Safe Mode again, but this time, deny the definitions prompt.  Then click the Scan button and see if you can get it to run successfully.

 

If you do get it to run, when it finishes, only click on the Save log button, save the log to the Desktop or your USB stick, then click the Exit button.

 

Let me know the results please.

 

Also: I have to travel for work today (@5:30AM EST), so my availability may be limited for most of the day.  I'll try to check in here while traveling to see if you've responded back and provide what I can for answers and/or steps to continue on our path of getting that machine clean... ;)


  • 0

#20
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Hello Jvescov1,

 

Just checking in with you here.  Were you able to get aswMBR to run in Safe Mode

 

If you have trouble running it, please let me know so we can try something else.  :D


  • 0

#21
Jvescov1

Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
here we bud info you requested! :)
 
 
 
aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-06-16 12:11:18
-----------------------------
12:11:18.037    OS Version: Windows 6.0.6002 Service Pack 2
12:11:18.037    Number of processors: 4 586 0xF0B
12:11:18.037    ComputerName: JOSEPH-PC  UserName: Joseph
12:11:19.129    Initialize success
12:11:27.132    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
12:11:27.147    Disk 0 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
12:11:27.147    Disk 0 MBR read successfully
12:11:27.147    Disk 0 MBR scan
12:11:27.163    Disk 0 Windows VISTA default MBR code
12:11:27.163    Disk 0 Partition 1 00     DE   Dell Utility Dell 8.0       47 MB offset 63
12:11:27.163    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS        10240 MB offset 98304
12:11:27.178    Disk 0 Partition 3 80 (A) 07      HPFS/NTFS NTFS       466651 MB offset 21069824
12:11:27.194    Disk 0 scanning sectors +976771072
12:11:27.288    Disk 0 scanning C:\Windows\system32\drivers
12:11:34.900    Service scanning
12:11:44.822    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
12:11:48.706    Modules scanning
12:11:48.706    Disk 0 trace - called modules:
12:11:48.722    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86afb1f8]<<
12:11:48.738    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8713eac8]
12:11:48.738    3 CLASSPNP.SYS[8a1b18b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x86f67030]
12:11:48.738    \Driver\iaStorV[0x86b3fa40] -> IRP_MJ_CREATE -> 0x86afb1f8
12:11:48.753    Disk 0 statistics 77352/0/0 @ 6.34 MB/s
12:11:48.753    Scan finished successfully
12:17:58.754    Disk 0 MBR has been saved successfully to "K:\MBR.dat"
12:17:58.785    The log file has been saved successfully to "K:\aswMBR.txt"

Edited by Jvescov1, 16 June 2015 - 11:20 PM.

  • 0

#22
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Hello Jvescov1,

 

Thanks for the log.  I'd like you to take these steps now:

 

First

Get the files you will need

 

Download the following files to your USB stick from your clean computer:

Plug your USB drive into the infected computer and copy the fixlist.txt and FSS.exe files to the Desktop.

 

Second

Run a FRST Fix
 

  •  Make sure the fixlist.txt file is on your the Desktop (where FRST.exe is located).

    (Note: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.)

    Notice: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST/FRST64 from your Desktop and press the Fix button just once and wait.
    FRST_Fix_zps8lrdygec.png
  • If for some reason the tool needs a restart, please make sure you let the system restart normally.  After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop named Fixlog.txt. Please copy and paste the log to your USB stick.

Third

 

Run a scan with Farbar Service Scanner

Please run FSS.exe from the infected computer's the Desktop, and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run (the Desktop).
  • Please copy and paste the log to your USB stick.

 

 

Then

Plug your USB stick into the clean computer, and copy/paste the contents of the following logs in your reply:

  • FRST fixlog
  • FSS log

 

 


  • 0

#23
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Hello Jvescov1,

 

Are you having trouble or do you need more time?


  • 0

#24
Jvescov1

Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Hey bud I thought I posted a message apparently it didnt go through but im outta town till friday when I can get back on it thanks!
  • 0

#25
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

OK, if the thread gets closed (by others) in the interim for inactivity, please PM a moderator or myself so someone can reopen it to continue.

 

Looking forward to your return to the thread.  I thought we had lost you... :)


  • 0

Advertisements


#26
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Just checking in here.  Let me know when you're ready to continue.  :)


  • 0

#27
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


  • 0

#28
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

OK, Jvescov1, the thread has been reopened. :)

 

Please continue with my instructions in Post #22 above.


  • 0

#29
Jvescov1

Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

workin on it now!


  • 0

#30
Jvescov1

Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

theres not a link for the Recovery scan tool just the service scanner


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP