
Possible Conflicting Protection? [Closed]


  • This topic is locked

#16
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

Hello Jvescov1,

 

Thanks for posting back about being stuck with aswMBR.  The machine is disconnected from the internet so if a tool tries to download anything, it will fail.  That is a good thing in this case.  :)

 

For now, I would like you to eject the USB from the infected computer, put it back into the clean computer to copy ERUNT onto it:

 

First

Make a backup of the existing registry using ERUNT:

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

Click here to download the ERUNT installer to your USB stick.

 

When the download is finished, eject the USB stick, and put it back into your infected computer.

 

On the infected computer, copy the ERUNT installer over from the USB stick to your Desktop, and run it. Follow the prompts to create your first registry backup.

 

Second

Please try to run aswMBR.exe in Safe Mode:

 

Boot into Safe Mode in Windows Vista

Note: Please print these instructions or copy/paste them into a notepad file in case you are unable to access this site.

  • Turn your computer off through Shut Down.
  • Wait a few seconds, then turn it back on.
  • Once your computer's manufacturer logo (e.g. 'Dell') starts to show, start pressing the F8 key repeatedly.
  • Keep pressing it until the Windows Advanced Options Menu loads up.
  • Make sure 'Safe Mode' is selected; navigate to it using the arrow keys.
  • Press Enter, and your computer will start booting into Safe Mode.

 

Once in Safe Mode, try to run aswMBR.exe from your Desktop again. 

 

If you can't get aswMBR.exe to run in Safe Mode, just copy/paste the log files you already have from your infected computer to your USB stick, and from the clean computer, copy/paste the log file contents back here so we can look at what you have.

 

 

Did you have any problems running TDSSKiller?

 

Looking forward to seeing the Security Check, TDSSKiller and aswMBR logs... :cool:


#17
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

Hello Jvescov1,

 

It's been a couple days since my last post here, but I haven't heard back from you.  Have you run my last instructions above?  Do you still need help with your system?

 

Please let me know where things stand.  :)


#18
Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Hey bud, sorry for the delay. Here's the files you requested. aswMBR is still getting stuck on an avast engine error. Is it because I kept AVG instead of avast?

 

 

 Results of screen317's Security Check version 1.003  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 8 Out of date! 
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
avast! antivirus   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Ad-Aware 
 Java™ 6 Update 30  
 Java version 32-bit out of Date! 
 Adobe Flash Player 17.0.0.169  
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox 17.0.1 Firefox out of Date!  
 Google Chrome (43.0.2357.65) 
 Google Chrome (43.0.2357.81) 
````````Process Check: objlist.exe by Laurent````````  
 Ad-Aware AAWService.exe 
 Ad-Aware AAWTray.exe is disabled! 
 AVG avgrsx.exe 
 AVG avgemc.exe 
 IObit IObit Malware Fighter IMFsrv.exe  
 IObit IObit Malware Fighter IMF.exe  
 IObit IObit Malware Fighter IMFTips.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1 % 
````````````````````End of Log`````````````````````` 

18:27:15.0329 0x4ce0  TDSS rootkit removing tool 3.0.0.44 Jan 22 2015 08:27:04
18:27:21.0257 0x4ce0  ============================================================
18:27:21.0257 0x4ce0  Current date / time: 2015/06/11 18:27:21.0257
18:27:21.0257 0x4ce0  SystemInfo:
18:27:21.0257 0x4ce0  
18:27:21.0257 0x4ce0  OS Version: 6.0.6002 ServicePack: 2.0
18:27:21.0257 0x4ce0  Product type: Workstation
18:27:21.0257 0x4ce0  ComputerName: JOSEPH-PC
18:27:21.0257 0x4ce0  UserName: Joseph
18:27:21.0257 0x4ce0  Windows directory: C:\Windows
18:27:21.0257 0x4ce0  System windows directory: C:\Windows
18:27:21.0257 0x4ce0  Processor architecture: Intel x86
18:27:21.0257 0x4ce0  Number of processors: 4
18:27:21.0257 0x4ce0  Page size: 0x1000
18:27:21.0257 0x4ce0  Boot type: Normal boot
18:27:21.0257 0x4ce0  ============================================================
18:27:24.0642 0x4ce0  KLMD registered as C:\Windows\system32\drivers\01174864.sys
18:27:27.0606 0x4ce0  System UUID: {96266C19-034F-B7E5-CDAF-988BCE946F45}
18:27:32.0754 0x4ce0  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 ( 465.76 Gb ), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:27:32.0863 0x4ce0  Drive \Device\Harddisk5\DR5 - Size: 0x1E3000000 ( 7.55 Gb ), SectorSize: 0x200, Cylinders: 0x3D9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:27:32.0863 0x4ce0  ============================================================
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0:
18:27:32.0863 0x4ce0  MBR partitions:
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x18000, BlocksNum 0x1400000
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1418000, BlocksNum 0x38F6D800
18:27:32.0863 0x4ce0  \Device\Harddisk5\DR5:
18:27:32.0863 0x4ce0  MBR partitions:
18:27:32.0863 0x4ce0  \Device\Harddisk5\DR5\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0xF17FC1
18:27:32.0863 0x4ce0  ============================================================
18:27:32.0879 0x4ce0  C: <-> \Device\Harddisk0\DR0\Partition2
18:27:32.0926 0x4ce0  D: <-> \Device\Harddisk0\DR0\Partition1
18:27:32.0926 0x4ce0  ============================================================
18:27:32.0926 0x4ce0  Initialize success
18:27:32.0926 0x4ce0  ============================================================
18:27:52.0112 0x4a7c  KLMD registered as C:\Windows\system32\drivers\02198842.sys
18:28:10.0022 0x4a7c  Deinitialize success
 

#19
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

Hi Jvescov1,

 

No problem, I'm happy to see that you have returned.  :)

 

Thanks for the logs so far.  Could you please try aswMBR.exe in Safe Mode again, but this time, deny the definitions prompt?  Then click the Scan button and see if you can get it to run successfully.

 

If you do get it to run, when it finishes, only click on the Save log button, save the log to the Desktop or your USB stick, then click the Exit button.

 

Let me know the results please.

 

Also: I have to travel for work today (@5:30AM EST), so my availability may be limited for most of the day.  I'll try to check in here while traveling to see if you've responded back and provide what I can for answers and/or steps to continue on our path of getting that machine clean... ;)


#20
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

Hello Jvescov1,

 

Just checking in with you here.  Were you able to get aswMBR to run in Safe Mode?

 

If you have trouble running it, please let me know so we can try something else.  :D


#21
Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Here we go bud, the info you requested! :)

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-06-16 12:11:18
-----------------------------
12:11:18.037    OS Version: Windows 6.0.6002 Service Pack 2
12:11:18.037    Number of processors: 4 586 0xF0B
12:11:18.037    ComputerName: JOSEPH-PC  UserName: Joseph
12:11:19.129    Initialize success
12:11:27.132    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
12:11:27.147    Disk 0 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
12:11:27.147    Disk 0 MBR read successfully
12:11:27.147    Disk 0 MBR scan
12:11:27.163    Disk 0 Windows VISTA default MBR code
12:11:27.163    Disk 0 Partition 1 00     DE   Dell Utility Dell 8.0       47 MB offset 63
12:11:27.163    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS        10240 MB offset 98304
12:11:27.178    Disk 0 Partition 3 80 (A) 07      HPFS/NTFS NTFS       466651 MB offset 21069824
12:11:27.194    Disk 0 scanning sectors +976771072
12:11:27.288    Disk 0 scanning C:\Windows\system32\drivers
12:11:34.900    Service scanning
12:11:44.822    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
12:11:48.706    Modules scanning
12:11:48.706    Disk 0 trace - called modules:
12:11:48.722    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86afb1f8]<<
12:11:48.738    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8713eac8]
12:11:48.738    3 CLASSPNP.SYS[8a1b18b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x86f67030]
12:11:48.738    \Driver\iaStorV[0x86b3fa40] -> IRP_MJ_CREATE -> 0x86afb1f8
12:11:48.753    Disk 0 statistics 77352/0/0 @ 6.34 MB/s
12:11:48.753    Scan finished successfully
12:17:58.754    Disk 0 MBR has been saved successfully to "K:\MBR.dat"
12:17:58.785    The log file has been saved successfully to "K:\aswMBR.txt"

Edited by Jvescov1, 16 June 2015 - 11:20 PM.
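As an added example (not a tool or script from this thread), here is a Python cross-check of the partition tables the aswMBR log above and the earlier TDSSKiller log report: it parses both tools' partition lines, checks the table for exactly one bootable entry and no overlapping extents, and reports entries the two tools disagree on. It assumes 512-byte sectors, as both logs state; the helper names are hypothetical.

```python
import re
# Constructed input: partition lines copied from the aswMBR and TDSSKiller logs posted in
# this thread. The helpers below are hypothetical and not part of either tool.
ASWMBR_LOG = """\
12:11:27.163    Disk 0 Partition 1 00     DE   Dell Utility Dell 8.0       47 MB offset 63
12:11:27.163    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS        10240 MB offset 98304
12:11:27.178    Disk 0 Partition 3 80 (A) 07      HPFS/NTFS NTFS       466651 MB offset 21069824
"""
TDSS_LOG = r"""
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x18000, BlocksNum 0x1400000
18:27:32.0863 0x4ce0  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1418000, BlocksNum 0x38F6D800
"""
# aswMBR line shape: "Partition N <boot> [(A)] <type> <label...> <size> MB offset <start LBA>"
ASW_RE = re.compile(r"Partition (\d+) ([0-9A-F]{2})\s*(\(A\))?\s*([0-9A-F]{2})\s.*?(\d+) MB offset (\d+)\s*$")
TDSS_RE = re.compile(r"Partition(\d+): MBR, Type 0x([0-9A-Fa-f]+), StartLBA 0x([0-9A-Fa-f]+), BlocksNum 0x([0-9A-Fa-f]+)")
SECTORS_PER_MB = 1024 * 1024 // 512  # assumes the 512-byte sectors both logs report

def parse_aswmbr(log):
    """Return (index, boot_flag, type_byte, start_lba, sectors) for each aswMBR partition line."""
    parts = []
    for line in log.splitlines():
        m = ASW_RE.search(line)
        if m:
            parts.append((int(m[1]), int(m[2], 16), int(m[4], 16), int(m[6]), int(m[5]) * SECTORS_PER_MB))
    return parts

def parse_tdsskiller(log):
    """Return (index, type_byte, start_lba, sectors) for each TDSSKiller partition line."""
    return [(int(i), int(t, 16), int(s, 16), int(n, 16)) for i, t, s, n in TDSS_RE.findall(log)]

def check_mbr_table(parts):
    """Sanity-check an MBR table: one bootable (0x80) entry, no overlapping extents. Returns (problems, end LBA)."""
    problems = []
    bootable = [p for p in parts if p[1] == 0x80]
    if len(bootable) != 1:
        problems.append(f"expected 1 bootable partition, found {len(bootable)}")
    prev_end = 0
    for idx, _boot, _ptype, start, sectors in sorted(parts, key=lambda p: p[3]):
        if start < prev_end:
            problems.append(f"partition {idx} overlaps the previous one")
        prev_end = start + sectors  # exclusive end sector of this partition
    return problems, prev_end

def cross_check(asw, tdss, tolerance=SECTORS_PER_MB):
    """Match entries by start LBA; return (entries only aswMBR lists, entries whose type/size disagree)."""
    by_start = {s: (t, n) for _i, t, s, n in tdss}  # aswMBR rounds sizes to whole MB, hence the tolerance
    only_asw, mismatched = [], []
    for idx, _boot, ptype, start, sectors in asw:
        if start not in by_start:
            only_asw.append((idx, ptype))
        elif by_start[start][0] != ptype or abs(by_start[start][1] - sectors) > tolerance:
            mismatched.append(idx)
    return only_asw, mismatched
```

On the posted logs the two tools agree on both NTFS partitions, only aswMBR lists the type 0xDE Dell Utility partition, and the computed end of the last partition (976771072) is the sector offset in aswMBR's "scanning sectors +976771072" line.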

#22
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

Hello Jvescov1,

 

Thanks for the log.  I'd like you to take these steps now:

 

First

Get the files you will need

 

Download the following files to your USB stick from your clean computer:

Plug your USB drive into the infected computer and copy the fixlist.txt and FSS.exe files to the Desktop.

 

Second

Run a FRST Fix
 

  •  Make sure the fixlist.txt file is on your Desktop (where FRST.exe is located).

    (Note: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.)

    Notice: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST/FRST64 from your Desktop and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally.  After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop named Fixlog.txt. Please copy and paste the log to your USB stick.

Third

 

Run a scan with Farbar Service Scanner

Please run FSS.exe from the infected computer's Desktop (the computer with the issue).

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run (the Desktop).
  • Please copy and paste the log to your USB stick.

 

 

Then

Plug your USB stick into the clean computer, and copy/paste the contents of the following logs in your reply:

  • FRST fixlog
  • FSS log

 

 


#23
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

Hello Jvescov1,

 

Are you having trouble or do you need more time?


#24
Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Hey bud, I thought I posted a message; apparently it didn't go through. But I'm outta town till Friday, when I can get back on it. Thanks!

#25
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

OK, if the thread gets closed (by others) in the interim for inactivity, please PM a moderator or myself so someone can reopen it to continue.

 

Looking forward to your return to the thread.  I thought we had lost you... :)


#26
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

Just checking in here.  Let me know when you're ready to continue.  :)


#27
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


#28
DanoNH

    Trusted Helper

  • Malware Removal
  • 2,155 posts

OK, Jvescov1, the thread has been reopened. :)

 

Please continue with my instructions in Post #22 above.


#29
Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Workin' on it now!


#30
Jvescov1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

There's not a link for the Recovery Scan Tool, just the Service Scanner.