Stone Emissary
Sanctioner
Posts: 14
Registered: ‎04-05-2012

Re: Happili Virus/malware issues with Trend

[ Edited ]

Hi.

Booted the computer, logged in, and got these errors: "Google Installer has stopped working".

I ran aswMBR; it advised me to download virus definitions, but I forgot to unblock the network in Trend, so

the first file is without the virus definition download.

The second run of aswMBR is after it downloaded the virus definitions. Also, while it was updating, I had these errors:

Anti-Malware warned to quarantine "c:\windows\svchost.exe" (Trojan.Agent), and "Windows Media Player has stopped working".

***Note: Anti-Malware and Trend were both running during this.***

---First run---

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-10 17:09:53
-----------------------------
17:09:53.384    OS Version: Windows x64 6.0.6002 Service Pack 2
17:09:53.385    Number of processors: 2 586 0x1706
17:09:53.385    ComputerName: HOMEULTIMATE-PC  UserName:
17:09:53.916    Initialize success
17:10:32.997    AVAST engine download error: 0
17:11:07.544    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005f
17:11:07.545    Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 6
17:11:07.546    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000060
17:11:07.548    Disk 1 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 6
17:11:07.549    Device \Driver\nvstor64 -> MajorFunction fffffa80060925c4
17:11:07.551    Disk 0 MBR read successfully
17:11:07.552    Disk 0 MBR scan
17:11:07.554    Disk 0 Windows VISTA default MBR code
17:11:07.564    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        60000 MB offset 2048
17:11:07.579    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       150000 MB offset 122882048
17:11:07.599    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        28473 MB offset 430082048
17:11:07.624    Disk 0 scanning C:\Windows\system32\drivers
17:11:16.717    Service scanning
17:11:19.033    Service GMSIPCI I:\INSTALL\GMSIPCI.SYS **LOCKED** 21
17:11:26.107    Modules scanning
17:11:26.110    Disk 0 trace - called modules:
17:11:26.114    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys >>UNKNOWN [0xfffffa80060925c4]<<hal.dll
17:11:26.116    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a6a730]
17:11:26.119    3 CLASSPNP.SYS[fffffa600120fc33] -> nt!IofCallDriver -> [0xfffffa8004896c20]
17:11:26.121    5 acpi.sys[fffffa60008f3fde] -> nt!IofCallDriver -> \Device\0000005f[0xfffffa80048cf9e0]
17:11:26.124    \Driver\nvstor64[0xfffffa8005f89ad0] -> IRP_MJ_CREATE -> 0xfffffa80060925c4
17:11:26.126    Scan finished successfully
17:12:59.487    Disk 0 MBR has been saved successfully to "J:\Computer fix 04-06-2012\aswMBR\MBR.dat"
17:12:59.533    The log file has been saved successfully to "J:\Computer fix 04-06-2012\aswMBR\aswMBR_first run.txt"

---Second run---

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-10 17:13:21
-----------------------------
17:13:21.616    OS Version: Windows x64 6.0.6002 Service Pack 2
17:13:21.616    Number of processors: 2 586 0x1706
17:13:21.616    ComputerName: HOMEULTIMATE-PC  UserName:
17:13:21.958    Initialize success
17:17:38.265    AVAST engine defs: 12041002
17:19:08.755    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005f
17:19:08.786    Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 6
17:19:08.791    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000060
17:19:08.793    Disk 1 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 6
17:19:08.795    Device \Driver\nvstor64 -> MajorFunction fffffa80060925c4
17:19:08.797    Disk 0 MBR read successfully
17:19:08.799    Disk 0 MBR scan
17:19:08.802    Disk 0 Windows VISTA default MBR code
17:19:08.863    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        60000 MB offset 2048
17:19:08.886    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       150000 MB offset 122882048
17:19:08.957    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        28473 MB offset 430082048
17:19:09.103    Disk 0 scanning C:\Windows\system32\drivers
17:19:44.235    Service scanning
17:19:49.569    Service GMSIPCI I:\INSTALL\GMSIPCI.SYS **LOCKED** 21
17:20:04.647    Modules scanning
17:20:04.650    Disk 0 trace - called modules:
17:20:04.654    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys >>UNKNOWN [0xfffffa80060925c4]<<hal.dll
17:20:04.656    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a6a730]
17:20:04.659    3 CLASSPNP.SYS[fffffa600120fc33] -> nt!IofCallDriver -> [0xfffffa8004896c20]
17:20:04.661    5 acpi.sys[fffffa60008f3fde] -> nt!IofCallDriver -> \Device\0000005f[0xfffffa80048cf9e0]
17:20:04.664    \Driver\nvstor64[0xfffffa8005f89ad0] -> IRP_MJ_CREATE -> 0xfffffa80060925c4
17:20:05.441    AVAST engine scan C:\Windows
17:20:09.406    AVAST engine scan C:\Windows\system32
17:24:36.555    AVAST engine scan C:\Windows\system32\drivers
17:24:47.981    AVAST engine scan C:\Users\Home Ultimate 01
17:25:59.315    AVAST engine scan C:\ProgramData
17:26:50.301    Scan finished successfully
17:27:51.668    Disk 0 MBR has been saved successfully to "J:\Computer fix 04-06-2012\aswMBR\MBR.dat"
17:27:51.712    The log file has been saved successfully to "J:\Computer fix 04-06-2012\aswMBR\aswMBR_second run.txt"

So I still have some questions about Trend and Anti-Malware running at the same time: is that okay, or should I shut one or the other down? I don't know if they will conflict with each other or not.

Okay, thank you again, and I await the next instructions.

"S"
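The two aswMBR logs above are the kind of artefact an analyst triages by hand. The following added example (not from the original post, and not part of the aswMBR tool) does the same triage in code. It parses a constructed excerpt in aswMBR's log format (the values are copied from the first run above), extracts the disk size and partition table, and flags two things worth following up: an IRP dispatch pointer of the disk miniport driver that aswMBR printed as >>UNKNOWN<<, meaning it could not attribute the address to any loaded module (TDL4-family bootkits hide their sectors by hooking exactly these miniport dispatch routines), and a service image reported as **LOCKED**, meaning it could not be opened for scanning. It also checks the path from the Anti-Malware warning: the legitimate svchost.exe lives in %SystemRoot%\System32 (and SysWOW64 on 64-bit Windows), so a copy directly under C:\Windows is suspicious on its own. The function names, the allowlist of binary names and the wording of the findings are this example's own assumptions, not aswMBR output.

```python
import re
from dataclasses import dataclass, field

SECTORS_PER_MB = 2048   # aswMBR prints sizes in MB; 1 MB = 2048 sectors of 512 bytes

# Constructed excerpt in aswMBR's log format; the values are copied from the first run in the thread.
SAMPLE_LOG = r"""17:11:07.545    Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 6
17:11:07.549    Device \Driver\nvstor64 -> MajorFunction fffffa80060925c4
17:11:07.554    Disk 0 Windows VISTA default MBR code
17:11:07.564    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        60000 MB offset 2048
17:11:07.579    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       150000 MB offset 122882048
17:11:07.599    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        28473 MB offset 430082048
17:11:19.033    Service GMSIPCI I:\INSTALL\GMSIPCI.SYS **LOCKED** 21
17:11:26.114    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys >>UNKNOWN [0xfffffa80060925c4]<<hal.dll
17:11:26.124    \Driver\nvstor64[0xfffffa8005f89ad0] -> IRP_MJ_CREATE -> 0xfffffa80060925c4
17:11:26.126    Scan finished successfully
"""


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int          # MBR partition type byte; 0x07 is NTFS
    size_mb: int
    offset_sectors: int


@dataclass
class AswMbrTriage:
    disk_size_mb: int = 0
    mbr_code: str = ""                                     # aswMBR's verdict on the boot code
    partitions: list = field(default_factory=list)
    locked_services: list = field(default_factory=list)    # (service name, image path)
    unknown_addrs: set = field(default_factory=set)        # addresses aswMBR could not attribute
    dispatch_hooks: list = field(default_factory=list)     # (driver, IRP major function, target)


SIZE_RE = re.compile(r"Disk 0 Vendor: .*? Size: (\d+)MB")
MBR_RE = re.compile(r"Disk 0 (\S.* MBR code)$")
PART_RE = re.compile(r"Disk 0 Partition (\d+) ([0-9A-F]{2})( \(A\))?\s+([0-9A-F]{2})\s.*?\s(\d+) MB offset (\d+)")
LOCK_RE = re.compile(r"Service (\S+) (\S+) \*\*LOCKED\*\*")
UNK_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")
HOOK_RE = re.compile(r"(\\Driver\\\S+)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)")


def parse_aswmbr_log(text: str) -> AswMbrTriage:
    """Pull disk geometry, locked services and dispatch hooks out of an aswMBR log."""
    t = AswMbrTriage()
    for raw in text.splitlines():
        line = raw.rstrip()
        # Every entry starts with an HH:MM:SS.mmm timestamp; drop it before matching.
        if line[:2].isdigit() and " " in line:
            line = line.split(None, 1)[1]
        if m := SIZE_RE.search(line):
            t.disk_size_mb = int(m.group(1))
        elif m := MBR_RE.search(line):
            t.mbr_code = m.group(1)
        elif m := PART_RE.search(line):
            t.partitions.append(Partition(int(m.group(1)), m.group(2) == "80",
                                          int(m.group(4), 16), int(m.group(5)), int(m.group(6))))
        elif m := LOCK_RE.search(line):
            t.locked_services.append((m.group(1), m.group(2)))
        if m := UNK_RE.search(line):
            t.unknown_addrs.add(m.group(1))
        if m := HOOK_RE.search(line):
            t.dispatch_hooks.append((m.group(1), m.group(2), m.group(3)))
    return t


def findings(t: AswMbrTriage) -> list:
    """Turn the parsed facts into follow-up items (the wording is this example's own)."""
    out = []
    for driver, irp, target in t.dispatch_hooks:
        if target in t.unknown_addrs:   # miniport dispatch points outside every known module
            out.append(f"{driver} {irp} dispatch -> {target} not attributed to any loaded module")
    for svc, path in t.locked_services:
        out.append(f"service {svc} image {path} is LOCKED; it could not be read for scanning")
    return out


# Binaries a default Windows install keeps only under System32 (and SysWOW64 on x64).
# This allowlist is the example's assumption; extend it from your own clean baseline.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}


def misplaced_system_binary(path: str) -> bool:
    """True when a System32-only binary name is reported somewhere else, e.g. C:\\Windows\\svchost.exe."""
    p = path.lower().replace("/", "\\")
    parent, _, name = p.rpartition("\\")
    if name not in SYSTEM32_ONLY:
        return False
    return not parent.endswith(("\\windows\\system32", "\\windows\\syswow64"))


if __name__ == "__main__":
    triage = parse_aswmbr_log(SAMPLE_LOG)
    print(f"disk {triage.disk_size_mb} MB, {len(triage.partitions)} partitions, boot code: {triage.mbr_code}")
    for item in findings(triage):
        print("FOLLOW UP:", item)
    for path in (r"c:\windows\svchost.exe", r"c:\windows\system32\svchost.exe"):
        print(path, "-> misplaced" if misplaced_system_binary(path) else "-> expected location")
```

Neither finding is proof of infection on its own: a LOCKED image can be a driver on removable media that was simply not readable, and an unattributed pointer can be a legitimate filter. What makes them worth the offline scan the next reply asks for is the combination with the symptoms described above (a system binary outside System32, redirects, crashing services).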
Legendary Emissary
malwarekiller
Posts: 3,925
Registered: ‎08-08-2011

Re: Happili Virus/malware issues with Trend

I would suggest a rescue disk now, as your issues point me to that as the way to check for malware.

STEP 1: Download Kaspersky Rescue Disk 

You can download the Kaspersky Rescue Disk ISO image from the Kaspersky Lab server.





STEP 2: Burn the Image to a Disc

In order to create a bootable disk you need to use an application to burn that ISO image file to an optical disk. We prefer using ImgBurn, but there are plenty of ways to burn an ISO to a disc.

  1. Download the latest version of ImgBurn.
  2. Insert your blank DVD/CD in your burner now.
  3. Install ImgBurn and then start the program.
  4. Click on the 'Write image file to disc' button.
  5. Under 'Source' click on the 'Browse for file' button, then browse to the location where you previously saved the Kaspersky Rescue Disk ISO file (kav_rescue_10.iso).
  6. Click the big 'Write' button.
  7. The disc creation process will now start and it will take around 5-10 minutes to complete.



Note: It is strongly recommended to record the disk with minimum available speed. Otherwise, it can cause record errors.




STEP 3: Configure the computer to boot from CD-ROM

Use the Delete or F2 key to load the BIOS menu. The keys F1, F10, F11, F12 might be used for some motherboards, as well as the following key combinations:

  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S

Information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot.

  1. In the BIOS settings select the Boot menu and set CD/DVD-ROM as the primary boot device (the BIOS interface may vary depending on the version).
  2. Insert the disc with the Kaspersky Rescue Disk image into the CD/DVD-ROM drive.


Kaspersky USB Rescue Disk is ready for work. You can boot a computer from it and start the system scan.




STEP 4:Boot your computer from Kaspersky Rescue Disk

  1. Restart your computer. After reboot, a message will appear on the screen: Press any key to enter the menu.
  2. Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from the hard drive automatically.
  3. In the start-up wizard window that opens, select the graphic interface language using the cursor keys. Press the ENTER key on the keyboard.
  4. Select one of the following start-up methods:
    • Kaspersky Rescue Disk. Graphic Mode loads the graphic subsystem.
    • Kaspersky Rescue Disk. Text Mode loads the text user interface represented by the Midnight Commander (MC) console file manager.
    • Boot from Hard Disk.
    We highly recommend that you select Kaspersky Rescue Disk. Graphic Mode, then press ENTER.
  5. The End User License Agreement of Kaspersky Rescue Disk 10 is displayed on the screen. Read the agreement carefully. If you agree with all the statements of the agreement, press the C button on your keyboard.
  6. Once the actions described above have been performed, the operating system starts.




STEP 5: Scan your system with Kaspersky Rescue Disk

You have now successfully booted your system from Kaspersky Rescue Disk and you will be presented with the Kaspersky Rescue Disk interface. In order to perform a system scan please follow the steps below.

  1. It is recommended to update the Kaspersky Rescue Disk database prior to starting a scan. Click on My Update Center, then Start update. If you cannot update, try connecting to the Internet using a wired (rather than wireless) connection and restart the Rescue Disk.
    When the update completes, the light at the top of the window will turn green, and the database release date will be updated.
  2. Click on the Objects Scan tab, and check any hard disks you wish to scan. Then click Start Objects Scan to begin the scan.
  3. If any malicious items are found, the default settings are to prompt you for action in a red popup window at the bottom right. Delete is the recommended action in most cases, but we strongly recommend that you first try to disinfect or quarantine the infected files, just to be on the safe side.
  4. When all detected items have been processed and removed, the light in the window will turn green and the scan will show as completed.
  5. When done you can close the Kaspersky Rescue Disk window and use the Start Menu to restart the computer.
—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
Sanctioner
Posts: 14
Registered: ‎04-05-2012

Re: Happili Virus/malware issues with Trend

Sorry for the delay in getting back to you.

I did as instructed and this is what was found:

Rootkit.Boot.Pihar.b

I was not given the option to delete.

I was only allowed to quarantine the file.

After which I rebooted and the svchost etc. failures stopped.

The operating system booted much faster.

I did not get any redirects so far.

So at this point I am not sure if everything is fine or not, but it seems to be.

I would really like to know if it's in my best interest to invest in some of the programs you have had me use.

I would really like some opinions on how to better set up my system to best avoid this in the future.

Of the programs you had me use, can I run:

Kaspersky

Malwarebytes

and Trend all at the same time, or will there be conflicts between them?

Please advise me as to what you think my next move might be and if you think the problem is solved.

Thank you very much for your time and help with this issue, many many thanks :)

 

"S"

Legendary Emissary
malwarekiller
Posts: 3,925
Registered: ‎08-08-2011

Re: Happili Virus/malware issues with Trend

[ Edited ]

Hi, let's ensure you are clean so far... also let's fix your PC instability.

Download the latest version of TDSSKiller from here and save it to your Desktop.

http://support.kaspersky.com/viruses/utility

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed. If TDLFS File system is found it can be deleted.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

NEXT

Download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/win...n_one.html

Install the program, then run it.

Go to step 2 and allow it to run Disc check.

Once that is done, go to step 3 and allow it to run SFC.

On the Start Repairs tab select Advanced Mode and click Start.

Select all the items given and tick "Restart system when finished", then click Start.

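TDSSKiller's "Detect TDLFS file system" option looks for the hidden file system that TDL4-family bootkits (Rootkit.Boot.Pihar is Kaspersky's name for one such variant) keep in the unpartitioned sectors after the last partition. The same rootkit hooks the disk miniport driver so that anything reading sector 0 from the running system gets the original, clean MBR back, which is why the offline rescue-disk scan in this thread found what the tools run inside Windows did not. The added example below (not from the original post, and not code from TDSSKiller or aswMBR) shows the two checks an analyst does on an MBR dump such as the MBR.dat that aswMBR saved earlier: decode the partition table and compute where the unpartitioned tail begins, and compare the dump against a baseline to tell "boot code replaced, partition table untouched" (the bootkit pattern) from a legitimate change. Both MBR images are constructed inside the block: the partition entries reproduce the layout in the aswMBR log, but the boot-code bytes are placeholders rather than real Vista or rootkit code, and a baseline dump from a known-clean state of the disk is assumed to exist. Function names are this example's own.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446              # the 64-byte partition table follows 446 bytes of boot code
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
SECTORS_PER_MB = 2048


def parse_mbr(blob: bytes) -> dict:
    """Decode one 512-byte MBR sector into a boot-code hash and its partition entries."""
    if len(blob) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(blob)}")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY_FMT, blob, PT_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"signature_ok": blob[510:512] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(blob[:PT_OFFSET]).hexdigest(),
            "partitions": parts}


def unpartitioned_tail(parsed: dict, disk_sectors: int) -> int:
    """Sectors after the last partition: the region where a TDL4-style hidden file system sits."""
    end = max((p["lba_start"] + p["sectors"] for p in parsed["partitions"]), default=0)
    return disk_sectors - end


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare a fresh dump against a known-clean one, boot code and partition table separately."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {"signature_ok": b["signature_ok"],
            "boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_changed": a["partitions"] != b["partitions"]}


def verdict(cmp: dict) -> str:
    if not cmp["signature_ok"]:
        return "invalid MBR: 0x55AA signature missing"
    if cmp["boot_code_changed"] and not cmp["partition_table_changed"]:
        # A bootkit needs the table intact so Windows still boots; only the code is swapped.
        return "boot code replaced, partition table intact: bootkit pattern"
    if cmp["boot_code_changed"]:
        return "boot code and partition table both changed: repartitioned or reinstalled"
    return "MBR matches baseline"


# --- constructed test images; the boot-code bytes are placeholders, not real code ---
def build_mbr(boot_code: bytes, entries) -> bytes:
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(struct.pack(ENTRY_FMT, s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in entries)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"


# Layout from the aswMBR log in the thread: sizes there are in MB, offsets in sectors.
LOG_LAYOUT = [(0x80, 0x07, 2048, 60000 * SECTORS_PER_MB),
              (0x00, 0x07, 122882048, 150000 * SECTORS_PER_MB),
              (0x00, 0x07, 430082048, 28473 * SECTORS_PER_MB)]
DISK_SECTORS = 238475 * SECTORS_PER_MB        # "Size: 238475MB" in the log

BASELINE = build_mbr(bytes.fromhex("33c08ed0bc007c8ec08ed8"), LOG_LAYOUT)   # assumed clean dump
INFECTED = build_mbr(bytes.fromhex("eb00fa31c08ed0bc00"), LOG_LAYOUT)       # assumed later dump

if __name__ == "__main__":
    parsed = parse_mbr(BASELINE)
    for p in parsed["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} start {p['lba_start']} sectors {p['sectors']}")
    tail = unpartitioned_tail(parsed, DISK_SECTORS)
    print(f"unpartitioned tail: {tail} sectors starting at LBA {DISK_SECTORS - tail}")
    print(verdict(compare_mbr(BASELINE, INFECTED)))
```

With a real dump, `parse_mbr(open("MBR.dat", "rb").read())` replaces the constructed image. The baseline must come from an image taken offline (rescue disk, or the drive attached to another machine), since a live read through a hooked miniport returns whatever the rootkit chooses to show. The tail length computed here comes from aswMBR's MB-rounded sizes and is approximate; the exact figure comes from the sector counts in the partition table of the dump itself.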
Stone Emissary
Sanctioner
Posts: 14
Registered: ‎04-05-2012

Re: Happili Virus/malware issues with Trend

Hi,

Here is the file requested.

I was not able to monitor the Windows Repair utility once it was running; when I got back it had rebooted the computer,

so I can only assume it has done its job.

I haven't seen anything abnormal at this time.

Thank you very much for your efforts.

"S"
Legendary Emissary
malwarekiller
Posts: 3,925
Registered: ‎08-08-2011

Re: Happili Virus/malware issues with Trend

[ Edited ]

Re-run TDSSKiller and select Delete for the following result, then attach the fresh log:

\Device\Harddisk0\DR0 ( TDSS File System )
Stone Emissary
Sanctioner
Posts: 14
Registered: ‎04-05-2012

Re: Happili Virus/malware issues with Trend

Hi,

I was a bit confused about how much to edit, so I am attaching the unmodified file and the one I edited.

In the one I edited there were two lines I removed.

If I did it wrong let me know and I will try again.

Also, the program updated to a new version before running.

Hope this helps.

Thank you very much

"S"
Legendary Emissary
malwarekiller
Posts: 3,925
Registered: ‎08-08-2011

Re: Happili Virus/malware issues with Trend

I meant to re-run TDSSKiller and select Delete for TDSS File System and attach the new log.

Stone Emissary
Sanctioner
Posts: 14
Registered: ‎04-05-2012

Re: Happili Virus/malware issues with Trend

Hi,

Okay, I updated TDSSKiller to current and re-ran it. When it was done I left the top two on Skip and chose Delete for the TDSS file system, the one I believe you wanted me to select Delete on.

Here is the log file for you; let me know if it's what you wanted.

Thank you again.

"S"
Legendary Emissary
malwarekiller
Posts: 3,925
Registered: ‎08-08-2011

Re: Happili Virus/malware issues with Trend

How is the computer running?

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the  button.
• For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on  to download the ESET Smart Installer. Save it to your desktop.
  • Double-click on the  icon on your desktop.
• Check 
• Click the  button.
• Accept any security warnings from your browser.
• Check 
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push 
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the  button.
• Push 

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
