Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: cpv.servefed.info

Download aswMBR.exe (1.8 MB) to your desktop.

http://public.avast.com/~gmerek/aswMBR.htm
  • Double-click aswMBR.exe to run it.

  • Click the [Scan] button to start the scan.

  • On completion of the scan, click [Save log], save it to your desktop and post it in your next reply.

     

    NEXT


    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
rhc123
Posts: 32
Registered: ‎11-06-2011

Re: cpv.servefed.info

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-09 06:11:34
-----------------------------
06:11:34.223    OS Version: Windows x64 6.1.7600
06:11:34.223    Number of processors: 2 586 0x602
06:11:34.224    ComputerName: LIVINGROOM  UserName: Robert
06:11:38.319    Initialize success
06:11:53.107    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005e
06:11:53.109    Disk 0 Vendor: ST350041 HP34 Size: 476940MB BusType: 3
06:11:53.121    Disk 0 MBR read successfully
06:11:53.123    Disk 0 MBR scan
06:11:53.124    Disk 0 unknown MBR code
06:11:53.135    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
06:11:53.144    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       466726 MB offset 206848
06:11:53.175    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        10112 MB offset 956061696
06:11:53.178    Service scanning
06:11:54.297    Modules scanning
06:11:54.300    Disk 0 trace - called modules:
06:11:54.311    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
06:11:54.314    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003356060]
06:11:54.317    3 CLASSPNP.SYS[fffff8800196943f] -> nt!IofCallDriver -> [0xfffffa80030db7a0]
06:11:54.321    5 ACPI.sys[fffff88000f97781] -> nt!IofCallDriver -> \Device\0000005e[0xfffffa80030db060]
06:11:54.326    Scan finished successfully
06:13:16.370    Disk 0 MBR has been saved successfully to "C:\uploads\MBR.dat"
06:13:16.375    The log file has been saved successfully to "C:\uploads\aswMBR.txt"

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.09.03

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Robert :: LIVINGROOM [administrator]

2/9/2012 6:14:37 AM
mbam-log-2012-02-09 (06-14-37).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 808452
Time elapsed: 1 hour(s), 31 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: cpv.servefed.info

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

 

XP

Do the following: 
Start -> Run 
type diskmgmt.msc 
Click "OK"
 
Disk Management will open. 
 
Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns. 
 
Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

VISTA - 7

Do the following: 

  • Click on the Start button and then choose Control Panel
  • Click on the System and Security link
     
    Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4. 
  • In the System and Security window, click on the Administrative Tools heading located near the bottom of the window. 
  • In the Administrative Tools window, double-click on the Computer Management icon. 
  • When Computer Management opens, click on Disk Management on the left side of the window, located under Storage
     
    After a brief loading period, Disk Management should now appear on the right side of the Computer Management window. 
     
    Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

Stone Emissary
rhc123
Posts: 32
Registered: ‎11-06-2011

Re: cpv.servefed.info

 Bootkit Remover
(c) 2009 Esage Lab
esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition (build 7600), 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: f02cd0c236b17be4997ac672167e6b71

     Size  Device Name          MBR Status
 --------------------------------------------
   465 GB  \\.\PhysicalDrive0   Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

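The aswMBR log earlier in this thread and the Bootkit Remover output above both do the same two things: walk the four-entry partition table at the end of the first sector, and hash the boot code so it can be compared against a whitelist ("Unknown boot code" means only that the hash was not in the tool's list, not that it is malicious). The following is an added example that does the same work in plain Python; it is not code from aswMBR, Bootkit Remover or any other tool in this thread. SAMPLE_MBR is a constructed sector whose partition table mirrors the one in the logs (three NTFS partitions, the first one active, at the same offsets and sizes); its bootstrap bytes are filler, not real Windows boot code, and KNOWN_GOOD is a placeholder whitelist, not the digests the tools ship with.

```python
"""Parse and fingerprint a 512-byte MBR the way aswMBR / Bootkit Remover
summarise it: partition table plus an MD5 of the boot code.

Added example, not code from any of the tools in the thread. SAMPLE_MBR is a
constructed sector; KNOWN_GOOD is a placeholder whitelist (assumption).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # boot code; bytes 440..443 hold the disk signature
TABLE_OFFSET = 446           # four 16-byte partition entries follow
ENTRY_FMT = "<BBBBBBBBII"    # status, CHS start(3), type, CHS end(3), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x83: "Linux", 0xEE: "GPT protective"}

# Placeholder whitelist (assumption): md5 of the 440-byte bootstrap -> label.
KNOWN_GOOD = {}


def build_mbr(bootstrap, entries):
    """Assemble a sector from boot code and (active, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    boot = bootstrap[:BOOTSTRAP_LEN]
    sector[:len(boot)] = boot
    for i, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + i * 16,
                         0x80 if active else 0x00, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return boot-code hashes and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + i * 16)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:
            continue                       # unused slot
        partitions.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "offset_sectors": lba,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    return {
        "bootstrap_md5": hashlib.md5(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def classify_boot_code(sector, known_good=KNOWN_GOOD):
    """'Unknown boot code' only means the hash is not in the whitelist."""
    digest = hashlib.md5(sector[:BOOTSTRAP_LEN]).hexdigest()
    return known_good.get(digest, "Unknown boot code")


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the real first sector on Windows; needs an elevated prompt."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


# Constructed sample: a few typical prologue bytes plus NOP filler (not real
# Windows boot code), then the three NTFS partitions from the logs, with
# sector counts chosen so the offsets line up exactly as reported.
SAMPLE_BOOTSTRAP = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100
SAMPLE_MBR = build_mbr(SAMPLE_BOOTSTRAP, [
    (True,  0x07, 2048,      204800),      # 100 MB, active
    (False, 0x07, 206848,    955854848),   # 466726 MB
    (False, 0x07, 956061696, 20709376),    # 10112 MB
])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("bootstrap md5:", info["bootstrap_md5"], "->", classify_boot_code(SAMPLE_MBR))
    for p in info["partitions"]:
        flag = "80 (A)" if p["active"] else "00    "
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']:10}"
              f" {p['size_mb']:>8} MB offset {p['offset_sectors']}")
```

One caveat when comparing digests across tools: each hashes its own byte range (this example reports both the 440-byte bootstrap and the whole sector), so a value from one tool's log is only meaningful against the same tool's whitelist. A partition table that parses cleanly says nothing about the boot code itself; that is why the next step in the thread is to dump and inspect it.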
Stone Emissary
rhc123
Posts: 32
Registered: ‎11-06-2011

Re: cpv.servefed.info

Had to attach screenshot

 

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: cpv.servefed.info

  • Download RogueKiller and save it on your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until the Prescan has finished.
  • Click on Scan.
  • Wait for the end of the scan. The report has been created on the desktop.
  • Click on the Delete button. The report has been created on the desktop.
  • Next click on the ShortcutsFix. The report has been created on the desktop.

Please post all RKreport logs located on your desktop.

 

NEXT

 

 

Download OTL  to your Desktop.

http://www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe

netbt.sys

atapi.sys

volsnap.sys

redbook.sys

lsi_sas.sys

lsi_scsi.sys

cdrom*

tcpip.sys
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs.
Stone Emissary
rhc123
Posts: 32
Registered: ‎11-06-2011

Re: cpv.servefed.info

RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Robert [Admin rights]
Mode: Scan -- Date : 02/12/2012 15:51:07

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
::1 localhost
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST350041 8AS SCSI Disk Device +++++
--- User ---
[MBR] 478cfdd535ea4be06ed8fb97fc6cf8be
[BSP] bd2594b1bf406cdf459a438723ab3fd1 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 466726 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 956061696 | Size: 10112 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt




Stone Emissary
rhc123
Posts: 32
Registered: ‎11-06-2011

Re: cpv.servefed.info

RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Robert [Admin rights]
Mode: Remove -- Date : 02/12/2012 18:00:19

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
::1 localhost
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST350041 8AS SCSI Disk Device +++++
--- User ---
[MBR] 478cfdd535ea4be06ed8fb97fc6cf8be
[BSP] bd2594b1bf406cdf459a438723ab3fd1 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 466726 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 956061696 | Size: 10112 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



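The five [HJ] lines in the two RogueKiller reports above are policy values rather than files: EnableLUA=0 turns UAC off, ConsentPromptBehaviorAdmin=0 lets administrators elevate with no prompt at all, and a 1 under HideDesktopIcons\NewStartPanel hides a desktop icon (those two CLSIDs are the "User's Files" and "Computer" icons). The Remove log shows what was written back: 1, 2 (prompt for consent on the secure desktop) and 0. Below is an added example, not RogueKiller's own logic, that checks the same settings from a `reg export` of the relevant keys so the state can be verified before and after a fix. SAMPLE_REG is a constructed export reproducing the scan-time state; the full key paths are the standard locations of these values, which RogueKiller abbreviates to `[...]`.

```python
"""Audit a registry export (.reg text) for the UAC and desktop-icon tampering
RogueKiller reported above. Added example, not RogueKiller's own code.
SAMPLE_REG is constructed; the expected values follow the Remove log.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HIDE_ICONS_SUFFIX = r"\HideDesktopIcons\NewStartPanel"   # exists under both HKLM and HKCU

# CLSID -> icon name; a dword 1 under NewStartPanel hides that icon.
DESKTOP_ICONS = {
    "{59031a47-3f72-44a7-89c5-5595fe6b30ee}": "User's Files",
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "Computer",
}

# value name -> (is_ok(value), problem). 0 for ConsentPromptBehaviorAdmin means
# "elevate without prompting"; RogueKiller set it to 2 (consent on secure desktop).
UAC_CHECKS = {
    "EnableLUA": (lambda v: v == 1, "UAC disabled"),
    "ConsentPromptBehaviorAdmin": (lambda v: v != 0, "administrators elevate without any prompt"),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; dword -> int, "str" -> str."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = data       # hex(...) / expanded strings left raw
    return keys


def load_reg_file(path):
    """reg export writes UTF-16LE with a BOM; the utf-16 codec consumes it."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def audit(keys):
    """List every value that deviates from the expected settings."""
    findings = []
    policy = keys.get(POLICY_KEY, {})
    for name, (is_ok, problem) in UAC_CHECKS.items():
        if name in policy and not is_ok(policy[name]):     # absent values keep OS defaults
            findings.append(f"{name} = {policy[name]}: {problem}")
    for key, values in keys.items():
        if not key.endswith(HIDE_ICONS_SUFFIX):
            continue
        for clsid, label in DESKTOP_ICONS.items():
            if values.get(clsid) == 1:
                findings.append(f"{label} icon hidden ({key}\\{clsid})")
    return findings


# Constructed export reproducing the state in the Scan log (not a real file).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{59031a47-3f72-44a7-89c5-5595fe6b30ee}"=dword:00000001
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

To produce the input on the affected machine, run from an elevated prompt `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" uac.reg` and the same for the HideDesktopIcons key under HKCU and HKLM, then pass the files to load_reg_file. Changes to the HKLM policy key take effect after a reboot, which is why a tool that rewrites EnableLUA asks for one.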
Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: cpv.servefed.info

Please attach the OTL log as requested...

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: cpv.servefed.info


OK... I realized you already attached the OTL logs... I see the bad boys... I see you have STOPzilla, which is related to TDSS infections... I will remove it for you.

 

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot 

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E E3 35 00 E8 39 F2 41 90 B6 01 BB 18 81 9D AC  [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E E3 35 00 E8 39 F2 41 90 B6 01 BB 18 81 9D AC  [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E E3 35 00 E8 39 F2 41 90 B6 01 BB 18 81 9D AC  [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E E3 35 00 E8 39 F2 41 90 B6 01 BB 18 81 9D AC  [binary data]
IE - HKU\S-1-5-21-918244078-1702145985-1200703881-1001\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E E3 35 00 E8 39 F2 41 90 B6 01 BB 18 81 9D AC  [binary data]
FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1043669&SearchSource=3&q="
FF - prefs.js..browser.search.selectedEngine: "Informative Google Search"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.rr.com/"
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:3.3.5.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.9.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.2
FF - prefs.js..extensions.enabledItems: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}:1.1.3
FF - prefs.js..extensions.enabledItems: {15392110-3e64-431c-a489-793eec3c1686}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {22C7F6C6-8D67-4534-92B5-529A0EC09405}:6.8.0.1073
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..keyword.URL: "chrome://browser-region/locale/region.properties"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 9877
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\mxvlxq6s.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2011/04/05 22:16:01 | 000,000,000 | ---D | M] ("Search Engine Security") -- 
PRC - [2011/12/07 17:12:30 | 000,183,336 | R--- | M] (iS3, Inc.) -- c:\Program Files (x86)\STOPzilla!\STOPzilla.exe
@Alternate Data Stream - 151 bytes -> C:\ProgramData\Temp:4673E9EA
@Alternate Data Stream - 149 bytes -> C:\ProgramData\Temp:260575F1
@Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:B63300D1
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:B755D674
@Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:78E0DF72
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:1AAB2E68



ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Please attach the log generated after the fix completion.

 NEXT

 

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
3. Open notepad and copy/paste the text in the code box below into it:

 

Folder::
c:\Program Files (x86)\STOPzilla!
c:\Program Files (x86)\Common Files\iS3

Save this as CFScript.txt, in the same location as ComboFix.exe

 

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

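The FF lines in the OTL fix above are worth understanding rather than just deleting: network.proxy.http set to 127.0.0.1 with port 9877 routes every browser HTTP request through a process listening on the local machine, the default search URL has been pointed at search.conduit.com, and browser.search.update is false so the hijacked engine is never refreshed. Below is an added example, not OTL's own logic, that parses a Firefox prefs.js and flags exactly those indicators. SAMPLE_PREFS is constructed from the values OTL listed; the loopback set and the trusted search hosts are this example's own assumptions.

```python
"""Flag browser-hijack indicators in a Firefox prefs.js: a proxy on loopback,
a default search URL off the expected hosts, and search updates disabled.

Added example, not code from OTL or Firefox. SAMPLE_PREFS is constructed from
the values shown in the fix script; TRUSTED_SEARCH_HOSTS is an assumption.
"""
import re
from urllib.parse import urlparse

# user_pref("name", value);  -- value is a quoted string, true/false or an int
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}  # assumption


def _decode(token):
    token = token.strip()
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return token[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if token in ("true", "false"):
        return token == "true"
    try:
        return int(token)
    except ValueError:
        return token


def parse_prefs(text):
    """Return {pref_name: decoded_value} for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs


def hijack_indicators(prefs):
    """Findings in a fixed order: proxies, search URL, search updates."""
    findings = []
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host in LOOPBACK:
            port = prefs.get(f"network.proxy.{scheme}_port")
            findings.append(f"{scheme} proxy on loopback {host}:{port}; "
                            "browser traffic is routed through a local listener")
    url = prefs.get("browser.search.defaulturl")
    if isinstance(url, str):
        host = urlparse(url).hostname
        if host and host not in TRUSTED_SEARCH_HOSTS:
            findings.append(f"default search URL points at {host}: {url}")
    if prefs.get("browser.search.update") is False:
        findings.append("search-engine updates disabled (browser.search.update=false)")
    return findings


# Constructed prefs.js fragment reproducing the values OTL listed above.
SAMPLE_PREFS = r'''# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Web Search");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT1043669&SearchSource=3&q=");
user_pref("browser.search.selectedEngine", "Informative Google Search");
user_pref("browser.search.update", false);
user_pref("browser.startup.homepage", "http://www.rr.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 9877);
user_pref("network.proxy.no_proxies_on", "localhost,127.0.0.1");
'''

if __name__ == "__main__":
    for finding in hijack_indicators(parse_prefs(SAMPLE_PREFS)):
        print(finding)
```

On the live machine the profile's prefs.js sits under %APPDATA%\Mozilla\Firefox\Profiles\<profile>\ and should be read with Firefox closed, since Firefox rewrites it on exit. A loopback proxy finding is only half the story: `netstat -ano | findstr :9877` shows which PID owns the listener, and `tasklist /FI "PID eq <pid>"` names the process, which is what actually needs removing; deleting the pref alone just breaks the redirect until the process writes it back.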