SpyWare?

leonarskeatts

New Member
I caught a "virus", then installed Mbytes.

Using that along with the Rkill, I was able to stop the infection.

Seems I still have "spyware" or something along these lines on my comp.

Google links redirect me to some weird pages, and randomly a pop-up window comes and wants to tell me about some woman making money from home, and I always have to "X" out of it. Happens quite often.
 

johnb35

Administrator
Staff member
Trewyn15's advice will not work. You will need to follow this procedure.

1.

Please download and run TDSSKiller.

When the program opens, click on the Start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

infection-found.jpg


To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

scan-completed.jpg


If the log says "will be cured after reboot", please reboot the system by pressing the Reboot now button.

After it has run there will be a log located at the root of your C:\ drive, labeled TDSSKiller with a series of numbers after it. Please open the log and copy and paste it back here.

2.

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

If running Vista or Windows 7 you will need to right-click on the icon and click on Run as. If the Run as option doesn't appear, then press and hold the Shift key while right-clicking on the icon.

Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

When the HijackThis log appears in a Notepad window, click on the Edit menu, click Select All, then click on the Edit menu again and click on Copy. Come back to your reply, right-click with your mouse and click on Paste.

Post the logfile that HijackThis produces.
 
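The HijackThis log asked for above is a line-oriented format (a section tag such as O2, O20 or O23, a dash, then the entry). As an added example that is not part of this thread, here is a small triage script that parses lines of that format and sorts them into the classes a helper looks at first; the sample lines are constructed for the example, modelled on the log posted later in the thread (the ulbrnii Winlogon Notify entry, the broken LSP line, the file-missing services), and the priority rules are this example's own heuristics, not anything HijackThis itself does.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines constructed for this example, modelled on the HijackThis v2.0.4
# format; the ulbrnii, LSP and file-missing entries mirror the log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O20 - Winlogon Notify: ulbrnii - C:\Windows\system32\config\systemprofile\AppData\Local\ulbrnii.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""


@dataclass
class Finding:
    section: str    # HijackThis section tag, e.g. "O20"
    priority: str   # "review" (look at this first) or "info" (note, usually benign)
    reason: str
    line: str


# Every entry line is "<tag> - <body>", e.g. "O20 - Winlogon Notify: ..."
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# A Winlogon Notify DLL normally lives in a Windows system directory; a user or
# service profile path (AppData, Users, Temp) is unusual and worth a closer look.
PROFILE_HINTS = ("\\appdata\\", "\\users\\", "\\documents and settings\\", "\\temp\\")


def _trailing_path(body: str) -> str:
    """Return the last ' - ' separated field, which HijackThis uses for the file path."""
    return body.rsplit(" - ", 1)[-1].strip()


def classify(line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None for sections this triage ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.groups()
    low = body.lower()
    if tag == "O2" and low.endswith("(no file)"):
        return Finding(tag, "info", "BHO registered but its DLL is gone: orphaned entry, cosmetic", line)
    if tag == "O10":
        return Finding(tag, "review",
                       "Winsock LSP chain is broken (explains dropped connections); repair the chain, don't delete entries", line)
    if tag == "O20" and low.startswith("winlogon notify:"):
        path = _trailing_path(low)
        if any(hint in path for hint in PROFILE_HINTS):
            return Finding(tag, "review",
                           "Winlogon Notify DLL loads from a profile/AppData path; verify its publisher and hash", line)
        return Finding(tag, "info", "Winlogon Notify DLL in a system directory; confirm it is signed", line)
    if tag == "O23" and low.endswith("(file missing)"):
        if "\\windows\\system32\\" in low and "unknown owner" in low:
            # 32-bit HijackThis on x64 Windows is redirected to SysWOW64, so real
            # 64-bit System32 binaries (lsass.exe, alg.exe, ...) look "missing".
            return Finding(tag, "info", "System32 service reported missing: typical WOW64 redirection artefact on x64", line)
        return Finding(tag, "review", "Service binary missing outside System32; check whether the service should exist", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line; review items first, then info, each in log order."""
    found = [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]
    return sorted(found, key=lambda f: 0 if f.priority == "review" else 1)


def summarize(findings: List[Finding]) -> dict:
    """Count findings per priority, e.g. {'review': 2, 'info': 3} for SAMPLE_LOG."""
    counts = {"review": 0, "info": 0}
    for f in findings:
        counts[f.priority] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.priority:6}] {f.section}: {f.reason}\n         {f.line}")
```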

trewyn15

New Member
CCleaner would work if it's a file stored within his browser; deleting that file would cause the issue to stop. If you can get that first program to work, that may work better though.
 

johnb35

Administrator
Staff member
It's not gonna be a temp file though. Temp files usually don't cause redirects. It's usually an MBR/bootkit infection or an add-on that causes it.
 

leonarskeatts

New Member
exeHelper by Raktor
Build 20100414
Run at 22:21:55 on 01/24/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
 

johnb35

Administrator
Staff member
OK, boot to Safe Mode and do the following.

Download and run this renamed version of rkill:

http://download.bleepingcomputer.com/grinler/iExplore.exe

Then download and run ComboFix.

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
  • Download this file here: Combofix

  • When the page loads, click on the blue ComboFix download link next to the BleepingComputer Mirror.
  • Save the file to your Windows desktop. The ComboFix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running antivirus, antispyware, and firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now just click on the Edit menu and click on Select All, then click on the Edit menu again and click on Copy. Then come to the forum in your reply, right-click with your mouse and click on Paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
Here: Try this .EXE registry fix. Usually always works for me.

http://www.mediafire.com/?awv5o19a6019uur

EDIT: If you can't get ComboFix to run (and it just keeps asking what program to run), try my EXE fix. If that doesn't do it, then just open a command prompt manually, navigate to ComboFix and run "Combofix.exe".
 

leonarskeatts

New Member
ComboFix 12-01-23.02 - ThunderLips 01/25/2012 8:35.1.2 - x64 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4026.3429 [GMT -5:00]
Running from: c:\users\ThunderLips\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Enabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\SearchToolbar.dll
c:\users\ThunderLips\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6AEAD87E-2759-4F94-A4CC-299A05EED046}.xps
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\assembly\temp\kwrd.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
.
.
2012-01-25 13:42 . 2012-01-25 13:48 -------- d-----w- c:\users\ThunderLips\AppData\Local\temp
2012-01-25 13:42 . 2012-01-25 13:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-20 01:09 . 2012-01-20 01:09 -------- d-----w- c:\users\ThunderLips\AppData\Roaming\DriverCure
2012-01-20 01:09 . 2012-01-20 01:09 -------- d-----w- c:\users\ThunderLips\AppData\Roaming\ParetoLogic
2012-01-20 01:08 . 2012-01-20 01:12 -------- d-----w- c:\programdata\ParetoLogic
2012-01-13 17:53 . 2012-01-13 17:53 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-13 16:03 . 2012-01-13 16:03 -------- d-----w- c:\windows\system32\Macromed
2012-01-13 16:01 . 2012-01-13 16:01 -------- d-----w- c:\users\ThunderLips\AppData\Roaming\Malwarebytes
2012-01-13 16:01 . 2012-01-13 16:01 -------- d-----w- c:\programdata\Malwarebytes
2012-01-13 16:01 . 2012-01-13 16:01 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-13 16:01 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 11:40 . 2011-12-23 08:34 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5CA72D64-ABCE-4B4A-8093-A3A8CF8732F7}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2008-04-24 468264]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"ALUAlert"="c:\program files (x86)\Symantec\LiveUpdate\ALuNotify.exe" [2008-02-09 152952]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\users\ThunderLips\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2119488]
WDSmartWare.lnk - c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ulbrnii]
2011-12-24 15:24 11264 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\ulbrnii.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_48fbb870\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 22:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-18 c:\windows\Tasks\hpwebreg_CN0AD2939305HX.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\hpwebreg.exe [2010-06-15 00:29]
.
2012-01-17 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - ThunderLips.job
- c:\program files (x86)\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 12:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\ThunderLips\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 209432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 181784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1220392]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [2008-04-15 444416]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2008-01-24 685568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\SMINST\BLService.exe
c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe
c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files (x86)\Viewpoint\Common\ViewpointService.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe
c:\program files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
c:\progra~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\SysWOW64\ping.exe
c:\program files (x86)\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SymCUW.exe
.
**************************************************************************
.
Completion time: 2012-01-25 08:59:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-25 13:59
.
Pre-Run: 33,922,351,104 bytes free
Post-Run: 31,974,965,248 bytes free
.
- - End Of File - - D7E8F3885F86C566C14DEDFDF8DFA5F2
 

leonarskeatts

New Member
Now posting from my Droid.

I ran the ComboFix and, after resetting, my comp continues to say "Internet Explorer is not working".

I'm trying to download the HijackThis, but I continue being kicked off.
 

johnb35

Administrator
Staff member
Can you access Safe Mode with Networking, download HijackThis and run TDSSKiller again?
 

leonarskeatts

New Member
At this time:

I am running the computer in "full operations" mode (normal).

I have downloaded and installed HijackThis.
- The scan won't allow me to copy/paste.

TDSSKiller still won't open.
- I ran the ComboFix and posted it earlier.
 

johnb35

Administrator
Staff member
You have to click on Do a system scan and save a logfile. Then the log pops up in Notepad, which you can copy and paste. Have you tried Safe Mode yet? It may help to run TDSSKiller.
 

leonarskeatts

New Member
In Safe Mode w/ networking, and TDSSKiller still wants me to pick a program to open it in.

Should I run the HijackThis again or...


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:34:14 AM, on 1/25/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files (x86)\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ALUAlert] "c:\Program Files (x86)\Symantec\LiveUpdate\ALuNotify.exe" "/LOWDISKSPACE C"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: Dropbox.lnk = C:\Users\ThunderLips\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O4 - Global Startup: WDSmartWare.lnk = C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O20 - Winlogon Notify: ulbrnii - C:\Windows\system32\config\systemprofile\AppData\Local\ulbrnii.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_48fbb870\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_48fbb870\STacSV64.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: WD SmartWare Drive Manager Service (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11694 bytes

johnb35

Administrator
Staff member
The problem I see is that you are able to run exe files just fine, hijackthis, combofix and assuming you've run malwarebytes. Try redownloading tdsskiller from this link.

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

If it still doesn't work, do this.

Download MBRCheck to your desktop.

  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:

    Done! Press ENTER to exit...

  • Or you will see more information like below if a problem is found:

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message.

leonarskeatts

New Member
heck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 1 (build 6001), 64-bit
Base Board Manufacturer: Quanta
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv5 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 165):
0x01E0D000 \SystemRoot\system32\ntoskrnl.exe
0x02325000 \SystemRoot\system32\hal.dll
0x00608000 \SystemRoot\system32\kdcom.dll
0x00612000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x0063F000 \SystemRoot\system32\PSHED.dll
0x00653000 \SystemRoot\system32\CLFS.SYS
0x006B0000 \SystemRoot\system32\CI.dll
0x0080C000 \SystemRoot\system32\drivers\Wdf01000.sys
0x008E6000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x008F4000 \SystemRoot\system32\drivers\acpi.sys
0x0094A000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00953000 \SystemRoot\system32\drivers\msisadrv.sys
0x0095D000 \SystemRoot\system32\drivers\pci.sys
0x0098D000 \SystemRoot\system32\drivers\isapnp.sys
0x00996000 \SystemRoot\system32\drivers\mpio.sys
0x009B8000 \SystemRoot\System32\drivers\partmgr.sys
0x009CD000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x009D1000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x009DD000 \SystemRoot\system32\drivers\volmgr.sys
0x00762000 \SystemRoot\System32\drivers\volmgrx.sys
0x009F1000 \SystemRoot\system32\drivers\intelide.sys
0x007C8000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x009F9000 \SystemRoot\system32\drivers\pciide.sys
0x00800000 \SystemRoot\system32\drivers\aliide.sys
0x007D8000 \SystemRoot\system32\drivers\amdide.sys
0x007DF000 \SystemRoot\system32\drivers\cmdide.sys
0x007E7000 \SystemRoot\System32\drivers\mountmgr.sys
0x00A0A000 \SystemRoot\system32\drivers\msdsm.sys
0x00A28000 \SystemRoot\system32\drivers\nvraid.sys
0x00A4B000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x00A77000 \SystemRoot\system32\drivers\viaide.sys
0x00A7F000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x00C07000 \SystemRoot\system32\drivers\iastorv.sys
0x00CCE000 \SystemRoot\system32\drivers\atapi.sys
0x00CD6000 \SystemRoot\system32\drivers\ataport.SYS
0x00CFA000 \SystemRoot\system32\drivers\lsi_scsi.sys
0x00D18000 \SystemRoot\system32\drivers\storport.sys
0x00D75000 \SystemRoot\system32\drivers\nvstor.sys
0x00D85000 \SystemRoot\system32\drivers\msahci.sys
0x00D8F000 \SystemRoot\system32\drivers\hpcisss.sys
0x00E0A000 \SystemRoot\system32\drivers\adp94xx.sys
0x00E83000 \SystemRoot\system32\drivers\adpahci.sys
0x00ED9000 \SystemRoot\system32\drivers\adpu160m.sys
0x00EFA000 \SystemRoot\system32\drivers\SCSIPORT.SYS
0x00F28000 \SystemRoot\system32\drivers\adpu320.sys
0x00F57000 \SystemRoot\system32\drivers\djsvs.sys
0x00F6F000 \SystemRoot\system32\drivers\arc.sys
0x00F88000 \SystemRoot\system32\drivers\arcsas.sys
0x01004000 \SystemRoot\system32\drivers\elxstor.sys
0x010A7000 \SystemRoot\system32\drivers\i2omp.sys
0x010B2000 \SystemRoot\system32\drivers\iirsp.sys
0x010C3000 \SystemRoot\system32\drivers\iteatapi.sys
0x010D0000 \SystemRoot\system32\drivers\iteraid.sys
0x010DD000 \SystemRoot\system32\drivers\lsi_fc.sys
0x010FB000 \SystemRoot\system32\drivers\lsi_sas.sys
0x01117000 \SystemRoot\system32\drivers\megasas.sys
0x01123000 \SystemRoot\system32\drivers\megasr.sys
0x011EA000 \SystemRoot\system32\drivers\mraid35x.sys
0x00FA1000 \SystemRoot\system32\drivers\nfrd960.sys
0x01204000 \SystemRoot\system32\drivers\ql2300.sys
0x01356000 \SystemRoot\system32\drivers\ql40xx.sys
0x013B4000 \SystemRoot\system32\drivers\sisraid2.sys
0x013C2000 \SystemRoot\system32\drivers\sisraid4.sys
0x013D8000 \SystemRoot\system32\drivers\symc8xx.sys
0x013E6000 \SystemRoot\system32\drivers\sym_hi.sys
0x00FB1000 \SystemRoot\system32\drivers\sym_u3.sys
0x00D9D000 \SystemRoot\system32\drivers\uliahci.sys
0x00FBF000 \SystemRoot\system32\drivers\ulsata.sys
0x00B8D000 \SystemRoot\system32\drivers\ulsata2.sys
0x00BCF000 \SystemRoot\system32\drivers\vsmraid.sys
0x0140C000 \SystemRoot\system32\drivers\fltmgr.sys
0x01452000 \SystemRoot\system32\drivers\fileinfo.sys
0x01466000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0160A000 \SystemRoot\system32\drivers\ndis.sys
0x014ED000 \SystemRoot\system32\drivers\msrpc.sys
0x0153D000 \SystemRoot\system32\drivers\NETIO.SYS
0x01806000 \SystemRoot\System32\drivers\tcpip.sys
0x0197A000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01A01000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01B85000 \SystemRoot\system32\drivers\wd.sys
0x01B8D000 \SystemRoot\system32\drivers\volsnap.sys
0x01BD9000 \SystemRoot\system32\drivers\sbp2port.sys
0x019A6000 \SystemRoot\System32\Drivers\mup.sys
0x019B8000 \SystemRoot\System32\drivers\ecache.sys
0x01BF2000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x019E4000 \SystemRoot\system32\drivers\disk.sys
0x017CD000 \SystemRoot\system32\drivers\crcdisk.sys
0x02B16000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x02B22000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x02B2B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x02B37000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x02B7D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x02B8E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x02E06000 \SystemRoot\system32\DRIVERS\NETw5v64.sys
0x03294000 \SystemRoot\system32\DRIVERS\Rtlh64.sys
0x032BF000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x032D5000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x032E1000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x032EF000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x03344000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x03346000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x03352000 \SystemRoot\system32\DRIVERS\enecir.sys
0x0336E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x0338A000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x03397000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x033A0000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x033AC000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x033E4000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02BA1000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x033F1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x02BC4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x017E5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x01595000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x015B3000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x015CB000 \SystemRoot\system32\DRIVERS\termdd.sys
0x033FD000 \SystemRoot\system32\DRIVERS\swenum.sys
0x02C0F000 \SystemRoot\system32\DRIVERS\ks.sys
0x02C54000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x02C5F000 \SystemRoot\system32\DRIVERS\umbus.sys
0x02C6F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x02CB6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x02CCA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x02CD4000 \SystemRoot\System32\Drivers\Null.SYS
0x02CDD000 \SystemRoot\System32\drivers\vga.sys
0x02CEB000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02D10000 \SystemRoot\System32\drivers\watchdog.sys
0x02D1F000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02D28000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02D33000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02D44000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x02D4D000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02DB3000 \SystemRoot\system32\DRIVERS\smb.sys
0x07204000 \SystemRoot\system32\drivers\afd.sys
0x07270000 \SystemRoot\System32\DRIVERS\netbt.sys
0x072B4000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x072BF000 \SystemRoot\system32\DRIVERS\pacer.sys
0x072DD000 \SystemRoot\system32\DRIVERS\SymIMv.sys
0x072E7000 \SystemRoot\system32\DRIVERS\netbios.sys
0x072F6000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x07344000 \SystemRoot\system32\drivers\nsiproxy.sys
0x07350000 \SystemRoot\System32\Drivers\dfsc.sys
0x0736D000 \SystemRoot\system32\drivers\RTSTOR64.SYS
0x07381000 \SystemRoot\System32\Drivers\crashdmp.sys
0x02A00000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x0738F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x073AB000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x073B4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x073C6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x073CE000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x073D8000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0x073E1000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x00060000 \SystemRoot\System32\win32k.sys
0x073EC000 \SystemRoot\System32\drivers\Dxapi.sys
0x00400000 \SystemRoot\System32\drivers\dxg.sys
0x00640000 \SystemRoot\System32\TSDDD.dll
0x00820000 \SystemRoot\System32\framebuf.dll
0x02D6A000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x02D9E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x02DCE000 \SystemRoot\system32\DRIVERS\bowser.sys
0x08007000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x08030000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x08079000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x08098000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x080B4000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77790000 \WINDOWS\System32\ntdll.dll

Processes (total 21):
0 System Idle Process
4 System
460 C:\WINDOWS\System32\smss.exe
540 csrss.exe
580 csrss.exe
588 C:\WINDOWS\System32\wininit.exe
628 C:\WINDOWS\System32\winlogon.exe
668 C:\WINDOWS\System32\services.exe
680 C:\WINDOWS\System32\lsass.exe
688 C:\WINDOWS\System32\lsm.exe
836 C:\WINDOWS\System32\svchost.exe
892 C:\WINDOWS\System32\svchost.exe
984 C:\WINDOWS\System32\svchost.exe
1012 C:\WINDOWS\System32\svchost.exe
236 C:\WINDOWS\System32\svchost.exe
376 C:\WINDOWS\System32\svchost.exe
396 C:\WINDOWS\System32\svchost.exe
1316 C:\WINDOWS\explorer.exe
372 C:\Program Files\Windows Media Player\wmpnscfg.exe
1380 C:\Program Files (x86)\Internet Explorer\iexplore.exe
1624 C:\Users\ThunderLips\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`6f500000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC44C

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
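The MBRCheck result above ("Unknown MBR code" for PhysicalDrive0, with a SHA1 of the boot sector and the tool's own "Found non-standard or infected MBR" verdict) and the HijackThis log earlier in the thread (the O20 Winlogon Notify entry pointing at a randomly named DLL under the system profile, the broken O10 LSP entry, and the many "Unknown owner" O23 services) are the lines a helper normally triages by eye. The following Python script is added here as an example; it is not part of the thread and not code from HijackThis, MBRCheck or TDSSKiller. It turns those eyeball checks into rules run over constructed sample lines copied from the two logs. The severity labels, the rule that a Winlogon Notify DLL belongs directly in System32, and the note that "(file missing)" on a native 64-bit service is usually WOW64 redirection when 32-bit HijackThis runs on 64-bit Windows are the example's own assumptions.

```python
"""Rule-based triage of HijackThis and MBRCheck log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the logs posted in this thread.
HJT_SAMPLE = r"""
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O20 - Winlogon Notify: ulbrnii - C:\Windows\system32\config\systemprofile\AppData\Local\ulbrnii.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
"""

MBRCHECK_SAMPLE = r"""
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C

Found non-standard or infected MBR.
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (example's own scale)
    reason: str
    line: str


@dataclass
class MbrReport:
    device: str
    status: str
    sha1: Optional[str]
    suspicious: bool


WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
LSP_RE = re.compile(r"^O10 - Broken Internet access")
MBR_STATUS_RE = re.compile(r"^(?P<size>\d+ [GMT]B)\s+(?P<device>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+)$")
SHA1_RE = re.compile(r"^SHA1: (?P<sha1>[0-9A-Fa-f]{40})$")


def _in_system32_root(path: str) -> bool:
    """True if the file sits directly in the Windows System32 folder (not a subfolder)."""
    return ntpath.dirname(path).lower().endswith(r"\windows\system32")


def triage_hijackthis(text: str) -> List[Finding]:
    """Apply three simple rules to O10, O20 and O23 lines of a HijackThis log."""
    findings: List[Finding] = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = WINLOGON_RE.match(line)
        if m:
            if not _in_system32_root(m["path"]):
                findings.append(Finding("high", "Winlogon Notify DLL loaded from outside "
                                        "System32; a randomly named DLL here is a common "
                                        "spyware persistence point", line))
            continue
        if LSP_RE.match(line):
            findings.append(Finding("medium", "Winsock LSP chain references a missing DLL; "
                                    "networking may stay broken until the chain is repaired", line))
            continue
        m = SERVICE_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            missing = line.endswith("(file missing)")
            path = m["path"].replace(" (file missing)", "")
            if missing and _in_system32_root(path):
                # Assumption: 32-bit HijackThis on 64-bit Windows is redirected to SysWOW64,
                # so native System32 services look missing; treat as informational only.
                findings.append(Finding("info", "'(file missing)' on a native System32 service "
                                        "is usually WOW64 redirection, not an infection", line))
            elif not missing:
                findings.append(Finding("medium", "service binary carries no publisher "
                                        "information; verify its origin and signature", line))
    return findings


def triage_mbrcheck(text: str) -> List[MbrReport]:
    """Collect per-drive MBR status, the boot-sector SHA1 and the tool's verdict."""
    reports: List[MbrReport] = []
    for line in (l.strip() for l in text.splitlines()):
        m = MBR_STATUS_RE.match(line)
        if m:
            reports.append(MbrReport(m["device"], m["status"], None,
                                     "Unknown MBR code" in m["status"]))
            continue
        m = SHA1_RE.match(line)
        if m and reports and reports[-1].sha1 is None:
            reports[-1].sha1 = m["sha1"].upper()   # hash to compare against a known-good MBR
        elif line.startswith("Found non-standard or infected MBR") and reports:
            reports[-1].suspicious = True


    return reports


def count_by_severity(findings: List[Finding]) -> dict:
    """Summarise findings as {"high": n, "medium": n, "info": n}."""
    return {sev: sum(f.severity == sev for f in findings) for sev in ("high", "medium", "info")}


if __name__ == "__main__":
    for f in triage_hijackthis(HJT_SAMPLE):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    for r in triage_mbrcheck(MBRCHECK_SAMPLE):
        print(f"[{'high' if r.suspicious else 'info'}] {r.device}: {r.status} (SHA1 {r.sha1})")
```

Run against the sample, the script raises the Winlogon Notify DLL and the unknown MBR code as the two high-severity items, which matches where the thread's helper was heading (a TDSS-family MBR rootkit plus a user-mode component); the "(file missing)" System32 services are reported as informational so they do not drown out the real signal.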

johnb35

Administrator
Staff member
Are you still getting the message saying to pick a program to run tdsskiller? If so, I can't figure it out since you are able to run all other exe files.

Try this instead, download the zip file of tdsskiller and extract and try running it.

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Not too long ago there was this user that couldn't run exe files but if he downloaded the zipped version, then unzipped it, it would work.

If all else fails, I recommend doing a system restore back to a day before you got infected as usually this will fix your issues but you would still have to scan your system with malwarebytes again to make sure you are clean.