Google Redirect/Malicious URL Blocked issues

After the excellent help I received with a problem machine last year, I have another project that my niece dropped (literally) in my lap. The computer is a Gateway NV52 laptop and the OS is Vista Home Premium SP1 that hasn't had an antivirus scan or update in over a year; the first clue that there was a serious problem was that shortcuts for IE and Explorer were missing from the Start menu, although both programs could be accessed if you searched for them. I've been able to clean out a number of toolbars and other garbage and get the laptop's software more up to date, but I still have the redirect issue (I haven't tried any browsers other than IE yet since I don't want to make things worse). The blocked URLs are the same two or three, although one of the notices does not report a URL.

The first full scan with Avast found two instances of Win32:Trojan-gen in the user\appdata\local folders and two of WMA:Wimad [Drp] attached to .mp3 files; Avast successfully cleaned them and hasn't reported any further problems. I've attached the log from the first time I ran MBAM; all later ones show the machine to be clean. I do not have a log file from aswMBR as I can't get it to run.

Thanks!

Did you try aswMBR from safe mode?

@ MikeB97
A malware removal specialist has been informed of your topic.

OK I will use a different tool to look at the MBR

- Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled.

- Quit all programs.
- Start RogueKiller.exe.
- Wait until the Prescan has finished.
- Click on Scan.

https://dl.dropbox.com/u/73555776/RKScan.GIF

- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

- The report has been created on the desktop.

- Next click on ShortcutsFix.

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

- The report has been created on the desktop.

Please post all RKreport.txt text files located on your desktop.

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Bucksbee Loyalty Plugin - W3i) - {626A9BF6-A6F4-18F4-159B-52A7A586C40B} - C:\Program Files (x86)\Bucksbee Loyalty Plugin - W3i\BucksBee Loyalty Plugin.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - !{8dcb7100-df86-4384-8842-8fa844297b3f} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{8dcb7100-df86-4384-8842-8fa844297b3f} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKU\S-1-5-21-4254752156-878005671-2507473072-1000..\Run: [YwqLFybcKWoAhAh.exe] C:\ProgramData\YwqLFybcKWoAhAh.exe File not found
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
[2012/12/08 21:00:36 | 000,000,368 | -H-- | M] () -- C:\ProgramData\ibzYjyDDtExm6O
[2012/09/14 13:39:16 | 000,000,368 | -H-- | C] () -- C:\ProgramData\ibzYjyDDtExm6O

:Files
C:\Program Files (x86)\Bucksbee Loyalty Plugin - W3i

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, and reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
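The OTL fix above removes orphaned persistence entries: BHOs and IE toolbars whose CLSID no longer resolves, a Run-key entry pointing at a file that no longer exists, and a Winlogon\Notify package with a missing DLL, then resets the hosts file. The following PowerShell script is an added example (not code from the thread, from OTL, or from the malware-removal helper) that enumerates the same locations read-only and classifies each entry the way OTL's O2/O3/O4/O20 lines do, so you can see what these orphans look like before running a removal tool. It assumes an elevated PowerShell prompt; Vista does not ship with PowerShell, so it must be installed as an update first. The registry paths are the standard ones; the Wow6432Node variants are the 32-bit view that OTL labels without ":64bit".

```powershell
# Added example: read-only triage of the persistence locations targeted by the OTL fix.
# Run from an elevated PowerShell prompt. Nothing here modifies the system.

# Resolve a CLSID to its registered in-process DLL, checking both registry views.
function Resolve-Clsid {
    param([string]$Clsid)
    foreach ($root in @('HKLM:\SOFTWARE\Classes\CLSID',
                        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')) {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

# Classify a CLSID with the same wording OTL uses in its O2/O3 lines.
function Get-ClsidState {
    param([string]$Clsid)
    $dll = Resolve-Clsid $Clsid
    if (-not $dll)             { return 'No CLSID value found' }
    if (-not (Test-Path $dll)) { return "File not found: $dll" }
    return "OK: $dll"
}

# Pull the executable out of a Run-key command line ("C:\x y\a.exe" /q or a.exe /q).
# Unquoted paths containing spaces, or bare names resolved via PATH, will need a manual check.
function Get-CommandTarget {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $matches[1] }
    return $Command
}

Write-Output '== Browser Helper Objects (O2) =='
foreach ($k in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')) {
    if (Test-Path $k) {
        Get-ChildItem $k | ForEach-Object { '{0} -> {1}' -f $_.PSChildName, (Get-ClsidState $_.PSChildName) }
    }
}

Write-Output '== IE toolbars (O3) =='
foreach ($k in @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar')) {
    if (Test-Path $k) {
        # Value names are CLSIDs; OTL prints some with a leading "!", which is stripped before resolving.
        (Get-Item $k).GetValueNames() |
            Where-Object { $_ -match '^!?\{[0-9A-Fa-f-]{36}\}$' } |
            ForEach-Object { '{0} -> {1}' -f $_, (Get-ClsidState $_.TrimStart('!')) }
    }
}

Write-Output '== Run keys (O4) =='
foreach ($k in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    if (Test-Path $k) {
        $key = Get-Item $k
        foreach ($name in $key.GetValueNames()) {
            $cmd    = [Environment]::ExpandEnvironmentVariables([string]($key.GetValue($name)))
            $target = Get-CommandTarget $cmd
            $state  = $(if (Test-Path $target) { 'OK' } else { 'File not found' })
            '{0}: [{1}] {2} ({3})' -f $k, $name, $target, $state
        }
    }
}

Write-Output '== Winlogon\Notify (O20) =='
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DllName
        # A bare DLL name is loaded from System32, so look there as well.
        $found = $dll -and ((Test-Path $dll) -or (Test-Path (Join-Path "$env:windir\System32" $dll)))
        '{0} -> {1} ({2})' -f $_.PSChildName, $dll, $(if ($found) { 'OK' } else { 'File not found' })
    }
}

Write-Output '== hosts file entries (anything beyond the localhost lines deserves a look) =='
Get-Content "$env:windir\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
```

"No CLSID value found" and "File not found" entries are inert on their own, but they are still worth removing: the Run entry for a random-named executable under C:\ProgramData shows that the dropper was cleaned while its autostart was left behind, and that is exactly the kind of leftover the fix script clears.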

Thanks for the quick replies!

Pondus - I did try aswMBR in safe mode, no luck.

Files attached. Note: RogueKiller crashed on ShortcutsFix.

Still not happy about the MBR, so

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

- Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

- Click the Start Scan button.

- If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

- Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents in your next reply.

Sorry, no luck with TDSS Killer; it won’t run either…

Me thought so

When you get to the safe mode menu, is there the option to "Repair my Computer"?
If there is, are you able to access the command prompt?

Yes - I have options for Repair my Computer and Safe Mode w/command prompt.

OK, I will give full instructions, including the download and installation of the recovery console if your installed copy does not work.
Initially just download ListParts to the USB and run it from your recovery console.
Run from the bolded red section.
If that should fail, then download the other two programmes to create a recovery console on the stick.

Download the following three programmes to your desktop :

  1. WiNTBootIc
  2. Windows RC
  3. ListParts

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy Listparts to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here

When you reboot you will see this.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\Listparts64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.

https://dl.dropbox.com/u/73555776/listparts.GIF

Press Scan button.
It will make a log (results.txt) on the flash drive. Please copy and paste it to your reply.
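ListParts prints the disk's partition table so the helper can spot an entry that should not be there; the fix posted next repairs that table and is what made TDSSKiller and aswMBR run again. The PowerShell script below is an added example (not code from the thread, from ListParts, or from aswMBR) that parses a 512-byte master boot record and lists its four primary partition entries, flagging the two invariants any sane MBR must satisfy: exactly one entry carries the active (bootable) flag, and primary entries do not overlap. By default it parses a constructed sample sector embedded in the script so it runs without touching a disk; Read-MbrFromDevice reads sector 0 of a real drive and needs an elevated prompt. The checks are general MBR rules, not a description of what ListParts found on this particular machine (the thread only says the fix "killed the bad partition").

```powershell
# Added example: parse an MBR partition table and flag structural problems.
# The sample sector at the bottom is constructed for this example.

# Write one 16-byte partition entry into a sector buffer (used to build the sample).
function Set-MbrEntry {
    param([byte[]]$Sector, [int]$Index, [bool]$Bootable, [byte]$Type,
          [uint32]$StartLba, [uint32]$Sectors)
    $o = 0x1BE + 16 * $Index                               # table starts at offset 0x1BE
    if ($Bootable) { $Sector[$o] = 0x80 } else { $Sector[$o] = 0x00 }   # status byte
    $Sector[$o + 4] = $Type                                # partition type byte
    [BitConverter]::GetBytes($StartLba).CopyTo($Sector, $o + 8)   # LBA start, little-endian
    [BitConverter]::GetBytes($Sectors).CopyTo($Sector, $o + 12)   # sector count, little-endian
}

# Parse the partition table and return the entries plus any findings.
function Read-MbrTable {
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'MBR sector must be 512 bytes' }
    $findings = @()
    if ([BitConverter]::ToUInt16($Sector, 0x1FE) -ne 0xAA55) {
        $findings += 'boot signature 55 AA missing: not a valid MBR'
    }
    $entries = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 0x1BE + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }            # type 0x00 = empty slot
        $start = [BitConverter]::ToUInt32($Sector, $o + 8)
        $count = [BitConverter]::ToUInt32($Sector, $o + 12)
        $entries += New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])
            StartLBA = $start
            Sectors  = $count
            EndLBA   = [uint64]$start + $count             # exclusive end, no uint32 overflow
        }
    }
    # Exactly one entry should carry the active flag.
    $active = @($entries | Where-Object { $_.Bootable })
    if ($active.Count -ne 1) { $findings += "expected one active partition, found $($active.Count)" }
    # Primary partitions must not overlap one another.
    for ($a = 0; $a -lt $entries.Count; $a++) {
        for ($b = $a + 1; $b -lt $entries.Count; $b++) {
            $x = $entries[$a]; $y = $entries[$b]
            if ($x.StartLBA -lt $y.EndLBA -and $y.StartLBA -lt $x.EndLBA) {
                $findings += "entries $($x.Index) and $($y.Index) overlap"
            }
        }
    }
    New-Object PSObject -Property @{ Entries = $entries; Findings = $findings }
}

# Read sector 0 from a physical drive (elevated prompt required).
function Read-MbrFromDevice {
    param([string]$Device = '\\.\PhysicalDrive0')
    $fs = New-Object IO.FileStream -ArgumentList $Device, 'Open', 'Read', 'ReadWrite'
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "short read from $Device" }
        return $buf
    } finally { $fs.Close() }
}

# Constructed sample: a 100 MiB active system partition, a large OS partition,
# and a third entry that is also flagged active and overlaps the second.
$sample = New-Object byte[] 512
Set-MbrEntry $sample 0 $true  0x07 2048      204800
Set-MbrEntry $sample 1 $false 0x07 206848    976560128
Set-MbrEntry $sample 2 $true  0x07 976700000 20480
$sample[0x1FE] = 0x55; $sample[0x1FF] = 0xAA

$result = Read-MbrTable $sample          # swap in (Read-MbrFromDevice) for a live disk
$result.Entries | Format-Table Index, Bootable, Type, StartLBA, Sectors, EndLBA -AutoSize
$result.Findings | ForEach-Object { "FINDING: $_" }
```

On the sample the script reports two findings (two active partitions, and entries 1 and 2 overlapping). On a live disk, compare the table against what Disk Management shows: an entry the OS does not list, or a layout that violates either invariant, is the kind of thing to hand to a malware-removal specialist rather than delete by hand, since the boot code in the same sector may depend on it.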

Here you go:

Download the attached fix.txt to the same USB as listparts
Run Listparts as before then press FIX

When you reboot the computer go to the safe mode menu and select startup repair.
Then boot back to normal windows and try TDSSKiller again

The fix let both TDSSKiller and aswMBR run - TDSS found some things but I wasn’t able to copy the entire log file. I’ve attached screen shots of where the software flagged something.

So you’ll have it, here is the aswMBR log file. FWIW, I haven’t had a blocked URL warning since I ran the partition fix this morning; they had been popping about once a minute. Also tried Google in IE, no redirects…

Yep, that killed the bad partition. Could you run one more OTL quick scan please, selecting all users, and let me know of any outstanding problems.

Here you go.

That looks good. I would recommend that you update to IE9: http://www.microsoft.com/en-us/download/details.aspx?id=16792

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2013/01/05 14:40:31 | 000,000,000 | ---D | C] -- C:\Users\Ashley\Desktop\RK_Quarantine
[2013/01/05 13:06:29 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\Ashley\Desktop\aswMBR.exe
[2013/01/05 11:08:03 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Ashley\Desktop\tdsskiller.exe
[2013/01/06 06:53:13 | 000,000,512 | ---- | M] () -- C:\Users\Ashley\Desktop\MBR.dat
[2013/01/06 06:36:37 | 000,208,216 | ---- | M] () -- C:\Windows\SysNative\drivers\20574043.sys
[2013/01/05 16:03:52 | 000,815,681 | ---- | M] (Farbar) -- C:\Users\Ashley\Desktop\ListParts64.exe
[2013/01/05 16:01:32 | 000,858,112 | ---- | M] () -- C:\Users\Ashley\Desktop\WiNToBootic.exe
[2013/01/05 14:36:40 | 000,761,856 | ---- | M] () -- C:\Users\Ashley\Desktop\RogueKiller.exe
[2013/01/05 11:36:00 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\Ashley\Desktop\aswMBR.exe
[2013/01/02 23:21:42 | 000,000,981 | -H-- | M] () -- C:\Users\Ashley\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer (2).lnk
[2013/01/02 23:16:33 | 000,000,981 | -H-- | M] () -- C:\Users\Ashley\Desktop\Internet Explorer (3).lnk
[2013/01/02 21:24:11 | 000,000,981 | -H-- | M] () -- C:\Users\Ashley\Desktop\Internet Explorer (2).lnk

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, and reboot the PC when it is done

Run OTL and hit the Cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading, select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
- Go to this site and click Do I have Java
- It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean.

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then, as an added layer of protection, install Trusteer Rapport.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date, visit
- Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave:

Will do - I know that there’s at least one service pack that this machine needs; I’ll get everything up to date before I give it back to her. Thanks again!

My pleasure… Ooops missed sp2