Having Problems ridding my laptop with Rootkit.MBR.Sst.C (Boot image)

Please help

I have tried manually to remove it from the registry and cannot find the needed things to delete; I have run various programs to remove it.
I have included the following scan reports:
MBR & OTL

Thanks
Denyce

Hi, first we will get a second opinion, but I think it is accurate.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Hi,

Thank you. I just finished and it found nothing. Sorry, won’t save report.

Denyce

13:31:34.0931 0x1b58 [ F6FF8944478594D0E414D3F048F0D778, 6F75E0AE6127B33A92A88E59D4B048FD4C15F997807BE7BF0EFE76F95235B1D9 ] WmiAcpi C:\windows\system32\drivers\wmiacpi.sys
13:31:34.0932 0x1b58 WmiAcpi - ok
13:31:34.0969 0x1b58 [ 38B84C94C5A8AF291ADFEA478AE54F93, 1AC267AC73670BEA5F3785C9AD9DB146F8E993A862C843742B21FDB90D102B2A ] wmiApSrv C:\windows\system32\wbem\WmiApSrv.exe
13:31:34.0974 0x1b58 wmiApSrv - ok
13:31:35.0011 0x1b58 WMPNetworkSvc - ok
13:31:35.0049 0x1b58 [ 96C6E7100D724C69FCF9E7BF590D1DCA, 2E63C9B0893B4FC03B7A71BAEA6202D3D3DB1B52F3643467829B5A573FD7655B ] WPCSvc C:\windows\System32\wpcsvc.dll
13:31:35.0057 0x1b58 WPCSvc - ok
13:31:35.0076 0x1b58 [ 93221146D4EBBF314C29B23CD6CC391D, C0750858A65BF51E210CD244C825C121D67E025CD2D2455139991AAC289A90FE ] WPDBusEnum C:\windows\system32\wpdbusenum.dll
13:31:35.0088 0x1b58 WPDBusEnum - ok
13:31:35.0115 0x1b58 [ 6BCC1D7D2FD2453957C5479A32364E52, E48554D31FBDCF8F985C1C72524CAA9106F5B7CC2B79064F8F5E2562D517F090 ] ws2ifsl C:\windows\system32\drivers\ws2ifsl.sys
13:31:35.0117 0x1b58 ws2ifsl - ok
13:31:35.0134 0x1b58 [ E8B1FE6669397D1772D8196DF0E57A9E, 39FE0819360719F756BD31A1884A0508A1E2371ACC723E25E005CBEC0A7B02FA ] wscsvc C:\windows\System32\wscsvc.dll
13:31:35.0140 0x1b58 wscsvc - ok
13:31:35.0145 0x1b58 WSearch - ok
13:31:35.0257 0x1b58 [ D9EF901DCA379CFE914E9FA13B73B4C4, 3BE9693B7B2AFEE23D72AF5DA211379724D752F0EC18ACB7D3DE3DDFC5AE0004 ] wuauserv C:\windows\system32\wuaueng.dll
13:31:35.0316 0x1b58 wuauserv - ok
13:31:35.0348 0x1b58 [ AB886378EEB55C6C75B4F2D14B6C869F, D6C4602EB8F291DADEDF3CD211013D4AC752DDE7E799C2D8D74AA4F5477CAED6 ] WudfPf C:\windows\system32\drivers\WudfPf.sys
13:31:35.0351 0x1b58 WudfPf - ok
13:31:35.0387 0x1b58 [ DDA4CAF29D8C0A297F886BFE561E6659, 94E5DD649B5D86FA1A7C7D30FCF9644D0EE048D312E626111458ADF66BFBE978 ] WUDFRd C:\windows\system32\DRIVERS\WUDFRd.sys
13:31:35.0392 0x1b58 WUDFRd - ok
13:31:35.0424 0x1b58 [ B20F051B03A966392364C83F009F7D17, 88ECEB55AE91F58F592B96EBC10B572747D5A2F9B7629E8F371761E4F7408A65 ] wudfsvc C:\windows\System32\WUDFSvc.dll
13:31:35.0430 0x1b58 wudfsvc - ok
13:31:35.0463 0x1b58 [ FE90B750AB808FB9DD8FBB428B5FF83B, 3F8F592EC813BE292D305A87C5BA852F8BC3D7CE610612D9871F209A17326AA8 ] WwanSvc C:\windows\System32\wwansvc.dll
13:31:35.0472 0x1b58 WwanSvc - ok
13:31:35.0494 0x1b58 ================ Scan global ===============================
13:31:35.0515 0x1b58 [ BA0CD8C393E8C9F83354106093832C7B, 18D8A4780A2BAA6CEF7FBBBDA0EF6BF2DADF146E1E578A618DD5859E8ADBF1A8 ] C:\windows\system32\basesrv.dll
13:31:35.0548 0x1b58 [ 88EDD0B34EED542745931E581AD21A32, DC2B93E1CEF5B0BCEE08D72669BB0F3AD0E8E6E75BDC08858407ED92F6FFA031 ] C:\windows\system32\winsrv.dll
13:31:35.0564 0x1b58 [ 88EDD0B34EED542745931E581AD21A32, DC2B93E1CEF5B0BCEE08D72669BB0F3AD0E8E6E75BDC08858407ED92F6FFA031 ] C:\windows\system32\winsrv.dll
13:31:35.0592 0x1b58 [ D6160F9D869BA3AF0B787F971DB56368, 0033E6212DD8683E4EE611B290931FDB227B4795F0B17C309DC686C696790529 ] C:\windows\system32\sxssrv.dll
13:31:35.0619 0x1b58 [ 24ACB7E5BE595468E3B9AA488B9B4FCB, 63541E3432FCE953F266AE553E7A394978D6EE3DB52388D885F668CF42C5E7E2 ] C:\windows\system32\services.exe
13:31:35.0628 0x1b58 [ Global ] - ok
13:31:35.0629 0x1b58 ================ Scan MBR ==================================
13:31:35.0639 0x1b58 [ AF00FC1920E1CF861B39B90A4375EDF3 ] \Device\Harddisk0\DR0
13:31:36.0042 0x1b58 \Device\Harddisk0\DR0 - ok
13:31:36.0043 0x1b58 ================ Scan VBR ==================================
13:31:36.0077 0x1b58 [ 49CB008650366A15E1472CD4209CCAD4 ] \Device\Harddisk0\DR0\Partition1
13:31:36.0079 0x1b58 \Device\Harddisk0\DR0\Partition1 - ok
13:31:36.0109 0x1b58 [ 29E674A731682AD1CAF8626DE26066E4 ] \Device\Harddisk0\DR0\Partition2
13:31:36.0144 0x1b58 \Device\Harddisk0\DR0\Partition2 - ok
13:31:36.0145 0x1b58 Waiting for KSN requests completion. In queue: 348
13:31:37.0145 0x1b58 Waiting for KSN requests completion. In queue: 40
13:31:38.0145 0x1b58 Waiting for KSN requests completion. In queue: 40
13:31:39.0190 0x1b58 AV detected via SS2: avast! Internet Security, C:\Program Files\AVAST Software\Avast\VisthAux.exe ( 9.0.2008.177 ), 0x41000 ( enabled : updated )
13:31:39.0192 0x1b58 FW detected via SS2: avast! Internet Security, C:\Program Files\AVAST Software\Avast\VisthAux.exe ( 9.0.2008.177 ), 0x41010 ( enabled )
13:31:42.0072 0x1b58 ============================================================
13:31:42.0072 0x1b58 Scan finished
13:31:42.0072 0x1b58 ============================================================
13:31:42.0085 0x1bf4 Detected object count: 0
13:31:42.0085 0x1bf4 Actual detected object count: 0
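Added example (editor's code, not from the thread and not part of TDSSKiller): a small parser for the log shape posted above. It pulls each object's MD5/SHA-256 and verdict, tracks which scan section (global, MBR, VBR) an entry belongs to, reads the final object counters, and lists anything whose verdict is not "ok", which is the quick check a helper does before asking for another tool. The sample is a cut-down copy of the lines above; the assumption that a service or driver name never contains a space is marked in the code.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: lines copied from the TDSSKiller log posted above, cut down to
# one of each line shape the parser handles (hash line, verdict line, verdict with no
# preceding hash line, section header, MBR/VBR hash line, final counters).
SAMPLE_LOG = r"""
13:31:35.0049 0x1b58 [ 96C6E7100D724C69FCF9E7BF590D1DCA, 2E63C9B0893B4FC03B7A71BAEA6202D3D3DB1B52F3643467829B5A573FD7655B ] WPCSvc C:\windows\System32\wpcsvc.dll
13:31:35.0057 0x1b58 WPCSvc - ok
13:31:35.0011 0x1b58 WMPNetworkSvc - ok
13:31:35.0629 0x1b58 ================ Scan MBR ==================================
13:31:35.0639 0x1b58 [ AF00FC1920E1CF861B39B90A4375EDF3 ] \Device\Harddisk0\DR0
13:31:36.0042 0x1b58 \Device\Harddisk0\DR0 - ok
13:31:36.0043 0x1b58 ================ Scan VBR ==================================
13:31:36.0077 0x1b58 [ 49CB008650366A15E1472CD4209CCAD4 ] \Device\Harddisk0\DR0\Partition1
13:31:36.0079 0x1b58 \Device\Harddisk0\DR0\Partition1 - ok
13:31:42.0085 0x1bf4 Detected object count: 0
13:31:42.0085 0x1bf4 Actual detected object count: 0
"""

# Every line starts with "hh:mm:ss.ffff 0x<thread id> ".
PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4} 0x[0-9a-f]+ "
HASH_RE = re.compile(PREFIX + r"\[ (?P<md5>[0-9A-F]{32})(?:, (?P<sha256>[0-9A-F]{64}))? \] (?P<rest>.+)$")
SECTION_RE = re.compile(PREFIX + r"=+ Scan (?P<section>\w+) =+$")
COUNT_RE = re.compile(PREFIX + r"(?P<label>(?:Actual )?[Dd]etected object count): (?P<count>\d+)$")
VERDICT_RE = re.compile(PREFIX + r"(?P<name>\S+) - (?P<verdict>.+)$")


@dataclass
class Entry:
    name: str
    section: str            # "" for the part of the excerpt before any section header
    path: str = ""
    md5: Optional[str] = None
    sha256: Optional[str] = None
    verdict: Optional[str] = None


@dataclass
class ScanReport:
    entries: Dict[str, Entry] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)


def parse_tdsskiller_log(text: str) -> ScanReport:
    report = ScanReport()
    section = ""
    for line in text.splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m:
            rest = m["rest"]
            if rest.startswith("\\") or rest[1:3] == ":\\":
                # MBR/VBR and global-scan lines carry only a path; it doubles as the name.
                name = path = rest
            else:
                # Service/driver lines read "<name> <path>". Assumption: the name has no spaces.
                name, _, path = rest.partition(" ")
            entry = report.entries.setdefault(name, Entry(name=name, section=section))
            entry.path, entry.md5, entry.sha256 = path, m["md5"], m["sha256"]
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m["label"]] = int(m["count"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            # A verdict can appear without a hash line (e.g. a service whose file is absent).
            entry = report.entries.setdefault(m["name"], Entry(name=m["name"], section=section))
            entry.verdict = m["verdict"]
    return report


def needs_attention(report: ScanReport) -> List[str]:
    """Names whose verdict is missing or anything other than 'ok'."""
    return sorted(n for n, e in report.entries.items() if e.verdict != "ok")


def lookup_hashes(report: ScanReport) -> Set[str]:
    """Strongest hash available per entry, for checking against a known-good inventory."""
    return {e.sha256 or e.md5 for e in report.entries.values() if e.md5}


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(rep.entries)} objects, counters {rep.counts}")
    print("not ok:", needs_attention(rep) or "none")
    for e in rep.entries.values():
        print(f"[{e.section or '-'}] {e.name}: {e.verdict} {e.sha256 or e.md5 or ''}")
```

Run on the full log from the post, the same functions give the per-object hash list and an empty "not ok" set, which matches the two zero counters at the end of the scan.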

OK, let's try another check … Are you experiencing redirects?

[*]Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, Smartscreen Filter will need to be disabled.

[*]Quit all programs
[*]Start RogueKiller.exe.
[*]Wait until Prescan has finished …
[*]Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*]The report has been created on the desktop.

Done. It created a quarantine for avast & pc cleaner.

Denyce

Nothing evident there … I think Avast is hitting on the partition 4 due to the size. Although I would expect this partition to be hidden and active if it was bad.

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MQ01ABD075 ATA Device +++++
--- User ---
[MBR] 0b11fc6025f3978bb813d9a76c5b2cfc
[BSP] b8996950a1d301798fab0fb61d2dde23 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 701592 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1439934464 | Size: 12311 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1465149152 | Size: 0 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Could you go Start > Run and type in the following command followed by enter :

compmgmt.msc

In the page that opens select Storage > Disk Management.
Then take a screenshot of that page and attach it here.
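Added example (editor's code, not from the thread and not part of RogueKiller): the reasoning in the post above, applied to the partition table RogueKiller printed. The parser reads the "Partition table:" lines and the triage step flags exactly the things the helper looked at: an entry of 0 Mo (the stray slot that shows as RAW in Disk Management), a partition that is hidden (worth confirming as an OEM recovery volume) and, as the stronger sign, one that is both hidden and active; it also checks that exactly one partition is active and that no entry starts inside the one before it. Assumptions, marked in the code: 512-byte sectors, and "Mo" meaning whole megabytes, so a one-Mo rounding slack is allowed before calling something an overlap. The sample is the report from the post, re-split one field per line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The RogueKiller disk section from the thread, re-split one field per line.
SAMPLE_REPORT = r"""
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MQ01ABD075 ATA Device +++++
--- User ---
[MBR] 0b11fc6025f3978bb813d9a76c5b2cfc
[BSP] b8996950a1d301798fab0fb61d2dde23 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 701592 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1439934464 | Size: 12311 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1465149152 | Size: 0 Mo
User = LL1 ... OK!
User = LL2 ... OK!
"""

PARTITION_RE = re.compile(
    r"^(?P<index>\d+) - \[(?P<flag>ACTIVE|XXXXXX)\] (?P<name>\S+) \((?P<type>0x[0-9A-Fa-f]{2})\) "
    r"\[(?P<vis>VISIBLE|HIDDEN!)\] Offset \(sectors\): (?P<offset>\d+) \| Size: (?P<size>\d+) Mo$"
)

SECTORS_PER_MB = 2048   # assumption: 512-byte sectors; RogueKiller's "Mo" is megabytes
ROUNDING_SLACK = 2048   # sizes are whole Mo, so allow one Mo before calling an overlap


@dataclass
class Partition:
    index: int
    active: bool
    fs_name: str
    type_id: int
    hidden: bool
    offset_sectors: int
    size_mb: int

    @property
    def end_sector(self) -> int:
        return self.offset_sectors + self.size_mb * SECTORS_PER_MB


def parse_partition_table(report: str) -> List[Partition]:
    parts = []
    for line in report.splitlines():
        m = PARTITION_RE.match(line.strip())
        if m:
            parts.append(Partition(int(m["index"]), m["flag"] == "ACTIVE", m["name"],
                                   int(m["type"], 16), m["vis"] == "HIDDEN!",
                                   int(m["offset"]), int(m["size"])))
    return parts


# (code, partition index or None for a whole-table finding, note)
Finding = Tuple[str, Optional[int], str]


def triage(parts: List[Partition]) -> List[Finding]:
    findings: List[Finding] = []
    active = [p.index for p in parts if p.active]
    if len(active) != 1:
        findings.append(("active-count", None, f"expected one active partition, found {active}"))
    for p in parts:
        if p.size_mb == 0:
            findings.append(("zero-size", p.index,
                             "0 Mo entry: a stray/unformatted slot, shows as RAW in Disk Management"))
        if p.hidden and p.active:
            findings.append(("hidden-active", p.index,
                             "hidden AND active: boot control from a concealed partition, inspect first"))
        elif p.hidden:
            findings.append(("hidden", p.index,
                             f"hidden type {p.type_id:#04x}: usual for OEM recovery volumes, confirm it is one"))
    # Overlap check: each entry should start at or after the computed end of the previous one.
    by_offset = sorted(parts, key=lambda p: p.offset_sectors)
    for a, b in zip(by_offset, by_offset[1:]):
        if b.offset_sectors + ROUNDING_SLACK < a.end_sector:
            findings.append(("overlap", b.index, f"starts inside partition {a.index}"))
    return findings


if __name__ == "__main__":
    parts = parse_partition_table(SAMPLE_REPORT)
    for code, idx, note in triage(parts):
        print(f"{code:13} partition {idx}: {note}")
```

On the report above this yields two findings, "hidden" on partition 2 and "zero-size" on partition 3, and nothing for the active count or overlaps; partitions 0 to 2 are in fact laid out end to end, which is what the computed end sectors show.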

Hi, I’m sorry but it won’t let me print screen.

Denyce

Use the snipping tool… http://windows.microsoft.com/en-gb/windows7/use-snipping-tool-to-capture-screen-shots

Ok, ty, here it is.

OK, can you see the partition marked RAW? Could you right-click that > Select Properties and snip the tab that opens.

done

Denyce

OK, now right-click that partition again and select delete.

Once done, re-run Aswmbr.

You are wonderful! It’s gone!

Denyce

It was a kind of false positive due to it being such a small unformatted partition.

Any further problems?

Not a one! Thank you so very much!

Denyce

Run OTL and press cleanup to remove it and associated files.

done