Windows 7 Home Professional 64-bit

Dell Studio 1555 notebook. Was running McAfee Total Security. That has been removed using singularlabs link. Also had MSE and AVG installed while McAfee was active, used the same to remove all remnants before installing Avast! Avast! is running normally and is reporting no errors.

All Microsoft Updates applied. Avast! Free version 7.0.1466 (holding off until all issues resolved) vps 121106-2, Online Armor Free version 6.0.0.1736. Running IE 9 & FF 16.0.1.

Laptop brought in due to infections. Avast! detected 4, Malwarebytes found 1, and SUPERAntispyware 1, all were trojans or java exploits.

Programs downloaded so far:

  • AdwCleaner
  • Malwarebytes Free
  • OTL
  • aswMBR.exe

Of the above, only AdwCleaner and Malwarebytes have been run so far, and have produced needed logs. OTL is repeatedly hanging on Pattern Search when it is scanning …\Roaming Profiles\firefox\extensions.… and, consequently, is taking a very long time, over an hour so far, to run this part of the scan. Nothing like the “should not take very long”.

Firefox itself has hanging problems, as when completing a download that was called for, and must then be forcefully closed. Now using IE 9 to download all requested programs to begin the needed analysis. Will be using a second computer to transfer requested programs and logs if needed.

Have seen BSOD where page_fault_in_non_paged_area has popped up twice so far.

Strongly suspect a deeper infection not found or removed by the above programs; likely inside FF (for the most part.)

Will attach the OTL scan logs when they are produced; should be in an hour or so.

Second post to follow when OTL is done.

It is running, but it is struggling at times. Logs will be attached when that is done. Some logs were done on earlier initial scanning and cleaning; these date from 10/19/12; these are the initial logs produced, so they will be attached first.

Attached below are logs from programs run on 10/18/2012.

Attached: 1/18/2012 files.

Scans made 11/6-7/2012:

EDIT: Unable to run aswMBR either in normal admin or safe mode. Program hung about 2/3 done. OTL quick scan only and safe mode only. Program hung otherwise. All Users selected and 64-bit scan selected.

You will need to remove Norton, as all of its drivers are running… Let's look at the MBR another way.

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished…
  • Click on Scan.

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix.

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Thanks for getting back here.

Total numpty here. Posted OTL logs for XP pro system instead of the proper one, Win7.

Correct OTL logs posted below; OTL was never run on this system and has no Norton drivers.

Really sorry about this.

Have removed logs incorrectly posted above. Have not run RogueKiller yet due to this mistake.

Win7 task manager attached below:

I would still like RogueKiller run, but just the scan part.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[2012/10/28 14:27:58 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{88616112-f088-6e2b-0f89-0d559648f3a3}
O2:64bit: - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3117434815-1429745481-3712008996-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll File not found
O4:64bit: - HKLM..\Run: [] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-3117434815-1429745481-3712008996-1000\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Reg Error: Key error.)
O16:64bit: - DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Reg Error: Key error.)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

:Files
C:\Program Files (x86)\Search Toolbar

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished…
  • Click on Scan.

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.

Thank you.
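The OTL fix in the post above targets three kinds of leftover: BHO and toolbar entries whose CLSID no longer resolves ("No CLSID value found") or whose DLL is gone ("File not found"), and Internet Explorer "Restrictions" policy keys. The following PowerShell script is an added example, not part of the thread and not OTL's own code: it reads the same registry locations on the machine being examined (64-bit and Wow6432Node views, plus the current user's toolbar key), resolves each CLSID to its InprocServer32 DLL, and reports the entries that a fix script would target. It changes nothing and needs PowerShell 3.0 or later from an elevated prompt; the key paths are the standard IE registration points and are assumed to be the ones OTL reads.

```powershell
# Added example (not from the thread or from OTL): read-only audit of IE
# BHOs, toolbars and Restrictions policy keys. Reports; never deletes.

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A CLSID may be registered in the 64-bit, the 32-bit (Wow6432Node) or the
    # per-user class hive; the first InprocServer32 default value found wins.
    $candidates = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $dll = (Get-ItemProperty -LiteralPath $path).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function Get-EntryStatus {
    param([string]$Clsid)
    # Mirrors the two failure labels seen in the OTL log lines above.
    $dll = Resolve-ClsidDll $Clsid
    if (-not $dll) { return @{ Dll = $null; Status = 'No CLSID value found' } }
    if (-not (Test-Path -LiteralPath $dll)) { return @{ Dll = $dll; Status = 'File not found' } }
    return @{ Dll = $dll; Status = 'OK' }
}

$guid = '^\{[0-9A-Fa-f-]{36}\}$'

# BHOs (O2 lines): one subkey per CLSID under each Browser Helper Objects key.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Toolbars (O3 lines): the CLSIDs are value names under the Toolbar key;
# non-GUID values such as "Locked" are skipped.
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)

$findings = @()
foreach ($key in $bhoKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $s = Get-EntryStatus $sub.PSChildName
        $findings += [pscustomobject]@{ Kind = 'BHO'; Status = $s.Status; CLSID = $sub.PSChildName; Dll = $s.Dll; Key = $key }
    }
}
foreach ($key in $toolbarKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($name in (Get-Item -LiteralPath $key).GetValueNames()) {
        if ($name -notmatch $guid) { continue }
        $s = Get-EntryStatus $name
        $findings += [pscustomobject]@{ Kind = 'Toolbar'; Status = $s.Status; CLSID = $name; Dll = $s.Dll; Key = $key }
    }
}

# Policy restrictions (O6/O7 lines). Only the machine and current-user hives
# are checked; other users' hives would need HKU: mapped and their hives loaded.
$restrictionKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'
)
foreach ($key in $restrictionKeys) {
    $status = if (Test-Path -LiteralPath $key) { 'Restrictions present' } else { 'absent' }
    $findings += [pscustomobject]@{ Kind = 'Policy'; Status = $status; CLSID = ''; Dll = ''; Key = $key }
}

# Anything other than OK/absent is what a fix script would remove.
$findings | Where-Object { @('OK', 'absent') -notcontains $_.Status } |
    Format-Table Kind, Status, CLSID, Dll, Key -AutoSize
```

Compare the output with the O2/O3/O6/O7 lines of the OTL log before running any fix; an entry whose DLL resolves and exists is a legitimate add-on and should not be in the fix list.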

Because it is difficult to run OTL in normal admin mode, it may not be until tomorrow that a reply will be posted. RogueKiller will be run only in scan mode.

Will get back to you as soon as these logs are done.

WOW!

Making good progress here. OTL only took 20 minutes quick scan vs. close to three hours quick scan yesterday in safe mode. Scan in normal admin today. RK scan only; exited out without deleting anything.

Also temporarily disabled both Avast! and Online Armor for both scans. Windows Defender is present but not active; need to keep that?

Thanks.

It seems as though RogueKiller has problems reading LL2.

Do you have a USB drive handy?

Download the following three programmes to your desktop :

  1. WiNTBootIc
  2. Windows 7 64 bit RC
  3. ListParts64

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy Listparts64 to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this although yours will say windows 7.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\Listparts.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.

https://dl.dropbox.com/u/73555776/listparts.GIF

Press Scan button.
It will make a log (results.txt) on the flash drive. Please copy and paste it to your reply.

This LL2 problem may refer to a USB drive I left in by mistake while running RK.

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 1da897fc40e78a095c0d8328c4805f40
[BSP] e46f1b3991362d5a2c626fdccd4750dc : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 52 | Size: 15275 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Scan for C: drive may be normal? I could see if aswMBR.exe will now run, as some important cleansing/removal has been performed. That OK to try?
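The RogueKiller report quoted above is a summary of the first sector of the drive: a hash of the boot code and, for each of the four partition-table slots, the type byte, the LBA offset and the size. The PowerShell script below is an added example, not from the thread and not RogueKiller's code, that parses a 512-byte MBR into the same kind of summary. By default it parses a constructed sample MBR (one FAT32-LBA partition at sector 52; the bytes are made up for this example, not copied from the drive in the post) so it runs offline; pass `-Device '\\.\PhysicalDrive1'` from an elevated prompt to read a real drive's first sector instead. It only reads. The hash here is an MD5 of the 446-byte boot-code region for comparison against a backup such as the MBR.dat mentioned later in the thread; it is not claimed to match RogueKiller's own [MBR]/[BSP] values.

```powershell
# Added example (not from the thread or from RogueKiller): parse an MBR.
param([string]$Device = '')

# Common MBR partition type bytes; anything else is reported as unknown.
$typeNames = @{ 0x05 = 'Extended'; 0x07 = 'NTFS/exFAT'; 0x0b = 'FAT32'; 0x0c = 'FAT32-LBA';
                0x0f = 'Extended-LBA'; 0x27 = 'Windows RE'; 0xee = 'GPT protective' }

function Get-MbrBytes {
    param([string]$Device)
    if ($Device) {
        # Read-only open of the raw device; needs an elevated prompt.
        $fs = [System.IO.File]::Open($Device, 'Open', 'Read', 'ReadWrite')
        try { $b = New-Object byte[] 512; [void]$fs.Read($b, 0, 512); return ,$b }
        finally { $fs.Dispose() }
    }
    # Constructed sample (not the drive from the post): zeroed boot code, one
    # FAT32-LBA partition starting at sector 52, 31283200 sectors long
    # (15275 MB), and the 0x55AA signature. CHS fields are filler values.
    $b = New-Object byte[] 512
    $entry = [byte[]](@(0x00, 0x01, 0x01, 0x00, 0x0c, 0xfe, 0xff, 0xff) +
                      [BitConverter]::GetBytes([uint32]52) +
                      [BitConverter]::GetBytes([uint32]31283200))
    [Array]::Copy($entry, 0, $b, 446, 16)
    $b[510] = 0x55; $b[511] = 0xAA
    return ,$b
}

function Parse-Mbr {
    param([byte[]]$Mbr)
    # The 0x55AA signature at offset 510 is the only integrity check an MBR carries.
    $sigOk = ($Mbr.Length -ge 512 -and $Mbr[510] -eq 0x55 -and $Mbr[511] -eq 0xAA)
    # Hash the boot-code region (bytes 0..445) for comparison with a known-good copy.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $hash = ($md5.ComputeHash($Mbr, 0, 446) | ForEach-Object { $_.ToString('x2') }) -join ''
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i              # each partition entry is 16 bytes
        $type = [int]$Mbr[$o + 4]       # partition type byte
        if ($type -eq 0) { continue }   # empty slot
        $name = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { 'unknown' }
        $sectors = [BitConverter]::ToUInt32($Mbr, $o + 12)
        $parts += [pscustomobject]@{
            Slot          = $i
            Bootable      = ($Mbr[$o] -eq 0x80)
            Type          = ('0x{0:x2} {1}' -f $type, $name)
            OffsetSectors = [BitConverter]::ToUInt32($Mbr, $o + 8)
            SizeMB        = [math]::Round($sectors * 512 / 1MB)
        }
    }
    [pscustomobject]@{ SignatureValid = $sigOk; BootCodeMD5 = $hash; Partitions = $parts }
}

$result = Parse-Mbr (Get-MbrBytes $Device)
'Signature valid: {0}  Boot code MD5: {1}' -f $result.SignatureValid, $result.BootCodeMD5
$result.Partitions | Format-Table -AutoSize
```

On the constructed sample the script reports one slot of type 0x0c FAT32-LBA at offset 52 with a size of 15275 MB, the same layout the report above shows for the USB stick. For a real system drive, an unexpected boot-code hash or a partition whose offset or type does not match the visible disk layout is the signal to look harder at the MBR.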

hi essexboy,

Successfully ran aswMBR.exe. Attached below. Seems to hang on path for Windows Live for some reason, but today, scan completed.

Still need other programs run? Will RepairDiscWin7 require a cd to run? System has no cd/dvd drive atm, am replacing asap as the original broke when attempting to run Windows Image Backup around 10/18/2012. Means tearing the thing completely open once again, so…

Have copy of MBR.dat, need that also?

Wintobootic will create a USB with the Windows recovery console on it, so it is always a handy thing to have. The MBR looks clean.

What are the current problems on the system?

essexboy,

It is now running faster than in possibly two years, thanks to you and our teamwork here. Windows and browsers now snap in place, boot is half the time it was, generally much improved over the state it was in. It was in a bad place when I got it on 10/18/2012.

The fact that we got aswMBR.exe to run is significant. Top of the line job here.

Will run the system for about 48 hours under normal usage with the tools still in place and see how it goes.

BTW, have run sfc /scannow twice; both times it reported errors it could not fix. Something about a CBS log, unable to find that yet.

Also need to put the refurbished DVD/CD drive in, so that will take a little time.

Reset the folder options back to default settings, as I see two desktop.ini files on the desktop?

Attached find png where aswMBR.exe would hang forever before successful run. Why there? Seems strange to me.

Where was McAfee during all this? Asleep at the switch? ;D Avast! rules!

There was probably a corruption within that folder somewhere.

Generally I find the unfixable problems on sfc are .ini files, which are of no import.

You can run this from a command prompt to make the CBS log readable

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > c:\test.txt
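The findstr command above pulls every "[SR]" (System File Checker) line out of CBS.log; the lines that matter for "errors it could not fix" are the "Cannot repair member file" entries buried among them. The PowerShell script below is an added example, not from the thread, that does the same filtering and then parses those entries into file name, owning component and the reason CBS gives. It runs on constructed sample log lines by default (made up for this example in the CBS.log format, not taken from the poster's log); pass `-LogPath "$env:windir\Logs\CBS\CBS.log"` to read the real log. It needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): summarise SFC "[SR]" entries in CBS.log.
param([string]$LogPath = '')

# Constructed sample lines in CBS.log format; replace with -LogPath for real use.
$sampleLog = @'
2012-11-08 10:02:11, Info                  CBS    [SR] Verifying 100 (0x0000000000000064) components
2012-11-08 10:02:12, Info                  CBS    [SR] Beginning Verify and Repair transaction
2012-11-08 10:02:15, Info                  CBS    [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Example, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-11-08 10:02:15, Info                  CBS    [SR] This component was referenced by [l:44{22}]"Package_1_for_KB000000~31bf3856ad364e35~amd64~~6.1.1.0.000000"
2012-11-08 10:02:16, Info                  CBS    [SR] Repairing 1 components
2012-11-08 10:02:16, Info                  CBS    [SR] Repair complete
2012-11-08 10:02:16, Info                  CBS    [SR] Verify complete
'@

$lines = if ($LogPath) { Get-Content -LiteralPath $LogPath } else { $sampleLog -split "`r?`n" }

# Keep only SFC lines, exactly what findstr /c:"[SR]" does.
$sr = @($lines | Where-Object { $_ -match '\[SR\]' })

# Parse the unrepaired entries: file name, owning component, and the reason
# CBS appends after "in the store" (e.g. "hash mismatch",
# "source file in store is also corrupted").
$unrepaired = @()
foreach ($line in $sr) {
    if ($line -match 'Cannot repair member file \[l:\d+\{\d+\}\]"(?<file>[^"]+)" of (?<component>[^,]+),.* in the store[,;] ?(?<reason>.+)$') {
        $unrepaired += [pscustomobject]@{
            File      = $Matches['file']
            Component = $Matches['component']
            Reason    = $Matches['reason']
        }
    }
}

'{0} [SR] line(s), {1} file(s) SFC could not repair' -f $sr.Count, $unrepaired.Count
$unrepaired | Format-Table -AutoSize

# Flag anything that is not a .ini file, since those are the ones worth a closer look.
$unrepaired | Where-Object { $_.File -notlike '*.ini' } |
    ForEach-Object { "Non-.ini file not repaired: $($_.File) ($($_.Component))" }
```

On the sample the script reports seven [SR] lines and one unrepaired file, settings.ini, with reason "hash mismatch", and flags nothing further. Run against a real CBS.log after sfc /scannow, an unrepaired DLL, SYS or EXE (as opposed to an .ini) is the case where the repair source itself needs attention.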

Thanks.

As for the FF issues, primary one was that the browser would freeze/hang when downloading a file or visiting certain web pages. These issues seemed to come up after running the initial AdwCleaner scan and repair, but running that tool was necessary, in my view.

I now have tracked the freezing issue down to Flash. Attached .png to see the plugin responsible below. If disabled, FF works normally. If enabled, freeze will result. I think that there may be flash content not viewable in the web page window that is causing this crash.

Have taken the steps necessary to ensure a clean install of Flash by running Adobe Flash Uninstaller tool, rebooting, and then installing the latest 11.5 version. No dice when that is done. As things stand now, Flash videos cannot be viewed in FF, as it is either disabled or uninstalled. IE9 does not have Flash installed either, due to the difficulties here on this system; but this is by choice, not because it will not run in IE9.

This is the only issue left so far, excellent job. Am glad issues here did not require we delve more deeply into the system; as in a rootkit removal and then repairs afterwards.

As for the command line instructions, thank you for that.

Have a look here for Flash; it may help: http://support.mozilla.org/en-US/questions/930267

hi,

Ran cmd above, and got the test file. However, nothing is found. See below. Just out of curiosity here to see if anything needs to be fixed.

Nothing that I can see… It all now hinges on how you perceive the performance.