# Everything is gone

## Recommended Posts

Only if you want to. The easiest course of action may be to simply reformat and reinstall (or in the case of most computers purchased from companies such as Dell, HP, Gateway, Toshiba, etc. you would want to initialize the recovery partition). Let me know if you want to keep trying, however I can make no guarantees that I will be able to assist you in repairing the system with a reinstall.

##### Share on other sites

I do want to keep trying, even though I don't know if it can be repaired with downloading programs. I know that system restore won't fix anything. I don't think its a surprise to you that the hard drive still needs fixing, because I am getting bsod.

##### Share on other sites

Are you no longer able to start the computer in Safe Mode With Networking?

##### Share on other sites

So far I'm able to start in safe mode w/ networking, I was having connection problems for a while in safe mode w/networking, but fortunately I was able to find a way around it. I do currently have connection though in that mode (at least I hope), I also just left that mode and went to linux!

The bsod I am having, I tend to get whenever I am in regular windows, sometimes I need to be in windows briefly to try and galvanize the internet connection!

Edited by Gib
##### Share on other sites

I've been told that the rootkit your infected with should have been removed by TDSSKiller. It's possible that they've updated it to fix this, so lets get a new log from TDSSKiller.

3. Click on Change parameters as it shows in the following screenshot:

4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:

5. Click the Start scan button as in the following screenshot:

6. You will see the following as the scan runs:

7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:

8. Click on Report in the upper-right corner, as in the following screenshot:

9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.

10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.

11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:

13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

##### Share on other sites

Things gets worse, I think three days ago, I had seen your tdsskiller reply, but before I could respond heres what happened. I rebooted the computer and after all of that, working with the disk check I was doing in the past-it did a random disk check, but unfortunately I let it complete, because as soon as it completed I completely lost my internet connection, I don't know if you want me to try the disk check again, just to knock things back to correction, but then again I doubt something like that will work that way!

Linux isn't working anymore either, when it loads at the trademark screen you would hear sound that signifies that its loading and before you could see the f trademark it crashes, but keep in mind that theres a troubleshooting option I noticed.

Then things get worse when I go to check something with my flash dricve and ended up using it improperly and now the flash drive is dead, not only that but I don't have the receipt for the warranty, so I have to think about BUYING a brand new one. I do wonder if flash drives can be fixed though!

##### Share on other sites

That would depend on what is wrong with the flash drive. If it is just a partition/filesystem issue, then that should be fixable.

Also, many retailers can look up your receipt if you paid with a credit or debit card. If you paid with cash then it wouldn't be possible (unless you purchased from Fry's Electronics and one of the sales guys printed out a 'quote' for you).

##### Share on other sites

I got my flash drive from Office Depot. What happened was I inserted the flash drive while the computer was already on and then rebooted which is what I shouldn't have done. When I inserted it an icon was beginning to appear in the system tray and when I rebooted it ruined things, now when I insert it in, nothing happens, but the reason I'm at this library it to try and find a solution to my internet problems, because I need to get my connection back.

##### Share on other sites

You said the Linux disk no longer works? Have you checked to make sure that the disk hasn't gotten dirty and that it can no fingerprints on it? Lasers have a hard time reading CD's when there's something on the disk.

##### Share on other sites

Hopefully I will be getting my internet connection back sometime this week, but I had to send off for a new dsl modem because thwe one I have now, I had since 2006, so these things weren't meant to last a lifetime

The linux disk I will try and clean it before I insert it back in, but I'm almost certain its the laptop and not the disk, btw, I did try troubleshooting option and the pc crashed, not only that but when I try the cd anymore after that it crashes sooner.

##### Share on other sites

Are you certain that there's nothing physically wrong with your laptop? I know it's a long shot, but you wouldn't happen to have a Memtest86+ disk, would you?

##### Share on other sites

My bad, I thought it was the laptop, it isn't, the linux disk works now. I know what to do now when the linux disk have problems. I have a blank cd that I brought with me to the library, so I'm gonna go to the manufacturers website and burn a copy of the network adapter ( I hope I'm saying that right)!

What is the version of the last TDSSKiller you sent in reply #105, I'm trying to find out if tdsskillers' been upgraded.

##### Share on other sites

Current version of TDSSKiller appears to be 2.7.34.0 (not sure what it was when I posted my instructions in post #105). It may actually check for updates when it runs, but I cannot guarantee that.

##### Share on other sites

Don't worry, get me the log when you can.

If the topic gets locked, then you can send me a private message asking to have it unlocked.

##### Share on other sites

I can't get to the point of downloading the upgrsaded version, because I lost my connection to the internet, I haven't been able to connect since that random disk check my computer did. I think its been this way since late April, I called connect tech and tech support I don't know how many times but no one seems to have a solution. Tech su[pport told me to uninstall the network adaprtor and that made things worse, I think when the adaptor installs again its going to be Local Area Connection 5, becaue I've been uninstalling. I don't currently have an ip address but when I did have one it was 169.154.122.184 which means theres no communication between the modem and the computer, the local area connection would say "identifying"! I can't connect to the wireless network, because my modem doesn't have wireless capabilities and I would have to buy me a wireless router!

I'm wondering if you could loook for a good network adaptor download, because I created a network adaptor disk from mypcdrivers.com and I really don't know how to use the disk because when I place it in, nothing happens, but I know somethings burned to the disk. I also want to mention that on mypcdrivers.comk I got a message before the cd making that was negative, so if things with the cd is this way, I'm not surprised, here is the network adapter name along with the hardware id and compatible id and driver version:

Realtek RTL8101E Family PCI-E Fast Ethernet NIC (NDIS 6.20)

PCI\VEN_10EC&DEV_8136&SUBSYS_30CC103C&REV_01

PCI\VEN_10EC&DEV_8136&SUBSYS_30CC103C

PCI\VEN_10EC&DEV_8136&CC_020000

PCI\VEN_10EC&DEV_8136&CC_0200

PCI\VEN_10EC&DEV_8136&REV_01

PCI\VEN_10EC&DEV_8136

PCI\VEN_10EC&CC_020000

PCI\VEN_10EC&CC_0200

PCI\VEN_10EC

PCI\CC_020000

PCI\CC_0200

7.2.1127.2008

##### Share on other sites

If you can get the Linux disk to work, then you should be able to download files through it and save them on your hard drive. There should be an Internet browser named Konqueror on the Fedora Linux disk, since it is the KDE version and KDE always comes with Konqueror. It may also come with Firefox, as that at least used to be the default browser on Fedora Linux.

##### Share on other sites

Well, the linux disk is working now and I do have the konqueror, but I am having problems in every way trying to get the internet lately.

##### Share on other sites

What kind of Internet connection do you have? DSL? Cable? Is there a modem or a router that you connect to your computer to access the Internet?

##### Share on other sites

I connect using a dsl modem via at&t, I don't currently have a router but I know you can't just get them for free unfortunately. One thing I want to note is last night I ran tdsskiller (scan)and I was surprised it picked up something entirely different Rootkit.Boot.Pihar.b, I'm not at all stating that I don't have zeroaccess, but I believe one of the reasons I can't connect to the internet is because a virus is blocking me, I might have to go ahead and FIX this, to get the internet going. Coukld you see if tdsskiller would let me run and fix with this version I have, even though I want to use the upgraded version, that the virus has gotten too strong, hindering m,e from the internet, so right now I have 2.7.23.0 which isn't the upgrade!

##### Share on other sites

Lets try this. Please reset the Windows TCP/IP settings by following these steps:

1. Click on the Start button.
2. Go to All Programs.
3. Go to Accessories.
4. Right-click on Command Prompt and select Run as administrator.
5. Type in netsh int ip reset c:\resetlog.txt and then press Enter on your keyboard.

Let me know if that makes any difference.

##### Share on other sites

Well, I forgot to tell you but I already done that before, I also done netsh winsock reset catalog too, nevermind about contacting tdsskiller makers, I copyed the new tdsskiller download to a disk, so I'm hoping that will do the trick. Well thats the good news I have, were you aware that you could copy it to a disk?

Also, with whatever I find on the tdsskiller, could I go ahead and do the fix ( I also plan to do the fix on rootkit.boot.pihar.b ) , because I do intend to let you know what I find with the scanner!

##### Share on other sites

I recommend not allowing TDSSKiller to delete anything. Select Cure if it is available, otherwise select Skip.

##### Share on other sites

Ok, thats great, did you already know about copying tdsskiller to a disk?

##### Share on other sites

Yes, you can copy files to a CD if the CD is formatted with a UDF filesystem. TDSSKiller can be run from a CD or from a flash drive, if you need to download it from another computer.

##### Share on other sites

Ok, heres the informetion I have, I'm over at a mothers friend house right now, and I bought over a linux disk and a flash drive, but I couldn't for some reason get the com[puter to recognize the disk. I was planning on sending you a tdsskiller log, but I still have the log and my last try is the librarys' computer. What Office Depot left behind on my pc was a program called Malwarebytes Anti-Malware and I did an over 1 hr. scan on my computer yesterday and some 119 things came up, but I chose to try and fix 2 of them: rootkit.0access C:\system volume information\system restore\F... and rootkit.0access C:\tdsskiller_Quarantine\30.03.2012_12.36.16... when I made that attempt it said that there has to be a reboot process and I click it, then the pc went back to check disk mode at reboot.

Well I'll get back with you soon, because I have to also show you the log for MAM as well!

PS. as you already know I bought a new flash drive and I fixed the problem with my network adapter last night!

##### Share on other sites

Malwarebytes Anti-Malware is a popular removal tool (especially on UNITE and ASAP help forums), however it is not currently the most effective against rootkits. I actually use it myself, alongside Emsisoft Anti-Malware of course.

##### Share on other sites

Yes, I saw that you also use Malwarebytes, under your avatar !

So, right now here are the logs and I want to apologize that it isn't May 26th (today) but yesterdays logs:

##### Share on other sites

OK, I'm seeing some stuff in the MBAM log that needs removed. Only remove the things I have listed in the box below, as well as anything related to MyWebSearch (they are too numerous to list below and still be easy to follow):

C:\Windows\System32\config\systemprofile\AppData\Roaming\Yahoo!\Yahoo!\ulbzyvwiq.dll (Trojan.Agent.GMAGen) -> No action taken.
...
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Yahoo!\Yahoo!\ulbzyvwiq.dll",DllRegisterServer -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Yahoo!\Yahoo!\ulbzyvwiq.dll",DllRegisterServer -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> No action taken.
...
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\c3478a0-6f42fcd2 (Trojan.Zbot.Gen) -> No action taken.
...
C:\Windows\System32\config\systemprofile\AppData\Roaming\Yahoo!\Yahoo!\ulbzyvwiq.dll (Trojan.Agent.GMAGen) -> No action taken.

As for the TDSSKiller log, I do see a TDSS filesystem that could be removed, so go ahead and do that after running Malwarebytes Anti-Malware again and removing the items I listed above. Make sure that you select to skip everything else in TDSSKiller, unless there is a Cure option. Do not select Delete for any detections except the TDSS filesystem. You most certainly do not want TDSSKiller to delete unsigned drivers, as not every unsigned driver is malicious (even some of our drivers lack a digital signature).

##### Share on other sites

I know that trojan is sort of like spyware, but I only removed what you told me to remove.

There were trojan.agent..... threats which MBAM picked up, but I chose to leave those blank and

there were trojan.fakealert threats, one in particular had at the end of the directory something

familiar called "Cloud AV"!

I'm happy to say that I am at home, because I finally fixed the problem with my internet connection(problem fixed on Saturday)!

btw, with TDSSKiller Filesystem, there were only skip, copy to quarantine and delete options.

##### Share on other sites

OK, that MBAM log shows a couple of things were scheduled to be deleted on reboot, so I'll need you to run another Quick Scan with MBAM just to make sure that it did remove them. Also, make sure to update it before running the scan.

Yes, TDSSKiller has no 'cure' option for removing the TDSS filesystem. That's because the only way to deal with the TDSS filesystem is by deleting it. Technically, it should have been disabled by an earlier TDSSKiller run where I asked you to 'Cure' the detections that had that option (should be on the first page of this topic somewhere), however deleting it should still be safe.

##### Share on other sites

Ok, theres a tdsskiller upgrade I have now, but MBAM has picked up trojan.happili.xgen, atm.

How do I get the linux disk to work on all computers, what is it that I select at the disk prompt that shows at desktop?

##### Share on other sites

Go ahead and delete everything that MBAM is detecting, and get me a fresh Quick Scan log. After that, I want to see a ComboFix log (I'm not certain if there is still an infection loading on your system), so here's the instructions again:

* IMPORTANT !!! Save Combo-Fix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See HERE for help
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

• ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

##### Share on other sites

Soemthing is wrong with my pc again, it definitely happened after cf scan & reboot. My computer now takes ages to complete page loads, so there is definitely something in that CF log that says something (probably HKEY Local Machine) important has been deleted!

##### Share on other sites

Aha, some light has been shed on this issue. Lets see if this fix will work. I have written a script that will tell ComboFix how to delete some stuff I saw in your log. Here are instructions on what to do with the script:

[list=]
2. BleepingComputer
3. InfoSpyware

[*] Turn off your Anti-Virus software.

[*] Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

[*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

##### Share on other sites

I still have the problem with almost neverending loading, I also want to note my homepage has changed I don't know how it happened, even though I included a log, I want to let you know I think I forgot to disable the anti virus I apologize.

##### Share on other sites

OK, that logs looks a lot better.

Your homepages in IE and Firefox were changed by my script. You can change them back if you want.

Could you let me know which browser you are having this issue with (or if it is both of them)? Also, I need to see a fresh OTL log, because I don't see anything in the ComboFix log that explains this:

2. Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
4. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
5. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.

##### Share on other sites

Its ie, I've been using the ie browser forever, about the otl log, I had seen something on it about the svchost file missing. I couldn't produce an EXTRAS log, but thats nothing new.

##### Share on other sites

I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

1. Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window:
2. Then click the Run Fix button at the top.
3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

Ok, heree it is.

##### Share on other sites

OK, that looks better. Are you still having trouble browsing the Internet? If so, is it just Firefox or is it Internet Explorer as well?

##### Share on other sites

I'm still having problems, but its just with the ie browser. I just checked the firefox browser and everything seems to be ok with the performance.

##### Share on other sites

OK, try following the instructions at this link and see if that resolves the problem. Those are instructions on how to reset Internet Explorer to default settings (there's a 'FixIt' you can run at that link as well, if you don't want to try and do it on your own). Note that it will also reset your homepage again, so don't be too surprised when it happens.

##### Share on other sites

I'm still having problems, one thing that might help you that I spotted a while ago is that I noticed the absence of svchost (process) in the task manager!

##### Share on other sites

2. Copy and paste the following into the rectangular white box in MiniRegTool:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

3. Check Export keys radio button.
4. Press Go button and post the result.

##### Share on other sites

I think that did it, I think that fixed the problem I was having with the ie browser!

I searched all over my computer for that 'Result' log to no avail, so what I did was this: File > Save As > Result.txt!

##### Share on other sites

OK, I have written a script that will tell ComboFix how to fix one of the entries I saw in your log. Here are instructions on what to do with the script:

[list=]
2. BleepingComputer
3. InfoSpyware

[*] Turn off your Anti-Virus software.

[*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

##### Share on other sites

Things are messing up again in ie, unfortunately, its going to take you a while to analyze this log, because its lonnnnnnng.

##### Share on other sites

I got your private message saying things are fine now. When you are having trouble with Internet Explorer, does it get better after a restart, or does it just get better on its own after a while? Does the trouble only start after running ComboFix?

Also, lets get an anti-virus scan just to make sure that we are not missing anything. Please run an online virus scan through ESET by following the steps below:

1. Turn off your anti-virus software.
3. Click on the ESET Online Scanner button.
5. Click the 'Start' button just to the right of the checkbox.
6. Uncheck the box that says Remove found threats (this is very important).
8. Put a check in the box that says Scan for potentially unsafe applications.
9. Verify that Scan for potentially unwanted applications is also checked.
10. Verify that Enable Anti-Stealth technology is also checked.
11. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning.
12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs removed.

##### Share on other sites

Ok, heres the log, theres no doubt that the problem starts after running cf, however I opened firefox and was using that for a while then decided to go back to the ie browser and to my surprise I didn't get the loading problem that I got before. Also, I don't really think that restarting the pc was what did the trick!