Help! Virus redirects google and disabled MBAM


James A


That will do as well. :)

Please use that option, and wait for the recovery environment to load. If asked, provide your login data (if you have no password set, just leave it blank).

Choose the Command Prompt option. A command window will open.

Once at the command prompt type the following and press enter after each line:

c:

cd windows\system32\drivers

ren vbma92a1.sys vbma92a1.vir

exit

Now restart, boot in normal mode and run TDSSKiller once again; post me the log if possible.


2 infections, delete them?

2010/11/19 02:57:13.0948 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12

2010/11/19 02:57:13.0948 ================================================================================

2010/11/19 02:57:13.0949 SystemInfo:

2010/11/19 02:57:13.0949

2010/11/19 02:57:13.0949 OS Version: 6.0.6000 ServicePack: 0.0

2010/11/19 02:57:13.0949 Product type: Workstation

2010/11/19 02:57:13.0949 ComputerName: JAMES-PC

2010/11/19 02:57:13.0949 UserName: James

2010/11/19 02:57:13.0949 Windows directory: C:\Windows

2010/11/19 02:57:13.0949 System windows directory: C:\Windows

2010/11/19 02:57:13.0949 Processor architecture: Intel x86

2010/11/19 02:57:13.0949 Number of processors: 2

2010/11/19 02:57:13.0949 Page size: 0x1000

2010/11/19 02:57:13.0949 Boot type: Normal boot

2010/11/19 02:57:13.0949 ================================================================================

2010/11/19 02:57:14.0430 !crdlk

2010/11/19 02:57:14.0797 Initialize success

2010/11/19 02:57:18.0345 ================================================================================

2010/11/19 02:57:18.0345 Scan started

2010/11/19 02:57:18.0345 Mode: Manual;

2010/11/19 02:57:18.0345 ================================================================================

2010/11/19 02:57:23.0920 hcw18bda (6279a1be790eb8572c35c74dfcd4f411) C:\Windows\system32\drivers\hcw18bda.sys

2010/11/19 02:57:23.0934 Suspicious file (Forged): C:\Windows\system32\drivers\hcw18bda.sys. Real md5: 6279a1be790eb8572c35c74dfcd4f411, Fake md5: 1d85ac0c6a8cf43b654695d7947c6823

2010/11/19 02:57:23.0941 hcw18bda - detected Forged file (1)

2010/11/19 02:57:39.0533 vbma92a1 (1f5e1900459233d9b41793f9e531ef4c) C:\Windows\system32\drivers\vbma92a1.sys

2010/11/19 02:57:39.0556 Suspicious file (NoAccess): C:\Windows\system32\drivers\vbma92a1.sys. md5: 1f5e1900459233d9b41793f9e531ef4c

2010/11/19 02:57:39.0573 vbma92a1 - detected Locked file (1)

2010/11/19 02:57:46.0364 ================================================================================

2010/11/19 02:57:46.0364 Scan finished

2010/11/19 02:57:46.0364 ================================================================================

2010/11/19 02:57:46.0384 Detected object count: 2

2010/11/19 02:58:00.0072 Forged file(hcw18bda) - User select action: Skip

2010/11/19 02:58:00.0073 Locked file(vbma92a1) - User select action: Skip


No need to try, since it won't work; we need to work again from the command prompt. Since we now know the second file involved, it will be a bit easier though.

First we need to locate a replacement copy for the forged file.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    hcw18bda.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

This appears to be related to Hauppauge. Do you know if this is used on this computer? Just asking in order to determine if we can safely delete the file in case no replacement copies are found.


Not even sure what Hauppauge is, so it's never been used on this computer to my knowledge.

SystemLook 04.09.10 by jpshortstuff

Log created at 03:56 on 19/11/2010 by James

Administrator - Elevation successful

========== filefind ==========

Searching for "hcw18bda.sys"

C:\hp\DRIVERS\Hauppauge_Phantom\Driver18\hcw18bda.sys --a---- 354432 bytes [07:28 15/05/2007] [07:43 15/01/2007] 1D85AC0C6A8CF43B654695D7947C6823

C:\Windows\System32\drivers\hcw18bda.sys --a---- 354432 bytes [07:28 15/05/2007] [07:43 15/01/2007] 1D85AC0C6A8CF43B654695D7947C6823

C:\Windows\System32\DriverStore\FileRepository\hcw18bda.inf_2e22357d\Driver18\hcw18bda.sys --a---- 354432 bytes [07:28 15/05/2007] [07:43 15/01/2007] 1D85AC0C6A8CF43B654695D7947C6823

-= EOF =-


Please navigate to this file: C:\hp\DRIVERS\Hauppauge_Phantom\Driver18\hcw18bda.sys <-- right click the file and select "copy".

Now navigate to c:\windows, right click in an empty space and select "paste". You should now have the following file: c:\windows\hcw18bda.sys

Once that file is there, please reboot in the Recovery environment and start the Command prompt.

Type the following lines and press enter after each one.

c:

cd windows\system32\drivers

ren vbma92a1.sys vbma92a1.vir

ren hcw18bda.sys hcw18bda.vir

copy c:\windows\hcw18bda.sys hcw18bda.sys (you should now see: 1 file(s) copied)

exit

Restart and rerun TDSSkiller. Try to cure any forged file found (although nothing should be detected anymore).

You can now drag/drop any file that gives you an access denied error onto inherit.exe in order to restore its permissions.

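A check worth doing before copying a "replacement" driver over the flagged one. The SystemLook log above reports the same MD5 for all three copies of hcw18bda.sys, yet TDSSKiller flagged the System32\drivers copy as forged. SystemLook computed those hashes from inside the infected Windows, and a rootkit that filters disk reads can hand the original bytes back for the file it patched, so agreement between in-OS hashes proves little; the hash must be recomputed with the volume mounted offline (for example under xPUD) and compared with what SystemLook reported. The following is an added example and is not code from the thread, from SystemLook or from TDSSKiller. It parses SystemLook's filefind lines in the format shown above, recomputes each file's MD5 from an offline mount root, and picks a corroborated copy outside System32\drivers as the replacement. The file contents and the offline mount layout in `run_demo()` are constructed for the demonstration.

```python
"""Cross-check SystemLook :filefind MD5s against hashes recomputed from an offline mount."""
import hashlib
import re
import tempfile
from pathlib import Path

# One SystemLook filefind hit looks like:
# C:\Windows\System32\drivers\hcw18bda.sys --a---- 354432 bytes [07:28 15/05/2007] [07:43 15/01/2007] 1D85AC0C6A8CF43B654695D7947C6823
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_systemlook(text):
    """Return one dict per filefind hit: path, size, timestamps and the MD5 SystemLook saw in-OS."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].lower()
            hits.append(hit)
    return hits


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def win_to_mount(win_path, mount_root):
    """Map C:\\Windows\\... onto <mount_root>/Windows/... (drive letter dropped, e.g. /mnt/sda1)."""
    rest = win_path.split(":\\", 1)[1]
    return Path(mount_root).joinpath(*rest.split("\\"))


def verify_offline(hits, mount_root):
    """Compare SystemLook's in-OS MD5 with one recomputed from the offline mount.

    Three identical in-OS hashes are not proof the driver is clean; a mismatch between the
    in-OS MD5 and the offline MD5 of the same file is the tell-tale of a patched driver.
    """
    out = []
    for hit in hits:
        local = win_to_mount(hit["path"], mount_root)
        if not local.is_file():
            out.append({**hit, "offline_md5": None, "status": "missing-offline"})
            continue
        offline = md5_of(local)
        out.append({**hit, "offline_md5": offline,
                    "status": "consistent" if offline == hit["md5"] else "MISMATCH"})
    return out


def pick_replacement(verified):
    """Choose a copy outside System32\\drivers whose offline hash matches its in-OS report and is
    shared by at least one other consistent copy; return its Windows path, or None."""
    by_hash = {}
    for v in verified:
        if v["status"] == "consistent":
            by_hash.setdefault(v["offline_md5"], []).append(v)
    for group in by_hash.values():
        candidates = [v for v in group if "\\system32\\drivers\\" not in v["path"].lower()]
        if len(group) >= 2 and candidates:
            # Prefer the DriverStore copy: it is what Windows itself installs the driver from.
            candidates.sort(key=lambda v: "driverstore" not in v["path"].lower())
            return candidates[0]["path"]
    return None


def run_demo():
    """Constructed scenario: all three copies report the clean MD5 from inside Windows, but the
    System32\\drivers copy on the offline mount holds different bytes of the same length."""
    clean = b"MZ" + b"\x00" * 62 + b"constructed hcw18bda driver body, not a real driver"
    patched = clean[:-8] + b"patched!"  # same size, different content
    with tempfile.TemporaryDirectory() as mount:
        files = {
            r"C:\hp\DRIVERS\Hauppauge_Phantom\Driver18\hcw18bda.sys": clean,
            r"C:\Windows\System32\drivers\hcw18bda.sys": patched,
            r"C:\Windows\System32\DriverStore\FileRepository\hcw18bda.inf_2e22357d\Driver18\hcw18bda.sys": clean,
        }
        for win_path, body in files.items():
            p = win_to_mount(win_path, mount)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        in_os_md5 = hashlib.md5(clean).hexdigest().upper()  # what a read-filtering rootkit would show
        log = "\n".join(
            f"{p} --a---- {len(b)} bytes [07:28 15/05/2007] [07:43 15/01/2007] {in_os_md5}"
            for p, b in files.items()
        )
        verified = verify_offline(parse_systemlook(log), mount)
        return verified, pick_replacement(verified)


if __name__ == "__main__":
    results, replacement = run_demo()
    for r in results:
        print(f"{r['status']:16} {r['path']}")
    print("replacement:", replacement)
```

Run it from a live Linux environment with the Windows volume mounted read-only, feeding the real SystemLook.txt to `parse_systemlook()` and the mount point to `verify_offline()`; a `MISMATCH` on the System32\drivers copy confirms the forged-file verdict, and `pick_replacement()` returns the copy to use in the `copy` step of the recovery-console procedure.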

Okay so, when I did the command prompt all of the lines worked except for:

ren vbma92a1.sys vbma92a1.vir

It said "Duplicate file exists or the file cannot be found"

The others worked though, and after rerunning TDSS killer it found a forged file:

service name:disk

service type:kernel driver (0x1)

service start:boot

file:c:\windows\system32\drivers\disk.sys

and a locked file:

service name:vbma92a1

type:kernel

start:demand

file:c:\windows\system32\drivers\vbma92a1.sys

selected delete for the forged file and skipped the locked, came up with this log:

HKLM\SYSTEM\ControlSet001\services\disk - will be deleted after reboot

HKLM\SYSTEM\ControlSet002\services\disk - will be deleted after reboot

C:\Windows\system32\drivers\disk.sys - will be deleted after reboot

Now when I drag OTL onto inherit, it gives me access to the program again, but it still shuts down after I click quick scan, and then I have to redrag for permission.


Sorry, my bad, we already renamed the vbma92a1 file once, which is why it didn't work.

Since there is now another file infected (disk.sys), we first need to find a replacement. Delete also this file: c:\windows\system32\drivers\vbma92a1.vir

Please run the following script with SystemLook:

:filefind
disk.sys


Did you attempt to delete the disk.sys file?

What happens when you try to start windows?

Ugh, yes, I told TDSSKiller to delete disk.sys and vbma92a1. Did I totally screw up? It just says Windows failed to launch. Then it gives me the option to repair or start Windows normally, which goes to the Windows load bar and resets after a few seconds each time I try to boot Windows.


Did you try Repair Windows > Startup Repair?

The computer cannot start without disk.sys, but the computer should have some spare copies around. :) A startup repair should repair that.

In case startup repair doesn't work, we still have quite a few options left to fix it manually.



Yes, I've run the repair several times with no luck.

And thank you for your continued help


You are quite welcome. :) This is an extremely annoying infection due to the fact that it has two components, one of which patches a necessary Windows file. If one of the components is kept alive, it regenerates everything and in the process prevents any useful tool from running.

The following should help us locate a copy of disk.sys we can use to replace the deleted copy with.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt
    Please note - all text entries are case sensitive

Copy and paste the report.txt for my review


Sat Nov 20 01:56:32 UTC 2010

Driver report for /mnt/sda2/hp/apps/APP06783/src/Suport64/SRTSP/SRTSPx64/System32/Drivers

/mnt/sda2/hp/apps/APP06783/src/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtsp64.sys has NO Company Name!

/mnt/sda2/hp/apps/APP06783/src/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspl64.sys has NO Company Name!

/mnt/sda2/hp/apps/APP06783/src/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspx64.sys has NO Company Name!

e0af52a80fa12202bd6e91fd3d03005c /mnt/sda2/hp/apps/APP06783/src/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtsp64.sys

Symantec Corporation

f29be5027b6fd3459fc7818d463b3dd8 /mnt/sda2/hp/apps/APP06783/src/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspl64.sys

Symantec Corporation

8d8f19162c6191a8829d0bbde659a20b /mnt/sda2/hp/apps/APP06783/src/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspx64.sys

Symantec Corporation

Driver report for /mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers

/mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers/srtspl.sys has NO Company Name!

/mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys has NO Company Name!

/mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers/srtspx.sys has NO Company Name!

c70a2581e35e03c85f29aa1bc723659a /mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers/srtspl.sys

Symantec Corporation

ed5e9f3bf11d0bb770f652b22ec26465 /mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys

Symantec Corporation

05f2db228922e6b8a001ed83ee4d1153 /mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers/srtspx.sys

Symantec Corporation

Driver report for /mnt/sda1/Windows/System32/drivers

3c4b9850a2631c2263507400d029057b atksgt.sys has NO Company Name!

4127e8b6ddb4090e815c1f8852c277d3 lirsgt.sys has NO Company Name!

1f5e1900459233d9b41793f9e531ef4c vbma92a1.sys has NO Company Name!

b46aa621e7bd4fe150bcc140daceda1b 1394bus.sys

Microsoft Corporation

84fc6df81212d16be5c4f441682feccc acpi.sys

Microsoft Corporation

2edc5bbac6c651ece337bde8ed97c9fb adp94xx.sys

Adaptec

b84088ca3cdca97da44a984c6ce1ccad adpahci.sys

Adaptec

7880c67bccc27c86fd05aa2afb5ea469 adpu160m.sys

Adaptec

9ae713f8e30efc2abccd84904333df4d adpu320.sys

Adaptec

5d24caf8efd924a875698ff28384db8b afd.sys

Microsoft Corporation

ef23439cdd587f64c2c1b8825cead7d8 AGP440.sys

Microsoft Corporation

90395b64600ebb4552e26e178c94b2e4 aliide.sys

Acer Laboratories

2b13e304c9dfdfa5eb582f6a149fa2c7 AMDAGP.SYS

Microsoft Corporation

0577df1d323fe75a739c787893d300ea amdide.sys

Microsoft Corporation

dc487885bcef9f28eece6fac0e5ddfc5 amdk7.sys

Microsoft Corporation

0ca0071da4315b00fc1328ca86b425da amdk8.sys

Microsoft Corporation

957f7540b5e7f602e44648c7de5a1c05 arcsas.sys

Adaptec

5f673180268bb1fdb69c99b6619fe379 arc.sys

Adaptec

e86cf7ce67d5de898f27ef884dc357d8 asyncmac.sys

Microsoft Corporation

b35cfcef838382ab6490b321c87edf17 atapi.sys

Microsoft Corporation

a928bbca9235ac328953b34ca0c1f5a0 ataport.sys

Microsoft Corporation

3c4b9850a2631c2263507400d029057b atksgt.sys

b8c187439d27aba430dd69fdcf1fa657 avgldx86.sys

AVG Technologies

53b3f979930a786a614d29cafe99f645 avgmfx86.sys

AVG Technologies

22e3b793c3e61720f03d3a22351af410 avgtdix.sys

AVG Technologies

87d8e49d1615d419efceddefe02161cc battc.sys

Microsoft Corporation

7e1a145a316da06d339df644dee86c4c bdasup.sys

Microsoft Corporation

ac3dd1708b22761ebd7cbe14dcc3b5d7 beep.sys

Microsoft Corporation

913cd06fbe9105ce6077e90fd4418561 bowser.sys

Microsoft Corporation

9f9acc7f7ccde8a15c282d3f88b43309 BrFiltLo.sys

Brother Industries

56801ad62213a41f6497f96dee83755a BrFiltUp.sys

Brother Industries

2ac8f5b88771c31c4211a11be6bffe14 bridge.sys

Microsoft Corporation

b304e75cff293029eddf094246747113 BrSerId.sys

Brother Industries

203f0b1e73adadbbb7b7b1fabd901f6b BrSerWdm.sys

Brother Industries

bd456606156ba17e60a04e18016ae54b BrUsbMdm.sys

Brother Industries

af72ed54503f717a43268b3cc5faec2e BrUsbSer.sys

Brother Industries

ad07c1ec6665b8b35741ab91200c6b68 bthmodem.sys

Microsoft Corporation

6c3a437fc873c6f6a4fc620b6888cb86 cdfs.sys

Microsoft Corporation

837eef65af62d4e8a37c41d3879f7274 cdr4_xp.sys

Sonic Solutions

579da2f9f5401f55dae2cf8779d61dfc cdralw2k.sys

Sonic Solutions

8d1866e61af096ae8b582454f5e4d303 cdrom.sys

Microsoft Corporation

d1d2b10698d97df0fc95bc8c108f09c1 Classpnp.sys

Microsoft Corporation

45201046c776ffdaf3fc8a0029c581c8 cmdide.sys

CMD Technology

82b8c91d327cfecf76cb58716f7d4997 compbatt.sys

Microsoft Corporation

3596cb9ea8a12e6e858107912973ebfb crashdmp.sys

Microsoft Corporation

2a213ae086bbec5e937553c7d9a2b22c crcdisk.sys

Microsoft Corporation

22a7f883508176489f559ee745b5bf5d crusoe.sys

Microsoft Corporation

a7179de59ae269ab70345527894ccd7c dfsc.sys

Microsoft Corporation

f2e3834562c0b1b577ab4b5c405e6c5b Diskdump.sys

Microsoft Corporation

1ad3cc89d124bfc2e7c903834f3460fc disk.sys

Microsoft Corporation

ae1fdf7bf7bb6c6a70f67699d880592a djsvs.sys

Adaptec

d93fa484bb62fbe7e5ef335c5415d3cf Dot4Prt.sys

Microsoft Corporation

57b2d433a08b95e4f1b53a919937f3e5 Dot4.sys

Microsoft Corporation

599742c4260fb3e8edb3be148b8ce856 Dot4usb.sys

Microsoft Corporation

ee472cd2c01f6f8e8aa1fa06ffef61b6 drmkaud.sys

Microsoft Corporation

1660613337e5ebe07b4dd78c1a55c5c0 drmk.sys

Microsoft Corporation

5d975cd05fc673794501e3ce37aea6e0 Dumpata.sys

Microsoft Corporation

a253aa14ca560a4b8ba6e9d1f78ef10e dxapi.sys

Microsoft Corporation

b95202efd0464d226e7542c1e319c028 dxgkrnl.sys

Microsoft Corporation

61d4d58d09357f0598a04d1192a4b76c dxg.sys

Microsoft Corporation

c0b00e55cf82d122d25983c7a6a53dea e100b325.sys

Intel Corporation

f88fb26547fd2ce6d0a5af2985892c48 E1G60I32.sys

Intel Corporation

0efc7531b936ee57fdb4e837664c509f ecache.sys

Microsoft Corporation

e8f3f21a71720c84bcf423b80028359f elxstor.sys

Emulex

84a317cb0b3954d3768cdcd018dbf670 fastfat.sys

Microsoft Corporation

63bdada84951b9c03e641800e176898a fdc.sys

Microsoft Corporation

65773d6115c037ffd7ef8280ae85eb9d fileinfo.sys

Microsoft Corporation

c226dd0de060745f3e042f58dcf78402 filetrace.sys

Microsoft Corporation

6603957eff5ec62d25075ea8ac27de68 flpydisk.sys

Microsoft Corporation

a6a8da7ae4d53394ab22ac3ab6d3f5d3 fltMgr.sys

Microsoft Corporation

66a078591208baa210c7634b11eb392c fs_rec.sys

Microsoft Corporation

e216cf8c8605e546981098484b78d08b FWPKCLNT.SYS

Microsoft Corporation

4e1cd0a45c50a8882616cae5bf82f3c5 GAGP30KX.SYS

Microsoft Corporation

8182ff89c65e4d38b2de4bb0fb18564e GEARAspiWDM.sys

GEAR Software

1d85ac0c6a8cf43b654695d7947c6823 hcw18bda.sys

Hauppauge Computer Works

0db613a7e427b5663563677796fd5258 hdaudbus.sys

Microsoft Corporation

cb04c744be0a61b1d648faed182c3b59 HdAudio.sys

Microsoft Corporation

1338520e78d90154ed6be8f84de5fceb hidbth.sys

Microsoft Corporation

081655939fa6c09eec56da090f461ecc hidclass.sys

Microsoft Corporation

ff3160c3a2445128c5a6d9b076da519e hidir.sys

Microsoft Corporation

451a4d76448cee21407fb0a9a362c057 hidparse.sys

Microsoft Corporation

3c64042b95e583b366ba4e5d2450235e hidusb.sys

Microsoft Corporation

df353b401001246853763c4b7aaa6f50 HpCISSs.sys

Hewlett-Packard

72cc6a8ca7891031d6380db5025c773c HSX_CNXT.sys

Conexant

88749fbf8beb18c90e7d6626c8c1910b HSX_DP.sys

Conexant

fe440536bd98af772130dc3a6fe1915f HSXHWBS2.sys

Conexant

ea24fe637d974a8a31bc650f478e3533 http.sys

Microsoft Corporation

8420bf9ad8ae0b4a96f30bd7c8fb9adf i2omgmt.sys

Microsoft Corporation

324c2152ff2c61abae92d09f3cca4d63 i2omp.sys

Microsoft Corporation

1c9ee072baa3abb460b91d7ee9152660 i8042prt.sys

Microsoft Corporation

de01bf14ffb150c779fd561bd0e3c5c5 iaStor.sys

Intel Corporation

c957bf4b5d80b46c5017bf0101e6c906 iaStorV.sys

Intel Corporation

62f534791ae488a475a3e508d92af4cc igdkmd32.sys

Intel Corporation

2d077bf86e843f901d8db709c95b49a5 iirsp.sys

Intel Corp

72842d30081ab20d7c5d25695f18ed0e ikfileflt.sys

PC Tools

ae5686dcef113164dcd0b4e37845e016 ikfilesec.sys

PC Tools

96f3b8e177fc06a7779bd7f8a8801e90 iksysflt.sys

PC Tools

3983be160661109470967d956d851848 iksyssec.sys

PC Tools

988981c840084f480ba9e3319cebde1b intelide.sys

Microsoft Corporation

ce44cc04262f28216dd4341e9e36a16f intelppm.sys

Microsoft Corporation

880c6f86cc3f551b8fea2c11141268c0 ipfltdrv.sys

Microsoft Corporation

40f34f8aba2a015d780e4b09138b6c17 IPMIDrv.sys

Microsoft Corporation

10077c35845101548037df04fd1a420b ipnat.sys

Microsoft Corporation

f11a90fb3f44f37ad10a4893bb690065 irda.sys

Microsoft Corporation

a82f328f4792304184642d6d397bb1e3 irenum.sys

Microsoft Corporation

350fca7e73cf65bcef43fae1e4e91293 isapnp.sys

Microsoft Corporation

bced60d16156e428f8df8cf27b0df150 iteatapi.sys

Integrated Technology Express

06fa654504a498c30adca8bec4e87e7e iteraid.sys

Integrated Technology Express

b076b2ab806b3f696dab21375389101c kbdclass.sys

Microsoft Corporation

ed61dbc6603f612b7338283edbacbc4b kbdhid.sys

Microsoft Corporation

8638b6e2f34dc26ad3f98c89317c4104 kcom.sys

PC Tools

f1abf067a2e84352fc29dd4e0b12a20e klmdb.sys

Kaspersky Lab

0a829977b078dea11641fc2af87ceade ksecdd.sys

Microsoft Corporation

48314cdd79ce94b8f36bd6243323a310 ks.sys

Microsoft Corporation

4127e8b6ddb4090e815c1f8852c277d3 lirsgt.sys

fd015b4f95daa2b712f0e372a116fbad lltdio.sys

Microsoft Corporation

a2262fb9f28935e862b4db46438c80d2 lsi_fc.sys

LSI Logic

30d73327d390f72a62f32c103daf1d6d lsi_sas.sys

LSI Logic

e1e36fefd45849a95f1ab81de0159fe3 lsi_scsi.sys

LSI Logic

42885bb44b6e065b8575a8dd6c430c52 luafv.sys

Microsoft Corporation

c0d40beaa6dfc05602fc8f484696f7f5 mbamswissarmy.sys

Malwarebytes Corporation

654a3f014903dc62caf5e037f3d316d2 mbam.sys

Malwarebytes Corporation

0447888a6feb655068bd1696d1c16a5b mcd.sys

Microsoft Corporation

0cea2d0d3fa284b85ed5b68365114f76 mdmxsdk.sys

Conexant

d153b14fc6598eae8422a2037553adce megasas.sys

LSI Logic

21755967298a46fb6adfec9db6012211 modem.sys

Microsoft Corporation

7446e104a5fe5987ca9e4983fbac4f97 monitor.sys

Microsoft Corporation

5fba13c1a1841b0885d316ed3589489d mouclass.sys

Microsoft Corporation

b569b5c5d3bde545df3a6af512cccdba mouhid.sys

Microsoft Corporation

01f1e5a3e4877c931cbb31613fec16a6 mountmgr.sys

Microsoft Corporation

583a41f26278d9e0ea548163d6139397 mpio.sys

Microsoft Corporation

6e7a7f0c1193ee5648443fe2d4b789ec mpsdrv.sys

Microsoft Corporation

4fbbb70d30fd20ec51f80061703b001e Mraid35x.sys

LSI Logic

1d8828b98ee309d65e006f0829e280e5 mrxdav.sys

Microsoft Corporation

47e13ab23371be3279eef22bbfa2c1be mrxsmb10.sys

Microsoft Corporation

90b3fc7bd6b3d7ee7635debba2187f66 mrxsmb20.sys

Microsoft Corporation

8af705ce1bb907932157fab821170f27 mrxsmb.sys

Microsoft Corporation

742aed7939e734c36b7e8d6228ce26b7 msahci.sys

Microsoft Corporation

3fc82a2ae4cc149165a94699183d3028 msdsm.sys

Microsoft Corporation

729eafefd4e7417165f353a18dbe947d msfs.sys

Microsoft Corporation

5f454a16a5146cd91a176d70f0cfa3ec msisadrv.sys

Microsoft Corporation

4dca456d4d5723f8fa9c6760d240b0df msiscsi.sys

Microsoft Corporation

892cedefa7e0ffe7be8da651b651d047 mskssrv.sys

Microsoft Corporation

ae2cb1da69b2676b4cee2a501af5871c mspclock.sys

Microsoft Corporation

f910da84fa90c44a3addb7cd874463fd mspqm.sys

Microsoft Corporation

84571c0ae07647ba38d493f5f0015df7 msrpc.sys

Microsoft Corporation

4385c80ede885e25492d408cad91bd6f mssmbios.sys

Microsoft Corporation

c826dd1373f38afd9ca46ec3c436a14e mstee.sys

Microsoft Corporation

fa7aa70050cf5e2d15de00941e5665e5 mup.sys

Microsoft Corporation

227c11e1e7cf6ef8afb2a238d209760c ndis.sys

Microsoft Corporation

81659cdcbd0f9a9e07e6878ad8c78d3f ndistapi.sys

Microsoft Corporation

5de5ee546bf40838ebe0e01cb629df64 ndisuio.sys

Microsoft Corporation

397402adcbb8946223a1950101f6cd94 ndiswan.sys

Microsoft Corporation

1b24fa907af283199a81b3bb37e5e526 ndproxy.sys

Microsoft Corporation

356dbb9f98e8dc1028dd3092fceeb877 netbios.sys

Microsoft Corporation

e3a168912e7eefc3bd3b814720d68b41 netbt.sys

Microsoft Corporation

325d94481d81b7e909681de1f6a10cd7 netio.sys

Microsoft Corporation

2e7fb731d4790a1bc6270accefacb36e nfrd960.sys

IBM Corp

4f9832beb9fafd8ceb0e541f1323b26e npfs.sys

Microsoft Corporation

b488dfec274de1fc9d653870ef2587be nsiproxy.sys

Microsoft Corporation

37430aa7a66d7a63407adc2c0d05e9f6 ntfs.sys

Microsoft Corporation

e875c093aec0c978a90f30c9e0dfbb72 ntrigdigi.sys

N-trig Innovative Technologies

ec5efb3c60f1b624648344a328bce596 null.sys

Microsoft Corporation

07c186427eb8fcc3d8d7927187f260f7 NV_AGP.SYS

Microsoft Corporation

e69e946f80c1c31c53003bfbf50cbb7c nvraid.sys

NVIDIA Corporation

9e0ba19a28c498a6d323d065db76dffc nvstor.sys

NVIDIA Corporation

6da4a0fc7c0e83df0cb3cfd0a514c3bc nwifi.sys

Microsoft Corporation

be32da025a0be1878f0ee8d6d9386cd5 ohci1394.sys

Microsoft Corporation

2c8bae55247c4e09352e870292e4d1ab pacer.sys

Microsoft Corporation

0fa9b5055484649d63c303fe404e5f4d parport.sys

Microsoft Corporation

555a5b2c8022983bc7467bc925b222ee partmgr.sys

Microsoft Corporation

4f9a6a8a31413180d0fcb279ad5d8112 parvdm.sys

Microsoft Corporation

3b1901e401473e03eb8c874271e50c26 pciide.sys

Microsoft Corporation

406d01679063768e1a033b6afe2551b3 pciidex.sys

Microsoft Corporation

1085d75657807e0e8b32f9e19a1647c3 pci.sys

Microsoft Corporation

e6f3fb1b86aa519e7698ad05e58b04e5 pcmcia.sys

Microsoft Corporation

6349f6ed9c623b44b52ea3c63c831a92 PEAuth.sys

Microsoft Corporation

9a23e21eca1246950e440e158de50750 portcls.sys

Microsoft Corporation

0e3cef5d28b40cf273281d620c50700a processr.sys

Microsoft Corporation

d86b4a68565e444d76457f14172c875a pxhelp20.sys

Sonic Solutions

ccdac889326317792480c0a67156a1ec ql2300.sys

QLogic Corporation

81a7e5c076e59995d54bc1ed3a16e60b ql40xx.sys

QLogic Corporation

d2b3e2b7426dc23e185fbc73c8936c12 qwavedrv.sys

Microsoft Corporation

bd7b30f55b3649506dd8b3d38f571d2a rasacd.sys

Microsoft Corporation

68b0019fee429ec49d29017af937e482 rasl2tp.sys

Microsoft Corporation

ccf4e9c6cbbac81437f88cb2ae0b6c96 raspppoe.sys

Microsoft Corporation

c04dec5ace67c5247b150c4223970bb7 raspptp.sys

Microsoft Corporation

54129c5d9581bbec8bd1ebd3ba813f47 rdbss.sys

Microsoft Corporation

794585276b5d7fca9f3fc15543f9f0b9 RDPCDD.sys

Microsoft Corporation

e8bd98d46f2ed77132ba927fccb47d8b rdpdr.sys

Microsoft Corporation

980b56e2e273e19d3a9d72d5c420f008 RDPENCDD.sys

Microsoft Corporation

8830e790a74a96605faba74f9665bb3c rdpwd.sys

Microsoft Corporation

8804bcb4383859f66ffd51f049a1d744 rmcast.sys

Microsoft Corporation

09de72fcfc9c7ff59d6da1d5ae70a48f RNDISMP.sys

Microsoft Corporation

d49d61312b273de069584d48c81c8b1d rootmdm.sys

Microsoft Corporation

97e939d2128fec5d5a3e6e79b290a2f4 rspndr.sys

Microsoft Corporation

4a705bf2a6f7972f2f2ad8a0d8079f95 RTKVHDA.sys

Realtek Semiconductor

3edfb0089b9455b26154b572db650ee3 RTL8192su.sys

Realtek Semiconductor

3ce8f073a557e172b330109436984e30 sbp2port.sys

Microsoft Corporation

4019149e4e296072831c8855605d9fdc SBREDrv.sys

Sunbelt Software (raw version-info dump in the report; recoverable fields: FileDescription "Anti-Rootkit Engine", InternalName/OriginalFilename SBRE.sys, ProductName CounterSpy)

612a3d69e603dbbe5c3c1079186a0393 scdemu.sys

PowerISO Computing, Inc. (raw version-info dump in the report; recoverable fields: FileDescription "PowerISO Virtual Drive", OriginalFilename scdemu.sys, Comments http://www.poweriso.com)

f5dbd29fbdb39bf49af7bb81a4d9561d scsiport.sys

Microsoft Corporation

90a3935d05b494a5a39d37e71f09a677 secdrv.sys

Macrovision Corporation

68e44e331d46f0fb38f0863a84cd1a31 serenum.sys

Microsoft Corporation

c70d69a918b178d3c3b06339b40c2e1b serial.sys

Microsoft Corporation

450accd77ec5cea720c1cdb9e26b953b sermouse.sys

Microsoft Corporation

103b79418da647736ee95645f305f68a sffdisk.sys

Microsoft Corporation

8fd08a310645fe872eeec6e08c6bf3ee sffp_mmc.sys

Microsoft Corporation

9cfa05fcfcb7124e69cfc812b72f9614 sffp_sd.sys

Microsoft Corporation

46ed8e91793b2e6f848015445a0ac188 sfloppy.sys

Microsoft Corporation

d2a595d6eebeeaf4334f8e50efbc9931 SISAGP.SYS

Microsoft Corporation

cedd6f4e7d84e9f98b34b3fe988373aa sisraid2.sys

Silicon Integrated Systems

df843c528c4f69d12ce41ce462e973a7 sisraid4.sys

Silicon Integrated Systems

ac0d90738adb51a6fd12ff00874a2162 smb.sys

Microsoft Corporation

4e7bb783f21efba4b563f1b8f79e5c98 smclib.sys

Microsoft Corporation

426f9b029aa9162ceccf65369457d046 spldr.sys

Microsoft Corporation

297ed36343de583013757975af58da84 spsys.sys

Microsoft Corporation

afa91d542fa0ffc0471f43de0de34f0b sptd.sys

Duplex Secure

c70a2581e35e03c85f29aa1bc723659a srtspl.sys

Symantec Corporation

ed5e9f3bf11d0bb770f652b22ec26465 srtsp.sys

Symantec Corporation

05f2db228922e6b8a001ed83ee4d1153 srtspx.sys

Symantec Corporation

6971a757af8cb5e2cbcbb76cc530db6c srv2.sys

Microsoft Corporation

9e1a4603b874eebce0298113951abefb srvnet.sys

Microsoft Corporation

038579c35f7cad4a4bbf735dbf83277d srv.sys

Microsoft Corporation

ed386e31d263448b2ed36d4839f2ca04 Storport.sys

Microsoft Corporation

c13b3688451d86e8557ba9486ddbb2d1 stream.sys

Microsoft Corporation

1379bdb336f8158c176a465e30759f57 swenum.sys

Microsoft Corporation

192aa3ac01df071b541094f251deed10 symc8xx.sys

LSI Logic

a16d76baa5d2cbe45c57fa582c1208e5 symdns.sys

Symantec Corporation

403bd24fa5c55fc648abdd039629a954 SYMEVENT.SYS

Symantec Corporation

c64d200569a18ea6c676266dee3ac158 symfw.sys

Symantec Corporation

8c8eb8c76736ebaf3b13b633b2e64125 sym_hi.sys

LSI Logic

7764d3d7a3c858f04ced3c1f16410d89 symids.sys

Symantec Corporation

d193684004658fe4f3f143ca6dd9ef8b symndisv.sys

Symantec Corporation

829830a3ca1c5e329d68e26c9cd2de8d symredrv.sys

Symantec Corporation

b1aa9704124b494c34e8d372e6654196 symtdi.sys

Symantec Corporation

8072af52b5fd103bbba387a1e49f62cb sym_u3.sys

LSI Logic

c92e9f3e4154415ceebeb80250e32d19 tape.sys

Microsoft Corporation

5ce0c4a7b12d0067dad527d72b68c726 tcpipreg.sys

Microsoft Corporation

4a82fa8f0df67aa354580c3faaf8bde3 tcpip.sys

Microsoft Corporation

bbe07d2766fb165bdf1f49107dabce85 tdi.sys

Microsoft Corporation

964248aef49c31fa6a93201a73ffaf50 tdpipe.sys

Microsoft Corporation

7d2c1ae1648a60fce4aa0f7982e419d3 tdtcp.sys

Microsoft Corporation

ab4fde8af4a0270a46a001c08cbce1c2 tdx.sys

Microsoft Corporation

2c549bd9dd091fbfaa0a2a48e82ec2fb termdd.sys

Microsoft Corporation

29f0eca726f0d51f7e048bdb0b372f29 tssecsrv.sys

Microsoft Corporation

65e953bc0084d44498b51f59784d2a82 TUNMP.SYS

Microsoft Corporation

4a39bda5e0fd30bdf4884f9d33ae6105 tunnel.sys

Microsoft Corporation

c3ade15414120033a36c0f293d4a4121 UAGP35.SYS

Microsoft Corporation

6348da98707ceda8a0dfb05820e17732 udfs.sys

Microsoft Corporation

75e6890ebfce0841d3291b02e7a8bdb0 ULIAGPKX.SYS

Microsoft Corporation

3cd4ea35a6221b85dcc25daa46313f8d uliahci.sys

ULi Electronics

38c3c6e62b157a6bc46594fada45c62b ulsata2.sys

Promise Technology

8514d0e5cd0534467c5fc61be94a569f ulsata.sys

Promise Technology

3fb78f1d1dd86d87bececd9dffa24dd9 umbus.sys

Microsoft Corporation

08ea9c0247f391af4d4a16885a1c159d umpass.sys

Microsoft Corporation

b930b3e1f15824cee12b5838ed8ee40b usb8023.sys

Microsoft Corporation

4b8a9c16b6d9258ed99c512aecb8c555 usbaapl.sys

Apple

f6bf998ae33e3fb6c7d27f0560f1173f USBAUDIO.sys

Microsoft Corporation

d2f0639163b12f791f81b52dc1155863 USBCAMD2.sys

Microsoft Corporation

391e74f5c8c5b3c41c360b71798e2801 USBCAMD.sys

Microsoft Corporation

b0ba9caffe9b0555ec0317f30cb79cd2 usbccgp.sys

Microsoft Corporation

e9476e6c486e76bc4898074768fb7131 usbcir.sys

Microsoft Corporation

4c54f915bf3542be3decdb1a933c4c45 usbd.sys

Microsoft Corporation

c9fcd05b0a80ea08c2768e5a279b14de usbehci.sys

Microsoft Corporation

5e44f7d957f7560da06bfe6b84b58a35 usbhub.sys

Microsoft Corporation

38dbc7dd6cc5a72011f187425384388b usbohci.sys

Microsoft Corporation

97706e9e0eb6e454db1b1ff5c3a4f00d usbport.sys

Microsoft Corporation

b51e52acf758be00ef3a58ea452fe360 usbprint.sys

Microsoft Corporation

b1f95285c08ddfe00c0b955462637ec7 usbscan.sys

Microsoft Corporation

7887ce56934e7f104e98c975f47353c5 USBSTOR.SYS

Microsoft Corporation

d864735b0bfcb65440960a0b7cc1a38d usbuhci.sys

Microsoft Corporation

1f5e1900459233d9b41793f9e531ef4c vbma92a1.sys

7d92be0028ecdedec74617009084b5ef vgapnp.sys

Microsoft Corporation

17a8f877314e4067f8c8172cc6d9101c vga.sys

Microsoft Corporation

045d9961e591cf0674a920b6ba3ba5cb VIAAGP.SYS

Microsoft Corporation

56a4de5f02f2e88182b0981119b4dd98 viac7.sys

Microsoft Corporation

fd2e3175fcada350c7ab4521dca187ec viaide.sys

VIA Technologies

d1fa901e4878b7011fe8a8c2890e90c7 videoprt.sys

Microsoft Corporation

103e84c95832d0ed93507997cc7b54e8 volmgr.sys

Microsoft Corporation

294da8d3f965f6a8db934a83c7b461ff volmgrx.sys

Microsoft Corporation

80dc0c9bcb579ed9815001a4d37cbfd5 volsnap.sys

Microsoft Corporation

d984439746d42b30fc65a4c3546c6829 vsmraid.sys

VIA Technologies

c466021d31ff6c0a6069d12299d80c0b VSTBS23.SYS

Conexant

5c7bdcf5864db00323fe2d90fa26a8a2 VSTCNXT3.SYS

Conexant

ec36f1d542ed4252390d446bf6d4dfd0 VSTDPV3.SYS

Conexant

bd32d7007cb505d3b1c29e3d0ef2a46a VX3000.sys

Microsoft Corporation

48dfee8f1af7c8235d4e626f0c4fe031 wacompen.sys

Microsoft Corporation

6798c1209a53b5a0ded8d437c45145ff wanarp.sys

Microsoft Corporation

3a1f38a6fb749fc7a57a2826f6f8fb01 watchdog.sys

Microsoft Corporation

7b5f66e4a2219c7d9daf9e738480e534 Wdf01000.sys

Microsoft Corporation

7bfdaa4b0b327d13c0ff60d00cf4f113 WdfLdr.sys

Microsoft Corporation

afc5ad65b991c1e205cf25cfdbf7a6f4 wd.sys

Microsoft Corporation

701a9f884a294327e9141d73746ee279 wmiacpi.sys

Microsoft Corporation

20b05e362bb678cf51d610673c9a12e7 wmilib.sys

Microsoft Corporation

2d27171b16a577ef14c1273668753485 WpdUsb.sys

Microsoft Corporation

84620aecdcfd2a7a14e6263927d8c0ed ws2ifsl.sys

Microsoft Corporation

3d80328aa84d9fe130d869cf83923d74 WUDFPf.sys

Microsoft Corporation

a2aafcc8a204736296d937c7c545b53f WUDFRd.sys

Microsoft Corporation

9d8f196d9fbb74f8e3ec5cdfd77c90e6 WUSBGXP.sys

Cisco-Linksys

dab33cfa9dd24251aaa389ff36b64d4b XAudio.sys

Conexant

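The driver.sh report above is what the helper reads by eye: entries marked "has NO Company Name!" (here vbma92a1.sys, atksgt.sys and lirsgt.sys) and hashes that can be compared between the System32\drivers copy and the copies elsewhere on the disk. The following is an added example, not code from the thread or from driver.sh, that does that triage mechanically: it parses the report's `Driver report for <dir>` / `<md5> <file>` / `<company>` layout, merges the duplicate lines the tool prints for no-company files, flags entries without a CompanyName, flags one driver file name appearing with different MD5s in different directories (the situation with disk.sys once it was patched), and optionally checks every hash against an allowlist. The sample report and all hashes in it are constructed for the demonstration and are not the values from the real report.

```python
"""Triage a driver.sh-style report: no CompanyName, and one file name with differing MD5s."""
import re
from collections import defaultdict
from posixpath import basename

HEADER_RE = re.compile(r"^Driver report for (?P<dir>\S+)")
ENTRY_RE = re.compile(
    r"^(?P<md5>[0-9a-fA-F]{32})\s+(?P<file>\S+)(?P<nocomp>\s+has NO Company Name!)?\s*$"
)

# Constructed hashes for the sample below (not the values from the real report).
H_ACPI, H_HCW, H_VBMA = "ac91" * 8, "1d85" * 8, "f00d" * 8
H_DISK_STORE, H_DISK_SYS32, H_SRTSP = "d15c" * 8, "bad0" * 8, "5e7a" * 8

# Constructed sample in the layout driver.sh prints; the DriverStore directory name is made up.
SAMPLE_REPORT = f"""
Driver report for /mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers
{H_SRTSP} /mnt/sda2/hp/apps/APP06783/src/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys
Symantec Corporation

Driver report for /mnt/sda1/Windows/System32/drivers
{H_VBMA} vbma92a1.sys has NO Company Name!
{H_ACPI} acpi.sys
Microsoft Corporation
{H_DISK_SYS32} disk.sys
Microsoft Corporation
{H_HCW} hcw18bda.sys
Hauppauge Computer Works
{H_VBMA} vbma92a1.sys

Driver report for /mnt/sda1/Windows/System32/DriverStore/FileRepository/disk.inf_00000000
{H_DISK_STORE} disk.sys
Microsoft Corporation
"""


def parse_driver_report(text):
    """Return one entry per (directory, file name, md5) with the CompanyName that followed it.

    driver.sh lists no-company files twice (once flagged, once in the main listing without a
    company line); both are merged into a single entry whose company is the empty string.
    """
    seen = {}
    current_dir = None
    pending = None  # entry still waiting for its company line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            current_dir, pending = h.group("dir"), None
            continue
        e = ENTRY_RE.match(line)
        if e:
            key = (current_dir, basename(e.group("file")), e.group("md5").lower())
            entry = seen.get(key)
            if entry is None:
                entry = {"dir": key[0], "name": key[1], "md5": key[2], "company": None}
                seen[key] = entry
            if e.group("nocomp"):
                entry["company"] = entry["company"] or ""
                pending = None
            else:
                pending = entry
            continue
        # Any other non-empty line is the CompanyName for the entry just above it.
        if pending is not None:
            pending["company"] = line
            pending = None
    return list(seen.values())


def triage(entries, known_good=None):
    """Flag entries with no CompanyName, file names whose MD5 differs between directories,
    and (if an allowlist of hashes is given) every hash not on it."""
    no_company = sorted((e["dir"], e["name"], e["md5"]) for e in entries if not e["company"])
    by_name = defaultdict(dict)  # name -> md5 -> {dirs}
    for e in entries:
        by_name[e["name"]].setdefault(e["md5"], set()).add(e["dir"])
    conflicts = {name: {md5: sorted(dirs) for md5, dirs in hashes.items()}
                 for name, hashes in by_name.items() if len(hashes) > 1}
    unknown = []
    if known_good is not None:
        unknown = sorted({(e["name"], e["md5"]) for e in entries if e["md5"] not in known_good})
    return {"no_company": no_company, "hash_conflicts": conflicts, "not_in_allowlist": unknown}


if __name__ == "__main__":
    result = triage(parse_driver_report(SAMPLE_REPORT), known_good={H_ACPI, H_HCW, H_DISK_STORE, H_SRTSP})
    for d, name, md5 in result["no_company"]:
        print(f"NO COMPANY  {md5} {d}/{name}")
    for name, hashes in result["hash_conflicts"].items():
        print(f"HASH CONFLICT {name}: {hashes}")
    for name, md5 in result["not_in_allowlist"]:
        print(f"NOT ALLOWLISTED {md5} {name}")
```

Against the real report.txt, `hash_conflicts` is the list to act on first: a driver whose System32\drivers copy hashes differently from its DriverStore or OEM copy is the candidate for replacement, and the copy that agrees with the other sources is the one to copy back. A missing CompanyName alone is only a lead (copy-protection drivers such as the atksgt/lirsgt pair in the report also lack one), so pair it with a hash allowlist where one exists.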

Can you please delete the following file:

/mnt/sda1/Windows/System32/drivers/vbma92a1.sys (you can browse to it using xPUD and then right click > delete).

I think TDSSkiller also nicely got rid of the disk service, which is a bit difficult to recreate, so we'll need to use a spare copy of the registry hives.

We can also do this with a system restore, but that will get us back to the point where we are not sure what file is infected this time.

The following will look for any system restore points available (if we do it this way, the registry will be restored, but not the associated files, vbma92a1.sys in our case, nor will disk.sys be re-infected).

Download http://noahdfear.net/downloads/rst.sh to the USB drive

  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review


No luck there. Can you try to do a System Restore (using the Repair Windows option on startup) to a date before you last ran TDSSkiller?

If you are not sure which point to choose, please list them for me (if available).

If none is available, we can use the Repair hives, however, I'd rather not do that since they are quite old.


This topic is now closed to further replies.