
Google Redirect after Windows Recovery Virus


A friend of mine had her laptop compromised by the "Windows Recovery" virus. She was able to remove the virus, but the irritating Google/Bing/etc. redirect remains. I have run multiple AV programs against the computer, to no effect. I have run through the steps in the FAQ, including running the defogger.exe file. Below are the DDS.txt contents.

I apologize if I forgot a step. Thank you.

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 8.0.7600.16385

Run by Maureeca at 21:49:17 on 2011-06-20

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1012.196 [GMT -5:00]

.

AV: Emsisoft Anti-Malware *Disabled/Outdated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\Emsisoft Anti-Malware\a2service.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\IDT\WDM\aestsrv.exe

C:\Windows\System32\bgsvcgen.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe

C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Hewlett-Packard\HP CloudDrive\zumodrive.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Emsisoft Anti-Malware\a2guard.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe

C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [HP Quick Launch] c:\program files\hewlett-packard\hp quick launch\HPMSGSVC.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [ZumoDrive] "c:\program files\hewlett-packard\hp clouddrive\ZumoLauncher.lnk"

mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [a-squared] "c:\program files\emsisoft anti-malware\a2guard.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpmedi~1.lnk - c:\program files\hewlett-packard\hp media suite\home\ArcStart.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{462E1D44-792C-4554-AEE4-7E0F2C6F540F} : DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{73E565AA-2FD6-4DEC-975F-1D4E996EB6FD} : DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{73E565AA-2FD6-4DEC-975F-1D4E996EB6FD}\16474777966696 : DhcpNameServer = 192.168.4.1 64.134.255.2 64.134.255.10

TCP: Interfaces\{73E565AA-2FD6-4DEC-975F-1D4E996EB6FD}\64543523030373 : DhcpNameServer = 192.168.0.1 192.168.0.1

Notify: igfxcui - igfxdev.dll

mASetup: {4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B} - c:\program files\hewlett-packard\hp media suite\home\HPMediaSuite.exe "/installer"

mASetup: {4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B} - c:\windows\system32\wscript.exe "c:\program files\hewlett-packard\hp media suite\home\PinItem.vbs"

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]

R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2011-6-20 41928]

R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2011-6-20 11776]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.0.0.128\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-20 691248]

R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.0.0.128\definitions\ipsdefs\20110128.003\IDSvix86.sys [2011-1-30 353912]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]

R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\nis\1206000.01d\symnets.sys [2011-5-9 296568]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-6-20 2978720]

R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2010-11-24 81920]

R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2010-5-21 140272]

R2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\hpqwmm\quickweb\qw.sys\config\DVMExportService.exe [2010-7-1 338168]

R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-6-18 103992]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-10-14 92216]

R2 HPWMISVC;HPWMISVC;c:\program files\hewlett-packard\hp quick launch\HPWMISVC.exe [2010-7-2 27192]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]

R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2010-5-17 1615176]

R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-6-20 73728]

R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\drivers\RtsPStor.sys [2010-11-24 230944]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-11-24 267880]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-19 366640]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]

.

=============== Created Last 30 ================

.

2011-06-20 18:42:00 -------- d-sh--w- C:\$RECYCLE.BIN

2011-06-20 17:06:49 98816 ----a-w- c:\windows\sed.exe

2011-06-20 17:06:49 518144 ----a-w- c:\windows\SWREG.exe

2011-06-20 17:06:49 256512 ----a-w- c:\windows\PEV.exe

2011-06-20 17:06:49 208896 ----a-w- c:\windows\MBR.exe

2011-06-20 04:56:58 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2011-06-20 04:53:10 1137360 ----a-w- C:\fsbl.exe

2011-06-20 04:24:48 -------- d-----w- c:\users\maureeca\appdata\roaming\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1

2011-06-20 00:42:08 311296 ----a-w- c:\windows\system32\drivers\srv.sys

2011-06-20 00:42:08 309760 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-06-20 00:42:08 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-06-20 00:42:00 338944 ----a-w- c:\windows\system32\drivers\afd.sys

2011-06-20 00:42:00 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-06-20 00:41:50 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-06-20 00:41:37 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-06-20 00:41:27 740864 ----a-w- c:\windows\system32\inetcomm.dll

2011-06-20 00:41:13 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-06-20 00:41:04 759296 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll

2011-06-20 00:39:46 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-06-20 00:39:46 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-06-20 00:39:46 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-06-20 00:36:16 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{19600a4b-a981-437c-9565-e1b2816b276b}\mpengine.dll

2011-06-20 00:28:28 -------- d-----w- c:\users\maureeca\appdata\roaming\Malwarebytes

2011-06-20 00:28:17 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-20 00:28:15 -------- d-----w- c:\programdata\Malwarebytes

2011-06-20 00:28:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-18 15:47:18 -------- d-----w- c:\users\maureeca\appdata\local\ElevatedDiagnostics

2011-05-24 21:59:19 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-24 21:59:00 123904 ----a-w- c:\windows\system32\poqexec.exe

.

==================== Find3M ====================

.

2011-05-25 00:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-13 01:10:49 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-03-31 03:00:09 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys

2011-03-31 03:00:09 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys

2011-03-29 03:07:26 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-03-29 03:06:51 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-03-29 03:06:47 284160 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-03-29 03:06:43 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-03-29 03:06:39 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-03-29 03:06:37 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-03-29 03:06:34 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

.

============= FINISH: 21:53:24.76 ===============


Hello and welcome!

I see you have run Combofix. Can you please post me the log at c:\combofix.txt?

Please rerun DDS and also post attach.txt.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Thank you.

I forgot to mention that I tried running tdsskiller.exe, but it failed. I downloaded the file and tried executing it. It asked me if I wanted to allow the program to run, and I confirmed, but then nothing else happened. I renamed the file to a random name, epcol.com, and re-ran it, to the same effect.

I didn't run combofix, but my friend may have before giving me the file. I will post that file. I thought I had attached the attach.txt but maybe I screwed up; I will attach again. I will rerun DDS as well.

Thank you.

ComboFix.txt

Attach.txt


In that case, let's take the manual approach.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record (MBR) of your drive and see if it is infected.

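For reading the mbr.bin that the dd command above produces, here is an added example (not from this thread or from any tool mentioned in it): a Python triage script that validates the sector's structure, decodes the partition table and hashes the boot code so it can be compared with a copy taken from a known-clean machine of the same model. The sample image it builds is constructed inline; its disk-signature value and partition layout are assumptions.

```python
"""Offline triage of a 512-byte MBR image such as the mbr.bin produced by
dd if=/dev/sda of=mbr.bin bs=512 count=1.  Added example, not part of the
original thread.  Checks the 0x55AA boot signature, decodes the four
partition-table entries, counts active (bootable) partitions and hashes the
boot code for comparison against a clean reference.  The sample image below
is constructed here, not captured from a real disk."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # boot code proper; 440..446 hold disk signature + padding
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition-table entry (LBA fields are little-endian)."""
    status, _c1, _c2, _c3, ptype, _e1, _e2, _e3, lba_start, sectors = struct.unpack(
        "<BBBBBBBBII", entry)
    return {
        "active": status == 0x80,
        "status": status,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": ptype == 0x00,
    }


def analyze_mbr(image: bytes) -> dict:
    """Return structural findings for a raw MBR sector.

    An empty findings list means the layout is sane; it says nothing about the
    boot code itself, which is why its MD5 is returned for comparison."""
    if len(image) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(image)}")
    findings = []
    signature = struct.unpack_from("<H", image, SIGNATURE_OFF)[0]
    if signature != 0xAA55:  # bytes 0x55 0xAA read little-endian as 0xAA55
        findings.append(f"missing boot signature: 0x{signature:04X}")
    partitions = [
        parse_partition_entry(image[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)
    ]
    used = [p for p in partitions if not p["empty"]]
    for p in used:
        # Only 0x00 and 0x80 are valid status bytes on a standard MBR.
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition at LBA {p['lba_start']} has odd status 0x{p['status']:02X}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition type 0x{p['type']:02X} has zero start or length")
    active = [p for p in used if p["active"]]
    if used and len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    # Overlapping partitions are another sign the table was hand-edited.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions overlap around LBA {s2}")
    return {
        "boot_code_md5": hashlib.md5(image[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", image, 440)[0],
        "partitions": partitions,
        "findings": findings,
    }


def build_sample_mbr(boot_code: bytes = b"\x00" * BOOT_CODE_LEN,
                     with_signature: bool = True) -> bytes:
    """Constructed sample: one active NTFS partition starting at LBA 2048."""
    image = bytearray(SECTOR)
    image[:BOOT_CODE_LEN] = boot_code
    struct.pack_into("<I", image, 440, 0x12345678)          # disk signature (sample value)
    struct.pack_into("<BBBBBBBBII", image, PART_TABLE_OFF,
                     0x80, 0x20, 0x21, 0x00,                 # active, CHS start (not used here)
                     0x07, 0xFE, 0xFF, 0xFF,                 # NTFS, CHS end
                     2048, 409600)                           # LBA start, sector count
    if with_signature:
        image[SIGNATURE_OFF:SECTOR] = b"\x55\xAA"
    return bytes(image)


if __name__ == "__main__":
    report = analyze_mbr(build_sample_mbr())
    print("boot code md5:", report["boot_code_md5"])
    for p in report["partitions"]:
        if not p["empty"]:
            print(f"type 0x{p['type']:02X} start {p['lba_start']} "
                  f"sectors {p['sectors']} active={p['active']}")
    print("findings:", report["findings"] or "none")
```

To run it on a real capture, replace the sample with `analyze_mbr(open("mbr.bin", "rb").read())`; the MD5 is only meaningful next to one taken from a clean install of the same Windows version.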

No need for that, we can do this with a USB drive as well. :)

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt
    Please note - all text entries are case sensitive

Copy and paste the report.txt for my review


Download driver.sh to your USB drive

  • Boot the infected computer in xPUD.
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt
    Please note - all text entries are case sensitive

Copy and paste the report.txt for my review

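As an added example (not the thread's driver.sh, whose source is not on this page), this Python script re-creates the check behind the report it produces: hash every driver in a System32\drivers folder and pull the CompanyName string from its version resource, flagging files that carry none. The sample driver images are constructed inline; the parser locates the standard VS_VERSION_INFO String structure by its UTF-16LE key rather than walking the PE resource tree, which is an assumption that holds for normally built drivers.

```python
"""Inventory Windows drivers: MD5 plus CompanyName from the version resource,
flagging files with no company name, in the spirit of the driver.sh report.
Added example, not the original driver.sh.  VS_VERSION_INFO stores each string
as: WORD wLength, WORD wValueLength (in WCHARs incl. terminator), WORD wType,
UTF-16LE key, padding to a DWORD boundary, UTF-16LE value."""
import hashlib
import os
import struct
from typing import Dict, List, Optional

COMPANY_KEY = "CompanyName".encode("utf-16-le") + b"\x00\x00"
HEADER_LEN = 6   # the three WORDs that precede the key


def company_name(data: bytes) -> Optional[str]:
    """Return the CompanyName value embedded in a PE image, or None if absent/empty."""
    idx = data.find(COMPANY_KEY)
    if idx < HEADER_LEN:
        return None
    _w_length, value_len, _w_type = struct.unpack_from("<HHH", data, idx - HEADER_LEN)
    pos = idx + len(COMPANY_KEY)
    pos += (-pos) % 4                      # value starts on a DWORD boundary
    raw = data[pos:pos + 2 * value_len]
    value = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return value or None


def build_version_string(key: str, value: str) -> bytes:
    """Build one String structure of a VS_VERSION_INFO block (constructed sample)."""
    key_bytes = key.encode("utf-16-le") + b"\x00\x00"
    value_bytes = (value.encode("utf-16-le") + b"\x00\x00") if value else b""
    body = key_bytes + b"\x00" * ((-(HEADER_LEN + len(key_bytes))) % 4) + value_bytes
    return struct.pack("<HHH", HEADER_LEN + len(body), len(value_bytes) // 2, 1) + body


def inventory_blobs(files: Dict[str, bytes]) -> List[dict]:
    """Hash each .sys image and extract its CompanyName; rows sorted by file name."""
    rows = []
    for name in sorted(files):
        if not name.lower().endswith(".sys"):
            continue
        data = files[name]
        rows.append({"file": name,
                     "md5": hashlib.md5(data).hexdigest(),
                     "company": company_name(data)})
    return rows


def inventory_dir(driver_dir: str) -> List[dict]:
    """Read every file in driver_dir (e.g. a mounted Windows/System32/drivers)."""
    files = {}
    for name in os.listdir(driver_dir):
        path = os.path.join(driver_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[name] = fh.read()
    return inventory_blobs(files)


def format_report(rows: List[dict]) -> str:
    """Render rows in the style of the driver.sh report: flagged entries first."""
    lines = [f"{r['md5']} {r['file']} has NO Company Name!"
             for r in rows if r["company"] is None]
    for r in rows:
        if r["company"] is not None:
            lines.append(f"{r['md5']} {r['file']}")
            lines.append(r["company"])
    return "\n".join(lines)


def sample_drivers() -> Dict[str, bytes]:
    """Constructed stand-ins for driver images; not real Microsoft or Symantec files."""
    stub = b"MZ" + b"\x90" * 62   # 64-byte fake DOS header keeps the resource DWORD-aligned
    return {
        "disk.sys": stub + build_version_string("CompanyName", "Microsoft Corporation"),
        "volsnap.sys": stub + build_version_string("FileDescription", "Volume Shadow Copy"),
        "ironx86.sys": stub + build_version_string("CompanyName", ""),
    }


if __name__ == "__main__":
    print(format_report(inventory_blobs(sample_drivers())))
```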

Thanks again. Here are the contents of the report.txt file:

Sat Jun 25 13:14:08 UTC 2011

Driver report for /mnt/sda2/Windows/System32/drivers
NIS/1206000.01D/ironx86.sys has NO Company Name!
NIS/1206000.01D/srtsp.sys has NO Company Name!
NIS/1206000.01D/srtspx.sys has NO Company Name!
NIS/1206000.01D/symds.sys has NO Company Name!
NIS/1206000.01D/symefa.sys has NO Company Name!
NIS/1206000.01D/symnets.sys has NO Company Name!

7c28b63e4c9e5c3be7ffe53789593619 volsnap.sys has NO Company Name!


Microsoft Corporation

0e1787aa6c9191d3d319e8bafe86f80c ndiscap.sys

Microsoft Corporation

23759d175a0a9baaf04d05047bc135a8 ndis.sys

Microsoft Corporation

e4a8aec125a2e43a9e32afeea7c9c888 ndistapi.sys

Microsoft Corporation

b30ae7f2b6d7e343b0df32e6c08fce75 ndisuio.sys

Microsoft Corporation

267c415eadcbe53c9ca873dee39cf3a4 ndiswan.sys

Microsoft Corporation

af7e7c63dcef3f8772726f86039d6eb4 ndproxy.sys

Microsoft Corporation

80b275b1ce3b0e79909db7b39af74d51 netbios.sys

Microsoft Corporation

dd52a733bf4ca5af84562a5e2f963b91 netbt.sys

Microsoft Corporation

e87fe6daf5a1b0845a0e376f4269f75b netio.sys

Microsoft Corporation

58218ec6b61b1169cf54aab0d00f5fe2 netw5v32.sys

Intel Corporation

1d85c4b390b0ee09c7a46b91efb2c097 nfrd960.sys

IBM Corp

a73399804d5d4a8b20ba60fcf70c9f1f NIS/1206000.01D/ironx86.sys

Symantec Corporation

83726cf02eced69138948083e06b6eac NIS/1206000.01D/srtsp.sys

Symantec Corporation

4e7eab2e5615d39cf1f1df9c71e5e225 NIS/1206000.01D/srtspx.sys

Symantec Corporation

9bbeb8c6258e72d62e7560e6667aad39 NIS/1206000.01D/symds.sys

Symantec Corporation

d5c02629c02a820a7e71bca3d44294a3 NIS/1206000.01D/symefa.sys

Symantec Corporation

cc71cf163de8b62ccd077e20e909c960 NIS/1206000.01D/symnets.sys

Symantec Corporation

1db262a9f8c087e8153d89bef3d2235f npfs.sys

Microsoft Corporation

e9a0a4d07e53d8fea2bb8387a3293c58 nsiproxy.sys

Microsoft Corporation

187002ce05693c306f43c873f821381f ntfs.sys

Microsoft Corporation

ef2b9a14ec5dd74ade3417faf1b45e16 nuidfltr.sys

Microsoft Corporation

f9756a98d69098dca8945d62858a812c null.sys

Microsoft Corporation

5a0983915f02bae73267cc2a041f717d NV_AGP.SYS

Microsoft Corporation

f1b0bed906f97e16f6d0c3629d2f21c6 nvraid.sys

NVIDIA Corporation

4520b63899e867f354ee012d34e11536 nvstor.sys

NVIDIA Corporation

26384429fcd85d83746f63e798ab1480 nwifi.sys

Microsoft Corporation

08a70a1f2cdde9bb49b885cb817a66eb ohci1394.sys

Microsoft Corporation

6270ccae2a86de6d146529fe55b3246a pacer.sys

Microsoft Corporation

2ea877ed5dd9713c5ac74e8ea7348d14 parport.sys

Microsoft Corporation

ff4218952b51de44fe910953a3e686b9 partmgr.sys

Microsoft Corporation

eb0a59f29c19b86479d36b35983daadc parvdm.sys

Microsoft Corporation

afe86f419014db4e5593f69ffe26ce0a pciide.sys

Microsoft Corporation

ede040d666ff81bf1978d0f19f799e7a pciidex.sys

Microsoft Corporation

c858cb77c577780ecc456a892e7e7d0f pci.sys

Microsoft Corporation

f396431b31693e71e8a80687ef523506 pcmcia.sys

Microsoft Corporation

250f6b43d2b613172035c6747aeeb19f pcw.sys

Microsoft Corporation

9e0104ba49f4e6973749a02bf41344ed PEAuth.sys

Microsoft Corporation

60a044879c4fa76314494f5fddc43b93 point32.sys

Microsoft Corporation

d72708c9f49500c13d7d067e169b7715 portcls.sys

Microsoft Corporation

85b1e3a0c7585bc4aae6899ec6fcf011 processr.sys

Microsoft Corporation

ab95ecf1f6659a60ddc166d8315b0751 ql2300.sys

QLogic Corporation

b4dd51dd25182244b86737dc51af2270 ql40xx.sys

QLogic Corporation

584078ca1b95ca72df2a27c336f9719d qwavedrv.sys

Microsoft Corporation

30a81b53c766d0133bb86d234e5556ab rasacd.sys

Microsoft Corporation

d9f91eafec2815365cbe6d167e4e332a rasl2tp.sys

Microsoft Corporation

0fe8b15916307a6ac12bfb6a63e45507 raspppoe.sys

Microsoft Corporation

631e3e205ad6d86f2aed6a4a8e69f2db raspptp.sys

Microsoft Corporation

44101f495a83ea6401d886e7fd70096b rassstp.sys

Microsoft Corporation

835d7e81bf517a3b72384bdcc85e1ce6 rdbss.sys

Microsoft Corporation

0d8f05481cb76e70e1da06ee9f0da9df rdpbus.sys

Microsoft Corporation

1e016846895b15a99f9a176a05029075 RDPCDD.sys

Microsoft Corporation

5a53ca1598dd4156d44196d200c94b8a RDPENCDD.sys

Microsoft Corporation

44b0a53cd4f27d50ed461dae0c0b4e1f RDPREFMP.sys

Microsoft Corporation

801371ba9782282892d00aadb08ee367 rdpwd.sys

Microsoft Corporation

4ea225bf1cf05e158853f30a99ca29a7 rdyboost.sys

Microsoft Corporation

b4090006a82eeb608c358ab5d37de85a rmcast.sys

Microsoft Corporation

7400cfab5cf36f2294e80b3f3bda3ebc RNDISMP.sys

Microsoft Corporation

564297827d213f52c7a3a2ff749568ca rootmdm.sys

Microsoft Corporation

032b0d36ad92b582d869879f5af5b928 rspndr.sys

Microsoft Corporation

0516998076ad894ae7e362c3110aa071 Rt86win7.sys

?bStringFileInfoBCompanyNameRealtek*

2ad7b2b3d7a10ae3d534877d543eed74 RtsPStor.sys

Realtek Semiconductor

34ee0c44b724e3e4ce2eff29126de5b5 sbp2port.sys

Microsoft Corporation

a95c54b2ac3cc9c73fcdf9e51a1d6b51 scfilter.sys

Microsoft Corporation

f9882099e58ecf8b0e1c7afa5d2cc56d scsiport.sys

Microsoft Corporation

7b48cff3a475fe849dea65ec4d35c425 sdbus.sys

Microsoft Corporation

90a3935d05b494a5a39d37e71f09a677 secdrv.sys

Macrovision Corporation

9ad8b8b515e3df6acd4212ef465de2d1 serenum.sys

Microsoft Corporation

5fb7fcea0490d821f26f39cc5ea3d1e2 serial.sys

Microsoft Corporation

79bffb520327ff916a582dfea17aa813 sermouse.sys

Microsoft Corporation

9f976e1eb233df46fce808d9dea3eb9c sffdisk.sys

Microsoft Corporation

932a68ee27833cfd57c1639d375f2731 sffp_mmc.sys

Microsoft Corporation

a0708bbd07d245c06ff9de549ca47185 sffp_sd.sys

Microsoft Corporation

db96666cc8312ebc45032f30b007a547 sfloppy.sys

Microsoft Corporation

2565cac0dc9fe0371bdce60832582b2e SISAGP.SYS

Microsoft Corporation

a9f0486851becb6dda1d89d381e71055 sisraid2.sys

Silicon Integrated Systems

3727097b55738e2f554972c3be5bc1aa sisraid4.sys

Silicon Integrated Systems

3e21c083b8a01cb70ba1f09303010fce smb.sys

Microsoft Corporation

2e467e6ca8e0a140c08011844c0d3936 smclib.sys

Microsoft Corporation

95cf1ae7527fb70f7816563cbc09d942 spldr.sys

Microsoft Corporation

d16d818e9930a6e5b4f6476dd0998d1a spsys.sys

Microsoft Corporation

414bb592cad8a79649d01f9d94318fb3 srv2.sys

Microsoft Corporation

ff207d67700aa18242aaf985d3e7d8f4 srvnet.sys

Microsoft Corporation

c4a027b8c0bd3fc0699f41fa5e9e0c87 srv.sys

Microsoft Corporation

db32d325c192b801df274bfd12a7e72b stexstor.sys

Promise Technology

32c8e15e6f1ef98949a96451d42cec70 storport.sys

Microsoft Corporation

45b44fc9e5ac0db02b19d515ee809de5 stream.sys

Microsoft Corporation

f71736dc79731c98698b93326e01a6bd stwrt.sys

n?btStringFileInfoBnCompanyNameIDT,Inc.BrFileDescriptionIDTPCAudiobFileVersion...bInternalNameIDTPCAh"LegalCopyrightCopyright-IDT,Inc.<nOriginalFilenamestwrt.sys:rProductNameIDTPCAudio<bProductVersion...BrLegalTrademarksIDTPCAudiol*CommentsAllRightsReserved-IDT,Inc.DVarFileInfo$Translationt

e58c78a848add9610a4db6d214af5224 swenum.sys

Microsoft Corporation

ab33c3b196197ca467cbdda717860dba SYMEVENT.SYS

Symantec Corporation

0e8676fb3bb95aa40fdf7a4a31018c8b SynTP.sys

Synaptics

949c35bf4ae6c110a924ab5e2175dda7 tape.sys

Microsoft Corporation

e64444523add154f86567c469bc0b17f tcpipreg.sys

Microsoft Corporation

0158d5e9982e9d6a90dfc802f618e130 tcpip.sys

Microsoft Corporation

52639c994fe3cd975bfe7428b939b320 tdi.sys

Microsoft Corporation

1875c1490d99e70e449e3afae9fcbadf tdpipe.sys

Microsoft Corporation

7551e91ea999ee9a8e9c331d5a9c31f3 tdtcp.sys

Microsoft Corporation

cb39e896a2a83702d1737bfd402b3542 tdx.sys

Microsoft Corporation

c36f41ee20e6999dbf4b0425963268a5 termdd.sys

Microsoft Corporation

98ae6fa07d12cb4ec5cf4a9bfa5f4242 tssecsrv.sys

Microsoft Corporation

3e461d890a97f9d4c168f5fda36e1d00 tunnel.sys

Microsoft Corporation

750fbcb269f4d7dd2e420c56b795db6d UAGP35.SYS

Microsoft Corporation

2efee45a340e1590e37c2f2bac16d051 udfs.sys

Microsoft Corporation

44e8048ace47befbfdc2e9be4cbc8880 ULIAGPKX.SYS

Microsoft Corporation

049b3a50b3d646baeeee9eec9b0668dc umbus.sys

Microsoft Corporation

7550ad0c6998ba1cb4843e920ee0feac umpass.sys

Microsoft Corporation

b71da871254d96d0349639d03e4c1cc1 usb8023.sys

Microsoft Corporation

2436a42aab4ad48a9b714e5b0f344627 USBAUDIO.sys

Microsoft Corporation

2190f65ec7e9ae7a301e01e4261acef8 USBCAMD2.sys

Microsoft Corporation

47d88f155eb4e4be60ebd76ac8d17db7 USBCAMD.sys

Microsoft Corporation

5c233aefb566ee78c1efbc0493fb066a usbccgp.sys

Microsoft Corporation

04ec7cec62ec3b6d9354eee93327fc82 usbcir.sys

Microsoft Corporation

93830f54044c63877f681d30ec50c5df usbd.sys

Microsoft Corporation

5b71019a6aca0116fd21b368f19c0b91 usbehci.sys

Microsoft Corporation

5823d3965c2a4f6f785ed1a3b403f3b8 usbhub.sys

Microsoft Corporation

e753ed6c49da13967ebabf9ea616454a usbohci.sys

Microsoft Corporation

40048b479ae6d7f0528033376513ab73 usbport.sys

Microsoft Corporation

797d862fe0875e75c7cc4c1ad7b30252 usbprint.sys

Microsoft Corporation

fb9f340ecacdaeb939372cc543e72c6d usbrpm.sys

Microsoft Corporation

1c4287739a93594e57e2a9e6a3ed7353 USBSTOR.SYS

Microsoft Corporation

6a30928a469ce802600e1ea8c0f2f53f usbuhci.sys

Microsoft Corporation

b5f6a992d996282b7fae7048e50af83a usbvideo.sys

Microsoft Corporation

a059c4c3edb09e07d21a8e5c0aabd3cb vdrvroot.sys

Microsoft Corporation

17c408214ea61696cec9c66e388b14f3 vgapnp.sys

Microsoft Corporation

8e38096ad5c8570a6f1570a61e251561 vga.sys

Microsoft Corporation

3be6e1f3a4f1afec8cee0d7883f93583 vhdmp.sys

Microsoft Corporation

c829317a37b4bea8f39735d4b076e923 VIAAGP.SYS

Microsoft Corporation

e02f079a6aa107f06b16549c6e5c7b74 viac7.sys

Microsoft Corporation

e43574f6a56a0ee11809b48c09e4fd3c viaide.sys

VIA Technologies

15c126d1b55814b9e5cab10a9c1f4c67 videoprt.sys

Microsoft Corporation

384e5a2aa49934295171e499f86ba6f3 volmgr.sys

Microsoft Corporation

b5bb72067ddddbbfb04b2f89ff8c3c87 volmgrx.sys

Microsoft Corporation

7c28b63e4c9e5c3be7ffe53789593619 volsnap.sys

9dfa0cc2f8855a04816729651175b631 vsmraid.sys

VIA Technologies

e00fdfaff025e94f9821153750c35a6d VSTAZL3.SYS

Conexant

bc0c7ea89194c299f051c24119000e17 VSTCNXT3.SYS

Conexant

ceb4e3b6890e1e42dca6694d9e59e1a0 VSTDPV3.SYS

Conexant

90567b1e658001e79d7c8bbd3dde5aa6 vwifibus.sys

Microsoft Corporation

7090d3436eeb4e7da3373090a23448f7 vwififlt.sys

Microsoft Corporation

a3f04cbea6c2a10e6cb01f8b47611882 vwifimp.sys

Microsoft Corporation

de3721e89c653aa281428c8a69745d90 wacompen.sys

Microsoft Corporation

692a712062146e96d28ba0b7d75de31b wanarp.sys

Microsoft Corporation

cb45a417c8ef7ba6bac67edcdded8700 watchdog.sys

Microsoft Corporation

9950e3d0f08141c7e89e64456ae7dc73 Wdf01000.sys

Microsoft Corporation

fe7a7675c26fe936226641ef32ae9bb5 WdfLdr.sys

Microsoft Corporation

1112a9badacb47b7c0bb0392e3158dff wd.sys

Microsoft Corporation

8b9a943f3b53861f2bfaf6c186168f79 wfplwf.sys

Microsoft Corporation

5cf95b35e59e2a38023836fff31be64c wimmount.sys

Microsoft Corporation

0217679b8fca58714c3bf2726d2ca84e wmiacpi.sys

Microsoft Corporation

9a5b1059fe015db5269fbb25acbf841d wmilib.sys

Microsoft Corporation

6db3276587b853bf886b69528fdb048c ws2ifsl.sys

Microsoft Corporation

6f9b6c0c93232cff47d0f72d6db1d21e WUDFPf.sys

Microsoft Corporation

f91ff1e51fca30b3c3981db7d5924252 WUDFRd.sys

Microsoft Corporation

b07c5b7efdf936ff93d4f540938725be yk62x86.sys

Marvell


Please reboot in xPUD, make sure you see driver.sh on your USB drive, click Tool > Open terminal.

Type bash driver.sh -f and press enter.

Type volsnap.sys and press enter.

Post me the resulting filefind.txt (please copy/paste it into the reply box).

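In the driver listing above every line carries an MD5 and, on the next line, the vendor string read from the driver's version resource. volsnap.sys is the one entry with no vendor line at all, and two others (Rt86win7.sys and stwrt.sys) show raw version-info text where a clean company name should be. The parser below applies that triage rule to such a listing. It is an added example, not part of the thread and not code from DDS; SAMPLE_LISTING is a constructed excerpt made from four entries of the listing above.

```python
"""Parse a DDS-style driver listing (md5 + filename, then a vendor line) and
flag entries whose vendor string is missing or is a raw version-resource dump."""
import re

# Constructed excerpt in the same shape as the listing above (four of its entries).
SAMPLE_LISTING = """\
b682e1cc0fdc7ac04b71d1fa9a07ef21 hidclass.sys

Microsoft Corporation

7c28b63e4c9e5c3be7ffe53789593619 volsnap.sys

9dfa0cc2f8855a04816729651175b631 vsmraid.sys

VIA Technologies

0516998076ad894ae7e362c3110aa071 Rt86win7.sys

?bStringFileInfoBCompanyNameRealtek*
"""

# An entry line is a 32-hex-digit MD5, whitespace, then the file name (may contain '/').
ENTRY_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_listing(text):
    """Return a list of {'md5', 'name', 'vendor'} dicts in listing order.

    The vendor is the first non-empty, non-entry line after an entry; if the
    next non-empty line is already another entry, the vendor stays None."""
    entries = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = {"md5": m.group(1), "name": m.group(2), "vendor": None}
            entries.append(pending)
        elif pending is not None and pending["vendor"] is None:
            pending["vendor"] = line
    return entries


def vendor_is_garbled(vendor):
    """True when the tool leaked the raw VS_VERSIONINFO block instead of a CompanyName."""
    return "StringFileInfo" in vendor or "CompanyName" in vendor


def suspicious_entries(entries):
    """Return [(name, reason)] for entries worth a closer look.

    This is a triage heuristic, not a verdict: a missing vendor string is the
    strongest signal (Microsoft system drivers always carry one), while a
    garbled string is often just an OEM driver with an odd version resource."""
    out = []
    for e in entries:
        if e["vendor"] is None:
            out.append((e["name"], "no vendor string"))
        elif vendor_is_garbled(e["vendor"]):
            out.append((e["name"], "garbled version info"))
    return out


if __name__ == "__main__":
    for name, reason in suspicious_entries(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: {reason}")
```

Running it over the constructed excerpt singles out volsnap.sys (no vendor string) and Rt86win7.sys (garbled version info); the second is a false positive in this thread, which is why the missing-vendor case deserves the follow-up the helper asks for and the garbled case only a second look.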

Oddly enough, the filefind.txt file contains only:

Search results for volsnap.sys

But the screen has the following:

Searching for volsnap.sys.... please wait

/mnt/sda2/Windows/System32/drivers/volsnap.sys

/mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_29364d30156a24ca/volsnap.sys

/mnt/sda2/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7600.16835_none_158d0da45d68903e/volsnap.sys

Done

sh-4.0#


Search results for volsnap.sys

7c28b63e4c9e5c3be7ffe53789593619 /mnt/sda2/Windows/System32/drivers/volsnap.sys

239.6K Jul 14 2009

58df9d2481a56edde167e51b334d44fd /mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_29364d30156a24ca/volsnap.sys

239.6K Jul 14 2009

58df9d2481a56edde167e51b334d44fd /mnt/sda2/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e/volsnap.sys

239.6K Jul 14 2009


Hi, in xPUD, please navigate to the following file:

/mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_29364d30156a24ca/volsnap.sys

Right click the file and select Copy.

Then navigate to: /mnt/sda2/Windows/System32/drivers/volsnap.sys <-- right click that file and select Rename. Rename it to volsnap.vir

Now right click in an empty space in the drivers folder and select Paste. This should paste the volsnap.sys file you copied.

After doing this, restart your computer and try to run TDSSkiller.

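The two posts above do the check by hand: list every copy of volsnap.sys on the mounted volume, compare the MD5s, and when the active copy under System32\drivers differs from the copies in DriverStore and WinSxS, rename it to .vir and paste the clean copy in its place. The script below automates that comparison and swap on a constructed temporary directory tree standing in for /mnt/sda2. It is an added example, not driver.sh and not anything the helper posted; the file contents and the DriverStore/WinSxS folder names it creates are made up, and the "tampered" copy is just the clean bytes with a constructed suffix.

```python
"""Find every copy of a driver under a mounted Windows volume, compare hashes,
and if the active copy disagrees with the DriverStore/WinSxS reference copies,
quarantine it as <name>.vir and restore a reference copy (the thread's manual fix)."""
import hashlib
import os
import shutil
import tempfile


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(volume_root, driver_name):
    """Walk the volume (as driver.sh -f does) and return [(path, md5)] for each copy."""
    hits = []
    target = driver_name.lower()
    for dirpath, _dirs, files in os.walk(volume_root):
        for fn in files:
            if fn.lower() == target:
                p = os.path.join(dirpath, fn)
                hits.append((p, md5_of(p)))
    return sorted(hits)


def assess(volume_root, driver_name):
    """Split the copies into the active one (System32\\drivers) and the
    reference copies (DriverStore\\FileRepository and winsxs)."""
    active = None
    refs = []
    for path, digest in find_copies(volume_root, driver_name):
        norm = path.replace("\\", "/").lower()
        if "/system32/drivers/" in norm:
            active = (path, digest)
        elif "/driverstore/filerepository/" in norm or "/winsxs/" in norm:
            refs.append((path, digest))
    return active, refs


def active_copy_is_suspect(active, refs):
    """True only when all reference copies agree with each other and the
    active driver differs from them; one lone mismatch proves nothing."""
    if active is None or not refs:
        return False
    ref_digests = {d for _p, d in refs}
    return len(ref_digests) == 1 and active[1] not in ref_digests


def quarantine_and_restore(active, refs, quarantine_ext=".vir"):
    """Rename the active copy to <name>.vir (kept for later analysis) and copy
    the first reference copy into its place. Returns (quarantined_path, new_md5)."""
    active_path = active[0]
    quarantined = os.path.splitext(active_path)[0] + quarantine_ext
    os.rename(active_path, quarantined)
    shutil.copy2(refs[0][0], active_path)
    return quarantined, md5_of(active_path)


def build_demo_volume():
    """Constructed stand-in for /mnt/sda2: a clean driver in DriverStore and
    winsxs, and a differing copy in System32\\drivers. Folder names are made up."""
    root = tempfile.mkdtemp(prefix="demo_sda2_")
    clean = b"MZ demo clean volsnap.sys body (constructed)\n"
    tampered = clean + b"\x90" * 16  # constructed difference, not real malware bytes
    layout = {
        "Windows/System32/drivers/volsnap.sys": tampered,
        "Windows/System32/DriverStore/FileRepository/volume.inf_x86_demo/volsnap.sys": clean,
        "Windows/winsxs/x86_volume.inf_demo/volsnap.sys": clean,
    }
    for rel, body in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(body)
    return root


def demo():
    """Run the whole check on the constructed volume.
    Returns (active_was_suspect, restored_copy_matches_reference)."""
    root = build_demo_volume()
    active, refs = assess(root, "volsnap.sys")
    suspect = active_copy_is_suspect(active, refs)
    restored_md5 = None
    if suspect:
        _quarantined, restored_md5 = quarantine_and_restore(active, refs)
    shutil.rmtree(root)
    return suspect, restored_md5 == refs[0][1]


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call assess() with the mount point of the offline Windows volume and only swap when the reference copies agree. A mismatch on its own is not proof of tampering: a driver updated by a hotfix can legitimately differ from older DriverStore copies, so compare file versions and the Authenticode signature before treating the active copy as the rootkit's, and keep the .vir file rather than deleting it.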

Yes, this was indeed a rootkit causing redirects. Because TDSSkiller couldn't fix it, we did it manually. :)

Let's see what else the rootkit has been hiding.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

(screenshot: Query_RC.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC_successful.gif)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Hi, that is looking better. :) How are things running now? Any problem left?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 26 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-6u26-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please launch MBAM, update it and run a full scan. Post me the resulting log.


I'm glad to hear that! :) Let's run one last scan before calling it clean.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  4. Check "YES, I accept the Terms of Use."
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Under scan settings, check "Scan Archives" and "Remove found threats"
  8. Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, click List Threats
  11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Click the Back button.
  13. Click the Finish button.


  • 1 month later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
