Infection - Hidden Instance of iexplore.exe, muting WAV volume


  • This topic is locked
25 replies to this topic

#1 BlackandRed

BlackandRed

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 11 September 2010 - 02:03 PM

I noticed my computer was infected nearly two months ago, and since that time it has mostly been off. My attempts to fix it using Symantec and Malwarebytes have been unsuccessful. Both have detected and deleted Trojans, but my symptoms remain.

Symptoms -

An instance of iexplore.exe starts up when I am connected to the internet. If I start my computer normally without an ethernet cord, iexplore.exe will not start by itself. If I end it in the task manager, another starts up.
When it is created, and at other random instances, I heard clicking sounds and whatever window I'm using is deselected.
Randomly, my WAV volume will be put to zero.
I have seen a few pop up internet explorer windows (very infrequently) that have "This page cannot be displayed" inside them.
I have had some blue screen crashes in both normal start up and safe mode.


I had a friend try to fix this when I first found the infection, and I did most of the things on this site, including running all the diagnostics. These logs are new, and I ran every log again.

One thing to note is I did attempt to run combofix, but as far as I could tell nothing happened.
Combofix gave me a message, something like "The date is X. Combofix has expired, would you like to run in reduced functionality mode?"
I hit YES, then nothing happened. In fact, combofix.exe was removed from my desktop. I couldn't use Start - shutdown - shutdown to turn off my computer. I think I let it run for at least 24 hours before turning it off.

That's about all I know. I hope someone can help. Here are the logs -



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff at 14:44:32.23 on Tue 10/12/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.807 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe 4
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [igndlm.exe] c:\program files\ign\download manager\DLM.exe /windowsstart /startifwork
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\jeff\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeff\applic~1\mozilla\firefox\profiles\3ehsttfn.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\jeff\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\jeff\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-6-2 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100909.002\naveng.sys [2010-10-10 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100909.002\navex15.sys [2010-10-10 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-6-23 124608]
S3 wishna1k;Adaptoid Driver Service;c:\windows\system32\drivers\wishk201.sys --> c:\windows\system32\drivers\wishk201.sys [?]

=============== Created Last 30 ================

2010-10-11 19:41:33 1409 ----a-w- c:\windows\QTFont.for
2010-10-11 19:41:32 54156 ---ha-w- c:\windows\QTFont.qfn

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

============= FINISH: 14:45:33.57 ===============


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 11 September 2010 - 06:23 PM

Good evening. :)

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.

 

 


#3 BlackandRed

BlackandRed
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 11 September 2010 - 07:16 PM

Thank you very much for your reply! Here are the scans you requested -

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 196):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 aliide.sys
0xBA5AE000 cmdide.sys
0xBA5B0000 toside.sys
0xBA5B2000 viaide.sys
0xBA5B4000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xBA4BC000 cpqarray.sys
0xB9F31000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9EBE000 iaStor.sys
0xB9EA6000 atapi.sys
0xBA4C0000 aha154x.sys
0xBA338000 sparrow.sys
0xBA4C4000 symc810.sys
0xBA0D8000 aic78xx.sys
0xBA4C8000 dac960nt.sys
0xBA0E8000 ql10wnt.sys
0xBA4CC000 amsint.sys
0xBA340000 asc.sys
0xBA4D0000 asc3550.sys
0xBA348000 mraid35x.sys
0xBA350000 i2omp.sys
0xBA4D4000 ini910u.sys
0xBA0F8000 ql1240.sys
0xBA108000 aic78u2.sys
0xBA358000 symc8xx.sys
0xBA360000 sym_hi.sys
0xBA368000 sym_u3.sys
0xBA370000 ABP480N5.SYS
0xBA378000 asc3350p.sys
0xBA5B6000 cd20xrnt.sys
0xBA118000 ultra.sys
0xB9E8D000 adpu160m.sys
0xBA380000 dpti2o.sys
0xBA128000 ql1080.sys
0xBA138000 ql1280.sys
0xBA148000 ql12160.sys
0xBA388000 perc2.sys
0xBA5B8000 perc2hib.sys
0xBA390000 hpn.sys
0xBA4D8000 cbidf2k.sys
0xB9E61000 dac2w2k.sys
0xBA158000 disk.sys
0xBA168000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E41000 fltmgr.sys
0xBA178000 PxHelp20.sys
0xB9E2B000 drvmcdb.sys
0xB9E14000 KSecDD.sys
0xB9D87000 Ntfs.sys
0xB9D5A000 NDIS.sys
0xBA188000 sisagp.sys
0xBA198000 viaagp.sys
0xB9D40000 Mup.sys
0xBA1A8000 agp440.sys
0xBA1B8000 alim1541.sys
0xBA1C8000 amdagp.sys
0xBA1D8000 agpCPQ.sys
0xB938B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB5704000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB56F0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB56C2000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB569E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB5A27000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB566A000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB5647000 \SystemRoot\system32\DRIVERS\ks.sys
0xB5548000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB54A1000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xB5A1F000 \SystemRoot\System32\Drivers\Modem.SYS
0xB5461000 \SystemRoot\system32\drivers\smwdm.sys
0xB543D000 \SystemRoot\system32\drivers\portcls.sys
0xB936B000 \SystemRoot\system32\drivers\drmk.sys
0xB538A000 \SystemRoot\system32\drivers\senfilt.sys
0xB5376000 \SystemRoot\system32\DRIVERS\parport.sys
0xB935B000 \SystemRoot\system32\DRIVERS\serial.sys
0xB98FC000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB58D9000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5F8000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xB58C9000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB58B9000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB5A17000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA6C3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9C88000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB47E1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB93EB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB93DB000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB47D0000 \SystemRoot\system32\DRIVERS\psched.sys
0xB93CB000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB0ACD000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB0AC5000 \SystemRoot\system32\DRIVERS\raspti.sys
0xAECD1000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB0ABD000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB0AB5000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA648000 \SystemRoot\system32\DRIVERS\swenum.sys
0xABCA4000 \SystemRoot\system32\DRIVERS\update.sys
0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA428000 \SystemRoot\system32\DRIVERS\omci.sys
0xB9CE8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9CC8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5E6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB9C2F000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB4199000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xA351F000 \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys
0xA3502000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xA34EE000 \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys
0xB4191000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB9C68000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA448000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB41E9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA610000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB2775000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA7CA000 \SystemRoot\System32\Drivers\Null.SYS
0xB1597000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA632000 \SystemRoot\System32\Drivers\Beep.SYS
0xAEC91000 \SystemRoot\system32\drivers\lvusbsta.sys
0xACE7C000 \SystemRoot\system32\drivers\ssrtln.sys
0xA32AF000 \SystemRoot\system32\DRIVERS\LV302AV.SYS
0xB4C20000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xA3094000 \SystemRoot\system32\DRIVERS\lvsvf2.sys
0xBA652000 \SystemRoot\system32\DRIVERS\lv302af.sys
0xBA478000 \SystemRoot\System32\drivers\vga.sys
0xB9C78000 \SystemRoot\system32\drivers\usbaudio.sys
0xBA662000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA66A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB41D9000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB335B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA598000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA3061000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA3008000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA2FE2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA2FA2000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xB4279000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB31F8000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xBA5CE000 \SystemRoot\System32\Drivers\SYMDNS.SYS
0xBA238000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
0xA2F79000 \SystemRoot\System32\Drivers\SYMFW.SYS
0xBA418000 \SystemRoot\System32\Drivers\SYMIDS.SYS
0xA2F34000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20100902.001\symidsco.sys
0xA2F0C000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA2EEA000 \SystemRoot\System32\drivers\afd.sys
0xB4BF0000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA2EBF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA2E4F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAD277000 \SystemRoot\System32\Drivers\Fips.SYS
0xA2DF1000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB9CA8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA2D7E000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB0B99000 \SystemRoot\System32\drivers\Dxapi.sys
0xB3353000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA780000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xBA2A8000 \SystemRoot\system32\drivers\drvnddm.sys
0xBA7F8000 \SystemRoot\system32\dla\tfsndres.sys
0xA0D68000 \SystemRoot\system32\dla\tfsnifs.sys
0xB2EE3000 \SystemRoot\system32\dla\tfsnopio.sys
0xAB66D000 \SystemRoot\system32\dla\tfsnpool.sys
0xACE6C000 \SystemRoot\system32\dla\tfsnboio.sys
0xBA2C8000 \SystemRoot\system32\dla\tfsncofs.sys
0xBA7FC000 \SystemRoot\system32\dla\tfsndrct.sys
0xA0D4F000 \SystemRoot\system32\dla\tfsnudf.sys
0xA0D36000 \SystemRoot\system32\dla\tfsnudfa.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA0989000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4219000 \SystemRoot\system32\drivers\sysaudio.sys
0xA0846000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA0715000 \SystemRoot\System32\Drivers\HTTP.sys
0xA0806000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA05A6000 \SystemRoot\system32\DRIVERS\srv.sys
0xA09C6000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xBA7D4000 \??\C:\WINDOWS\system32\STEC3.sys
0x9F92B000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys
0x9F7DF000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100909.002\navex15.sys
0x9F7CB000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100909.002\naveng.sys
0x9F688000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 62):
0 System Idle Process
4 System
612 C:\WINDOWS\SYSTEM32\smss.exe
660 csrss.exe
688 C:\WINDOWS\SYSTEM32\winlogon.exe
732 C:\WINDOWS\SYSTEM32\services.exe
744 C:\WINDOWS\SYSTEM32\lsass.exe
916 C:\WINDOWS\SYSTEM32\svchost.exe
996 svchost.exe
1092 C:\WINDOWS\SYSTEM32\svchost.exe
1168 svchost.exe
1288 svchost.exe
1328 C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
1416 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1448 C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
1480 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
1524 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1740 C:\WINDOWS\SYSTEM32\svchost.exe
1896 C:\WINDOWS\SYSTEM32\LEXBCES.EXE
1920 C:\WINDOWS\SYSTEM32\spoolsv.exe
1968 C:\WINDOWS\SYSTEM32\LEXPPS.EXE
948 C:\WINDOWS\explorer.exe
1368 C:\WINDOWS\SYSTEM32\svchost.exe
1556 svchost.exe
1700 C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
280 C:\WINDOWS\SYSTEM32\svchost.exe
308 C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
388 C:\Program Files\Java\jre6\bin\jqs.exe
424 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
592 C:\Program Files\CDBurnerXP\NMSAccessU.exe
644 C:\WINDOWS\SYSTEM32\PnkBstrA.exe
496 C:\WINDOWS\SYSTEM32\svchost.exe
2112 C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
2324 C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
2528 wmpnetwk.exe
2568 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2640 C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe
2692 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2708 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2864 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
2888 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2944 C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
3040 C:\WINDOWS\SYSTEM32\LVCOMSX.EXE
3204 C:\Program Files\Logitech\Video\LogiTray.exe
3368 C:\PROGRA~1\Sony\SONICS~1\SSAAD.exe
3528 C:\Program Files\Java\jre6\bin\jusched.exe
3672 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
3712 C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
3748 C:\WINDOWS\SYSTEM32\ctfmon.exe
3964 C:\Program Files\Digital Line Detect\DLG.exe
452 C:\Program Files\Logitech\Video\FxSvr2.exe
460 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
3060 C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
3344 iexplore.exe
3756 alg.exe
3224 C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1024 C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2764 C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
240 C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2800 C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3172 C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2364 C:\Documents and Settings\Jeff\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600JS-75MHB0, Rev: 03.01C03

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 680C3DFB3AF5C02B7E098CA7B25CA73D63745DC5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


===========================================================



Partition ID: Disk #0, Partition #0
Size: 54.88 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 145.38 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #2
Size: 3.58 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A05
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

=================================

I will await your next instructions. Thanks again!

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 13 September 2010 - 02:22 PM

Good evening. :)

OK, the situation you find yourself in is as follows - your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your infected Master Boot Record with a standard one, which doesn't guarantee to put everything right. Some computer manufacturers use custom MBRs which allow boot access to options such as Factory Restore and this infection will render these unavailable until the custom MBR is written back to the hard drive - an issue which a standard MBR won't solve.

From what I can tell, your machine is a Dell and has a System Recovery option installed onto a separate partition on your hard drive, and this is now disabled unfortunately. Do you have any recovery discs that may have come with the PC?

So long, and thanks for all the fish.
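The Master Boot Record that the two posts above are about (MBRCheck's report in #3, which prints a SHA1 for the sector and a "Known-bad MBR code detected" verdict, and Noviciate's explanation in #4) can be inspected with a short parser. What follows is an added worked example, not code from the thread and not the MBRCheck tool's own code: it takes a 512-byte MBR sector, checks the 0x55AA boot signature, decodes the four 16-byte partition-table entries, and hashes the 446-byte boot-code area with SHA-1 so the result can be compared against an allow-list of hashes taken from known-clean images. The sample sectors, the placeholder boot code, the allow-list and the partition sizes (which only approximate the three partitions in the report) are constructed for the demo; hashing just the code bytes is this example's choice, since the report does not say what its SHA1 covers.

```python
"""Parse a 512-byte MBR sector and check its boot code against an allow-list.
Added example; not the MBRCheck tool and not code from the thread."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: executable boot code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 on a valid MBR


@dataclass
class PartitionEntry:
    index: int
    bootable: bool     # status byte 0x80 marks the active (boot) partition
    type_id: int       # e.g. 0x07 NTFS, 0xDE Dell utility, 0xDB Dell recovery
    start_lba: int
    sector_count: int

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR_SIZE


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries from the four-slot MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and count == 0:
            continue   # empty slot
        entries.append(PartitionEntry(i, status == 0x80, ptype, start_lba, count))
    return entries


def boot_code_sha1(sector: bytes) -> str:
    """SHA-1 of the 446-byte code area, the part an MBR bootkit rewrites."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(sector: bytes, known_good: Iterable[str]) -> dict:
    """Summarise what a defender wants to know about one MBR sector."""
    parts = parse_partition_table(sector)
    digest = boot_code_sha1(sector)
    bootable = [p.index for p in parts if p.bootable]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha1": digest,
        "boot_code_known_good": digest in {h.upper() for h in known_good},
        "partition_count": len(parts),
        "bootable_index": bootable[0] if bootable else None,
        "partitions": parts,
    }


def _entry(status: int, ptype: int, start_lba: int, count: int) -> bytes:
    # CHS fields are left zero: modern loaders use the LBA fields.
    return struct.pack("<B3xB3xII", status, ptype, start_lba, count)


def build_sample_sectors():
    """Constructed sample data (not a real disk image): a clean MBR whose three
    partitions roughly mirror the layout in the MBRCheck report, plus a copy
    with one byte of boot code altered, the way a bootkit alters it."""
    # Placeholder boot code: a common x86 prologue followed by zero padding.
    code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 8)
    table = (
        _entry(0x00, 0xDE, 63, 112_392)               # ~55 MB utility partition
        + _entry(0x80, 0x07, 112_455, 304_882_944)    # ~145 GB NTFS, active
        + _entry(0x00, 0xDB, 304_995_399, 7_507_808)  # ~3.6 GB recovery partition
        + _entry(0x00, 0x00, 0, 0)                    # empty slot
    )
    good = code + table + BOOT_SIGNATURE
    tampered = bytearray(good)
    tampered[0x10] ^= 0xFF                            # one altered code byte
    return good, bytes(tampered)


if __name__ == "__main__":
    good, tampered = build_sample_sectors()
    allow = {boot_code_sha1(good)}                    # allow-list from a clean image
    for name, sec in (("clean", good), ("tampered", tampered)):
        r = check_mbr(sec, allow)
        print(f"{name}: signature_ok={r['signature_ok']} known_good={r['boot_code_known_good']} "
              f"sha1={r['boot_code_sha1']} boots_from=#{r['bootable_index']}")
        for p in r["partitions"]:
            print(f"  Partition #{p.index} type=0x{p.type_id:02X} size={p.size_bytes / 2**30:.2f} GB")
```

Two caveats when this is pointed at a real disk rather than the constructed sample: reading sector 0 needs raw access to the physical device (the report's own path, \\.\PhysicalDrive0, is that device on Windows), and a bootkit that has already taken control of the kernel can answer a user-mode read with a clean copy of the sector, so a hash taken from the running system is only trustworthy when it agrees with one taken from boot media.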

 

 


#5 BlackandRed

BlackandRed
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 13 September 2010 - 11:14 PM

Good Evening Noviciate -

My computer is a Dell, purchased about 5 years ago. I don't recall any recovery disk. Should I definitely have one? I can look through all the old CDs that are sitting around. Is there anything else I should be doing right now? What is my next step?

PS - I disabled the System Recovery due to bad advice. This was not done by whatever I picked up. I feel like an idiot for not going to the experts first. :(

Edited by BlackandRed, 14 September 2010 - 10:26 AM.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 14 September 2010 - 02:35 PM

Good evening. :)

QUOTE
Should I definitely have one? I can look through all the old CDs that are sitting around.

Not always, but I'd like you to check for two discs - a Windows Recovery disc and a Drivers disc.

QUOTE
I disabled the System Recovery due to bad advice.

Are you referring to the recovery software installed by Dell or System Restore that is part of Windows: Start > All Programs > Accessories > System Tools > System restore.

QUOTE
I feel like an idiot for not going to the experts first.

Have a good night's sleep - you'll feel better in the morning.

So long, and thanks for all the fish.

 

 


#7 BlackandRed

BlackandRed
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 15 September 2010 - 12:00 AM

Hello again.

QUOTE
Not always, but i'd like you to check for two discs - a Windows Recovery disc and a Drivers disc.


I took a look around the house, but turned up what I believe are CDs for an older computer. I found a "Dell Dimension ResourceCD." While it says it has device drivers on it, it is copyright 1999 and was packed away next to a WMe reinstallation CD. I found a Windows XP install disk (dated 2002), but not a recovery disk. I will continue to look, but I'm shooting in the dark at this point. Are there any other ways I can obtain these CDs or a comparable substitute? I do have access to a non-infected computer. What happens if I can't find them? (It's looking pretty bleak at this point.)

QUOTE
Are you referring to the recovery software installed by Dell or System Restore that is part of Windows: Start > All Programs > Accessories > System Tools > System restore.


I disabled the System Restore that is a part of Windows. There was removal information on the Symantec Website that suggested System Restore might back up a virus and I should disable it to ensure that I remove the infection.

QUOTE
Have a good night's sleep - you'll feel better in the morning.

I sure hope so. I'm going to go do that now. Thanks again for your help so far.

Edited by BlackandRed, 15 September 2010 - 12:04 AM.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 15 September 2010 - 02:57 PM

Good evening.

QUOTE
I disabled the System Restore that is a part of Windows. There was removal information on the Symantec Website that suggested System Restore might back up a virus and I should disable it to ensure that I remove the infection.

The reason that we don't disable System Restore is that it provides a safety net in the event of any sort of oops, and while SR does back up infections, an infected but working PC is better than a clean paperweight!

Please re-enable System Restore and create a nice new restore point before you continue as it never hurts to have a Plan B.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your machine appears to have your recovery option built-in rather than on disc, which isn't that unusual. The problem is that with the MBR damaged, you won't be able to access this option and so your recovery plan is kaput.
If we fix the MBR with a standard one, the infection will be dealt with and that's a good start, but it doesn't restore your recovery option, which isn't so good.
There is a way, in theory, of putting everything back how it was, but I haven't ever tried it. On the surface this isn't such a lifeline, but somebody wiser than me is happy to oversee things to ensure that it doesn't all end in tears if you are willing to give it a go.

That gives you two choices:

1) We write a standard MBR, which I've done enough times to be confident of success, and the infection dies but you no longer have the Dell System Restore option.
2) We go with the "full" fix and both the infection and Dell SR are dealt with.

Please let me know what you decide to do, but do bear in mind that the first option is going to be quicker as I won't need to refer anything to anybody. With the second option I'll need to check things out each step of the way to ensure that I understand what it entails before I pass on the instructions to you.

So long, and thanks for all the fish.


#9 BlackandRed

BlackandRed
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 15 September 2010 - 05:24 PM

Hello Noviciate,

First, thanks for the tip on Windows System Restore. I'll turn it back on right away.

QUOTE
1) We write a standard MBR, which i've done enough times to be confident of success, and the infection dies but you no longer have the Dell System Restore option.


If I turn back on Windows XP System Restore, is there a reason I would want the Dell System Restore option? Is it superior in some way? If there isn't a compelling reason to keep the Dell System Restore, I would go with #1.

QUOTE
2) We go with the "full" fix and both the infection and Dell SR are dealt with.


If #1 has a possibility of not eliminating the infection, I would be willing to wait and do #2. One thing I would ask before we proceed with this approach is if my computer is "safe" to use in the meantime. Can I connect my infected PC to the internet without further risking my security? Should I even be turning it on?


Your responses will inform my decision. I'm glad we have a plan of action. Thank you for all of your help!

Edited by BlackandRed, 15 September 2010 - 09:14 PM.


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 16 September 2010 - 02:09 PM

Good evening.

QUOTE
If I turn back on Windows XP System Restore, is there a reason I would want the Dell System Restore option? Is it superior in some way?

Windows System Restore and Dell System Restore are two different beasts.

DSR allows you to turn back the clock to a point when you first turned the PC on when it was new. It writes a completely new version of the original operating system to your hard drive that allows you to start computing afresh. Consider it to be the nuclear option when dealing with malware, or any other PC problem.

WSR is a limited way to turn back the clock on your PC. It is much less severe in its actions, which cuts down on its effectiveness in serious cases of PC poorliness.

If you ever have a situation where Windows ceases to operate correctly, and this happens simply with the passage of time and installations/uninstallations and updates to your system leaving detritus behind, DSR will solve the issue whereas WSR won't.
You should have a way to reinstall Windows, either through a Factory Restore option such as DSR or via a Recovery Disc as a matter of course.

If it was my PC I would either seek to repair DSR or obtain a Recovery Disc from Dell because when the worst happens, and it has on my machines over a dozen times over the years, no recovery option means no working PC.

QUOTE
If #1 has a possibility of not eliminating the infection, I would be willing to wait and do #2.

Either option one or two will solve the infection, but only option one will make DSR workable again.

QUOTE
One thing I would ask before we proceed with this approach is if my computer is "safe" to use in the meantime. Can I connect my infected PC to the internet without further risking my security? Should I even be turning it on?

As far as I'm aware, it's just irritating rather than a security risk, but I don't know that 100%. If you are in any doubt, don't access bank accounts or shop online until this issue is resolved.

So long, and thanks for all the fish.


#11 BlackandRed

BlackandRed
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 17 September 2010 - 12:04 AM

Good evening Noviciate,

QUOTE
You should have a way to reinstall Windows, either through a Factory Restore option such as DSR or via a Recovery Disc as a matter of course.


Well that sounds like a compelling enough reason. Let's go with option number two.

Fingers Crossed! I await your instructions.

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 17 September 2010 - 03:05 PM

Good evening.

You shouldn't need to cross your fingers, but feel free to if it makes you any happier.

Please download NTBR_CD.exe by noahdfear from here and save it to your Desktop.
  • Double click the file and all being well a folder of the same name will appear.
  • Open the folder and locate BurnItCD.cmd and give it a double click - be careful as your optical drive may open under the control of the program.
  • Follow the prompts to burn the CD.
While you're doing that, I'm playing with the various options so that I have a better idea how best to address this problem. Let me know when you've sorted this bit and we'll continue.

So long, and thanks for all the fish.


#13 BlackandRed

BlackandRed
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 18 September 2010 - 12:03 PM

Good Afternoon Noviciate,

I burned the disc successfully. I'll await your next instructions.

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 18 September 2010 - 05:08 PM

Good evening.

Please read through all the steps BEFORE you begin and ask any questions that you may have. Please remember that it's better to be thought of as stupid for asking something obvious rather than to be known as stupid for not asking and later regretting it! (In the event of you not asking and later confiding in me that you wished you had, I WILL remind you of the previous sentence!)
  • Insert the disc that you burned into the appropriate drive and reboot your machine.
  • You will now need to set the CD-Rom as first boot device if it isn't already - there's a handy pictorial guide here.

  • As long as you don't get too carried away you won't do any harm, and you should get the option to exit the BIOS without saving any changes if you happen to be unsure that what you did was right. Obviously if you are happy, make sure that you exit with changes saved.
  • If instead of the BIOS screen Windows boots then just reboot the PC and try again. On some machines the window of opportunity to access the BIOS is short lived.
  • If things with the BIOS went according to plan you should see a different boot screen to normal - this is your machine accessing the disc that you burned. If not, Windows will boot instead and you'll need to reboot and try the BIOS step again.
  • Assuming all goes well, you get to work through the following, which I've split into sections to make it easier to work with:

    Section One

  • Hit <ENTER> when prompted to continue booting from CD - you have a whole 15 seconds to do this or Windows will take over and you'll need to reboot.
  • Read the warning and then continue as prompted.
  • Select your keyboard layout - hit <ENTER> if you want the default English one.
  • At the menu screen enter 5 for Command Prompt.
  • You should now see X:\> and a flashing cursor.

    Section Two

  • Enter the following command:

    tools\dsrfix\dsrfix /d > dsrfix.txt

    After a second or two you should see X:\> and the cursor reappear.

  • Next you need to enter the following command:

    tools\tbos\tbosdt

    This should result in the prompt changing to @X:\>

  • If you get an error message when entering either command, simply repeat it checking for accuracy. Should you still not have any luck, make a note of the error message and skip to Section Five.

    Section Three

  • Enter the following command:

    list hd 0 (that's zero.)

    This is a list of the partitions on your hard drive and you need to identify what Windows calls C:. The simplest way is to check the Size column and look for the biggest number - make a note of the corresponding number under ID.

  • Now enter the following command:

    open fs 1: 0 ID number

    For example, if the ID was (02) you would enter the following: open fs 1: 0 2

  • To check that you have got the right partition, enter the following command:

    dir /p 1:

    You should see the contents of C:, both folders and files, appear on screen one page at a time - if you see the instruction Press any key to continue... do so until the prompt reappears.

  • If you don't recognise the contents as that of C: then you need to enter the following command:

    close fs 1:

    Now run through Section Three again and ensure that you have got the correct ID number. If you still don't see the correct contents of C: then, after entering the close command above, skip to Section Five.

    Section Four

  • Assuming that all is in order, enter the following command:

    copy dsrfix.txt 1:

    You should see 1 file(s) copied which means that you're almost done. If you don't, repeat the command checking for accuracy.

  • Once you've got the OK from the above, or if repeating the command fails to elicit the correct response, enter the following command:

    close fs 1:

  • Approaching the final steps, enter the following command:

    exit

    You should now see the prompt revert to X:\>

    Section Five

  • Now enter the following command:

    menu

    This returns you to the menu screen - not a surprise, I hope!

  • Almost there - enter 6 to QUIT
  • When prompted to Press CTRL+ Alt+Del to restart, remove the disc from your PC and then do as you were told to reboot.
  • Windows should now appear as normal, or as normal as Windows ever is!
I would like you to attach the text file C:\dsrfix.txt in your next reply, assuming that all went well. If you had any problems, post them instead.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've done the best that I can to ensure that I've made the instructions as simple and comprehensive as I can, but nothing is ever guaranteed where I'm concerned. If you have any problems when you follow them, or if you don't find things running exactly as I described, then please let me know and I'll correct them for future use.

Finally, I may not get the chance to reply tomorrow as I've got some other threads that I've left alone this evening and I'll need to work those first. Sit tight and I'll get to you when I can.

So long, and thanks for all the fish.
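The "list hd 0" step in Section Three above has the user read the partition table and take the biggest partition as the one Windows calls C:; post #8 explains that the same table, and the MBR it lives in, is what the infection damaged and what keeps Dell System Restore reachable. The Python below is an added example for this thread, not the poster's disk and not part of dsrfix or tbosdt: it parses a classic MBR partition table, checks the 0x55AA signature, lists each partition with its size, applies the largest-partition rule, reports whether a Dell utility partition (type 0xDE) is still present, and flags overlapping entries, which are a sign of a corrupt table. The 512-byte sector is constructed here, and the three-partition layout it encodes is an assumption used only to exercise the parser.

```python
"""
Inspect an MBR partition table and identify the Windows partition by size.

Added example (not from the thread, and not dsrfix/tbosdt code): reproduces
offline the reasoning of the "list hd 0" step, where the user looks at the
Size column and takes the largest partition as C:. The sector built below is
constructed and its layout is an assumption, not a real Dell disk.
"""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446              # four 16-byte entries follow the boot code
PART_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count

# Partition type bytes relevant to this scenario; 0xDE is the Dell utility partition.
TYPE_NAMES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0xDE: "Dell utility"}
DELL_UTILITY_TYPE = 0xDE

# Constructed layout: (type, start LBA, sector count, bootable). Not a real Dell disk.
SAMPLE_LAYOUT = [
    (0xDE, 63, 80262, False),               # ~39 MB Dell utility partition
    (0x07, 80325, 150_000_000, True),       # ~71.5 GB Windows partition (C:)
    (0x0B, 150_080_325, 5_000_000, False),  # ~2.4 GB third partition
]


def build_mbr(layout, bootcode=b"\x00" * PART_TABLE_OFFSET):
    """Assemble a 512-byte MBR from a list of (type, start_lba, sectors, bootable) tuples."""
    if len(bootcode) != PART_TABLE_OFFSET or len(layout) > 4:
        raise ValueError("boot code must be 446 bytes and at most four primary partitions fit")
    table = b""
    for ptype, start, sectors, bootable in layout:
        status = 0x80 if bootable else 0x00
        # CHS fields are zeroed; current tools rely on the LBA fields.
        table += struct.pack(ENTRY_FORMAT, status, b"\x00" * 3, ptype, b"\x00" * 3, start, sectors)
    table += b"\x00" * (PART_ENTRY_SIZE * (4 - len(layout)))
    return bootcode + table + MBR_SIGNATURE


def parse_mbr(sector):
    """Return the populated partition entries; refuse a sector without the 0x55AA signature."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    entries = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + index * PART_ENTRY_SIZE
        status, _, ptype, _, start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + PART_ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        entries.append({
            "id": index + 1,  # 1-based slot number; real tools may number differently (assumption)
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown (0x%02X)" % ptype),
            "start_lba": start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return entries


def likely_windows_partition(entries):
    """The thread's rule of thumb: the biggest partition is the one Windows calls C:."""
    return max(entries, key=lambda e: e["sectors"])


def has_dell_utility_partition(entries):
    """True if a type-0xDE partition is present; Dell System Restore depends on it."""
    return any(e["type"] == DELL_UTILITY_TYPE for e in entries)


def overlapping_partitions(entries):
    """Return pairs of slot ids whose sector ranges overlap, a sign of a corrupt table."""
    clashes = []
    ordered = sorted(entries, key=lambda e: e["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            clashes.append((a["id"], b["id"]))
    return clashes


def report(sector):
    """Print a table resembling what the user is asked to read, and return the chosen slot id."""
    entries = parse_mbr(sector)
    print("ID  Boot  Type          Start LBA    Sectors      Size (MB)")
    for e in entries:
        print("%02d  %-4s  %-12s  %10d  %10d  %10d" % (
            e["id"], "*" if e["bootable"] else "", e["type_name"],
            e["start_lba"], e["sectors"], e["size_mb"]))
    chosen = likely_windows_partition(entries)
    print("Largest partition (likely C:): ID %02d" % chosen["id"])
    print("Dell utility partition present:", has_dell_utility_partition(entries))
    print("Overlapping entries:", overlapping_partitions(entries) or "none")
    return chosen["id"]


if __name__ == "__main__":
    report(build_mbr(SAMPLE_LAYOUT))
```

Run it as-is to see the table for the constructed disk, or feed `parse_mbr` the first 512 bytes read from a disk image you already have. The signature check matters: a sector that fails it should not be trusted for the "biggest partition" rule at all, which is the situation the instructions guard against with the "close fs" and "skip to Section Five" branches.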


#15 BlackandRed

BlackandRed
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 18 September 2010 - 11:43 PM

Hi Noviciate,

Thank you very much for taking the time to do this! It looks very well laid out. Before we proceed I would like to ask you two (stupid?) questions.

1 - Will I experience any data loss? I have only backed up "important" files such as documents, etc. I need to do that if that is something to expect.

QUOTE
For example, if the ID was (02) you would enter the following: open fs 1: 0 2


The other question is -

2 - In this line, do I type "open fs 1: 02" or "open fs 1: 0 02"? Am I ignoring that 0 if the ID was 02? If I have an ID number that is, say, 34, do I type "open fs 1: 0 34" or "open fs 1: 0 4"?

I know this is a silly question but I was a little unsure of the answer.

You have been extremely helpful, and I am glad we are near the end of the road.
I will (patiently) await your answers and then begin this process. Thanks again.

Edited by BlackandRed, 18 September 2010 - 11:48 PM.




