
Infected with boot.tidserve.b on WinXP Home SP3


  • This topic is locked
59 replies to this topic

#1 TOOLguy420

  • Members
  • 32 posts
  • Gender:Male
  • Location:Central Maine

Posted 17 February 2011 - 11:11 AM

Dell Dimension 4700 running WinXP Home SP3 is infected with the Boot.tidserv.B virus and Norton Internet Security is unable to remove it.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Jacque $ John at 20:44:44.45 on Wed 02/16/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.887 [GMT -5:00]

AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*

============== Running Processes ===============

F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
F:\WINDOWS\system32\PSIService.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\Wacom_Tablet.exe
F:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
F:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
F:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
F:\WINDOWS\system32\Wacom_Tablet.exe
F:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
F:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\Program Files\LogMeIn\x86\LogMeInSystray.exe
F:\WINDOWS\system32\dla\tfswctrl.exe
F:\AA J&J Programs\Acrobat\Acrotray.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\LogMeIn\x86\LMIGuardian.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
F:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
F:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
F:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
F:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
F:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
F:\WINDOWS\system32\SearchProtocolHost.exe
F:\Documents and Settings\Jacque $ John\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - f:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - f:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - f:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\aa j&j programs\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CutePDF Form Filler Helper: {d41289f2-69c6-417b-897e-c653d677cbaf} - f:\program files\acro software\cutepdf pro\CPFillerCo.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\aa j&j programs\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - f:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
uRun: [EasyLinkAdvisor] "f:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "f:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [UpdateManager] "f:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SoundMAXPnP] f:\program files\analog devices\core\smax4pnp.exe
mRun: [LogMeIn GUI] "f:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ISUSScheduler] "f:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [igfxtray] f:\windows\system32\igfxtray.exe
mRun: [igfxpers] f:\windows\system32\igfxpers.exe
mRun: [dla] f:\windows\system32\dla\tfswctrl.exe
mRun: [Acrobat Assistant 8.0] "f:\aa j&j programs\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] f:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [EEventManager] f:\program files\epson\creativity suite\event manager\EEventManager.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\colorv~1.lnk - f:\aa j&j programs\utility\ColorVisionStartup.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\corelr~1.lnk - f:\program files\corel\wordperfect office 2000\register\Remind32.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - f:\program files\corel\wordperfect office 2000\programs\dad9.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\regist~1.lnk - f:\program files\onone software\mask pro 4.0\<FILE_REGISTRATION_APP>
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - f:\windows\system32\wtablet\TabUserW.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - f:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - f:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\aa j&j programs\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - f:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - f:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175893348187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://pephoto.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://liveideal.webex.com/client/T27LC/webex/ieatgpc.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - f:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;f:\windows\system32\drivers\nis\1205000.07d\symds.sys [2010-12-27 340016]
R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2010-12-27 652336]
R1 BHDrvx86;BHDrvx86;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-18 691248]
R1 SymIRON;Symantec Iron Driver;f:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2010-12-27 136312]
R2 LMIInfo;LogMeIn Kernel Information Provider;f:\program files\logmein\x86\rainfo.sys [2007-9-12 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;f:\windows\system32\drivers\LMIRfsDriver.sys [2007-10-7 47640]
R2 NIS;Norton Internet Security;f:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2010-12-27 130000]
R2 TabletServiceWacom;TabletServiceWacom;f:\windows\system32\Wacom_Tablet.exe [2009-9-24 2789672]
R2 WDDMService;WDDMService;f:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-11-8 237568]
R2 WDFME;WD File Management Engine;f:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-11-8 1060352]
R2 WDSC;WD File Management Shadow Engine;f:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-11-8 484352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-9 102448]
R3 IDSxpx86;IDSxpx86;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110211.002\IDSXpx86.sys [2011-2-12 341944]
R3 NAVENG;NAVENG;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110213.003\NAVENG.SYS [2011-2-13 86008]
R3 NAVEX15;NAVEX15;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110213.003\NAVEX15.SYS [2011-2-13 1360760]
S2 gupdate;Google Update Service (gupdate);f:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 wacmoumonitor;Wacom Mode Helper;f:\windows\system32\drivers\wacmoumonitor.sys [2009-9-24 15656]
S3 WDC_SAM;WD SCSI Pass Thru driver;f:\windows\system32\drivers\wdcsam.sys [2011-1-31 11520]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-02-12 21:47:32 -------- d-----w- f:\docume~1\jacque~1\locals~1\applic~1\NPE
2011-02-12 21:03:41 -------- d-sha-r- F:\cmdcons
2011-02-12 20:33:17 98816 ----a-w- f:\windows\sed.exe
2011-02-12 20:33:17 89088 ----a-w- f:\windows\MBR.exe
2011-02-12 20:33:17 256512 ----a-w- f:\windows\PEV.exe
2011-02-12 20:33:17 161792 ----a-w- f:\windows\SWREG.exe
2011-02-02 17:46:31 -------- d-----w- f:\docume~1\jacque~1\applic~1\webex
2011-01-31 16:17:46 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys
2011-01-31 16:13:52 45568 -c----w- f:\windows\system32\dllcache\wab.exe
2011-01-31 16:08:41 11520 ----a-w- f:\windows\system32\drivers\wdcsam.sys
2011-01-31 15:51:35 -------- d-----w- f:\docume~1\jacque~1\locals~1\applic~1\Western_Digital
2011-01-31 15:49:28 -------- d-----w- f:\docume~1\jacque~1\locals~1\applic~1\Western Digital
2011-01-31 15:49:12 -------- d-----w- f:\docume~1\alluse~1\applic~1\Western Digital
2011-01-31 15:48:40 -------- d-----w- f:\program files\Western Digital
2011-01-28 15:01:15 -------- d-----w- f:\docume~1\jacque~1\locals~1\applic~1\CutePDF_Filler
2011-01-28 14:12:59 87544 ----a-w- f:\windows\system32\cpwmon2k.dll
2011-01-28 14:12:52 -------- d-----w- f:\program files\Acro Software
2011-01-25 14:00:55 -------- d-----w- f:\docume~1\jacque~1\applic~1\Tific
2011-01-24 16:58:20 -------- d-----w- f:\program files\GPLGS
2011-01-24 16:53:36 -------- d-----w- f:\docume~1\jacque~1\locals~1\applic~1\CustomStamp
2011-01-24 16:49:03 -------- d-----w- f:\docume~1\jacque~1\locals~1\applic~1\CutePDF_Pro
2011-01-24 16:49:03 -------- d-----w- f:\docume~1\jacque~1\locals~1\applic~1\CutePDF
2011-01-21 14:44:37 439296 -c----w- f:\windows\system32\dllcache\shimgvw.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- f:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- f:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ------w- f:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- f:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- f:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- f:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- f:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ------w- f:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- f:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ------w- f:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ------w- f:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ------w- f:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ------w- f:\windows\system32\ntkrnlpa.exe
2010-11-30 15:28:09 60808 ----a-w- f:\windows\system32\S32EVNT1.DLL
1996-02-12 23:02:34 288768 -c--a-w- f:\program files\EFWNET.EXE
1996-02-12 23:01:20 296192 -c--a-w- f:\program files\EFWE.DLL
1996-02-12 23:01:08 34048 -c--a-w- f:\program files\EFWL.DLL
1996-02-12 23:01:00 258560 -c--a-w- f:\program files\EFWD.DLL
1996-02-12 23:00:28 285184 -c--a-w- f:\program files\UNINST.EXE
1996-02-12 23:00:12 367616 -c--a-w- f:\program files\EFWPROP.DLL
1996-02-12 22:59:54 30208 -c--a-w- f:\program files\EFWM.DLL
1996-02-12 17:09:14 20512 -c--a-w- f:\program files\EFWTC.DLL
1996-02-12 17:09:12 1463328 -c--a-w- f:\program files\EFW.OVL
1996-02-12 16:44:18 56832 -c--a-w- f:\program files\ROUTER.DLL
1996-02-12 16:41:36 72720 -c--a-w- f:\program files\EFW.EXE
1995-08-29 09:52:00 176128 -c--a-w- f:\program files\CW3215.DLL
1995-05-25 05:00:00 914432 -c--a-w- f:\program files\LEAD51N.DLL
1995-02-28 16:16:20 211488 -c--a-w- f:\program files\BWCC32.DLL
1995-01-11 19:28:00 152304 -c--a-w- f:\program files\BWCC.DLL

============= FINISH: 20:45:49.35 ===============

Push the Envelope...Watch it Bend

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 February 2011 - 03:29 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything, allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

#3 TOOLguy420

  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male
  • Location:Central Maine

Posted 22 February 2011 - 07:17 PM

I'm sorry for the late reply, but I did not receive notification of your post even though I have my settings configured to do so. I will run TDSSKiller.exe now and post the results as soon as I get them. Thank you.

Push the Envelope...Watch it Bend

#4 TOOLguy420

  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male
  • Location:Central Maine

Posted 22 February 2011 - 07:33 PM

2011/02/22 19:27:13.0390 1760 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/22 19:27:13.0421 1760 ================================================================================
2011/02/22 19:27:13.0421 1760 SystemInfo:
2011/02/22 19:27:13.0421 1760
2011/02/22 19:27:13.0421 1760 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/22 19:27:13.0421 1760 Product type: Workstation
2011/02/22 19:27:13.0421 1760 ComputerName: DELL
2011/02/22 19:27:13.0421 1760 UserName: Jacque $ John
2011/02/22 19:27:13.0421 1760 Windows directory: F:\WINDOWS
2011/02/22 19:27:13.0421 1760 System windows directory: F:\WINDOWS
2011/02/22 19:27:13.0421 1760 Processor architecture: Intel x86
2011/02/22 19:27:13.0421 1760 Number of processors: 1
2011/02/22 19:27:13.0421 1760 Page size: 0x1000
2011/02/22 19:27:13.0421 1760 Boot type: Normal boot
2011/02/22 19:27:13.0421 1760 ================================================================================
2011/02/22 19:27:13.0875 1760 Initialize success
2011/02/22 19:27:16.0281 2436 ================================================================================
2011/02/22 19:27:16.0281 2436 Scan started
2011/02/22 19:27:16.0281 2436 Mode: Manual;
2011/02/22 19:27:16.0281 2436 ================================================================================
2011/02/22 19:27:17.0218 2436 ACPI (8fd99680a539792a30e97944fdaecf17) F:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/22 19:27:17.0265 2436 ACPIEC (9859c0f6936e723e4892d7141b1327d5) F:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/22 19:27:17.0375 2436 aec (8bed39e3c35d6a489438b8141717a557) F:\WINDOWS\system32\drivers\aec.sys
2011/02/22 19:27:17.0421 2436 AegisP (2f7f3e8da380325866e566f5d5ec23d5) F:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/02/22 19:27:17.0484 2436 AFD (7e775010ef291da96ad17ca4b17137d7) F:\WINDOWS\System32\drivers\afd.sys
2011/02/22 19:27:17.0656 2436 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) F:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/22 19:27:17.0687 2436 atapi (9f3a2f5aa6875c72bf062c712cfa2674) F:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/22 19:27:17.0828 2436 ati2mtag (b2580f3de6a4e84060f8073df2ca0951) F:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/02/22 19:27:17.0890 2436 Atmarpc (9916c1225104ba14794209cfa8012159) F:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/22 19:27:17.0937 2436 audstub (d9f724aa26c010a217c97606b160ed68) F:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/22 19:27:17.0984 2436 BCM42RLY (438179abe9b7a922a21b8d6369ff52ff) F:\WINDOWS\System32\BCM42RLY.SYS
2011/02/22 19:27:18.0031 2436 Beep (da1f27d85e0d1525f6621372e7b685e9) F:\WINDOWS\system32\drivers\Beep.sys
2011/02/22 19:27:18.0156 2436 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) F:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys
2011/02/22 19:27:18.0281 2436 bvrp_pci (c945dc4eee3f624dfd07788ea7f0db0a) F:\WINDOWS\system32\drivers\bvrp_pci.sys
2011/02/22 19:27:18.0453 2436 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) F:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/22 19:27:18.0546 2436 Cdaudio (c1b486a7658353d33a10cc15211a873b) F:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/22 19:27:18.0609 2436 Cdfs (c885b02847f5d2fd45a24e219ed93b32) F:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/22 19:27:18.0640 2436 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) F:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/22 19:27:18.0984 2436 cvspydr2 (c6644d1a70c050fdd7ecbe8c3ac05313) F:\WINDOWS\system32\DRIVERS\cvspydr2.sys
2011/02/22 19:27:19.0078 2436 Disk (044452051f3e02e7963599fc8f4f3e25) F:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/22 19:27:19.0156 2436 dmboot (d992fe1274bde0f84ad826acae022a41) F:\WINDOWS\system32\drivers\dmboot.sys
2011/02/22 19:27:19.0218 2436 dmio (7c824cf7bbde77d95c08005717a95f6f) F:\WINDOWS\system32\drivers\dmio.sys
2011/02/22 19:27:19.0265 2436 dmload (e9317282a63ca4d188c0df5e09c6ac5f) F:\WINDOWS\system32\drivers\dmload.sys
2011/02/22 19:27:19.0312 2436 DMusic (8a208dfcf89792a484e76c40e5f50b45) F:\WINDOWS\system32\drivers\DMusic.sys
2011/02/22 19:27:19.0375 2436 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) F:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/22 19:27:19.0437 2436 drvmcdb (b15f9e526ba511a48b1b1b8537815740) F:\WINDOWS\system32\drivers\drvmcdb.sys
2011/02/22 19:27:19.0468 2436 drvnddm (fa4670cae95ae2bb857c68e535661145) F:\WINDOWS\system32\drivers\drvnddm.sys
2011/02/22 19:27:19.0515 2436 E100B (7d91dc6342248369f94d6eba0cf42e99) F:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/22 19:27:19.0671 2436 eeCtrl (089296aedb9b72b4916ac959752bdc89) F:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/02/22 19:27:19.0796 2436 elagopro (7ec42ec12a4bac14bcca99fb06f2d125) F:\WINDOWS\system32\DRIVERS\elagopro.sys
2011/02/22 19:27:19.0890 2436 elaunidr (dfeabb7cfffadea4a912ab95bdc3177a) F:\WINDOWS\system32\DRIVERS\elaunidr.sys
2011/02/22 19:27:19.0953 2436 Eplpdx02 (f9472131367d39435d750f5fa3d23582) F:\WINDOWS\system32\Drivers\EPLPDX02.SYS
2011/02/22 19:27:20.0109 2436 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) F:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/02/22 19:27:20.0234 2436 Fastfat (38d332a6d56af32635675f132548343e) F:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/22 19:27:20.0281 2436 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) F:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/22 19:27:20.0312 2436 Fips (d45926117eb9fa946a6af572fbe1caa3) F:\WINDOWS\system32\drivers\Fips.sys
2011/02/22 19:27:20.0359 2436 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) F:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/22 19:27:20.0390 2436 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) F:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/22 19:27:20.0453 2436 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) F:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/22 19:27:20.0484 2436 Ftdisk (6ac26732762483366c3969c9e4d2259d) F:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/22 19:27:20.0531 2436 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) F:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/22 19:27:20.0578 2436 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) F:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/22 19:27:20.0781 2436 HTTP (f80a415ef82cd06ffaf0d971528ead38) F:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/22 19:27:20.0937 2436 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) F:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/22 19:27:21.0265 2436 ialm (5a8e05f1d5c36abd58cffa111eb325ea) F:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/02/22 19:27:21.0593 2436 IDSxpx86 (0308238c582a55d83d34feee39542793) F:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110211.002\IDSxpx86.sys
2011/02/22 19:27:21.0734 2436 Imapi (083a052659f5310dd8b6a6cb05edcf8e) F:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/22 19:27:21.0906 2436 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) F:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/02/22 19:27:22.0046 2436 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) F:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/02/22 19:27:22.0078 2436 IntelC53 (de2686c0e012e6ae24acd6e79eb7ff5d) F:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/02/22 19:27:22.0234 2436 IntelIde (b5466a9250342a7aa0cd1fba13420678) F:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/22 19:27:22.0390 2436 intelppm (8c953733d8f36eb2133f5bb58808b66b) F:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/22 19:27:23.0718 2436 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) F:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/22 19:27:23.0828 2436 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) F:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/22 19:27:23.0859 2436 IpInIp (b87ab476dcf76e72010632b5550955f5) F:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/22 19:27:24.0000 2436 IpNat (cc748ea12c6effde940ee98098bf96bb) F:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/22 19:27:24.0046 2436 IPSec (23c74d75e36e7158768dd63d92789a91) F:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/22 19:27:24.0078 2436 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) F:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/22 19:27:24.0125 2436 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) F:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/22 19:27:24.0156 2436 Kbdclass (463c1ec80cd17420a542b7f36a36f128) F:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/22 19:27:24.0203 2436 kbdhid (9ef487a186dea361aa06913a75b3fa99) F:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/22 19:27:24.0265 2436 kmixer (692bcf44383d056aed41b045a323d378) F:\WINDOWS\system32\drivers\kmixer.sys
2011/02/22 19:27:24.0328 2436 KSecDD (b467646c54cc746128904e1654c750c1) F:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/22 19:27:24.0500 2436 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) F:\Program Files\LogMeIn\x86\RaInfo.sys
2011/02/22 19:27:24.0578 2436 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) F:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/02/22 19:27:24.0656 2436 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) F:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/02/22 19:27:24.0703 2436 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) F:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/22 19:27:24.0781 2436 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) F:\WINDOWS\system32\drivers\Modem.sys
2011/02/22 19:27:24.0828 2436 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) F:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/02/22 19:27:24.0859 2436 mohfilt (59b8b11ff70728eec60e72131c58b716) F:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/02/22 19:27:24.0921 2436 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) F:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/22 19:27:25.0000 2436 mouhid (b1c303e17fb9d46e87a98e4ba6769685) F:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/22 19:27:25.0078 2436 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) F:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/22 19:27:25.0125 2436 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) F:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/22 19:27:25.0203 2436 MRxSmb (f3aefb11abc521122b67095044169e98) F:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/22 19:27:25.0234 2436 Msfs (c941ea2454ba8350021d774daf0f1027) F:\WINDOWS\system32\drivers\Msfs.sys
2011/02/22 19:27:25.0281 2436 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) F:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/22 19:27:25.0312 2436 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) F:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/22 19:27:25.0343 2436 MSPQM (bad59648ba099da4a17680b39730cb3d) F:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/22 19:27:25.0375 2436 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) F:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/22 19:27:25.0406 2436 Mup (2f625d11385b1a94360bfc70aaefdee1) F:\WINDOWS\system32\drivers\Mup.sys
2011/02/22 19:27:25.0640 2436 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) F:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110213.003\NAVENG.SYS
2011/02/22 19:27:25.0703 2436 NAVEX15 (94b3164055d821a62944d9fe84036470) F:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110213.003\NAVEX15.SYS
2011/02/22 19:27:25.0843 2436 NDIS (1df7f42665c94b825322fae71721130d) F:\WINDOWS\system32\drivers\NDIS.sys
2011/02/22 19:27:25.0890 2436 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) F:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/22 19:27:25.0921 2436 Ndisuio (f927a4434c5028758a842943ef1a3849) F:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/22 19:27:25.0968 2436 NdisWan (edc1531a49c80614b2cfda43ca8659ab) F:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/22 19:27:26.0000 2436 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) F:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/22 19:27:26.0062 2436 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) F:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/22 19:27:26.0093 2436 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) F:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/22 19:27:26.0171 2436 Npfs (3182d64ae053d6fb034f44b6def8034a) F:\WINDOWS\system32\drivers\Npfs.sys
2011/02/22 19:27:26.0187 2436 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) F:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/22 19:27:26.0250 2436 Null (73c1e1f395918bc2c6dd67af7591a3ad) F:\WINDOWS\system32\drivers\Null.sys
2011/02/22 19:27:26.0296 2436 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) F:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/22 19:27:26.0328 2436 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) F:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/22 19:27:26.0375 2436 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) F:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/02/22 19:27:26.0437 2436 Parport (5575faf8f97ce5e713d108c2a58d7c7c) F:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/22 19:27:26.0468 2436 PartMgr (beb3ba25197665d82ec7065b724171c6) F:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/22 19:27:26.0500 2436 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) F:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/22 19:27:26.0531 2436 PCI (a219903ccf74233761d92bef471a07b1) F:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/22 19:27:26.0609 2436 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) F:\WINDOWS\system32\drivers\PCIIde.sys
2011/02/22 19:27:26.0656 2436 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) F:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/22 19:27:26.0796 2436 PenClass (4a108cc9cc0e0605e68cce7021479879) F:\WINDOWS\system32\Drivers\PenClass.sys
2011/02/22 19:27:27.0171 2436 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) F:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/22 19:27:27.0203 2436 PSched (09298ec810b07e5d582cb3a3f9255424) F:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/22 19:27:27.0234 2436 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) F:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/22 19:27:27.0296 2436 PxHelp20 (86724469cd077901706854974cd13c3e) F:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/22 19:27:27.0437 2436 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) F:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/22 19:27:27.0500 2436 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) F:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/22 19:27:27.0531 2436 RasPppoe (5bc962f2654137c9909c3d4603587dee) F:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/22 19:27:27.0562 2436 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) F:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/22 19:27:27.0609 2436 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) F:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/22 19:27:27.0640 2436 RDPCDD (4912d5b403614ce99c28420f75353332) F:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/22 19:27:27.0703 2436 RDPWD (6728e45b66f93c08f11de2e316fc70dd) F:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/22 19:27:27.0750 2436 redbook (f828dd7e1419b6653894a8f97a0094c5) F:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/22 19:27:27.0828 2436 RT73 (7436bfd3a542cf6ff55097200031b293) F:\WINDOWS\system32\DRIVERS\rt73.sys
2011/02/22 19:27:27.0906 2436 Secdrv (90a3935d05b494a5a39d37e71f09a677) F:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/22 19:27:28.0000 2436 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) F:\WINDOWS\system32\drivers\senfilt.sys
2011/02/22 19:27:28.0062 2436 serenum (0f29512ccd6bead730039fb4bd2c85ce) F:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/22 19:27:28.0093 2436 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) F:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/22 19:27:28.0156 2436 sermouse (1f16931c722c69e4a7866244796c66a0) F:\WINDOWS\system32\DRIVERS\sermouse.sys
2011/02/22 19:27:28.0187 2436 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) F:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/22 19:27:28.0281 2436 smwdm (c6d9959e493682f872a639b6ec1b4a08) F:\WINDOWS\system32\drivers\smwdm.sys
2011/02/22 19:27:28.0390 2436 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) F:\WINDOWS\system32\drivers\splitter.sys
2011/02/22 19:27:28.0421 2436 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) F:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/22 19:27:28.0515 2436 SRTSP (a7a104a61c4e30de9c58f8c372a5c209) F:\WINDOWS\System32\Drivers\NIS\1205000.07D\SRTSP.SYS
2011/02/22 19:27:28.0578 2436 SRTSPX (2833445f786bd000bb14c84a9d91347a) F:\WINDOWS\system32\drivers\NIS\1205000.07D\SRTSPX.SYS
2011/02/22 19:27:28.0640 2436 Srv (0f6aefad3641a657e18081f52d0c15af) F:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/22 19:27:28.0687 2436 sscdbhk5 (d7968049be0adbb6a57cee3960320911) F:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/02/22 19:27:28.0718 2436 ssrtln (c3ffd65abfb6441e7606cf74f1155273) F:\WINDOWS\system32\drivers\ssrtln.sys
2011/02/22 19:27:28.0781 2436 swenum (3941d127aef12e93addf6fe6ee027e0f) F:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/22 19:27:28.0812 2436 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) F:\WINDOWS\system32\drivers\swmidi.sys
2011/02/22 19:27:28.0968 2436 SymDS (bdf077b897b5f9f929b6bf0cfd436962) F:\WINDOWS\system32\drivers\NIS\1205000.07D\SYMDS.SYS
2011/02/22 19:27:29.0031 2436 SymEFA (7732298ad2eddd364c1d4f439d99ae7c) F:\WINDOWS\system32\drivers\NIS\1205000.07D\SYMEFA.SYS
2011/02/22 19:27:29.0156 2436 SymEvent (5c76a63fac8a5580c5a1c4a4ed827782) F:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/02/22 19:27:29.0250 2436 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) F:\WINDOWS\system32\drivers\NIS\1205000.07D\Ironx86.SYS
2011/02/22 19:27:29.0312 2436 SYMTDI (8c07683bf02b63ad71bcb2cf28af2d06) F:\WINDOWS\System32\Drivers\NIS\1205000.07D\SYMTDI.SYS
2011/02/22 19:27:29.0421 2436 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) F:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/22 19:27:29.0515 2436 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) F:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/22 19:27:29.0562 2436 TDPIPE (6471a66807f5e104e4885f5b67349397) F:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/22 19:27:29.0640 2436 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) F:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/22 19:27:29.0687 2436 TermDD (88155247177638048422893737429d9e) F:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/22 19:27:29.0781 2436 tfsnboio (1d265cd2fb1673a0873bf8cec19ddc7f) F:\WINDOWS\system32\dla\tfsnboio.sys
2011/02/22 19:27:29.0796 2436 tfsncofs (62e4901295e0467cac78e5b4b131ae5c) F:\WINDOWS\system32\dla\tfsncofs.sys
2011/02/22 19:27:29.0828 2436 tfsndrct (a2f380f9252ab3464c859adf91eead9c) F:\WINDOWS\system32\dla\tfsndrct.sys
2011/02/22 19:27:29.0859 2436 tfsndres (eee79bbefe9c6a2a3ce6c8753cfea950) F:\WINDOWS\system32\dla\tfsndres.sys
2011/02/22 19:27:29.0906 2436 tfsnifs (9d644eb11fec9487450c4cfcd63a5df4) F:\WINDOWS\system32\dla\tfsnifs.sys
2011/02/22 19:27:29.0953 2436 tfsnopio (e656af05c67edb7c0e9230a5df71ed1b) F:\WINDOWS\system32\dla\tfsnopio.sys
2011/02/22 19:27:29.0984 2436 tfsnpool (64fccb9cce703ca507dffc3cebf6b2cb) F:\WINDOWS\system32\dla\tfsnpool.sys
2011/02/22 19:27:30.0015 2436 tfsnudf (48bc9d8ab4e4b9bff70fb18e55cec3d6) F:\WINDOWS\system32\dla\tfsnudf.sys
2011/02/22 19:27:30.0062 2436 tfsnudfa (79f60822224256b49bfc855da8d651d5) F:\WINDOWS\system32\dla\tfsnudfa.sys
2011/02/22 19:27:30.0171 2436 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) F:\WINDOWS\system32\drivers\Udfs.sys
2011/02/22 19:27:30.0296 2436 Update (402ddc88356b1bac0ee3dd1580c76a31) F:\WINDOWS\system32\DRIVERS\update.sys
2011/02/22 19:27:30.0390 2436 usbccgp (173f317ce0db8e21322e71b7e60a27e8) F:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/22 19:27:30.0421 2436 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) F:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/22 19:27:30.0484 2436 usbhub (1ab3cdde553b6e064d2e754efe20285c) F:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/22 19:27:30.0546 2436 usbprint (a717c8721046828520c9edf31288fc00) F:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/22 19:27:30.0593 2436 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) F:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/22 19:27:30.0671 2436 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/22 19:27:30.0703 2436 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) F:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/22 19:27:30.0734 2436 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) F:\WINDOWS\System32\drivers\vga.sys
2011/02/22 19:27:30.0781 2436 VolSnap (4c8fcb5cc53aab716d810740fe59d025) F:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/22 19:27:30.0875 2436 wacmoumonitor (9a03558c37e919b9d6a50864aea0a168) F:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys
2011/02/22 19:27:30.0921 2436 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) F:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2011/02/22 19:27:30.0968 2436 wacomvhid (6843fd7db708b14ea4d8092abb464244) F:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2011/02/22 19:27:31.0000 2436 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) F:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
2011/02/22 19:27:31.0078 2436 Wanarp (e20b95baedb550f32dd489265c1da1f6) F:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/22 19:27:31.0125 2436 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) F:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/02/22 19:27:31.0187 2436 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) F:\WINDOWS\system32\DRIVERS\wdcsam.sys
2011/02/22 19:27:31.0296 2436 wdmaud (6768acf64b18196494413695f0c3a00f) F:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/22 19:27:31.0375 2436 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) F:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/02/22 19:27:31.0468 2436 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/22 19:27:31.0625 2436 ================================================================================
2011/02/22 19:27:31.0625 2436 Scan finished
2011/02/22 19:27:31.0625 2436 ================================================================================
2011/02/22 19:27:31.0640 2020 Detected object count: 1
2011/02/22 19:27:39.0296 2020 \HardDisk0 - will be cured after reboot
2011/02/22 19:27:39.0296 2020 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/22 19:27:44.0281 1716 Deinitialize success

Virus WAS NOT removed after reboot.

Edited by TOOLguy420, 22 February 2011 - 07:34 PM.

Push the Envelope...Watch it Bend

#5 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
Posted 23 February 2011 - 03:17 PM

Good evening. :)

Plan B then. Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#6 TOOLguy420
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Male
  • Location:Central Maine

Posted 23 February 2011 - 11:17 PM

ComboFix 11-02-23.05 - Jacque $ John 02/23/2011 22:43:09.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.887 [GMT -5:00]
Running from: f:\documents and settings\Jacque $ John\Desktop\FixMe.exe
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
/wow section - STAGE 25
The system cannot find the path specified.
@DO was unexpected at this time.


((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
.

2011-02-12 21:47 . 2011-02-12 23:37 -------- d-----w- f:\documents and settings\Jacque $ John\Local Settings\Application Data\NPE
2011-02-10 19:35 . 2011-02-10 19:35 15203 ----a-w- f:\documents and settings\NetworkService\Application Data\T5Qx1.js
2011-02-10 18:35 . 2011-02-10 18:35 15203 ----a-w- f:\documents and settings\NetworkService\Application Data\LbahXC3.js
2011-02-10 17:35 . 2011-02-10 17:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\mSbHHqo.js
2011-02-10 16:35 . 2011-02-10 16:35 15200 ----a-w- f:\documents and settings\NetworkService\Application Data\mltjX.js
2011-02-10 15:35 . 2011-02-10 15:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\TdWwOnyu.js
2011-02-10 07:35 . 2011-02-10 07:35 15205 ----a-w- f:\documents and settings\Jacque $ John\Application Data\a1xd04bZa.js
2011-02-10 06:35 . 2011-02-10 06:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\TaP3my.js
2011-02-10 05:35 . 2011-02-10 05:35 15205 ----a-w- f:\documents and settings\Jacque $ John\Application Data\ciZZsD.js
2011-02-10 04:35 . 2011-02-10 04:35 15205 ----a-w- f:\documents and settings\Jacque $ John\Application Data\irKmK.js
2011-02-10 03:35 . 2011-02-10 03:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\iTohcU88t.js
2011-02-10 02:35 . 2011-02-10 02:35 15201 ----a-w- f:\documents and settings\Jacque $ John\Application Data\WPT5V6A.js
2011-02-10 01:35 . 2011-02-10 01:35 15203 ----a-w- f:\documents and settings\Jacque $ John\Application Data\Ro8wo.js
2011-02-10 00:35 . 2011-02-10 00:35 15204 ----a-w- f:\documents and settings\Jacque $ John\Application Data\ajwi4.js
2011-02-09 23:35 . 2011-02-09 23:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\lGNAmB.js
2011-02-09 22:35 . 2011-02-09 22:35 15202 ----a-w- f:\documents and settings\Jacque $ John\Application Data\n5BaKZcWn.js
2011-02-09 20:35 . 2011-02-09 20:35 15203 ----a-w- f:\documents and settings\Jacque $ John\Application Data\eOU1cSy.js
2011-02-09 19:35 . 2011-02-09 19:35 15201 ----a-w- f:\documents and settings\Jacque $ John\Application Data\EIQjG.js
2011-02-09 18:35 . 2011-02-09 18:35 15201 ----a-w- f:\documents and settings\Jacque $ John\Application Data\BTlCkt3.js
2011-02-09 17:35 . 2011-02-09 17:35 15204 ----a-w- f:\documents and settings\Jacque $ John\Application Data\zhtRFB.js
2011-02-09 16:35 . 2011-02-09 16:35 15202 ----a-w- f:\documents and settings\Jacque $ John\Application Data\cjCCQtmy.js
2011-02-09 15:35 . 2011-02-09 15:35 15202 ----a-w- f:\documents and settings\Jacque $ John\Application Data\IVsKjd2xGi.js
2011-02-09 13:35 . 2011-02-09 13:35 15202 ----a-w- f:\documents and settings\Jacque $ John\Application Data\IJrXiq.js
2011-02-09 12:35 . 2011-02-09 12:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\YdjdvdM6x.js
2011-02-09 11:35 . 2011-02-09 11:35 15203 ----a-w- f:\documents and settings\Jacque $ John\Application Data\yLpmAi5B.js
2011-02-09 10:35 . 2011-02-09 10:35 15203 ----a-w- f:\documents and settings\Jacque $ John\Application Data\v9DfjmS0TU.js
2011-02-09 09:35 . 2011-02-09 09:35 15203 ----a-w- f:\documents and settings\Jacque $ John\Application Data\AoHOjkHvZz.js
2011-02-09 08:35 . 2011-02-09 08:35 15204 ----a-w- f:\documents and settings\Jacque $ John\Application Data\WN5TO6z.js
2011-02-09 07:35 . 2011-02-09 07:35 15204 ----a-w- f:\documents and settings\Jacque $ John\Application Data\NODd5.js
2011-02-09 06:35 . 2011-02-09 06:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\YmyVizzjP.js
2011-02-09 05:35 . 2011-02-09 05:35 15201 ----a-w- f:\documents and settings\Jacque $ John\Application Data\f05dw.js
2011-02-09 04:35 . 2011-02-09 04:35 15202 ----a-w- f:\documents and settings\Jacque $ John\Application Data\Eow0er5.js
2011-02-09 03:35 . 2011-02-09 03:35 15205 ----a-w- f:\documents and settings\Jacque $ John\Application Data\kphVvel9iY.js
2011-02-09 02:35 . 2011-02-09 02:35 15202 ----a-w- f:\documents and settings\Jacque $ John\Application Data\aW7Th5YBo.js
2011-02-09 01:35 . 2011-02-09 01:35 15203 ----a-w- f:\documents and settings\Jacque $ John\Application Data\xcByXabv.js
2011-02-09 00:35 . 2011-02-09 00:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\APx8ExFO.js
2011-02-08 23:35 . 2011-02-08 23:35 15204 ----a-w- f:\documents and settings\Jacque $ John\Application Data\a8jeExcKK8.js
2011-02-08 22:35 . 2011-02-08 22:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\FWCJ0.js
2011-02-08 21:35 . 2011-02-08 21:35 15203 ----a-w- f:\documents and settings\Jacque $ John\Application Data\zwoxSWwx0.js
2011-02-08 20:35 . 2011-02-08 20:35 15201 ----a-w- f:\documents and settings\Jacque $ John\Application Data\IX8Tk.js
2011-02-08 19:35 . 2011-02-08 19:35 15202 ----a-w- f:\documents and settings\Jacque $ John\Application Data\cM0ie.js
2011-02-08 18:35 . 2011-02-08 18:35 15204 ----a-w- f:\documents and settings\Jacque $ John\Application Data\TlFhoJdp.js
2011-02-08 17:35 . 2011-02-08 17:35 15200 ----a-w- f:\documents and settings\Jacque $ John\Application Data\khboDL4HL.js
2011-02-08 16:35 . 2011-02-08 16:35 15202 ----a-w- f:\documents and settings\NetworkService\Application Data\WJ6fUhIZ2.js
2011-02-08 15:35 . 2011-02-08 15:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\dKuh9.js
2011-02-06 12:35 . 2011-02-06 12:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\j7nWBdJzvS.js
2011-02-06 11:35 . 2011-02-06 11:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\OzARt1.js
2011-02-06 10:35 . 2011-02-06 10:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\HcqS1UIvH.js
2011-02-06 09:35 . 2011-02-06 09:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\qZ1RGoPFu.js
2011-02-06 08:35 . 2011-02-06 08:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\J5OyvHUTWX.js
2011-02-06 07:35 . 2011-02-06 07:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\FK9eOtM.js
2011-02-06 06:35 . 2011-02-06 06:35 15200 ----a-w- f:\documents and settings\NetworkService\Application Data\AKKGdYFK.js
2011-02-06 05:35 . 2011-02-06 05:35 15203 ----a-w- f:\documents and settings\NetworkService\Application Data\uJgtqrsV.js
2011-02-06 04:35 . 2011-02-06 04:35 15200 ----a-w- f:\documents and settings\NetworkService\Application Data\KQBIa.js
2011-02-06 03:35 . 2011-02-06 03:35 15203 ----a-w- f:\documents and settings\NetworkService\Application Data\UWTFkwW.js
2011-02-06 02:35 . 2011-02-06 02:35 15204 ----a-w- f:\documents and settings\NetworkService\Application Data\s6suT.js
2011-02-06 01:35 . 2011-02-06 01:35 15202 ----a-w- f:\documents and settings\NetworkService\Application Data\COMWjKtAnw.js
2011-02-06 00:35 . 2011-02-06 00:35 15202 ----a-w- f:\documents and settings\NetworkService\Application Data\eRDrTIVos3.js
2011-02-05 23:35 . 2011-02-05 23:35 15203 ----a-w- f:\documents and settings\NetworkService\Application Data\uGCMrqBY.js
2011-02-05 22:35 . 2011-02-05 22:35 15204 ----a-w- f:\documents and settings\NetworkService\Application Data\z1uEJ.js
2011-02-05 21:35 . 2011-02-05 21:35 15202 ----a-w- f:\documents and settings\NetworkService\Application Data\FtiJit.js
2011-02-05 20:35 . 2011-02-05 20:35 15202 ----a-w- f:\documents and settings\NetworkService\Application Data\NBMHcLqIC.js
2011-02-05 19:35 . 2011-02-05 19:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\Z70Zc.js
2011-02-05 18:35 . 2011-02-05 18:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\FGgelMS.js
2011-02-05 17:35 . 2011-02-05 17:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\BAD0hCy4.js
2011-02-05 16:35 . 2011-02-05 16:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\xv55O0iLT.js
2011-02-05 15:35 . 2011-02-05 15:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\JqwJDgU.js
2011-02-05 14:35 . 2011-02-05 14:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\aDccv.js
2011-02-05 13:35 . 2011-02-05 13:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\LD3Cuc16.js
2011-02-05 12:35 . 2011-02-05 12:35 15203 ----a-w- f:\documents and settings\NetworkService\Application Data\I3seOjMqNy.js
2011-02-05 11:35 . 2011-02-05 11:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\SRR7kY.js
2011-02-05 10:35 . 2011-02-05 10:35 15200 ----a-w- f:\documents and settings\NetworkService\Application Data\uBXWo0.js
2011-02-05 09:35 . 2011-02-05 09:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\UUvIR.js
2011-02-05 08:35 . 2011-02-05 08:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\uJM46zKiAQ.js
2011-02-05 07:35 . 2011-02-05 07:35 15200 ----a-w- f:\documents and settings\NetworkService\Application Data\z8fZ12f.js
2011-02-05 06:35 . 2011-02-05 06:35 15203 ----a-w- f:\documents and settings\NetworkService\Application Data\ROIc4uf.js
2011-02-05 05:35 . 2011-02-05 05:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\TSQVJDt9U.js
2011-02-05 04:35 . 2011-02-05 04:35 15200 ----a-w- f:\documents and settings\NetworkService\Application Data\ucbTrU39WT.js
2011-02-05 03:35 . 2011-02-05 03:35 15201 ----a-w- f:\documents and settings\NetworkService\Application Data\RSdEawh7.js
2011-02-05 02:35 . 2011-02-05 02:35 15202 ----a-w- f:\documents and settings\NetworkService\Application Data\etZUe.js
2011-02-05 01:35 . 2011-02-05 01:35 15204 ----a-w- f:\documents and settings\NetworkService\Application Data\Rla08k.js
2011-02-05 00:35 . 2011-02-05 00:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\RS7ib.js
2011-02-04 23:35 . 2011-02-04 23:35 15200 ----a-w- f:\documents and settings\NetworkService\Application Data\nMoHl5g.js
2011-02-04 22:35 . 2011-02-04 22:35 15205 ----a-w- f:\documents and settings\NetworkService\Application Data\FkXoP23.js
2011-02-04 21:35 . 2011-02-04 21:35 15202 ----a-w- f:\documents and settings\NetworkService\Application Data\Z5K5Xi.js
2011-02-02 17:46 . 2011-02-02 17:46 -------- d-----w- f:\documents and settings\Jacque $ John\Application Data\webex
2011-02-01 10:35 . 2011-02-01 10:38 -------- d-----w- f:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-31 16:17 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys
2011-01-31 16:13 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe
2011-01-31 16:09 . 2011-01-31 16:09 -------- d-----w- f:\documents and settings\Default User\Local Settings\Application Data\Western Digital
2011-01-31 16:08 . 2009-02-13 16:02 11520 ----a-w- f:\windows\system32\drivers\wdcsam.sys
2011-01-31 15:51 . 2011-01-31 15:51 -------- d-----w- f:\documents and settings\Jacque $ John\Local Settings\Application Data\Western_Digital
2011-01-31 15:49 . 2011-01-31 15:49 -------- d-----w- f:\documents and settings\Jacque $ John\Local Settings\Application Data\Western Digital
2011-01-31 15:49 . 2011-01-31 15:49 -------- d-----w- f:\documents and settings\All Users\Application Data\Western Digital
2011-01-31 15:49 . 2011-01-31 16:08 -------- dc----w- f:\windows\system32\DRVSTORE
2011-01-31 15:48 . 2011-01-31 16:04 -------- d-----w- f:\program files\Western Digital
2011-01-28 20:35 . 2011-01-28 20:35 -------- d-----w- f:\documents and settings\NetworkService\Local Settings\Application Data\CutePDF
2011-01-28 15:01 . 2011-01-28 15:01 -------- d-----w- f:\documents and settings\Jacque $ John\Local Settings\Application Data\CutePDF_Filler
2011-01-28 14:12 . 2010-03-11 19:22 87544 ----a-w- f:\windows\system32\cpwmon2k.dll
2011-01-28 14:12 . 2011-01-28 14:12 -------- d-----w- f:\program files\Acro Software
2011-01-25 14:00 . 2011-01-25 14:00 -------- d-----w- f:\documents and settings\Jacque $ John\Application Data\Tific

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- f:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- f:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 14:09 1854976 ------w- f:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-12 13:58 301568 ----a-w- f:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-12 14:09 916480 ----a-w- f:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-12 13:59 43520 ----a-w- f:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-12 13:58 1469440 ----a-w- f:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-12 13:59 730112 ------w- f:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-12 13:57 385024 ----a-w- f:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-12 14:02 718336 ------w- f:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-12 13:56 33280 ------w- f:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-12 14:02 2148864 ------w- f:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2027008 ------w- f:\windows\system32\ntkrnlpa.exe
2010-12-01 05:24 . 2010-12-27 21:37 368248 ----a-w- f:\windows\system32\drivers\NIS\1205000.07D\symtdi.sys
2010-12-01 05:24 . 2010-12-27 21:37 295032 ----a-w- f:\windows\system32\drivers\NIS\1205000.07D\symnets.sys
2010-12-01 05:23 . 2010-12-27 21:37 330360 ----a-w- f:\windows\system32\drivers\NIS\1205000.07D\symtdiv.sys
2010-11-30 15:28 . 2010-11-30 15:28 60808 ----a-w- f:\windows\system32\S32EVNT1.DLL
2010-11-30 15:28 . 2010-11-30 15:28 126512 ----a-w- f:\windows\system32\drivers\SYMEVENT.SYS
1996-02-12 23:02 . 2006-03-15 21:01 288768 -c--a-w- f:\program files\EFWNET.EXE
1996-02-12 23:01 . 2006-03-15 21:01 296192 -c--a-w- f:\program files\EFWE.DLL
1996-02-12 23:01 . 2006-03-15 21:01 34048 -c--a-w- f:\program files\EFWL.DLL
1996-02-12 23:01 . 2006-03-15 21:01 258560 -c--a-w- f:\program files\EFWD.DLL
1996-02-12 23:00 . 2006-03-15 21:02 285184 -c--a-w- f:\program files\UNINST.EXE
1996-02-12 23:00 . 2006-03-15 21:01 367616 -c--a-w- f:\program files\EFWPROP.DLL
1996-02-12 22:59 . 2006-03-15 21:01 30208 -c--a-w- f:\program files\EFWM.DLL
1996-02-12 17:09 . 2006-03-15 21:01 20512 -c--a-w- f:\program files\EFWTC.DLL
1996-02-12 17:09 . 2006-03-15 20:59 1463328 -c--a-w- f:\program files\EFW.OVL
1996-02-12 16:44 . 2006-03-15 21:02 56832 -c--a-w- f:\program files\ROUTER.DLL
1996-02-12 16:41 . 2006-03-15 21:01 72720 -c--a-w- f:\program files\EFW.EXE
1995-08-29 09:52 . 2006-03-15 20:59 176128 -c--a-w- f:\program files\CW3215.DLL
1995-05-25 05:00 . 2006-03-15 21:00 914432 -c--a-w- f:\program files\LEAD51N.DLL
1995-02-28 16:16 . 2006-03-15 21:00 211488 -c--a-w- f:\program files\BWCC32.DLL
1995-01-11 19:28 . 2006-03-15 20:59 152304 -c--a-w- f:\program files\BWCC.DLL
.

((((((((((((((((((((((((((((( SnapShot@2011-02-12_21.23.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-23 00:30 . 2011-02-23 00:30 16384 f:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2011-02-23 00:28 . 2011-02-23 00:28 16384 f:\windows\Temp\Perflib_Perfdata_6c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="f:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="f:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="f:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SoundMAXPnP"="f:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"LogMeIn GUI"="f:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"ISUSScheduler"="f:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"igfxtray"="f:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="f:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"dla"="f:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"Acrobat Assistant 8.0"="f:\aa j&j programs\Acrobat\Acrotray.exe" [2010-09-23 624056]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-07-27 148888]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"NeroFilterCheck"="f:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"EEventManager"="f:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
ColorVisionStartup.lnk - f:\aa j&j programs\Utility\ColorVisionStartup.exe [2006-1-31 385024]
Corel Registration.lnk - f:\program files\Corel\WordPerfect Office 2000\Register\Remind32.exe [2005-10-11 67584]
Desktop Application Director 9.LNK - f:\program files\Corel\WordPerfect Office 2000\programs\dad9.exe [2005-10-11 225280]
Register Mask Pro 3.0.lnk - f:\program files\onOne Software\Mask Pro 4.0\<FILE_REGISTRATION_APP> [N/A]
TabUserW.exe.lnk - f:\windows\system32\WTablet\TabUserW.exe [2006-8-17 114688]
WDDMStatus.lnk - f:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-11-8 3986944]
Windows Search.lnk - f:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "f:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-11-19 00:12 87352 ----a-w- f:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 SymDS;Symantec Data Store;f:\windows\system32\drivers\NIS\1205000.07D\symds.sys [12/27/2010 4:37 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\NIS\1205000.07D\symefa.sys [12/27/2010 4:37 PM 652336]
R1 BHDrvx86;BHDrvx86;f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/18/2011 8:58 PM 691248]
R1 SymIRON;Symantec Iron Driver;f:\windows\system32\drivers\NIS\1205000.07D\ironx86.sys [12/27/2010 4:37 PM 136312]
R2 LMIInfo;LogMeIn Kernel Information Provider;f:\program files\LogMeIn\x86\rainfo.sys [9/12/2007 9:21 AM 12856]
R2 NIS;Norton Internet Security;f:\program files\Norton Internet Security\Engine\18.5.0.125\ccsvchst.exe [12/27/2010 4:37 PM 130000]
R2 TabletServiceWacom;TabletServiceWacom;f:\windows\system32\Wacom_Tablet.exe [9/24/2009 1:45 PM 2789672]
R2 WDDMService;WDDMService;f:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/8/2010 11:40 AM 237568]
R2 WDFME;WD File Management Engine;f:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [11/8/2010 11:43 AM 1060352]
R2 WDSC;WD File Management Shadow Engine;f:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [11/8/2010 11:43 AM 484352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/9/2010 1:19 PM 102448]
R3 IDSxpx86;IDSxpx86;f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110211.002\IDSXpx86.sys [2/12/2011 3:12 PM 341944]
S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:41 AM 135664]
S3 wacmoumonitor;Wacom Mode Helper;f:\windows\system32\drivers\wacmoumonitor.sys [9/24/2009 1:45 PM 15656]
S3 WDC_SAM;WD SCSI Pass Thru driver;f:\windows\system32\drivers\wdcsam.sys [1/31/2011 11:08 AM 11520]
.
Contents of the 'Scheduled Tasks' folder

2011-02-19 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2011-02-23 f:\windows\Tasks\Google Software Updater.job
- f:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-11 02:44]

2011-02-23 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:41]

2011-02-24 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Append to existing PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\aa j&j programs\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://pephoto.lifepics.com/net/Uploader/LPUploader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-23 22:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"f:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"f:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,06,da,80,4f,51,bb,4f,84,43,41,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,06,da,80,4f,51,bb,4f,84,43,41,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
f:\windows\system32\Ati2evxx.dll
f:\windows\system32\LMIinit.dll
f:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1180)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
.
Completion time: 2011-02-23 22:52:31
ComboFix-quarantined-files.txt 2011-02-24 03:52
ComboFix2.txt 2011-02-12 21:39

Pre-Run: 43,345,043,456 bytes free
Post-Run: 43,321,692,160 bytes free

- - End Of File - - 13DD01273C6A5E044918FEA96F0D3DA2

Virus was not removed after reboot.


Push the Envelope...Watch it Bend

#7 Noviciate (Malware Response Team)

Posted 24 February 2011 - 03:42 PM

Virus WAS NOT removed after reboot.

Capital letters, and for me that includes enlarged and emboldened text, are the online equivalent of shouting and do nothing to endear you to anyone offering their time free of charge to help you solve issues that they are not responsible for - please don't do it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Do you have access to a small flashdrive that you can wipe and use to boot from - 75Mb is ample.

So long, and thanks for all the fish.

#8 TOOLguy420 (Topic Starter)

Posted 24 February 2011 - 06:28 PM


Virus WAS NOT removed after reboot.

Capital letters, and for me that includes enlarged and emboldened text, are the online equivalent of shouting and do nothing to endear you to anyone offering their time free of charge to help you solve issues that they are not responsible for - please don't do it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I am aware of that; I wasn't trying to "shout" or tick anybody off, I was just trying to differentiate my text from the ComboFix log...my apologies if I offended anyone, and I'll just use a different font from now on if that is acceptable. I really do appreciate all the help.

Do you have access to a small flashdrive that you can wipe and use to boot from - 75Mb is ample.


I sure do.


#9 Noviciate (Malware Response Team)

Posted 25 February 2011 - 03:24 PM

Good evening. :)

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.

  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder and check that you can see two folders, boot and opt that you installed on the flashdrive earlier - this will confirm you've found the right folder.
  • Next click Tool at the top.
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all its fashionable black livery.
  • Type the following: dd if=/dev/sda of=mbr.bin bs=512 count=1 and then hit <ENTER>.
  • This will make a copy of the Master Boot Record and drop it on the flashdrive as a file called mbr.bin.
  • Once the Terminal Window reports that it has completed its task, close the window - you should now be able to see the newly created file.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and insert back in your working computer and navigate to mbr.bin

    Please note - all text entries are case sensitive

    Please attach the file mbr.bin in your next reply, you will need to put it in a compressed/zipped folder, or let me know if you had any problems.

#10 TOOLguy420 (Topic Starter)

Posted 25 February 2011 - 06:07 PM

Thanks, I'm all over it. I will be using a different PC to set up the flash drive, and then again to retrieve the mbr.bin file. One question: does this procedure pose any risk of corrupting anything and/or rendering the infected PC unbootable?


#11 Noviciate (Malware Response Team)

Posted 25 February 2011 - 06:51 PM

Not if you follow the instructions. The command you will be entering has the potential to cause problems if you swap the if= and of= around, but if you enter exactly what I've typed, all will be well - it worked fine on my system when I tested it beforehand to ensure its safety.

All it will do is to create a copy of the MBR so it can be analysed for slime. Unfortunately some slime will interfere with this process if it is running, which it would be under Windows, so we use an alternative operating system to give us a free run at the task.

#12 TOOLguy420 (Topic Starter)

Posted 25 February 2011 - 06:54 PM

Good stuff, thanks again...I'll be back to you shortly.

EDIT: Should I format the flash drive as FAT or FAT32, or does it matter?


#13 TOOLguy420 (Topic Starter)

Posted 25 February 2011 - 09:47 PM

OK, now that the sick machine is booted with the flash drive, a couple of questions:

The terminal window opened with this text: sh-4.0# Is this just a "prefix" similar to C:\Documents and Settings\User in the Windows command prompt?

My flash drive is showing up as sdc1; do I need to change anything in the dd if=/dev/sda of=mbr.bin bs=512 count=1 command?

One more thing: Before starting this step, I did a full scan with Norton and it came up completely clean; however, when I rebooted the virus "came back". Thought you should know.

Thanks,
Mark


#14 Noviciate (Malware Response Team)

Posted 26 February 2011 - 02:59 PM

Good evening. :)

The terminal window opened with this text: sh-4.0# Is this just a "prefix" similar to C:\Documents and Settings\User in the Windows command prompt?

Possibly. I use Linux now in the same way that I originally used Windows - I get it to do what I want but how it does it is a mystery! If that's what the prompt is, then that's what it is.

My flash drive is showing up as sdc1; do I need to change anything in the dd if=/dev/sda of=mbr.bin bs=512 count=1 command?

Nope. As long as you open the flashdrive folder before the Terminal window, and the file(s) that are created have no file path, as the mbr dump won't, then they are dropped in the current location - which is on the flashdrive.

One more thing: Before starting this step, I did a full scan with Norton and it came up completely clean; however, when I rebooted the virus "came back". Thought you should know.

Some slime has an ability to hide which is why we are using a non-Windows environment to see what's what. It won't be active, so it can't affect any tools we run.

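Once mbr.bin is back on the working PC, the first triage of the dump is mechanical: confirm dd produced one full 512-byte sector from the right disk, decode the partition table, and look at whether the 446 bytes of boot code still resemble a stock Windows MBR. The script below is an added example written for this thread, not the helper's analysis tool and not code posted by anyone in it. The two sample MBRs it builds are constructed inline (a small Dell utility partition followed by a bootable NTFS partition is an assumed layout, and the "rewritten" variant is a filler pattern, not real bootkit code); run it on the real dump with check_mbr(open("mbr.bin", "rb").read()). The stock-string check is a heuristic only: it flags boot code that is not the standard Microsoft code, which a bootkit that overwrites the MBR would trigger, but so would a legitimate third-party boot manager.

```python
"""Parse and sanity-check a 512-byte MBR dump (the mbr.bin written by
`dd if=/dev/sda of=mbr.bin bs=512 count=1` from a live Linux boot).
Added example; the sample MBRs below are constructed, not taken from the thread."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code (what a bootkit overwrites)
PT_OFFSET = 446                # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"        # bytes 510..511: boot signature

# Error strings carried by the stock XP-era Windows MBR boot code.
STOCK_STRINGS = (b"Invalid partition table",
                 b"Error loading operating system",
                 b"Missing operating system")

PTYPE_NAMES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS", 0x0b: "FAT32",
               0x0c: "FAT32 (LBA)", 0x0f: "extended (LBA)", 0x82: "Linux swap",
               0x83: "Linux", 0xde: "Dell utility"}


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) lba_start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "name": PTYPE_NAMES.get(ptype, "0x%02x" % ptype),
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> dict:
    """Return the findings an analyst looks at first when triaging an MBR dump."""
    findings = {"size_ok": len(mbr) == SECTOR,
                "signature_ok": mbr[510:512] == SIGNATURE}
    if not (findings["size_ok"] and findings["signature_ok"]):
        # A short or unsigned dump usually means dd read the wrong device
        # (e.g. the USB stick itself) or did not complete: re-dump before analysing.
        findings["verdict"] = "dump invalid, re-run dd"
        return findings
    boot_code = mbr[:BOOT_CODE_LEN]
    parts = parse_partitions(mbr)
    findings["partitions"] = parts
    findings["bootable_count"] = sum(p["bootable"] for p in parts)
    findings["has_ntfs"] = any(p["type"] == 0x07 for p in parts)
    findings["stock_strings_present"] = [s.decode() for s in STOCK_STRINGS if s in boot_code]
    # Hash of the boot code alone, for comparison against a dump from a clean XP box.
    findings["boot_code_sha256"] = hashlib.sha256(boot_code).hexdigest()
    suspicious = []
    if not findings["has_ntfs"]:
        suspicious.append("no NTFS partition: probably not the Windows disk")
    if findings["bootable_count"] != 1:
        suspicious.append("expected exactly one active partition")
    if len(findings["stock_strings_present"]) != len(STOCK_STRINGS):
        suspicious.append("stock Windows MBR strings missing: boot code replaced or "
                          "non-standard; compare its hash with a known-clean MBR")
    findings["suspicious"] = suspicious
    findings["verdict"] = "review boot code" if suspicious else "looks like a stock MBR"
    return findings


def _partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are set to 0xff (LBA-only), as modern tooling does.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", lba_start, sectors)


def build_sample_mbr(stock_boot_code: bool = True) -> bytes:
    """Constructed 512-byte MBR (assumed layout: Dell utility partition, then a
    bootable NTFS partition). With stock_boot_code=False the boot code is a
    filler pattern lacking the stock strings, standing in for a rewritten MBR;
    it is not real bootkit code."""
    if stock_boot_code:
        code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 300 + b"\x00".join(STOCK_STRINGS)
    else:
        code = bytes((i * 37) & 0xff for i in range(300))
    code = code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = (_partition_entry(False, 0xde, 63, 80262)
             + _partition_entry(True, 0x07, 80325, 156216060)
             + b"\x00" * 32)                      # two empty entries
    return code + table + SIGNATURE


if __name__ == "__main__":
    for label, mbr in (("clean-looking", build_sample_mbr(True)),
                       ("rewritten boot code", build_sample_mbr(False))):
        f = check_mbr(mbr)
        print("%s -> %s" % (label, f["verdict"]))
        for p in f["partitions"]:
            print("  #%d %s%s start=%d sectors=%d" % (p["index"], p["name"],
                  " (active)" if p["bootable"] else "", p["lba_start"], p["sectors"]))
        for s in f["suspicious"]:
            print("  !", s)
        print("  boot code sha256:", f["boot_code_sha256"])
```

Two of the checks map directly onto questions raised in this thread. If has_ntfs comes back false, the dump almost certainly did not come from the Windows disk, which is the risk when the stick enumerates as something other than sdb and /dev/sda is typed from memory; re-check which device holds the NTFS partition before dumping again. And because a bootkit that lives in the MBR keeps the partition table intact while replacing only the boot code, the partition list will look perfectly normal on an infected machine: the boot code hash, compared against a dump from a known-clean XP installation, is what settles it, not the table.
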
#15 TOOLguy420 (Topic Starter)

Posted 26 February 2011 - 03:37 PM

Looks like it went off without a hitch; please find mbr.bin attached to this post. Thanks again for your continued help.
