
BankerFox.A


This topic is locked
27 replies to this topic

#1 Bob10113

  • Members
  • 73 posts

Posted 05 March 2011 - 03:19 AM

I need some help. I'm getting a couple of alerts, 'cause I have a a virus (or two.)

Here's an example of two of the alerts:

INFILTRATION ALERT
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper, or similar.

DETAILS
Attack from: (bunch of numbers) , port (bunch of numbers)

Attacked port: (bunch of numbers)

BankerFox.A


I didn't give specific numbers because the numbers always change with each alert.

I also get this same alert with the last line saying "Win32/Nuquel.E"


The other alert I get is this:

Virus Alert!

Application can't be started!
The file wuauclt.exe is damaged.
Do you want to activite your antivirus software now?


My computer is a Dell laptop running Windows XP. Part of the problem is, I can't get online from that computer because I get one of those alerts saying "the file Firefox.exe is damaged". And for some strange reason, even when I could go online while I was infected, I was unable to go to www.bleepingcomputer.com.

Please help.


#2 Bob10113

  • Topic Starter
  • Members
  • 73 posts

Posted 16 April 2011 - 03:36 PM

I know you guys are quite busy, but I still need some help and more than a month has gone by. Is there anyone who can help me?

#3 boopme

  • Global Moderator
  • 73,213 posts
  • Location:NJ USA

Posted 16 April 2011 - 09:33 PM

Hello, very sorry you got passed by. What AV is alerting you?

BankerFox.A is a dangerous hack tool and rogue anti-spyware program. It installs itself on the user's system automatically and displays fake security alert messages.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Edited by boopme, 16 April 2011 - 09:35 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Bob10113

  • Topic Starter
  • Members
  • 73 posts

Posted 21 April 2011 - 11:02 PM

Thank you for taking a look.

What AV is alerting you?

I'm not sure what you mean by "AV", so I'm not sure how to answer that question.

As for the MBAM scan... here ya go.



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6417

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/21/2011 11:24:55 PM
mbam-log-2011-04-21 (23-24-55).txt

Scan type: Quick scan
Objects scanned: 187980
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 23
Registry Values Infected: 10
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 30

Memory Processes Infected:
c:\program files\gamevance\gamevance32.exe (Adware.Gamevance) -> 1336 -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\cmdlelog.dll (Trojan.Dropper) -> Delete on reboot.
c:\program files\gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
c:\WINDOWS\system32\inferno.dll (Worm.KoobFace) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\GamevanceText.Linker.1 (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\GamevanceText.Linker (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\haspntt (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ineufbr1v (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ndo8thb2ikwe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ALADDINS (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HASPNTT (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aladdins (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uovcwpfi (Trojan.Agent.Gen) -> Value: uovcwpfi -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uovcwpfi (Trojan.Agent.Gen) -> Value: uovcwpfi -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vpawrvhf (Trojan.Downloader) -> Value: vpawrvhf -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vpawrvhf (Trojan.Downloader) -> Value: vpawrvhf -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jmbwgivg (Trojan.FakeAlert.Gen) -> Value: jmbwgivg -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjstmbha (Trojan.Downloader) -> Value: rjstmbha -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drwkhrpv (Trojan.FakeAlert) -> Value: drwkhrpv -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\emusvc (Worm.KoobFace) -> Value: emusvc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gamevance (Adware.Gamevance) -> Value: Gamevance -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components (Adware.GamesVance) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\cmdlelog.dll (Trojan.Dropper) -> Delete on reboot.
c:\documents and settings\Michael\local settings\application data\liocjruiq\ederdnmtssd.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\application data\anatiahmh\rkfxhnctssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\ntuyisbmh\gudyxdsuerb.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\nhvdrpydx\mpwsctnsjmo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\smucmkcgt\ytyuogysikk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\program files\gamevance\gvtl.dll (Adware.GameVance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\0.20850485386545148.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\0.4468603378366668.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\0.46428647864798067.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\342.tmp (Trojan.Sasfis) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\qorp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temp\YgbS.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\application data\syssvc.exe (Trojan.KillAV) -> Quarantined and deleted successfully.
c:\WINDOWS\bill110.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\maximo.sys (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\inferno.dll (Worm.KoobFace) -> Delete on reboot.
c:\documents and settings\Michael\local settings\application data\048102515610049.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\application data\0535049569854.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\application data\0569949489854.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\program files\gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\program files\gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\program files\gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\program files\gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome.manifest (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\install.rdf (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome\gvtextlinks.jar (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.xpt (Adware.GamesVance) -> Quarantined and deleted successfully.
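The log format above is regular enough to triage mechanically. As an added example (not part of this thread and not Malwarebytes' own tooling), the Python below parses MBAM entries of the form `<item> (<detection>) -> <action>`, counts detections by family, and lists the items still marked "Delete on reboot", which is the reason the instructions earlier in the thread insist on a normal reboot. The sample text is a handful of lines copied from the log above; the function names are my own.

```python
import re
from collections import Counter

# Sample input: a few entries copied from the MBAM log posted above,
# trimmed to keep the example short. Section and line shapes are unchanged.
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\program files\gamevance\gamevance32.exe (Adware.Gamevance) -> 1336 -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\cmdlelog.dll (Trojan.Dropper) -> Delete on reboot.
c:\WINDOWS\system32\inferno.dll (Worm.KoobFace) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uovcwpfi (Trojan.Agent.Gen) -> Value: uovcwpfi -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cmdlelog.dll (Trojan.Dropper) -> Delete on reboot.
c:\WINDOWS\bill110.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
"""

# Per-section headers such as "Memory Modules Infected:" (the summary counts
# near the top of a log carry a number after the colon and do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# "<item> (<detection>) -> [<extra> ->] <action>."  The greedy item group means
# a path containing " (x86)" still splits at the final "(Detection)" group.
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, detection, action."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:
            continue  # banner lines, "(No malicious items detected)", etc.
        # The action is always the last "->" field; a PID or value name may precede it.
        action = m.group("rest").split("->")[-1].strip()
        entries.append({
            "section": section,
            "item": m.group("item"),
            "detection": m.group("detection"),
            "action": action,
            "pending_reboot": action.lower() == "delete on reboot",
        })
    return entries


def summarize(entries):
    """Counts by detection family plus the items that survive until a reboot."""
    by_family = Counter(e["detection"].split(".")[0] for e in entries)
    pending = sorted({e["item"] for e in entries if e["pending_reboot"]})
    # PUM.* entries are modified settings (here a browser proxy), not files;
    # they deserve a separate look because they change where traffic is sent.
    settings = sorted(e["item"] for e in entries if e["detection"].startswith("PUM."))
    return {
        "total": len(entries),
        "by_family": dict(by_family),
        "pending_reboot": pending,
        "modified_settings": settings,
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} detections: {report['by_family']}")
    for item in report["pending_reboot"]:
        print("still present until reboot:", item)
    for item in report["modified_settings"]:
        print("modified setting:", item)
```

To run it over a real log, read the file and pass its text to `parse_mbam_log` in place of `SAMPLE_LOG`; anything in `pending_reboot` should be re-checked after the machine has been restarted normally.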

#5 boopme

  • Global Moderator
  • 73,213 posts
  • Location:NJ USA

Posted 22 April 2011 - 11:10 AM

Sorry.. "I'm not sure what you mean by 'AV', so I'm not sure how to answer that question." AV = Antivirus.

We have the pesky worm Koobface... Do you have a flash drive? It will need to be cleaned.

We have to run 2 more scans.


Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Let's run an online scan.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Please ask any questions you need to, post logs, and let us know how the PC is running now.

#6 Bob10113

  • Topic Starter
  • Members
  • 73 posts

Posted 23 April 2011 - 12:56 AM

I have a bit of a problem.

After running the SUPERAntiSpyware scan, exiting the program and restarting my computer, I came across this blue screen of death:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000135 (0x00000000 0x00000000).
The system has been shut down.


Consequently, I am unable to produce a scan log.

Unless I can go online in Safe Mode... haven't tried that yet, but I figured this blue screen of death is alarming enough for me to tell you about it right away without trying to fiddle with booting up in safe mode again.


Edit to add: I do remember that the scan found 484 problems... 1 Memory, 0 Registry, 483 File.

UPDATE: I can't boot in safe mode now either.

Edited by Bob10113, 23 April 2011 - 03:53 AM.


#7 boopme

  • Global Moderator
  • 73,213 posts
  • Location:NJ USA

Posted 23 April 2011 - 12:24 PM

I am asking someone to look here that specializes in when malware makes a PC unbootable.

#8 JSntgRvr

  • Malware Response Team
  • 11,570 posts
  • Location:Puerto Rico

Posted 23 April 2011 - 01:54 PM

Hi, welcome!

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
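The `dd if=/dev/sda of=mbr.bin bs=512 count=1` line in the post above copies exactly one 512-byte sector. As an added example that is not part of this thread and not one of the scripts it mentions, the Python below checks a captured mbr.bin before it is zipped and posted: it verifies the length and the 0x55AA boot signature at bytes 510-511, decodes the four partition-table entries that start at byte 446, and hashes the boot-code region (bytes 0-445) so it can be compared against a known-good copy of the same loader. The sample image it builds is constructed for the demonstration, and the function names are my own; run it with a file path to check a real capture.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR

# Common partition type ids (partial table; unknown ids are shown in hex).
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0b: "FAT32", 0x0c: "FAT32 (LBA)",
    0x0f: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_mbr(data):
    """Validate a 512-byte MBR and return its partition table and boot-code hash."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}; "
                         "check the bs= and count= arguments given to dd")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing; not an MBR sector")
    partitions = []
    for slot in range(4):
        offset = PART_TABLE_OFFSET + 16 * slot
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, offset)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        # Hash only the code region so a repartition does not change the value;
        # compare it against a known-good copy of the same boot loader.
        "bootcode_md5": hashlib.md5(data[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def is_valid_mbr(data):
    """True when the data is a well-formed 512-byte MBR sector."""
    try:
        parse_mbr(data)
        return True
    except ValueError:
        return False


def build_sample_mbr():
    """Constructed 512-byte image (not from the thread): dummy loader + one bootable NTFS partition."""
    boot_code = b"\xeb\x3c\x90" + b"SAMPLE  " + b"\x00" * (PART_TABLE_OFFSET - 11)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2048)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Usage: python mbr_check.py mbr.bin   (no argument: check the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("boot code md5:", info["bootcode_md5"])
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} slot {p['slot']}: {p['type_name']:<14} start LBA {p['lba_start']} "
              f"size {p['sectors']} sectors")
```

A capture that fails the length check usually means `bs=` or `count=` was mistyped; one that fails the signature check usually means `if=` pointed at the wrong device, which is why the post stresses getting those two arguments right.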


#9 boopme

  • Global Moderator
  • 73,213 posts
  • Location:NJ USA

Posted 23 April 2011 - 02:01 PM

Thx JSntgRvr
Just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.

#10 Bob10113

  • Topic Starter
  • Members
  • 73 posts

Posted 24 April 2011 - 01:24 AM

I'm having another problem. I can't boot the sick computer from the CD, and probably won't be able to unless I buy an external CD drive. Is there a way to proceed without needing a CD?

Update: I got the CD to work.

Edited by Bob10113, 24 April 2011 - 01:31 AM.


#11 JSntgRvr

  • Malware Response Team
  • 11,570 posts
  • Location:Puerto Rico

Posted 24 April 2011 - 01:44 AM

:thumbup2:



#12 Bob10113

  • Topic Starter
  • Members
  • 73 posts

Posted 24 April 2011 - 01:54 AM

Report.txt:

Sun Apr 24 02:33:26 UTC 2011
Driver report for /mnt/sda1/WINDOWS/system32/drivers

009927db8019c54477dabf6f9d795053 1394bus.sys
Microsoft Corporation

9859c0f6936e723e4892d7141b1327d5 acpiec.sys
Microsoft Corporation

a10c7534f7223f4a73a948967d00e69b acpi.sys
Microsoft Corporation

1ee7b434ba961ef845de136224c30fec aec.sys
Microsoft Corporation

375eb0b97e3950adef3633c27a82438b AegisP.sys
Meetinghouse Data Communications

55e6e1c51b6d30e54335750955453702 afd.sys
Microsoft Corporation

dad16a9d5c873e7219e6b43802ed316a amdk6.sys
Microsoft Corporation

680ad1c1bb16239e28d8f33a54a7a3c7 amdk7.sys
Microsoft Corporation

f0d692b0bffb46e30eb3cea168bbc49f arp1394.sys
Microsoft Corporation

02000abf34af4c218c35d257024807d6 asyncmac.sys
Microsoft Corporation

cdfe4411a69c224bd1d11b2da92dac51 atapi.sys
Microsoft Corporation

ec88da854ab7d7752ec8be11a741bb7f atmarpc.sys
Microsoft Corporation

39a0a59180f19946374275745b21aeba atmepvc.sys
Microsoft Corporation

0128e78fe835f074e469f03db681ca9e atmlane.sys
Microsoft Corporation

e7ef69b38d17ba01f914ae8f66216a38 atmuni.sys
Microsoft Corporation

c7a163e379bd136d91a27c8a4bd3a899 atwpkt264.sys
America Online

6276b02b10e55ccbb2a23979ad345aa9 atwpkt2.sys
America Online

d9f724aa26c010a217c97606b160ed68 audstub.sys
Microsoft Corporation

ea22edadf90c0aba8319454b2a07b700 battc.sys
Microsoft Corporation

78123f44be9e4768852a3a017e02d637 bcm4sbxp.sys
Broadcom Corporation

da1f27d85e0d1525f6621372e7b685e9 beep.sys
Microsoft Corporation

e4e6a0922e3d983728c9ad4e8d466954 bridge.sys
Microsoft Corporation

95ef6f3f386d93ee1e4d9ca45a50252a bthport.sys
Microsoft Corporation

90a673fc8e12a79afbed2576f6a7aaf9 cbidf2k.sys
Microsoft Corporation

c1b486a7658353d33a10cc15211a873b cdaudio.sys
Microsoft Corporation

cd7d5152df32b47f4e36f710b35aae02 cdfs.sys
Microsoft Corporation

837eef65af62d4e8a37c41d3879f7274 cdr4_xp.sys
Sonic Solutions

579da2f9f5401f55dae2cf8779d61dfc cdralw2k.sys
Sonic Solutions

af9c19b3100fe010496b1a27181fbf72 cdrom.sys


filefind:

Search results for Winlogon.exe

ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/winlogon.exe
496.0K Apr 14 2008

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/system32/winlogon.exe
490.5K Aug 4 2004

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 4 2004

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/ERDNT/cache/winlogon.exe
490.5K Aug 4 2004


Search results for explorer.exe

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda1/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/explorer.exe
1009.5K Apr 14 2008

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda1/WINDOWS/system32/dllcache/explorer.exe
1009.0K Jun 13 2007

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda1/WINDOWS/ERDNT/cache/explorer.exe
1009.0K Jun 13 2007

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda1/WINDOWS/explorer.exe
1009.0K Jun 13 2007

a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 4 2004


Search results for Userinit.exe

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/userinit.exe
25.5K Apr 14 2008

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/system32/userinit.exe
25.5K Apr 14 2008


Search results for Exit


Search results for bash query.sh




RegReport:

Remote Registry Report

Hive </mnt/sda1/WINDOWS/system32/config/software>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> Value <CSDVersion> of type REG_SZ, data length 30 [0x1e]
Service Pack 2
\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
C:\WINDOWS
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 11 subkeys and 0 values
<!SASWinLogon>
<crypt32chain>
<cryptnet>
<cscdll>
<igfxcui>
<ScCertProp>
<Schedule>
<sclgntfy>
<SensLogn>
<termsrv>
<wlballoon>
\Microsoft\Windows\CurrentVersion\Run> Node has 1 subkeys and 14 values
<OptionalComponents>
size type value name [value if type DWORD]
66 REG_SZ <igfxtray>
60 REG_SZ <igfxhkcmd>
66 REG_SZ <igfxpers>
150 REG_SZ <McAfeeUpdaterUI>
100 REG_SZ <IntelZeroConfig>
154 REG_SZ <IntelWireless>
126 REG_SZ <GrooveMonitor>
140 REG_SZ <TkBellExe>
122 REG_SZ <SunJavaUpdateSched>
104 REG_SZ <QuickTime Task>
86 REG_SZ <iTunesHelper>
122 REG_SZ <DivXUpdate>
114 REG_SZ <Adobe Reader Speed Launcher>
118 REG_SZ <Adobe ARM>
(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 6 values
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
4 REG_DWORD <legalnoticecaption> 1 [0x1]
6 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]
4 REG_DWORD <DisableRegistryTools> 0 [0x0]


Hive </mnt/sda1/Documents and Settings/Administrator/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 0 values
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
size type value name [value if type DWORD]
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda1/Documents and Settings/Administrator.ROBERT-AB413770/ntuser.dat>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 0 values
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
size type value name [value if type DWORD]
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda1/Documents and Settings/HelpAssistant/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 1 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 1 subkeys and 3 values
<run>
4 REG_DWORD <NoDriveTypeAutoRun> 323 [0x143]
4 REG_DWORD <NoDriveAutoRun> 67108863 [0x3ffffff]
4 REG_DWORD <NoDrives> 0 [0x0]
(...)\Windows\CurrentVersion\Policies\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableRegistryTools> 0 [0x0]
\Software\Policies\Microsoft\Windows\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableCMD> 0 [0x0]


Hive </mnt/sda1/Documents and Settings/Michael/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
110 REG_SZ <SUPERAntiSpyware>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 1 subkeys and 3 values
<run>
4 REG_DWORD <NoDriveTypeAutoRun> 323 [0x143]
4 REG_DWORD <NoDriveAutoRun> 67108863 [0x3ffffff]
4 REG_DWORD <NoDrives> 0 [0x0]
(...)\Windows\CurrentVersion\Policies\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableRegistryTools> 0 [0x0]
\Software\Policies\Microsoft\Windows\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableCMD> 0 [0x0]

Attached Files

  • mbr.zip (499 bytes)


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,570 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:03 PM

Posted 24 April 2011 - 02:29 AM

Let's replace the Winlogon.exe and Explorer.exe files.

Download and save the enclosed file in the USB drive.

  • Boot the computer with the xPUD CD.
  • Follow the prompts
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh and the Replace.txt files
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -r
  • Press Enter
  • After it has finished a report will be located on your USB drive named filerep.txt
  • Plug the USB back into the clean computer, and post the contents of the filerep.txt

Attempt to boot in Normal Mode.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 Bob10113

Bob10113
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 24 April 2011 - 09:06 AM

Beginning replacement procedure

mv "/mnt/sda1/WINDOWS/system32/winlogon.exe" "/mnt/sda1/WINDOWS/system32/winlogon.exe.orig"
cp "/mnt/sda1/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/winlogon.exe" "/mnt/sda1/WINDOWS/system32/winlogon.exe"
mv "/mnt/sda1/WINDOWS/explorer.exe" "/mnt/sda1/WINDOWS/explorer.exe.orig"
cp "/mnt/sda1/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/explorer.exe" "/mnt/sda1/WINDOWS/explorer.exe"
I tried to boot my computer normally... and I got the same blue screen of death as before.
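The log above shows what the helper's driver.sh did for each file: move the existing copy aside as .orig and copy the cached version in. Below is an added example, not the script from the thread, of performing that kind of replacement with an MD5 check of both files before and after so the report line can be trusted; it runs on constructed files in a temporary directory, and the winlogon.exe/system32 names in the demo are just placeholders.

```shell
#!/bin/sh
# Added example, not JSntgRvr's driver.sh: replace a file from a known copy the
# way the posted log shows (original moved aside as .orig, cached copy copied in),
# with an MD5 check before and after, and a one-line report per file.

md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# replace_file SRC DST
# Skips when DST already matches SRC, refuses to clobber an existing DST.orig,
# otherwise moves DST to DST.orig, copies SRC in and verifies the result.
replace_file() {
    src=$1
    dst=$2
    if [ ! -f "$src" ]; then
        echo "ERROR: source $src not found"
        return 1
    fi
    want=$(md5_of "$src")
    if [ -f "$dst" ] && [ "$(md5_of "$dst")" = "$want" ]; then
        echo "SKIP: $dst already has hash $want"
        return 0
    fi
    if [ -e "$dst.orig" ]; then
        echo "ERROR: backup $dst.orig exists, refusing to overwrite it"
        return 1
    fi
    if [ -f "$dst" ]; then
        mv "$dst" "$dst.orig" || return 1
    fi
    cp "$src" "$dst" || return 1
    got=$(md5_of "$dst")
    if [ "$got" != "$want" ]; then
        echo "ERROR: $dst hash $got does not match source $want"
        return 1
    fi
    echo "REPLACED: $dst <- $src ($want)"
}

# Self-contained demo on constructed files in a temp directory; the directory
# names only mimic the paths in the thread, nothing on a real system is touched.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/system32" "$d/cache"
    printf 'old winlogon' > "$d/system32/winlogon.exe"
    printf 'new winlogon' > "$d/cache/winlogon.exe"
    replace_file "$d/cache/winlogon.exe" "$d/system32/winlogon.exe"
    replace_file "$d/cache/winlogon.exe" "$d/system32/winlogon.exe"  # SKIP line
    rm -rf "$d"
}

demo
```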

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,570 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:03 PM

Posted 24 April 2011 - 12:01 PM

In xPUD, browse to the mnt/sda1/WINDOWS folder. Identify if there is a folder within labeled minidump. If present, copy that folder to the USB, zip it and attach it to a reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
