Google Redirection and audio ads


14 replies to this topic

#1 charliebennett1727

  • Members
  • 7 posts

Posted 16 April 2011 - 01:28 PM

My computer was infected with Security Centre, which popped up every time I booted up. I gave it to IT people at my university to remove it. They did remove the problem of Security Centre popping up and running a 'scan', however now I get Google redirection pretty much all the time, and the odd audio advertisement which plays even when Internet Explorer is not open. I've heard an advertisement for the AA and someone singing Twinkle Twinkle Little Star! No detection at all by Malwarebytes or Microsoft Security Essentials. Help would be massively appreciated as this is a devious guy!


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 18:51:54.32 on 01/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1476 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\System Control Manager\MSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\FSP\fspuip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\lxcfcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uWindow Title = Windows Internet Explorer provided by MSN & Bing
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Alcmtr] ALCMTR.EXE
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [fspuip] "c:\program files\fsp\fspuip.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HallsLogon_All.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsld54c974c;MpKsld54c974c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3961056e-cbf9-4cb5-b74c-a2f67542f94e}\MpKsld54c974c.sys [2011-4-1 28752]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-5-30 159744]
R3 fspad_xp32;Finger-sensing Pad Driver for Windows 2000/XP/Vista_xp32;c:\windows\system32\drivers\fspad_xp32.sys [2009-8-19 32896]
R3 MSILiveVirtualCamera;MSI Live Virtual Camera;c:\windows\system32\drivers\MSILiveVirtualCamera.sys [2007-1-29 449408]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-18 162816]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2011-04-01 15:57:38 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{3961056e-cbf9-4cb5-b74c-a2f67542f94e}\MpKsld54c974c.sys
2011-03-31 15:52:53 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{3961056e-cbf9-4cb5-b74c-a2f67542f94e}\mpengine.dll
2011-03-30 16:34:28 -------- d--h--w- c:\windows\msdownld.tmp
2011-03-30 16:32:26 -------- dc-h--w- c:\windows\ie8
2011-03-30 11:47:30 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-30 11:46:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-30 11:42:48 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-30 11:31:48 -------- d-----w- C:\HallsNet
2011-03-29 21:54:51 -------- d-----w- c:\docume~1\user\locals~1\applic~1\AskToolbar
2011-03-28 12:05:19 11648 -c--a-w- c:\windows\system32\dllcache\acpiec.sys
2011-03-28 12:05:19 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2011-03-28 09:06:05 514946 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-25 08:55:38 -------- d-----w- c:\program files\CCleaner
2011-03-25 08:54:53 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2011-03-25 08:52:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-25 08:51:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-25 08:49:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-24 15:52:13 0 ----a-w- c:\windows\AutoKMS.tmp
2011-03-24 14:29:28 -------- d-----w- c:\program files\Malwarebytes
2011-03-24 12:06:43 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-24 12:06:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-15 21:32:14 -------- d-----w- c:\program files\Lx_cats
2011-03-15 21:30:51 -------- d-----w- C:\Lexmark
2011-03-15 17:04:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Musicnotes
2011-03-14 13:21:45 -------- d-----w- c:\program files\Musicnotes
.
==================== Find3M ====================
.
2011-03-20 10:48:23 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-02-13 15:37:53 0 ----a-w- C:\LOG89.tmp
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-06 22:21:47 0 ----a-w- C:\LOG13F.tmp
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 18:52:48.42 ===============

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 16 April 2011 - 03:08 PM

Good evening. :)

Do you have a flash drive of at least 128 MB that you can wipe clean for a little tool to help diagnose this nasty - it looks to be a new kid on the block and I'd like to know a little more before I play.

I gave it to IT people at my university to remove it.

If I clean this, do I get to know which uni? The opportunity to be smarter than some uni IT people is likely to be the highlight of my week, which is sad I know, assuming it's a decent uni obviously!

So long, and thanks for all the fish.

#3 charliebennett1727

  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2011 - 11:20 AM

Thanks for a prompt response! Yeah, I've got a flash drive, that's no problem. Lol, I'm at Keele University by the way, which is kinda decent.

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 17 April 2011 - 02:04 PM

Good evening. :)

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.

  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows - this is the center of operations as far as the file system is concerned.
  • You are going to identify the folder that represents your C: drive, which is probably sda1.
  • Double click on the sda1 folder and check that you can see a folder called Windows.
  • If not, try the next folder to sda1 and so on until you get the right one.
  • Once you've got the C: drive folder, navigate to the file WINDOWS\system32\drivers\volsnap.sys
  • Right click it, just like Windows, and Copy it.
  • Next go back to the mnt folder and find the folder that represents your flash drive, which is likely to be sdb1.
  • Open that folder and check that the file syslinux.cfg is present - that will confirm that it's the right folder.
  • Right click and Paste the file you copied earlier.
  • Click the Home icon on the left and Power off the machine.
  • Remove the flashdrive and reboot your system - into Windows as normal.

Assuming that all goes well with the above, and I don't have any reason to think that it won't, do the below and post accordingly:

Please go to Jotti's and click on the Browse... button at the top, navigate to where you've got the volsnap.sys file that you harvested earlier and then click on Submit.

When all the scans have been completed, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

So long, and thanks for all the fish.

#5 charliebennett1727

  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2011 - 03:20 PM

http://virusscan.jotti.org/en-GB/scanresult/9a7e03cbfe1b92512158b811085a2d97496d13ed/15e6cce86c24b1c1d208e7d5cb42b7b7ad58019d

Clear instructions, nice one. Cheers for the ongoing help ;)

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 17 April 2011 - 04:38 PM

Not the results I was expecting - ah well.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything, allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

#7 charliebennett1727

  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2011 - 06:10 PM

Hello again!

I tried the program and nothing happens; tried 'run as' and 'run as administrator' and the program just doesn't do anything on the infected computer. It does work on a healthy laptop though. Even tried connecting to the internet on the sick one, downloading it onto there and running it - still didn't work. Also tried booting in safe mode, double clicked it and nothing.

This is a wily bugger! Any thoughts?

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 18 April 2011 - 01:52 PM

Good evening. :)

This is a wily bugger! Any thoughts?

Yeah, I may not be as smart as the uni IT people. Damn but that's depressing! :ranting:

I have a plan, so let's see where that gets us. Go here and follow step 6 to disable your CD emulation software and then step 8 to create a fresh GMER log and let me have it once you've done.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As I know you student types like to experiment, you can have a dabble with something that I haven't used before - it's safe, so there's no adrenaline rush I'm afraid.

  • Download spla.sh from here and transfer it to the flashdrive with the little OS on it that you created earlier.
  • Go to Start > All Programs > Accessories > Notepad and create a new text file with the following content:

    find::
    splj....$
    VolSnap....$
    
    
  • Please make sure that there is at least one blank line at the end of the text file or it won't work properly - more than one blank line is OK too but not necessary.
  • You need to save the file as target.txt.
  • Boot the PC using the flashdrive OS as before.
  • Once up and running I want you to use File to navigate to your flashdrive, as before.
  • If you find spla.sh and target.txt you know you're there.
  • Open a Terminal window - Tool > Open Terminal.
  • Enter bash spla.sh (case sensitive) and wait.
  • Once you get the "All done" message, click the Home icon on the left and Power Off the machine.
  • Assuming the machine doesn't self-destruct, and it's always an outside possibility, I'd like a copy of the text file output.txt that should be found in the output folder that has been created on the flashdrive - Copy and Paste will be fine.

So long, and thanks for all the fish.

#9 charliebennett1727

  • Topic Starter
  • Members
  • 7 posts

Posted 19 April 2011 - 04:33 PM

Hello Again,

Haha, there is still opportunity to prove you are smarter! The output is below and I've attached the GMER log.

Tue Apr 19 22:29:48 UTC 2011

~~~~~~~~~~~~
Action: find
~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~
Target: splj....$
~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~
Target: VolSnap....$
~~~~~~~~~~~~~~~~~~~~~~~~

/mnt/sdb1/volsnap.sys
Size: 227896 bytes d8b4a53dd2769f226b3eb374374987c9

/mnt/sda2/WINDOWS/system32/dllcache/volsnap.sys
Size: 52352 bytes 4c8fcb5cc53aab716d810740fe59d025

/mnt/sda2/WINDOWS/system32/drivers/volsnap.sys
Size: 52352 bytes 7c38f81f40d61d1607ddb62fe5817bb9

/mnt/sda2/WINDOWS/I386/VOLSNAP.IN_
Size: 698 bytes 62c53d73b499df617902eea3c96f7d89

/mnt/sda2/WINDOWS/I386/VOLSNAP.SY_
Size: 25386 bytes 64409f40c23b1395594b71e4eb54e019

/mnt/sda2/WINDOWS/inf/volsnap.inf
Size: 1095 bytes 1c43f4d998567c9d2463e18669f33a3c

/mnt/sda2/WINDOWS/inf/volsnap.PNF
Size: 4964 bytes 280ccb302aa6dea6fd2fffabce6cd46e

/mnt/sda1/Windows/inf/volsnap.inf
Size: 1790 bytes a23d6645c1f0d6c4a4ddd930fa853298

/mnt/sda1/Windows/inf/volsnap.pnf
Size: 4804 bytes 82a2b103adf5dbe655cbfe2026be31f6

/mnt/sda1/Windows/System32/drivers/volsnap.sys
Size: 227896 bytes d8b4a53dd2769f226b3eb374374987c9

/mnt/sda1/Windows/System32/DriverStore/FileRepository/volsnap.inf_b06f2d33/volsnap.inf
Size: 1790 bytes a23d6645c1f0d6c4a4ddd930fa853298

/mnt/sda1/Windows/System32/DriverStore/FileRepository/volume.inf_c4d713d0/volsnap.sys
Size: 227896 bytes d8b4a53dd2769f226b3eb374374987c9


================= EOF =================

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 19 April 2011 - 05:08 PM

Good evening. :)

Looks like the GMER log got lost somewhere. I'll have it in the next post, if you'd be so kind. Also:

  • Boot the PC as before into xPud - the OS on the flashdrive.
  • Navigate to WINDOWS\system32\drivers\volsnap.sys - the file you copied earlier.
  • Right click it and rename it to oldvolsnap.sys - this will disable the file but keep it handy should we need it later.
  • Now you need to navigate to the clean copy - WINDOWS/system32/dllcache/volsnap.sys
  • You want to right click and COPY the file - leave the original where it is, just in case.
  • Now go back to the WINDOWS\system32\drivers folder and paste the clean file into its new home.
  • Make sure that you can see volsnap.sys before you congratulate yourself.
  • Finally, shut down the PC as before, whip out the flashdrive and reboot into Windows.

Let me know how you get on and also how the PC is behaving with regard to the redirections.

So long, and thanks for all the fish.
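
An added example, not the thread's spla.sh (whose source the thread does not show): a POSIX shell script that does what the find action in the output above and the dllcache comparison in the post just above did by hand. It lists every copy of a named driver under a mounted volume with its size and MD5, then flags copies whose hash differs from the WINDOWS\system32\dllcache copy; the mount root and the sample volume it builds are constructed stand-ins for /mnt/sda2, and volsnap.sys is the driver from the thread.

```shell
#!/bin/sh
# Added example, not the thread's spla.sh: list every copy of a driver under
# a mounted Windows volume with size and MD5, then flag copies whose hash
# differs from the WINDOWS/system32/dllcache copy. The sample volume is
# constructed inline so the script runs offline.
set -u

# find_driver_copies <mount_root> <driver_name>
# Prints one tab-separated "path size md5" line per case-insensitive match,
# mirroring the find action output in the thread (paths without newlines).
find_driver_copies() {
    root="$1"; name="$2"
    find "$root" -type f -iname "$name" 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(wc -c <"$f" | tr -d ' ')" \
            "$(md5sum "$f" | cut -d' ' -f1)"
    done
}

# suspicious_copies <mount_root> <driver_name>
# Takes the dllcache copy as the reference, as the thread did, and prints the
# path of every other copy whose MD5 differs from it. Size is deliberately
# ignored: in the thread the patched driver kept the clean file's size.
# Returns 1 when no dllcache copy exists to compare against.
suspicious_copies() {
    root="$1"; name="$2"
    tab=$(printf '\t')
    ref=$(find "$root" -type f -ipath "*/system32/dllcache/$name" -print -quit 2>/dev/null)
    [ -n "$ref" ] || return 1
    refmd5=$(md5sum "$ref" | cut -d' ' -f1)
    find_driver_copies "$root" "$name" |
    while IFS=$tab read -r path size md5; do
        [ "$md5" = "$refmd5" ] || printf '%s\n' "$path"
    done
}

# make_sample_volume <dir>
# Constructed stand-in for a mounted C: drive (e.g. /mnt/sda2). The copy in
# drivers\ gets different bytes but the same length as the dllcache copy,
# so size alone would not reveal it.
make_sample_volume() {
    v="$1"
    mkdir -p "$v/WINDOWS/system32/drivers" "$v/WINDOWS/system32/dllcache" \
             "$v/WINDOWS/I386"
    printf 'clean volsnap driver bytes\n' >"$v/WINDOWS/system32/dllcache/volsnap.sys"
    printf 'clean volsnap driver bytes\n' >"$v/WINDOWS/I386/VOLSNAP.SYS"
    printf 'patch volsnap driver bytes\n' >"$v/WINDOWS/system32/drivers/volsnap.sys"
}

# Run with "demo" to see the listing and the flagged copy on the sample volume.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_volume "$tmp"
    find_driver_copies "$tmp" volsnap.sys
    echo "--- copies whose MD5 differs from dllcache ---"
    suspicious_copies "$tmp" volsnap.sys
    rm -rf "$tmp"
fi
```

On a real xPUD boot the mount root would be the C: folder under /mnt, and the flagged path is the one to swap for the dllcache copy as described above.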

 

 


#11 charliebennett1727

  • Topic Starter
  • Members
  • 7 posts

Posted 21 April 2011 - 07:29 AM

Hello again!

OK, I copied the clean volsnap.sys over successfully in xPUD, however when I next booted up I got a message at the Windows login saying that a registry file was missing but had been recovered successfully.

Had a look to see if the redirects were still happening and found that they were.

I've attached the GMER log again, must have forgotten to hit 'attach' last time lol

Cheers mate

Attached Files: ark.txt (3.13KB)

Edited by charliebennett1727, 21 April 2011 - 07:59 AM.


#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 21 April 2011 - 01:53 PM

Good evening. :)

Did you follow step 6 to disable your CD emulation software before you created the GMER log?

So long, and thanks for all the fish.

#13 charliebennett1727

  • Topic Starter
  • Members
  • 7 posts

Posted 21 April 2011 - 05:57 PM

Yeah, double checked it too.

#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 21 April 2011 - 06:27 PM

Will you delete the "output" folder on the flashdrive and then run the bash spla.sh instructions again. I want to see what went wrong as the theory was that one infected file swapped for one clean one meant all clear - apparently not!

So long, and thanks for all the fish.

#15 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 27 April 2011 - 02:35 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.