Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Request Assistance with Removing Windows Vista Recovery


  • This topic is locked This topic is locked
54 replies to this topic

#1 Esco01

Esco01

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 14 June 2011 - 08:55 PM

Good evening all.

I have the Windows Vista Recovery malware installed on my system and I have had no luck getting it removed by myself. I have all the symptoms, no visible icons, false error messages, recovery tool notification stating my system is infected. I have followed the instructions from the following link and have come to a dead end: http://www.bleepingcomputer.com/virus-removal/remove-windows-vista-recovery.

I was able to do the following:
  • See my hidden files again.
  • Run RKill to stop WVR processes.
  • Run TDSSKiller. Unfortunately the rootkit was unable to be cleaned as the "cure" option was not available, just the "skip" option. The instructions stated if this did not work seek the help of the malware experts on the forum.

I have now downloaded and ran all the necessary programs to ask for assistance, with the one exception being GMER. My system would crash each time I tried to run the scan. Incidentally, when I went through the removal process again RKill was not able to stop any processes and stated "access denied". I'm not sure if this had to do with my virus programs automatically quarantining the malware but I have since shutdown my virus programs.

I sincerely appreciate your time and assistance with this problem. I have (unfortunately?) frequently taken advantage of this wonderful site and have found all the information needed to resolve my problems. Thank you very much.

DDS log:
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by Administrator at 20:27:40 on 2011-06-14
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2046.982 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\System32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Page_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Search_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mSearch Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.symantec.com
uWinlogon: Shell=explorer.exe,c:\users\administrator\appdata\roaming\dwm.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [vpystvof] c:\users\admini~1\appdata\local\temp\ouyqxgdig\incbrqkaffm.exe
uRun: [aoyynprm] c:\users\admini~1\appdata\local\temp\qiklaemen\wdosejjsika.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CuSMrYclQUshYk] c:\programdata\CuSMrYclQUshYk.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Yahoo Messenger]
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
uPolicies-explorer: HideClock = 0 (0x0)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: HideClock = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: fazed.org\www
Trusted Zone: yahoo.com\music
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219191595287&h=a2327ddad27cfd44cbe156e5b56d2765/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{80498525-F1F1-4CBE-9C66-29460A81AD6D} : DhcpNameServer = 209.18.47.61 209.18.47.62
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\7l9pa81f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-7-10 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-7-10 27656]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-1-6 2228008]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-7-10 4368952]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 135664]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-3-19 79360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
.
=============== Created Last 30 ================
.
2011-06-15 01:21:54 120832 ----a-w- c:\windows\system32\drivers\196E946.sys
2011-06-15 01:20:45 120832 ----a-w- c:\windows\system32\drivers\1853E8.tmp
2011-06-15 01:19:53 120832 ----a-w- c:\windows\system32\drivers\2131110.sys
2011-06-15 01:19:23 120832 ----a-w- c:\windows\system32\drivers\1053E8.tmp
2011-06-15 01:18:33 120832 ----a-w- c:\windows\system32\drivers\616D74B.sys
2011-06-15 00:59:30 120832 ----a-w- c:\windows\system32\drivers\6863E8.tmp
2011-06-15 00:58:40 120832 ----a-w- c:\windows\system32\drivers\197B6B1.sys
2011-06-15 00:56:20 120832 ----a-w- c:\windows\system32\drivers\1539339.sys
2011-06-15 00:54:54 120832 ----a-w- c:\windows\system32\drivers\4103E8.tmp
2011-06-15 00:54:04 120832 ----a-w- c:\windows\system32\drivers\1678065.sys
2011-06-15 00:52:15 120832 ----a-w- c:\windows\system32\drivers\2513E8.tmp
2011-06-15 00:51:25 120832 ----a-w- c:\windows\system32\drivers\19712D4.sys
2011-06-15 00:42:43 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c607375a-63ea-4827-9338-60d56a6a7908}\mpengine.dll
2011-06-15 00:06:47 41680 ----a-w- c:\windows\system32\drivers\ncvcgljr.sys
2011-06-15 00:03:42 120832 ----a-w- c:\windows\system32\drivers\5193E8.tmp
2011-06-15 00:02:52 120832 ----a-w- c:\windows\system32\drivers\1672867.sys
2011-06-15 00:01:25 120832 ----a-w- c:\windows\system32\drivers\3813E8.tmp
2011-06-15 00:00:35 120832 ----a-w- c:\windows\system32\drivers\1631083.sys
2011-06-14 23:59:11 120832 ----a-w- c:\windows\system32\drivers\2483E8.tmp
2011-06-14 23:58:21 120832 ----a-w- c:\windows\system32\drivers\13380B.sys
2011-06-14 23:56:58 120832 ----a-w- c:\windows\system32\drivers\1143E8.tmp
2011-06-14 01:40:52 120832 ----a-w- c:\windows\system32\drivers\6022461.sys
2011-06-14 01:35:12 120832 ----a-w- c:\windows\system32\drivers\1779A6A.sys
2011-06-14 01:31:13 120832 ----a-w- c:\windows\system32\drivers\1508EE6.sys
2011-06-13 23:38:59 388096 ----a-w- c:\programdata\44949240.exe
2011-06-13 23:32:56 6144 ----a-w- c:\windows\system32\beep.sys
2011-06-13 23:31:30 494592 ----a-w- c:\programdata\CuSMrYclQUshYk.exe
2011-06-07 04:37:51 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-06-06 04:32:32 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{7dfca015-43a9-4b11-9225-3b3024e2fba0}\gapaengine.dll
2011-06-06 04:31:02 -------- d-----w- c:\program files\Microsoft Security Client
.
==================== Find3M ====================
.
2011-06-13 00:02:42 140024 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-06-13 00:02:31 280768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-06-13 00:02:31 280768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-06-13 00:00:13 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
.
============= FINISH: 20:28:00.24 ===============

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:23 AM

Posted 21 June 2011 - 11:34 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Esco01

Esco01
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 June 2011 - 12:38 PM

information and logs:


In your next post I need the following


  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo


Thank you for your reply Gringo. I do hope you can help me with this issue.

Logs are below with the Attach text file attached. As for the issues I'm having, I get numerous warnings about certain MS Windows functions "have stopped working". Usually when I turn my system back on I'll easily get a warning of a dozen processes that have stopped warning (some duplicate warnings). I have to "unhide" my icons to see everything and if I download a new program I have to unhide again to see it on my desktop. Also, though I have turned off my virus protection programs when I log in one of them (Prevex) will often notify about the infections. I'm concerned that these are automatically quarantined and may not show up in the logs I have run. I do turn Prevex off again so I'm not sure what happens to the infections it discovered.

----------Start of Logs-------------
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by Administrator at 12:20:05 on 2011-06-21
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2046.1029 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wermgr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
F:\Fix\unhide.exe
C:\Windows\system32\attrib.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Page_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Search_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mSearch Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.symantec.com
uWinlogon: Shell=explorer.exe,c:\users\administrator\appdata\roaming\dwm.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [vpystvof] c:\users\admini~1\appdata\local\temp\ouyqxgdig\incbrqkaffm.exe
uRun: [aoyynprm] c:\users\admini~1\appdata\local\temp\qiklaemen\wdosejjsika.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Yahoo Messenger]
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
uPolicies-explorer: HideClock = 0 (0x0)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: HideClock = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: fazed.org\www
Trusted Zone: yahoo.com\music
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219191595287&h=a2327ddad27cfd44cbe156e5b56d2765/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{80498525-F1F1-4CBE-9C66-29460A81AD6D} : DhcpNameServer = 209.18.47.61 209.18.47.62
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\7l9pa81f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-7-10 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-7-10 27656]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl2b7a05bd;MpKsl2b7a05bd;c:\programdata\microsoft\microsoft antimalware\definition updates\{c607375a-63ea-4827-9338-60d56a6a7908}\MpKsl2b7a05bd.sys [2011-6-19 28752]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-1-6 2228008]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-7-10 4368952]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 135664]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-3-19 79360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
SUnknown rmwhanrz;rmwhanrz; [x]
SUnknown swnbaeid;swnbaeid; [x]
.
=============== Created Last 30 ================
.
2011-06-21 17:18:42 120832 ----a-w- c:\windows\system32\drivers\16711DB.sys
2011-06-21 17:16:25 120832 ----a-w- c:\windows\system32\drivers\158FD03.sys
2011-06-21 17:14:12 120832 ----a-w- c:\windows\system32\drivers\261F565.sys
2011-06-21 17:12:00 120832 ----a-w- c:\windows\system32\drivers\178EEE0.sys
2011-06-21 17:09:47 120832 ----a-w- c:\windows\system32\drivers\150EA6D.sys
2011-06-21 17:07:34 120832 ----a-w- c:\windows\system32\drivers\128E32D.sys
2011-06-21 17:05:20 120832 ----a-w- c:\windows\system32\drivers\196D641.sys
2011-06-21 17:04:15 120832 ----a-w- c:\windows\system32\drivers\688D6AF.sys
2011-06-19 06:51:12 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c607375a-63ea-4827-9338-60d56a6a7908}\MpKsl2b7a05bd.sys
2011-06-15 00:42:43 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c607375a-63ea-4827-9338-60d56a6a7908}\mpengine.dll
2011-06-15 00:06:47 41680 ----a-w- c:\windows\system32\drivers\ncvcgljr.sys
2011-06-13 23:32:56 120832 ----a-w- c:\windows\system32\beep.sys
2011-06-07 04:37:51 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-06-06 04:32:32 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{7dfca015-43a9-4b11-9225-3b3024e2fba0}\gapaengine.dll
2011-06-06 04:31:02 -------- d-----w- c:\program files\Microsoft Security Client
.
==================== Find3M ====================
.
2011-06-21 17:19:32 120832 ----a-w- c:\windows\system32\drivers\beep.sys
2011-06-13 00:02:42 140024 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-06-13 00:02:31 280768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-06-13 00:02:31 280768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-06-13 00:00:13 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
.
============= FINISH: 12:20:15.93 ===============


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6001 (Service Pack 1)
Number of processors #2
==============================================
>Drivers
==============================================
0x8BA09000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 7741440 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 182.50 )
0x81C34000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x946E0000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8B604000 C:\Windows\system32\drivers\P17.sys 1429504 bytes (Creative Technology Ltd., WDM Audio Miniport (Basic) Driver)
0x82A0F000 C:\Windows\System32\Drivers\Ntfs.sys 1110016 bytes (Microsoft Corporation, NT File System Driver)
0x82280000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8B80F000 C:\Windows\system32\DRIVERS\nvmfdx32.sys 1036288 bytes (NVIDIA Corporation, NVIDIA MCP Networking Function Driver.)
0x8280A000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x80470000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0x9D206000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8DCD8000 C:\Windows\system32\drivers\spsys.sys 716800 bytes (Microsoft Corporation, security processor)
0x8B90C000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x80550000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x8220F000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x9920F000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8D999000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x9937F000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x806A9000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8D888000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8060D000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8042F000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8C1B0000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x82965000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8D939000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x823B6000 C:\Windows\system32\drivers\NETIO.SYS 237568 bytes (Microsoft Corporation, Network I/O Subsystem)
0x99306000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x82B1E000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x80793000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x81C01000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x80747000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8D8D0000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8C182000 C:\Windows\system32\DRIVERS\msiscsi.sys 188416 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8B761000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8238B000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8B7B3000 C:\Windows\system32\drivers\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x8DC57000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x99357000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x82B6E000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x807D8000 C:\Windows\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0x80664000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8B78E000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8B9CD000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x82BA6000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8D80B000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x992C7000 C:\Windows\system32\drivers\mrxdav.sys 131072 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x992E7000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x80729000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x9927C000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x828F4000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8291F000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x99299000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x829B2000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9933F000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x82943000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x8DC09000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8B9AB000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8DCA8000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x8DC41000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8D902000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8D85E000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x992B2000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x829E8000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x9D2FA000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x8B7DD000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8D874000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8DD97000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8D926000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8D975000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 73728 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x9D30F000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x82B95000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x807C7000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80416000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8290F000 C:\Windows\system32\DRIVERS\amdk8.sys 65536 bytes (Microsoft Corporation, Processor Device Driver)
0x80779000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8DC29000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x8DD87000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x80708000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x829CA000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x823F0000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8DCC9000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x82B5F000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x8068B000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8B9F0000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x829A3000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8069A000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x829DA000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x94920000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8D918000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8D847000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x806FA000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8DC7F000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x82200000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8C16D000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x805CC000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x9D2EE000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x805E0000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8DC8C000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8B800000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8B7F1000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8D83C000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8B9C2000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8C1F1000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x82BF0000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8DCBF000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x82800000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8D989000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x80789000 C:\Windows\System32\drivers\pxsec.sys 40960 bytes (Prevx, Prevx Realtime Analysis)
0x9D2E4000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x82939000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x8295B000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x993CD000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x9D384000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x82BC7000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8BA00000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8DC20000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x8DC9F000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x80718000 C:\Windows\System32\drivers\pxscan.sys 36864 bytes (Prevx, Prevx Scanner)
0x8D855000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x94900000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x82A00000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x80653000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8C17A000 C:\Windows\system32\DRIVERS\ASACPI.sys 32768 bytes (-, ATK0110 ACPI Utility)
0x80721000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80427000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8DC97000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x8040E000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8DC39000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8065C000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8D82C000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8D834000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x82B57000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x80400000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x9D3E7000 C:\Users\ADMINI~1\AppData\Local\Temp\mbr.sys 28672 bytes
0x80600000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x993D6000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x806F3000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8D993000 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C607375A-63EA-4827-9338-60D56A6A7908}\MpKsl2b7a05bd.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0x8C16B000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 182.50 )
0x8C1FC000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8D987000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x85B12A91 Unknown page with executable code, 1391 bytes
0x82B1E000 WARNING: Virus alike driver modification [volsnap.sys], 233472 bytes
0x85B11288 Unknown page with executable code, 3448 bytes
0x85B13191 Unknown page with executable code, 3695 bytes
0x85B15E7A Unknown thread object [ ETHREAD 0x85F55D78 ] TID: 272, 600 bytes
0x85B18008 Unknown thread object [ ETHREAD 0x85F48020 ] TID: 276, 600 bytes
0x85B17CDC Unknown page with executable code, 804 bytes

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:23 AM

Posted 21 June 2011 - 12:56 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Esco01

Esco01
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 June 2011 - 05:57 PM

Disabled all virus/antimal protection.
Downloaded combofix.exe. Double-click and ran the program.
Combofix said VOLSNAP.SYS was infected with rootkit, attempting to clean.
Combofix said it needed to reboot, which it did.
System crashed (BSOD)
Tried to boot up normally, received the following error:

windows\system32\drivers\volsnap.sys
status: 0xc0000221
Info: Windows failed to load because a critical system driver is missing or corrupt


Boot up menu came up again, tried to boot up in safe mode, received error above.
Tried rest of the safe modes, no luck.
Tried to restore to last known safe configuration, see error above.

I can not load up my system at all at this point. I'm panicking. Help Please!! In the meantime, I'm trying to track down my windows CD ... :(

Edited by Esco01, 21 June 2011 - 05:58 PM.


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:23 AM

Posted 21 June 2011 - 07:07 PM

Hello

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Esco01

Esco01
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 June 2011 - 09:15 PM

I had a few issues getting this done. The boot option wouldn't come up even though I selected f12. It would automatically take me to the safemode menu because windows would not load properly. I did a hard boot and the option finally came up to boot by USB.

Once I got everything installed and xPUD running it wouldn't recognize my USB drive under the MNT folders, even though I had booted from that mnt. I re-downloaded driver.sh on another thumb drive and xPUD recognized that drive and I found the file. Incidentally, I disconnected my original thumb drive and moved it over for my larger thumb drive, and xPUD finally recognized the mnt.

Again, I appreciate your assistance.



-------------------Report.txt log below----------------------------
Tue Jun 21 20:57:44 UTC 2011
Driver report for /mnt/sda1/Temp_NIS/Suport64/SRTSP/SRTSPx64/System32/Drivers /mnt/sda1/Temp_NIS/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtsp64.sys has NO Company Name! /mnt/sda1/Temp_NIS/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspl64.sys has NO Company Name! /mnt/sda1/Temp_NIS/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspx64.sys has NO Company Name!

e0af52a80fa12202bd6e91fd3d03005c /mnt/sda1/Temp_NIS/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtsp64.sys
Symantec Corporation

f29be5027b6fd3459fc7818d463b3dd8 /mnt/sda1/Temp_NIS/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspl64.sys
Symantec Corporation

8d8f19162c6191a8829d0bbde659a20b /mnt/sda1/Temp_NIS/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspx64.sys
Symantec Corporation

Driver report for /mnt/sda1/Temp_NIS/Support/SRTSP/SRTSP/System32/Drivers /mnt/sda1/Temp_NIS/Support/SRTSP/SRTSP/System32/Drivers/srtspl.sys has NO Company Name! /mnt/sda1/Temp_NIS/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys has NO Company Name! /mnt/sda1/Temp_NIS/Support/SRTSP/SRTSP/System32/Drivers/srtspx.sys has NO Company Name!

c70a2581e35e03c85f29aa1bc723659a /mnt/sda1/Temp_NIS/Support/SRTSP/SRTSP/System32/Drivers/srtspl.sys
Symantec Corporation

ed5e9f3bf11d0bb770f652b22ec26465 /mnt/sda1/Temp_NIS/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys
Symantec Corporation

05f2db228922e6b8a001ed83ee4d1153 /mnt/sda1/Temp_NIS/Support/SRTSP/SRTSP/System32/Drivers/srtspx.sys
Symantec Corporation

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:23 AM

Posted 21 June 2011 - 09:39 PM

Once I got everything installed and xPUD running it wouldn't recognize my USB drive under the MNT folders, even though I had booted from that mnt. I re-downloaded driver.sh on another thumb drive and xPUD recognized that drive and I found the file. Incidentally, I disconnected my original thumb drive and moved it over for my larger thumb drive, and xPUD finally recognized the mnt.

Next time this happens just remove the jumpdrive and put it back in


  • Boot the computer with the USB drive again.
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    volsnap.sys

  • Press Enter
  • If succesful, the script will search this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Esco01

Esco01
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 June 2011 - 09:48 PM

-------------------filefind.txt log below----------------------------
Search results for volsnap.sys

0b91f93264b06ee3fceba84ef4676995 /mnt/sda1/Qoobox/32788R22FWJFW/volsnap.sys
222.6K Jan 21 2008

6f5fa2b4bc6e4a5f74e2382d4b6b5d4e /mnt/sda1/Windows/System32/drivers/volsnap.sys
222.6K Jan 21 2008

11ef6c1caef76b685233450a126125d6 /mnt/sda1/Windows/System32/DriverStore/FileRepository/volume.inf_9320b452/volsnap.sys
203.6K Nov 2 2006

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda1/Windows/System32/DriverStore/FileRepository/volume.inf_f53a1785/volsnap.sys
222.6K Jan 21 2008

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda1/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd/volsnap.sys
222.6K Jan 21 2008

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:23 AM

Posted 21 June 2011 - 10:05 PM

Hello

reboot into the usb and navigate to this file /mnt/sda1/Windows/System32/DriverStore/FileRepository/volume.inf_f53a1785/volsnap.sys

Right click on the file and select copy

Now navigate to this folder - /mnt/sda1/Windows/System32/drivers search for this file volsnap.sys right click on this file and select rename and rename the file to volsnap.old

now right click on an empty space in the folder and select paste

remove usb - restart comuter

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Esco01

Esco01
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 June 2011 - 10:33 PM

After navigating to the driver repository and the folder you referenced above, I copied the volsnap.sys file.
I navigated to the drivers folder you referenced, located the volsnap.sys file, renamed it to volsnap.OLD, and right-clicked pasted the volsnap.sys file I copied from the drivers repository.
Removed the thumb drive and rebooted:

System crashed (BSOD)
Rebooted to safemode menu.
Tried to boot up normally,safemode, safemode with connections, received the following error:

windows\system32\drivers\volsnap.sys
status: 0xc0000221
Info: Windows failed to load because a critical system driver is missing or corrupt

:(

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:23 AM

Posted 21 June 2011 - 10:39 PM

run the things in post 8 again and send me the new report


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Esco01

Esco01
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 June 2011 - 10:50 PM

Is there a difference in the files in each folder? I know the drivers file is the same size as the repository one, but the drivers one is the corrupt one. Curious if the smaller file would work?

I'm really sorry this is so difficult. I'm not sure how I got this but I assure you I'll be purchasing the full version of MBAW.

Search results for volsnap.sys

0b91f93264b06ee3fceba84ef4676995 /mnt/sda1/Qoobox/32788R22FWJFW/volsnap.sys
222.6K Jan 21 2008

4bd39d48340aa44467c2a90e95f3f00f /mnt/sda1/Windows/System32/drivers/volsnap.sys
222.6K Jan 21 2008

11ef6c1caef76b685233450a126125d6 /mnt/sda1/Windows/System32/DriverStore/FileRepository/volume.inf_9320b452/volsnap.sys
203.6K Nov 2 2006

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda1/Windows/System32/DriverStore/FileRepository/volume.inf_f53a1785/volsnap.sys
222.6K Jan 21 2008

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda1/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd/volsnap.sys
222.6K Jan 21 2008

Edited by Esco01, 21 June 2011 - 10:55 PM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:23 AM

Posted 22 June 2011 - 06:21 AM

try it as it is just an older file


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Esco01

Esco01
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 22 June 2011 - 07:53 PM

No luck with the other file in the different folder.

Did step 8 again and got the same results as before.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users