
Frozen Black Screen/Unable to boot into Safe Mode....can't recover system..Help!!!


This topic is locked
34 replies to this topic

#1 sean209

  • Members

Posted 22 June 2011 - 03:48 PM

Hope somebody out there can help me as I've run out of ideas..... I possibly might have picked up a virus from Facebook, but I'm not certain. My system started to run slowly a few days ago and a "Security Centre 2011" box suddenly appeared. It wouldn't allow me to open Malwarebytes or access System Restore.
I powered down the PC and restarted, but a black screen with a flashing cursor appeared before disappearing, with the Num Lock light illuminating.
Restarted the PC and pressed F8 into Safe Mode, but the system stalls at: multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\Drivers\Mup.sys
Restarted the PC again and loaded the recovery disc, which starts to run but subsequently stops with technical codes showing: 0x0000007B (0xF898A640/0xC0000034/0x00000000/0x00000000).
Don't know if I'm ever going to get my system back..... much appreciate anyone's help on this!!
(My PC is a Sony Vaio VGC-M1 with Windows XP Home Edition.)
Thanks.

Edited by hamluis, 22 June 2011 - 04:22 PM.
Moved from XP to Am I Infected.



#2 AustrAlien

    Inquisitor

  • BC Advisor

Posted 23 June 2011 - 04:51 AM

Hello and welcome to the BC forums.

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 sean209

  • Topic Starter

Posted 23 June 2011 - 12:08 PM

Thanks... any help is much appreciated, as this has never happened before and it's way out of my league.

#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team

Posted 23 June 2011 - 10:35 PM

Hi, welcome.

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also download Query.exe to the USB drive. On your working computer, navigate to the USB drive and click on Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to back up just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer and zip the mbr.bin. Post the contents of report.txt, filefind.txt and RegReport.txt in your next reply (not the zipped mbr.bin); the zipped mbr.bin must be attached to your reply.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
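As an added example (not code from this thread, nor from driver.sh, query.sh or xPUD): a small Python parser for the 512-byte mbr.bin that the dd command above produces. It checks the 55AA boot signature and the four partition-table entries, flags a missing or doubled active flag and overlapping partitions, and can diff the boot-code bytes against a known-good copy. The sample image it builds is constructed for illustration, not the poster's actual MBR.

```python
"""Parse and sanity-check a 512-byte MBR image such as mbr.bin.

Added example for this thread; it is not part of driver.sh, query.sh or
xPUD.  The sample MBR built below is constructed, not a real disk image.
"""
import struct
import sys

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16           # four entries of 16 bytes each
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into boot code, used partition entries and signature."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": i + 1,          # 1-based slot number in the table
            "status": status,        # 0x80 = active (bootable), 0x00 = inactive
            "bootable": status == 0x80,
            "type": ptype,           # e.g. 0x07 = NTFS
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootcode": mbr[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": mbr[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def check_mbr(parsed: dict) -> list:
    """Return human-readable problems found in a parsed MBR (empty list = clean)."""
    issues = []
    if not parsed["signature_ok"]:
        issues.append("boot signature 55AA missing")
    parts = parsed["partitions"]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            issues.append(f"partition {p['index']}: zero length")
    active = [p["index"] for p in parts if p["bootable"]]
    if len(active) != 1:
        issues.append(f"{len(active)} partitions marked active, expected exactly 1")
    # Sort by start sector and look for any entry starting inside its predecessor.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            issues.append(f"partition {i1} and partition {i2} overlap")
    return issues


def bootcode_diff(mbr_a: bytes, mbr_b: bytes) -> list:
    """Offsets at which the boot code of two MBR images differs (e.g. captured vs known-good)."""
    a, b = parse_mbr(mbr_a)["bootcode"], parse_mbr(mbr_b)["bootcode"]
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_sample_mbr(bootcode: bytes = None) -> bytes:
    """Constructed sample: zero-filled boot code, a small first NTFS partition and
    an active second NTFS partition, then the 55AA signature."""
    def entry(status, ptype, lba_start, sectors):
        chs = b"\xfe\xff\xff"  # CHS fields are not used here; LBA is authoritative
        return struct.pack("<B3sB3sII", status, chs, ptype, chs, lba_start, sectors)
    code = bootcode if bootcode is not None else bytes(PART_TABLE_OFFSET)
    if len(code) != PART_TABLE_OFFSET:
        raise ValueError("boot code must be exactly 446 bytes")
    table = (entry(0x00, 0x07, 63, 8_388_608)             # slot 1: small NTFS partition
             + entry(0x80, 0x07, 8_388_671, 100_000_000)  # slot 2: active NTFS partition
             + bytes(2 * PART_ENTRY_SIZE))                # slots 3 and 4 unused
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # Usage: python mbrcheck.py mbr.bin   (falls back to the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    parsed = parse_mbr(image)
    for p in parsed["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} slot {p['index']}: type 0x{p['type']:02x} "
              f"start {p['lba_start']} sectors {p['sectors']}")
    print("issues:", check_mbr(parsed) or "none")
```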


#5 sean209

  • Topic Starter

Posted 24 June 2011 - 11:16 AM

Thanks for the quick response.... I've created a CD and also downloaded the required files onto a USB, ready to try later today.. will post a response as soon as I can. (thumbs up)

#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team

Posted 24 June 2011 - 12:37 PM

(thumbs up)



#7 sean209

  • Topic Starter

Posted 24 June 2011 - 02:19 PM

I followed the instructions as per the list, but I'm not sure if it's all the info needed. Will have another go if needed.. thanks.

Fri Jun 24 05:30:02 UTC 2011
Driver report for /mnt/sda2/WINDOWS/system32/drivers
Driver report for /mnt/sda1/Minint/system32/drivers

2b3ab725f78e3e5bf476c4a4764c486a 1394bus.sys
Microsoft Corporation

f5e227af17514d92c180b7723573a7de 1394vdbg.sys
Microsoft Corporation

6abb91494fe6c59089b9336452ab2ea3 abp480n5.sys
Microsoft Corporation

9859c0f6936e723e4892d7141b1327d5 acpiec.sys
Microsoft Corporation

94ddd4b3acbd7a9558e1762cd58386f9 acpi.sys
Microsoft Corporation

9a11864873da202c996558b2106b0bbc adpu160m.sys
Microsoft Corporation

51b1872b62d1c335bac53313913c8d5b afd.sys
Microsoft Corporation

c23ea9b5f46c7f7910db3eab648ff013 aha154x.sys
Microsoft Corporation

19dd0fb48b0c18892f70e2e7d61a1529 aic78u2.sys
Microsoft Corporation

b7fe594a7468aa0132deb03fb8e34326 aic78xx.sys
Microsoft Corporation

1140ab9938809700b46bb88e46d72a96 aliide.sys
Acer Laboratories

79f5add8d24bd6893f2903a3e2f3fad6 amsint.sys
Microsoft Corporation

69eb0cc7714b32896ccbfd5edcbea447 asc3350p.sys
Microsoft Corporation

5d8de112aa0254b907861e9e9c31d597 asc3550.sys
Advanced System Products

62d318e9a0c8fc9b780008e724283707 asc.sys
Advanced System Products

f1d915c3870e741d83b5142f3b358761 atapi.sys
Microsoft Corporation

da1f27d85e0d1525f6621372e7b685e9 beep.sys
Microsoft Corporation

90a673fc8e12a79afbed2576f6a7aaf9 cbidf2k.sys
Microsoft Corporation

f3ec03299634490e97bbce94cd2954c7 cd20xrnt.sys
Microsoft Corporation

c1b486a7658353d33a10cc15211a873b cdaudio.sys
Microsoft Corporation

049a38451f2611caf2fd528e023a0b5a cdfs.sys
Microsoft Corporation

6506e033ad04cfec9ee56dbefd1083dd cdrom.sys
Microsoft Corporation

4e86b33aff1a6af46889cbcf90f0c8f0 classpnp.sys
Microsoft Corporation

e5dcb56c533014ecbc556a8357c929d5 cmdide.sys
CMD Technology

3ee529119eed34cd212a215e8c40d4b6 cpqarray.sys
Microsoft Corporation

e550e7418984b65a78299d248f0a7f36 dac2w2k.sys
Mylex Corporation

683789caa3864eb46125ae86ff677d34 dac960nt.sys
Microsoft Corporation

16a6f479f49fd1fa06bb5539a3d493f8 diapi2.sys
Eicon Technology

99a1ffd0e527d3b88e34735d85eaaa04 dimaint.sys
Eicon Technology

188eb90ac2b70c41fdd41ee36ae2a592 diskdump.sys
Microsoft Corporation

d1b16340ceaceecbf52340a0cbdf43e1 disk.sys
Microsoft Corporation

e18132d39407aadca6b1d19adf408a8a dmboot.sys
Microsoft Corp

526192bf7696f72e29777bf4a180513a DMICall.sys
Sony Corporation

aca44e9a8e2ff7c833664263c8478629 dmio.sys
Microsoft Corp

e9317282a63ca4d188c0df5e09c6ac5f dmload.sys
Microsoft Corp

40f3b93b4e5b0126f2f5c0a7a5e22660 dpti2o.sys
Microsoft Corporation

fe97d0343acfdebdd578fc67cc91fa87 dxapi.sys
Microsoft Corporation

3d1383ae689ebc3a0f938b0aaece5596 dxg.sys
Microsoft Corporation

a73f5d6705b1d820c19b18782e176efd dxgthk.sys
Microsoft Corporation

4063a77fa6f2c8cd48cbe9ac6eb8d213 em556n4.sys
Com Corporation

80d1b490b60e74e002dc116ec5d41748 enum1394.sys
Microsoft Corporation

52016d76b6f9810186dfdd5ccd53fa79 et4000.sys
Microsoft Corporation

e4a3a8f3e60b542a747b10e86faa5dad fastfat.sys
Microsoft Corporation

19c5c7eac0190a42522290bf002f64ea fdc.sys
Microsoft Corporation

8f70d1f7606f7442e2f7383f3701d728 flpydisk.sys
Microsoft Corporation

3e1e2bd4f39b0e2b7dc4f4d2bcc2779a fs_rec.sys
Microsoft Corporation

455f778ee14368468560bd7cb8c854d0 fsvga.sys
Microsoft Corporation

6ac26732762483366c3969c9e4d2259d ftdisk.sys
Microsoft Corporation

151b49e5cc28b76d84225ae2b69e02da hidclass.sys
Microsoft Corporation

d099d5a07e97b09ca6a8070ca58678e7 hidparse.sys
Microsoft Corporation

1de6783b918f540149aa69943bdfeba8 hidusb.sys
Microsoft Corporation

b028377dea0546a5fcfba928a8aefae0 hpn.sys
Microsoft Corporation

aeb15ed12bb5a2ce62d900a97207e78b i2omgmt.sys
Microsoft Corporation

83e0f7a55077ba8d13421f0febbae2fa i2omp.sys
Microsoft Corporation

7080f46568108cc6ea73e460ee6ee702 i8042prt.sys
Microsoft Corporation

4a40e045faee58631fd8d91afc620719 ini910u.sys
Microsoft Corporation

17c67d4ffd7217bc851969c550131108 inport.sys
Microsoft Corporation

3049227da71a4a68515dcdce3030eacd intelide.sys
Microsoft Corporation

8f1604ad7f8f8b6339e53d93c46187a8 io8.sys
Perle Systems

e504f706ccb699c2596e9a3da1596e87 isapnp.sys
Microsoft Corporation

1e7f78c2fc393356cd884c6fde7966f9 kbdclass.sys
Microsoft Corporation

4e33c6dea3bcc50776f02a1c1ae28671 kbdhid.sys
Microsoft Corporation

abc70e8b89cce44731a346deb764bf95 ksecdd.sys
Microsoft Corporation

29f4584e6bdf44b39123622a65e25314 ks.sys
Microsoft Corporation

db35284e9acd15ec5337a50023d5394c lbrtfdc.sys
Toshiba Corporation

d1f8be91ed4ddb671d42e473e3fe71ab mcd.sys
Microsoft Corporation

9c46695db5d49d9a7333807430a43be2 mf.sys
Microsoft Corporation

4ae068242760a1fb6e1a44bf4e16afa6 mnmdd.sys
Microsoft Corporation

81fb25d6ee5e0728d2c0630c58d7d908 mouclass.sys
Microsoft Corporation

b1c303e17fb9d46e87a98e4ba6769685 mouhid.sys
Microsoft Corporation

d4face53a1c48cf8419b4cf494d2ee2e mountmgr.sys
Microsoft Corporation

3f4bb95e5a44f3be34824e8e7caf0737 mraid35x.sys
American Megatrends

a1831538e119363d0d90d757ac8a2012 msfs.sys
Microsoft Corporation

08c56887f06473b09fc1b39e7dec0fb6 mup.sys
Microsoft Corporation

3b350e5a2a5e951453f3993275a4523a ndis.sys
Microsoft Corporation

59fc3fb44d2669bc144fd87826bb571f ndproxy.sys
Microsoft Corporation

20aba9f035e3a98877480e34fcc4dcb3 npfs.sys
Microsoft Corporation

e3ae9c79498210a5f39fe5a9ad62bc55 ntfs.sys
Microsoft Corporation

73c1e1f395918bc2c6dd67af7591a3ad null.sys
Microsoft Corporation

52c36c911f83f200130b2f84e01f3511 ohci1394.sys
Microsoft Corporation

4bb30ddc53ebc76895e38694580cdfe9 oprghdlr.sys
Microsoft Corporation

67fd105f525a94c0246c9088e85a2f3b parport.sys
Microsoft Corporation

3334430c29dc338092f79c38ef7b4cd0 partmgr.sys
Microsoft Corporation

70e98b3fd8e963a6a46a2e6247e0bea1 parvdm.sys
Microsoft Corporation

ccf5f451bb1a5a2a522a76e670000ff0 pciide.sys
Microsoft Corporation

146d37a214304bd3432cfd3360ff067f pciidex.sys
Microsoft Corporation

9390447f3b1be5064a3ebe98c555a1e5 pci.sys
Microsoft Corporation

4ca446e011e2f61ac45eb2e3bc3f1584 pcmcia.sys
Microsoft Corporation

f50f7c27f131afe7beba13e14a3b9416 perc2hib.sys
Microsoft Corporation

6c14b9c19ba84f73d3a86dba11133101 perc2.sys
Microsoft Corporation

33d363e8a6c7c81cd653e8d118f4a519 ppa3.sys
Microsoft Corporation

0a63fb54039eb5662433caba3b26dba7 ql1080.sys
QLogic Corporation

6503449e1d43a0ff0201ad5cb1b8c706 ql10wnt.sys
Microsoft Corporation

156ed0ef20c15114ca097a34a30d8a01 ql12160.sys
QLogic Corporation

70f016bebde6d29e864c1230a07cc5e6 ql1240.sys
Microsoft Corporation

907f0aeea6bc451011611e732bd31fcf ql1280.sys
QLogic Corporation

231aa81e1ce4f7b6fbc77121155a67eb ramdisk.sys
Microsoft Corporation

f18e651e4b6c7d8bd367454e016ab5d4 rndismp.sys
Microsoft Corporation

c4cc1f6343c1879b446840e807305bb8 sbp2port.sys
Microsoft Corporation

f1d2d6d805ae2856f3d923e949ad917d scsiport.sys
Microsoft Corporation

65a7c4d86c153c82e33a552c217abb29 serenum.sys
Microsoft Corporation

dc7cbfec14b1b38bcf32aba922ffeaad serial.sys
Microsoft Corporation

4589eaa485a6216e6bec50f95a5d2c5c setupdd.sys
Microsoft Corporation

4e1b8866f3d208dee3906a191cb493e3 sfloppy.sys
Microsoft Corporation

80b86f9b9ec4cd0e25627e4a7c54826a slip.sys
Microsoft Corporation

017daecf0ed3aa731313433601ec40fa smclib.sys
Microsoft Corporation

83c0f71f86d3bdaf915685f3d568b20e sparrow.sys
Adaptec

9addfd4855a56b3dea541ef760c258d4 spddlang.sys
Microsoft Corporation

c0e7e159415c1d10a88297b7eba01066 streamip.sys
Microsoft Corporation

064740c5c02de46723c4b8200ee876df swenum.sys
Microsoft Corporation

1ff3217614018630d0a6758630fc698c symc810.sys
Symbios Logic

070e001d95cf725186ef8b20335f933c symc8xx.sys
LSI Logic

80ac1c4abbe2df3b738bf15517a51f2c sym_hi.sys
LSI Logic

bf4fab949a382a8e105f46ebb4937058 sym_u3.sys
LSI Logic

d1570ddee0b8ad173a689f1a9a343b57 tape.sys
Microsoft Corporation

fd6a09d156139030729cf5f08f5d0cb9 tdi.sys
Microsoft Corporation

e51a3f6a0f6f868beeb7785764dc219c tffsport.sys
M-Systems

f2790f6af01321b172aa62f8e1e187d9 toside.sys
Microsoft Corporation

01ca8ec606522d2f60820b0c0086fdd5 udfs.sys
Microsoft Corporation

1b698a51cd528d8da4ffaed66dfc51b9 ultra.sys
Promise Technology

164cfae1d766905f56c432acfc54f28c update.sys
Microsoft Corporation

567d6c305295fea98e02fd3e5258ca89 usb8023.sys
Microsoft Corporation

79fee3cfec5b14194dbe0a703d82b2a4 usbccgp.sys
Microsoft Corporation

596eb39b50d6ebd9b734dc4ae0544693 usbd.sys
Microsoft Corporation

2d0c2f3836f72e85d41d9c50aeeb5423 usbehci.sys
Microsoft Corporation

d7bf70ac85e48b6c4df953401eccb75a usbhub.sys
Microsoft Corporation

4e7d2f6df7a7e02d80fe0b109f0c9f02 usbohci.sys
Microsoft Corporation

2ecaba73e8a4e58499bcc1fdb534ef34 usbport.sys
Microsoft Corporation

4923c60f9c381eae679db04021d26abb usbstor.sys
Microsoft Corporation

49ec068278d85bc1e20ac7f3d315e940 usbuhci.sys
Microsoft Corporation

08d2edfd7261242b8aea27f1fe11e120 vga.sys
Microsoft Corporation

fe2a9e925030fd316680680a2eb9ea63 viaide.sys
Microsoft Corporation

9b900adeee167b99207ececccb5712a9 videoprt.sys
Microsoft Corporation

2f31b7f954bed437f2c75026c65caf7b wmilib.sys
Microsoft Corporation

6abe6e225adb5a751622a9cc3bc19ce8 ws2ifsl.sys
Microsoft Corporation


Search results for Winlogon.exe

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 4 2004

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/system32/winlogon.exe
490.5K Aug 4 2004

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/winlogon.exe
496.0K Apr 14 2008

2246d8d8f4714a2cedb21ab9b1849abb /mnt/sda1/Minint/system32/winlogon.exe
504.5K Aug 29 2002


Search results for volsnap.sys

ee4660083deba849ff6c485d944b379b /mnt/sda2/WINDOWS/system32/dllcache/volsnap.sys
51.1K Aug 4 2004

ee4660083deba849ff6c485d944b379b /mnt/sda2/WINDOWS/system32/drivers/volsnap.sys
51.1K Aug 4 2004

4c8fcb5cc53aab716d810740fe59d025 /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/volsnap.sys
51.1K Apr 13 2008


Search results for explorer.exe

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda2/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/WINDOWS/system32/dllcache/explorer.exe
1009.0K Jun 13 2007

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/explorer.exe
1009.5K Apr 14 2008

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/WINDOWS/explorer.exe
1009.0K Jun 13 2007

a0732187050030ae399b241436565e64 /mnt/sda2/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 4 2004


Search results for Userinit.exe

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/system32/dllcache/userinit.exe
24.0K Aug 4 2004

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/system32/userinit.exe
24.0K Aug 4 2004

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/userinit.exe
25.5K Apr 14 2008

e931e0a2b8bf0019db902e98d03662cb /mnt/sda1/Minint/system32/userinit.exe
21.5K Aug 29 2002


Search results for Exit


Search results for bash query.sh
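
The search-results listing above pairs every copy of a file with its MD5, which is what lets the live copy under \WINDOWS be checked against the Windows File Protection copy in dllcache. The block below is an added example written for this page, not the query.sh tool used in the thread: it parses that output format and reports, per file, whether the live copy and the dllcache copy carry the same hash. Its sample text is constructed: the Winlogon.exe and Userinit.exe blocks are the lines from the post above, the example.dll block with its all-zero and all-one hashes is a placeholder added to show a mismatch, and the empty Exit block shows a search with no hits.

```python
"""Cross-check a query.sh-style md5 listing against the dllcache copies.

Added example (not the thread's tool).  SAMPLE is constructed: the Winlogon.exe
and Userinit.exe blocks are copied from the post above; example.dll and its
all-zero/all-one hashes are placeholders that show what a mismatch looks like.
"""
import re

ENTRY_RE = re.compile(r"^(?P<md5>[0-9a-f]{32})\s+(?P<path>/\S.*)$")
SIZE_RE = re.compile(r"^(?P<size>\S+)\s+(?P<date>.+)$")


def parse_search_results(text):
    """Return {query: [entry, ...]}; an entry is a dict with md5, path, size, date."""
    results, query, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Search results for "):
            query = line[len("Search results for "):]
            results[query] = []
            pending = None
        elif query is None or not line:
            continue
        elif pending is None:                 # first line of a hit: md5 and path
            m = ENTRY_RE.match(line)
            if m:
                pending = {**m.groupdict(), "size": "", "date": ""}
        else:                                 # second line of a hit: size and date
            m = SIZE_RE.match(line)
            if m:
                pending.update(m.groupdict())
            results[query].append(pending)
            pending = None
    return results


def check_copies(results):
    """Per query: compare the live copy (system32, or the Windows root for
    explorer.exe) with the dllcache copy.  Different hashes mean the file in
    use is not the one WFP cached, which is what a patched winlogon.exe or
    userinit.exe looks like in this listing."""
    report = {}
    for query, entries in results.items():
        name = query.lower()
        live = [e for e in entries if e["path"].lower().endswith(
            ("/windows/system32/" + name, "/windows/" + name))]
        cache = [e for e in entries if "/dllcache/" in e["path"].lower()]
        if not live:
            status = "NO LIVE COPY"
        elif not cache:
            status = "NO DLLCACHE COPY"
        elif {e["md5"] for e in live} == {e["md5"] for e in cache}:
            status = "MATCH"
        else:
            status = "MISMATCH"
        report[query] = (status, live, cache)
    return report


SAMPLE = """\
Search results for Winlogon.exe

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 4 2004

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/system32/winlogon.exe
490.5K Aug 4 2004

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/winlogon.exe
496.0K Apr 14 2008

2246d8d8f4714a2cedb21ab9b1849abb /mnt/sda1/Minint/system32/winlogon.exe
504.5K Aug 29 2002

Search results for Userinit.exe

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/system32/dllcache/userinit.exe
24.0K Aug 4 2004

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/system32/userinit.exe
24.0K Aug 4 2004

Search results for example.dll

00000000000000000000000000000000 /mnt/sda2/WINDOWS/system32/dllcache/example.dll
10.0K Aug 4 2004

11111111111111111111111111111111 /mnt/sda2/WINDOWS/system32/example.dll
10.5K Jun 19 2011

Search results for Exit
"""

if __name__ == "__main__":
    for query, (status, live, cache) in check_copies(parse_search_results(SAMPLE)).items():
        print(f"{status:16} {query}")
        for e in live + cache:
            print(f"    {e['md5']}  {e['size']:>7}  {e['date']:<12}  {e['path']}")
```

A match only says the two copies are identical; if both had been replaced the check would still pass, which is why the MD5s themselves are also compared against known-good values rather than only against each other. The copy under Minint on sda1 is the Sony recovery environment and is deliberately not treated as the live copy.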

#8 JSntgRvr


    Master Surgeon General

  • Malware Response Team
  • 11,304 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 June 2011 - 05:06 PM

There are two reports missing, the RegReport.txt and mbr.bin zipped file that must be attached to your reply. Let me know if having problems producing them.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 sean209

  • Topic Starter
  • Members
  • 19 posts

Posted 25 June 2011 - 05:31 AM

Have managed to obtain the RegReport.txt and mbr.bin - RegReport.txt is as follows:

Remote Registry Report

Hive </mnt/sda2/WINDOWS/system32/config/software>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> Value <CSDVersion> of type REG_SZ, data length 30 [0x1e]
Service Pack 2
\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
C:\WINDOWS
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> cat_vk: No such value <Userinit>
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 9 subkeys and 0 values
<crypt32chain>
<cryptnet>
<cscdll>
<ScCertProp>
<Schedule>
<sclgntfy>
<SensLogn>
<termsrv>
<wlballoon>
\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 31 values
size type value name [value if type DWORD]
26 REG_SZ <ATIModeChange>
130 REG_SZ <ATIPTA>
96 REG_SZ <HKSERV.EXE>
126 REG_SZ <VAIO Update 2>
48 REG_SZ <SiSUSBRG>
124 REG_SZ <VZRemoteCommander>
122 REG_SZ <PDService.exe>
122 REG_SZ <SunJavaUpdateSched>
62 REG_SZ <wltray.exe>
108 REG_SZ <Motive SmartBridge>
84 REG_SZ <btbb_wcm_McciTrayApp>
80 REG_SZ <YBrowser>
140 REG_SZ <TkBellExe>
94 REG_SZ <Ad-Watch>
168 REG_SZ <AppleSyncNotifier>
142 REG_SZ <PCSuiteTrayApplication>
112 REG_SZ <mcagent_exe>
104 REG_SZ <QuickTime Task>
86 REG_SZ <iTunesHelper>
158 REG_SZ <NokiaMServer>
148 REG_SZ <NokiaMusic FastStart>
332 REG_SZ <UpdateLBPShortCut>
100 REG_SZ <CLMLServer>
320 REG_SZ <UpdateP2GoShortCut>
106 REG_SZ <RemoteControl8>
122 REG_SZ <PDVD8LanguageShortcut>
350 REG_SZ <UpdatePPShortCut>
308 REG_SZ <UCam_Menu>
100 REG_SZ <LGODDFU>
324 REG_SZ <UpdatePSTShortCut>
96 REG_SZ <Tbuvopibanovek>
(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 5 values
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
4 REG_DWORD <legalnoticecaption> 1 [0x1]
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]


Hive </mnt/sda1/Minint/system32/config/software>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> cat_vk: No such value <CSDVersion>
\Microsoft\Windows NT\CurrentVersion> cat_vk: No such value <SystemRoot>
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 18 [0x12]
userinit
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 4 subkeys and 0 values
<cscdll>
<ScCertProp>
<SensLogn>
<wlballoon>
\Microsoft\Windows\CurrentVersion\RunOnce> Node has 0 subkeys and 0 values


Hive </mnt/sda2/Documents and Settings/Owner/ntuser.dat>
> Node has 0 subkeys and 0 values


Hive </mnt/sda2/Documents and Settings/Sean Aspey/ntuser.dat>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 11 values
size type value name [value if type DWORD]
100 REG_SZ <Yahoo! Pager>
114 REG_SZ <MsnMsgr>
172 REG_SZ <swg>
114 REG_SZ <BTAgile>
98 REG_SZ <Picasa Media Detector>
112 REG_SZ <SpybotSD TeaTimer>
182 REG_SZ <yheric>
182 REG_SZ <ywihor>
92 REG_SZ <Ehilogol>
62 REG_SZ <ctfmon.exe>
154 REG_SZ <790504059>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]

Attached Files

  • Attached File  mbr.zip   540bytes   3 downloads
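
The report above is an offline look at the logon chain: Winlogon's Shell and Userinit values, AppInit_DLLs, the Winlogon\Notify packages, and the Run keys of the machine and user hives. The block below is an added example, not the query.sh tool the thread uses: it parses this report format and flags the findings a responder would act on, the missing Userinit first (Winlogon runs Userinit, which starts the shell; without it a logon completes to an empty desktop). Its sample is an abridged copy of the report above with most Run entries and Notify subkeys dropped; the stock XP SP2 values it compares against and the "generated-looking name" heuristic are this example's own assumptions, not anything the thread states.

```python
"""Triage a Remote Registry Report (RegReport.txt) for logon-chain tampering.

Added example, not the thread's query.sh tool.  SAMPLE is an abridged copy of
the report posted above; the stock-XP baselines and the name heuristic below
are this example's own assumptions.
"""
import re

HIVE_RE = re.compile(r"^Hive <(?P<path>[^>]+)>")
VALUE_RE = re.compile(r"^(?P<key>.+?)> Value <(?P<name>[^>]+)> of type \w+, data length \d+")
MISSING_RE = re.compile(r"^(?P<key>.+?)> cat_vk: No such value <(?P<name>[^>]+)>")
NODE_RE = re.compile(r"^(?P<key>.+?)> Node has \d+ subkeys and \d+ values")
SUBKEY_RE = re.compile(r"^<(?P<name>[^>]+)>$")
ROW_RE = re.compile(r"^\d+ REG_\w+ <(?P<name>[^>]+)>")
STRUCTURAL = (HIVE_RE, VALUE_RE, MISSING_RE, NODE_RE, SUBKEY_RE, ROW_RE)

XP_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"   # assumed stock XP value
XP_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
             "sclgntfy", "SensLogn", "termsrv", "wlballoon"}   # assumed stock XP SP2 set


def parse_regreport(text):
    """Return {hive_path: {key: node}}; a node records values, missing value
    names, subkeys and the value names listed under a 'Node has ...' block."""
    hives, hive, node, expect = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect and not (line.startswith("size type") or any(r.match(line) for r in STRUCTURAL)):
            node["values"][expect] = line           # data line of the value announced just before
            expect = None
            continue
        expect = None
        m = HIVE_RE.match(line)
        if m:
            hive, node = hives.setdefault(m.group("path"), {}), None
            continue
        if hive is None:
            continue
        for rx in (VALUE_RE, MISSING_RE, NODE_RE):
            m = rx.match(line)
            if m:
                node = hive.setdefault(m.group("key"), {"values": {}, "missing": set(), "subkeys": set(), "names": []})
                if rx is VALUE_RE:
                    node["values"][m.group("name")] = ""    # stays empty unless a data line follows
                    expect = m.group("name")
                elif rx is MISSING_RE:
                    node["missing"].add(m.group("name"))
                break
        else:                                          # subkey or value row under the current node
            m = SUBKEY_RE.match(line) or ROW_RE.match(line)
            if m and node is not None:
                (node["subkeys"].add if line.startswith("<") else node["names"].append)(m.group("name"))
    return hives


def looks_generated(name):
    """Heuristic (assumption): all digits, or one bare word of 5+ letters with at
    most one capital, is how malware-generated autostart names tend to look."""
    return name.isdigit() or (name.isalpha() and len(name) >= 5 and sum(c.isupper() for c in name) <= 1)


def triage(hives):
    """Return [(severity, hive_path, message)] in the order the keys were reported."""
    out = []
    for path, keys in hives.items():
        for key, node in keys.items():
            k, vals = key.lower(), node["values"]
            if k.endswith("\\winlogon"):
                if "Userinit" in node["missing"]:
                    out.append(("CRITICAL", path, f"Winlogon\\Userinit is missing (stock value {XP_USERINIT!r}): logon succeeds but no shell is ever started"))
                if vals.get("Shell", "Explorer.exe").lower() != "explorer.exe":
                    out.append(("CRITICAL", path, f"Winlogon\\Shell is {vals['Shell']!r}, expected Explorer.exe"))
            elif k.endswith("\\winlogon\\notify") and node["subkeys"] - XP_NOTIFY:
                out.append(("REVIEW", path, f"non-default Winlogon\\Notify packages: {sorted(node['subkeys'] - XP_NOTIFY)}"))
            elif k.endswith("\\windows") and vals.get("AppInit_DLLs"):
                out.append(("REVIEW", path, f"AppInit_DLLs is set: {vals['AppInit_DLLs']!r}"))
            elif k.endswith(("\\run", "\\runonce")):
                out.extend(("REVIEW", path, f"generated-looking autostart name {n!r} under {key}")
                           for n in node["names"] if looks_generated(n))
    return out


SAMPLE = r"""Hive </mnt/sda2/WINDOWS/system32/config/software>
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> cat_vk: No such value <Userinit>
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 9 subkeys and 0 values
<crypt32chain>
<wlballoon>
\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 31 values
size type value name [value if type DWORD]
86 REG_SZ <iTunesHelper>
96 REG_SZ <Tbuvopibanovek>

Hive </mnt/sda2/Documents and Settings/Sean Aspey/ntuser.dat>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 11 values
size type value name [value if type DWORD]
182 REG_SZ <yheric>
62 REG_SZ <ctfmon.exe>
154 REG_SZ <790504059>
"""

if __name__ == "__main__":
    for sev, path, msg in triage(parse_regreport(SAMPLE)):
        print(f"{sev:8} {path}\n         {msg}")
```

The names it flags (Tbuvopibanovek, yheric, ywihor, Ehilogol and 790504059 in the full report above) are candidates for a look at the value data, not verdicts; a vendor name that happens to be one bare word trips the same heuristic, and a malware name chosen to look like a product does not.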


#10 JSntgRvr


    Master Surgeon General

  • Malware Response Team
  • 11,304 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 June 2011 - 01:34 PM

Download xPUD_userinit_fix by noahdfear to the USB drive.
  • Remove the USB, insert it in the sick computer and boot to xPUD.
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see the file xPUD_userinit_fix in your USB drive and double click on it.
  • After it has finished a report will be located in your USB drive named UserinitReport.txt
  • Post the contents of this file to a reply and if successful, attempt to boot in Normal mode



#11 sean209

  • Topic Starter
  • Members
  • 19 posts

Posted 25 June 2011 - 03:18 PM

Here are the results of the Userinit report...did try booting in normal mode but no luck on that one.

Remote Registry Userinit Report
userinit.exe search results

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/system32/dllcache/userinit.exe
24.0K Aug 4 2004
39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/system32/userinit.exe
24.0K Aug 4 2004
a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/userinit.exe
25.5K Apr 14 2008
e931e0a2b8bf0019db902e98d03662cb /mnt/sda1/Minint/system32/userinit.exe
21.5K Aug 29 2002

winlogon.exe search results

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 4 2004
01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/system32/winlogon.exe
490.5K Aug 4 2004
ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/winlogon.exe
496.0K Apr 14 2008
2246d8d8f4714a2cedb21ab9b1849abb /mnt/sda1/Minint/system32/winlogon.exe
504.5K Aug 29 2002

explorer.exe search results

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda2/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007
97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/WINDOWS/system32/dllcache/explorer.exe
1009.0K Jun 13 2007
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/explorer.exe
1009.5K Apr 14 2008
97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/WINDOWS/explorer.exe
1009.0K Jun 13 2007
a0732187050030ae399b241436565e64 /mnt/sda2/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 4 2004

#12 JSntgRvr


    Master Surgeon General

  • Malware Response Team
  • 11,304 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 June 2011 - 08:20 PM

My intentions above were to reset the Userinit entry in the registry that appeared to be missing. Let's confirm that.

Remove the current Regreport.txt from the USB drive and boot to xPUD once again.

  • Browse to the folder that represents your USB drive
  • Press Tool at the top
  • Choose Open Terminal
  • type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt

Post the new Regreport.txt in your next reply.

In case we need to build another tool, do you have a Windows XP install CD?

Edited by JSntgRvr, 25 June 2011 - 08:22 PM.



#13 sean209

  • Topic Starter
  • Members
  • 19 posts

Posted 26 June 2011 - 02:50 AM

The latest Regreport is listed below....I didn't have a Windows XP CD when I bought the PC as it was already pre-installed, but I did purchase a new Sony Vaio recovery CD from Sony a few days ago and it contains 2 recovery discs.

Remote Registry Report


This is all that is showing...have repeated this procedure to double check and the same comes up again - will await your further instruction.

#14 JSntgRvr


    Master Surgeon General

  • Malware Response Team
  • 11,304 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 June 2011 - 10:54 AM

Please re-attempt the bash query.sh command and allow enough time to finish.

In addition, let's see if we have restore points available.

Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Boot the sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Copy and paste the enum.log for my review.



#15 sean209

  • Topic Starter
  • Members
  • 19 posts

Posted 26 June 2011 - 02:57 PM

I've carried out bash query.sh but the result is still the same...also posting the results of the enum log - please see results below. Thanks.

Remote Registry Report



Enum log report is as follows:


612.0K Jan 16 2005 /mnt/sda1/Minint/system32/config/software
32.9M Jun 19 11:34 /mnt/sda2/WINDOWS/system32/config/software
5.0M Jun 19 11:34 /mnt/sda2/WINDOWS/system32/config/system

32.9M Apr 17 16:35 /sda2/~/RP915/~SOFTWARE
32.9M Apr 18 20:34 /sda2/~/RP916/~SOFTWARE
32.9M Apr 20 19:40 /sda2/~/RP917/~SOFTWARE
32.9M Apr 22 09:01 /sda2/~/RP918/~SOFTWARE
32.9M Apr 22 13:31 /sda2/~/RP919/~SOFTWARE
32.9M Apr 22 13:32 /sda2/~/RP920/~SOFTWARE
32.9M Apr 22 13:33 /sda2/~/RP921/~SOFTWARE
32.9M Apr 22 13:33 /sda2/~/RP922/~SOFTWARE
32.9M Apr 23 19:56 /sda2/~/RP923/~SOFTWARE
32.9M Apr 25 02:24 /sda2/~/RP924/~SOFTWARE
32.9M Apr 26 20:48 /sda2/~/RP925/~SOFTWARE
32.9M Apr 28 07:31 /sda2/~/RP926/~SOFTWARE
32.9M Apr 29 13:09 /sda2/~/RP927/~SOFTWARE
32.9M May 2 07:59 /sda2/~/RP928/~SOFTWARE
32.9M May 4 07:19 /sda2/~/RP929/~SOFTWARE
32.9M May 8 16:37 /sda2/~/RP930/~SOFTWARE
32.9M May 9 18:54 /sda2/~/RP931/~SOFTWARE
32.9M May 14 11:00 /sda2/~/RP932/~SOFTWARE
32.9M May 15 19:56 /sda2/~/RP933/~SOFTWARE
32.9M May 19 20:01 /sda2/~/RP934/~SOFTWARE
32.9M May 19 23:33 /sda2/~/RP935/~SOFTWARE
32.9M May 21 18:59 /sda2/~/RP936/~SOFTWARE
32.9M May 22 20:34 /sda2/~/RP937/~SOFTWARE
32.9M May 25 20:21 /sda2/~/RP938/~SOFTWARE
32.9M May 27 20:04 /sda2/~/RP939/~SOFTWARE
32.9M May 29 13:29 /sda2/~/RP940/~SOFTWARE
32.9M May 30 18:52 /sda2/~/RP941/~SOFTWARE
32.9M May 31 18:11 /sda2/~/RP942/~SOFTWARE
33.2M May 31 21:06 /sda2/~/RP943/~SOFTWARE
32.9M Jun 4 13:24 /sda2/~/RP944/~SOFTWARE
32.9M Jun 7 19:01 /sda2/~/RP945/~SOFTWARE
32.9M Jun 8 20:09 /sda2/~/RP946/~SOFTWARE
32.9M Jun 10 21:57 /sda2/~/RP947/~SOFTWARE
32.9M Jun 13 07:39 /sda2/~/RP948/~SOFTWARE
32.9M Mar 16 20:33 /sda2/~/RP906/~SOFTWARE
32.9M Mar 17 20:42 /sda2/~/RP907/~SOFTWARE
32.9M Mar 19 12:08 /sda2/~/RP908/~SOFTWARE
32.9M Mar 20 12:41 /sda2/~/RP909/~SOFTWARE
32.9M Mar 30 18:38 /sda2/~/RP910/~SOFTWARE
32.9M Apr 1 19:24 /sda2/~/RP911/~SOFTWARE
32.9M Apr 2 22:20 /sda2/~/RP912/~SOFTWARE
32.9M Apr 4 18:56 /sda2/~/RP913/~SOFTWARE
32.9M Apr 7 07:29 /sda2/~/RP914/~SOFTWARE
4.9M Apr 17 16:35 /sda2/~/RP915/~SYSTEM
4.9M Apr 18 20:34 /sda2/~/RP916/~SYSTEM
4.9M Apr 20 19:40 /sda2/~/RP917/~SYSTEM
4.9M Apr 22 09:01 /sda2/~/RP918/~SYSTEM
4.9M Apr 22 13:31 /sda2/~/RP919/~SYSTEM
4.9M Apr 22 13:32 /sda2/~/RP920/~SYSTEM
4.9M Apr 22 13:33 /sda2/~/RP921/~SYSTEM
4.9M Apr 22 13:33 /sda2/~/RP922/~SYSTEM
4.9M Apr 23 19:56 /sda2/~/RP923/~SYSTEM
4.9M Apr 25 02:24 /sda2/~/RP924/~SYSTEM
4.9M Apr 26 20:48 /sda2/~/RP925/~SYSTEM
4.9M Apr 28 07:31 /sda2/~/RP926/~SYSTEM
4.9M Apr 29 13:09 /sda2/~/RP927/~SYSTEM
4.9M May 2 07:59 /sda2/~/RP928/~SYSTEM
4.9M May 4 07:19 /sda2/~/RP929/~SYSTEM
4.9M May 8 16:37 /sda2/~/RP930/~SYSTEM
4.9M May 9 18:54 /sda2/~/RP931/~SYSTEM
4.9M May 14 11:00 /sda2/~/RP932/~SYSTEM
4.9M May 15 19:56 /sda2/~/RP933/~SYSTEM
4.9M May 19 20:01 /sda2/~/RP934/~SYSTEM
4.9M May 19 23:33 /sda2/~/RP935/~SYSTEM
4.9M May 21 18:59 /sda2/~/RP936/~SYSTEM
4.9M May 22 20:34 /sda2/~/RP937/~SYSTEM
4.9M May 25 20:21 /sda2/~/RP938/~SYSTEM
4.9M May 27 20:04 /sda2/~/RP939/~SYSTEM
4.9M May 29 13:29 /sda2/~/RP940/~SYSTEM
4.9M May 30 18:52 /sda2/~/RP941/~SYSTEM
4.9M May 31 18:11 /sda2/~/RP942/~SYSTEM
4.9M May 31 21:06 /sda2/~/RP943/~SYSTEM
4.9M Jun 4 13:24 /sda2/~/RP944/~SYSTEM
4.9M Jun 7 19:01 /sda2/~/RP945/~SYSTEM
4.9M Jun 8 20:09 /sda2/~/RP946/~SYSTEM
4.9M Jun 10 21:57 /sda2/~/RP947/~SYSTEM
4.9M Jun 13 07:39 /sda2/~/RP948/~SYSTEM
4.9M Mar 16 20:33 /sda2/~/RP906/~SYSTEM
4.9M Mar 17 20:42 /sda2/~/RP907/~SYSTEM
4.9M Mar 19 12:08 /sda2/~/RP908/~SYSTEM
4.9M Mar 20 12:41 /sda2/~/RP909/~SYSTEM
4.9M Mar 30 18:38 /sda2/~/RP910/~SYSTEM
4.9M Apr 1 19:24 /sda2/~/RP911/~SYSTEM
4.9M Apr 2 22:20 /sda2/~/RP912/~SYSTEM
4.9M Apr 4 18:56 /sda2/~/RP913/~SYSTEM
4.9M Apr 7 07:29 /sda2/~/RP914/~SYSTEM
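
enum.log lists the live SOFTWARE and SYSTEM hives with their modification times, followed by the snapshot copies kept under each restore point (RP###), which is the information needed to pick a point that predates the infection. The block below is an added example, not the rst.sh script from the thread: it parses that ls-style listing (a clock time means the current year, a year means an older file), groups the hive copies by restore point, and picks the newest point whose hives are both older than the live hives. Its sample is an abridged copy of the log above plus two constructed changes, labelled in the code: an RP949 dated after the live hives, and RP946 with its ~SYSTEM line omitted, to show the post-infection and incomplete-snapshot cases. The year 2011 is taken from the thread's dates.

```python
"""Pick a System Restore snapshot that predates the infection from enum.log.

Added example, not the thread's rst.sh.  SAMPLE is an abridged copy of the log
posted above; the RP949 lines are constructed (no such point is in the log) and
RP946 is listed without its ~SYSTEM line on purpose.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<size>\S+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                     r"(?P<when>\d{4}|\d{2}:\d{2})\s+(?P<path>/\S.*)$")
RP_RE = re.compile(r"/RP(?P<rp>\d+)/~(?P<hive>SOFTWARE|SYSTEM)$")
LIVE_HIVES = "/WINDOWS/system32/config/"


def parse_enum_log(text, current_year):
    """Return [(mtime, size, path)].  A clock time instead of a year means the
    file is from current_year (the ls -l convention; assumed, as the log
    carries no year for those lines)."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp = f"{m['mon']} {m['day']} {m['when']}"
        if ":" in m["when"]:
            ts = datetime.strptime(f"{stamp} {current_year}", "%b %d %H:%M %Y")
        else:
            ts = datetime.strptime(stamp, "%b %d %Y")
        rows.append((ts, m["size"], m["path"]))
    return rows


def live_hive_mtime(rows):
    """Newest mtime of the live SOFTWARE/SYSTEM hives.  Whatever the malware wrote
    to the registry is in these, so a usable snapshot must be older."""
    return max(ts for ts, _, path in rows if LIVE_HIVES in path)


def restore_points(rows):
    """{rp_number: {'SOFTWARE': mtime, 'SYSTEM': mtime}} for the snapshot hive copies."""
    rps = {}
    for ts, _, path in rows:
        m = RP_RE.search(path)
        if m:
            rps.setdefault(int(m["rp"]), {})[m["hive"]] = ts
    return rps


def pick_restore_point(rps, before):
    """Newest RP that has both hives and whose hives both predate `before`;
    None when every snapshot is incomplete or post-dates the cut-off."""
    usable = [(max(h.values()), rp) for rp, h in rps.items()
              if set(h) >= {"SOFTWARE", "SYSTEM"} and max(h.values()) < before]
    return max(usable)[1] if usable else None


SAMPLE = """\
612.0K Jan 16 2005 /mnt/sda1/Minint/system32/config/software
32.9M Jun 19 11:34 /mnt/sda2/WINDOWS/system32/config/software
5.0M Jun 19 11:34 /mnt/sda2/WINDOWS/system32/config/system

32.9M May 31 21:06 /sda2/~/RP943/~SOFTWARE
32.9M Jun 8 20:09 /sda2/~/RP946/~SOFTWARE
32.9M Jun 10 21:57 /sda2/~/RP947/~SOFTWARE
32.9M Jun 13 07:39 /sda2/~/RP948/~SOFTWARE
32.9M Jun 20 09:00 /sda2/~/RP949/~SOFTWARE
4.9M May 31 21:06 /sda2/~/RP943/~SYSTEM
4.9M Jun 10 21:57 /sda2/~/RP947/~SYSTEM
4.9M Jun 13 07:39 /sda2/~/RP948/~SYSTEM
4.9M Jun 20 09:00 /sda2/~/RP949/~SYSTEM
"""

if __name__ == "__main__":
    rows = parse_enum_log(SAMPLE, current_year=2011)   # the thread dates from June 2011
    cutoff = live_hive_mtime(rows)
    rp = pick_restore_point(restore_points(rows), cutoff)
    print(f"live hives last written {cutoff:%Y-%m-%d %H:%M}; newest usable snapshot: RP{rp}")
```

On the log above the answer is RP948 (13 June, six days before the live hives were last written). The onset "a few days ago" that the topic starter describes is the reason to prefer a point with some margin rather than the very latest one, and the snapshot's hive copies, not the live ones, are what an offline restore copies into place after the live hives have been backed up.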



