
Safe Mode Stops Loading After crcdisk.sys


  • This topic is locked
4 replies to this topic

#1 eylikedag

eylikedag

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:39 PM

Posted 19 July 2011 - 10:20 PM

Hey everyone. Recently my computer crashed and when I was trying to start it up again in Safe Mode to fix it, it just hangs on crcdisk.sys. When I try to load it "normally" it just stops at the loading bar and doesn't load from there. I heard the only way to fix this is to just re-install Vista again. Now before I do this, I'm using a partition to back up my hard drive onto another external hard drive as I don't want it to wipe out while I re-install Vista. I was wondering if there was any way I could re-install Vista without the CD? I was also wondering what re-installing Vista meant because I know there is a difference between setting your computer to factory settings and just re-installing Vista. I have a Sony Vaio NR430e running on a 32-bit system. Thanks!


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,762 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:39 AM

Posted 19 July 2011 - 11:17 PM

:welcome:

Before performing such a drastic measure, let's take a look at the system from an external environment.

You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
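An added example, not code from the thread or from the driver.sh / query.sh tools, showing what a responder does with the 512-byte mbr.bin that the dd command above produces: decode the partition table, verify the 0x55AA boot signature, and compare the bootstrap code's hash against a reference hash. The reference hash is assumed to come from a known-clean machine of the same Windows version; the sample sector below is constructed for illustration.

```python
"""Inspect a 512-byte MBR image such as the mbr.bin written by
`dd if=/dev/sda of=mbr.bin bs=512 count=1`.

Added example, not part of the original thread or of the driver.sh / query.sh
tools. The reference hash is an assumption: take it from a known-clean machine
of the same Windows version. The sample image is constructed, not a real disk.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510       # bytes 0x55 0xAA mark a valid boot sector
ENTRY_FMT = "<B3sB3sII"  # status, CHS first, type, CHS last, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Construct a plausible MBR: a short bootstrap stub and two NTFS partitions."""
    boot_code = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24).ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"   # 4-byte disk id + 2 reserved bytes
    p1 = struct.pack(ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\xff" * 3, 2048, 204800)
    p2 = struct.pack(ENTRY_FMT, 0x00, b"\x00" * 3, 0x07, b"\xff" * 3, 206848, 409600)
    empty = b"\x00" * 16
    mbr = boot_code + disk_sig + p1 + p2 + empty + empty + b"\x55\xaa"
    assert len(mbr) == MBR_SIZE
    return mbr


def parse_mbr(data: bytes) -> dict:
    """Decode the bootstrap hash, disk signature, partition table and boot signature."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, data, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 means the slot is unused
            partitions.append({"index": i, "status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_md5": hashlib.md5(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, BOOT_CODE_LEN)[0],
        "boot_sig_ok": data[BOOT_SIG_OFF:] == b"\x55\xaa",
        "partitions": partitions,
    }


def check_mbr(data: bytes, reference_md5=None) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(data)
    findings = []
    if not info["boot_sig_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not any(data[:BOOT_CODE_LEN]):
        findings.append("bootstrap code is all zeros")
    if reference_md5 and info["boot_code_md5"] != reference_md5:
        findings.append("bootstrap code hash differs from reference (possible MBR infection)")
    parts = info["partitions"]
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    by_start = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


if __name__ == "__main__":
    # Usage: python mbr_check.py mbr.bin [reference_md5]; without a file the sample is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    ref = sys.argv[2] if len(sys.argv) > 2 else None
    info = parse_mbr(raw)
    print(f"boot code md5: {info['boot_code_md5']}  disk signature: 0x{info['disk_signature']:08x}")
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02x} status 0x{p['status']:02x} "
              f"LBA {p['lba_start']} sectors {p['sectors']}")
    print("findings:", check_mbr(raw, ref) or "none")
```

A hash mismatch alone is not proof of infection (OEM recovery tools and boot managers also write their own bootstrap code), so compare against a reference taken from the same Vista build and inspect the differing bytes before acting on it.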


#3 eylikedag

eylikedag
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:39 PM

Posted 20 July 2011 - 01:36 AM

report.txt
Tue Jul 19 23:20:59 UTC 2011
Driver report for /mnt/sda2/Windows/System32/drivers


filefind.txt

RegReport.txt
Remote Registry Report

Hive </mnt/sda2/Windows/System32/config/SOFTWARE>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 64 [0x40]
Windows Vista ™ Home Premium
\Microsoft\Windows NT\CurrentVersion> Value <CSDVersion> of type REG_SZ, data length 30 [0x1e]
Service Pack 1
\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
C:\Windows
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 26 [0x1a]
avgrsstx.dll
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\Windows\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 2 subkeys and 0 values
<igfxcui>
<VESWinlogon>
\Microsoft\Windows\CurrentVersion\Run> Node has 1 subkeys and 21 values
<OptionalComponents>
size type value name [value if type DWORD]
100 REG_EXPAND_SZ <Windows Defender>
66 REG_SZ <IgfxTray>
60 REG_SZ <HotKeysCmds>
66 REG_SZ <Persistence>
26 REG_SZ <RtHDVCpl>
70 REG_SZ <Apoint>
114 REG_SZ <Adobe Reader Speed Launcher>
94 REG_SZ <ISBMgr.exe>
90 REG_SZ <SunJavaUpdateSched>
138 REG_SZ <VAIOMyMemCenter>
130 REG_SZ <VWLASU>
132 REG_SZ <OneCareUI>
132 REG_SZ <VAIO Help and Support Demo>
122 REG_SZ <VAIORegistration>
112 REG_SZ <VAIOSurvey>
168 REG_SZ <AppleSyncNotifier>
104 REG_SZ <QuickTime Task>
86 REG_SZ <iTunesHelper>
66 REG_SZ <AVG8_TRAY>
136 REG_SZ <cleanhdm>
136 REG_SZ <cleanhtm>
(...)\Windows\CurrentVersion\Policies\System> Node has 1 subkeys and 16 values
<UIPI>
4 REG_DWORD <ConsentPromptBehaviorAdmin> 2 [0x2]
4 REG_DWORD <ConsentPromptBehaviorUser> 1 [0x1]
4 REG_DWORD <EnableInstallerDetection> 1 [0x1]
4 REG_DWORD <EnableLUA> 1 [0x1]
4 REG_DWORD <EnableSecureUIAPaths> 1 [0x1]
4 REG_DWORD <EnableVirtualization> 1 [0x1]
4 REG_DWORD <PromptOnSecureDesktop> 1 [0x1]
4 REG_DWORD <ValidateAdminCodeSignatures> 0 [0x0]
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
2 REG_SZ <legalnoticecaption>
6 REG_SZ <legalnoticetext>
4 REG_DWORD <scforceoption> 0 [0x0]
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]
4 REG_DWORD <FilterAdministratorToken> 0 [0x0]
4 REG_DWORD <EnableUIADesktopToggle> 0 [0x0]


Hive </mnt/sda2/Users/Guest/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
108 REG_SZ <Sidebar>
88 REG_SZ <WindowsWelcomeCenter>


Hive </mnt/sda2/Users/vana/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
108 REG_SZ <Sidebar>
94 REG_SZ <Aim>


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,762 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:39 AM

Posted 20 July 2011 - 10:34 AM

The MBR (Master Boot Record) is infected.

Boot to the Repair Console. You can do this by booting with the Installation CD, Recovery CD or by tapping on F8 during startup to reach the advanced menu. At the menu select "Repair my computer", then the command prompt. At the prompt type the following and press Enter:

Bootrec /fixmbr

If successful, type Exit and press Enter to leave the prompt and restart the computer.

If able to restart in Normal Mode, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,762 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:39 AM

Posted 11 September 2011 - 11:54 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

