Boot.Tidserv from Norton. Can't remove.


  • This topic is locked
37 replies to this topic

#16 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 02:51 PM

Posted 29 November 2011 - 08:05 AM

Greetings

I need you to make a bootable USB drive and take a screenshot for me. Follow the instructions below to do this.

How to create a bootable Puppy USB Drive

  • Download and save a copy of the latest Puppy ISO file
  • Download and save a copy of Unetbootin for Windows.
  • Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
  • Launch Unetbootin ....
  • Ensure that Disk Image is selected.
  • Using the browse button ... browse to and select the Puppy ISO file.
  • Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive.
  • Click OK
Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

Next

You need to change the boot order of the computer to boot from a USB drive ....

  • Read HERE for instructions on how to do this.

Now boot into Puppy Linux.

When you get to the desktop, click on each of the drive items found in the bottom-left corner to mount them (when mounted they will have a red cross next to them).

Next, launch GParted, which is found at Menu > System > GParted partition manager.
Click to select All Drives, then click Okay.
I need you to take a screenshot of the window that opens up. To do this, follow these instructions:

To take a screenshot in Puppy ....

With the GParted window open ...

  • Click menu > Graphic > mtPaint-snapshot screen capture
  • A small window will open ....

    • Click Capture Now
    • Click OK
  • The mtPaint program will open ....
    • Click File > Save
    • Double click on ../
    • Double click on mnt/
    • Double click on sdb1/
    • Set File Format to JPEG
    • Enter screenshot1 into the text box
    • Click OK

This will save a file called screenshot1.jpeg on the USB drive; paste or attach it to your next post.

Next

  • Click menu > shutdown > power off computer
  • If prompted to save the session click on No

Puppy will now close down.

Remove the USB drive and save it (we will use it again), boot back into Windows and send me the screen capture.

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#17 scott.m (Topic Starter)

  • Members
  • 19 posts
  • Local time: 10:51 AM

Posted 29 November 2011 - 10:05 AM

Here's the file. Hope it displays in the post.
Attached file: screenshot1.jpg (159.08 KB)

#18 gringo_pr

Posted 29 November 2011 - 10:46 AM

I want you to boot back into GParted, highlight each of the two hidden partitions and then click on the trash can to delete them.

Reboot the computer and let me know if it still gives the warning.


gringo

#19 scott.m

Posted 29 November 2011 - 11:03 AM

Nope, Norton still complains. I turned System Restore back on after we did that test. Do you want me to try it without System Restore on? I wouldn't think those partitions would have anything to do with the restore files but...

Scott

#20 gringo_pr

Posted 29 November 2011 - 11:33 AM

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which operating system to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entry and press 'Enter':

fixmbr

#21 scott.m

Posted 29 November 2011 - 12:05 PM

It said it was a non-standard MBR. I let it recreate the MBR and rebooted. Norton still complains.

#22 gringo_pr

Posted 29 November 2011 - 01:05 PM

Hello

Just for fun: uninstall Norton and reinstall it, and let me know if it still complains.


gringo

#23 scott.m

Posted 29 November 2011 - 01:42 PM

Still complains. I removed all user settings and quarantined files during the uninstall.

#24 gringo_pr

Posted 29 November 2011 - 03:22 PM

MBRCheck

Please also download MBRCheck to your desktop.
  • Double-click MBRCheck.exe to run it (on Vista and Win 7, right-click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRCheck will be on your desktop.
  • Open this report.
  • Right-click on the screen and select > Select All.
  • Press Control+C.
  • Now please copy that report to this thread.


#25 scott.m

Posted 29 November 2011 - 04:32 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 viaide.sys
0xBA5AE000 intelide.sys
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E74000 iaStor.sys
0xB9E5C000 atapi.sys
0xB9E19000 ftsata2.sys
0xB9E01000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DE1000 fltmgr.sys
0xB9D8A000 SYMDS.SYS
0xB9D78000 sr.sys
0xB9CBD000 SYMEFA.SYS
0xBA118000 bb-run.sys
0xBA338000 PxHelp20.sys
0xB9CA6000 KSecDD.sys
0xB9C19000 Ntfs.sys
0xB9BEC000 NDIS.sys
0xB9BD2000 Mup.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB915A000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9146000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB911E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA410000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB90FA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA418000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB90E0000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xB8FFE000 \SystemRoot\system32\DRIVERS\smserial.sys
0xBA420000 \SystemRoot\System32\Drivers\Modem.SYS
0xB8FEA000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA428000 \SystemRoot\system32\DRIVERS\PS2.sys
0xBA430000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA438000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA440000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA7A6000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA594000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8FD3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA208000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA448000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8FC2000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA450000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA458000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA460000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xBA228000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5EE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8F9F000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8F41000 \SystemRoot\system32\DRIVERS\update.sys
0xBA5A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA238000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA8A17000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA89F3000 \SystemRoot\system32\drivers\portcls.sys
0xBA258000 \SystemRoot\system32\drivers\drmk.sys
0xBA268000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA600000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA568000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xBA602000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA686000 \SystemRoot\System32\Drivers\Null.SYS
0xBA604000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA490000 \SystemRoot\System32\drivers\vga.sys
0xBA606000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA608000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA4A0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA57C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8998000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA893F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA88E6000 \SystemRoot\System32\Drivers\N360\0501000.01D\SYMTDI.SYS
0xA88C0000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA889A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA288000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA298000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA8817000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111128.030\IDSxpx86.sys
0xA87EF000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA87CD000 \SystemRoot\System32\drivers\afd.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA87A9000 \SystemRoot\system32\drivers\N360\0501000.01D\Ironx86.SYS
0xBA2B8000 \SystemRoot\system32\drivers\N360\0501000.01D\SRTSPX.SYS
0xA86DE000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA866E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2E8000 \SystemRoot\System32\Drivers\Fips.SYS
0xA85A2000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111114.002\BHDrvx86.sys
0xA857E000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA370000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA853E000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA610000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9B96000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA378000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA671000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF073000 \SystemRoot\System32\ialmdd5.DLL
0xBF151000 \SystemRoot\System32\ATMFD.DLL
0xA84DE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8191000 \SystemRoot\system32\drivers\wdmaud.sys
0xA82F6000 \SystemRoot\system32\drivers\sysaudio.sys
0xA8116000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA7FCE000 \SystemRoot\system32\DRIVERS\srv.sys
0xA79F8000 \SystemRoot\System32\Drivers\N360\0501000.01D\SRTSP.SYS
0xA77B0000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20111129.002\NAVEX15.SYS
0xA779C000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20111129.002\NAVENG.SYS
0xA7674000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA7463000 \SystemRoot\System32\Drivers\HTTP.sys
0xA710D000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA70EF000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11120.sys
0xA70C4000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
608 C:\WINDOWS\system32\smss.exe
688 csrss.exe
712 C:\WINDOWS\system32\winlogon.exe
756 C:\WINDOWS\system32\services.exe
768 C:\WINDOWS\system32\lsass.exe
924 C:\WINDOWS\system32\svchost.exe
988 svchost.exe
1084 C:\WINDOWS\system32\svchost.exe
1148 svchost.exe
1216 svchost.exe
1492 C:\WINDOWS\explorer.exe
1636 C:\WINDOWS\system32\spoolsv.exe
1816 svchost.exe
1896 PresentationFontCache.exe
1988 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
168 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
160 C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
216 C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
376 C:\WINDOWS\system32\svchost.exe
1468 C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
2232 alg.exe
2420 C:\WINDOWS\system32\hkcmd.exe
2428 C:\WINDOWS\system32\igfxpers.exe
2568 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
2608 C:\WINDOWS\sm56hlpr.exe
2628 C:\WINDOWS\SOUNDMAN.EXE
2652 C:\WINDOWS\ALCWZRD.EXE
2684 C:\Program Files\Common Files\AOL\1322003842\ee\aolsoftware.exe
2696 C:\WINDOWS\system32\ctfmon.exe
2732 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
2792 C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
3180 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
3416 C:\hp\KBD\kbd.exe
3564 C:\WINDOWS\ALCMTR.EXE
416 C:\WINDOWS\system\hpsysdrv.exe
3324 C:\Documents and Settings\HP_Owner.ELMOS-PC\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`e0ce4000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3200822AS, Rev: 3.02

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#26 scott.m

Posted 30 November 2011 - 01:10 AM

I uninstalled Norton Internet Security and installed Microsoft Security Essentials just to see if it was a false positive. MSE tags the malware as:
Trojan:DOS/Alureon.E
on
boot:\\.\PHYSICALDDRIVE0\Partition2 (Type 17)
boot:\\.\PHYSICALDDRIVE0\Partition3 (Type 17)

The removal process fails with error code:0x80501001
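
The "Type 17" entries MSE reports here, and why the fixmbr step earlier in the thread could not clear them, can be seen at the partition-table level. What follows is an added example, not part of the original thread and not code from MBRCheck, MSE or GParted: a small Python script that parses a 512-byte MBR, lists table slots whose type byte marks them hidden (0x17 is hidden NTFS/HPFS, which is the reading of MSE's "Type 17" assumed here), hashes the boot code the way an MBR checker fingerprints it (which exact bytes MBRCheck hashes is an assumption), then shows that replacing the boot code, which is what fixmbr does, leaves the partition table and therefore the hidden slots untouched, while zeroing those slots, which is what GParted's delete followed by Apply does, removes them. The sample sector, its slot order and the placeholder boot-code bytes are constructed to resemble the offsets in the MBRCheck report above; nothing here is copied from the user's disk.

```python
"""Added example (not from the thread, MBRCheck, MSE or GParted): inspect and
edit a 512-byte MBR the way those tools' reports and actions touch it.

The sample sector at the bottom is CONSTRUCTED to resemble the layout the
thread reports (FAT32 D: at byte 0x7e00, NTFS C: at 0x1e0ce4000, two hidden
slots read as type 0x17); it is not a copy of the user's disk.
"""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446         # boot code is bytes 0..445, then four 16-byte slots
ENTRY_FMT = "<B3xB3xII"    # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIGNATURE = b"\x55\xaa"

# Type bytes that are a common type with the 0x10 "hidden" bit set.
HIDDEN_TYPES = {
    0x11: "hidden FAT12", 0x14: "hidden FAT16 (<32 MB)", 0x16: "hidden FAT16",
    0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and up to four (boot, type, lba, count) tuples."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_mbr(sector: bytes):
    """Return the four table slots as dicts; an unused slot has type 0."""
    if len(sector) != SECTOR or sector[510:] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    slots = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        slots.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "lba": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return slots


def hidden_partitions(sector: bytes):
    """(slot index, description) for every slot whose type byte marks it hidden."""
    return [(p["index"], HIDDEN_TYPES[p["type"]])
            for p in parse_mbr(sector) if p["type"] in HIDDEN_TYPES]


def boot_code_sha1(sector: bytes) -> str:
    """SHA-1 over the boot-code bytes (assumption: what an MBR checker fingerprints)."""
    return hashlib.sha1(sector[:TABLE_OFFSET]).hexdigest()


def rewrite_boot_code(sector: bytes, new_code: bytes) -> bytes:
    """A fixmbr-style repair: new boot code, partition table and signature untouched."""
    return new_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET] + sector[TABLE_OFFSET:]


def delete_partitions(sector: bytes, indexes) -> bytes:
    """What GParted's delete + Apply does to the table: zero the chosen slots."""
    buf = bytearray(sector)
    for idx in indexes:
        start = TABLE_OFFSET + 16 * (idx - 1)
        buf[start:start + 16] = bytes(16)
    return bytes(buf)


# --- constructed sample (slot order chosen to match MSE's Partition2/Partition3 labels) ---
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # placeholder, not real Windows boot code
MODIFIED_BOOT_CODE = b"\xeb\xfe" + b"\x90" * 20     # placeholder for a "non-standard" MBR
NTFS_START = 0x1E0CE4000 // SECTOR                  # LBA 0xF06720, the C: offset in the MBRCheck report
SAMPLE_MBR = build_mbr(MODIFIED_BOOT_CODE, [
    (0x00, 0x0B, 63, NTFS_START - 63),                   # slot 1: D:, FAT32, byte offset 0x7e00
    (0x00, 0x17, 390_000_000, 200_000),                  # slot 2: hidden NTFS near the end of the disk
    (0x00, 0x17, 390_200_000, 200_000),                  # slot 3: hidden NTFS
    (0x80, 0x07, NTFS_START, 390_000_000 - NTFS_START),  # slot 4: C:, NTFS, active
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"Partition{p['index']}: type 0x{p['type']:02X} offset 0x{p['byte_offset']:x} "
              f"{HIDDEN_TYPES.get(p['type'], '')}")
    print("boot code sha1:", boot_code_sha1(SAMPLE_MBR))
    repaired = rewrite_boot_code(SAMPLE_MBR, CLEAN_BOOT_CODE)
    print("after fixmbr-style rewrite:", hidden_partitions(repaired))   # still two hidden slots
    cleaned = delete_partitions(repaired, [i for i, _ in hidden_partitions(repaired)])
    print("after delete + apply:", hidden_partitions(cleaned))           # []
```

To point parse_mbr at a real disk from Puppy, read the first sector with `dd if=/dev/sda bs=512 count=1` and pass those bytes in; the rewrite and delete functions only return new bytes and never write to a device, so the script is safe to run as a read-only check. Note that a hidden entry only disappears once the table is actually written back, which is the difference between GParted's pending operation and Apply that the thread runs into later.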

#27 gringo_pr

Posted 30 November 2011 - 08:40 AM

I want you to give me another screenshot with Puppy and GParted again.

They are reading the two hidden partitions.



gringo

#28 scott.m

Posted 30 November 2011 - 10:42 AM

It's still showing those two hidden partitions. You want me to delete them again?
Attached file: screenshot2.jpg (209.56 KB)

#29 gringo_pr

Posted 30 November 2011 - 10:51 AM

Yes, that is what is showing up in the scans.

gringo

#30 scott.m

Posted 30 November 2011 - 11:04 AM

My bad. When I removed them last, I hit delete and didn't notice they were just in a pending state. I clicked on apply this time. I'm running a scan now to see if it's clean and will let you know, then close this incident. Thanks for your help. I learned a little more on this one.

Scott



