
Google Redirects after removing Vista Security virus


This topic is locked
68 replies to this topic

#1 Derren

  • Members
  • 133 posts

Posted 15 December 2011 - 09:15 PM

I am using Windows Vista Business (SP2) on a 32 bit machine.

I recently recovered from the Vista Security 2012 virus following the instructions found on bleepingcomputer.com.

Since then, I am unable to click on any Google search results without being redirected to an ad site. Also, every few minutes I get a Windows message saying "TCP/IP Ping command has stopped working." Neither of these problems existed before the outbreak of Vista Security 2012 virus.

I have Malwarebytes' Anti-Malware installed on my machine and this is what I used (along with the other steps included in the bleeping computer instructions) to recover from the Vista Security virus.

The TCP/IP issue appears to only occur after I have opened a browser.

Following the directions given to me from this thread:

http://www.bleepingcomputer.com/forums/topic432622.html

I have created the specified logs and I will post them below.

Please note that I checked on my Windows firewall and I'm unable to activate it; Windows encounters an unidentified error and I'm unable to interact with it.

Also note that while running GMER (it ran several hours) AVG AntiVirus popped up with the following:

"Threat was Blocked!"
File Name: tubeni.com/enterpoint.php?tsub=11
Threat Name: Exploit JavaScript Obfuscation (type 156)
Process Name: C:\Windows\System32\Ping.exe
Process ID: 5704

Also, another "TCP/IP Ping Command has stopped working" error popped up during the GMER scan.

At the end of the GMER scan I received a warning:

"Warning!!! GMER has found system modification caused by rootkit activity."

I have taken no action. The DDS.txt log follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Derren at 13:39:31 on 2011-12-15
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2012.780 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\ifxspmgt.exe
C:\Windows\system32\ifxtcs.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Windows\system32\IfxPsdSv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\Explorer.EXE
C:\windows\SMINST\scheduler.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Mindjet\MindManager 8\MmReminderService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Mesh\WLSync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PhraseExpress\phraseexpress.exe
C:\Windows\system32\ifxuagui.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Windows Live\Mesh\MOE.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.thirdgen.org/techboard/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CmjBrowserHelperObject Object: {6fe6a929-59d1-4763-91ad-29b61cffb35b} - c:\program files\mindjet\mindmanager 8\Mm8InternetExplorer.dll
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WLSync] "c:\program files\windows live\mesh\WLSync.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\hp\setrefresh\SetRefresh.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MMReminderService] c:\program files\mindjet\mindmanager 8\MMReminderService.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\phrase~1.lnk - c:\program files\phraseexpress\phraseexpress.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
IE: {2F72393D-2472-4F82-B600-ED77F354B7FF} - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - c:\program files\mindjet\mindmanager 8\Mm8InternetExplorer.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
TCP: Interfaces\{10B9A43D-86ED-4095-B9C8-5312D48D8CA2} : DhcpNameServer = 68.87.69.150 68.87.85.102
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = SbHpNp scecli ASWLNPkg
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\derren\appdata\roaming\mozilla\firefox\profiles\up7yn32n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://revit-progress.blogspot.com
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\derren\appdata\roaming\mozilla\firefox\profiles\up7yn32n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\derren\appdata\roaming\mozilla\firefox\profiles\up7yn32n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nptgeqplugin.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\derren\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\derren\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-6-14 13184]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-4-18 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-6-13 5808]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-1-20 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-1-20 21504]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-7-9 221184]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-10-3 2255464]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-1-14 576024]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-8-3 379496]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-1-14 2521880]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-12-9 246624]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-12-11 41272]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-10-3 139368]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-12-15 17:04:17 -------- d-----w- c:\users\derren\appdata\local\{0EBF6FC6-6337-4B29-8034-688D1DE32848}
2011-12-15 17:03:46 -------- d-----w- c:\users\derren\appdata\local\{7F50318D-9034-493D-B4D4-F4C23C64F0A1}
2011-12-15 05:02:57 -------- d-----w- c:\users\derren\appdata\local\{E3446C07-861A-4308-BEE2-84C9BFA7C12E}
2011-12-15 05:02:27 -------- d-----w- c:\users\derren\appdata\local\{5E2F3A56-89F3-4847-B3DC-AAA538C6ED6E}
2011-12-14 17:01:30 -------- d-----w- c:\users\derren\appdata\local\{2C8339DC-26A0-4118-8F3D-5E4A532A7B1B}
2011-12-14 17:00:49 -------- d-----w- c:\users\derren\appdata\local\{5A8A3411-B68A-48C5-B6F8-E7C127630540}
2011-12-13 05:28:39 -------- d-----w- c:\users\derren\appdata\local\{C6D1905B-A2B2-42F9-9F6A-4890525E7DD7}
2011-12-13 05:28:05 -------- d-----w- c:\users\derren\appdata\local\{C401A426-1A16-4AF4-BF19-6CB774AD0ADE}
2011-12-12 12:07:47 -------- d-----w- c:\users\derren\appdata\local\{4B29E9AA-7354-41BF-9E61-F7F31209E1B8}
2011-12-12 12:07:13 -------- d-----w- c:\users\derren\appdata\local\{6347AB2A-E5B7-4873-9262-55A8DC5331A2}
2011-12-11 20:01:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-11 18:39:28 -------- d-----w- c:\users\derren\appdata\local\{E39B1BEA-605C-40EC-9F15-88EBAAB27BC1}
2011-12-11 18:38:56 -------- d-----w- c:\users\derren\appdata\local\{D5080932-1ED8-4D4E-81C9-8D5C37404EF4}
2011-12-11 06:35:14 -------- d-----w- c:\users\derren\appdata\local\{D1591AFF-CA0E-4DC9-B7FF-34F3A11E915E}
2011-12-11 06:34:44 -------- d-----w- c:\users\derren\appdata\local\{9C541772-3CED-42A3-992E-41B0FF68790A}
2011-12-10 16:19:43 -------- d-----w- c:\users\derren\appdata\local\{1365722F-2D3A-43E8-ABD9-2FFB617F96D9}
2011-12-10 16:19:10 -------- d-----w- c:\users\derren\appdata\local\{E9B8AC79-BDDB-47A4-9D5C-AE4A190F4D2D}
2011-12-09 20:06:06 -------- d-----w- c:\users\derren\appdata\local\{8A50703E-CBCD-4E5B-BA9F-5F525E71FC4C}
2011-12-09 20:05:44 -------- d-----w- c:\users\derren\appdata\local\{FE6E065D-E278-4DE4-870F-6AD0BE2B12AE}
2011-12-09 19:09:05 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-12-09 19:06:47 -------- d-----w- c:\users\derren\appdata\roaming\AVG2012
2011-12-09 19:05:54 -------- d-----w- c:\programdata\AVG2012
2011-12-09 16:13:36 -------- d-----w- c:\users\derren\appdata\roaming\Malwarebytes
2011-12-09 16:13:19 -------- d-----w- c:\programdata\Malwarebytes
2011-12-09 16:13:15 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 16:13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-09 08:01:34 -------- d-----w- c:\users\derren\appdata\local\{077875F1-4783-4C70-BDFD-EA38E4FF9AF0}
2011-12-08 20:00:50 -------- d-----w- c:\users\derren\appdata\local\{30CC96F5-B163-4EDD-BF14-3A80A98604BE}
2011-12-08 08:00:13 -------- d-----w- c:\users\derren\appdata\local\{44477553-E07E-462B-A6E7-513FA6630D65}
2011-12-07 19:59:34 -------- d-----w- c:\users\derren\appdata\local\{4C36626D-4D58-492B-8F8A-DA2686D4889E}
2011-12-07 07:58:59 -------- d-----w- c:\users\derren\appdata\local\{003728A4-AD13-416C-880C-A7D17CB1750F}
2011-12-06 19:58:23 -------- d-----w- c:\users\derren\appdata\local\{FD6BA690-F5FC-4BA8-9234-AA76C99A5DCB}
2011-12-06 07:57:49 -------- d-----w- c:\users\derren\appdata\local\{6D2E470A-875E-4FD3-B512-F072695B5231}
2011-12-05 19:57:14 -------- d-----w- c:\users\derren\appdata\local\{A5013987-4D2A-41C8-82DF-D76E8AFC3CE8}
2011-12-05 19:56:53 -------- d-----w- c:\users\derren\appdata\local\{FC638352-6114-43C8-890B-314CBDFBE232}
2011-12-05 07:56:27 -------- d-----w- c:\users\derren\appdata\local\{FF95D814-672E-4355-9E16-7F263025A34A}
2011-12-05 07:56:05 -------- d-----w- c:\users\derren\appdata\local\{6C79ADEF-0801-48EA-A495-C032F68E7D86}
2011-12-04 19:55:40 -------- d-----w- c:\users\derren\appdata\local\{0BA3E354-7553-4FAA-8FAD-AA5B39B5457C}
2011-12-04 07:55:05 -------- d-----w- c:\users\derren\appdata\local\{9F00B3EA-9F9E-4C6D-AF74-9F077942FD4C}
2011-12-03 19:54:29 -------- d-----w- c:\users\derren\appdata\local\{6DB4D3FB-0728-480C-B0C2-BA5AABDF7C2E}
2011-12-03 19:54:08 -------- d-----w- c:\users\derren\appdata\local\{2FDB189F-939D-4B24-B8FB-9ECFC1B21EC7}
2011-12-03 07:53:42 -------- d-----w- c:\users\derren\appdata\local\{C2CC3645-20F2-44E8-96F5-2545EAA34B2C}
2011-12-02 19:53:06 -------- d-----w- c:\users\derren\appdata\local\{B3013C2B-577D-47CA-B9DD-B429A653762D}
2011-12-02 07:52:29 -------- d-----w- c:\users\derren\appdata\local\{67DF294E-12F4-4C68-8F59-CB01095B63C3}
2011-12-01 19:51:55 -------- d-----w- c:\users\derren\appdata\local\{4A2C63CB-CC93-4804-84BE-5F464B255463}
2011-12-01 07:51:20 -------- d-----w- c:\users\derren\appdata\local\{9AEDFAF6-23E8-4DE2-99E0-4BF0038121D2}
2011-11-30 19:50:44 -------- d-----w- c:\users\derren\appdata\local\{D1B4CA0A-06DB-4EAF-B5B6-1786F67FD2B5}
2011-11-30 19:50:23 -------- d-----w- c:\users\derren\appdata\local\{E3A60C96-F57D-44B5-820C-5C2A841565C7}
2011-11-30 07:49:56 -------- d-----w- c:\users\derren\appdata\local\{38D20467-F16A-4534-8FC0-89314E56827A}
2011-11-29 19:49:20 -------- d-----w- c:\users\derren\appdata\local\{409F7C4F-E8D8-4FCE-8BCA-1748F22D5A5D}
2011-11-29 07:48:44 -------- d-----w- c:\users\derren\appdata\local\{0F718708-2860-455E-A0B8-A5D94EA3D8BC}
2011-11-28 19:48:09 -------- d-----w- c:\users\derren\appdata\local\{E654A986-C926-4574-ABA4-E33E84F0D254}
2011-11-28 19:47:47 -------- d-----w- c:\users\derren\appdata\local\{537D5880-7E41-411A-AC24-0006F9137C17}
2011-11-28 07:47:20 -------- d-----w- c:\users\derren\appdata\local\{B4F0F44D-3911-4EA1-98A4-136FF96B6E02}
2011-11-27 19:46:40 -------- d-----w- c:\users\derren\appdata\local\{F4B0F5E1-F07D-4BA7-BF0D-CDB28C64FF0F}
2011-11-27 07:45:56 -------- d-----w- c:\users\derren\appdata\local\{F626C1DA-B32C-4AEC-8A9D-7F39BF309272}
2011-11-26 19:45:20 -------- d-----w- c:\users\derren\appdata\local\{00C1763C-EADB-46B3-A33A-7AD3320050F4}
2011-11-26 07:44:44 -------- d-----w- c:\users\derren\appdata\local\{123CC282-6F70-43A3-9EAA-C385938F0BEE}
2011-11-25 19:44:07 -------- d-----w- c:\users\derren\appdata\local\{626BE9B4-48FA-4C76-AE91-B817D24DD723}
2011-11-25 07:43:33 -------- d-----w- c:\users\derren\appdata\local\{C624FD6C-9158-4DF8-9911-4626667A62D2}
2011-11-24 19:42:59 -------- d-----w- c:\users\derren\appdata\local\{D386048F-DB06-4942-BEB7-F84127064D75}
2011-11-24 07:42:26 -------- d-----w- c:\users\derren\appdata\local\{9E274BB4-D22A-4CD8-A81B-AB493490584F}
2011-11-23 19:41:52 -------- d-----w- c:\users\derren\appdata\local\{0F9396A8-406A-4C4B-A5D4-06C84AA76A81}
2011-11-23 19:41:31 -------- d-----w- c:\users\derren\appdata\local\{29F605CE-9B64-4789-A40B-926FF93B55C0}
2011-11-23 07:41:05 -------- d-----w- c:\users\derren\appdata\local\{05534630-706D-488A-BB3C-5E4092F5B1A4}
2011-11-22 19:40:29 -------- d-----w- c:\users\derren\appdata\local\{A3FD6ED0-B22D-4806-B10C-1EAFD2196194}
2011-11-22 07:39:54 -------- d-----w- c:\users\derren\appdata\local\{6D1F29B7-4B41-49A4-AD2D-B656BAF710A5}
2011-11-22 07:39:32 -------- d-----w- c:\users\derren\appdata\local\{C44CFCCF-2070-4B93-910D-C88C1774ECEF}
2011-11-21 19:39:09 -------- d-----w- c:\users\derren\appdata\local\{52D0DF0E-9219-40DC-A18E-E5C2BE75D246}
2011-11-21 19:38:47 -------- d-----w- c:\users\derren\appdata\local\{4C64FC95-A4FD-4B87-8B01-54426E0A1909}
2011-11-21 07:38:22 -------- d-----w- c:\users\derren\appdata\local\{034C303E-308F-40B8-ADF2-D516B84C17E9}
2011-11-20 19:37:46 -------- d-----w- c:\users\derren\appdata\local\{1B5AF70B-5227-4471-9451-B2EF39B082CE}
2011-11-20 07:37:10 -------- d-----w- c:\users\derren\appdata\local\{62D8D3C3-DC41-4F91-8088-CA0D2473F67E}
2011-11-19 19:36:34 -------- d-----w- c:\users\derren\appdata\local\{03400343-5D2C-49F1-BD56-FE7F2F88E251}
2011-11-19 07:36:00 -------- d-----w- c:\users\derren\appdata\local\{BB50EF34-957B-4BC5-93F5-8EE79A5B051D}
2011-11-18 19:35:25 -------- d-----w- c:\users\derren\appdata\local\{AEBD134A-7E01-4DA2-9993-3F225E98FD67}
2011-11-18 07:34:50 -------- d-----w- c:\users\derren\appdata\local\{5C84DAFF-26ED-44DB-A0AD-AB3270FB407D}
2011-11-17 19:34:15 -------- d-----w- c:\users\derren\appdata\local\{4E163DCD-ED96-4516-8D03-00849D364AC4}
2011-11-17 07:33:41 -------- d-----w- c:\users\derren\appdata\local\{11AF8D7E-F482-4B7C-B76D-CA8F9ED36B90}
2011-11-17 07:33:19 -------- d-----w- c:\users\derren\appdata\local\{3C662463-263F-48E6-B66D-27A7D55BE47D}
2011-11-16 19:32:53 -------- d-----w- c:\users\derren\appdata\local\{F00D656C-4DFC-4E94-8E87-D463ABA5AB26}
2011-11-16 07:32:14 -------- d-----w- c:\users\derren\appdata\local\{60A28691-8FEA-4D3E-9686-E200534208AA}
.
==================== Find3M ====================
.
2011-11-21 15:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 16:08:43 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-10-07 14:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 14:21:16 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-10-03 12:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-01 00:04:09 319456 ----a-w- c:\windows\DIFxAPI.dll
2011-09-30 00:20:32 168234 ----a-w- c:\windows\DUMP4b03.tmp
2011-09-20 21:02:55 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 13:41:09.85 ===============

Thank you for helping!!

Edited by Derren, 15 December 2011 - 09:21 PM.
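The detail in the post above that a responder reads first is the AVG alert: obfuscated JavaScript was blocked while the process receiving it was C:\Windows\System32\Ping.exe, and the same ping.exe sits between two iexplore.exe entries in the DDS process list. A console ping utility has no business receiving web content, so that pattern points at code running inside a process it does not belong to. The script below is an added example, not part of the thread and not a BleepingComputer tool: it splits a DDS log into its sections, flags console network utilities found in the Running Processes list, and lists the hooking and persistence entries in the Pseudo HJT Report that a responder verifies by hand (each of them can be legitimate; on this machine the AppInit_DLLs and LSA entries are consistent with the HP ProtectTools and Drive Encryption software listed elsewhere in the log). The embedded excerpt is a handful of lines copied from the log above and shortened so the example runs offline.

```python
"""Triage pass over a DDS log: pulls out the entries a responder reads first."""
import re
from dataclasses import dataclass

# Constructed excerpt: a few lines copied from the DDS log posted in this thread,
# shortened so the example runs offline.
DDS_EXCERPT = r"""
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.thirdgen.org/techboard/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
LSP: mswsock.dll
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = SbHpNp scecli ASWLNPkg
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
"""

# DDS section headers look like "====== Name ======".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Hooking/persistence points in the HJT section. Every one of these can be
# legitimate (on the machine in this thread the AppInit_DLLs and LSA entries are
# consistent with the HP security software in the log); they are listed because
# a responder checks each by hand rather than trusting the name.
HJT_REVIEW = {
    "appinit_dlls:": "AppInit_DLLs is loaded into every process that links user32.dll",
    "lsa:": "LSA notification package runs inside lsass.exe and sees password changes",
    "lsp:": "Winsock LSP sits in the path of every socket call",
    "hosts:": "hosts override can silently redirect or block a site",
    "notify:": "Winlogon notify DLL runs at logon/logoff",
}

# Console network utilities that normally exist only while someone has a prompt
# open. In this thread the AV alert attributed web content to ping.exe.
CONSOLE_NET_TOOLS = {"ping.exe", "nslookup.exe", "ipconfig.exe", "netstat.exe", "tracert.exe"}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_sections(text):
    """Return {section name: [lines]}; DDS filler lines ('.') and text before the first header are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return the findings a responder would look at first, in log order."""
    sections = parse_sections(text)
    findings = []
    for line in sections.get("Running Processes", []):
        exe = line.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in CONSOLE_NET_TOOLS:
            findings.append(Finding("Running Processes", line,
                                    f"{exe} is a console network utility; check what launched it"))
    for line in sections.get("Pseudo HJT Report", []):
        key = line.split(" ", 1)[0].lower()   # e.g. "AppInit_DLLs:" -> "appinit_dlls:"
        if key in HJT_REVIEW:
            findings.append(Finding("Pseudo HJT Report", line, HJT_REVIEW[key]))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print(f"[{f.section}] {f.line}\n    -> {f.reason}")
```

Run against the full log, the script gives the same five leads a human reader picks out: one process to explain and four hooking points to verify against their vendor, which is exactly the order in which the cleanup in this thread proceeds.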


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto rico

Posted 18 December 2011 - 03:57 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Derren (Topic Starter)

  • Members
  • 133 posts

Posted 18 December 2011 - 08:56 PM

Thank you for your help Gringo.

Presently, my problem has changed. I shut down the computer last night, and now when it starts I have no keyboard or mouse. There are no lights on the keyboard or mouse either. I am unable to enter my password on the startup screen.

I tried hitting F8 to get it start in Safe Mode, and I was able to get to the Safe Mode options. I used the down arrow to select Safe Mode with Networking, so I had keyboard functionality at that point. But unfortunately when the password screen appeared I once again was unable to use the keyboard or mouse. I had to do a hard shut down.

So I'm using another computer to reply.

What can I do now?

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto rico

Posted 18 December 2011 - 09:31 PM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

#5 Derren

Derren
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 18 December 2011 - 11:54 PM

Thank you Gringo.

I followed the instructions exactly. When I attempted to start from the USB, I see the xPUD Screen, then I get a black screen with many lines of text (appears to be loading or something) then it ends with some errors including:

No devices detected.
Fatal server error:
No screens found

ddxSigGiveUp (followed by a bunch of text)

xinit: No such file or directory (errno 2): Unable to connect to X server
xinit: No such process (errno 3): Server error
xauth: (argv):1: bad display name "(none):0" in "remove" command
sh: no job control in this shell
sh-4.0# _

Did I do something wrong in preparing the USB?

Edited by Derren, 18 December 2011 - 11:55 PM.


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:36 AM

Posted 19 December 2011 - 12:30 AM

Hello


Try and remake the USB and see if it works.


gringo

#7 Derren

Derren
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 19 December 2011 - 11:58 AM

I have remade the USB exactly per instructions. I am about to attempt to boot my sick computer from the USB.

Can you please clarify for me when I am supposed to hit F12? When my computer starts there is a screen with several options listed across the bottom. I can't remember them all, but I think they were F9 thru F12 and the F12 option was "F12 Network."

The first time I tried yesterday I hit F12 here and the second time I did not. Both times I ended up at the xPUD language select screen. The only prompt I received was the opportunity to change the language.

So I just wonder if I failed to hit F12 at the proper time?

I'd kind of like to know before I give this fresh USB its first try.

Thank you again,

Derren

Edited by Derren, 19 December 2011 - 01:06 PM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:36 AM

Posted 19 December 2011 - 02:54 PM

Hello


If the computer is set up to boot from the USB, then you don't need to do anything.


gringo

#9 Derren

Derren
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 19 December 2011 - 04:07 PM

Hello Gringo,

I went through the procedure again. I inserted the USB and powered the computer on. I didn't push anything. The xPUD language select screen came up with a countdown that said it would boot in so many seconds. I pushed nothing and let it count down and boot itself.

The result was the same. A black "DOS" looking screen came up, said it was loading etc. Then a couple more screens went by and it stopped with the identical screen I described before.

I'm on a 32 bit Windows Vista Business (SP2) machine. What am I doing wrong?

Thank you again for your help.

-Derren

EDIT: I just noticed that the last line (sh-4.0# _) is a prompt waiting for input and I am able to type in characters. I don't know if that makes any difference.

UPDATE: After letting it sit there for a couple of hours, an additional prompt has appeared. It says "Display all 489 possibilities? (y or n)"

Edited by Derren, 19 December 2011 - 07:23 PM.


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:36 AM

Posted 19 December 2011 - 09:32 PM

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#11 Derren

Derren
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 20 December 2011 - 03:20 PM

Hello Gringo,

I'm using the same flash drive I used for the earlier attempts to boot from the USB. However, I deleted all the old xPUD stuff off the USB and only put on the Farbar Recovery Scan Tool.

Maybe as a result of our earlier efforts, the computer appears to be trying to boot from the USB still.

When I turn the computer on with the USB connected, it stalls on the following screen:

Attempting Boot From USB Device

SYSLINUX 3.72 2008-09-25 EBIOS Copyright © 1994-2008 H. Peter Anvin

Could not find kernel image: linux
boot:
(*and now it shows a command prompt awaiting input*)

I have been careful to follow all your instructions to the letter. I'm not sure what I'm doing wrong.

I started hitting F8 as soon as the first screen appeared (the first thing I see is a blue screen with the HP logo and the word "Invent" below it and a little intel logo at the bottom right).

What am I doing wrong? Was I supposed to leave the xPUD stuff on the USB?

Thank you for helping Gringo.

Edited by Derren, 20 December 2011 - 07:12 PM.


#12 Derren

Derren
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 22 December 2011 - 03:35 PM

Hello Gringo,

I'm giving this a 48 hour bump per instructions.

And thank you for your help!

-Derren

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:36 AM

Posted 23 December 2011 - 08:23 AM

Let's try this from a CD and see if we have better luck.


Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

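The xPUD steps in this post and in post #4 assume the File / Tool GUI comes up; when X fails as in replies #5 and #9 and leaves the sh-4.0# prompt, the same work can be done from the shell. This is an added example, not part of the thread or of xPUD or driver.sh; it assumes the device folders are already mounted under /mnt (pass another base directory to try it elsewhere) and that driver.sh writes report.txt into the directory it is run from.

```shell
#!/bin/sh
# Added example (not from the thread, xPUD, or driver.sh). Does from the shell
# what the GUI steps "File > mnt > sdb1 > Tool > Open Terminal > bash driver.sh"
# do: locate the mounted volume carrying driver.sh, run it there, and confirm
# that report.txt was written next to it.
# Assumption: volumes are mounted as subdirectories of the base directory
# (e.g. /mnt/sda1, /mnt/sdb1), as the thread's File browser shows them.

find_script_volume() {
    # $1 = base directory of per-device mount points (e.g. /mnt)
    # $2 = script to look for (e.g. driver.sh)
    # Prints the first volume that contains the script; returns 1 if none does.
    for dir in "$1"/*/; do
        if [ -f "${dir}$2" ]; then
            printf '%s\n' "${dir%/}"
            return 0
        fi
    done
    return 1
}

run_driver_script() {
    # $1 = base directory, $2 = script name. Prints the path of report.txt.
    vol=$(find_script_volume "$1" "$2") || {
        echo "No volume under $1 contains $2; is the USB inserted and mounted?" >&2
        return 1
    }
    # The thread types "bash driver.sh"; fall back to sh if bash is absent.
    if command -v bash >/dev/null 2>&1; then interp=bash; else interp=sh; fi
    # Run inside the volume so the report lands where the thread says to look.
    ( cd "$vol" && "$interp" "$2" ) || return 1
    if [ ! -f "$vol/report.txt" ]; then
        echo "$2 finished but wrote no report.txt in $vol" >&2
        return 1
    fi
    printf '%s\n' "$vol/report.txt"
}
```

At the real prompt this would be `run_driver_script /mnt driver.sh`; if it reports that no volume contains the script, the USB is not mounted and the GUI's File browser (which mounts on click) has not run.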
#14 Derren

Derren
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 23 December 2011 - 02:35 PM

Hello Gringo,

I created the CD and the USB as described. However, the result was identical to the result described in reply #5 above (where I get a "DOS" looking screen and a prompt awaiting input).

Am I using the correct files for my system?

Thanks again for helping me.

-Derren

Edited by Derren, 23 December 2011 - 02:35 PM.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:36 AM

Posted 23 December 2011 - 07:14 PM

Hello

go here and download the extra drivers - http://www.xpud.org/download.en.html#tab-4


gringo