Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System infected: Tidserv activity detected


  • This topic is locked This topic is locked
54 replies to this topic

#1 karldd

karldd

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 09 January 2012 - 05:01 PM

My antivirus software(SEP11) keeps giving me the pop up message 'system infected: tidserv activity detected' Also sometimes get tidserv 2 activity on start up.I have read forums and tried using tdsskiller and fixtdss but neither solved the problem. Also completed full PC virus scan. I was previously infected with XP internet security 2012 and was able to remove by using malwarebytes. But now still get the above message. PC seems to be working OK other than this constant popup message from SEP11. Read forums, says it might be 'zeroaccess'? Please need help to remove. Here are logs and attachements as requested.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Karl at 18:53:36 on 2012-01-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.744 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe
C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {57F02779-3D88-4958-8AD3-83C12D86ADC7} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\backup~1.lnk - c:\program files\ascomp software\backup maker\bkmaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A99D7E22-B9DA-4601-8DF0-0D98393A38F9} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\karl\application data\mozilla\firefox\profiles\dzcuffr0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49758
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\karl\application data\mozilla\firefox\profiles\dzcuffr0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\karl\application

data\mozilla\firefox\profiles\dzcuffr0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-18 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-18 108392]
R2 KODAK Picture Transfer Agent;Kodak picture transfer agent;c:\program files\kodak\kodak utilities\pts\Kodak Picture Transfer Service.exe [2007-7-17 233472]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-2-1 2440120]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-16 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-26 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111223.035\NAVENG.SYS [2011-12-24 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111223.035\NAVEX15.SYS [2011-12-24 1576312]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2006-6-27 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2006-6-27 17700]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-7 135664]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2006-6-27 76260]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-7 135664]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
.
=============== Created Last 30 ================
.
2012-01-07 15:15:10 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2012-01-05 01:23:55 -------- d-----w- c:\documents and settings\karl\local settings\application data\SanctionedMedia
2011-12-24 14:25:15 -------- d-----w- c:\documents and settings\karl\local settings\application data\PCHealth
2011-12-22 22:07:54 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-12-22 22:07:54 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
.
==================== Find3M ====================
.
2012-01-07 15:04:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-07 15:04:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-20 20:57:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 18:55:01.26 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 10 January 2012 - 04:15 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#3 karldd

karldd
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 10 January 2012 - 07:18 PM

Here is the log for combofix.

I now cannot access internet at all. I followed directions to manually restore internet connection. After clicking 'repair' I get message: "Windows could not finish repairing the problem because the following action cannot be completed: Renewing your IP address. For assistance contact the person who manages your network"

ComboFix 12-01-10.02 - Karl 01/10/2012 18:18:01.1.1 - x86
Running from: c:\documents and settings\Karl\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Karl\Application Data\0FC9.5FE
c:\documents and settings\Karl\Application Data\AdobeDLM.log
c:\documents and settings\Karl\Application Data\Local
c:\documents and settings\Karl\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\Karl\Application Data\Local\Temp\DDM\Settings\Post_Install_RB_HiQ_en.divx.ddr
c:\documents and settings\Karl\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
c:\documents and settings\Karl\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Karl\WINDOWS
c:\documents and settings\Katie\My Documents\~WRL0399.tmp
c:\windows\$NtUninstallKB48361$\2645737905
c:\windows\$NtUninstallKB48361$\4201334402\@
c:\windows\$NtUninstallKB48361$\4201334402\bckfg.tmp
c:\windows\$NtUninstallKB48361$\4201334402\cfg.ini
c:\windows\$NtUninstallKB48361$\4201334402\Desktop.ini
c:\windows\$NtUninstallKB48361$\4201334402\keywords
c:\windows\$NtUninstallKB48361$\4201334402\kwrd.dll
c:\windows\$NtUninstallKB48361$\4201334402\L\nhmanpzz
c:\windows\$NtUninstallKB48361$\4201334402\lsflt7.ver
c:\windows\$NtUninstallKB48361$\4201334402\U\00000001.@
c:\windows\$NtUninstallKB48361$\4201334402\U\00000002.@
c:\windows\$NtUninstallKB48361$\4201334402\U\00000004.@
c:\windows\$NtUninstallKB48361$\4201334402\U\80000000.@
c:\windows\$NtUninstallKB48361$\4201334402\U\80000004.@
c:\windows\$NtUninstallKB48361$\4201334402\U\80000032.@
c:\windows\dasetup.log
c:\windows\Downloaded Program Files\Temp
c:\windows\system32\SET251.tmp
c:\windows\system32\SET255.tmp
c:\windows\system32\SET256.tmp
c:\windows\system32\SET25D.tmp
c:\windows\system32\Thumbs.db
G:\SETUP.EXE
H:\Autorun.inf
H:\Setup.exe
c:\windows\$NtUninstallKB48361$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-12-10 to 2012-01-10 )))))))))))))))))))))))))))))))
.
.
2012-01-09 08:43 . 2012-01-09 08:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-07 15:15 . 2012-01-07 15:15 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2012-01-07 14:25 . 2012-01-07 14:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-05 01:23 . 2012-01-05 01:23 -------- d-----w- c:\documents and settings\Karl\Local Settings\Application Data\SanctionedMedia
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-24 14:25 . 2011-12-24 14:25 -------- d-----w- c:\documents and settings\Karl\Local Settings\Application Data\PCHealth
2011-12-22 22:07 . 2008-04-13 19:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-12-22 22:07 . 2008-04-13 19:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-07 15:04 . 2011-01-18 00:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-07 15:04 . 2007-10-28 16:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-20 20:57 . 2011-05-28 13:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2010-05-12 16:11 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2003-07-16 20:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2006-04-28 14:58 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2003-07-16 20:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2003-07-16 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-07-26 04:31 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2003-07-16 20:26 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2003-07-16 20:39 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 01:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2003-07-16 20:27 186880 ----a-w- c:\windows\system32\encdec.dll
2012-01-08 14:52 . 2011-03-24 23:34 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2011-03-10 77656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BackUp Maker.lnk - c:\program files\ASCOMP Software\BackUp Maker\bkmaker.exe [2011-5-13 7767888]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak Picture Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak Picture Transfer.lnk
backup=c:\windows\pss\Kodak Picture Transfer.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 05:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Kodak\\Kodak Utilities\\PTS\\Kodak Picture Transfer Service.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/26/2009 1:02 AM 102448]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [6/27/2006 6:10 PM 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [6/27/2006 6:10 PM 17700]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [6/27/2006 6:10 PM 76260]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 15:34]
.
2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 15:34]
.
2012-01-10 c:\windows\Tasks\User_Feed_Synchronization-{11E25375-9F59-4E71-A876-E9D1894167DC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Karl\Application Data\Mozilla\Firefox\Profiles\dzcuffr0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49758
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
AddRemove-Money2006a - c:\program files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe
AddRemove-WinGTK-2_is1 - c:\program files\Gimp\GTK\2.0\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-10 18:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\fxssvc.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2012-01-10 18:57:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-10 23:57
.
Pre-Run: 11,542,405,120 bytes free
Post-Run: 13,264,465,920 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - F8AB43100E73856D10427FBFB8C00EA2

Attached Files

  • Attached File  log.txt   15.2KB   2 downloads

Edited by Noviciate, 11 January 2012 - 03:19 PM.
Added log from attachment.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 11 January 2012 - 03:21 PM

Good evening. :)

When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.

Did you do the above?

So long, and thanks for all the fish.

 

 


#5 karldd

karldd
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 11 January 2012 - 03:45 PM

No, I missed that! Should i start again with instructions and run combofix again?

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 11 January 2012 - 03:48 PM

No, just take the time to read the instructions fully in future as it is probably in your best interests to do so.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Change parameters and check the two boxes under Additional Options.
  • Click Start scan and allow the tool to do just that.
  • One the scan has completed, if the tool has identified anything allow it to carry out it's default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which i'd like to see, will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

 

 


#7 karldd

karldd
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 11 January 2012 - 03:49 PM

Should I uninstall combofix on my PC first? before resaving(new name) and reinstalling?

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 11 January 2012 - 04:20 PM

Should I uninstall combofix on my PC first? before resaving(new name) and reinstalling?

No, follow the instructions in my last post - forget ComboFix for now.

So long, and thanks for all the fish.

 

 


#9 karldd

karldd
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 11 January 2012 - 05:32 PM

Here is TDSkiller log.
Did not ask me to reboot. Identified items but default action was to skip.
I still do not have internet access, see previous post.
Thanks.

Attached Files



#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 12 January 2012 - 03:43 PM

Good evening. :)

Do you have a flashdrive of at least 128Mb that you can wipe clean for a little tool that we need to run?

So long, and thanks for all the fish.

 

 


#11 karldd

karldd
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 12 January 2012 - 04:26 PM

yes, that is how i transfered tdsskiller download to infected PC from a laptop.

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 12 January 2012 - 04:53 PM

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Finally, for this part at least, download the following file: dumpit and save it to the flashdrive you've just played with.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.
  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents to your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder, locate the dumpit file you downloaded previously and double click it.
  • A black Terminal window should open and the text therein should contain the legend: Press Enter to exit: - please do so.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and insert back in your working computer and locate the folder mbr.zip that it should now contain.
  • Please attach this folder in your next reply, you will need to put it in a compressed/zipped folder, or let me know if you had any problems.

So long, and thanks for all the fish.

 

 


#13 karldd

karldd
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 12 January 2012 - 05:21 PM

i tried to reboot from the usb, it came up with window asking me to restore pc and select restore point. should i restore or cancel?

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:20 PM

Posted 12 January 2012 - 05:23 PM

Cancel.

So long, and thanks for all the fish.

 

 


#15 karldd

karldd
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 12 January 2012 - 05:27 PM

ok, i cancelled and PC rebooted.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users