"ordinal 1109 could not be located" - Help Please!


This topic is locked. 14 replies to this topic.

#1 alliecat023

Posted 09 February 2012 - 12:56 PM

Hi, it looks like I have a virus on my computer. The error message "Ordinal 1109 could not be located in the dynamic link library WSOCK32.dll" pops up when I turn on my computer, and soon after a message stating my antivirus program Symantec has been disabled. My computer is running very slow and I cannot get onto the internet. Any help would be greatly appreciated!!

Edited by alliecat023, 09 February 2012 - 01:46 PM.


#2 m0le

Posted 11 February 2012 - 10:11 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 alliecat023

Posted 13 February 2012 - 09:38 AM

Thank you for your response, Mole.



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-13 09:23:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.SBDO
Running: ydzq50x9.exe; Driver: C:\DOCUME~1\Alliance\LOCALS~1\Temp\kgpcqfod.sys


---- System - GMER 1.0.15 ----

SSDT FED129D0 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.text netbt.sys A7F75000 6 Bytes [89, 01, 81, 7D, 10, 16]
.text netbt.sys A7F75008 47 Bytes [C0, 0F, 85, 36, FF, FF, FF, ...]
.text netbt.sys A7F75038 19 Bytes [6A, 00, FF, 75, 08, 89, 7D, ...]
.text netbt.sys A7F7504D 29 Bytes [8B, 47, 18, 8B, 70, 0C, 85, ...]
.text netbt.sys A7F7506B 114 Bytes [00, 8D, 4E, 7C, 89, 4D, F4, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\netbt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[700] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\ping.exe[868] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[868] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\ping.exe[868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\System32\ping.exe[868] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\ping.exe[868] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C
.text C:\WINDOWS\System32\ping.exe[868] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00BE000A
.text C:\WINDOWS\System32\ping.exe[868] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00BF000A
.text C:\WINDOWS\System32\ping.exe[868] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\ping.exe[868] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00BD000A
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0195000A
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0196000A
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EF000C
? C:\WINDOWS\System32\svchost.exe[3960] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: oleaut32.dllunknown module: oleaut32.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [00401004] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 7453060A
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 676E6972
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [00401010] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 69570A0B
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 74536564
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 676E6972
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] [00401020] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 6156070C
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 6E616972
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [00408D74] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [00401030] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 6C4F0A0C
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 72615665
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [00401088] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [00403708] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [0040370C] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [00403710] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [00403704] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [00403494] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [004034B0] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [004034EC] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 624F5407
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 7463656A
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [00401094] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 4F540707
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 63656A62
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 40108874
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 06000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 74737953
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 00006D65
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [004010B4] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 49490A0F
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 7265746E
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 65636166
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 00000001
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 79530646
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 6D657473
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] FFFF0003
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] [004010E4] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 4449090F
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 61707369
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] B0686374
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 01004010
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 00020400
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 000000C0
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 46000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 73795306
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 046D6574
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 90FFFF00
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 244483CC
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] E5E9F804
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 83000049
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] F8042444
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 24448300
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 0DE9F804
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] CC00004A
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 401111CC
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 40111B00
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 40112500
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 00000100
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 00000000
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 00000000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A7F9C000-A7FBB000 (126976 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\System32\ping.exe (*** hidden *** ) 868

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB13240$\2271327449 0 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\cfg.ini 318 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\keywords 351 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\L 0 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\L\fouqjdwk 162816 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\oemid 270 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U 0 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\version 858 bytes
File C:\WINDOWS\$NtUninstallKB13240$\3425271076 0 bytes

---- EOF - GMER 1.0.15 ----
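The GMER log above flags several distinct indicator classes at once: an SSDT entry, patched kernel code in netbt.sys, a hidden module and a hidden ping.exe process, inline JMP hooks in that process whose targets are bare addresses rather than a named module, an svchost.exe image whose IAT slots hold values that decode as ASCII text rather than pointers, and a file tree under a $NtUninstallKB13240$ folder with U\ and L\ subfolders and .@ names. The script below is an added example, not part of the thread and not GMER's own code: it parses lines in GMER 1.0.15's text format and groups them by indicator class so a responder can read a log the way the Malware Response Team does. The sample log is constructed from lines quoted above. Two rules are assumptions of this script rather than GMER logic: a JMP into a vendor-attributed module is treated as a product hook while a JMP to an address outside any module is treated as injected code, and an IAT slot whose four bytes are all printable ASCII is flagged because a 32-bit XP user-mode function pointer rarely spells a word.

```python
"""Group the indicator lines of a GMER 1.0.15 text log by class.

Added example (not part of the thread, not GMER's code). The regexes
follow the line formats GMER printed; the ASCII-slot and anonymous-JMP
rules are heuristics of this script, not GMER verdicts.
"""
import re
import struct
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""SSDT FED129D0 ZwConnectPort
.text netbt.sys A7F75000 6 Bytes [89, 01, 81, 7D, 10, 16]
? C:\WINDOWS\system32\DRIVERS\netbt.sys suspicious PE modification
.text C:\WINDOWS\system32\SearchIndexer.exe[700] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\ping.exe[868] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
? C:\WINDOWS\System32\svchost.exe[3960] image checksum mismatch; number of sections mismatch; time/date stamp mismatch
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [00401004] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 676E6972
IAT C:\WINDOWS\System32\svchost.exe[3960] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 74737953
Module (noname) (*** hidden *** ) A7F9C000-A7FBB000 (126976 bytes)
Process C:\WINDOWS\System32\ping.exe (*** hidden *** ) 868
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB13240$\2271327449\L\fouqjdwk 162816 bytes
"""

HEX32 = r"[0-9A-Fa-f]{8}"
HIDDEN_RE = re.compile(r"^(Module|Process) (.+?) \(\*\*\* hidden \*\*\* \) (\S+)")
HOOK_RE = re.compile(r"^\.text (\S+?)\[(\d+)\] (\S+!\S+) " + HEX32 +
                     r" \d+ Bytes JMP (" + HEX32 + r")(?: (\S+) \((.+)\))?$")
KPATCH_RE = re.compile(r"^\.text (\S+\.sys) (" + HEX32 + r") (\d+) Bytes")
IAT_RE = re.compile(r"^IAT (\S+?)\[(\d+)\] @ \S+ \[([^\]]+)\] (\S+)")
FAKE_KB_RE = re.compile(r"^File (\S+\\\$NtUninstallKB\d+\$\\\d+\\\S*) (\d+) bytes")


def dword_as_text(hexword):
    """Return the 4 bytes of a little-endian DWORD as text if all are printable ASCII.

    A real IAT slot holds a function pointer; on 32-bit XP those sit below
    0x80000000 and rarely spell words. A slot that reads as text suggests the
    table GMER walked belongs to an image laid out differently from the real
    svchost.exe (heuristic of this script, not a GMER verdict).
    """
    raw = struct.pack("<I", int(hexword, 16))
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def triage(log_text):
    """Return a dict mapping indicator class -> list of parsed entries."""
    f = defaultdict(list)
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("SSDT "):
            f["ssdt_hook"].append(line.split()[2])           # hooked service name
        elif line.startswith("? "):
            f["pe_anomaly"].append(line[2:])                  # GMER's own PE notes
        elif (m := HIDDEN_RE.match(line)):
            f["hidden"].append((m.group(1).lower(), m.group(2), m.group(3)))
        elif (m := HOOK_RE.match(line)):
            path, pid, api, target, mod, vendor = m.groups()
            # JMP into a named, vendor-attributed module: usually a product hook.
            # JMP to a bare address outside any module: treat as injected code.
            key = "hook_named_module" if mod else "hook_anonymous"
            f[key].append((path, int(pid), api, target, mod, vendor))
        elif (m := KPATCH_RE.match(line)):
            f["kernel_patch"].append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := IAT_RE.match(line)):
            _path, _pid, imp, slot = m.groups()
            if re.fullmatch(HEX32, slot) and (text := dword_as_text(slot)):
                f["iat_text_slot"].append((imp, slot, text))
        elif (m := FAKE_KB_RE.match(line)):
            f["fake_uninstall_dir"].append((m.group(1), int(m.group(2))))
    hidden_pids = {int(pid) for kind, _name, pid in f["hidden"] if kind == "process"}
    # Processes hidden from the API that also carry anonymous hooks.
    f["hidden_hooked_pids"] = sorted({pid for _p, pid, *_ in f["hook_anonymous"]
                                      if pid in hidden_pids})
    return f


if __name__ == "__main__":
    for cls, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{cls}] {len(items)}")
        for item in items:
            print("   ", item)
```

Run it as-is to print the grouped findings for the sample; for a real log, pass the contents of the saved gmer.log to triage(). Treat the output as a reading aid: GMER's own notes ("suspicious PE modification", "image checksum mismatch") stay the authoritative flags, and the SYMEVENT.SYS/SYMTDI.SYS attachments in the Devices section are what Symantec's own filter drivers look like, not an indicator.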

#4 m0le

Posted 13 February 2012 - 12:43 PM

You have a rootkit called ZeroAccess which at least explains the strange message. This is not a nice customer so...


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you wish to continue, please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 alliecat023

Posted 13 February 2012 - 01:35 PM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-13 13:31:09
-----------------------------
13:31:09.810 OS Version: Windows 5.1.2600 Service Pack 3
13:31:09.810 Number of processors: 2 586 0xF0A
13:31:09.810 ComputerName: ALLIANCE-D4853F UserName: Alliance
13:31:12.185 Initialize success
13:31:31.326 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
13:31:31.341 Disk 0 Vendor: Hitachi_ SBDO Size: 114473MB BusType: 3
13:31:31.372 Disk 0 MBR read successfully
13:31:31.372 Disk 0 MBR scan
13:31:31.372 Disk 0 Windows XP default MBR code
13:31:31.372 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 104649 MB offset 63
13:31:31.388 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9820 MB offset 214323165
13:31:31.404 Disk 0 scanning sectors +234436545
13:31:31.451 Disk 0 scanning C:\WINDOWS\system32\drivers
13:31:45.372 Service scanning
13:31:47.122 Modules scanning
13:31:52.107 Module: C:\WINDOWS\system32\DRIVERS\netbt.sys **SUSPICIOUS**
13:31:58.716 Disk 0 trace - called modules:
13:31:58.732 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfe4e5ff0]<<
13:31:58.747 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d47ab8]
13:31:58.747 3 CLASSPNP.SYS[f75a8fd7] -> nt!IofCallDriver -> [0x86289f08]
13:31:58.747 \Driver\00001590[0x861c6410] -> IRP_MJ_CREATE -> 0xfe4e5ff0
13:31:58.747 Scan finished successfully
13:32:27.372 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Alliance\Desktop\MBR.dat"

#6 m0le

Posted 13 February 2012 - 02:39 PM

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#7 alliecat023

Posted 13 February 2012 - 03:23 PM

15:28:30.0796 2788 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
15:28:31.0093 2788 ============================================================
15:28:31.0125 2788 Current date / time: 2012/02/13 15:28:31.0093
15:28:31.0125 2788 SystemInfo:
15:28:31.0125 2788
15:28:31.0125 2788 OS Version: 5.1.2600 ServicePack: 3.0
15:28:31.0125 2788 Product type: Workstation
15:28:31.0125 2788 ComputerName: ALLIANCE-D4853F
15:28:31.0156 2788 UserName: Alliance
15:28:31.0156 2788 Windows directory: C:\WINDOWS
15:28:31.0156 2788 System windows directory: C:\WINDOWS
15:28:31.0156 2788 Processor architecture: Intel x86
15:28:31.0156 2788 Number of processors: 2
15:28:31.0156 2788 Page size: 0x1000
15:28:31.0156 2788 Boot type: Normal boot
15:28:31.0156 2788 ============================================================
15:28:31.0812 2788 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:28:31.0828 2788 Drive \Device\Harddisk1\DR3 - Size: 0xEC400000 (3.69 Gb), SectorSize: 0x200, Cylinders: 0x1E1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:28:31.0828 2788 \Device\Harddisk0\DR0:
15:28:31.0828 2788 MBR used
15:28:31.0828 2788 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xCC64F9E
15:28:31.0828 2788 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xCC64FDD, BlocksNum 0x132E7E4
15:28:31.0828 2788 \Device\Harddisk1\DR3:
15:28:31.0828 2788 MBR used
15:28:31.0828 2788 \Device\Harddisk1\DR3\Partition0: MBR, Type 0xB, StartLBA 0x2000, BlocksNum 0x760000
15:28:31.0906 2788 Initialize success
15:28:31.0906 2788 ============================================================

Edited by alliecat023, 13 February 2012 - 03:32 PM.
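The aswMBR and TDSSKiller output above describe the same disk in two different units: aswMBR in megabytes and decimal sector offsets (Partition 1 at offset 63, 104649 MB; Partition 2 at offset 214323165, 9820 MB; "scanning sectors +234436545"), TDSSKiller in hex LBAs (StartLBA 0x3F, BlocksNum 0xCC64F9E; StartLBA 0xCC64FDD, BlocksNum 0x132E7E4). Reconciling the two by hand is where reading mistakes happen. The script below is an added example, not part of the thread and not code from either tool: it parses a 512-byte MBR, converts the entries into the units each tool used, and checks the table for overlaps, overruns, a single active partition, and the size of the unpartitioned tail after the last partition, which is the region aswMBR scans because a bootkit can park a payload there. The MBR.dat that aswMBR saved to the desktop is not on the page, so the sector is constructed here from TDSSKiller's figures with a zero-filled boot-code area; comparing that code against known-good XP boot code, which is what aswMBR's "Windows XP default MBR code" line reports, is outside what this example can do.

```python
"""Parse an MBR sector and cross-check it against rootkit-scanner output.

Added example, not from the thread or from aswMBR/TDSSKiller. The real
MBR.dat is not available, so build_sample_mbr() constructs a sector from
the partition entries TDSSKiller printed; its boot-code area is zeroed
(a placeholder, not the XP boot code aswMBR recognised).
"""
import struct

SECTOR = 512
DISK_BYTES = 0x1BF2976000            # TDSSKiller: Drive \Device\Harddisk0\DR0 - Size
ASWMBR_TAIL_SCAN_LBA = 234436545     # aswMBR: "Disk 0 scanning sectors +234436545"
# (boot flag, type, StartLBA, BlocksNum) as TDSSKiller listed Partition0/1
TDSS_PARTITIONS = [(0x80, 0x07, 0x3F, 0xCC64F9E), (0x00, 0x07, 0xCC64FDD, 0x132E7E4)]


def build_sample_mbr(entries):
    """Constructed sector: zeroed boot code, up to 4 LBA entries, 0x55AA signature."""
    table = b"".join(struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
                     for boot, ptype, start, count in entries)
    return b"\0" * 446 + table.ljust(64, b"\0") + b"\x55\xAA"


def is_mbr_signed(sector):
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xAA"


def parse_mbr(sector):
    """Return the non-empty partition entries. CHS fields are legacy and ignored."""
    if not is_mbr_signed(sector):
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"index": i + 1, "boot": boot == 0x80, "type": ptype,
                          "start": start, "count": count})
    return parts


def mib(sectors):
    """Whole mebibytes, the unit aswMBR prints partition and disk sizes in."""
    return sectors * SECTOR // (1024 * 1024)


def check_layout(parts, disk_bytes, expected):
    """Compare parsed entries with the scanner's list; flag overlaps and overruns.

    Also returns the first LBA after the last partition: on a clean disk that
    is where aswMBR starts scanning the unpartitioned tail. A large tail is
    worth imaging, not proof of anything by itself.
    """
    issues = []
    total = disk_bytes // SECTOR
    prev_end = 1                       # LBA 0 holds the MBR itself
    if len(parts) != len(expected):
        issues.append("partition count differs from scanner output")
    for p, (_eboot, etype, estart, ecount) in zip(parts, expected):
        if (p["type"], p["start"], p["count"]) != (etype, estart, ecount):
            issues.append(f"partition {p['index']} differs from scanner output")
        if p["start"] < prev_end:
            issues.append(f"partition {p['index']} overlaps the previous entry")
        prev_end = p["start"] + p["count"]
        if prev_end > total:
            issues.append(f"partition {p['index']} runs past the end of the disk")
    if sum(p["boot"] for p in parts) != 1:
        issues.append("expected exactly one active (0x80) partition")
    return {"issues": issues, "last_lba_end": prev_end,
            "unpartitioned_tail_sectors": total - prev_end}


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr(TDSS_PARTITIONS))
    for p in parts:   # printed in aswMBR's own layout for side-by-side comparison
        print(f"Partition {p['index']} {'80' if p['boot'] else '00'} "
              f"{p['type']:02X} {mib(p['count'])} MB offset {p['start']}")
    result = check_layout(parts, DISK_BYTES, TDSS_PARTITIONS)
    print("disk", mib(DISK_BYTES // SECTOR), "MB; tail starts at LBA", result["last_lba_end"],
          "(aswMBR scanned from", ASWMBR_TAIL_SCAN_LBA, ")")
    print("issues:", result["issues"] or "none")
```

Run it to see both partitions printed in aswMBR's format and the tail check; for a real disk, read MBR.dat with open(path, "rb").read() and pass the bytes to parse_mbr(). The figures in the two logs agree: 0xCC64F9E sectors is 104649 MB, 0xCC64FDD is offset 214323165, and partition 2 ends at LBA 234436545, exactly the sector aswMBR reported scanning from, leaving 5103 sectors of slack before the end of the 114473 MB disk.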


#8 alliecat023

Posted 13 February 2012 - 03:33 PM

My antivirus also popped up saying it had cleaned several backdoor trojans.

#9 alliecat023

Posted 13 February 2012 - 04:14 PM

Ok, now my antivirus is telling me it has found (3) more viruses.

Count- 2
Risk- Backdoor.Trojan
Filename- 6to4v32.dll

Count- 2
Risk- Backdoor.Trojan
Filename- 6to4v32.dll

Count- 2
Risk- Trojan.Gen.2
Filename- 835d484a-5689.exe

#10 m0le

Posted 13 February 2012 - 05:18 PM

My antivirus also popped up saying it had cleaned several backdoor trojans.


Can you make sure you disable your antivirus before running these tools.

Can you then rerun TDSSKiller.

#11 alliecat023

Posted 14 February 2012 - 08:13 AM

08:10:54.0671 3948 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
08:10:55.0000 3948 ============================================================
08:10:55.0000 3948 Current date / time: 2012/02/14 08:10:55.0000
08:10:55.0000 3948 SystemInfo:
08:10:55.0000 3948
08:10:55.0000 3948 OS Version: 5.1.2600 ServicePack: 3.0
08:10:55.0000 3948 Product type: Workstation
08:10:55.0000 3948 ComputerName: ALLIANCE-D4853F
08:10:55.0000 3948 UserName: Alliance
08:10:55.0000 3948 Windows directory: C:\WINDOWS
08:10:55.0000 3948 System windows directory: C:\WINDOWS
08:10:55.0000 3948 Processor architecture: Intel x86
08:10:55.0000 3948 Number of processors: 2
08:10:55.0000 3948 Page size: 0x1000
08:10:55.0000 3948 Boot type: Normal boot
08:10:55.0000 3948 ============================================================
08:10:56.0109 3948 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
08:10:56.0109 3948 Drive \Device\Harddisk1\DR3 - Size: 0xEC400000 (3.69 Gb), SectorSize: 0x200, Cylinders: 0x1E1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
08:10:56.0109 3948 \Device\Harddisk0\DR0:
08:10:56.0109 3948 MBR used
08:10:56.0109 3948 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xCC64F9E
08:10:56.0109 3948 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xCC64FDD, BlocksNum 0x132E7E4
08:10:56.0109 3948 \Device\Harddisk1\DR3:
08:10:56.0109 3948 MBR used
08:10:56.0109 3948 \Device\Harddisk1\DR3\Partition0: MBR, Type 0xB, StartLBA 0x2000, BlocksNum 0x760000
08:10:56.0218 3948 Initialize success
08:10:56.0218 3948 ============================================================
08:10:57.0515 1376 ============================================================
08:10:57.0515 1376 Scan started
08:10:57.0515 1376 Mode: Manual;
08:10:57.0515 1376 ============================================================
08:10:59.0156 1376 Abiosdsk - ok
08:10:59.0171 1376 abp480n5 - ok
08:10:59.0218 1376 Accelerometer (558a0039f0ef634397e1f61055504478) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
08:10:59.0218 1376 Accelerometer - ok
08:10:59.0296 1376 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:10:59.0296 1376 ACPI - ok
08:10:59.0343 1376 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
08:10:59.0343 1376 ACPIEC - ok
08:10:59.0437 1376 ADIHdAudAddService (1600cb3056c984af1987627128874e39) C:\WINDOWS\system32\drivers\ADIHdAud.sys
08:10:59.0453 1376 ADIHdAudAddService - ok
08:10:59.0515 1376 adpu160m - ok
08:10:59.0546 1376 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
08:10:59.0546 1376 AEAudio - ok
08:10:59.0609 1376 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:10:59.0609 1376 aec - ok
08:10:59.0687 1376 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
08:10:59.0718 1376 AFD - ok
08:10:59.0890 1376 AgereSoftModem (90456051c422e09bc36e6340dd891f0c) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
08:10:59.0921 1376 AgereSoftModem - ok
08:11:10.0453 1376 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:11:10.0656 1376 \Device\Harddisk0\DR0 - ok
08:11:10.0671 1376 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR3
08:11:10.0671 1376 \Device\Harddisk1\DR3 - ok
08:11:10.0687 1376 Boot (0x1200) (6f8e556b717b5256871b54afb0e598d2) \Device\Harddisk0\DR0\Partition0
08:11:10.0687 1376 \Device\Harddisk0\DR0\Partition0 - ok
08:11:10.0718 1376 Boot (0x1200) (61b2806b6ab1531f74f9fb09342d4c6f) \Device\Harddisk0\DR0\Partition1
08:11:10.0718 1376 \Device\Harddisk0\DR0\Partition1 - ok
08:11:10.0718 1376 Boot (0x1200) (bdd18d142fe3a05e142790618a97c07e) \Device\Harddisk1\DR3\Partition0
08:11:10.0718 1376 \Device\Harddisk1\DR3\Partition0 - ok
08:11:10.0718 1376 ============================================================
08:11:10.0718 1376 Scan finished
08:11:10.0718 1376 ============================================================
08:11:10.0734 0704 Detected object count: 0
08:11:10.0734 0704 Actual detected object count: 0

#12 alliecat023

alliecat023
  • Topic Starter

  • Members
  • 8 posts

Posted 14 February 2012 - 08:16 AM

Now I'm getting all of these error messages popping up from Symantec that say "Symantec Email Proxy": "Your email message was unable to be sent because your mail server rejected the message. 451 Greylisting is in process. Please, delay the message for at least 15 mins before retry." Or other error messages like that.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 February 2012 - 08:57 AM

Your antivirus will continually warn you that it is not enabled, but as you can see TDSSKiller can't run correctly unless the antivirus is disabled and stops killing its scan process. Enable it when you are not carrying out my instructions.

Your infection needs us to go around the Windows environment to grab some information about the Master Boot Record.

Try this please. You will need a USB drive.

  • Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer.
  • Insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run, then OK.
  • Select the DiskImage option, then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded.
  • Verify the correct drive letter is selected for your USB device, then click OK.
  • It will install a little bootable OS on your USB device.
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface.
  • After it has completed, do not choose to reboot the clean computer; simply close the installer.
  • Next, download dumpit to your USB.
  • Remove the USB and insert it in the sick computer.
  • Boot the sick computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • A Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on the HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back into your working computer.
  • Locate the mbr.zip file on your USB drive and attach it when you reply.

m0le is a proud member of UNITE
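The dumpit step above hands the helper a raw copy of the first sector of the disk; the following Python is an added example (not part of the thread, TDSSKiller, xPUD or dumpit) showing what a defender does with such a dump: validate the 55AA boot signature, read the partition table, hash the bootstrap code area and compare it with a baseline taken from a clean machine, the same idea behind the "MBR (0x1B8)" hash lines in the TDSSKiller log. It assumes the hashed region is the 0x1B8-byte bootstrap code area, and the "clean" and "suspect" images are constructed inline for illustration.

```python
"""Parse a raw 512-byte MBR dump and compare its bootstrap code with a known-good hash.
Added example for this thread; the sample images are constructed, not real dumps."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 0x1B8    # bootstrap code area (assumed to be the region TDSSKiller reports as "MBR (0x1B8)")
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature follows the code
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Return bootstrap hash, disk signature and the non-empty partition entries of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]          # 0x80 = bootable flag
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue                                           # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sector_count})
    return {
        "bootstrap_md5": hashlib.md5(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def bootstrap_matches(sector: bytes, known_good_md5: str) -> bool:
    """True when the bootstrap code hashes to the baseline recorded from a clean machine."""
    return parse_mbr(sector)["bootstrap_md5"] == known_good_md5


def changed_offsets(clean: bytes, suspect: bytes) -> list:
    """Byte offsets inside the bootstrap area where the suspect dump differs from the clean one."""
    return [i for i in range(BOOTSTRAP_LEN) if clean[i] != suspect[i]]


def build_sample_mbr(bootstrap: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed MBR image: code, disk signature, partition table, 55AA."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = b"".join(bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, count)
                     for status, ptype, lba, count in partitions)
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed "clean" image: one bootable NTFS (type 0x07) partition starting at LBA 63.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", 0x12345678, [(0x80, 0x07, 63, 1_000_000)])
KNOWN_GOOD_MD5 = parse_mbr(CLEAN_MBR)["bootstrap_md5"]   # baseline taken from the clean image

# Constructed "suspect" image: identical partition table, one byte of bootstrap code altered.
_tampered = bytearray(CLEAN_MBR)
_tampered[0x100] ^= 0xFF
SUSPECT_MBR = bytes(_tampered)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        info = parse_mbr(img)
        print(f"{name}: bootstrap md5 {info['bootstrap_md5']}  matches baseline: "
              f"{bootstrap_matches(img, KNOWN_GOOD_MD5)}  partitions: {info['partitions']}")
    print("differing offsets:", [hex(o) for o in changed_offsets(CLEAN_MBR, SUSPECT_MBR)])
```

A changed partition table with an unchanged bootstrap hash is also worth flagging, so compare both fields of `parse_mbr` output, not just the hash.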

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 February 2012 - 09:38 PM

Are you okay with this step?
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 February 2012 - 07:58 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE



