Infected with TDL4@MBR Google Redirection Blue Screens


  • This topic is locked
7 replies to this topic

#1 taggart1

  • Members
  • 7 posts

Posted 12 February 2012 - 02:05 PM

Hi,
I'm having an issue w/ Google redirection and blue screen memory dumps after Windows boots up. It works in safe mode. It has been blue screening for the past couple of days, but the Google redirection to buffpuma just began yesterday after updating Java. Any help would be great. Thanks

(Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7601.17514
Run by taggart1 at 12:23:21 on 2012-02-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3241.2333 [GMT -6:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://deere.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelPROSet] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [TdmNotify] c:\program files\dell\dell data protection\access\advanced\wave\trusted drive manager\TdmNotify.exe
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\program files\roxio\oem\roxio burn\RoxioBurnLauncher.exe"
mRun: [ISUSPM] c:\programdata\flexnet\connect\11\\isuspm.exe -scheduler
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellsy~1.lnk - c:\program files\dell\dell system manager\DCPSysMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 172.31.190.11 172.31.190.12
TCP: Interfaces\{97302188-337B-4513-B34C-5082AACDD908} : DhcpNameServer = 172.31.190.11 172.31.190.12
TCP: Interfaces\{97302188-337B-4513-B34C-5082AACDD908}\83736393 : DhcpNameServer = 216.106.1.2 216.106.1.3
TCP: Interfaces\{ADB43DBD-CEAE-43FE-9D33-B6991E1A15B9} : DhcpNameServer = 172.31.190.11 172.31.190.12
TCP: Interfaces\{E6112BEA-F1D4-4CDC-A3DD-B3CA8F574495} : NameServer = 68.28.67.132 68.28.68.132
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2011-10-6 17648]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2011-10-6 43888]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2011-10-6 349736]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-10-6 41088]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-10-6 7434240]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2011-10-6 62440]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2011-10-6 63976]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-17 344712]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-10-6 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
S2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-5-12 249648]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2010-6-29 127488]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\dell\dell system manager\DCPSysMgrSvc.exe [2011-1-20 388464]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-2-23 212944]
S2 LightweightIDOL;LightweightIDOL;c:\program files\service advisor\suir\LightweightIDOL.exe [2010-9-10 4145152]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-8-25 22816]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-5-19 120128]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-8-25 147984]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-8-25 66880]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-17 69192]
S2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2011-10-6 8192]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SAUploader;SAUploader;c:\program files\service advisor\sauploader\SAUploader.exe [2011-9-16 34632]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-10-6 2656280]
S2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2011-12-17 1590216]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\dell\dell data protection\access\advanced\wave\authentication manager\WaveAMService.exe [2011-7-1 1131520]
S2 ZcfgSvc7;Intel® PROSet/Wireless ZeroConfig Service;c:\program files\intel\wifi\bin\ZCfgSvc7.exe [2010-12-23 577536]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-6-7 191752]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\drivers\btwampfl.sys [2011-10-6 302120]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-10-6 33832]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2008-10-15 124160]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-10-6 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-10-6 269824]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-17 91896]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-17 43192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-17 66536]
S3 netvsc;netvsc;c:\windows\system32\drivers\netvsc60.sys [2010-11-20 126464]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2011-10-6 60904]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SynthVid;SynthVid;c:\windows\system32\drivers\VMBusVideoM.sys [2010-11-20 19456]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-02-10 16:52:25 -------- d-----w- c:\users\appdata\local\ElevatedDiagnostics
2012-01-28 04:39:46 -------- d-----w- c:\users\appdata\local\Sprint
.
==================== Find3M ====================
.
2012-01-22 04:18:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 15:37:52 5341453 ----a-w- c:\windows\FramePkg.exe
2011-12-17 15:14:43 722782 ----a-w- c:\windows\unins000.exe
2011-12-17 15:12:53 691545 ----a-w- c:\windows\unins001.exe
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01:00 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:41:52 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-11-17 05:41:51 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2011-11-17 05:39:24 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2011-11-17 05:38:39 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-17 05:35:02 314880 ----a-w- c:\windows\system32\webio.dll
2011-11-17 05:34:55 15872 ----a-w- c:\windows\system32\sspisrv.dll
2011-11-17 05:34:55 100352 ----a-w- c:\windows\system32\sspicli.dll
2011-11-17 05:34:52 224768 ----a-w- c:\windows\system32\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- c:\windows\system32\secur32.dll
2011-11-17 05:32:51 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2011-11-17 05:29:50 22528 ----a-w- c:\windows\system32\lsass.exe
2011-11-15 20:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 12:24:39.44 ===============

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 February 2012 - 04:16 PM

Good evening. :)

You'll need to bear with me a little as I've just bought a new system with Windows 7 on, after many years with XP, so it may take a little time for me to get my head round a new set of tools and instructions - if you don't see what I describe or something doesn't work as I say, just put it down to my slowness in catching up with the modern world and tell me and I'll correct things.

Please see if you can run the following in Normal Mode, or Safe Mode if not:

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click No .
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#3 taggart1

  • Topic Starter
  • Members
  • 7 posts

Posted 12 February 2012 - 06:14 PM

Hello Noviciate,

Thanks for responding so quickly. I got aswMBR.exe downloaded in safe mode and ran it. Here is the log it created.

MBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-12 17:07:04
-----------------------------
17:07:04.556 OS Version: Windows 6.1.7601 Service Pack 1
17:07:04.556 Number of processors: 4 586 0x2A07
17:07:04.556 ComputerName: UserName:
17:07:06.771 Initialize success
17:07:19.064 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:07:19.064 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
17:07:19.064 Disk 0 MBR read error 0
17:07:19.064 Disk 0 MBR scan
17:07:19.064 Disk 0 unknown MBR code
17:07:19.064 MBR BIOS signature not found 0
17:07:19.064 Disk 0 scanning sectors +625139712
17:07:19.111 Disk 0 scanning C:\Windows\system32\drivers
17:07:24.758 Service scanning
17:07:27.441 Modules scanning
17:07:45.849 Disk 0 trace - called modules:
17:07:45.849 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys >>UNKNOWN [0x8624f49f]<<
17:07:45.849 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f29a38]
17:07:45.849 3 CLASSPNP.SYS[8b1c359e] -> nt!IofCallDriver -> [0x85f29020]
17:07:45.849 5 stdcfltn.sys[8b5c1896] -> nt!IofCallDriver -> \IAAStorageDevice-1[0x85424028]
17:07:45.849 \Driver\iaStor[0x84b33990] -> IRP_MJ_CREATE -> 0x8624f49f
17:07:45.849 Scan finished successfully
17:08:38.078 Disk 0 MBR has been saved successfully to "C:\Users\taggart1\Desktop\MBR.dat"
17:08:38.078 The log file has been saved successfully to "C:\Users\taggart1\Desktop\aswMBR.txt"
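The MBR.dat file that aswMBR saved next to this log is a raw 512-byte copy of the boot sector. As an added example (not code from the thread, from aswMBR or from any TDL4 write-up), the script below shows what a defender can check in such an image: the 0x55AA boot signature, a hash of the 446 bytes of bootstrap code against a known-clean reference, the partition table, and how much unallocated space follows the last partition, which is where a bootkit can keep data that a look at the MBR alone will not reveal. Both sample sectors and the "known-good" hash are constructed here; on a real case the reference hash would come from a clean machine with the same Windows build.

```python
"""Inspect a 512-byte MBR image such as the MBR.dat backup that aswMBR writes.
Added example, not code from the thread or from aswMBR; all sectors below are
constructed, and the "known-good" hash is derived from the constructed sample."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code lives in bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"   # boot signature expected at bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, CHS(skip), type, CHS(skip), LBA start, count


def parse_partitions(mbr):
    """Decode the four partition entries, skipping empty (all-zero) slots."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        if mbr[off:off + 16] == b"\x00" * 16:
            continue
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts


def inspect_mbr(mbr, known_good_sha256=None):
    """Checks in the spirit of an MBR scanner: signature, boot-code hash, table."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    parts = parse_partitions(mbr)
    return {
        "signature_ok": mbr[510:] == BOOT_SIGNATURE,
        "boot_code_sha256": code_hash,
        # Unrecognised boot code is the finding to chase: compare against a hash
        # taken from a clean machine running the same Windows build.
        "boot_code_known": known_good_sha256 is not None and code_hash == known_good_sha256,
        "bootable_count": sum(p["bootable"] for p in parts),
        "partitions": parts,
    }


def unallocated_tail(mbr, disk_sectors):
    """(first sector, length) of the space after the last partition: a bootkit
    can keep its own data there, so scanning the MBR alone is not enough."""
    end = max((p["lba_start"] + p["sectors"] for p in parse_partitions(mbr)), default=0)
    return end, max(disk_sectors - end, 0)


def build_sample(code_fill, with_signature=True):
    """Construct a sector: filler boot code plus one bootable NTFS partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:BOOT_CODE_LEN] = bytes([code_fill]) * BOOT_CODE_LEN
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    if with_signature:
        mbr[510:] = BOOT_SIGNATURE
    return bytes(mbr)


CLEAN_MBR = build_sample(0x90)                          # constructed "clean" reference
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
SUSPECT_MBR = build_sample(0xEB, with_signature=False)  # constructed: code differs

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        r = inspect_mbr(image, KNOWN_GOOD_SHA256)
        print(name, "signature_ok=%s boot_code_known=%s partitions=%d"
              % (r["signature_ok"], r["boot_code_known"], len(r["partitions"])))
    print("unallocated tail (start, sectors):", unallocated_tail(CLEAN_MBR, 625141760))
```

To run it against a real backup, read MBR.dat with `open(path, "rb").read()` and pass the bytes to `inspect_mbr`; the disk size in sectors for `unallocated_tail` is the drive's capacity divided by 512.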

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 February 2012 - 04:00 PM

Good evening. :)

As this infection comes in a few different forms I think it would be wise to gather a little more information about it before we try to remove it. Do you have access to a flashdrive of at least 128 Mb that you can wipe clean to run a tool from?

So long, and thanks for all the fish.

#5 taggart1

  • Topic Starter
  • Members
  • 7 posts

Posted 13 February 2012 - 06:05 PM

Yes, I do have a CD or a flash drive.

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 February 2012 - 05:11 PM

Good evening. :)

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB - directly or drag it there when it's downloaded.
  • Finally, for this part at least, download the following file: dumpit and save it to the flashdrive you've just played with.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.
  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder, locate the dumpit file you downloaded previously and double click it.
  • A black Terminal window should open and the text therein should contain the legend: Press Enter to exit: - please do so.
  • Make sure that you can still see the contents of the flashdrive folder and do the following:
  • Click Tool at the top.
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all its fashionable black livery.
  • Type bash driver.sh and then <ENTER>
  • You now get to sit and watch some text scroll down the Terminal window until it reports Done - which doesn't need any explanation, hopefully!
  • A report will be located on your flash drive called report.txt (an uninspired choice of name I know!), which is the purpose of this little adventure.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive, insert it back into your working computer and locate the folder mbr.zip that it should now contain.
  • Please attach this folder in your next reply (you will need to put it in a compressed/zipped folder), or let me know if you had any problems.

So long, and thanks for all the fish.

#7 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 16 February 2012 - 04:12 PM

Got confused - ignore this one. :whistle:

Edited by Noviciate, 16 February 2012 - 04:12 PM.

So long, and thanks for all the fish.

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 24 February 2012 - 05:03 PM

Helpers are limited in the number of logs they can take by the time they have available and having threads sit idle means that somebody else who could be being helped has to wait.
Given that there has been no response for at least five days, and I have no way of knowing when there will be one, this thread is now closed.

So long, and thanks for all the fish.