Norton detects Backdoor.Tidserv!kmem but can't remove it.


  • This topic is locked
39 replies to this topic

#1 Scottynmundo

  • Members

Posted 19 February 2012 - 02:13 PM

I'm having a hard time trying to find specific instructions on the removal of the Backdoor.tidserv!kmem virus on my old XP box. I've read some other threads on this but I don't want to muck the situation up by running progs I'm not familiar with. Any help would be appreciated.

Thanks

Scott

DDS log results

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Run by Administrator at 15:53:55 on 2012-02-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.416 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Support.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Support.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\administrator.scott-k2t6g9kax\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: intuit.com\ttlc
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} - file:///F:/components/hidinputmonitorx.ocx
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} - file:///F:/components/A9.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249005734608
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249005724796
DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} - file:///F:/components/wmvhdrating.ocx
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5693/mcfscan.cab
TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
TCP: Interfaces\{2351781E-8BE6-4B5E-B7FA-25AFE2441E1B} : DhcpNameServer = 205.152.37.23 205.152.150.23
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli scecli
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.scott-k2t6g9kax\application data\mozilla\firefox\profiles\40y1up70.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 2572
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: g:\itunes install\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\IPSFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1207000.00d\symds.sys [2012-1-31 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1207000.00d\symefa.sys [2012-1-31 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20120215.001\BHDrvx86.sys [2012-2-18 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1207000.00d\ironx86.sys [2012-1-31 136312]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/06/01 16:58:25];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-7-3 88176]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.7.0.13\ccsvchst.exe [2012-1-31 130008]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-18 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20120217.003\IDSXpx86.sys [2012-2-17 356280]
S1 wlottyqr;wlottyqr;\??\c:\windows\system32\drivers\wlottyqr.sys --> c:\windows\system32\drivers\wlottyqr.sys [?]
S3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20120217.036\naveng.sys [2012-2-18 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20120217.036\navex15.sys [2012-2-18 1576312]
.
=============== Created Last 30 ================
.
2012-02-19 20:33:16 -------- d-----w- c:\documents and settings\administrator.scott-k2t6g9kax\local settings\application data\PCHealth
2012-02-19 18:47:26 -------- d-----w- c:\windows\system32\MpEngineStore
2012-02-19 15:57:37 1288704 -c----w- c:\windows\system32\dllcache\ole32.dll
2012-02-19 15:48:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-02-19 15:48:17 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-19 15:46:26 -------- d-----w- c:\windows\system32\drivers\nav\1206000.01D
2012-02-19 02:45:02 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-02-19 02:42:26 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-02-19 02:40:57 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-02-19 02:40:06 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-02-19 02:35:35 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-02-19 02:35:27 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-02-19 02:27:55 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-02-19 02:27:43 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-19 02:27:43 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-19 02:24:05 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-02-19 00:45:58 -------- d-----w- c:\windows\system32\NtmsData
2012-02-18 23:01:18 -------- d-----w- c:\documents and settings\administrator.scott-k2t6g9kax\local settings\application data\NPE
2012-01-31 20:48:06 331384 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\symtdiv.sys
2012-01-31 20:48:04 369784 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\symtdi.sys
2012-01-31 20:48:02 299640 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\symnets.sys
2012-01-31 20:47:59 744568 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\symefa.sys
2012-01-31 20:47:58 340088 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\symds.sys
2012-01-31 20:47:57 516216 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\srtsp.sys
2012-01-31 20:47:57 50168 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\srtspx.sys
2012-01-31 20:47:56 136312 ----a-w- c:\windows\system32\drivers\nav\1207000.00d\ironx86.sys
2012-01-31 20:44:27 -------- d-----w- c:\windows\system32\drivers\nav\1207000.00D
.
==================== Find3M ====================
.
2012-02-19 18:47:26 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 08:13:37 832512 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:13:37 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-12-19 08:13:36 78336 ------w- c:\windows\system32\ieencode.dll
2011-12-19 08:13:36 17408 ------w- c:\windows\system32\corpol.dll
2011-12-16 12:22:56 389120 ------w- c:\windows\system32\html.iec
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 15:55:23.56 ===============

Edited by Scottynmundo, 19 February 2012 - 08:47 PM.


#2 Noviciate

  • Malware Response Team

Posted 19 February 2012 - 04:31 PM

Good evening. :)

Please go here, follow steps six, seven and eight, skipping those that you cannot run for any reason, and then post accordingly into this thread.

So long, and thanks for all the fish.

 

 


#3 Scottynmundo

  • Topic Starter

Posted 19 February 2012 - 08:50 PM

Sorry, I edited the original thread with the necessary logs. Thanks for the quick reply.

#4 Noviciate

  • Malware Response Team

Posted 20 February 2012 - 03:19 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click No .
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.


#5 Scottynmundo

  • Topic Starter

Posted 20 February 2012 - 04:40 PM

aswMBR.txt attached as requested. Again. Thanks for the fast turnaround.

Scott


#6 Noviciate

  • Malware Response Team

Posted 20 February 2012 - 05:08 PM

Given that this nasty can be a pain to remove I'd like a little more information before we begin to play. Do you have a flash drive of at least 128 MB that you can wipe clean to use for this purpose?


#7 Scottynmundo

  • Topic Starter

Posted 20 February 2012 - 05:13 PM

Yes, 8 GB.

#8 Noviciate

  • Malware Response Team

Posted 20 February 2012 - 05:42 PM

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB - directly or drag it there when it's downloaded.
  • Finally, for this part at least, download the following file: dumpit and save it to the flashdrive you've just played with.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.
  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder, locate the dumpit file you downloaded previously and double click it.
  • A black Terminal window should open and the text therein should contain the legend: Press Enter to exit: - please do so.
  • Make sure that you can still see the contents of the flashdrive folder and do the following:
  • Click Tool at the top.
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all its fashionable black livery.
  • Type bash driver.sh and then <ENTER>
  • You now get to sit and watch some text scroll down the Terminal window until it reports Done - which doesn't need any explanation, hopefully!
  • A report will be located on your flash drive called report.txt (an uninspired choice of name I know!), which is the purpose of this little adventure.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and insert back in your working computer and locate the folder mbr.zip that it should now contain.
  • Please attach this folder in your next reply, you will need to put it in a compressed/zipped folder, or let me know if you had any problems.

So long, and thanks for all the fish.
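Added example (an editorial addition, not code from any post in this thread): the MBR.dat backup that aswMBR writes (post #4) and the mbr.zip dump collected from the xPUD live environment (post #8) are both raw copies of sector 0 of the disk. The script below parses such a 512-byte image offline: it checks the 55AA boot signature, decodes the four partition-table entries and flags malformed or overlapping ones, reports how many sectors are unallocated before the first partition (and after the last, when the disk size in sectors is supplied), hashes the 440-byte boot-code area separately from the per-machine disk signature, and lists the byte offsets at which the boot code of two images differs, which is how a patched boot sector is spotted by comparing a dump against a known-clean copy of the same sector. The sample sector produced by build_sample_mbr() is constructed for the demonstration and is not from the poster's machine; the offsets 0x30-0x37 overwritten by tamper_sample() are arbitrary.

```python
"""Offline parser for a raw 512-byte MBR image (for example the MBR.dat written
by aswMBR, or the sector dump collected from a live-boot environment).

Added example for this thread; the sample image built below is constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
CODE_LEN = 440          # bytes 0..439: boot code
DISK_SIG_OFFSET = 440   # 4-byte Windows disk signature, then 2 reserved bytes
PT_OFFSET = 446         # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"  # last two bytes of sector 0


@dataclass
class Partition:
    index: int
    status: int      # 0x80 = active (bootable), 0x00 = inactive
    type_id: int     # e.g. 0x07 = NTFS/HPFS
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if type_id == 0 and sectors == 0:
            continue
        parts.append(Partition(i, status, type_id, lba_start, sectors))
    return parts


def analyse_mbr(mbr: bytes, disk_sectors: Optional[int] = None) -> dict:
    """Sanity-check one sector and summarise what an analyst wants to see."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    mbr = mbr[:SECTOR]
    parts = parse_partitions(mbr)
    warnings = []
    if mbr[510:512] != BOOT_SIG:
        warnings.append("missing 55AA boot signature")
    for p in parts:
        if p.status not in (0x00, 0x80):
            warnings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.lba_start == 0 or p.sectors == 0:
            warnings.append(f"entry {p.index}: zero start or length")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end >= b.lba_start:
            warnings.append(f"entries {a.index} and {b.index} overlap")
    before = ordered[0].lba_start - 1 if ordered else None
    after = None
    if disk_sectors and ordered:
        after = disk_sectors - 1 - ordered[-1].lba_end
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        # hash the code only: the disk signature legitimately differs per machine
        "bootstrap_sha256": hashlib.sha256(mbr[:CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "partitions": parts,
        "unallocated_before_first": before,
        "unallocated_after_last": after,
        "warnings": warnings,
    }


def diff_bootstrap(a: bytes, b: bytes) -> List[int]:
    """Byte offsets inside the boot-code area where two images differ."""
    return [i for i in range(CODE_LEN) if a[i] != b[i]]


def build_sample_mbr() -> bytes:
    """Constructed sample (not a real disk): stub boot code, one NTFS partition."""
    code = bytearray(CODE_LEN)
    code[0:7] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"  # xor ax,ax; mov ss,ax; mov sp,7C00h
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xFE\xFF\xFF", 63, 1_000_000)
    return (bytes(code) + struct.pack("<I", 0x12345678) + b"\x00\x00"
            + entry0 + b"\x00" * 48 + BOOT_SIG)


def tamper_sample(mbr: bytes) -> bytes:
    """Overwrite 8 bytes of boot code at an arbitrary offset to simulate a patch."""
    out = bytearray(mbr)
    out[0x30:0x38] = b"\xEB\xFE" * 4    # the bytes themselves do not matter here
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_mbr()
    info = analyse_mbr(clean, disk_sectors=2_000_000)
    print("signature ok:", info["signature_ok"], "warnings:", info["warnings"])
    for p in info["partitions"]:
        print(f"  entry {p.index}: type 0x{p.type_id:02x} LBA {p.lba_start}-{p.lba_end}")
    print("boot code sha256:", info["bootstrap_sha256"])
    changed = diff_bootstrap(clean, tamper_sample(clean))
    print("boot code differs at offsets:", [hex(o) for o in changed])
```

To use it on a real dump, read the file with open(path, "rb").read() and pass it to analyse_mbr(); for diff_bootstrap() the reference image should be a clean sector 0 from the same Windows version, since the stock boot code differs between releases and the disk signature is deliberately excluded from the comparison. A clean partition table with unexplained differences in the boot code is the pattern that makes an MBR dump worth looking at, which is why the helper asked for the dump before attempting removal.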

 

 


#9 Scottynmundo

  • Topic Starter

Posted 20 February 2012 - 06:38 PM

One mbr.zip file. I hope this is what you need. Thanks again.

Attached Files

  • mbr.zip (4.35 KB)


#10 Noviciate

  • Malware Response Team

Posted 20 February 2012 - 06:41 PM

I'd like a copy of dumpfiles.txt that you should find in the dumpfiles folder on the flashdrive - forgot to mention that bit. :wacko:


#11 Scottynmundo

  • Topic Starter

Posted 20 February 2012 - 06:48 PM

Sorry, but I don't see a dumpfiles folder on the drive or a dumpfiles.txt anywhere on it. What I have is the root and two folders called Boot and Opt. Are you looking for the report.txt file?

#12 Noviciate

  • Malware Response Team

Posted 21 February 2012 - 03:23 PM

Good evening. :)

Did you run the section that includes the bash driver.sh command?


#13 Scottynmundo

  • Topic Starter

Posted 21 February 2012 - 03:28 PM

Yes. It seemed to run and it created the report.txt file as indicated in the procedures. I could run it again if you think that maybe I missed something the first time.

Thanks

#14 Noviciate

  • Malware Response Team

Posted 21 February 2012 - 03:51 PM

Sorry, my bad - I'm mixing and matching output text files for some reason. If you could post the contents of report.txt that would be grand.


#15 Scottynmundo

  • Topic Starter

Posted 21 February 2012 - 03:53 PM

Cool, here you go.

Thanks
