#31

Hi Jintan,
I just want to make sure that I've got things right so I don't mess up anything. When you say "Then load the XP CD into the CD-ROM drive and restart the system" are you talking about what you called the boot CD earlier - the disk that you are having me create - or should I still be trying to find an XP disk to use? Also, when you say "If the system only reboots to Windows stop and post back here ..." you mean if I don't see any prompts from the CD, right? Sorry to ask such dumb questions, but I'm new to all of this and want to make sure that I've got it right.

#32

Yes, you are to use the CD you burned to do these steps. It has the setup part of an XP install disk, but just no copy of XP.
If you reboot, and the system does not allow you the option to press any key to "boot from the CD", and goes straight into locating Windows, then just post back here at that time, and we can discuss what BIOS changes you would need to make.

#33

OK. Got it; Thanks. I did as you said, and unfortunately, it did reboot to Windows, so I guess we'll have to make changes to the BIOS like you said.

#35

Thanks, Jintan. I did as you said and reset the boot order in the BIOS. After exiting, the machine went back to the "Welcome to Setup" screen. I got out of that and got back in using Safe Mode and found the file you asked for in C:\Windows. Here it is:

Abiosdsk Disabled
abp480n5 Disabled abp480n5
ACPI Boot Microsoft ACPI Driver
ACPIEC Disabled
adpu160m Disabled adpu160m
aec Manual Microsoft Kernel Acoustic Echo Canceller
AFD System AFD
AFS2K System AFS2k
agp440 Disabled Intel AGP Bus Filter
agpCPQ Disabled Compaq AGP Bus Filter
Aha154x Disabled Aha154x
aic78u2 Disabled aic78u2
aic78xx Disabled aic78xx
Alerter Disabled Alerter
ALG Manual Application Layer Gateway Service
AliIde Disabled AliIde
alim1541 Disabled ALI AGP Bus Filter
amdagp Disabled AMD AGP Bus Filter Driver
amsint Disabled amsint
Apple Mobile Device Auto Apple Mobile Device
AppMgmt Manual Application Management
asc Disabled asc
asc3350p Disabled asc3350p
asc3550 Disabled asc3550
ASCTRM Auto ASCTRM
aspnet_state Manual ASP.NET State Service
AsyncMac Manual RAS Asynchronous Media Driver
atapi Boot Standard IDE/ESDI Hard Disk Controller
Atdisk Disabled
Atmarpc Manual ATM ARP Client Protocol
AudioSrv Auto Windows Audio
audstub Manual Audio Stub Driver
Beep System
BITS Manual Background Intelligent Transfer Service
Bonjour Service Auto Bonjour Service
Browser Auto Computer Browser
BrScnUsb Manual Brother USB Still Image driver
BrSerIf Manual Brother MFC Serial Port Interface WDM Driver
BrUsbSer Manual Brother MFC USB Serial WDM Driver
bvrp_pci Manual
catchme Manual
cbidf Disabled cbidf
cbidf2k Disabled
CCDECODE Manual Closed Caption Decoder
cd20xrnt Disabled cd20xrnt
Cdaudio System
Cdfs Disabled
Cdrom System CD-ROM Driver
Changer System
CiSvc Manual Indexing Service
ClipSrv Manual ClipBook
clr_optimization_v2.0.50727_32 Manual .NET Runtime Optimization Service v2.0.50727_X86
CmdIde Disabled CmdIde
COMSysApp Manual COM+ System Application
Cpqarray Disabled Cpqarray
Creative Service for CDROM Access Auto Creative Service for CDROM Access
CryptSvc Auto CryptSvc
dac2w2k Disabled dac2w2k
dac960nt Disabled dac960nt
DcomLaunch Auto DCOM Server Process Launcher
Dhcp Auto DHCP Client
Disk Boot Disk Driver
DLABOIOM Auto
DLACDBHM System
DLADResN Auto
DLAIFS_M Auto
DLAOPIOM Auto
DLAPoolM Auto
DLARTL_N System
DLAUDFAM Auto
DLAUDF_M Auto
dmadmin Manual Logical Disk Manager Administrative Service
dmboot Disabled
dmio Disabled
dmload Disabled
dmserver Manual Logical Disk Manager
DMusic Manual Microsoft Kernel DLS Syntheiszer
Dnscache Auto DNS Client
Dot3svc Manual Wired AutoConfig
dpti2o Disabled dpti2o
drmkaud Manual Microsoft Kernel DRM Audio Descrambler
DRVMCDB Boot
DRVNDDM Auto
DSBrokerService Manual DSBrokerService
DSproct Manual DSproct
dsunidrv Auto DellSupport UniDriver
E100B Manual Intel(R) PRO Network Connection Driver
EapHost Manual Extensible Authentication Protocol Service
ERSvc Auto Error Reporting Service
Eventlog Auto Event Log
EventSystem Manual COM+ Event System
Fastfat Disabled
FastUserSwitchingCompatibility Auto Fast User Switching Compatibility
Fdc Manual Floppy Disk Controller Driver
Fips System
Flpydisk Manual Floppy Disk Driver
FltMgr Boot FltMgr
FontCache3.0.0.0 Manual Windows Presentation Foundation Font Cache 3.0.0.0
Fs_Rec System
Ftdisk Boot Volume Manager Driver
GEARAspiWDM Manual GEAR ASPI Filter Driver
Gpc Manual Generic Packet Classifier
grmnusb Manual
gusvc Manual Google Software Updater
HCWBT8xx Manual Hauppauge WinTV 848/9 WDM Video Driver
HDAudBus Manual Microsoft UAA Bus Driver for High Definition Audio
helpsvc Auto Help and Support
HidServ Auto HID Input Service
HidUsb Manual Microsoft HID Class Driver
hkmsvc Manual Health Key and Certificate Management Service
hpn Disabled hpn
HPZid412 Manual IEEE-1284.4 Driver HPZid412
HPZipr12 Manual Print Class Driver for IEEE-1284.4 HPZipr12
HPZius12 Manual USB to IEEE-1284.4 Translation Driver HPZius12
HSFHWBS2 Manual
HSF_DP Manual
HTTP Manual HTTP
HTTPFilter Manual HTTP SSL
i2omgmt System
i2omp Disabled i2omp
i8042prt System i8042 Keyboard and PS/2 Mouse Port Driver
ialm Manual
IDriverT Manual InstallDriver Table Manager
idsvc Manual Windows CardSpace
Imapi System CD-Burning Filter Driver
Imapi Helper Manual Imapi Helper
ImapiService Manual IMAPI CD-Burning COM Service
ini910u Disabled ini910u
IntelIde Boot
intelppm System Intel Processor Driver
Ip6Fw Manual IPv6 Windows Firewall Driver
IpFilterDriver Manual IP Traffic Filter Driver
IpInIp Manual IP in IP Tunnel Driver
IpNat Manual IP Network Address Translator
iPod Service Manual iPod Service
IPSec System IPSEC driver
IRENUM Manual IR Enumerator Service
isapnp Boot PnP ISA/EISA Bus Driver
JavaQuickStarterService Auto Java Quick Starter
Kbdclass System Keyboard Class Driver
kbdhid System Keyboard HID Driver
kmixer Manual Microsoft Kernel Wave Audio Mixer
KSecDD Boot
lanmanserver Auto Server
lanmanworkstation Auto Workstation
Lavasoft Ad-Aware Service Auto Lavasoft Ad-Aware Service
Lbd Boot Lbd
lbrtfdc System
LmHosts Auto TCP/IP NetBIOS Helper
mdmxsdk Auto
Messenger Disabled Messenger
Microsoft Office Groove Audit Service Manual Microsoft Office Groove Audit Service
mnmdd System
mnmsrvc Manual NetMeeting Remote Desktop Sharing
Modem Manual
MODEMCSA Manual Unimodem Streaming Filter Device
Mouclass System Mouse Class Driver
mouhid Manual Mouse HID Driver
MountMgr Boot Mount Point Manager
mraid35x Disabled mraid35x
MRxDAV Manual WebDav Client Redirector
MRxSmb System MRXSMB
MSDTC Manual Distributed Transaction Coordinator
Msfs System
MSIServer Manual Windows Installer
MSKSSRV Manual Microsoft Streaming Service Proxy
MSPCLOCK Manual Microsoft Streaming Clock Proxy
MSPQM Manual Microsoft Streaming Quality Manager Proxy
mssmbios Manual Microsoft System Management BIOS Driver
MSTEE Manual Microsoft Streaming Tee/Sink-to-Sink Converter
Mup Boot Mup
NABTSFEC Manual NABTS/FEC VBI Codec
napagent Manual Network Access Protection Agent
NDIS Boot NDIS System Driver
NdisIP Manual Microsoft TV/Video Connection
NdisTapi Manual Remote Access NDIS TAPI Driver
Ndisuio Manual NDIS Usermode I/O Protocol
NdisWan Manual Remote Access NDIS WAN Driver
NDProxy Manual NDIS Proxy
NetBIOS System NetBIOS Interface
NetBT System NetBios over Tcpip
NetDDE Disabled Network DDE
NetDDEdsdm Disabled Network DDE DSDM
Netlogon Manual Net Logon
Netman Manual Network Connections
NetSvc Manual Intel NCS NetService
NetTcpPortSharing Disabled Net.Tcp Port Sharing Service
Nla Manual Network Location Awareness (NLA)
Nokia USB Modem Manual Nokia USB Modem
Nokia USB Phone Parent Manual Nokia USB Phone Parent
Npfs System
Ntfs Disabled
NtLmSsp Manual NT LM Security Support Provider
NtmsSvc Manual Removable Storage
Null System
nv Manual
NwlnkFlt Manual IPX Traffic Filter Driver
NwlnkFwd Manual IPX Traffic Forwarder Driver
odserv Manual Microsoft Office Diagnostics Service
ose Manual Office Source Engine
Parport Manual Parallel port driver
PartMgr Boot Partition Manager
ParVdm Disabled
PCI Boot PCI Bus Driver
PCIDump System
PCIIde Boot
Pcmcia Disabled
PDCOMP Manual
PDFRAME Manual
PDRELI Manual
PDRFRAME Manual
perc2 Disabled perc2
perc2hib Disabled perc2hib
PfModNT Auto
PlugPlay Auto Plug and Play
Pml Driver HPZ12 Manual Pml Driver HPZ12
PolicyAgent Auto IPSEC Services
PptpMiniport Manual WAN Miniport (PPTP)
ProtectedStorage Auto Protected Storage
PSched Manual QoS Packet Scheduler
Ptilink Manual Direct Parallel Link Driver
PxHelp20 Boot PxHelp20
ql1080 Disabled ql1080
Ql10wnt Disabled Ql10wnt
ql12160 Disabled ql12160
ql1240 Disabled ql1240
ql1280 Disabled ql1280
RasAcd System Remote Access Auto Connection Driver
RasAuto Manual Remote Access Auto Connection Manager
Rasl2tp Manual WAN Miniport (L2TP)
RasMan Manual Remote Access Connection Manager
RasPppoe Manual Remote Access PPPOE Driver
Raspti Manual Direct Parallel
Rdbss System Rdbss
RDPCDD System
rdpdr Manual Terminal Server Device Redirector Driver
RDPWD Manual
RDSessMgr Manual Remote Desktop Help Session Manager
redbook System Digital CD Audio Playback Filter Driver
RemoteAccess Disabled Routing and Remote Access
RimUsb Manual BlackBerry Device
RimVSerPort Manual RIM Virtual Serial Port v2
ROOTMODEM Manual Microsoft Legacy Modem Driver
RpcLocator Manual Remote Procedure Call (RPC) Locator
RpcSs Auto Remote Procedure Call (RPC)
RSVP Manual QoS RSVP
SamSs Auto Security Accounts Manager
SCardSvr Manual Smart Card
Schedule Auto Task Scheduler
SeaPort Auto SeaPort
Secdrv Manual Secdrv
seclogon Auto Secondary Logon
SENS Auto System Event Notification
serenum Manual Serenum Filter Driver
Serial System Serial port driver
ServiceLayer Manual ServiceLayer
Sfloppy System
SharedAccess Auto Windows Firewall/Internet Connection Sharing (ICS)
ShellHWDetection Auto Shell Hardware Detection
Simbad Disabled
sisagp Disabled SIS AGP Bus Filter
SLIP Manual BDA Slip De-Framer
Sparrow Disabled Sparrow
splitter Manual Microsoft Kernel Audio Splitter
Spooler Auto Print Spooler
sr Boot System Restore Filter Driver
srservice Auto System Restore Service
Srv Manual Srv
SSDPSRV Manual SSDP Discovery Service
STHDA Manual SigmaTel High Definition Audio CODEC
stisvc Auto Windows Image Acquisition (WIA)
streamip Manual BDA IPSink
swenum Manual Software Bus Driver
swmidi Manual Microsoft Kernel GS Wavetable Synthesizer
SwPrv Manual MS Software Shadow Copy Provider
symc810 Disabled symc810
symc8xx Disabled symc8xx
sym_hi Disabled sym_hi
sym_u3 Disabled sym_u3
sysaudio Manual Microsoft Kernel System Audio Device
SysmonLog Manual Performance Logs and Alerts
TapiSrv Manual Telephony
Tcpip System TCP/IP Protocol Driver
TDPIPE Manual
TDTCP Manual
TermDD System Terminal Device Driver
TermService Auto Terminal Services
Themes Auto Themes
TosIde Disabled TosIde
TrkWks Auto Distributed Link Tracking Client
Udfs Disabled
ultra Disabled ultra
Update Manual Microcode Update Driver
upnphost Manual Universal Plug and Play Device Host
UPS Manual Uninterruptible Power Supply
usb2vcom Manual Nokia CA-42 USB
USBAAPL Manual Apple Mobile USB Driver
usbaudio Manual USB Audio Driver (WDM)
usbccgp Manual Microsoft USB Generic Parent Driver
usbehci Manual Microsoft USB 2.0 Enhanced Host Controller Miniport Driver
usbhub Manual Microsoft USB Standard Hub Driver
usbprint Manual Microsoft USB PRINTER Class
usbscan Manual USB Scanner Driver
USBSTOR Manual USB Mass Storage Driver
usbuhci Manual Microsoft USB Universal Host Controller Miniport Driver
VgaSave System VGA Display Controller.
viaagp Disabled VIA AGP Bus Filter
ViaIde Disabled ViaIde
VolSnap Boot
VPROEVENTMONITOR Manual VPROEVENTMONITOR
VSS Manual Volume Shadow Copy
w32time Auto Windows Time
Wanarp Manual Remote Access IP ARP Driver
wanatw Manual WAN Miniport (ATW)
WDICA Manual
wdmaud Manual Microsoft WINMM WDM Audio Compatibility Driver
WebClient Auto WebClient
winachsf Manual
winmgmt Auto Windows Management Instrumentation
Winsock Manual
WmdmPmSN Manual Portable Media Serial Number Service
WmiApSrv Manual WMI Performance Adapter
WMPNetworkSvc Manual Windows Media Player Network Sharing Service
WS2IFSL System
WsAudioDevice_383 Manual WsAudioDevice_383
wscsvc Auto Security Center
WSearch Auto Windows Search
WSTCODEC Manual World Standard Teletext Codec
wsvad_driver Manual WS Audio Device
wuauserv Auto Automatic Updates
WudfPf Manual Windows Driver Foundation - User-mode Driver Framework Platform Driver
WudfRd Manual Windows Driver Foundation - User-mode Driver Framework Reflector
WudfSvc Manual Windows Driver Foundation - User-mode Driver Framework
WZCSVC Auto Wireless Zero Configuration
xmlprov Manual Network Provisioning Service
xnacc Manual Microsoft Common Controller For Windows Driver Service

#36

Good you got that run. But if the malware is there, it is loading as something with a legit name. Two items to check are that file ComboFix removed earlier, and then just assume a known boot level driver file is altered, and correct that. And add one other scan check as well.

Go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following file on your computer.

C:\qoobox\Quarantine\C\windows\system32\termsrv32.dll.vir

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

------------

Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each:

cd\
mbr.exe -c 0 64 copy_of_sectors

Then type exit and press Enter to close the command window. Then locate that C:\copy_of_sectors, and upload it to SpyKiller as well please.

--------------

Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

Code:
:filefind
atapi.sys

-------------

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display. Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

!!!Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

That will be a very large log file, so just zip a copy of it, then send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -jmterry/cth/rdx" as the email Subject.

#37

One reason to check that file ComboFix removed is that the name ties in with a service that runs in the DcomLaunch group. Which has been involved in many of these malware shutdown problems. I would like to see what is in that file.

#38

Hi Jintan,
Since I still can't get online with this computer, I won't be able to upload the file as described in your instructions. Is it safe to put it on a thumb drive and upload it from another computer?

#39

If the files are zipped, they should be rendered non-functional. In a discussion about a different repair, creating a new user account was mentioned, and as your user account seems to be partially crippled I would like you to go ahead and create a new one. Just reboot to Safe Mode, but log in with the Administrator account. Then go to Control Panel - User Accounts, and create a new admin-level user account. Reboot to normal mode, log in as that new user account, and see if things improve.

#40

Hi Jintan,
Sorry this took so long. I created a new account like you suggested, but since the shut down starts at the welcome screen when an account is selected, it didn't really help. I uploaded the files to SpyKiller that you asked for, and I just emailed you the Radix file. Here is the SystemLook file. Thanks again.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:36 on 24/02/2010 by J. M. Terry (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [12:43 31/08/2006] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [08:48 28/08/2008] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 96512 bytes [02:58 16/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [23:30 26/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [02:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 95360 bytes [03:57 16/08/2006] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys --a--c 95360 bytes [03:58 16/08/2006] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
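The atapi.sys check that post #36 asked for, applied to the SystemLook output above, as an added example that is not part of this thread and not a tool of Jintan's or jpshortstuff's: a Python script that parses SystemLook ":filefind" result lines, groups the copies by MD5, and compares the driver Windows actually loads (system32\drivers\atapi.sys) with the service-pack backup copy. The first embedded log is the one posted above (only the wrapped path was rejoined); the second is constructed to show what a tampered in-use copy would look like, and its size and hash are invented. Function and variable names are my own.

```python
import re
from collections import defaultdict

# One SystemLook ":filefind" result line has the shape
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attr>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Copied from the SystemLook output posted above.
LOG_POSTED = r"""
Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [12:43 31/08/2006] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [08:48 28/08/2008] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 96512 bytes [02:58 16/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [23:30 26/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [02:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 95360 bytes [03:57 16/08/2006] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys --a--c 95360 bytes [03:58 16/08/2006] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
-=End Of File=-
"""

# Constructed log (NOT from the thread): the in-use copy differs in size and hash
# from the service-pack backup. The hash value is made up.
LOG_TAMPERED = r"""
Searching for "atapi.sys"
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [23:30 26/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96896 bytes [02:59 04/08/2004] [18:40 13/04/2008] 0123456789ABCDEF0123456789ABCDEF
-=End Of File=-
"""


def parse_filefind(text):
    """Turn SystemLook filefind result lines into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the list of paths that carry it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def check_active_driver(entries,
                        active_suffix=r"\system32\drivers\atapi.sys",
                        reference_suffix=r"\ServicePackFiles\i386\atapi.sys"):
    """Compare the copy Windows loads with the service-pack backup copy.
    Returns (verdict, active_md5, reference_md5); verdict is 'match', 'MISMATCH'
    or 'unknown' when one of the two copies is not in the log."""
    active = [e for e in entries if e["path"].lower().endswith(active_suffix.lower())]
    ref = [e for e in entries if e["path"].lower().endswith(reference_suffix.lower())]
    if not active or not ref:
        return ("unknown", None, None)
    a, r = active[0], ref[0]
    if a["md5"] == r["md5"] and a["size"] == r["size"]:
        return ("match", a["md5"], r["md5"])
    return ("MISMATCH", a["md5"], r["md5"])


if __name__ == "__main__":
    for name, log in (("posted", LOG_POSTED), ("tampered", LOG_TAMPERED)):
        entries = parse_filefind(log)
        print(f"== {name}: {len(entries)} copies ==")
        for md5, paths in group_by_md5(entries).items():
            print(f"  {md5}: {len(paths)} copy/copies")
        print("  in-use vs service pack:", check_active_driver(entries))
```

On the posted log the in-use driver (96512 bytes, 9F3A...) is identical to the ServicePackFiles and erdnt backup copies, while the 95360-byte copies with the 2004 timestamp are the older pre-service-pack file kept for uninstall, so nothing here points at atapi.sys. A matching on-disk hash does not clear the machine, though: Mebroot lives in the MBR and patches the kernel in memory rather than rewriting driver files, which is why in this thread the detection came from the 64-sector dump (post #42) and not from this file check.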

#41

I will have to check SpyKiller as soon as I get time. I received the Radix file, thanks. Radix shows some SDT table calls being altered by an Ad-Aware service. I don't recall ever seeing this from Ad-Aware. If it is not a paid version, or you have a key available to reinstall a paid version, I suggest you go ahead and uninstall it, just to remove one extraneous factor there.
The only items of mention from the log are that there is quite a bit of activity related to the remote access helpassistant user account. I now notice this in some of the logs posted here. And some activity from the guest account as well. As malware has been altering at least the helpassistant account lately it would be a good idea to disable that. Go to Start > Run and type: cmd.exe and OK. At the prompt type or copy/paste each of the following, pressing Enter after each:

net user helpassistant /active:no
net user guest /active:no

Then type exit and press Enter to close the command window. But for now go ahead with the Ad-Aware uninstall, being sure to reboot after.

#42

For some reason the one file uploaded that ComboFix had removed earlier came up as an empty folder. The MBR copy, however, was verified by at least three scans as Mebroot infected. So you will need to decide on repairs at this point. The only measures I have to offer will restore a Windows default MBR there, which will overwrite any existing MBR. If your system has a Dell hidden recovery partition, overwriting the MBR may also remove the means of accessing that. Not that I can offer an alternative, but I do need your say-so for repairing the MBR.
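What is actually in the copy_of_sectors file that the scans flagged, as an added example (not Jintan's tool or the scanners he used): a Python parser for a raw first-sectors dump like the one `mbr.exe -c 0 64 copy_of_sectors` produces. It validates the 0x55AA boot signature, decodes the partition table, hashes the 440-byte boot code for comparison against a known-good reference, and flags non-zero content in the normally unused sectors between the MBR and the first partition, which is where bootkit code is often stashed. The dumps below are constructed for the demonstration; the boot code bytes are a stand-in, not real Windows boot code, and the reference hash is simply the hash of the clean stand-in. Names are my own; reading the real file is the one-liner shown at the bottom.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # boot code; bytes 440..443 are the disk signature, 446.. the table


def parse_mbr(sector0):
    """Decode sector 0: boot-code hash, disk signature, non-empty partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector0[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector0, 440)[0],
        "partitions": parts,
    }


def audit_dump(dump, known_good_bootcode_sha256=None):
    """Audit a dump whose first 512 bytes are sector 0. Returns (info, findings)."""
    info = parse_mbr(dump[:SECTOR])
    findings = []
    if known_good_bootcode_sha256 and info["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("boot code differs from the known-good reference")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} active partitions (expected 1)")
    # Sectors 1 .. first_partition-1 are unpartitioned; on a plain XP disk they are zero.
    total = len(dump) // SECTOR
    first_lba = min((p["lba_start"] for p in info["partitions"]), default=total)
    nonzero = [n for n in range(1, min(first_lba, total))
               if any(dump[n * SECTOR:(n + 1) * SECTOR])]
    if nonzero:
        findings.append(f"non-zero data in unpartitioned sectors {nonzero} before the first partition")
    return info, findings


# ---- constructed test data (stand-in bytes, NOT real Windows boot code) ----
CLEAN_BOOTCODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 16).ljust(BOOTCODE_LEN, b"\x00")


def build_sector0(bootcode, partitions, disk_sig=0x12345678):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    assert len(bootcode) == BOOTCODE_LEN
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return bootcode + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


def make_clean_dump(n_sectors=64):
    """Clean XP-style layout: one active NTFS partition starting at LBA 63, rest zero."""
    s0 = build_sector0(CLEAN_BOOTCODE, [(0x80, 0x07, 63, 20_000_000)])
    return s0 + b"\x00" * (SECTOR * (n_sectors - 1))


def make_tampered_dump(n_sectors=64):
    """Same disk, but the boot code's first bytes were replaced by a jump and
    sector 2 holds a non-zero payload, the shape a bootkit stash would have."""
    bad_code = b"\xe9\x00\x01" + CLEAN_BOOTCODE[3:]
    s0 = build_sector0(bad_code, [(0x80, 0x07, 63, 20_000_000)])
    rest = bytearray(SECTOR * (n_sectors - 1))
    rest[SECTOR:2 * SECTOR] = b"\xcc" * SECTOR      # disk sector 2
    return s0 + bytes(rest)


if __name__ == "__main__":
    reference = parse_mbr(make_clean_dump()[:SECTOR])["bootcode_sha256"]
    for name, dump in (("clean", make_clean_dump()), ("tampered", make_tampered_dump())):
        info, findings = audit_dump(dump, reference)
        print(name, info["partitions"], findings or "no findings")
    # Real use: audit_dump(open(r"C:\copy_of_sectors", "rb").read(), reference_hash)
```

Two caveats when running this against a real dump. A reference hash for the boot code must come from a machine with the same boot loader: an OEM recovery MBR, such as the Dell one this post mentions, is not stock Windows boot code and will differ from it, and it is exactly that OEM code which gets lost when the MBR is overwritten with the Windows default. And a clean-looking MBR only says the on-disk sector is clean; a rootkit that hooks disk I/O can hand the OS a sanitised copy, which is why dumping from outside the infected Windows (the boot CD route earlier in this thread) is worth more than a dump taken from inside it.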

#43

Hi Jintan,
Sorry for the long delay in my reply. So let me get this right: we need to replace something called the MBR, but doing so might prevent me from reinstalling the operating system at a later date if that becomes necessary. Now if I were to reinstall everything, that would wipe out all of my data and programs, but would it fix the MBR thing? I don't think that's what I want to do, but I'm just making sure.

#44

You can always later reinstall the operating system, but you would just not have access to the pre-installed hidden recovery files you could do that with. There have been some newer repair steps since the last time you posted here that we can use, but I will still need your input on the MBR fix please.

#45

OK. Sorry to be a pain, but I'm trying to figure out if it's better to do the MBR fix or just try to save my data and do a full recovery since I don't have access to any operating system files other than what is on that hidden partition. Will I definitely lose access to those files?