Infected with unknown virus/malware...DDS not working. :(

[JoshProto22]

Hello Helpers,

My computer is infected with something. I can't say for sure what it is.

A few weeks ago, my computer was attacked by a trojan virus which basically took control of everything. A fake virus removal tool was popping up and scanning my system automatically. Then, my Dell laptop would not reboot at all. Long story short, I finally learned how to reboot my machine but then everything on my hard drive was hidden. Someone recommended that I download an application called "unhider" which helped return everything back to where it belonged.

I thought all of my problems were over but now I'm having problems with fake news sites popping open in new tabs in my Firefox browser. My computer also begins operating very slowly..almost to a crawl.

I have scanned my system with Spybot, Malwarebytes, and Ad-Aware but they all say that everything is clean.

Lastly, I have tried to run dds to get things started here on the forums but the application stalls and does not run. So, unfortunately, I do not have any dds scan results to post at this time.

I am hopeful that someone here will still be able to help me get back up and running smoothly again. I would greatly appreciate any assistance with my computer woes. Thank you very much!

[ken545]

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7 , you need to Right Click on the program and select RUN AS ADMINISTATOR



Run RKill and then give DDS another shot

• Please download rkill (Courtesy of Bleepingcomputer.com).
• There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
• Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
• Note: You only need to get one of the tools to run, not all of them.

• 1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. WiNlOgOn.exe
  5. uSeRiNiT.exe

• Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.
  
  Run rkill repeatedly until it's able to do it's job. This may take a few tries.
  
  You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.

Either way, see if this program will run, post the DDS log if you get it running and also the aswMBR log please


Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply

[JoshProto22]

Hi,

I've been away from my computer for a while so I apologize for my late reply. Thank you very much for helping me.

Here is where I am with my progress...

I followed your request to run rkill. It seemed to go through it's process without any problems. However, I still could not run DDS afterward. I tried all of the different rkill versions but didn't have any more luck with DDS. (DDS starts to scan but then freezes and never finishes. I have to do a hard restart at that point.)

Thankfully, I was able to run the aswMBR scan. Here is the log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-08 01:47:11
-----------------------------
01:47:11.828 OS Version: Windows 5.1.2600 Service Pack 3
01:47:11.828 Number of processors: 2 586 0xE08
01:47:11.828 ComputerName: BASESTATION UserName: Russell
01:47:13.453 Initialize success
01:47:20.000 AVAST engine defs: 12020701
01:47:30.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
01:47:30.234 Disk 0 Vendor: TOSHIBA_MK1032GSX AS022D Size: 93958MB BusType: 3
01:47:30.265 Disk 0 MBR read successfully
01:47:30.265 Disk 0 MBR scan
01:47:30.281 Disk 0 unknown MBR code
01:47:30.281 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
01:47:30.296 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 89141 MB offset 96390
01:47:30.328 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4753 MB offset 182675115
01:47:30.343 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 7 MB offset 192410505
01:47:30.359 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
01:47:30.359 Disk 0 scanning sectors +192426554
01:47:30.421 Disk 0 scanning C:\WINDOWS\system32\drivers
01:47:31.593 File: C:\WINDOWS\system32\drivers\APPDRV.SYS **INFECTED** Win32:Alureon-FZ
01:47:36.421 File: C:\WINDOWS\system32\drivers\i8042prt.sys **INFECTED** Win32:Aluroot-B [Rtk]
01:47:47.187 Disk 0 trace - called modules:
01:47:47.203 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a2a0ff0]<<
01:47:47.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a70bab8]
01:47:47.218 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a346490]
01:47:47.218 \Driver\00001464[0x8a2fa9f0] -> IRP_MJ_CREATE -> 0x8a2a0ff0
01:47:47.765 AVAST engine scan C:\WINDOWS
01:47:56.500 AVAST engine scan C:\WINDOWS\system32
01:51:32.375 AVAST engine scan C:\WINDOWS\system32\drivers
01:51:35.140 File: C:\WINDOWS\system32\drivers\APPDRV.SYS **INFECTED** Win32:Alureon-FZ
01:51:44.250 File: C:\WINDOWS\system32\drivers\i8042prt.sys **INFECTED** Win32:Aluroot-B [Rtk]
01:52:07.781 AVAST engine scan C:\Documents and Settings\Russell
02:06:13.078 AVAST engine scan C:\Documents and Settings\All Users
02:13:12.625 Scan finished successfully
02:13:49.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Russell\Desktop\MBR.dat"
02:13:49.953 The log file has been saved successfully to "C:\Documents and Settings\Russell\Desktop\aswMBR log.txt"


A side note... After I posted my initial help request, Malwarebytes found a couple different trojan viruses on my computer. It said it got rid of them but I'm still having Google search redirects and my computer begins working extremely sluggish within an hour or so after being turned on.

Thanks again for your help. I'm open to any further suggestions.

[ken545]

Good Morning,

It looks like your Master Boot Record may be infected with a hidden partition.

Download MBRCheck.exe to your desktop.

• Be sure to disable your security programs
• Double click on the file to run it
• A window will open on your desktop
• if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
• Please post the contents of that file.

[JoshProto22]

Hi,

Thanks for you help. I ran the MBRCheck scan and it seems to have found something. Here's the log report:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 159):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 Lbd.sys
0xB9EC3000 drvmcdb.sys
0xBA338000 PxHelp20.sys
0xB9EAC000 KSecDD.sys
0xB9E99000 WudfPf.sys
0xB9E0C000 Ntfs.sys
0xB9DDF000 NDIS.sys
0xBA108000 ohci1394.sys
0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9DC5000 Mup.sys
0xBA138000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA178000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9D45000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB970F000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB96FB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB96D3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9531000 \SystemRoot\system32\DRIVERS\NETw3x32.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB950D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB94F9000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA408000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA188000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB94AD000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB9458000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5D4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA420000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA428000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA238000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5D6000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xBA248000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA258000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9435000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA430000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA268000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xBA72C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA278000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9D21000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB941E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA288000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA298000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA438000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB940D000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA440000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA448000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB93DD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5D8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9357000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D05000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA450000 \SystemRoot\system32\DRIVERS\omci.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xBA2D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB1219000 \SystemRoot\system32\drivers\sthda.sys
0xB11F5000 \SystemRoot\system32\drivers\portcls.sys
0xBA308000 \SystemRoot\system32\drivers\drmk.sys
0xB10A1000 \SystemRoot\system32\drivers\monfilt.sys
0xB106F000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB0F72000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB0EC2000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA458000 \SystemRoot\System32\Drivers\Modem.SYS
0xB9908000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB9D5D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5DE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6A9000 \SystemRoot\System32\Drivers\Null.SYS
0xBA480000 \SystemRoot\system32\drivers\ssrtln.sys
0xBA488000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA490000 \SystemRoot\System32\drivers\vga.sys
0xBA5E2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5E4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA4A0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9D51000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0E3F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB0DE6000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB0DBE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB0D98000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB98F8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB0D76000 \SystemRoot\System32\drivers\afd.sys
0xB98E8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB98C8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB0CAB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB0C3B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB98B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB93D5000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xB98A8000 \SystemRoot\System32\Drivers\tosrfusb.sys
0xB0C20000 \SystemRoot\System32\Drivers\tosrfbd.sys
0xB9888000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB9878000 \SystemRoot\system32\DRIVERS\Tosrfhid.sys
0xBA158000 \SystemRoot\System32\Drivers\tosrfbnp.sys
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB0C1C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA168000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA348000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xBA198000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB0B05000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB0C18000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA360000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xB0AED000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5EC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB0C00000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA370000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7CC000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF08E000 \SystemRoot\System32\atikvmag.dll
0xBF0C4000 \SystemRoot\System32\ati3duag.dll
0xBF32B000 \SystemRoot\System32\ativvaxx.dll
0xBF3FE000 \SystemRoot\System32\ATMFD.DLL
0xB0D16000 \SystemRoot\system32\drivers\drvnddm.sys
0xBA6FD000 \SystemRoot\system32\dla\tfsndres.sys
0xAE997000 \SystemRoot\system32\dla\tfsnifs.sys
0xAEA35000 \SystemRoot\system32\dla\tfsnopio.sys
0xBA5F4000 \SystemRoot\system32\dla\tfsnpool.sys
0xBA388000 \SystemRoot\system32\dla\tfsnboio.sys
0xB0D06000 \SystemRoot\system32\dla\tfsncofs.sys
0xBA6FC000 \SystemRoot\system32\dla\tfsndrct.sys
0xAE97E000 \SystemRoot\system32\dla\tfsnudf.sys
0xAE965000 \SystemRoot\system32\dla\tfsnudfa.sys
0xBA390000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAE9C5000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xAE6A1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE360000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE915000 \SystemRoot\system32\drivers\sysaudio.sys
0xAE2EB000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xAE2BB000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xAE295000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xBA620000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xAE18C000 \SystemRoot\System32\Drivers\HTTP.sys
0xAE044000 \SystemRoot\system32\DRIVERS\srv.sys
0xAE375000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAD1C7000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
792 C:\WINDOWS\system32\smss.exe
932 csrss.exe
960 C:\WINDOWS\system32\winlogon.exe
1004 C:\WINDOWS\system32\services.exe
1016 C:\WINDOWS\system32\lsass.exe
1200 C:\WINDOWS\system32\ati2evxx.exe
1216 C:\WINDOWS\system32\svchost.exe
1300 svchost.exe
1332 C:\WINDOWS\system32\svchost.exe
1376 C:\WINDOWS\system32\svchost.exe
1416 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1656 C:\WINDOWS\system32\ati2evxx.exe
1756 C:\WINDOWS\explorer.exe
1904 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1932 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
2000 svchost.exe
344 svchost.exe
648 C:\WINDOWS\system32\spoolsv.exe
712 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
820 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
980 C:\Program Files\Bonjour\mDNSResponder.exe
1240 C:\Program Files\Creative\Shared Files\CTDevSrv.exe
1440 C:\WINDOWS\ehome\ehrecvr.exe
1464 C:\WINDOWS\ehome\ehSched.exe
1712 C:\Program Files\Java\jre6\bin\jqs.exe
1996 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2176 C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
2248 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2344 C:\WINDOWS\system32\svchost.exe
2772 wmiprvse.exe
3304 C:\WINDOWS\system32\dllhost.exe
3560 alg.exe
2844 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2848 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
2632 C:\Program Files\Dell\QuickSet\quickset.exe
2996 C:\Program Files\QuickTime\QTTask.exe
3160 C:\Program Files\iTunes\iTunesHelper.exe
3168 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3272 C:\WINDOWS\system32\ctfmon.exe
3448 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
3192 C:\Program Files\Logitech\SetPoint\SetPoint.exe
3476 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
3496 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
3396 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
1648 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
3996 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
400 C:\Program Files\iPod\bin\iPodService.exe
2380 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
3972 C:\Documents and Settings\Russell\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1032GSX, Rev: AS022D

Size Device Name MBR Status
--------------------------------------------
91 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 86489E3B39BA71CCD7428B67894DE6732DFFF0C8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

[ken545]

I need to get a offline dump file of your Master Boot Record, this will show me if a hidden infected partition has been installed and if so we can fix it. You may want to print this out and keep it handy.

1. xPUD
   
   We will need a USB stick and access to an uninfected machine.
   
   We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:
   
   
   • Insert your USB drive ino the uninfected machine.
   • Click on Start > My Computer > right click your USB drive > choose Format > Quick format.
   
   
   Next
   
   
   • Download both http://sourceforge.net/projects/unet...7.exe/download and http://noahdfear.net/downloads/boota...xpud-0.9.2.iso to the desktop of the uninfected machine.
   • Make sure you have the formatted USB stick in the uninfected system.
   • Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
   • Press Run and then OK.
   • Select the DiskImage option then click the browse button located on the right side of the textbox field.
   • Browse to and select the xpud-0.9.2.iso file you downloaded.
   • Verify the correct drive letter is selected for your USB device then click OK.
   • It will install a little bootable OS on your USB device
   • After it has completed do not choose to reboot the clean computer, simply close the installer.
   
   
   Next
   
   
   • Use the clean computer to download dumpit from the following link: http://noahdfear.net/downloads/dumpit
   • Once dumpit is downloaded save it to the USB stick.
   
   
   Next
   
   
   • Take the USB to the infected computer and boot with it.
   • The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
   • A Welcome to xPUD screen will appear.
   • Press File.
   • Expand mnt.
   • sda1,2...usually corresponds to your HDD.
   • sdb1 is likely your USB drive.
   • Click on the folder that represents your USB drive (sdb1 ?).
   • Confirm that you see dumpit that you downloaded there.
   • Double click on dumpit.
   • Once completed, a file called mbr.zip will be saved to the USB drive.
   • Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.
   
   
   
   If you encounter any diffuculties just let me know.
   

[JoshProto22]

Hi,

I have to go to work so I will be back later tonight to continue the troubleshooting.

Just as a quick update, here are all the symptoms my computer is experiencing right now..

The computer is becoming more and more unresponsive and sluggish, almost to the point of becoming unusable. This sluggishness goes away after a restart but returns after about 10 minutes or so.

Fake news sites and ads are popping up in new tabs in my Firefox browser.

Also, experiencing Google search redirects.

Thanks again for your help. I'll be back later tonight.

[ken545]

Still need help ?

[JoshProto22]

Hi,

I'm sorry it's taken me so long to get back to you. For one reason or another, I've had problems over the last couple of days finding an uninfected computer to work on the most recent set of procedures you gave me.

I finally was able to use another computer last night. However, I ran into one problem involving the dumpit download. The download link that you posted just opened a .txt file when I clicked on it. I also tried right-clicking and selecting "Save Target As..." to save it to the desktop but doing so just saved the .txt document instead of a .exe file. Is this link no longer valid or did I just do something wrong?

After the link didn't work, I searched and found another dumpit download site. I was a little leery of opening this download since it wasn't from a site you suggested. I did, however, save this dumpit.exe file that I found (but did not open it). Do you think it would be safe to use this file instead? I'll send you a private message of the website where I found the link so you can verify it. I don't want to post it here if it's a malicious site.

Please let me know how I need to proceed.

[JoshProto22]

OK, I see that you don't receive private messages. I can post the website where I downloaded the dumpit file if you need it. Thanks again for your help.