Google search redirected, links to wrong sites [Closed]


  • This topic is locked

#46
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
I have to take my daughter to school so I will be gone for an hour or so. In the meantime please do this:

Run System File Checker:

Go to Start >> Run and type in SFC /SCANNOW and click OK.

The System File Checker will check all the Windows files on your computer and replace any that have been deleted or damaged.
Note: You may be prompted to insert your original Windows CD, so please have this at hand.
  • 0



#47
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Also, please zip the runscanner.run file and attach it again. Something is stopping it from downloading properly.
  • 0

#48
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Ok, I'll try to run this, but I don't have the Windows CD, so I hope they won't ask.
  • 0

#49
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
It asked for the Windows CD and I don't have it, unfortunately.

I tried re-attaching the runscanner in a zip folder. I'm not sure I did it right, though.

Attached Files


  • 0

#50
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Julie,

I want to see if we can find replacements for the two files that Sophos report.

Please visit Windows VBScript Tools to download Find File Information
  • Scroll down the page until you locate Find File Information
  • Click on the small arrow to the left of the word File
  • On the right hand side, you will see a small arrow pointing down onto a hard drive (under a magnifying glass icon)
  • Click on the Arrow to Download the script
  • Save the script to your Desktop
  • Once the script has completed download, unzip it to your Desktop
Next, locate FileInfo.vbs and double click it to run the program
  • In the first dialog box, type * and click OK
  • In the next dialog box, type wdmaud and click OK
  • The program will disappear for a minute, Do Not do anything while it is running
  • When the scan is complete, it will open a Text file named searched.txt which it will save to your root drive (typically C:\searched.txt)
  • Save this to your desktop as wdmaud.txt as we will run another file search.
  • Copy and paste the results of the search in your next reply

Now following the above procedure, search for sysaudio, then save the results as sysaudio.txt

Post the contents of both reports in your next reply.
  • 0

#51
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
wdmaud:

c:\windows\$ntservicepackuninstall$\wdmaud.drv
Version: 5.1.2600.2180
Created: 1/14/2009 6:00:29 PM
Modified: 8/3/2004 11:56:57 PM
Size: 23,552 bytes
Attributes: Compressed

c:\windows\$ntservicepackuninstall$\wdmaud.sys
Version: 5.1.2600.2180
Created: 1/14/2009 6:01:35 PM
Modified: 8/3/2004 10:15:04 PM
Size: 82,944 bytes
Attributes: Compressed

c:\windows\servicepackfiles\i386\wdmaud.drv
Version: 5.1.2600.5512
Created: 8/3/2004 11:56:57 PM
Modified: 4/13/2008 4:12:45 PM
Size: 23,552 bytes

c:\windows\servicepackfiles\i386\wdmaud.sys
Version: 5.1.2600.5512
Created: 8/3/2004 10:15:04 PM
Modified: 4/13/2008 11:17:18 AM
Size: 83,072 bytes

c:\windows\softwaredistribution\download\dd9ab5193501484cf5e6884fa1d22f9e\wdmaud.drv
Version: 5.1.2600.5512
Created: 9/4/2008 8:58:31 AM
Modified: 4/13/2008 4:12:45 PM
Size: 23,552 bytes
Attributes: Archive

c:\windows\softwaredistribution\download\dd9ab5193501484cf5e6884fa1d22f9e\wdmaud.sys
Version: 5.1.2600.5512
Created: 9/4/2008 8:58:31 AM
Modified: 4/13/2008 11:17:18 AM
Size: 83,072 bytes
Attributes: Archive

c:\windows\system32\wdmaud.drv
Version: 5.1.2600.5512
Created: 8/17/2001 2:37:04 PM
Modified: 4/13/2008 4:12:45 PM
Size: 23,552 bytes
Attributes: Archive

sysaudio:

c:\windows\$ntservicepackuninstall$\sysaudio.sys
Version: 5.1.2600.2180
Created: 1/14/2009 6:01:45 PM
Modified: 8/3/2004 10:15:55 PM
Size: 60,800 bytes
Attributes: Compressed

c:\windows\servicepackfiles\i386\sysaudio.sys
Version: 5.1.2600.5512
Created: 8/3/2004 10:15:55 PM
Modified: 4/13/2008 11:15:55 AM
Size: 60,800 bytes

c:\windows\softwaredistribution\download\dd9ab5193501484cf5e6884fa1d22f9e\sysaudio.sys
Version: 5.1.2600.5512
Created: 9/4/2008 8:58:23 AM
Modified: 4/13/2008 11:15:55 AM
Size: 60,800 bytes
Attributes: Archive


Also, now my Sophos is telling me that file C:/System Volume Information/(followed by a bunch of numbers and letters) belongs to virus/spyware Troj/Daonol-Fam. Should I scan and delete this one as well?

Thanks.
  • 0
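
A listing like the one in post #51 can be checked mechanically. The Python below is an added example, not part of the original thread or of the FileInfo script: it parses that record format, groups copies by file name, notes whether any copy is listed under system32, and picks the highest-version copy from the other locations. The function names are assumptions made for illustration, and the sample is abridged from the post.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Abridged from the FileInfo output posted above (paths, versions, sizes unchanged).
SAMPLE = r"""
c:\windows\$ntservicepackuninstall$\wdmaud.sys
Version: 5.1.2600.2180
Modified: 8/3/2004 10:15:04 PM
Attributes: Compressed

c:\windows\servicepackfiles\i386\wdmaud.sys
Version: 5.1.2600.5512
Size: 83,072 bytes
c:\windows\servicepackfiles\i386\wdmaud.drv
Version: 5.1.2600.5512
c:\windows\system32\wdmaud.drv
Version: 5.1.2600.5512
Attributes: Archive
"""

def parse_fileinfo(text):
    """One dict per record; a record starts at a drive-letter path line."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"[a-z]:\\", line, re.I):
            records.append({"path": PureWindowsPath(line)})
        elif ":" in line and records:
            key, value = line.split(":", 1)
            records[-1][key.strip().lower()] = value.strip()
    return records

def version_key(rec):
    """Dotted version as an int tuple so 5.1.2600.5512 sorts above 5.1.2600.2180."""
    return tuple(int(p) for p in rec.get("version", "0").split("."))

def summarize(records):
    """Per file name: whether a system32 copy is listed, and the newest other copy."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["path"].name.lower()].append(rec)
    summary = {}
    for name, recs in by_name.items():
        live = [r for r in recs if "system32" in map(str.lower, r["path"].parts)]
        others = [r for r in recs if r not in live]
        newest = max(others, key=version_key) if others else None
        summary[name] = {"live": bool(live),
                         "newest_other": str(newest["path"]) if newest else None}
    return summary
```

Records that lack an Attributes line run together without a blank line in this output, which is why the parser keys on the path line rather than on blank-line separators.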

#52
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Can you run another Kaspersky scan for me please Julie:

Please run an online scan with Kaspersky WebScanner.
Note: You must use Internet Explorer to run this scan, and you must disable your Anti Virus program during the scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the View scan report link:
  • Click the Save report as button
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.

  • 0

#53
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 15, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 15, 2009 23:06:00
Records in database: 1627818
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\
J:\

Scan statistics:
Files scanned: 92018
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:57:24

No malware has been detected. The scan area is clean.

The selected area was scanned.
  • 0

#54
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts

Also, now my Sophos is telling me that file C:/System Volume Information/(followed by a bunch of numbers and letters) belongs to virus/spyware Troj/Daonol-Fam. Should I scan and delete this one as well?


This is in your system restore, and is safe as long as you don't revert to an earlier restore point. It is also easily fixed, though I want to leave it for now. Are you still getting the redirects?
  • 0

#55
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
On and off.

Right now I'm not, but this morning I was.
  • 0



#56
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Whatever is causing this is certainly well hidden!

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the box that says Include MD5
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Check the Radio button under Drivers for Non Microsoft
  • Check the radio button under Rootkit Search for Yes
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please zip the log and attach the zipped file in your next post.
  • 0

#57
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
How do I zip the log?
Apologies for being so clueless.
  • 0

#58
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Also, the link for the program doesn't work.
  • 0

#59
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Try downloading it from here.

To zip the log, save it to your desktop first as OTScanit-Results.txt then right click on it and choose Send to then Compressed (Zipped) Folder.

This will create a zipped file named OTScanit-Results.zip on your desktop. Upload that file.
  • 0

#60
Undersea_Gal

Undersea_Gal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Here it is.

Attached Files


  • 0





