
Multiple Iexplore.exe processes running, causing audio and pop-ups.


  • This topic is locked
27 replies to this topic

#1 goodweiser

goodweiser

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:39 PM

Posted 27 July 2010 - 05:21 PM

Hello,

I am running Windows XP SP 3. I always use Chrome as my normal browser, but over the last few weeks I have noticed multiple iexplore.exe processes running in Task Manager. The iexplore.exe processes are always running under the SYSTEM account.

When my audio is on I can hear the IE "click" indicating a window has opened, yet no browser actually opens. I also hear audio clips of commercials, such as Slim Jim commercials and other random ads. I also receive Internet Explorer error windows asking me to either Continue or Cancel.

I ran the recommended anti-malware software and that seemed to just mask the problem. While the iexplore.exe processes are no longer visible in Task Manager, they are running as hidden processes, with all the same symptoms mentioned above.

If I try to actually open the IE browser, the computer thinks for a bit but never actually opens the window.

The DDS log contents are pasted below and I'm attaching the DDS Attach and GMER (Ark.txt) logs. Thanks in advance for any assistance you can provide!

Dan



DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 17:51:40.54 on Tue 07/27/2010
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2279 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe 4
svchost.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\DOCUME~1\Dan\LOCALS~1\Temp\clclean.0001
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dan\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2060923
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=16314
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://sslvpn.amica.com/whalecom63bc792f8cfe821ccba43f03a785/whalecom0/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxps://sslvpn.amica.com/whalecom63bc792f8cfe821ccba43f03a785/whalecom0/tsweb/msrdp.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sslvpn.amica.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.amica.com/dana-cached/sc/JuniperSetupClient.cab
TCP: {47B0AA72-53FF-4BF6-9384-8B46FA1B076E} = 68.105.28.11,68.105.29.11
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\m7ictwow.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?referrer=ign
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=FdYq2SFF.6UT7ZSUJ9lsvw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\dan\application data\mozilla\firefox\profiles\m7ictwow.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\firefox\profiles\m7ictwow.default\extensions\activegs@freetoolsassociation.com\platform\winnt_x86-msvc\plugins\npActiveGS.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\firefox\profiles\m7ictwow.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dan\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-30 164048]
R1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\drivers\NEOFLTR_650_14951.SYS [2009-12-15 85288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-30 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-19 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-19 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 whlva;Whale Network Connector;c:\windows\system32\drivers\whlva.sys --> c:\windows\system32\drivers\whlva.sys [?]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]

=============== Created Last 30 ================

2010-07-25 11:18:36 0 d-----w- c:\docume~1\dan\applic~1\SUPERAntiSpyware.com
2010-07-25 11:18:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-25 11:18:22 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-24 21:42:53 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-24 21:42:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-13 23:04:37 0 d-----w- c:\program files\CONEXANT
2010-07-13 22:45:19 0 d-----w- c:\windows\SxsCaPendDel
2010-07-13 19:56:02 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 21:40:03 0 d-----w- c:\program files\Steam
2010-07-07 20:06:25 1541 ----a-w- c:\documents and settings\dan\.recently-used.xbel

==================== Find3M ====================

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2006-10-18 19:25:12 88 --sh--r- c:\windows\system32\2A2229E5F6.sys
2006-10-18 19:25:14 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-28 22:41:43 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 17:52:29.26 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:39 PM

Posted 05 August 2010 - 08:51 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 goodweiser

goodweiser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:39 PM

Posted 07 August 2010 - 06:48 PM

Hi Mole,

Thanks! And yes, I am still here.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:39 PM

Posted 07 August 2010 - 06:52 PM

The symptoms are definitely a rootkit's.

Please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 goodweiser

goodweiser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:39 PM

Posted 07 August 2010 - 06:57 PM

Thanks for the quick response Mole!

As requested here is the MBR log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 141):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xBA108000 ohci1394.sys
0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9DEE000 Mup.sys
0xBA138000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA168000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9DC6000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB944B000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9437000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB940F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB92B1000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xBA440000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB928D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA448000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA178000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xB9279000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA458000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA188000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB922D000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xBA198000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB91FD000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5CC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA478000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA480000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB91DA000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA498000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA723000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9629000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA550000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB91C3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9619000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB9609000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA340000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB91B2000 \SystemRoot\system32\DRIVERS\psched.sys
0xB95F9000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA360000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA370000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9182000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB95E9000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5D2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9124000 \SystemRoot\system32\DRIVERS\update.sys
0xB97E6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB95D9000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA8F2C000 \SystemRoot\system32\drivers\sthda.sys
0xA8F08000 \SystemRoot\system32\drivers\portcls.sys
0xB95B9000 \SystemRoot\system32\drivers\drmk.sys
0xA8DB4000 \SystemRoot\system32\drivers\monfilt.sys
0xA8D7A000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xA8C83000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xA8BCD000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBA398000 \SystemRoot\System32\Drivers\Modem.SYS
0xB95A9000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5A4000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5E2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA788000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5E6000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3B8000 \SystemRoot\System32\drivers\vga.sys
0xBA5EA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3C8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3D8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9DC2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8B72000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8B19000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8B01000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_650_14951.SYS
0xA8ADB000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB9599000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA8A8B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8A69000 \SystemRoot\System32\drivers\afd.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8A47000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA418000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA8A1C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA89AC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1F8000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA3F8000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xA8985000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBA410000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBA218000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8945000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5F8000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8BA5000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA460000 \SystemRoot\System32\watchdog.sys
0xBA228000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA238000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7DF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8891000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBA490000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA8781000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA8729000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA847E000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA8339000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA8140000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8191000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7FD1000 \SystemRoot\system32\DRIVERS\srv.sys
0xA7FB9000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
0xA7E8C000 \SystemRoot\system32\drivers\wdmaud.sys
0xA82D9000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7E17000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xA7DE7000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xA7DC1000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xBA3E8000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xBA430000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA75F6000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA6C98000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 68):
0 System Idle Process
4 System
504 C:\WINDOWS\system32\smss.exe
932 csrss.exe
956 C:\WINDOWS\system32\winlogon.exe
1000 C:\WINDOWS\system32\services.exe
1012 C:\WINDOWS\system32\lsass.exe
1184 C:\WINDOWS\system32\svchost.exe
1256 svchost.exe
1300 C:\WINDOWS\system32\svchost.exe
1304 C:\WINDOWS\system32\svchost.exe
1400 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1452 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1484 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1580 svchost.exe
1652 svchost.exe
1936 C:\WINDOWS\system32\svchost.exe
2016 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
600 C:\WINDOWS\system32\spoolsv.exe
676 svchost.exe
708 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
724 C:\Program Files\Bonjour\mDNSResponder.exe
756 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
784 C:\WINDOWS\system32\CTSVCCDA.EXE
796 C:\WINDOWS\ehome\ehrecvr.exe
812 C:\WINDOWS\ehome\ehSched.exe
1140 C:\WINDOWS\system32\svchost.exe
1204 C:\Program Files\Java\jre6\bin\jqs.exe
1588 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1752 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
1776 C:\WINDOWS\ehome\RMSvc.exe
1800 svchost.exe
1840 C:\WINDOWS\system32\stacsv.exe
2088 C:\WINDOWS\system32\svchost.exe
2128 McrdSvc.exe
2316 wmpnetwk.exe
2956 C:\WINDOWS\system32\dllhost.exe
3160 alg.exe
3868 C:\WINDOWS\system32\wscntfy.exe
3656 C:\WINDOWS\explorer.exe
748 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
876 C:\Program Files\Java\jre6\bin\jusched.exe
1240 C:\WINDOWS\stsystra.exe
1684 C:\WINDOWS\system32\rundll32.exe
1956 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
3048 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
3776 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
1360 C:\WINDOWS\system32\igfxpers.exe
2512 C:\WINDOWS\system32\igfxsrvc.exe
2712 C:\WINDOWS\system32\hkcmd.exe
3236 C:\WINDOWS\ehome\ehtray.exe
3404 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
3436 C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
2728 C:\WINDOWS\system32\TaskSwitch.exe
4036 C:\DOCUME~1\Dan\LOCALS~1\Temp\clclean.0001
1828 C:\WINDOWS\ehome\ehmsas.exe
3944 C:\Program Files\iTunes\iTunesHelper.exe
1216 C:\Program Files\Windows Media Player\wmpnscfg.exe
3368 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2716 C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
3616 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3152 C:\Program Files\Messenger\msmsgs.exe
1328 C:\WINDOWS\ehome\RMSysTry.exe
2892 C:\Program Files\iPod\bin\iPodService.exe
5096 C:\Program Files\Mozilla Firefox\firefox.exe
2240 C:\Program Files\Mozilla Firefox\plugin-container.exe
3084 C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
3312 C:\Documents and Settings\Dan\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-75LAT0, Rev: 02.06M02

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 40CDA7FAB46ED5C590709E4BD531651D56F0F6C0


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:39 PM

Posted 07 August 2010 - 07:53 PM

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up, or the partitions may become corrupted. I recommend you have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR: If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run it (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

m0le is a proud member of UNITE
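The MBRCheck output in post #5 reports "Known-bad MBR code detected (Whistler / Black Internet)!" together with a SHA1 of the sector, and the fix in post #6 rewrites that boot code. The Python script below is an added example, not MBRCheck's code or anything posted by the participants: it shows the check a responder would run on a dumped 512-byte MBR image, namely validate the 0x55AA boot marker, hash the 440-byte boot-code region, compare that hash against known-good and known-bad sets, and decode the partition table to confirm it was left intact. The MBR layout offsets are the classic layout and are an assumption of the example; every sample image, boot-code byte string and hash set here is constructed for the demo, and the one hash copied from the MBRCheck output above is included for illustration only, since the thread does not say which byte range MBRCheck hashes.

```python
"""Added example: MBR triage by boot-code hash (not MBRCheck's code; layout
assumptions are the classic 512-byte MBR: 440 bytes boot code, 4-byte disk
signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA marker)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # region a bootkit such as Whistler overwrites
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def sha1_boot_code(mbr: bytes) -> str:
    """Hash only the boot-code bytes so a disk-signature or partition edit
    does not change the verdict."""
    return hashlib.sha1(mbr[:BOOT_CODE_SIZE]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries, skipping empty (type 0x00) slots."""
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def triage_mbr(mbr: bytes, known_good: set, known_bad: set) -> dict:
    """Classify an MBR image: invalid, known-bad, known-good, or unknown.
    Known-bad is checked first so a denylist hit always wins."""
    if len(mbr) != MBR_SIZE:
        return {"verdict": "invalid-size", "sha1": None, "partitions": []}
    if mbr[510:512] != BOOT_SIGNATURE:
        return {"verdict": "invalid-signature", "sha1": None, "partitions": []}
    digest = sha1_boot_code(mbr)
    if digest in known_bad:
        verdict = "known-bad"
    elif digest in known_good:
        verdict = "known-good"
    else:
        verdict = "unknown"   # unrecognised code: manual review, not automatic repair
    return {"verdict": verdict, "sha1": digest, "partitions": parse_partitions(mbr)}


def build_mbr(boot_code: bytes, partitions=(), signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a 512-byte MBR image from constructed pieces (test data only).
    partitions: iterable of (type, lba_start, sectors, bootable)."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code exceeds 440 bytes")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    for i, (ptype, lba_start, sectors, bootable) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\x00" * 3, ptype,
                         b"\x00" * 3, lba_start, sectors)
    buf[510:512] = signature
    return bytes(buf)


# Constructed sample boot code (placeholder bytes, not a real loader or bootkit).
CLEAN_BOOT_CODE = b"\xEB\xFE" + b"\x00" * 438
SUSPICIOUS_BOOT_CODE = b"\x90" * 64 + b"\xEB\xFE"

KNOWN_GOOD = {sha1_boot_code(build_mbr(CLEAN_BOOT_CODE))}
KNOWN_BAD = {
    sha1_boot_code(build_mbr(SUSPICIOUS_BOOT_CODE)),
    # SHA1 reported by MBRCheck in this thread; shown for illustration only,
    # since the thread does not state which byte range MBRCheck hashes.
    "40CDA7FAB46ED5C590709E4BD531651D56F0F6C0",
}


def demo() -> dict:
    """Run the four cases a responder meets: clean, bootkit, unrecognised edit,
    missing boot signature. Returns the verdict for each."""
    parts = [(0x07, 63, 230_000_000, True)]   # one bootable NTFS partition, constructed
    tampered = CLEAN_BOOT_CODE[:10] + b"\x01" + CLEAN_BOOT_CODE[11:]
    return {
        "clean": triage_mbr(build_mbr(CLEAN_BOOT_CODE, parts), KNOWN_GOOD, KNOWN_BAD)["verdict"],
        "bootkit": triage_mbr(build_mbr(SUSPICIOUS_BOOT_CODE, parts), KNOWN_GOOD, KNOWN_BAD)["verdict"],
        "tampered": triage_mbr(build_mbr(tampered, parts), KNOWN_GOOD, KNOWN_BAD)["verdict"],
        "no_signature": triage_mbr(build_mbr(CLEAN_BOOT_CODE, parts, b"\x00\x00"),
                                   KNOWN_GOOD, KNOWN_BAD)["verdict"],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

Hashing only the first 440 bytes is deliberate: the disk signature and partition table legitimately differ from machine to machine, while the boot code of a given Windows version is fixed, so that is the region where a match to a known hash means something. An "unknown" verdict is a prompt to compare the sector against a clean copy of the same Windows version by hand, not a green light to rewrite it.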

#7 goodweiser

goodweiser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:39 PM

Posted 08 August 2010 - 07:18 AM

Thanks Mole, I followed the steps and here is the resulting MBRCheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 141):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xBA108000 ohci1394.sys
0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9DEE000 Mup.sys
0xBA138000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA158000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9DCA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9541000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB952D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9505000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB93A7000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xBA448000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9383000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA450000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA168000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xB936F000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA460000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA178000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB9323000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xBA188000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB92F3000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5C8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA488000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA198000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB971F000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB970F000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB92D0000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA4A0000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA723000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB96FF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA54C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB92B9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB96EF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB96DF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA358000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB92A8000 \SystemRoot\system32\DRIVERS\psched.sys
0xB96CF000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA368000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA378000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9278000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB96BF000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB921A000 \SystemRoot\system32\DRIVERS\update.sys
0xB98AA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB96AF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9022000 \SystemRoot\system32\drivers\sthda.sys
0xA8FFE000 \SystemRoot\system32\drivers\portcls.sys
0xB968F000 \SystemRoot\system32\drivers\drmk.sys
0xA8EAA000 \SystemRoot\system32\drivers\monfilt.sys
0xA8E70000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xA8D79000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xA8CC3000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBA3A0000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA1A8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5A0000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5DE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA75C000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5E2000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3C0000 \SystemRoot\System32\drivers\vga.sys
0xBA5E6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5EA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3D0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3E0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9DC6000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8C68000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8C0F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8BF7000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_650_14951.SYS
0xA8BD1000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA1B8000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA8B81000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8B5F000 \SystemRoot\System32\drivers\afd.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8B3D000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA3F8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA8B12000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8AA2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1E8000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA408000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xA8A7B000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBA420000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBA208000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8A3B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5F2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8CA3000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA468000 \SystemRoot\System32\watchdog.sys
0xBA218000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA228000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7C0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8983000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBA4A8000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA887B000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA883B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8614000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA83A7000 \SystemRoot\system32\drivers\wdmaud.sys
0xA837A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA85BC000 \SystemRoot\system32\drivers\sysaudio.sys
0xA82DD000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xA82AD000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xA8287000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xA7ED9000 \SystemRoot\System32\Drivers\HTTP.sys
0xA7E32000 \SystemRoot\system32\DRIVERS\srv.sys
0xA7FF2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7E1A000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
0xBA400000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xBA388000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA7366000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA71FB000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 68):
0 System Idle Process
4 System
496 C:\WINDOWS\system32\smss.exe
924 csrss.exe
948 C:\WINDOWS\system32\winlogon.exe
992 C:\WINDOWS\system32\services.exe
1004 C:\WINDOWS\system32\lsass.exe
1188 C:\WINDOWS\system32\svchost.exe
1256 svchost.exe
1312 C:\WINDOWS\system32\svchost.exe
1388 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1424 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1480 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1600 svchost.exe
1656 svchost.exe
1916 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
516 C:\WINDOWS\explorer.exe
800 C:\WINDOWS\system32\spoolsv.exe
884 svchost.exe
1160 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1008 C:\Program Files\Bonjour\mDNSResponder.exe
1220 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
1504 C:\WINDOWS\system32\CTSVCCDA.EXE
1520 C:\WINDOWS\ehome\ehrecvr.exe
1576 C:\WINDOWS\ehome\ehSched.exe
2040 C:\WINDOWS\system32\svchost.exe
172 C:\Program Files\Java\jre6\bin\jqs.exe
240 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
384 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
420 C:\WINDOWS\ehome\RMSvc.exe
540 svchost.exe
560 C:\WINDOWS\system32\stacsv.exe
1336 C:\WINDOWS\system32\svchost.exe
1736 McrdSvc.exe
2092 wmpnetwk.exe
2116 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2132 C:\Program Files\Java\jre6\bin\jusched.exe
2240 C:\WINDOWS\stsystra.exe
2328 C:\WINDOWS\system32\rundll32.exe
2356 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
2476 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
2504 C:\WINDOWS\system32\wuauclt.exe
2648 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
2696 C:\WINDOWS\system32\igfxpers.exe
2704 C:\WINDOWS\system32\hkcmd.exe
2720 C:\WINDOWS\ehome\ehtray.exe
2744 C:\WINDOWS\system32\igfxsrvc.exe
2792 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
2828 C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
2864 C:\WINDOWS\system32\TaskSwitch.exe
2896 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
2916 C:\Program Files\iTunes\iTunesHelper.exe
2996 C:\Program Files\Windows Media Player\wmpnscfg.exe
3068 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3148 wmiprvse.exe
3220 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3332 C:\Program Files\Messenger\msmsgs.exe
3344 C:\DOCUME~1\Dan\LOCALS~1\Temp\clclean.0001
2872 C:\WINDOWS\ehome\RMSysTry.exe
2940 alg.exe
2928 C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
3364 C:\WINDOWS\system32\dllhost.exe
2340 C:\WINDOWS\ehome\ehmsas.exe
3736 C:\Program Files\iPod\bin\iPodService.exe
3048 C:\Program Files\Mozilla Firefox\firefox.exe
1760 C:\Documents and Settings\Dan\Desktop\MBRCheck.exe
3472 C:\WINDOWS\system32\wscntfy.exe
4060 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-75LAT0, Rev: 02.06M02

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 86489E3B39BA71CCD7428B67894DE6732DFFF0C8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#8 m0le

m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 August 2010 - 01:27 PM

That just scanned again.

At the bottom of the log this text is found.

QUOTE
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Did you press Y and enter when this came up? The log says that you didn't. Please try again.

#9 goodweiser

goodweiser
  • Topic Starter

  • Members
  • 14 posts

Posted 08 August 2010 - 04:55 PM

Hi Mole, my apologies. I followed your instructions a second time and this is what I see:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 140):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xBA108000 ohci1394.sys
0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9DEE000 Mup.sys
0xBA138000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9DAA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9261000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB924D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9225000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB90C7000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xBA488000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB90A3000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA490000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xB908F000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB9043000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB9013000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5EA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA358000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA360000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA208000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA218000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8FF0000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA370000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA776000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA228000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB97C0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8FD9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB943F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB942F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA390000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8FC8000 \SystemRoot\system32\DRIVERS\psched.sys
0xB941F000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3B0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8F98000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB940F000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5F0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8F3A000 \SystemRoot\system32\DRIVERS\update.sys
0xBA56C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB93FF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA8D42000 \SystemRoot\system32\drivers\sthda.sys
0xA8D1E000 \SystemRoot\system32\drivers\portcls.sys
0xB93CF000 \SystemRoot\system32\drivers\drmk.sys
0xA8BCA000 \SystemRoot\system32\drivers\monfilt.sys
0xA8B90000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xA8A99000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xA89E3000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBA3D0000 \SystemRoot\System32\Drivers\Modem.SYS
0xB93BF000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB97E0000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA61C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA68B000 \SystemRoot\System32\Drivers\Null.SYS
0xBA61E000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3E8000 \SystemRoot\System32\drivers\vga.sys
0xBA622000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA626000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3F8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA408000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB97D0000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8988000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA892F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8917000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_650_14951.SYS
0xA88F1000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB93AF000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA88C9000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA88A7000 \SystemRoot\System32\drivers\afd.sys
0xBA238000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8885000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA420000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA8832000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA87C2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA258000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA428000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xA879B000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBA438000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBA278000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA875B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA630000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA89C7000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA460000 \SystemRoot\System32\watchdog.sys
0xBA298000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA725000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA86AB000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBA378000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA85A3000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA8563000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8334000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA814F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA8112000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8463000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7FD5000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xA7FA5000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xA7F7F000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xA7BF7000 \SystemRoot\System32\Drivers\HTTP.sys
0xA7CD8000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7B67000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
0xA79F8000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA440000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xBA4B0000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA7174000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 66):
0 System Idle Process
4 System
496 C:\WINDOWS\system32\smss.exe
924 csrss.exe
948 C:\WINDOWS\system32\winlogon.exe
992 C:\WINDOWS\system32\services.exe
1004 C:\WINDOWS\system32\lsass.exe
1168 C:\WINDOWS\system32\svchost.exe
1248 svchost.exe
1292 C:\WINDOWS\system32\svchost.exe
1352 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1388 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1432 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1532 svchost.exe
1644 svchost.exe
1892 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
540 C:\WINDOWS\system32\spoolsv.exe
628 svchost.exe
764 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
880 C:\Program Files\Bonjour\mDNSResponder.exe
968 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
1196 C:\WINDOWS\system32\CTSVCCDA.EXE
1232 C:\WINDOWS\ehome\ehrecvr.exe
1348 C:\WINDOWS\explorer.exe
1516 C:\WINDOWS\ehome\ehSched.exe
1916 C:\WINDOWS\system32\svchost.exe
1924 C:\Program Files\Java\jre6\bin\jqs.exe
2072 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2136 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2152 C:\WINDOWS\ehome\RMSvc.exe
2184 svchost.exe
2208 C:\WINDOWS\system32\stacsv.exe
2300 C:\WINDOWS\system32\svchost.exe
2336 McrdSvc.exe
2484 wmpnetwk.exe
2896 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2912 C:\Program Files\Java\jre6\bin\jusched.exe
2932 C:\WINDOWS\stsystra.exe
3032 C:\WINDOWS\system32\rundll32.exe
3040 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
3056 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
3088 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
3156 C:\WINDOWS\system32\igfxpers.exe
3204 C:\WINDOWS\system32\hkcmd.exe
3216 C:\WINDOWS\ehome\ehtray.exe
3236 C:\WINDOWS\system32\igfxsrvc.exe
3252 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
3292 C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
3312 C:\WINDOWS\system32\TaskSwitch.exe
3496 C:\Program Files\iTunes\iTunesHelper.exe
3552 C:\Program Files\Windows Media Player\wmpnscfg.exe
3564 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3744 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3760 C:\Program Files\Messenger\msmsgs.exe
3796 C:\DOCUME~1\Dan\LOCALS~1\Temp\clclean.0001
672 C:\WINDOWS\ehome\RMSysTry.exe
2272 C:\WINDOWS\system32\dllhost.exe
652 C:\WINDOWS\ehome\ehmsas.exe
1136 alg.exe
3008 C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
1684 C:\Program Files\iPod\bin\iPodService.exe
3944 C:\WINDOWS\system32\wscntfy.exe
836 C:\Program Files\Mozilla Firefox\firefox.exe
664 C:\Program Files\Mozilla Firefox\plugin-container.exe
2768 C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
2740 C:\Documents and Settings\Dan\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-75LAT0, Rev: 02.06M02

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 86489E3B39BA71CCD7428B67894DE6732DFFF0C8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

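The two MBRCheck logs above (posts #7 and #9) are long, and the parts that matter for triage are easy to miss by eye: the "MBR Status" line, the SHA1 of the boot code, drivers that were loaded from an explicit \??\C:\ path rather than from \SystemRoot, and processes whose image lives in a Temp directory or cannot be resolved at all. The following is an added example of my own, not code from this thread or from MBRCheck; it parses that log format and pulls those items out. The log excerpt embedded in it is constructed from lines of the posted logs, the SHA1 allowlist is empty by default (a real one would hold hashes of known-good boot code for your disks), and the section names and regular expressions are my own reading of the format, not a documented MBRCheck grammar.

```python
"""Triage helper for MBRCheck-style logs (added example, not MBRCheck code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the MBRCheck output posted in this thread;
# the real log is several hundred lines long.
SAMPLE_LOG = r"""
MBRCheck, version 1.2.3
Windows Version: Windows XP Professional

Kernel Drivers (total 5):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xBA1B8000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA8BF7000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_650_14951.SYS
0xA8B3D000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xA7E1A000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys

Processes (total 5):
0 System Idle Process
4 System
3344 C:\DOCUME~1\Dan\LOCALS~1\Temp\clclean.0001
1760 C:\Documents and Settings\Dan\Desktop\MBRCheck.exe
4060 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 86489E3B39BA71CCD7428B67894DE6732DFFF0C8

Found non-standard or infected MBR.
"""

DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]{8})\s+(\S.*)$")   # load address, image path
PROC_RE = re.compile(r"^(\d+)\s+(\S.*)$")                  # pid, image path
MBR_RE = re.compile(r"^(\d+ [GM]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})$")


@dataclass
class Triage:
    drivers: List[Tuple[str, str]] = field(default_factory=list)
    processes: List[Tuple[int, str]] = field(default_factory=list)
    mbr: List[Tuple[str, str, str]] = field(default_factory=list)
    sha1: Optional[str] = None
    infected_flag: bool = False


def parse_mbrcheck(text: str) -> Triage:
    """Walk the log once, switching sections on the headers MBRCheck prints."""
    t = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Kernel Drivers"):
            section = "drivers"
            continue
        if line.startswith("Processes"):
            section = "processes"
            continue
        if line.startswith("Size Device Name"):
            section = "mbr"
            continue
        if line.startswith("Found non-standard or infected MBR"):
            t.infected_flag = True
            continue
        m = SHA1_RE.match(line)
        if m:
            t.sha1 = m.group(1).upper()
            continue
        if section == "drivers" and (m := DRIVER_RE.match(line)):
            t.drivers.append((m.group(1), m.group(2)))
        elif section == "processes" and (m := PROC_RE.match(line)):
            t.processes.append((int(m.group(1)), m.group(2)))
        elif section == "mbr" and (m := MBR_RE.match(line)):
            t.mbr.append((m.group(1), m.group(2), m.group(3)))
    return t


def explicit_path_drivers(t: Triage) -> List[str]:
    """Drivers listed with a \\??\\ prefix were loaded via an absolute Win32 path
    (typically a third-party ImagePath) rather than from the system driver
    directories. That is a review list, not evidence of infection by itself."""
    return [path for _, path in t.drivers if path.startswith("\\??\\")]


def suspicious_processes(t: Triage) -> List[Tuple[int, str, str]]:
    """Processes with an unresolvable image or an image under a Temp directory."""
    out = []
    for pid, image in t.processes:
        if image == "<unknown>":
            out.append((pid, image, "image path could not be resolved"))
        elif "\\temp\\" in image.lower():
            out.append((pid, image, "running from a temporary directory"))
    return out


def mbr_findings(t: Triage, known_good_sha1: set) -> List[str]:
    """Reasons to treat the MBR as suspect; known_good_sha1 is the caller's allowlist."""
    reasons = []
    for _, device, status in t.mbr:
        if "unknown" in status.lower() or "infected" in status.lower():
            reasons.append(f"{device}: MBRCheck reports '{status}'")
    if t.sha1 and t.sha1 not in known_good_sha1:
        reasons.append(f"boot-code SHA1 {t.sha1} is not in the allowlist")
    if t.infected_flag:
        reasons.append("log carries the 'Found non-standard or infected MBR' banner")
    return reasons


if __name__ == "__main__":
    triage = parse_mbrcheck(SAMPLE_LOG)
    print("explicit-path drivers:", *explicit_path_drivers(triage), sep="\n  ")
    print("suspicious processes:", *suspicious_processes(triage), sep="\n  ")
    print("MBR findings:", *mbr_findings(triage, set()), sep="\n  ")
```

Run against the full log from post #7 the same three lists come out: the \??\ drivers (NEOFLTR, the two SUPERAntiSpyware drivers, PfModNT), the clclean.0001 process in Temp plus the `<unknown>` pid 4060, and the "Unknown MBR code" status with its SHA1. None of that decides anything on its own; it tells the helper what to ask about next, which is exactly what the thread's step-by-step instructions are doing by hand.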


#10 m0le

m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 August 2010 - 05:40 PM

I don't understand this. Tell me what you are doing when you run MBRCheck.



#11 goodweiser

goodweiser
  • Topic Starter

  • Members
  • 14 posts

Posted 08 August 2010 - 06:06 PM

Hi Mole,

I am attaching screen shots of the process I'm running through.

The attachment titled RunMBRCHeck.png is the first part of your request, where I run MBRCheck and eventually reboot the system. The log file I am attaching titled MBRCheck_08.08.10_18.42.30.txt is the output from this. I then reboot my machine.

The file titled AfterRebootMBRCheck is what I see after I restart my PC and launch MBRCheck a second time. The log file titled AfterRebootMBRCheck_08.08.10_18.58.29.txt is the log created when I run MBRCheck a second time.

I apologize that I am making this more complicated than it needs to be and thank you for your continued assistance!

Dan

Attached Files



#12 m0le

m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 August 2010 - 06:15 PM

Thanks for the screenshots. That's not your fault, you did the instructions perfectly.

Sometimes it just doesn't work and here's one of those times.


There are other ways to do this fortunately, please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#13 goodweiser

goodweiser
  • Topic Starter

  • Members
  • 14 posts

Posted 08 August 2010 - 07:18 PM

Hi Mole,

Good! I thought I was doing something wrong.
Here are the results of the combfix.exe run.

Thanks!

Attached Files



#14 m0le

m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 August 2010 - 04:36 PM

First, if you have now installed the Recovery console, you need to boot into it. Reboot the PC and it should give you the option to do this.

Once in Recovery Console, please type fixmbr and hit enter.

Type exit to exit and restart your PC.


When you have done that rerun Combofix, as below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

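The fixmbr step in the post above is worth seeing in terms of what is actually on the disk. The MBR is the first 512-byte sector: boot code at the start, a 4-byte disk signature at offset 440, four 16-byte partition entries from offset 446, and the 0x55AA signature in the last two bytes. fixmbr rewrites only the boot-code region and leaves the partition table alone, which is why it is safe to run when MBRCheck reports "Unknown MBR code" but the volumes still mount. The following is an added example of my own, not code from this thread, from the Recovery Console or from MBRCheck: it builds a constructed MBR image in memory, parses it, hashes the boot code, classifies it against an allowlist, and then models the fixmbr rewrite. The boot-code bytes and the allowlist are constructed values, and hashing exactly bytes 0..439 as MBRCheck's SHA1 basis is my assumption, not something the thread states.

```python
"""MBR parse / classify / rewrite model (added example; constructed data only)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # assumption: hash this region, as an MBRCheck-style tool would
DISK_SIG_OFF = 440           # 4-byte NT disk signature
PART_TABLE_OFF = 446         # 4 entries x 16 bytes
SIGNATURE_OFF = 510          # 0x55 0xAA

# Constructed stand-ins for boot code; no relation to any real loader or malware.
CONSTRUCTED_GOOD_CODE = bytes(range(0x10, 0x50))
CONSTRUCTED_BAD_CODE = bytes(range(0xA0, 0xE0))

# Constructed allowlist: in practice this holds hashes of boot code you trust.
KNOWN_GOOD = {hashlib.sha1(CONSTRUCTED_GOOD_CODE.ljust(BOOT_CODE_LEN, b"\0")).hexdigest().upper()}


def build_sector(boot_code: bytes, partitions, disk_sig: int = 0x12345678) -> bytes:
    """Assemble a 512-byte MBR image from boot code and (bootable, type, lba_start, lba_count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the MBR code region")
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, lba_count) in enumerate(partitions[:4]):
        # status, CHS start (unused here), type, CHS end (unused), LBA start, sector count
        struct.pack_into("<B3sB3sII", sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         lba_start, lba_count)
    sec[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sec)


def is_valid_mbr(sec: bytes) -> bool:
    return len(sec) == SECTOR_SIZE and sec[SIGNATURE_OFF:] == b"\x55\xAA"


def parse_mbr(sec: bytes) -> dict:
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if not is_valid_mbr(sec):
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sec, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "lba_count": count})
    return {
        "code_sha1": hashlib.sha1(sec[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sec, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def classify(sec: bytes, known_good: set) -> dict:
    """Same decision MBRCheck makes: is the boot-code hash one we recognise?"""
    info = parse_mbr(sec)
    info["status"] = "Known MBR code" if info["code_sha1"] in known_good else "Unknown MBR code"
    return info


def rewrite_boot_code(sec: bytes, new_code: bytes) -> bytes:
    """Model of fixmbr: replace bytes 0..439 only; disk signature, partition table and 0x55AA survive."""
    parse_mbr(sec)  # refuse to touch anything that is not a well-formed MBR
    out = bytearray(sec)
    out[:BOOT_CODE_LEN] = new_code.ljust(BOOT_CODE_LEN, b"\0")
    return bytes(out)


def demo():
    """Before/after view of the repair on a constructed two-partition disk."""
    partitions = [(True, 0x07, 2048, 200000), (False, 0x0B, 202048, 50000)]
    suspect = build_sector(CONSTRUCTED_BAD_CODE, partitions)
    before = classify(suspect, KNOWN_GOOD)
    repaired = rewrite_boot_code(suspect, CONSTRUCTED_GOOD_CODE)
    after = classify(repaired, KNOWN_GOOD)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b["status"], b["code_sha1"])
    print("after: ", a["status"], a["code_sha1"])
    print("partition table unchanged:", b["partitions"] == a["partitions"])
```

The point the demo makes is the one the instructions rely on: the status flips from "Unknown MBR code" to a recognised hash while every partition entry and the disk signature are byte-for-byte the same, so the volumes keep mounting. A classifier like this is only as good as its allowlist; an empty one reports every disk as unknown, which is the right default for a tool that should make you look rather than make you relax.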

#15 goodweiser

goodweiser
  • Topic Starter

  • Members
  • 14 posts

Posted 09 August 2010 - 05:43 PM

Thanks Mole. As requested the log is attached.

Attached Files





