Google redirect, unwanted tabs, tr/atraps.gen, problems


  • This topic is locked
19 replies to this topic

#1 G_Boing

G_Boing

  • Members
  • 16 posts

Posted 19 December 2010 - 02:42 PM

Hello

I would appreciate some help. I was sent over to here from the Am I infected? What do I do? forum by quietman7. Topic referenced is here: http://www.bleepingcomputer.com/forums/topic367872.html ~ OB Around a week ago I started getting redirected from google searches I clicked on and had unwanted tab pop-ups. Avira spotted a tr/atraps.gen virus and removed it but this didn't seem to solve the problem as it and some others have been spotted many times since. I downloaded and ran malwarebytes, superantispyware and hitman pro and ad-aware but it was still happening. Then we tried TDSSKiller.exe and an ESET scan on the advice of quietman7 but the problem persists. I have a comodo firewall as well. Please note I accidentally deleted sptd.sys and dtscsi.sys drivers after the TDSSKiller scan but these are not really important to me right now.

I'm having a problem with the ark.txt as it's too big to attach and too long to post here. What should I do?

Edit - on first opening up the GMER this appeared, but I don't know if this is what you need. I still have the longer version saved too:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-19 19:48:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\viasraid1 Maxtor_6 rev.YAR5
Running: gmer.exe; Driver: C:\DOCUME~1\Louise\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xECFBD768]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xECFBD9BE]

---- Devices - GMER 1.0.15 ----

Device \Driver\viasraid -> DriverStartIo \Device\Scsi\viasraid1 850B839B

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Device\Scsi\viasraid1Port2Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Maxtor_6&Prod_Y120M0&Rev_YAR5#4&53af4df&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----


Thanks.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Louise at 17:57:02.75 on 19/12/2010
Internet Explorer: 7.0.5730.13

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/broadband
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\louise\applic~1\mozilla\firefox\profiles\44mqadp1.default\
FF - component: c:\documents and settings\louise\application data\mozilla\firefox\profiles\44mqadp1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\louise\application data\mozilla\firefox\profiles\44mqadp1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R? is3srv;is3srv
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? szkg5;szkg5
R? szkgfs;szkgfs
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgio;avgio
S? avgntflt;avgntflt
S? CLEDX;Team H2O CLEDX service
S? cmdAgent;COMODO Internet Security Helper Service
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? rt2870;Ralink 802.11n USB Wireless LAN Card Driver
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? viasraid;viasraid

=============== Created Last 30 ================

2010-12-18 19:58:51 -------- d-----w- c:\program files\Runtime Software
2010-12-17 18:16:31 -------- d-----w- c:\program files\ESET
2010-12-17 18:09:24 -------- d-----w- c:\docume~1\louise\applic~1\Wovaqi
2010-12-17 18:09:24 -------- d-----w- c:\docume~1\louise\applic~1\Emeq
2010-12-17 05:21:44 54016 ----a-w- c:\windows\system32\drivers\stvrbsl.sys
2010-12-16 00:04:58 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-12-15 23:52:07 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-15 23:52:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-15 23:50:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-15 19:39:02 -------- d-----w- c:\docume~1\louise\applic~1\Avira
2010-12-15 19:24:43 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-15 19:24:38 -------- d-----w- c:\program files\Avira
2010-12-15 19:24:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-12-14 16:41:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-12-14 15:40:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-14 08:42:58 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-14 08:40:36 -------- d-----w- c:\docume~1\louise\locals~1\applic~1\Sunbelt Software
2010-12-14 08:32:29 -------- d-----w- c:\docume~1\louise\locals~1\applic~1\Temp
2010-12-14 08:31:47 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-14 08:30:41 -------- d-----w- c:\program files\Lavasoft
2010-12-13 10:41:19 1033728 ----a-w- c:\windows\explorer.exe
2010-12-10 19:23:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-12-10 08:11:28 -------- d-----w- c:\docume~1\louise\applic~1\QuickScan
2010-12-10 05:58:58 -------- d-----w- c:\docume~1\louise\applic~1\SUPERAntiSpyware.com
2010-12-10 05:58:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-10 05:58:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-10 03:05:24 -------- d-----w- c:\docume~1\louise\applic~1\Malwarebytes
2010-12-10 03:05:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 03:05:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-10 03:04:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 03:04:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-09 21:56:41 0 ----a-w- C:\28.tmp
2010-12-09 18:21:06 -------- d-----w- c:\windows\system32\NtmsData
2010-12-09 17:28:03 -------- d-----w- c:\program files\windows
2010-12-09 16:19:55 -------- d-----w- c:\program files\tmp
2010-12-09 16:15:39 -------- d-----w- c:\program files\jATUiHLg
2010-12-09 13:59:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-12-09 13:25:10 -------- d-----w- c:\docume~1\louise\applic~1\ElevatedDiagnostics
2010-12-09 13:14:17 -------- d-----w- c:\program files\DIZJNCvJÓû¢—Ëtkevcsdp.exe

==================== Find3M ====================

2010-10-21 12:47:19 285480 ----a-w- c:\windows\system32\guard32.dll
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2004-10-01 14:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 18:00:06.57 ===============



Edited by Orange Blossom, 20 December 2010 - 01:47 AM.
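
The "Created Last 30" section of the DDS log above is what a helper reads first to build a time line of what appeared on the machine. As an added example (not from this thread, and not part of DDS or any tool the helpers use), here is a small Python triage script that parses lines in that format, restricts them to an infection window and flags entries worth a second look: random-looking names, a directory named like an executable, and kernel drivers created inside the window. The sample lines are copied from the log above; the window start of 2010-12-09, the random-name heuristic and the KNOWN_GOOD allowlist are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample: a handful of the "Created Last 30" lines from the DDS log
# above, mixing the user's own tool installs with the odd-looking entries.
SAMPLE_LINES = [
    r"2010-12-17 18:16:31 -------- d-----w- c:\program files\ESET",
    r"2010-12-17 18:09:24 -------- d-----w- c:\docume~1\louise\applic~1\Wovaqi",
    r"2010-12-17 18:09:24 -------- d-----w- c:\docume~1\louise\applic~1\Emeq",
    r"2010-12-17 05:21:44 54016 ----a-w- c:\windows\system32\drivers\stvrbsl.sys",
    r"2010-12-15 19:24:43 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys",
    r"2010-12-10 03:04:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2010-12-09 21:56:41 0 ----a-w- C:\28.tmp",
    r"2010-12-09 16:15:39 -------- d-----w- c:\program files\jATUiHLg",
    # the non-ASCII characters of this directory name are written as escapes
    "2010-12-09 13:14:17 -------- d-----w- c:\\program files\\DIZJNCvJ\u00d3\u00fb\u00a2\u2014\u00cbtkevcsdp.exe",
]

# date time size-or-dashes attributes path (the path may contain spaces)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
VOWELS = set("aeiouAEIOU")

# Analyst-maintained allowlist (assumption): drivers belonging to the tools
# the user said they installed, so they are not reported as new drivers.
KNOWN_GOOD = frozenset({"avgntflt.sys", "mbam.sys"})


@dataclass
class Entry:
    created: datetime
    size: Optional[int]  # None for directories (DDS prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_created(lines: List[str]) -> List[Entry]:
    """Parse DDS 'Created Last 30' lines; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, clock, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
            size=None if size.startswith("-") else int(size),
            attrs=attrs, path=path))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic (assumption, not a rule from the thread): a leaf name with
    non-ASCII characters, or with six or more letters and almost no vowels
    or constant case flipping, is typical of a generated name."""
    stem = name.rsplit(".", 1)[0]
    if any(ord(c) > 127 for c in stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    case_flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())
    return vowel_ratio < 0.2 or case_flips >= len(letters) // 2


def triage(entries: List[Entry], window_start: date,
           known_good=frozenset()) -> List[Tuple[Entry, List[str]]]:
    """Entries created on or after window_start that deserve a look, oldest
    first, each paired with the reasons it was flagged."""
    findings = []
    for e in sorted(entries, key=lambda e: e.created):
        if e.created.date() < window_start or e.name.lower() in known_good:
            continue
        low = e.path.lower()
        reasons = []
        if looks_random(e.name):
            reasons.append("random-looking name")
        if e.is_dir and low.endswith(".exe"):
            reasons.append("directory named like an executable")
        if low.endswith(".sys") and "\\drivers\\" in low:
            reasons.append("new kernel driver")
        if reasons:
            findings.append((e, reasons))
    return findings


def run_sample() -> List[Tuple[Entry, List[str]]]:
    """Triage the constructed sample. The window start of 2010-12-09 is an
    assumption: it is the first day on which odd entries appear in the listing."""
    return triage(parse_created(SAMPLE_LINES), date(2010, 12, 9), KNOWN_GOOD)
```

On the sample this flags the two directories created on 9 December and the consonant-only driver from 17 December, and nothing else. The pronounceable names Wovaqi and Emeq slip past the heuristic on purpose: generated names are not always unpronounceable, which is why the time window (what appeared when the symptoms started) carries more weight than any single name test, and why an allowlist is needed to keep legitimate security drivers such as avgntflt.sys out of the report.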



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 December 2010 - 09:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 G_Boing

G_Boing
  • Topic Starter

  • Members
  • 16 posts

Posted 30 December 2010 - 03:43 AM

Hello

I'm here, thanks for getting back. The problem I'm having now is that the computer won't boot. When I start up there is none of the usual white writing, just a black screen. The fan starts up but nothing happens, the computer is otherwise silent. The 'beep' that usually happens is gone too.

I'm not sure what I can do now.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 December 2010 - 08:56 AM

Non-booting machines are quite common with the TDSS rootkit now.

We have ways of booting the system by bypassing the usual operating system and installing our own.

Please try the following method

Download http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/rst.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#5 G_Boing

G_Boing
  • Topic Starter

  • Members
  • 16 posts

Posted 01 January 2011 - 05:56 AM

Hi

I'm having problems getting the bootable OS onto the USB and following the above instructions exactly as written. The quick format bit is fine but when I click into the roxio disc copier I selected disc image in the source and

C:\Documents and Settings\All Users\Shared Desktop\xpud-0.9.2.iso

then on the right side in destination I selected disc image and clicked 'save as'

In the left field I clicked USB2 (D:)

In the right field it says 'no matching files found in this folder' and below this it says File name xpud-0.9.2.iso
And below that File type ISO Disc Images (*.iso)

When I click OK here nothing happens.

There's probably something simple I'm doing wrong, sorry about this.

And happy new year.

Edited by G_Boing, 01 January 2011 - 06:18 AM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 January 2011 - 11:42 AM

Let's try to do this with a CD instead.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download http://noahdfear.net/downloads/rst.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#7 G_Boing

G_Boing
  • Topic Starter

  • Members
  • 16 posts

Posted 02 January 2011 - 06:36 AM

I've followed the steps up to Expand mnt in xPUD, but there is only sda1 and not sdb1 in there. When I expand sda1 a lot of things appear but there is no sign of the rst.sh. I tried the next step bash rst.sh anyway but it says 'no such file or directory'. I've checked the usb again on the clean computer and the rst.sh is on it. Does this mean it's not being detected somehow when in the infected computer?

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 January 2011 - 02:48 PM

Please boot using xPUD and then plug the USB drive in. Does it recognise it now?
m0le is a proud member of UNITE

#9 G_Boing

G_Boing
  • Topic Starter

  • Members
  • 16 posts

Posted 02 January 2011 - 03:26 PM

Yep that worked. Here's the log:

27.5M Jan 2 10:55 /mnt/sda1/WINDOWS/system32/config/software
10.5M Jan 2 10:55 /mnt/sda1/WINDOWS/system32/config/system

19.3M Sep 9 2007 /sda1/found.000/dir0000.chk/~SOFTWARE
26.4M Dec 1 10:39 /sda1/~/RP897/~SOFTWARE
26.4M Dec 2 14:43 /sda1/~/RP898/~SOFTWARE
26.4M Dec 5 21:02 /sda1/~/RP899/~SOFTWARE
26.4M Dec 6 09:08 /sda1/~/RP900/~SOFTWARE
26.4M Dec 7 10:25 /sda1/~/RP901/~SOFTWARE
26.4M Dec 8 13:48 /sda1/~/RP902/~SOFTWARE
26.4M Dec 9 13:22 /sda1/~/RP903/~SOFTWARE
27.4M Dec 10 19:23 /sda1/~/RP904/~SOFTWARE
27.5M Dec 13 11:58 /sda1/~/RP905/~SOFTWARE
27.4M Dec 14 00:56 /sda1/~/RP906/~SOFTWARE
27.4M Dec 14 16:41 /sda1/~/RP907/~SOFTWARE
27.4M Dec 15 18:52 /sda1/~/RP908/~SOFTWARE
27.4M Dec 16 20:19 /sda1/~/RP909/~SOFTWARE
27.4M Dec 17 21:48 /sda1/~/RP910/~SOFTWARE
27.4M Dec 18 22:40 /sda1/~/RP911/~SOFTWARE
3.9M Sep 9 2007 /sda1/found.000/dir0000.chk/~SYSTEM
6.0M Dec 1 10:39 /sda1/~/RP897/~SYSTEM
6.0M Dec 2 14:43 /sda1/~/RP898/~SYSTEM
6.0M Dec 5 21:02 /sda1/~/RP899/~SYSTEM
6.0M Dec 6 09:08 /sda1/~/RP900/~SYSTEM
6.0M Dec 7 10:25 /sda1/~/RP901/~SYSTEM
6.0M Dec 8 13:48 /sda1/~/RP902/~SYSTEM
6.0M Dec 9 13:22 /sda1/~/RP903/~SYSTEM
6.0M Dec 10 19:23 /sda1/~/RP904/~SYSTEM
7.8M Dec 13 11:58 /sda1/~/RP905/~SYSTEM
7.8M Dec 14 00:57 /sda1/~/RP906/~SYSTEM
7.8M Dec 14 16:41 /sda1/~/RP907/~SYSTEM
10.1M Dec 15 18:52 /sda1/~/RP908/~SYSTEM
10.1M Dec 16 20:19 /sda1/~/RP909/~SYSTEM
10.4M Dec 17 21:48 /sda1/~/RP910/~SYSTEM
10.4M Dec 18 22:40 /sda1/~/RP911/~SYSTEM

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 January 2011 - 07:54 PM

Let's see if there is an available registry backup we can use to help get your computer booting properly
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r
  • Type 903
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review
m0le is a proud member of UNITE
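
The enum.log in post #9 lists the SOFTWARE and SYSTEM hives saved in each System Restore point (RPnnn) with their size and date, and post #10 picks RP903 to restore from. As an added example (not from this thread, and not the rst.sh script the helper uses), here is a Python parser for that listing: it keeps only hives inside a restore point, reports where a hive grew noticeably between consecutive points, and picks the most recent point dated before a cut-off. The sample is a subset of the enum.log lines above; the cut-off of 10 December 2010 (the day the first cleanup tools were installed according to the DDS log) and the year 2010 for dates that have no year are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the enum.log lines posted above (RP907 and
# the points before RP901 are left out to keep it short).
SAMPLE_ENUM = """\
27.5M Jan 2 10:55 /mnt/sda1/WINDOWS/system32/config/software
10.5M Jan 2 10:55 /mnt/sda1/WINDOWS/system32/config/system
19.3M Sep 9 2007 /sda1/found.000/dir0000.chk/~SOFTWARE
26.4M Dec 7 10:25 /sda1/~/RP901/~SOFTWARE
26.4M Dec 8 13:48 /sda1/~/RP902/~SOFTWARE
26.4M Dec 9 13:22 /sda1/~/RP903/~SOFTWARE
27.4M Dec 10 19:23 /sda1/~/RP904/~SOFTWARE
27.5M Dec 13 11:58 /sda1/~/RP905/~SOFTWARE
27.4M Dec 14 00:56 /sda1/~/RP906/~SOFTWARE
27.4M Dec 15 18:52 /sda1/~/RP908/~SOFTWARE
6.0M Dec 7 10:25 /sda1/~/RP901/~SYSTEM
6.0M Dec 8 13:48 /sda1/~/RP902/~SYSTEM
6.0M Dec 9 13:22 /sda1/~/RP903/~SYSTEM
6.0M Dec 10 19:23 /sda1/~/RP904/~SYSTEM
7.8M Dec 13 11:58 /sda1/~/RP905/~SYSTEM
7.8M Dec 14 00:57 /sda1/~/RP906/~SYSTEM
10.1M Dec 15 18:52 /sda1/~/RP908/~SYSTEM
"""

# size+unit, month, day, then either HH:MM (recent) or a year (old), then path
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)([KMG]) (\w{3}) (\d{1,2}) (\d{2}:\d{2}|\d{4}) (\S+)$")
RP_RE = re.compile(r"/RP(\d+)/~(\w+)$")
UNITS_TO_MB = {"K": 1 / 1024, "M": 1.0, "G": 1024.0}


@dataclass
class HiveSnapshot:
    rp: int
    hive: str
    size_mb: float
    when: datetime


def parse_enum(text: str, default_year: int = 2010) -> List[HiveSnapshot]:
    """Parse enum.log, keeping only hives stored inside a restore point.
    Entries with a clock time but no year are given default_year (assumption)."""
    snaps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size, unit, mon, day, clock_or_year, path = m.groups()
        rp = RP_RE.search(path)
        if not rp:
            continue  # live hive or chkdsk fragment, not a restore point
        if ":" in clock_or_year:
            when = datetime.strptime(f"{mon} {day} {default_year} {clock_or_year}", "%b %d %Y %H:%M")
        else:
            when = datetime.strptime(f"{mon} {day} {clock_or_year}", "%b %d %Y")
        snaps.append(HiveSnapshot(int(rp.group(1)), rp.group(2), float(size) * UNITS_TO_MB[unit], when))
    return snaps


def size_jumps(snaps: List[HiveSnapshot], threshold_mb: float = 0.5) -> List[Tuple[str, int, int, float]]:
    """(hive, from_rp, to_rp, growth_mb) for every hive that grew by at least
    threshold_mb between two consecutive restore points."""
    by_hive: Dict[str, List[HiveSnapshot]] = {}
    for s in snaps:
        by_hive.setdefault(s.hive, []).append(s)
    jumps = []
    for hive, items in sorted(by_hive.items()):
        items.sort(key=lambda s: s.rp)
        for prev, cur in zip(items, items[1:]):
            delta = round(cur.size_mb - prev.size_mb, 1)
            if delta >= threshold_mb:
                jumps.append((hive, prev.rp, cur.rp, delta))
    return jumps


def pick_restore_point(snaps: List[HiveSnapshot], cutoff: datetime,
                       required=("SOFTWARE", "SYSTEM")) -> Optional[int]:
    """Most recent restore point whose required hives are all dated before cutoff."""
    present: Dict[int, Dict[str, datetime]] = {}
    for s in snaps:
        present.setdefault(s.rp, {})[s.hive] = s.when
    candidates = [rp for rp, hives in present.items()
                  if all(h in hives for h in required) and max(hives.values()) < cutoff]
    return max(candidates) if candidates else None


def demo() -> Dict[str, object]:
    """Run the parser over the sample with the assumed cut-off of 10 Dec 2010."""
    snaps = parse_enum(SAMPLE_ENUM)
    return {
        "snapshots": len(snaps),
        "jumps": size_jumps(snaps),
        "restore_point": pick_restore_point(snaps, datetime(2010, 12, 10)),
        "too_early": pick_restore_point(snaps, datetime(2010, 12, 7)),
    }
```

With that cut-off the picker lands on RP903, the point used in the thread, and returns None when no point predates the cut-off rather than silently taking the oldest one. The growth report shows the SYSTEM hive jumping at RP905 and RP908; those dates coincide with the security tools being installed in the DDS log, so hive growth by itself does not locate the infection and is only a prompt to check what was registered between two points.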

#11 G_Boing

G_Boing
  • Topic Starter

  • Members
  • 16 posts

Posted 03 January 2011 - 05:21 AM

It's run through to the desktop on a normal Windows boot fine, although a RUNDLL box came up with:

Error loading C:\WINDOWS\$NtUninstallMTF197$\qtnpv.dll

The specified module could not be found

Here's the restore.log:

SOFTWARE hive restored from RP903
SYSTEM hive restored from RP903
SECURITY hive restored from RP903
SAM hive restored from RP903

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 January 2011 - 07:37 PM

Can you boot now?
m0le is a proud member of UNITE

#13 G_Boing

G_Boing
  • Topic Starter

  • Members
  • 16 posts

Posted 03 January 2011 - 07:41 PM

Yes it's booting fine thanks.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 January 2011 - 07:54 PM

Okay, let's see what's been going on. Boot normally from now on.

Please run both TDSSKiller and MBRCheck

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#15 G_Boing

G_Boing
  • Topic Starter

  • Members
  • 16 posts

Posted 03 January 2011 - 08:33 PM

Hi

I already had TDSSKiller from a previous scan on the desktop but on entering the text above in Start-run it says Error valid command line parameters and gives a list. I ran TDSSKiller anyway from the desktop, it didn't find anything:

2011/01/04 01:26:22.0077 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/04 01:26:22.0077 ================================================================================
2011/01/04 01:26:22.0077 SystemInfo:
2011/01/04 01:26:22.0077
2011/01/04 01:26:22.0077 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/04 01:26:22.0077 Product type: Workstation
2011/01/04 01:26:22.0077 ComputerName: FRED
2011/01/04 01:26:22.0077 UserName: Louise
2011/01/04 01:26:22.0077 Windows directory: C:\WINDOWS
2011/01/04 01:26:22.0077 System windows directory: C:\WINDOWS
2011/01/04 01:26:22.0077 Processor architecture: Intel x86
2011/01/04 01:26:22.0077 Number of processors: 1
2011/01/04 01:26:22.0077 Page size: 0x1000
2011/01/04 01:26:22.0077 Boot type: Normal boot
2011/01/04 01:26:22.0077 ================================================================================
2011/01/04 01:26:22.0233 Initialize success
2011/01/04 01:26:38.0249 ================================================================================
2011/01/04 01:26:38.0249 Scan started
2011/01/04 01:26:38.0249 Mode: Manual;
2011/01/04 01:26:38.0249 ================================================================================
2011/01/04 01:26:38.0640 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/04 01:26:38.0718 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/04 01:26:38.0812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/04 01:26:38.0890 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/01/04 01:26:38.0952 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2011/01/04 01:26:39.0062 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/04 01:26:39.0577 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/04 01:26:39.0640 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/04 01:26:39.0765 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/04 01:26:39.0827 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/04 01:26:39.0921 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/04 01:26:40.0062 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/04 01:26:40.0187 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/04 01:26:40.0233 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/04 01:26:40.0280 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2011/01/04 01:26:40.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/04 01:26:40.0437 CLEDX (b53f9635457b56dcffef750e18aec6cb) C:\WINDOWS\system32\DRIVERS\cledx.sys
2011/01/04 01:26:40.0515 cmdGuard (bbe9f023dfd2c4d2755da3fa47e4da08) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
2011/01/04 01:26:40.0562 cmdHlp (111e6755acb5f236e2465e24508f6367) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2011/01/04 01:26:40.0702 cmuda (e5adeef2c0db43964223f408f1fcc97e) C:\WINDOWS\system32\drivers\cmuda.sys
2011/01/04 01:26:40.0968 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/04 01:26:41.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/04 01:26:41.0124 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/04 01:26:41.0187 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/04 01:26:41.0249 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/04 01:26:41.0327 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/04 01:26:41.0437 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/04 01:26:41.0499 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/04 01:26:41.0562 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2011/01/04 01:26:41.0624 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/04 01:26:41.0671 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/04 01:26:41.0718 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/04 01:26:41.0796 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/04 01:26:41.0858 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/04 01:26:41.0890 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
2011/01/04 01:26:41.0921 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/01/04 01:26:41.0983 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/04 01:26:42.0030 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/04 01:26:42.0093 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/04 01:26:42.0218 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/04 01:26:42.0312 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/04 01:26:42.0358 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/04 01:26:42.0421 InCDfs (b87fc7c71632240dac8f4d20e9ce8377) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/01/04 01:26:42.0468 InCDPass (2e878405128ec98886eb9c2216ac7bd6) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2011/01/04 01:26:42.0499 InCDrec (ddf078917a42f105385d7eb6debb3433) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/01/04 01:26:42.0546 incdrm (7f352360e947ad2cd4ba60de27b1a299) C:\WINDOWS\system32\drivers\incdrm.sys
2011/01/04 01:26:42.0655 Inspect (343ac4733c1e8b7ab6454178e4fcd4ad) C:\WINDOWS\system32\DRIVERS\inspect.sys
2011/01/04 01:26:42.0733 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/04 01:26:42.0780 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/04 01:26:42.0827 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/04 01:26:42.0874 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/04 01:26:42.0937 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/04 01:26:42.0999 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/04 01:26:43.0030 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/04 01:26:43.0140 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/04 01:26:43.0187 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/04 01:26:43.0233 KBFiltr (5b4cb9c3f442842a7b4529532f4ed578) C:\WINDOWS\system32\Drivers\KBFiltr.sys
2011/01/04 01:26:43.0280 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/04 01:26:43.0343 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/04 01:26:43.0483 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/04 01:26:43.0530 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/04 01:26:43.0562 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/04 01:26:43.0608 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/04 01:26:43.0671 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/04 01:26:43.0765 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/04 01:26:43.0843 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/04 01:26:43.0937 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/04 01:26:43.0983 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/04 01:26:44.0062 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/04 01:26:44.0093 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/04 01:26:44.0140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/04 01:26:44.0187 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/04 01:26:44.0233 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/04 01:26:44.0265 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/04 01:26:44.0312 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/04 01:26:44.0343 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/04 01:26:44.0390 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/04 01:26:44.0405 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/04 01:26:44.0468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/04 01:26:44.0593 Nokia USB Generic (5abb6b2461c4eb0afdf1bf7f03963d59) C:\WINDOWS\system32\drivers\nmwcdc.sys
2011/01/04 01:26:44.0640 Nokia USB Modem (353c16d21eec1f11306270040b3713c1) C:\WINDOWS\system32\drivers\nmwcdcm.sys
2011/01/04 01:26:44.0702 Nokia USB Phone Parent (f5b1200c75b160c81e7e48cc0489aa5e) C:\WINDOWS\system32\drivers\nmwcd.sys
2011/01/04 01:26:44.0765 Nokia USB Port (353c16d21eec1f11306270040b3713c1) C:\WINDOWS\system32\drivers\nmwcdcj.sys
2011/01/04 01:26:44.0780 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/04 01:26:44.0843 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/04 01:26:44.0968 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/04 01:26:45.0030 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/04 01:26:45.0077 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/04 01:26:45.0124 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/04 01:26:45.0171 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/04 01:26:45.0202 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/04 01:26:45.0249 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/04 01:26:45.0405 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/04 01:26:45.0796 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/04 01:26:45.0843 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/04 01:26:45.0905 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/04 01:26:45.0952 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/04 01:26:46.0233 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/04 01:26:46.0265 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/04 01:26:46.0312 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/04 01:26:46.0358 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/04 01:26:46.0405 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/04 01:26:46.0437 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/04 01:26:46.0515 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/04 01:26:46.0577 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/04 01:26:46.0702 rt2870 (65a31e0eeaacc22871fe97c5ac23156c) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2011/01/04 01:26:46.0827 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/04 01:26:46.0890 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/04 01:26:46.0921 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/04 01:26:47.0015 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/04 01:26:47.0155 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/04 01:26:47.0249 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/04 01:26:47.0327 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/04 01:26:47.0390 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/04 01:26:47.0437 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/04 01:26:47.0640 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/04 01:26:47.0733 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/04 01:26:47.0796 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/04 01:26:47.0827 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/04 01:26:47.0874 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/04 01:26:48.0015 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/04 01:26:48.0108 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/04 01:26:48.0187 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/04 01:26:48.0249 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/04 01:26:48.0296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/04 01:26:48.0343 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/04 01:26:48.0421 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/04 01:26:48.0483 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/04 01:26:48.0530 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/04 01:26:48.0577 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/04 01:26:48.0655 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/04 01:26:48.0718 viagfx (8415d39e3f95e27f5247072c78812c24) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2011/01/04 01:26:48.0765 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/04 01:26:48.0812 viasraid (ebe101c01d80a42868f57b327be1b564) C:\WINDOWS\system32\drivers\viasraid.sys
2011/01/04 01:26:48.0890 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/04 01:26:48.0999 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/04 01:26:49.0093 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/04 01:26:49.0358 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/01/04 01:26:49.0452 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/04 01:26:49.0515 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/04 01:26:49.0655 ================================================================================
2011/01/04 01:26:49.0655 Scan finished
2011/01/04 01:26:49.0655 ================================================================================

Here is the MBRCheck:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000015

Kernel Drivers (total 121):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7AB3000 \WINDOWS\system32\KDCOM.DLL
0xF79C3000 \WINDOWS\system32\BOOTVID.dll
0xF7484000 ACPI.sys
0xF7AB5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7473000 pci.sys
0xF75B3000 isapnp.sys
0xF7AB7000 viaide.sys
0xF7833000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75C3000 MountMgr.sys
0xF7454000 ftdisk.sys
0xF783B000 PartMgr.sys
0xF75D3000 VolSnap.sys
0xF743C000 atapi.sys
0xF7429000 viasraid.sys
0xF7411000 \WINDOWS\system32\drivers\SCSIPORT.SYS
0xF75E3000 disk.sys
0xF75F3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73F1000 fltmgr.sys
0xF73DF000 sr.sys
0xF73C8000 KSecDD.sys
0xF73B5000 WudfPf.sys
0xF7328000 Ntfs.sys
0xF7313000 inspect.sys
0xF72E6000 \WINDOWS\System32\DRIVERS\NDIS.SYS
0xF7843000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xF72CC000 Mup.sys
0xF7603000 gagp30kx.sys
0xF668E000 \SystemRoot\system32\DRIVERS\vtmini.sys
0xF667A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF76A3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF78FB000 \SystemRoot\system32\drivers\Afc.sys
0xF76B3000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS
0xF76C3000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76D3000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6657000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7903000 \SystemRoot\System32\Drivers\incdrm.SYS
0xF790B000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xF76E3000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7913000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6633000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF791B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7923000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF661F000 \SystemRoot\system32\DRIVERS\parport.sys
0xF66DD000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF76F3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF66D9000 \SystemRoot\System32\Drivers\KBFiltr.sys
0xF792B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7933000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7703000 \SystemRoot\system32\DRIVERS\serial.sys
0xF66D5000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF64D9000 \SystemRoot\system32\drivers\cmuda.sys
0xF64B5000 \SystemRoot\system32\drivers\portcls.sys
0xF7713000 \SystemRoot\system32\drivers\drmk.sys
0xF793B000 \SystemRoot\system32\DRIVERS\fetnd5.sys
0xF7723000 \SystemRoot\system32\DRIVERS\processr.sys
0xF7CE5000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7743000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF66D1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF649E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7763000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7773000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF63ED000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7783000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7943000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF794B000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7793000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AF9000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF638F000 \SystemRoot\system32\DRIVERS\update.sys
0xF66C5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77B3000 \SystemRoot\system32\DRIVERS\cledx.sys
0xF77E3000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7803000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B01000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF789B000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF2F15000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0xF7B5D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BBB000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B5F000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7983000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF796B000 \SystemRoot\System32\drivers\vga.sys
0xF7B61000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B63000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF4813000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xB97C7000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xF7863000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF798B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF480F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB97B4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB975B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7973000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0xB9733000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB9711000 \SystemRoot\System32\drivers\afd.sys
0xEDF8E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB96E6000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB9676000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEDF7E000 \SystemRoot\System32\Drivers\Fips.SYS
0xB95CC000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEDF6E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB4777000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB58FC000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0xB3BBB000 \SystemRoot\System32\Drivers\dump_viasraid.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB43D6000 \SystemRoot\System32\drivers\Dxapi.sys
0xB4959000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C45000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\vtdisp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF78B3000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF7298000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAB316000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB7106000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAB1CF000 \SystemRoot\system32\DRIVERS\srv.sys
0xAB11A000 \SystemRoot\system32\drivers\wdmaud.sys
0xF1F45000 \SystemRoot\system32\drivers\sysaudio.sys
0xAAE2B000 \SystemRoot\System32\Drivers\HTTP.sys
0xAAABC000 \SystemRoot\system32\DRIVERS\rt2870.sys
0xAA752000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 32):
0 System Idle Process
4 System
592 C:\WINDOWS\system32\smss.exe
644 csrss.exe
668 C:\WINDOWS\system32\winlogon.exe
712 C:\WINDOWS\system32\services.exe
724 C:\WINDOWS\system32\lsass.exe
876 C:\WINDOWS\system32\svchost.exe
952 svchost.exe
992 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1020 C:\WINDOWS\system32\svchost.exe
1096 C:\Program Files\Ahead\InCD\InCDsrv.exe
1240 C:\WINDOWS\system32\svchost.exe
1316 svchost.exe
1364 svchost.exe
1428 C:\WINDOWS\system32\spoolsv.exe
1508 svchost.exe
1540 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
1552 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1564 C:\WINDOWS\system32\bgsvcgen.exe
1588 C:\Program Files\Bonjour\mDNSResponder.exe
1640 C:\Program Files\Java\jre6\bin\jqs.exe
1820 C:\WINDOWS\system32\svchost.exe
144 alg.exe
512 C:\WINDOWS\explorer.exe
560 C:\WINDOWS\system32\wscntfy.exe
2084 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
2216 C:\WINDOWS\system32\ctfmon.exe
2360 C:\Program Files\Belkin\F6D4050\v1\Belkinwcui.exe
1344 C:\WINDOWS\system32\wuauclt.exe
220 C:\Program Files\Mozilla Firefox\firefox.exe
2172 C:\Documents and Settings\Louise\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor 6Y120M0, Rev: YAR5

Size Device Name MBR Status
--------------------------------------------
114 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
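Added example, not from the post above and not code from TDSSKiller or MBRCheck: a short Python script that parses records of the kind the two logs above contain (TDSSKiller's "timestamp ServiceName (md5) path" lines and MBRCheck's "address path" kernel-driver lines) and cross-checks them three ways: driver images outside the usual system32 folders, one MD5 registered under several service names, and loaded kernel modules that have no driver-service record. The regexes, the list of expected folders and the sample logs are this script's own assumptions; the last TDSSKiller record in the sample is a fabricated test entry so the location check has something to flag. Two caveats when running it on a real pair of logs: the TDSSKiller excerpt in the post is partial (it starts at Ftdisk), so the unregistered-module list would over-report everything from A to F, and that list is a triage aid rather than a verdict, because MBRCheck lists every loaded module while TDSSKiller enumerates driver services only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example: cross-check a TDSSKiller driver enumeration against the
# "Kernel Drivers" section of an MBRCheck report.  Not code from the forum
# post, TDSSKiller or MBRCheck; the regexes, EXPECTED_DIRS and the sample
# logs below are this script's own assumptions.

# TDSSKiller per-driver record: "<date> <time> <ServiceName> (<md5>) <image path>"
TDSS_LINE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ "
    r"(?P<service>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>\S.*)$"
)
# MBRCheck kernel-module record: "<load address> <module path>"
MBR_LINE = re.compile(r"^0x[0-9A-Fa-f]{8} (?P<path>\S.*)$")

# Folders where inbox and third-party drivers normally live on XP (assumption;
# drive letter stripped, lower-cased).  ntkrnlpa.exe and hal.dll sit in system32 itself.
EXPECTED_DIRS = ("\\windows\\system32\\drivers\\", "\\windows\\system32\\")


@dataclass(frozen=True)
class Driver:
    service: str
    md5: str
    path: str


def parse_tdsskiller(text: str) -> List[Driver]:
    """One Driver per record; banners and 'Scan finished' lines are skipped."""
    drivers = []
    for line in text.splitlines():
        m = TDSS_LINE.match(line.strip())
        if m:
            drivers.append(Driver(m["service"], m["md5"], m["path"]))
    return drivers


def parse_mbrcheck_modules(text: str) -> List[str]:
    """Module paths from MBRCheck's 'Kernel Drivers' lines (process lines do not match)."""
    matches = (MBR_LINE.match(line.strip()) for line in text.splitlines())
    return [m["path"] for m in matches if m]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def outside_expected_dirs(path: str) -> bool:
    """True when the image is not in EXPECTED_DIRS (a bare filename also counts)."""
    p = path.lower()
    if len(p) > 1 and p[1] == ":":      # drop "c:" so paths compare as "\windows\..."
        p = p[2:]
    folder = p.rsplit("\\", 1)[0] + "\\"
    return folder not in EXPECTED_DIRS


def unusual_locations(drivers: List[Driver]) -> List[Driver]:
    return [d for d in drivers if outside_expected_dirs(d.path)]


def shared_images(drivers: List[Driver]) -> Dict[str, List[str]]:
    """MD5 -> service names, for hashes registered under more than one service.
    Usually benign (one binary installed under two names, as the Nokia entries
    show); worth a second look when the service names are unrelated."""
    by_md5: Dict[str, List[str]] = {}
    for d in drivers:
        by_md5.setdefault(d.md5, []).append(d.service)
    return {h: names for h, names in by_md5.items() if len(names) > 1}


def loaded_but_unregistered(drivers: List[Driver], modules: List[str]) -> List[str]:
    """Loaded kernel modules with no TDSSKiller service record.  Triage only:
    port/class drivers pulled in by other drivers (PCIIDEX.SYS, SCSIPORT.SYS),
    win32k.sys and dump_*.sys legitimately have no service of their own."""
    registered = {basename(d.path) for d in drivers}
    return sorted({basename(m) for m in modules} - registered)


# Constructed sample logs (format copied from the tools; the ExampleSvc record is fabricated).
SAMPLE_TDSS = r"""2011/01/04 01:26:41.0858 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/04 01:26:42.0218 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/04 01:26:44.0640 Nokia USB Modem (353c16d21eec1f11306270040b3713c1) C:\WINDOWS\system32\drivers\nmwcdcm.sys
2011/01/04 01:26:44.0765 Nokia USB Port (353c16d21eec1f11306270040b3713c1) C:\WINDOWS\system32\drivers\nmwcdcj.sys
2011/01/04 01:26:44.0843 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/04 01:26:49.0600 ExampleSvc (00000000000000000000000000000000) C:\WINDOWS\Temp\example.sys
2011/01/04 01:26:49.0655 ================================================================================
2011/01/04 01:26:49.0655 Scan finished
"""
SAMPLE_MBR = r"""Kernel Drivers (total 6):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xF7454000 ftdisk.sys
0xF7328000 Ntfs.sys
0xF7833000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xAAE2B000 \SystemRoot\System32\Drivers\HTTP.sys
0xF2F15000 \SystemRoot\System32\DRIVERS\cmdguard.sys

Processes (total 1):
4 System
"""

if __name__ == "__main__":
    drivers = parse_tdsskiller(SAMPLE_TDSS)
    modules = parse_mbrcheck_modules(SAMPLE_MBR)
    print("unusual locations:", [(d.service, d.path) for d in unusual_locations(drivers)])
    print("shared images:", shared_images(drivers))
    print("loaded but unregistered:", loaded_but_unregistered(drivers, modules))
```

Run against full logs, read the unregistered-module list alongside the TDSSKiller output above the excerpt; anything that is neither a known port/class driver nor a registered service is what you would take to a helper or submit for a second-opinion hash lookup.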



