Getting Boot.Mebroot warning from Norton


This topic is locked
28 replies to this topic

#1 DRaich (Members, 14 posts)

Posted 08 January 2011 - 03:13 AM

About two years ago, I got hit by a drive-by download that brought down my computer. I reinstalled Windows and seemed almost to have resolved the problem except for one thing: Norton Internet Security continued to warn me every day that I had a Boot.Mebroot infection (a rootkit), and that it had removed it.

The removal instructions on the Symantec Web site did not help. Their tool was useless, and running fixmbr from the installation CD recovery console did not help either. However, I discovered mbr.exe, and it always would say that it found malicious code @ sector 0x1d1a4f79 size 0x1b6, and a copy of the MBR in sector 62. Unable to do more, I ignored the problem and waited, hoping Norton would eventually improve its abilities.

Today, NIS got more forceful in its warnings. Now it admits it found a Boot.Mebroot problem that it cannot fix, and it will not stop warning me about it. I think this is because of an automatic NIS update via LiveUpdate -- which has made NIS more realistic in its assessment, but no more capable of removal.

I found a new tool on the Symantec Web site called NPE.exe and tried it. When I checked the box for rootkit checking, it rebooted, but the reboot failed with a blue screen of death, saying there was a "fltmgr.sys error". This happened each boot try unless I rebooted with the last known settings that worked. But then, it appeared that NPE ran its scan without checking for a rootkit, and it found nothing. The Boot.Mebroot warnings continue.

A reference on the Symantec forum brought me here. I have now run DDS, but GMER fails with a blue screen of death (no problem rebooting, though), so I am not able to attach a GMER report.

DDS.txt report is below, but I do not see a way to attach "Attach.zip" here. Perhaps that must be done in a different forum? Not sure what else I can do at this point. Please advise. Thank you.


DDS (Ver_10-12-12.02) - NTFSx86
Run by David at 23:28:54.29 on Fri 01/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1122 [GMT -8:00]

AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Integrity Desktop Firewall *Disabled*
FW: Norton Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Utils\zips\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080625
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
uRun: [PowerBar]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent-disable.exe
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart-disable.exe" "/Trigger RunAtLogon"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [CirqueGesture] c:\program files\touchpad\Gesture.exe
mRun: [Glide] glidew32.exe
mRun: [fontnav] "c:\program files\corel\wordperfect office 2000\font navigator\FontNav.exe" *1
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NPSStartup]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aol.com
Trusted Zone: kaiserpermanentejobs.org
Trusted Zone: right-from-home.com\www
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234547248265
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244700462656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\4insjqbo.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\david\application data\mozilla\firefox\profiles\4insjqbo.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coFFPlgn
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2011-1-6 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2011-1-6 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2011-1-6 136312]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-29 238952]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2011-1-6 130000]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-10-31 90112]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2005-3-27 14416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-29 36608]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [2009-2-12 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [2009-2-12 14063]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110107.002\IDSXpx86.sys [2011-1-7 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110107.021\NAVENG.SYS [2011-1-7 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110107.021\NAVEX15.SYS [2011-1-7 1360760]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-11-2 27632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2008-6-23 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-6-23 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-6-23 166384]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-11-2 13224]
S3 i1;eye-one;c:\windows\system32\drivers\i1.sys [2005-3-27 26045]
S3 mbr;mbr;\??\c:\docume~1\david\locals~1\temp\mbr.sys --> c:\docume~1\david\locals~1\temp\mbr.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2008-6-23 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-6-23 1120752]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-10-31 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-10-31 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-10-31 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-10-31 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-10-31 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-10-31 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-10-31 109864]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2010-10-29 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2010-10-29 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2010-10-29 123648]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2010-7-25 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2010-7-25 85696]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-01-08 05:24:04 76920 ----a-w- c:\windows\system32\drivers\SMR161.SYS
2011-01-08 05:24:04 40 ----a-w- c:\windows\system32\drivers\SMR161.dat
2011-01-08 05:24:00 -------- d-----w- c:\docume~1\david\locals~1\applic~1\NPE
2011-01-06 23:13:34 652336 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symefa.sys
2011-01-06 23:13:34 368248 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdi.sys
2011-01-06 23:13:34 330360 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys
2011-01-06 23:13:34 295032 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symnets.sys
2011-01-06 23:13:33 509560 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtsp.sys
2011-01-06 23:13:33 50168 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtspx.sys
2011-01-06 23:13:33 340016 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symds.sys
2011-01-06 23:13:33 136312 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys
2011-01-06 23:13:20 -------- d-----w- c:\windows\system32\drivers\nis\1205000.07D
2011-01-02 00:41:29 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-01-02 00:41:29 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-01-02 00:41:09 -------- d-----w- c:\program files\iPod
2011-01-02 00:41:06 -------- d-----w- c:\program files\iTunes
2011-01-02 00:41:06 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-01-02 00:39:12 -------- d-----w- c:\program files\Bonjour
2010-12-17 02:19:53 -------- d-----w- c:\docume~1\david\applic~1\SMath
2010-12-17 02:17:42 -------- d-----w- c:\program files\SMath

==================== Find3M ====================

2011-01-06 22:21:44 101 ----a-w- c:\windows\wpd99.drv
2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ------w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-11-03 02:29:21 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-11-01 04:53:37 148736 ----a-w- c:\docume~1\alluse~1.win\applic~1\hpe27E8.dll
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ------w- c:\windows\system32\win32k.sys
2010-10-24 05:50:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2004-03-11 21:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 23:29:15.21 ===============

Edited by Blade Zephon, 08 January 2011 - 03:51 AM.
Moved to log forum. ~BZ



#2 Noviciate (Malware Response Team, 5,277 posts)

Posted 08 January 2011 - 04:19 PM

Good evening. :)

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

Will you also include the make and model of the PC?

So long, and thanks for all the fish.

 

 


#3 DRaich (Topic Starter, Members, 14 posts)

Posted 09 January 2011 - 11:30 PM

Thank you. The computer is a Dell Precision T3400.

The contents of the two files that were generated are pasted below. I look forward to your reply, but because of travel I will be unable to perform additional procedures until Friday, the end of this week.

-----
MBRCheck_01.09.11_20.17.16.txt:
-----
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000c03fd

Kernel Drivers (total 148):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA328000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E5C000 iaStor.sys
0xBA330000 cercsr6.sys
0xB9E44000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DED000 SYMDS.SYS
0xBA118000 PxHelp20.sys
0xB9DD6000 KSecDD.sys
0xB9DC3000 WudfPf.sys
0xB9D36000 Ntfs.sys
0xB9D09000 NDIS.sys
0xBA128000 sbp2port.sys
0xB9CEF000 Mup.sys
0xB9CCF000 fltmgr.sys
0xBA148000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB914C000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7164000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB7150000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA498000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB712C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA4A0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7104000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB70D9000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB913C000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA4A8000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB912C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA340000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA594000 \SystemRoot\system32\DRIVERS\gpmoups2.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\glidesvc.sys
0xBA350000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB70C5000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA598000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA59C000 \SystemRoot\system32\drivers\pfc.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB70A2000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA360000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB7083000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xBA75A000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9CA7000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB706C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA208000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA368000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB705B000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA358000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA370000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB702B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB790D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA378000 \SystemRoot\system32\DRIVERS\seehcri.sys
0xB78FD000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA62C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6FCD000 \SystemRoot\system32\DRIVERS\update.sys
0xB9C8B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB0BCC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB0BBC000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAF91A000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xAF8F6000 \SystemRoot\system32\drivers\portcls.sys
0xB0BAC000 \SystemRoot\system32\drivers\drmk.sys
0xAF896000 \SystemRoot\system32\drivers\Senfilt.sys
0xB365C000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xA80C0000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xA93DF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA7D0E000 \SystemRoot\System32\Drivers\Null.SYS
0xA93DD000 \SystemRoot\System32\Drivers\Beep.SYS
0xA7772000 \SystemRoot\System32\drivers\vga.sys
0xA8B93000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA8B91000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA776A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA7762000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA8921000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA6578000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA651F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA64C6000 \SystemRoot\System32\Drivers\NIS\1205000.07D\SYMTDI.SYS
0xA64A0000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA647A000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA6422000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110107.002\IDSxpx86.sys
0xA63FA000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA63D8000 \SystemRoot\System32\drivers\afd.sys
0xA7BFE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA775A000 \SystemRoot\System32\Drivers\StarOpen.SYS
0xA7BEE000 \SystemRoot\system32\drivers\NIS\1205000.07D\SRTSPX.SYS
0xA63AD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA633D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA7BDE000 \SystemRoot\System32\Drivers\Fips.SYS
0xA774A000 \SystemRoot\system32\DRIVERS\dot4usb.sys
0xA630A000 \SystemRoot\system32\DRIVERS\Dot4.sys
0xA7BCE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA7BBE000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA8318000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA708F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA7742000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA773A000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA62AC000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA628F000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA61E3000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys
0xA613F000 \SystemRoot\system32\drivers\NIS\1205000.07D\SYMEFA.SYS
0xA611B000 \SystemRoot\system32\drivers\NIS\1205000.07D\Ironx86.SYS
0xAE526000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
0xB0B09000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xA6703000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA6054000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9819000 \SystemRoot\System32\drivers\Dxapi.sys
0xB0AF9000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6CD000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8314000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA5E17000 \SystemRoot\system32\drivers\wdmaud.sys
0xB08AC000 \SystemRoot\system32\drivers\sysaudio.sys
0xA5D9C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA5B6000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA5CE4000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xA5C3C000 \SystemRoot\system32\DRIVERS\srv.sys
0xA5CD0000 \??\C:\WINDOWS\system32\drivers\pdihwctl.sys
0xA5426000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA51E1000 \SystemRoot\System32\Drivers\NIS\1205000.07D\SRTSP.SYS
0xA5A4C000 \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
0xA45DE000 \SystemRoot\System32\Drivers\HTTP.sys
0xA42DB000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110109.003\NAVEX15.SYS
0xA42C7000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110109.003\NAVENG.SYS
0xA417F000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 SYSTEM
1236 C:\WINDOWS\system32\smss.exe
1296 csrss.exe
1320 C:\WINDOWS\system32\winlogon.exe
1364 C:\WINDOWS\system32\services.exe
1376 C:\WINDOWS\system32\lsass.exe
1548 C:\WINDOWS\system32\svchost.exe
1648 svchost.exe
1800 C:\WINDOWS\system32\svchost.exe
1840 C:\WINDOWS\system32\svchost.exe
1992 svchost.exe
220 svchost.exe
500 C:\WINDOWS\system32\spoolsv.exe
900 svchost.exe
932 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
948 C:\Program Files\Bonjour\mDNSResponder.exe
996 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1024 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
1580 C:\WINDOWS\system32\FsUsbExService.Exe
1604 C:\Program Files\Java\jre6\bin\jqs.exe
1728 C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccsvchst.exe
1976 C:\WINDOWS\system32\nvsvc32.exe
2004 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
276 C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
248 C:\WINDOWS\explorer.exe
1908 C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccsvchst.exe
2532 C:\WINDOWS\system32\svchost.exe
2552 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2600 C:\Program Files\Touchpad\Gesture.exe
2644 C:\WINDOWS\system32\glidew32.exe
2704 C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
2736 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
2952 C:\Program Files\iTunes\iTunesHelper.exe
3008 C:\WINDOWS\system32\ctfmon.exe
3016 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
3080 C:\Program Files\Skype\Phone\Skype.exe
2312 C:\Program Files\iPod\bin\iPodService.exe
3392 alg.exe
3064 C:\Program Files\Mozilla Firefox\firefox.exe
3956 C:\Program Files\Mozilla Firefox\plugin-container.exe
816 C:\Program Files\Qualcomm\Eudora\Eudora.exe
584 C:\Utils\zips\Diagnostics\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500AAJS-75B4A0, Rev: 01.03A01
PhysicalDrive1 Model Number: WDCWD2500AAJS-75B4A0, Rev: 01.03A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: D1552CFE3A80B6458D680CEEF8D33E3E9A927AF9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

-----
Preformat.txt:
-----

Partition ID: Disk #0, Partition #0
Size: 62.72 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 232.76 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #1, Partition #0
Size: 232.82 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A05
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

#4 Noviciate

  • Malware Response Team
Posted 10 January 2011 - 02:53 PM

Good evening. :)

Is your computer suffering any ill effects, search redirects or pop-ups for example, or is it simply that Norton is displaying its warnings that is the issue?

EDIT:

I reinstalled Windows

As a matter of interest, did you use a disc or does your Dell have a Recovery Partition that you used instead - it may have a bearing on your situation.

Edited by Noviciate, 10 January 2011 - 03:31 PM.

So long, and thanks for all the fish.
#5 DRaich

  • Topic Starter
  • Members
Posted 11 January 2011 - 09:33 PM

I reinstalled from an XP installation disk provided by Dell (not an image disk, and there is not a recovery partition).

I am not aware of any ill effects other than the continued warnings. No odd ads or popups. My network connection is sometimes slower than it should be, but I do not think I am part of a botnet -- though I do not know how to be certain of that.

I doubt a key logger is running because there have been no warnings of one and there has been no unauthorized bank activity.

#6 Noviciate

  • Malware Response Team
Posted 12 January 2011 - 03:47 PM

Good evening. :)

I see that your system has two hard drives in it. Each of these has a Master Boot Record. The MBR on the drive that has Windows installed is the one that is active and, if infected, it is the one that causes the problems.
Reinstalling Windows will have overwritten the MBR on the primary disc and any infected MBR would have gone west, so to speak, but if both MBRs were infected it wouldn't have touched the second.

It is possible that the MBR infection that Norton is warning you about is on the other drive and while that MBR is technically infected, as Windows doesn't access it unless you boot from that drive, it poses no risk.
The fact that you are not reporting any symptoms of infection makes me think that this is the case, but we'll start by checking the PC for active issues before we proceed.

#7 DRaich

  • Topic Starter
  • Members
Posted 14 January 2011 - 08:55 PM

Thank you, that's an interesting thought -- that I've been trying to clean up the wrong drive, in which case I am hardly at risk, but it should be easy to fix.

Anyhow, I am back and ready to work on this machine again. How would you like to proceed?

#8 Noviciate

  • Malware Response Team
Posted 15 January 2011 - 02:21 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

#9 DRaich

  • Topic Starter
  • Members
Posted 15 January 2011 - 04:17 PM

ESET found no threats on C: or D:

#10 Noviciate

  • Malware Response Team
Posted 15 January 2011 - 05:38 PM

Run MBRCheck.exe again but, when prompted, enter Y this time for further options.
At the "Options" prompt enter 2 - this will overwrite the malicious boot code.
When asked for the "Physical Drive Number", enter 1
When asked for the "MBR Code to write", enter 1
Enter YES to confirm your actions - it needs to be YES and not Y.

Please immediately reboot your PC and let me have the contents of the new text file that will have been created on your Desktop.

#11 DRaich

  • Topic Starter
  • Members
Posted 15 January 2011 - 09:47 PM

The new MBRCheck file is as follows. An MBRCheck_Backup was also created. FWIW, Norton is still complaining about mebroot.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000c03fd

Kernel Drivers (total 150):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA328000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E5C000 iaStor.sys
0xBA330000 cercsr6.sys
0xB9E44000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DED000 SYMDS.SYS
0xBA118000 PxHelp20.sys
0xB9DD6000 KSecDD.sys
0xB9DC3000 WudfPf.sys
0xB9D36000 Ntfs.sys
0xB9D09000 NDIS.sys
0xBA128000 sbp2port.sys
0xB9CEF000 Mup.sys
0xB9CCF000 fltmgr.sys
0xBA148000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB90D6000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7D51000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB7D3D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA4A0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB7D19000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA4A8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7CF1000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB7CC6000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB90C6000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA4B0000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA340000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB90B6000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA350000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\gpmoups2.sys
0xB90A6000 \SystemRoot\system32\DRIVERS\glidesvc.sys
0xBA360000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB7CB2000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA5A4000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9CAB000 \SystemRoot\system32\drivers\pfc.sys
0xB9096000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7C8F000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA358000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB7C70000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xBA7B6000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA308000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9C9B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7C59000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA158000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA368000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7C48000 \SystemRoot\system32\DRIVERS\psched.sys
0xB84FA000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA370000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA378000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7C18000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB84EA000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA380000 \SystemRoot\system32\DRIVERS\seehcri.sys
0xB84DA000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA618000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7BBA000 \SystemRoot\system32\DRIVERS\update.sys
0xB9C6E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9126000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9116000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5B0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB1864000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xB1840000 \SystemRoot\system32\drivers\portcls.sys
0xB9106000 \SystemRoot\system32\drivers\drmk.sys
0xB17E0000 \SystemRoot\system32\drivers\Senfilt.sys
0xA9BDD000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xA9A49000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xAB192000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA950F000 \SystemRoot\System32\Drivers\Null.SYS
0xAB190000 \SystemRoot\System32\Drivers\Beep.SYS
0xA8D7E000 \SystemRoot\System32\drivers\vga.sys
0xAB18E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xAA5C5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA8D76000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA8D6E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA9535000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA83FB000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA83A2000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA837C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA8323000 \SystemRoot\System32\Drivers\NIS\1205000.07D\SYMTDI.SYS
0xA82FD000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA82A5000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110114.002\IDSxpx86.sys
0xAFD65000 \SystemRoot\system32\DRIVERS\dot4usb.sys
0xA8AF7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8272000 \SystemRoot\system32\DRIVERS\Dot4.sys
0xA824A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8228000 \SystemRoot\System32\drivers\afd.sys
0xA8AE7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAFD5D000 \SystemRoot\System32\Drivers\StarOpen.SYS
0xA8AD7000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA8AC7000 \SystemRoot\system32\drivers\NIS\1205000.07D\SRTSPX.SYS
0xA81FD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA818D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA8AB7000 \SystemRoot\System32\Drivers\Fips.SYS
0xA812F000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA8112000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA8066000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys
0xA7FC2000 \SystemRoot\system32\drivers\NIS\1205000.07D\SYMEFA.SYS
0xA7F9E000 \SystemRoot\system32\drivers\NIS\1205000.07D\Ironx86.SYS
0xACEEE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA87C5000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAFACF000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA3C0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xACECE000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xA7ED7000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xAC82E000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3D8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA707000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB97D9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA7327000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA218000 \SystemRoot\system32\drivers\sysaudio.sys
0xA72AC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAB19A000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA71F4000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xA714C000 \SystemRoot\system32\DRIVERS\srv.sys
0xA71D0000 \??\C:\WINDOWS\system32\drivers\pdihwctl.sys
0xA6B1F000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA69D2000 \SystemRoot\System32\Drivers\NIS\1205000.07D\SRTSP.SYS
0xA5B77000 \SystemRoot\System32\Drivers\HTTP.sys
0xA5C00000 \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
0xA5894000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110115.002\NAVEX15.SYS
0xA5880000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110115.002\NAVENG.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA704C000 \SystemRoot\system32\drivers\usbaudio.sys
0xA54DF000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 44):
0 System Idle Process
4 SYSTEM
1232 C:\WINDOWS\system32\smss.exe
1288 csrss.exe
1316 C:\WINDOWS\system32\winlogon.exe
1368 C:\WINDOWS\system32\services.exe
1380 C:\WINDOWS\system32\lsass.exe
1552 C:\WINDOWS\system32\svchost.exe
1652 svchost.exe
1804 C:\WINDOWS\system32\svchost.exe
1844 C:\WINDOWS\system32\svchost.exe
1892 svchost.exe
1968 svchost.exe
436 C:\WINDOWS\system32\spoolsv.exe
892 svchost.exe
924 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
940 C:\Program Files\Bonjour\mDNSResponder.exe
992 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1020 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
1604 C:\WINDOWS\system32\FsUsbExService.Exe
1704 C:\Program Files\Java\jre6\bin\jqs.exe
1756 C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccsvchst.exe
2004 C:\WINDOWS\system32\nvsvc32.exe
204 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
2020 C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
1040 C:\WINDOWS\explorer.exe
848 C:\Program Files\Analog Devices\Core\smax4pnp.exe
1164 C:\WINDOWS\system32\svchost.exe
1220 C:\Program Files\Touchpad\Gesture.exe
180 C:\WINDOWS\system32\glidew32.exe
2156 C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
2528 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
2900 C:\Program Files\iTunes\iTunesHelper.exe
2908 C:\WINDOWS\system32\ctfmon.exe
2916 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
3612 C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccsvchst.exe
2324 alg.exe
1216 C:\Program Files\iPod\bin\iPodService.exe
2352 C:\Program Files\Mozilla Firefox\firefox.exe
640 C:\Program Files\Qualcomm\Eudora\Eudora.exe
780 C:\Program Files\Skype\Phone\Skype.exe
864 C:\Program Files\Mozilla Firefox\plugin-container.exe
3380 C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
4060 C:\Utils\zips\Diagnostics\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500AAJS-75B4A0, Rev: 01.03A01
PhysicalDrive1 Model Number: WDCWD2500AAJS-75B4A0, Rev: 01.03A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: D1552CFE3A80B6458D680CEEF8D33E3E9A927AF9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
Enter the physical disk number to fix (0-99, -1 to cancel): 1
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

#12 Noviciate

  • Malware Response Team
Posted 16 January 2011 - 02:55 PM

Good evening. :)

You are going to need to tell me exactly what Norton is flagging.

#13 DRaich

  • Topic Starter
  • Members
Posted 17 January 2011 - 10:53 AM

Attached is a screenshot of the Norton warning that appears whenever I boot. (This also used to pop up several more times per day, but Norton seems to have noticed that I always dismiss it, and now it appears only when I boot.)

The second screenshot shows the details page from Norton. The information is the same as when I click the export link, which gives the following text file:

Resolved Threats:
No risks have been resolved

Unresolved Threats:
Boot.Mebroot
Type: Master Boot Record
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Remove Failed
-----------
1 System Action
Drive 0x81 - Infected


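Noviciate's explanation in #6 (two disks, two MBRs, only the boot disk's code ever runs), the fix in #10 (overwrite the second disk's boot code while leaving its partition table alone) and the "Drive 0x81" in Norton's report above can all be checked against a raw sector image. In INT 13h BIOS numbering 0x80 is the first hard disk and 0x81 the second, which agrees with the suggestion that the flagged MBR lives on PhysicalDrive1. The block below is an added example, not MBRCheck, not Symantec's code and not anything posted in this thread: the boot code bytes, partition types, disk signatures and the KNOWN_GOOD table are constructed for the demonstration, the assumption that a repair rewrites only bytes 0-439 of the sector is mine, and read_physical_mbr is included for completeness but not exercised because it needs a raw device and administrator rights.

```python
# Added example (not MBRCheck, not Symantec's tool, not code from this thread):
# a minimal MBR inspector and boot-code rewriter for a 512-byte sector image.
# Which bytes MBRCheck hashes is not stated in the thread, so SHA1 values
# computed here are not comparable with the ones in the posted reports.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: the code the BIOS jumps into
DISK_SIG_OFF = 440            # bytes 440-443: NT disk signature (444-445 reserved)
PTABLE_OFF = 446              # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def bios_drive_name(drive: int) -> str:
    """INT 13h numbering, as in Norton's 'Drive 0x81': 0x80 is the first hard
    disk, 0x81 the second (normally PhysicalDrive1 on Windows)."""
    if drive < 0x80:
        return "floppy/removable %d" % drive
    return "hard disk %d (normally \\\\.\\PhysicalDrive%d)" % (drive - 0x80, drive - 0x80)


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i:PTABLE_OFF + 16 * (i + 1)]
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count,
                           "byte_offset": lba * SECTOR_SIZE})  # MBRCheck's "at offset"
    return {"code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
            "partitions": partitions}


def classify_boot_code(sector: bytes, known_good: dict) -> str:
    """Label the boot code from a hash table, or report it as unknown."""
    return known_good.get(parse_mbr(sector)["code_sha1"], "Unknown MBR code")


def replace_boot_code(sector: bytes, standard_code: bytes) -> bytes:
    """The rewrite step of a fix like MBRCheck option 2 (assumed behaviour):
    overwrite bytes 0-439 only, keeping disk signature, partition table, 0x55AA."""
    if len(standard_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than %d bytes" % BOOT_CODE_LEN)
    parse_mbr(sector)  # refuse to rewrite something that is not a valid MBR
    return standard_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def build_mbr(code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed MBR image for the demonstration."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\xfe\xff\xff", pt, b"\xfe\xff\xff", lba, n)
                     for st, pt, lba, n in partitions).ljust(64, b"\x00")
    return (code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", disk_sig)
            + b"\x00\x00" + table + BOOT_SIGNATURE)


def read_physical_mbr(path: str = r"\\.\PhysicalDrive1") -> bytes:
    """Read sector 0 of a raw device (administrator rights needed on Windows).
    Caveat: a bootkit filtering disk I/O inside the running OS can hand a
    clean-looking sector to user-mode readers; cross-check with a read made
    from separate boot media."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed stand-in for standard boot code (an infinite loop padded with
# NOPs); real Windows XP boot code differs. Its hash only seeds the table.
STANDARD_CODE = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)
KNOWN_GOOD = {hashlib.sha1(STANDARD_CODE).hexdigest().upper(): "Windows XP MBR code detected"}

# Constructed images borrowing the layout in the reports: disk 0 with a small
# utility partition (type byte assumed) and the bootable NTFS volume at byte
# offset 0x3EC1000; disk 1 with one NTFS partition at 0x7E00 (LBA 63) behind
# arbitrary unrecognised code (not a real bootkit).
DISK0 = build_mbr(STANDARD_CODE, 0x0BADF00D,
                  [(0x00, 0xDE, 63, 128_457), (0x80, 0x07, 128_520, 488_000_000)])
DISK1 = build_mbr(b"\xfa\x31\xc0\x8e\xd8" + b"\xcc" * 100, 0x1234ABCD,
                  [(0x00, 0x07, 63, 488_000_000)])


def demo() -> dict:
    """Classify disk 1, rewrite its boot code, and verify what was preserved."""
    before = parse_mbr(DISK1)
    fixed = replace_boot_code(DISK1, STANDARD_CODE)
    after = parse_mbr(fixed)
    return {"before": classify_boot_code(DISK1, KNOWN_GOOD),
            "after": classify_boot_code(fixed, KNOWN_GOOD),
            "partitions_kept": before["partitions"] == after["partitions"],
            "signature_kept": before["disk_signature"] == after["disk_signature"],
            "d_offset": hex(after["partitions"][0]["byte_offset"])}
```

On a real machine, parse_mbr(read_physical_mbr()) gives the partition byte offsets to line up with the "\\.\D: --> \\.\PhysicalDrive1 at offset" lines in the reports, and the hash before and after a rewrite shows whether the write persisted. The docstring caveat is the one that matters in a thread like this: while a rootkit that filters disk I/O is active in the running OS, what a user-mode tool reads from sector 0 is whatever that filter chooses to show it, so a read from separate boot media is the only trustworthy reference.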
#14 Noviciate

  • Malware Response Team
Posted 17 January 2011 - 03:11 PM

Good evening. :)

Not exactly a great help is Norton. Let's see if the MBR on the second drive actually got fixed.

If you need to, download MBRCheck.exe by a_d_13 from here and save it to your Desktop, otherwise simply run the copy you still have...

  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.

#15 DRaich

  • Topic Starter
  • Members
Posted 17 January 2011 - 09:27 PM

Below is the new 01/17 MBRCheck report. It still says it found a "nonstandard or infected" MBR. And I spoke too soon about Norton; it's back to popping up several times per day. Don't know why it did it only once yesterday.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fd

Kernel Drivers (total 150):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA328000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E5C000 iaStor.sys
0xBA330000 cercsr6.sys
0xB9E44000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DED000 SYMDS.SYS
0xBA118000 PxHelp20.sys
0xB9DD6000 KSecDD.sys
0xB9DC3000 WudfPf.sys
0xB9D36000 Ntfs.sys
0xB9D09000 NDIS.sys
0xBA128000 sbp2port.sys
0xB9CEF000 Mup.sys
0xB9CCF000 fltmgr.sys
0xBA148000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7E07000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB7DF3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB7DCF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA490000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7DA7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB7D7C000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB9109000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA498000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA4A0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB90F9000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\gpmoups2.sys
0xB90E9000 \SystemRoot\system32\DRIVERS\glidesvc.sys
0xBA4B0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB7D68000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA5A4000 \SystemRoot\system32\drivers\pfc.sys
0xB90D9000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB90C9000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7D45000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA340000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB90B9000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB7D26000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xBA78D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB90A9000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9C9F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7D0F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9099000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB85B0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA350000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7CFE000 \SystemRoot\system32\DRIVERS\psched.sys
0xB85A0000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA360000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA368000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7CCE000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8590000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA358000 \SystemRoot\system32\DRIVERS\seehcri.sys
0xB8580000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA62C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7C70000 \SystemRoot\system32\DRIVERS\update.sys
0xB9C72000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA268000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA278000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA66C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB2597000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xB2573000 \SystemRoot\system32\drivers\portcls.sys
0xBA288000 \SystemRoot\system32\drivers\drmk.sys
0xB2513000 \SystemRoot\system32\drivers\Senfilt.sys
0xAA521000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xA9D30000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xAB023000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA948D000 \SystemRoot\System32\Drivers\Null.SYS
0xAB021000 \SystemRoot\System32\Drivers\Beep.SYS
0xA8FB8000 \SystemRoot\System32\drivers\vga.sys
0xAB01F000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xAB01D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA8FB0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA8FA8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA9CAF000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA84E0000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8487000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA842E000 \SystemRoot\System32\Drivers\NIS\1205000.07D\SYMTDI.SYS
0xA8408000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA83E2000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA8FA0000 \SystemRoot\system32\DRIVERS\dot4usb.sys
0xA83AF000 \SystemRoot\system32\DRIVERS\Dot4.sys
0xA948F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA90A0000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA9C97000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA9090000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA8F98000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA8F90000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA8357000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110114.002\IDSxpx86.sys
0xA832F000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA830D000 \SystemRoot\System32\drivers\afd.sys
0xA9050000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8F88000 \SystemRoot\System32\Drivers\StarOpen.SYS
0xA9030000 \SystemRoot\system32\drivers\NIS\1205000.07D\SRTSPX.SYS
0xA82E2000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8272000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9020000 \SystemRoot\System32\Drivers\Fips.SYS
0xA8214000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA81F7000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA814B000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys
0xA80A7000 \SystemRoot\system32\drivers\NIS\1205000.07D\SYMEFA.SYS
0xA8083000 \SystemRoot\system32\drivers\NIS\1205000.07D\Ironx86.SYS
0xB0123000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
0xA8FC0000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xB0085000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA7FBC000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB984D000 \SystemRoot\System32\drivers\Dxapi.sys
0xAFF85000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6E8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8FEC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA75DF000 \SystemRoot\system32\drivers\wdmaud.sys
0xAFB61000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7564000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xABD94000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA74AC000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xA742C000 \SystemRoot\system32\DRIVERS\srv.sys
0xA74A4000 \??\C:\WINDOWS\system32\drivers\pdihwctl.sys
0xA6E90000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA6E0B000 \SystemRoot\System32\Drivers\NIS\1205000.07D\SRTSP.SYS
0xA6C98000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110116.003\NAVEX15.SYS
0xA6C5C000 \??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110116.003\NAVENG.SYS
0xA6F44000 \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
0xA68A0000 \SystemRoot\System32\Drivers\HTTP.sys
0xA5A6A000 \??\C:\WINDOWS\system32\vsdatant.sys
0xA9000000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA5769000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 SYSTEM
1232 C:\WINDOWS\system32\smss.exe
1288 csrss.exe
1316 C:\WINDOWS\system32\winlogon.exe
1360 C:\WINDOWS\system32\services.exe
1372 C:\WINDOWS\system32\lsass.exe
1544 C:\WINDOWS\system32\svchost.exe
1644 svchost.exe
1796 C:\WINDOWS\system32\svchost.exe
1836 C:\WINDOWS\system32\svchost.exe
1880 svchost.exe
2008 svchost.exe
432 C:\WINDOWS\system32\spoolsv.exe
868 svchost.exe
900 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
916 C:\Program Files\Bonjour\mDNSResponder.exe
964 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
992 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
1520 C:\WINDOWS\system32\FsUsbExService.Exe
1572 C:\Program Files\Java\jre6\bin\jqs.exe
1628 C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccsvchst.exe
1972 C:\WINDOWS\system32\nvsvc32.exe
2020 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
336 C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
284 C:\WINDOWS\system32\svchost.exe
2716 C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccsvchst.exe
3232 alg.exe
2604 C:\WINDOWS\explorer.exe
2760 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2772 C:\Program Files\Touchpad\Gesture.exe
2692 C:\WINDOWS\system32\glidew32.exe
2800 C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
2836 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
2992 C:\Program Files\iTunes\iTunesHelper.exe
3032 C:\WINDOWS\system32\ctfmon.exe
3040 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
2084 C:\Program Files\Skype\Phone\Skype.exe
844 C:\Program Files\iPod\bin\iPodService.exe
1900 C:\Program Files\Mozilla Firefox\firefox.exe
468 C:\Program Files\Mozilla Firefox\plugin-container.exe
788 C:\Utils\zips\Diagnostics\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500AAJS-75B4A0, Rev: 01.03A01
PhysicalDrive1 Model Number: WDCWD2500AAJS-75B4A0, Rev: 01.03A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: D1552CFE3A80B6458D680CEEF8D33E3E9A927AF9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


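In the MBR Status tables above, the SHA1 printed for PhysicalDrive1 (D1552CFE...) is the same in this 17 January run as in the runs made before the rewrite in #11, even though MBRCheck reported "Successfully wrote new MBR code!". Comparing the hashes across runs is the quick way to tell whether a boot-code rewrite actually persisted. The script below is an added example of mine, not part of MBRCheck or of this thread: it parses that table out of two reports and flags the unchanged hash. The two excerpts are copied from the reports posted above, and the rewritten set is the caller's statement of which drives were supposed to change.

```python
# Added example (mine, not MBRCheck's): parse the "MBR Status" table of two
# MBRCheck reports and flag a drive whose boot-code hash did not change after
# a rewrite. The two excerpts below are copied from the reports in this thread.
import re

DRIVE_RE = re.compile(r"^\s*(\d+\s*[KMGT]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.*\S)\s*$")
SHA1_RE = re.compile(r"^\s*SHA1:\s*([0-9A-Fa-f]{40})\s*$")

# Table from the report printed before the rewrite (post #11).
BEFORE = r"""
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: D1552CFE3A80B6458D680CEEF8D33E3E9A927AF9
"""
# Table from the report run after the rewrite and reboot (post #15).
AFTER = r"""
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: D1552CFE3A80B6458D680CEEF8D33E3E9A927AF9
"""


def parse_report(text: str) -> dict:
    """Return {device: {"size", "status", "sha1"}} from a report's MBR table."""
    drives, current = {}, None
    for line in text.splitlines():
        m = DRIVE_RE.match(line)
        if m:
            current = m.group(2)
            drives[current] = {"size": m.group(1), "status": m.group(3), "sha1": None}
            continue
        m = SHA1_RE.match(line)
        if m and current:
            drives[current]["sha1"] = m.group(1).upper()  # SHA1 line follows its drive line
            current = None
    return drives


def compare_reports(before: str, after: str, rewritten: set) -> list:
    """Findings as (device, message). A drive in `rewritten` must show a new
    hash; a drive not in it must show the same hash; unknown code is noted."""
    old, new = parse_report(before), parse_report(after)
    findings = []
    for dev, cur in new.items():
        prev = old.get(dev)
        if prev is None:
            findings.append((dev, "device absent from the earlier report"))
        elif dev in rewritten and prev["sha1"] == cur["sha1"]:
            findings.append((dev, "hash unchanged after rewrite: the write did not persist "
                                  "or the tool is not reading what is on disk"))
        elif dev not in rewritten and prev["sha1"] != cur["sha1"]:
            findings.append((dev, "hash changed with no rewrite requested"))
        elif "Unknown" in cur["status"]:
            findings.append((dev, "still reports unknown MBR code"))
    return findings
```

Calling compare_reports(BEFORE, AFTER, {r"\\.\PhysicalDrive1"}) returns a single finding for PhysicalDrive1, which is the situation in this thread: the tool claimed success, but the sector it reads back afterwards hashes exactly as before. Whether that is because the write never reached the platter or because something between the tool and the disk is returning the old content, the page does not say; either way the hash comparison is what tells you the fix has not been verified.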