TechSpot

[A] Hard drive clusters are partly damaged - can't run malware

By rblum
Mar 2, 2012
  1. I seem to have the same problem as several other people. I downloaded the malware but when I tried to run it, it said I didn't have permission. Can someone help me fix my computer? I'm on Windows Vista for Home.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
    Complete as many steps as you can.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. rblum

    rblum TS Rookie Topic Starter

    I can't run the Malware program because it says Access is denied when I try to install it.
     
  4. rblum

    rblum TS Rookie Topic Starter

    I found a way to install the Malware on another drive, so I'm running the scan now.
     
  5. rblum

    rblum TS Rookie Topic Starter

    results from Malware Scan

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.02.06

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19170
    Renee :: RENEE [administrator]

    3/2/2012 5:34:41 PM
    mbam-log-2012-03-02 (17-34-41).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 245732
    Time elapsed: 22 minute(s), 8 second(s)

    Memory Processes Detected: 2
    C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> 3176 -> Delete on reboot.
    C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> 160 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Data: C:\ProgramData\QgsXPpOqaEn.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Delete on reboot.
    C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> Delete on reboot.

    (end)
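As an added example (not part of this thread and not Malwarebytes' own code), here is a small parser for MBAM 1.x log text like the one above. It turns each detection line into a record, checks the per-section counts the log declares against the lines actually present, and flags the entries a responder wants to follow up on: autorun values under ...\CurrentVersion\Run, PUM (policy/settings tampering) items such as DisableTaskMgr, and anything still marked "Delete on reboot", which is not gone until the machine has restarted. The sample log is constructed from the lines in this post; the function names and the flagging rules are assumptions of this example, not MBAM's.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text log into structured findings
and flag persistence, policy tampering and items still pending a reboot.
Added example; not MBAM code."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt in the format of the MBAM log posted above.
SAMPLE_LOG = r"""
Memory Processes Detected: 2
C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> 3176 -> Delete on reboot.
C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> 160 -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Data: C:\ProgramData\QgsXPpOqaEn.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 2
C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> Delete on reboot.

(end)
"""

# "Memory Processes Detected: 2" -> section name + declared count
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<item> (<threat name>) -> <detail> -> <action>."; the item is matched
# non-greedily so paths containing parentheses still parse correctly.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")


@dataclass
class Finding:
    section: str
    item: str      # path or "HIVE\Key|ValueName"
    threat: str    # MBAM detection name, e.g. Trojan.FakeAlert
    action: str    # what MBAM did, trailing period removed
    detail: str    # PID, "Data: ..." or "Bad: (x) Good: (y)"; may be empty

    @property
    def is_persistence(self) -> bool:
        # Assumed rule: a value under ...\CurrentVersion\Run or RunOnce.
        return bool(re.search(r"\\CurrentVersion\\Run(Once)?\|", self.item, re.I))

    @property
    def is_tampering(self) -> bool:
        # Assumed rule: PUM.* entries are policy/settings modifications.
        return self.threat.startswith("PUM.")

    @property
    def pending_reboot(self) -> bool:
        return "reboot" in self.action.lower()


def parse_mbam_log(text):
    """Return (findings, declared_counts) for an MBAM 1.x log body."""
    findings, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            declared[section] = int(m.group("count"))
            continue
        # Header lines before the first section (scan type, DB version) are skipped.
        if section is None or line.startswith("(No malicious"):
            continue
        d = DETECTION_RE.match(line)
        if not d:
            continue
        parts = [p.strip() for p in d.group("rest").split(" -> ")]
        findings.append(Finding(section, d.group("item"), d.group("threat"),
                                parts[-1].rstrip("."), " -> ".join(parts[:-1])))
    return findings, declared


def summarize(findings, declared):
    """Counts per section, declared-vs-parsed mismatches, and follow-up lists."""
    by_section = {}
    for f in findings:
        by_section[f.section] = by_section.get(f.section, 0) + 1
    return {
        "total": len(findings),
        "by_section": by_section,
        "count_mismatches": [s for s, n in declared.items() if by_section.get(s, 0) != n],
        "persistence": [f.item for f in findings if f.is_persistence],
        "tampering": [f.item for f in findings if f.is_tampering],
        "pending_reboot": sorted({f.item for f in findings if f.pending_reboot}),
    }


if __name__ == "__main__":
    found, counts = parse_mbam_log(SAMPLE_LOG)
    for key, value in summarize(found, counts).items():
        print(f"{key}: {value}")
```

The "pending_reboot" list is the one to re-check: the two files in C:\ProgramData are only scheduled for deletion, so a second scan after restarting is what confirms they are gone. A non-empty "count_mismatches" means a pasted log was truncated or edited and should be re-posted in full.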
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good. Go on....
     
  7. rblum

    rblum TS Rookie Topic Starter

    gmer.log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-03-02 18:20:47
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST332082 rev.3.AH
    Running: hpuuyh5o.exe; Driver: C:\Users\Renee\AppData\Local\Temp\ugldrpow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E8EC398]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
     
  8. rblum

    rblum TS Rookie Topic Starter

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19170
    Run by Renee at 18:48:03 on 2012-03-02
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1111 [GMT -6:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: IObit Security 360 *Disabled/Updated* {FAE2835A-B90A-9E7A-85DA-82DBDA7C1E3A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\System32\alg.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\IObit\IObit Security 360\is360tray.exe
    C:\Program Files\j2 Messenger 4.4\J2GDllCmd.exe
    C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\IObit\IObit Security 360\is360.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\IObit\Advanced SystemCare 4\Asc.exe
    C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = Preserve
    uInternet Settings,ProxyOverride = *.local;*.hotmail.com;*.msn.com
    BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
    BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    BHO: 1 (0x1) - No File
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} -
    TB: {00000000-0000-0000-0000-000000000001} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    uRun: [cdloader] "c:\users\renee\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [j2 4.4] "c:\program files\j2 messenger 4.4\J2GDllCmd.exe" /R
    uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [CompanionLink] "c:\program files\companionlink\companionlink.exe" -Icon
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
    StartupFolder: c:\users\renee\appdata\roaming\micros~1\windows\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
    StartupFolder: c:\users\renee\appdata\roaming\microsoft\windows\start menu\programs\startup\hpqtra08.exe
    StartupFolder: c:\users\renee\appdata\roaming\micros~1\windows\startm~1\programs\startup\jconne~1.lnk - c:\program files\j2 messenger 4.4\J2GTray.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: Show RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4D} - {320AF880-6646-11D3-ABEE-C5DBF3571F4D} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F50} - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F51} - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F52} - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F53} - {320AF880-6646-11D3-ABEE-C5DBF3571F53} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F54} - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F55} - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {45DB34C3-955C-11D3-ABEF-444553540001} - {45DB34C3-955C-11D3-ABEF-444553540001} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: bluecrossmn.com\www
    Trusted Zone: dice.com\seeker
    Trusted Zone: dice.com\www
    Trusted Zone: fedex.com\www
    Trusted Zone: intuit.com
    Trusted Zone: intuit.com\ttlc
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246215145099
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {7411047A-48E1-4EC9-8AC1-088087AD368F} - hxxps://cbspayroll.quickbooks.com/NetPay/QBGL/GLDownload.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webportal.veoliaes.com/,DanaInfo=mail6.veoliaes.net+dwa7W.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
    TCP: DhcpNameServer = 172.16.0.1
    TCP: Interfaces\{07A7C227-CA85-4131-A3D9-C7CB36011BA6} : DhcpNameServer = 172.16.0.1
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R?2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-22 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-18 309848]
    R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-4-22 328536]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-18 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-5-11 54104]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-13 42184]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-2 21504]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-4-17 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-7-29 47640]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
    R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
    R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2007-4-17 13408]
    R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-7 25088]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1c99b5680deea72;Google Update Service (gupdate1c99b5680deea72);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
    S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
    S4 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
    S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-1-9 312152]
    S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
    S4 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
    S4 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
    .
    =============== Created Last 30 ================
    .
    2012-03-02 22:52:15 737606 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-03-02 08:16:08 6552120 ---ha-w- c:\programdata\microsoft\windows defender\definition updates\{9392b4ca-232a-402a-b666-0fd67e6b9988}\mpengine.dll
    2012-02-16 18:22:52 -------- d--h--w- c:\users\renee\appdata\roaming\CompanionLink
    2012-02-16 18:22:08 -------- d--h--w- c:\program files\CompanionLink
    .
    ==================== Find3M ====================
    .
    2012-01-29 11:10:42 237072 ---ha-w- c:\windows\system32\MpSigStub.exe
    2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-08 00:33:28 4200024 ---ha-w- c:\windows\system32\cdintf400.dll
    .
    ============= FINISH: 18:54:55.87 ===============


    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/4/2007 2:31:48 AM
    System Uptime: 3/2/2012 6:41:54 PM (0 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | LEONITE
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Socket 775 | 1867/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 292 GiB total, 137.113 GiB free.
    D: is FIXED (NTFS) - 6 GiB total, 0.841 GiB free.
    E: is CDROM ()
    F: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    Z: is NetworkDisk (NTFS) - 927 GiB total, 489.401 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    .
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    6400_Help
    Acrobat.com
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.5.0
    Advanced SystemCare 4
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AT&T Yahoo! Internet Mail
    AudibleManager
    avast! Free Antivirus
    BlackBerry App World Browser Plugin
    BlackBerry Desktop Software 6.1
    BlackBerry Device Software Updater
    Bonjour
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    CDDRV_Installer
    CompanionLink
    Crawler Smileys
    CustomerResearchQFolder
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DIRECTV2PC Playback Advisor
    DOC Regenerator
    DocMgr
    DocProc
    DocProcQFolder
    Enhanced Multimedia Keyboard Solution
    erLT
    eSupportQFolder
    Evernote v. 4.4.2
    Fax
    Form Fill (Windows Live Toolbar)
    GoodSync
    Google Chrome
    Google Update Helper
    GPBaseService
    GPBaseService2
    Handmark® Pocket Express for BlackBerry
    Hardware Diagnostic Tools
    Highlight Viewer (Windows Live Toolbar)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Advisor
    HP Customer Feedback
    HP Customer Participation Program 10.0
    HP Document Manager 1.0
    HP Easy Setup - Core
    HP Easy Setup - Frontend
    HP Imaging Device Functions 10.0
    HP Officejet J6400 Series
    HP Photosmart Essential 2.5
    HP Picasso Media Center Add-In
    HP Product Detection
    HP Smart Web Printing
    HP Solution Center 13.0
    HP Update
    HP_Network_UserGuide
    HPDiagnosticAlert
    HPProductAssistant
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel® Viiv™ Software
    IObit Security 360
    Iomega Home Storage Manager
    iSEEK AnswerWorks English Runtime
    iTunes
    j2 Messenger
    J2SE Runtime Environment 5.0 Update 3
    J6400
    Juniper Networks Host Checker
    Juniper Networks Network Connect 6.4.0
    Juniper Networks Setup Client
    KhalInstallWrapper
    LightScribe 1.4.124.1
    Logitech SetPoint
    LogMeIn
    magicJack
    magicJack Outlook Add-In 1.0.3.521
    Malwarebytes Anti-Malware version 1.60.1.1000
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Easy Assist v2
    Microsoft Fix it Center
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual Studio 2005 Tools for Office Runtime
    MSVCSetup
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MyTomTom 3.1.0.432
    Network
    OCR Software by I.R.I.S. 10.0
    OcxSetup
    OGA Notifier 2.0.0048.0
    OverDrive Media Console
    PIXMA Extended Survey Program
    ProductContext
    PSSWCORE
    Python 2.4.3
    QuickBooks
    QuickBooks Company File Diagnostic Tool
    QuickBooks Pro 2010
    QuickBooks Product Listing Service
    Quicken 2012
    Quicken Home Inventory Manager
    Quicken WillMaker Plus 2005
    Quicken WillMaker Plus 2009
    Quicken WillMaker Plus 2011
    QuickTime
    Realtek High Definition Audio Driver
    Recover My Files
    Registry Mechanic 7.0
    Retrospect Express HD 2.5
    Rhapsody Player Engine
    RoboForm 7-7-0 (All Users)
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Scan
    ScanSoft OmniPage SE 4
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Shop for HP Supplies
    Smart Defrag 1.20
    SmartWebPrintingOC
    Soft Data Fax Modem with SmartCP
    SolutionCenter
    StartNow Toolbar
    Status
    SupportSoft Assisted Service
    TeamViewer 4
    TomTom HOME 2.8.2.2264
    TomTom HOME Visual Studio Merge Modules
    Toolbox
    TrayApp
    Turbo Tax Audit Support Center 2.0
    TurboTax 2008
    TurboTax 2008 WinBizFedFormset
    TurboTax 2008 WinBizProgramHelp
    TurboTax 2008 WinBizReleaseEngine
    TurboTax 2008 WinBizTaxSupport
    TurboTax 2008 WinBizUserEducation
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax 2008 wwiiper
    TurboTax 2009
    TurboTax 2009 WinBizFedFormset
    TurboTax 2009 WinBizReleaseEngine
    TurboTax 2009 WinBizTaxSupport
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2009 wwiiper
    TurboTax 2010
    TurboTax 2010 WinBizFedFormset
    TurboTax 2010 WinBizReleaseEngine
    TurboTax 2010 WinBizTaxSupport
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wmniper
    TurboTax 2010 wrapper
    TurboTax 2010 wwiiper
    TurboTax 2011
    TurboTax 2011 WinBizFedFormset
    TurboTax 2011 WinBizReleaseEngine
    TurboTax 2011 WinBizTaxSupport
    TurboTax 2011 WinPerFedFormset
    TurboTax 2011 WinPerReleaseEngine
    TurboTax 2011 WinPerTaxSupport
    TurboTax 2011 wmniper
    TurboTax 2011 wmnpbpm
    TurboTax 2011 wrapper
    TurboTax 2011 wwiiper
    TurboTax Business 2005
    TurboTax Business 2006
    TurboTax Business 2007
    TurboTax Business 2008
    TurboTax Business 2009
    TurboTax Business 2010
    TurboTax Business 2011
    TurboTax ItsDeductible 2006
    TurboTax Premier 2007
    TurboTax Premier Investments 2006
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    VersionTracker Pro Windows
    VideoToolkit01
    VirtualLab Client 5.6.4
    Visual Studio C++ 10.0 Runtime
    WebReg
    Windows Installer Clean Up
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Yahoo! Install Manager
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/2/2012 6:54:56 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    3/2/2012 6:54:55 PM, Error: Service Control Manager [7034] - The Intuit Update Service v4 service terminated unexpectedly. It has done this 1 time(s).
    3/2/2012 6:54:54 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Eventlog service.
    3/2/2012 6:54:54 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume HP.
    3/2/2012 6:54:53 PM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    3/2/2012 6:51:30 PM, Error: iaStor [5] - A parity error was detected on \Device\Ide\iaStor0.
    3/2/2012 6:46:06 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
    3/2/2012 6:45:34 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    3/2/2012 6:45:34 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    3/2/2012 6:43:57 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/2/2012 6:43:57 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate1c99b5680deea72) service failed to start due to the following error: The system cannot find the file specified.
    3/2/2012 6:43:40 PM, Error: Microsoft-Windows-TaskScheduler [412] - Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147549183. User Action: restart task scheduler service.
    3/2/2012 6:43:32 PM, Error: EventLog [6008] - The previous system shutdown at 6:29:40 PM on 3/2/2012 was unexpected.
    3/2/2012 6:42:38 PM, Error: volmgr [46] - Crash dump initialization failed!
    3/2/2012 4:04:35 PM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    3/2/2012 3:56:00 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    3/2/2012 2:59:17 PM, Error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
    3/2/2012 12:26:50 PM, Error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/2/2012 12:26:39 PM, Error: Microsoft-Windows-Windows Defender [5008] - Windows Defender engine has been terminated due to an unexpected error. Failure Type: Crash Exception code: 0xc0000005 Resource: file:C:\Windows\system32\SLsvc.exe
    .
    ==== End Of File ===========================
     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  10. rblum

    rblum TS Rookie Topic Starter

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-02 19:09:23
    -----------------------------
    19:09:23.086 OS Version: Windows 6.0.6002 Service Pack 2
    19:09:23.087 Number of processors: 2 586 0xF06
    19:09:23.088 ComputerName: RENEE UserName: Renee
    19:09:30.257 Initialize success
    19:09:31.933 AVAST engine defs: 12030201
    19:09:46.106 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    19:09:46.111 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
    19:09:46.158 Disk 0 MBR read successfully
    19:09:46.162 Disk 0 MBR scan
    19:09:46.168 Disk 0 unknown MBR code
    19:09:46.193 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
    19:09:46.229 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 625137345
    19:09:46.235 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
    19:09:46.248 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
    19:09:46.258 Disk 0 scanning sectors +625142432
    19:09:46.378 Disk 0 scanning C:\Windows\system32\drivers
    19:10:03.549 Service scanning
    19:10:34.964 Modules scanning
    19:11:07.651 Disk 0 trace - called modules:
    19:11:07.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    19:11:07.697 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ae6708]
    19:11:07.708 3 CLASSPNP.SYS[88da38b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
    19:11:08.593 AVAST engine scan C:\Windows
    19:11:16.598 AVAST engine scan C:\Windows\system32
    19:16:44.140 AVAST engine scan C:\Windows\system32\drivers
    19:17:52.083 AVAST engine scan C:\Users\Renee
    19:47:35.089 AVAST engine scan C:\ProgramData
    19:55:54.821 Scan finished successfully
    20:48:18.859 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
    20:48:18.871 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"
     
  11. rblum

    rblum TS Rookie Topic Starter

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: ce8901d28a2b8c635e22b4216ab678c2

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It looks like we have a TDL rootkit there.

    Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

    Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  13. rblum

    rblum TS Rookie Topic Starter

    ListParts by Farbar Version: 29-02-2012
    Ran by Renee (administrator) on 02-03-2012 at 21:12:42
    Windows Vista (X86)
    Running From: C:\Users\Renee\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 44%
    Total physical RAM: 2037.77 MB
    Available physical RAM: 1135.17 MB
    Total Pagefile: 4316.78 MB
    Available Pagefile: 3049.73 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1968.4 MB

    ======================= Partitions =========================

    1 Drive c: (HP) (Fixed) (Total:291.82 GB) (Free:137.1 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
    2 Drive d: (Recovery) (Fixed) (Total:6.27 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    9 Drive z: (ActiveFolders) (Network) (Total:927.44 GB) (Free:489.4 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 292 GB 32 KB
    Partition 3 Primary 6417 MB 292 GB
    Partition 2 Primary 2544 KB 298 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C HP NTFS Partition 292 GB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D Recovery NTFS Partition 6417 MB Healthy

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ======================================================================================================

    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device partition=C:
    description Windows Boot Manager
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    displayorder {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30
    resume No

    Windows Boot Loader
    -------------------
    identifier {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    device partition=C:
    path \Windows\system32\winload.exe
    description Microsoft Windows Vista
    locale en-US
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
    device ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
    path \windows\system32\boot\winload.exe
    description HP Recovery Manager
    osdevice ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
    systemroot \windows
    nx OptIn
    detecthal Yes
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice partition=C:
    filepath \hiberfil.sys
    pae Yes
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device partition=C:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    Windows Legacy OS Loader
    ------------------------
    identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
    device partition=C:
    path \ntldr
    description Earlier Version of Windows

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Device options
    --------------
    identifier {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
    description Ramdisk Device Options
    ramdisksdidevice partition=D:
    ramdisksdipath \boot\boot.sdi

    Setup Ramdisk Options
    ---------------------
    identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
    description RAM Disk Settings
    ramdisksdidevice partition=D:
    ramdisksdipath \boot\boot.sdi


    ****** End Of Log ******
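To make the aswMBR and ListParts findings above concrete, here is an added example (not the page's code, nor either tool's own): it decodes a classic MBR partition table, flags the hidden type-0x17 slot that sits past the end of the recovery partition, and shows the in-memory equivalent of the two parted steps used later in the thread. The 512-byte sector is constructed from the offsets and sizes in the logs; it is not the poster's MBR.dat.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
TABLE_OFFSET = 446          # the four 16-byte slots start here
SIGNATURE = b"\x55\xaa"
# Types that hide a file system from Windows; 0x17 (hidden NTFS) is what aswMBR and
# ListParts flagged above. TDL/Alureon keeps its own storage in such a slot.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
TINY_LIMIT = 16 * 1024 * 1024   # bytes; a few-MB slot at the end of the disk is the TDL pattern


@dataclass
class PartitionEntry:
    index: int        # 1-based slot number, as aswMBR and ListParts report it
    bootable: bool    # status byte == 0x80
    ptype: int        # partition type byte
    lba_start: int    # first sector (the "offset" in the aswMBR log)
    sectors: int      # length in sectors

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors   # exclusive


def parse_mbr(sector: bytes) -> list[PartitionEntry]:
    """Decode the four slots of a classic MBR; empty slots (type 0) are skipped."""
    if len(sector) != SECTOR_BYTES or sector[510:] != SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for slot in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * slot)
        if ptype:
            entries.append(PartitionEntry(slot + 1, status == 0x80, ptype, lba, count))
    return entries


def audit(entries: list[PartitionEntry]) -> list[str]:
    """Return findings mirroring what the tools above reported; an empty list means clean."""
    findings = []
    if not any(e.bootable for e in entries):
        findings.append("no partition carries the active (0x80) flag")
    for e in entries:
        if e.ptype in HIDDEN_TYPES:
            findings.append(f"partition {e.index}: hidden type 0x{e.ptype:02X}")
        if e.sectors * SECTOR_BYTES <= TINY_LIMIT:
            findings.append(f"partition {e.index}: only {e.sectors * SECTOR_BYTES // 1024} KB")
        # A slot that starts beyond every later-numbered slot was appended after the
        # original layout, which is how the hidden partition ended up at the disk's end.
        later = [o for o in entries if o.index > e.index]
        if later and all(e.lba_start > o.lba_end for o in later):
            findings.append(f"partition {e.index}: lies beyond all later slots")
        for o in later:
            if e.lba_start < o.lba_end and o.lba_start < e.lba_end:
                findings.append(f"partitions {e.index} and {o.index} overlap")
    return findings


def _entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba, count)   # CHS fields zeroed


def build_sample_mbr() -> bytes:
    """Constructed sector reproducing the layout aswMBR printed above (offsets in sectors).
    Sizes are derived from the MB figures in the log; this is not the poster's MBR.dat."""
    table = (
        _entry(0x80, 0x07, 63, 298826 * 2048)          # slot 1: C:, active NTFS
        + _entry(0x00, 0x17, 625137345, 5088)          # slot 2: hidden NTFS, 2544 KB
        + _entry(0x00, 0x07, 611996175, 6416 * 2048)   # slot 3: D: recovery
        + bytes(16)                                    # slot 4: empty
    )
    return bytes(TABLE_OFFSET) + table + SIGNATURE


def remove_entry(sector: bytes, index: int) -> bytes:
    """Zero one slot: the in-memory equivalent of the 'parted /dev/sda rm 2' step."""
    off = TABLE_OFFSET + 16 * (index - 1)
    return sector[:off] + bytes(16) + sector[off + 16:]


def set_active(sector: bytes, index: int) -> bytes:
    """Make exactly one slot bootable, like 'parted /dev/sda set 1 boot on'."""
    buf = bytearray(sector)
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        if buf[off + 4]:                      # non-empty slot (type byte set)
            buf[off] = 0x80 if slot + 1 == index else 0x00
    return bytes(buf)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for line in audit(parse_mbr(mbr)):
        print("before:", line)
    fixed = remove_entry(set_active(mbr, 1), 2)
    print("after :", audit(parse_mbr(fixed)) or "clean")
```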
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download attached fix.txt file and save it to your desktop (<--- very important!).

    Run ListParts.
    Press Fix button.
    When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.
     

    Attached Files:

    • fix.txt (File size: 28 bytes)
  15. rblum

    rblum TS Rookie Topic Starter

    ListParts by Farbar Version: 29-02-2012
    Ran by Renee (administrator) on 02-03-2012 at 21:54:26
    Windows Vista (X86)
    Running From: C:\Users\Renee\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 49%
    Total physical RAM: 2037.77 MB
    Available physical RAM: 1028.16 MB
    Total Pagefile: 4316.78 MB
    Available Pagefile: 2917.93 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1968.22 MB

    ======================= Partitions =========================

    1 Drive c: (HP) (Fixed) (Total:291.82 GB) (Free:137.1 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
    2 Drive d: (Recovery) (Fixed) (Total:6.27 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    10 Drive z: (ActiveFolders) (Network) (Total:927.44 GB) (Free:489.4 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 292 GB 32 KB
    Partition 3 Primary 6417 MB 292 GB
    Partition 2 Primary 2544 KB 298 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C HP NTFS Partition 292 GB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D Recovery NTFS Partition 6417 MB Healthy

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 G RAW Partition 2544 KB Healthy

    ======================================================================================================

    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device partition=C:
    description Windows Boot Manager
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    displayorder {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30
    resume No

    Windows Boot Loader
    -------------------
    identifier {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    device partition=C:
    path \Windows\system32\winload.exe
    description Microsoft Windows Vista
    locale en-US
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
    device ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
    path \windows\system32\boot\winload.exe
    description HP Recovery Manager
    osdevice ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
    systemroot \windows
    nx OptIn
    detecthal Yes
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice partition=C:
    filepath \hiberfil.sys
    pae Yes
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device partition=C:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    Windows Legacy OS Loader
    ------------------------
    identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
    device partition=C:
    path \ntldr
    description Earlier Version of Windows

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Device options
    --------------
    identifier {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
    description Ramdisk Device Options
    ramdisksdidevice partition=D:
    ramdisksdipath \boot\boot.sdi

    Setup Ramdisk Options
    ---------------------
    identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
    description RAM Disk Settings
    ramdisksdidevice partition=D:
    ramdisksdipath \boot\boot.sdi


    ****** End Of Log ******
     
  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good job :)

    Now, delete fix.txt file from your desktop.

    Download new (attached) fix.txt file and save it to your desktop.

    Run ListParts.
    Press Fix button.
    When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.

    Also post new aswMBR log.
     

    Attached Files:

    • fix.txt (File size: 17 bytes)
  17. rblum

    rblum TS Rookie Topic Starter

    ListParts by Farbar Version: 29-02-2012
    Ran by Renee (administrator) on 02-03-2012 at 21:54:26
    Windows Vista (X86)
    Running From: C:\Users\Renee\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 49%
    Total physical RAM: 2037.77 MB
    Available physical RAM: 1028.16 MB
    Total Pagefile: 4316.78 MB
    Available Pagefile: 2917.93 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1968.22 MB

    ======================= Partitions =========================

    1 Drive c: (HP) (Fixed) (Total:291.82 GB) (Free:137.1 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
    2 Drive d: (Recovery) (Fixed) (Total:6.27 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    10 Drive z: (ActiveFolders) (Network) (Total:927.44 GB) (Free:489.4 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 292 GB 32 KB
    Partition 3 Primary 6417 MB 292 GB
    Partition 2 Primary 2544 KB 298 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C HP NTFS Partition 292 GB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D Recovery NTFS Partition 6417 MB Healthy

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 G RAW Partition 2544 KB Healthy

    ======================================================================================================

    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device partition=C:
    description Windows Boot Manager
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    displayorder {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30
    resume No

    Windows Boot Loader
    -------------------
    identifier {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
    device partition=C:
    path \Windows\system32\winload.exe
    description Microsoft Windows Vista
    locale en-US
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
    device ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
    path \windows\system32\boot\winload.exe
    description HP Recovery Manager
    osdevice ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
    systemroot \windows
    nx OptIn
    detecthal Yes
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice partition=C:
    filepath \hiberfil.sys
    pae Yes
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device partition=C:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    Windows Legacy OS Loader
    ------------------------
    identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
    device partition=C:
    path \ntldr
    description Earlier Version of Windows

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Device options
    --------------
    identifier {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
    description Ramdisk Device Options
    ramdisksdidevice partition=D:
    ramdisksdipath \boot\boot.sdi

    Setup Ramdisk Options
    ---------------------
    identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
    description RAM Disk Settings
    ramdisksdidevice partition=D:
    ramdisksdipath \boot\boot.sdi


    ****** End Of Log ******
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    OK, that didn't work for whatever reason.

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and when it finishes will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Click Menu then Terminal Emulator
    • Type parted /dev/sda set 1 boot on
    • Press Enter
    • Type parted /dev/sda rm 2
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
     
  19. rblum

    rblum TS Rookie Topic Starter

    I got this error when I did the previous activity.

    It didn't copy right, so this is approximately what it said. It said I needed to unmount the disk before I could partition it, or something like that.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Restart normally and post new aswMBR log.
     
  21. rblum

    rblum TS Rookie Topic Starter

    Partition dev/sda2 is being used. you must unmount it before modifying it with Parted
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Go ahead with my previous reply.
     
  23. rblum

    rblum TS Rookie Topic Starter

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-02 19:09:23
    -----------------------------
    19:09:23.086 OS Version: Windows 6.0.6002 Service Pack 2
    19:09:23.087 Number of processors: 2 586 0xF06
    19:09:23.088 ComputerName: RENEE UserName: Renee
    19:09:30.257 Initialize success
    19:09:31.933 AVAST engine defs: 12030201
    19:09:46.106 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    19:09:46.111 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
    19:09:46.158 Disk 0 MBR read successfully
    19:09:46.162 Disk 0 MBR scan
    19:09:46.168 Disk 0 unknown MBR code
    19:09:46.193 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
    19:09:46.229 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 625137345
    19:09:46.235 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
    19:09:46.248 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
    19:09:46.258 Disk 0 scanning sectors +625142432
    19:09:46.378 Disk 0 scanning C:\Windows\system32\drivers
    19:10:03.549 Service scanning
    19:10:34.964 Modules scanning
    19:11:07.651 Disk 0 trace - called modules:
    19:11:07.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    19:11:07.697 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ae6708]
    19:11:07.708 3 CLASSPNP.SYS[88da38b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
    19:11:08.593 AVAST engine scan C:\Windows
    19:11:16.598 AVAST engine scan C:\Windows\system32
    19:16:44.140 AVAST engine scan C:\Windows\system32\drivers
    19:17:52.083 AVAST engine scan C:\Users\Renee
    19:47:35.089 AVAST engine scan C:\ProgramData
    19:55:54.821 Scan finished successfully
    20:48:18.859 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
    20:48:18.871 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"


    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-02 22:21:23
    -----------------------------
    22:21:23.784 OS Version: Windows 6.0.6002 Service Pack 2
    22:21:23.784 Number of processors: 2 586 0xF06
    22:21:23.786 ComputerName: RENEE UserName: Renee
    22:21:24.691 Initialize success
    22:21:25.281 AVAST engine defs: 12030201
    22:21:30.141 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    22:21:30.149 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
    22:21:30.386 Disk 0 MBR read successfully
    22:21:30.391 Disk 0 MBR scan
    22:21:30.397 Disk 0 unknown MBR code
    22:21:30.440 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
    22:21:30.487 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
    22:21:30.528 Disk 0 scanning sectors +625137345
    22:21:30.925 Disk 0 scanning C:\Windows\system32\drivers
    22:23:00.683 Service scanning
    22:23:34.099 Modules scanning
    22:25:12.461 Disk 0 trace - called modules:
    22:25:12.508 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    22:25:12.509 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ae6708]
    22:25:12.511 3 CLASSPNP.SYS[88da38b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
    22:25:18.778 AVAST engine scan C:\Windows
    22:26:24.039 AVAST engine scan C:\Windows\system32
    22:37:53.041 AVAST engine scan C:\Windows\system32\drivers
    22:39:15.021 AVAST engine scan C:\Users\Renee
    23:06:34.528 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
    23:06:34.599 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"


    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-02 23:33:22
    -----------------------------
    23:33:22.089 OS Version: Windows 6.0.6002 Service Pack 2
    23:33:22.089 Number of processors: 2 586 0xF06
    23:33:22.091 ComputerName: RENEE UserName: Renee
    23:33:50.468 Initialize success
    23:33:50.884 AVAST engine defs: 12030201
    23:34:50.131 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    23:34:50.135 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
    23:34:50.188 Disk 0 MBR read successfully
    23:34:50.194 Disk 0 MBR scan
    23:34:50.199 Disk 0 unknown MBR code
    23:34:50.266 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
    23:34:50.321 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
    23:34:50.337 Disk 0 scanning sectors +625137345
    23:34:50.511 Disk 0 scanning C:\Windows\system32\drivers
    23:35:17.638 Service scanning
    23:35:44.953 Modules scanning
    23:36:21.431 Disk 0 trace - called modules:
    23:36:21.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    23:36:21.462 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865322e0]
    23:36:21.471 3 CLASSPNP.SYS[88dac8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
    23:36:22.336 AVAST engine scan C:\Windows
    23:36:32.290 AVAST engine scan C:\Windows\system32
    23:44:06.597 AVAST engine scan C:\Windows\system32\drivers
    23:44:44.341 AVAST engine scan C:\Users\Renee
    00:18:11.618 AVAST engine scan C:\ProgramData
    00:25:27.475 Scan finished successfully
    00:27:23.281 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
    00:27:23.291 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"
     
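Reading the partition tables in the aswMBR runs above: in the 19:09 run the entry the tool tagged Alureon-K is a 2 MB partition of type 0x17 (hidden NTFS) at LBA 625137345, which lies past the last visible partition and right at the tail of the 305245 MB disk, and the MBR boot code is reported as "unknown"; in the 22:21 and 23:33 runs that entry is no longer in the table. The script below is an added example, not part of this thread and not code from aswMBR, showing how to audit a raw 512-byte MBR dump such as the MBR.dat the tool saves for that layout: it parses the four partition entries, flags hidden partition types, flags a small hidden partition placed beyond every visible one, checks for overlaps and the 0x55AA signature, and compares the boot-code area of two dumps of the same disk (the disk signature and partition table are excluded from that comparison). The sample layout is constructed from the offsets and sizes printed in the log (boot code and CHS fields are dummies), and the 64 MB "small partition" threshold is this example's own assumption.

```python
"""Audit a raw MBR (e.g. aswMBR's MBR.dat) for a hidden tail-of-disk partition.
Added example; offsets and counts are in 512-byte sectors."""
import struct

SECTOR_BYTES = 512
MB = 1024 * 1024
# Partition type IDs with the "hidden" bit set (0x10 added to the usual FAT/NTFS IDs).
# 0x17 is the "Hidd HPFS/NTFS" type aswMBR printed for the infected entry.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# Assumption for this example: a hidden partition at most this large, placed after
# every visible partition, is the bootkit-style layout worth a closer look.
SMALL_PARTITION_MB = 64
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty entries of the 4-slot partition table at offset 446."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError(f"expected {SECTOR_BYTES} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                      "start": start, "sectors": count, "end": start + count - 1,
                      "size_mb": count * SECTOR_BYTES // MB})
    return parts


def audit_mbr(mbr: bytes, disk_sectors: int) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    if mbr[510:512] != b"\x55\xAA":
        findings.append("MBR boot signature 0x55AA missing")
    parts = parse_mbr(mbr)
    visible = [p for p in parts if p["type"] not in HIDDEN_TYPES]
    last_visible_end = max((p["end"] for p in visible), default=0)
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            findings.append(f"partition {p['index']}: hidden type 0x{p['type']:02X}")
            if p["start"] > last_visible_end and p["size_mb"] <= SMALL_PARTITION_MB:
                findings.append(f"partition {p['index']}: small hidden partition past all visible "
                                f"partitions (LBA {p['start']}-{p['end']}, {p['size_mb']} MB, "
                                f"disk ends at LBA {disk_sectors - 1})")
        if p["end"] >= disk_sectors:
            findings.append(f"partition {p['index']}: extends past end of disk")
    for a in parts:
        for b in parts:
            if a["index"] < b["index"] and a["start"] <= b["end"] and b["start"] <= a["end"]:
                findings.append(f"partitions {a['index']} and {b['index']} overlap")
    active = sum(1 for p in parts if p["active"])
    if active != 1:
        findings.append(f"{active} active partitions (expected exactly 1)")
    return findings


def boot_code_changed(mbr_a: bytes, mbr_b: bytes) -> bool:
    """True if the 440-byte boot-code area differs between two dumps of the same disk.
    Bytes 440-445 (disk signature, reserved) and the partition table are ignored."""
    return mbr_a[:440] != mbr_b[:440]


def build_mbr(entries, boot_code: bytes = b"\xEB\x3C\x90") -> bytes:
    """Constructed sample MBR: dummy boot code, zeroed CHS fields, given LBA entries."""
    mbr = bytearray(SECTOR_BYTES)
    mbr[:len(boot_code)] = boot_code
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample reproducing the 19:09 run: 305245 MB disk, active NTFS at LBA 63
# (298826 MB), NTFS at 611996175 (6416 MB), and the 2 MB hidden NTFS at 625137345.
DISK_SECTORS = 305245 * MB // SECTOR_BYTES
INFECTED_LAYOUT = [
    (0x80, 0x07, 63, 298826 * MB // SECTOR_BYTES),
    (0x00, 0x17, 625137345, 2 * MB // SECTOR_BYTES),
    (0x00, 0x07, 611996175, 6416 * MB // SECTOR_BYTES),
]
# The later runs show only the two visible partitions.
CLEAN_LAYOUT = [INFECTED_LAYOUT[0], INFECTED_LAYOUT[2]]

if __name__ == "__main__":
    for name, layout in (("infected", INFECTED_LAYOUT), ("clean", CLEAN_LAYOUT)):
        print(f"{name}: {audit_mbr(build_mbr(layout), DISK_SECTORS) or ['no findings']}")
```

To use it on a real dump, read MBR.dat and pass the disk size in sectors (the log's 305245 MB rounds to the value used above); keep the MBR.dat from before and after a fix and run boot_code_changed on the pair to confirm the boot code itself was rewritten, since a partition table that merely looks clean says nothing about the code that runs before Windows.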
  24. rblum

    rblum TS Rookie Topic Starter

    Are you still there? It is 1:00 am where I am. Is there more that needs to be done?
     
  25. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    OK, the fix worked.
    Infected partition is gone.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
Topic Status:
Not open for further replies.
