Inactive [A] Hard drive clusters are partly damaged - can't run malware


rblum

I seem to have the same problem as several other people. I downloaded the malware but when I tried to run it, it said I didn't have permission. Can someone help me fix my computer? I'm on Windows Vista for Home.
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.
Complete as many steps as you can.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
I can't run the Malware program because it says "Access is denied" when I try to install it.
 
results from Malware Scan

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.02.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
Renee :: RENEE [administrator]

3/2/2012 5:34:41 PM
mbam-log-2012-03-02 (17-34-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245732
Time elapsed: 22 minute(s), 8 second(s)

Memory Processes Detected: 2
C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> 3176 -> Delete on reboot.
C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> 160 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Data: C:\ProgramData\QgsXPpOqaEn.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> Delete on reboot.

(end)
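A small parser for the Malwarebytes 1.x text log format posted above, added here as an illustration and not part of the thread or of Malwarebytes' own tooling. The embedded sample is constructed from the posted entries; the section names, the "Delete on reboot" wording and the Run-key and Policies\System markers it keys on are assumptions drawn from that format. It shows what a responder reads out of such a log: which items are not actually gone until reboot, how the sample persisted, and which lockout policies it had set.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text log and triage what it found."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the MBAM 1.x log layout (entries mirror the posted log).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.02.06

Memory Processes Detected: 2
C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> 3176 -> Delete on reboot.
C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> 160 -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Data: C:\ProgramData\QgsXPpOqaEn.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 2
C:\ProgramData\QgsXPpOqaEn.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\ProgramData\epJVlUliY9qMni.exe (Trojan.FakeAlert) -> Delete on reboot.

(end)
"""

# "Memory Processes Detected: 2", "Registry Data Items Detected: 4", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<threat name>) -> <field> -> ... -> <action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Assumed markers: autorun persistence keys and the policy branch rogues tamper with.
AUTORUN_MARKERS = ("\\CurrentVersion\\Run|", "\\CurrentVersion\\RunOnce|")
POLICY_MARKER = "\\Policies\\System|"


@dataclass
class Detection:
    section: str
    item: str                 # file path, or registry key|value name
    threat: str               # MBAM threat name, e.g. Trojan.FakeAlert
    action: str               # last "->" field: what MBAM did, or deferred
    extra: list = field(default_factory=list)  # middle fields: PID, Data:, Bad/Good


def parse_mbam_log(text):
    """Return {section name: [Detection, ...]} for every 'X Detected: N' block."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections.setdefault(current, [])   # keep empty sections visible
            continue
        # Skip the header, blank lines, "(No malicious items detected)" and "(end)".
        if current is None or not line or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("rest").split("->")]
        sections[current].append(Detection(
            section=current, item=m.group("item"), threat=m.group("threat"),
            action=parts[-1], extra=parts[:-1]))
    return sections


def triage(sections):
    """Summarise the findings the way a responder reads an MBAM log."""
    found = [d for items in sections.values() for d in items]
    return {
        "families": Counter(d.threat for d in found),
        # "Delete on reboot" means the file was still running/locked: not removed yet.
        "pending_reboot": [d.item for d in found if d.action.startswith("Delete on reboot")],
        # Run-key values show how the sample survived a reboot.
        "persistence": [d.item for d in found if any(k in d.item for k in AUTORUN_MARKERS)],
        # Policies\System values (DisableTaskMgr etc.) are the lockout tricks behind
        # "can't open Task Manager / access denied" symptoms; Bad: (1) means it was set.
        "policy_tampering": [d.item for d in found if POLICY_MARKER in d.item],
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```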
 
gmer.log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-03-02 18:20:47
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST332082 rev.3.AH
Running: hpuuyh5o.exe; Driver: C:\Users\Renee\AppData\Local\Temp\ugldrpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E8EC398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170
Run by Renee at 18:48:03 on 2012-03-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1111 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Security 360 *Disabled/Updated* {FAE2835A-B90A-9E7A-85DA-82DBDA7C1E3A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\j2 Messenger 4.4\J2GDllCmd.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\IObit\Advanced SystemCare 4\Asc.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local;*.hotmail.com;*.msn.com
BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
BHO: 1 (0x1) - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} -
TB: {00000000-0000-0000-0000-000000000001} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [cdloader] "c:\users\renee\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [j2 4.4] "c:\program files\j2 messenger 4.4\J2GDllCmd.exe" /R
uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [CompanionLink] "c:\program files\companionlink\companionlink.exe" -Icon
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
StartupFolder: c:\users\renee\appdata\roaming\micros~1\windows\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
StartupFolder: c:\users\renee\appdata\roaming\microsoft\windows\start menu\programs\startup\hpqtra08.exe
StartupFolder: c:\users\renee\appdata\roaming\micros~1\windows\startm~1\programs\startup\jconne~1.lnk - c:\program files\j2 messenger 4.4\J2GTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4D} - {320AF880-6646-11D3-ABEE-C5DBF3571F4D} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F50} - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F51} - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F52} - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F53} - {320AF880-6646-11D3-ABEE-C5DBF3571F53} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F54} - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F55} - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {45DB34C3-955C-11D3-ABEF-444553540001} - {45DB34C3-955C-11D3-ABEF-444553540001} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: bluecrossmn.com\www
Trusted Zone: dice.com\seeker
Trusted Zone: dice.com\www
Trusted Zone: fedex.com\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246215145099
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7411047A-48E1-4EC9-8AC1-088087AD368F} - hxxps://cbspayroll.quickbooks.com/NetPay/QBGL/GLDownload.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webportal.veoliaes.com/,DanaInfo=mail6.veoliaes.net+dwa7W.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
TCP: DhcpNameServer = 172.16.0.1
TCP: Interfaces\{07A7C227-CA85-4131-A3D9-C7CB36011BA6} : DhcpNameServer = 172.16.0.1
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R?2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-22 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-18 309848]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-4-22 328536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-18 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-5-11 54104]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-13 42184]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-2 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-4-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-7-29 47640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2007-4-17 13408]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-7 25088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c99b5680deea72;Google Update Service (gupdate1c99b5680deea72);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
S4 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-1-9 312152]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
S4 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
S4 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
.
=============== Created Last 30 ================
.
2012-03-02 22:52:15 737606 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-03-02 08:16:08 6552120 ---ha-w- c:\programdata\microsoft\windows defender\definition updates\{9392b4ca-232a-402a-b666-0fd67e6b9988}\mpengine.dll
2012-02-16 18:22:52 -------- d--h--w- c:\users\renee\appdata\roaming\CompanionLink
2012-02-16 18:22:08 -------- d--h--w- c:\program files\CompanionLink
.
==================== Find3M ====================
.
2012-01-29 11:10:42 237072 ---ha-w- c:\windows\system32\MpSigStub.exe
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-08 00:33:28 4200024 ---ha-w- c:\windows\system32\cdintf400.dll
.
============= FINISH: 18:54:55.87 ===============


attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2007 2:31:48 AM
System Uptime: 3/2/2012 6:41:54 PM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | LEONITE
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Socket 775 | 1867/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 292 GiB total, 137.113 GiB free.
D: is FIXED (NTFS) - 6 GiB total, 0.841 GiB free.
E: is CDROM ()
F: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable
Z: is NetworkDisk (NTFS) - 927 GiB total, 489.401 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
6400_Help
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Reader 9.5.0
Advanced SystemCare 4
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Yahoo! Internet Mail
AudibleManager
avast! Free Antivirus
BlackBerry App World Browser Plugin
BlackBerry Desktop Software 6.1
BlackBerry Device Software Updater
Bonjour
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
CDDRV_Installer
CompanionLink
Crawler Smileys
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DIRECTV2PC Playback Advisor
DOC Regenerator
DocMgr
DocProc
DocProcQFolder
Enhanced Multimedia Keyboard Solution
erLT
eSupportQFolder
Evernote v. 4.4.2
Fax
Form Fill (Windows Live Toolbar)
GoodSync
Google Chrome
Google Update Helper
GPBaseService
GPBaseService2
Handmark® Pocket Express for BlackBerry
Hardware Diagnostic Tools
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Advisor
HP Customer Feedback
HP Customer Participation Program 10.0
HP Document Manager 1.0
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Imaging Device Functions 10.0
HP Officejet J6400 Series
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Product Detection
HP Smart Web Printing
HP Solution Center 13.0
HP Update
HP_Network_UserGuide
HPDiagnosticAlert
HPProductAssistant
HPSSupply
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel® Viiv™ Software
IObit Security 360
Iomega Home Storage Manager
iSEEK AnswerWorks English Runtime
iTunes
j2 Messenger
J2SE Runtime Environment 5.0 Update 3
J6400
Juniper Networks Host Checker
Juniper Networks Network Connect 6.4.0
Juniper Networks Setup Client
KhalInstallWrapper
LightScribe 1.4.124.1
Logitech SetPoint
LogMeIn
magicJack
magicJack Outlook Add-In 1.0.3.521
Malwarebytes Anti-Malware version 1.60.1.1000
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Easy Assist v2
Microsoft Fix it Center
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio 2005 Tools for Office Runtime
MSVCSetup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MyTomTom 3.1.0.432
Network
OCR Software by I.R.I.S. 10.0
OcxSetup
OGA Notifier 2.0.0048.0
OverDrive Media Console
PIXMA Extended Survey Program
ProductContext
PSSWCORE
Python 2.4.3
QuickBooks
QuickBooks Company File Diagnostic Tool
QuickBooks Pro 2010
QuickBooks Product Listing Service
Quicken 2012
Quicken Home Inventory Manager
Quicken WillMaker Plus 2005
Quicken WillMaker Plus 2009
Quicken WillMaker Plus 2011
QuickTime
Realtek High Definition Audio Driver
Recover My Files
Registry Mechanic 7.0
Retrospect Express HD 2.5
Rhapsody Player Engine
RoboForm 7-7-0 (All Users)
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Scan
ScanSoft OmniPage SE 4
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Shop for HP Supplies
Smart Defrag 1.20
SmartWebPrintingOC
Soft Data Fax Modem with SmartCP
SolutionCenter
StartNow Toolbar
Status
SupportSoft Assisted Service
TeamViewer 4
TomTom HOME 2.8.2.2264
TomTom HOME Visual Studio Merge Modules
Toolbox
TrayApp
Turbo Tax Audit Support Center 2.0
TurboTax 2008
TurboTax 2008 WinBizFedFormset
TurboTax 2008 WinBizProgramHelp
TurboTax 2008 WinBizReleaseEngine
TurboTax 2008 WinBizTaxSupport
TurboTax 2008 WinBizUserEducation
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2008 wwiiper
TurboTax 2009
TurboTax 2009 WinBizFedFormset
TurboTax 2009 WinBizReleaseEngine
TurboTax 2009 WinBizTaxSupport
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2009 wwiiper
TurboTax 2010
TurboTax 2010 WinBizFedFormset
TurboTax 2010 WinBizReleaseEngine
TurboTax 2010 WinBizTaxSupport
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wmniper
TurboTax 2010 wrapper
TurboTax 2010 wwiiper
TurboTax 2011
TurboTax 2011 WinBizFedFormset
TurboTax 2011 WinBizReleaseEngine
TurboTax 2011 WinBizTaxSupport
TurboTax 2011 WinPerFedFormset
TurboTax 2011 WinPerReleaseEngine
TurboTax 2011 WinPerTaxSupport
TurboTax 2011 wmniper
TurboTax 2011 wmnpbpm
TurboTax 2011 wrapper
TurboTax 2011 wwiiper
TurboTax Business 2005
TurboTax Business 2006
TurboTax Business 2007
TurboTax Business 2008
TurboTax Business 2009
TurboTax Business 2010
TurboTax Business 2011
TurboTax ItsDeductible 2006
TurboTax Premier 2007
TurboTax Premier Investments 2006
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
VersionTracker Pro Windows
VideoToolkit01
VirtualLab Client 5.6.4
Visual Studio C++ 10.0 Runtime
WebReg
Windows Installer Clean Up
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Yahoo! Install Manager
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
3/2/2012 6:54:56 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
3/2/2012 6:54:55 PM, Error: Service Control Manager [7034] - The Intuit Update Service v4 service terminated unexpectedly. It has done this 1 time(s).
3/2/2012 6:54:54 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Eventlog service.
3/2/2012 6:54:54 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume HP.
3/2/2012 6:54:53 PM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
3/2/2012 6:51:30 PM, Error: iaStor [5] - A parity error was detected on \Device\Ide\iaStor0.
3/2/2012 6:46:06 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
3/2/2012 6:45:34 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
3/2/2012 6:45:34 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
3/2/2012 6:43:57 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/2/2012 6:43:57 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate1c99b5680deea72) service failed to start due to the following error: The system cannot find the file specified.
3/2/2012 6:43:40 PM, Error: Microsoft-Windows-TaskScheduler [412] - Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147549183. User Action: restart task scheduler service.
3/2/2012 6:43:32 PM, Error: EventLog [6008] - The previous system shutdown at 6:29:40 PM on 3/2/2012 was unexpected.
3/2/2012 6:42:38 PM, Error: volmgr [46] - Crash dump initialization failed!
3/2/2012 4:04:35 PM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/2/2012 3:56:00 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
3/2/2012 2:59:17 PM, Error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
3/2/2012 12:26:50 PM, Error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/2/2012 12:26:39 PM, Error: Microsoft-Windows-Windows Defender [5008] - Windows Defender engine has been terminated due to an unexpected error. Failure Type: Crash Exception code: 0xc0000005 Resource: file:C:\Windows\system32\SLsvc.exe
.
==== End Of File ===========================
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==================================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-02 19:09:23
-----------------------------
19:09:23.086 OS Version: Windows 6.0.6002 Service Pack 2
19:09:23.087 Number of processors: 2 586 0xF06
19:09:23.088 ComputerName: RENEE UserName: Renee
19:09:30.257 Initialize success
19:09:31.933 AVAST engine defs: 12030201
19:09:46.106 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:09:46.111 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
19:09:46.158 Disk 0 MBR read successfully
19:09:46.162 Disk 0 MBR scan
19:09:46.168 Disk 0 unknown MBR code
19:09:46.193 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
19:09:46.229 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 625137345
19:09:46.235 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
19:09:46.248 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
19:09:46.258 Disk 0 scanning sectors +625142432
19:09:46.378 Disk 0 scanning C:\Windows\system32\drivers
19:10:03.549 Service scanning
19:10:34.964 Modules scanning
19:11:07.651 Disk 0 trace - called modules:
19:11:07.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
19:11:07.697 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ae6708]
19:11:07.708 3 CLASSPNP.SYS[88da38b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
19:11:08.593 AVAST engine scan C:\Windows
19:11:16.598 AVAST engine scan C:\Windows\system32
19:16:44.140 AVAST engine scan C:\Windows\system32\drivers
19:17:52.083 AVAST engine scan C:\Users\Renee
19:47:35.089 AVAST engine scan C:\ProgramData
19:55:54.821 Scan finished successfully
20:48:18.859 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
20:48:18.871 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"
 
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: ce8901d28a2b8c635e22b4216ab678c2

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
It looks like we have TDL rootkit there.

Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.
 
ListParts by Farbar Version: 29-02-2012
Ran by Renee (administrator) on 02-03-2012 at 21:12:42
Windows Vista (X86)
Running From: C:\Users\Renee\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 44%
Total physical RAM: 2037.77 MB
Available physical RAM: 1135.17 MB
Total Pagefile: 4316.78 MB
Available Pagefile: 3049.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.4 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:291.82 GB) (Free:137.1 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:6.27 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
9 Drive z: (ActiveFolders) (Network) (Total:927.44 GB) (Free:489.4 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 292 GB 32 KB
Partition 3 Primary 6417 MB 292 GB
Partition 2 Primary 2544 KB 298 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C HP NTFS Partition 292 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Recovery NTFS Partition 6417 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
displayorder {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30
resume No

Windows Boot Loader
-------------------
identifier {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
nx OptIn

Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
device ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
path \windows\system32\boot\winload.exe
description HP Recovery Manager
osdevice ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes

Resume from Hibernate
---------------------
identifier {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device partition=C:
path \ntldr
description Earlier Version of Windows

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
description Ramdisk Device Options
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi

Setup Ramdisk Options
---------------------
identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
description RAM Disk Settings
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi


****** End Of Log ******
 
Download attached fix.txt file and save it to your desktop (<--- very important!).

Run ListParts.
Press Fix button.
When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.
 

Attachments

  • fix.txt (28 bytes)
ListParts by Farbar Version: 29-02-2012
Ran by Renee (administrator) on 02-03-2012 at 21:54:26
Windows Vista (X86)
Running From: C:\Users\Renee\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 49%
Total physical RAM: 2037.77 MB
Available physical RAM: 1028.16 MB
Total Pagefile: 4316.78 MB
Available Pagefile: 2917.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.22 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:291.82 GB) (Free:137.1 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:6.27 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
10 Drive z: (ActiveFolders) (Network) (Total:927.44 GB) (Free:489.4 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 292 GB 32 KB
Partition 3 Primary 6417 MB 292 GB
Partition 2 Primary 2544 KB 298 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C HP NTFS Partition 292 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Recovery NTFS Partition 6417 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G RAW Partition 2544 KB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
displayorder {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30
resume No

Windows Boot Loader
-------------------
identifier {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
nx OptIn

Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
device ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
path \windows\system32\boot\winload.exe
description HP Recovery Manager
osdevice ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes

Resume from Hibernate
---------------------
identifier {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device partition=C:
path \ntldr
description Earlier Version of Windows

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
description Ramdisk Device Options
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi

Setup Ramdisk Options
---------------------
identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
description RAM Disk Settings
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi


****** End Of Log ******
 
Good job :)

Now, delete fix.txt file from your desktop.

Download new (attached) fix.txt file and save it to your desktop.

Run ListParts.
Press Fix button.
When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.

Also post new aswMBR log.
 

Attachments

  • fix.txt (17 bytes)
ListParts by Farbar Version: 29-02-2012
Ran by Renee (administrator) on 02-03-2012 at 21:54:26
Windows Vista (X86)
Running From: C:\Users\Renee\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 49%
Total physical RAM: 2037.77 MB
Available physical RAM: 1028.16 MB
Total Pagefile: 4316.78 MB
Available Pagefile: 2917.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.22 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:291.82 GB) (Free:137.1 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:6.27 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
10 Drive z: (ActiveFolders) (Network) (Total:927.44 GB) (Free:489.4 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 292 GB 32 KB
Partition 3 Primary 6417 MB 292 GB
Partition 2 Primary 2544 KB 298 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C HP NTFS Partition 292 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Recovery NTFS Partition 6417 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G RAW Partition 2544 KB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
displayorder {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30
resume No

Windows Boot Loader
-------------------
identifier {4fc6d9f5-8a86-11db-ad6a-0018f3fac05e}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
nx OptIn

Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
device ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
path \windows\system32\boot\winload.exe
description HP Recovery Manager
osdevice ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes

Resume from Hibernate
---------------------
identifier {4fc6d9f6-8a86-11db-ad6a-0018f3fac05e}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device partition=C:
path \ntldr
description Earlier Version of Windows

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
description Ramdisk Device Options
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi

Setup Ramdisk Options
---------------------
identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
description RAM Disk Settings
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi


****** End Of Log ******
 
OK, that didn't work for whatever reason.

Download GETxPUD.exe to the desktop of your clean computer

  • Double click on GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Insert blank CD into your CD drive.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Boot bad computer from the CD
  • Click Menu then Terminal Emulator
  • Type parted /dev/sda set 1 boot on
  • Press Enter
  • Type parted /dev/sda rm 2
  • Press Enter
  • Remove xPUD CD, reboot, run aswMBR and post the log
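As an added example (not a tool from this thread), the partition-table check that aswMBR and ListParts ran on this disk, in Python, against a constructed MBR that reproduces the layout in the logs: slot 2 is the hidden type 0x17 entry of 5087 sectors at offset 625137345, and the two later changes (type 0x17 becoming 0x07 after the ListParts fix, then the entry disappearing after `parted rm 2`) are simulated on the table. The total sector count and the boot-code bytes are assumptions; the boot-code hash is kept separate to show why the partition edits leave the "unknown MBR code" finding untouched in the later aswMBR logs.

```python
import hashlib
import struct

SECTOR = 512
NTFS = 0x07
HIDDEN_NTFS = 0x17          # "Hidd HPFS/NTFS" in aswMBR, "Suspicious Type" in ListParts
# Hidden partition type ids a defender would flag (constructed list of common ones).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# Assumed sector count of the ST3320820 disk (305245 MB in the log is this, rounded).
DISK_SECTORS = 625142448
LBA_ONLY_CHS = b"\xfe\xff\xff"   # CHS fields set to the "beyond CHS range" marker


def entry(boot, ptype, lba_start, sectors):
    """Build one 16-byte partition-table entry."""
    return struct.pack("<B3sB3sII", boot, LBA_ONLY_CHS, ptype, LBA_ONLY_CHS, lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR modelled on the aswMBR/ListParts logs above.

    Sector counts are derived from the logged offsets (rounding aside);
    the 446-byte boot code is a dummy pattern, not real boot code."""
    boot_code = bytes([0x90] * 8) + b"BOOTCODE" + bytes(446 - 16)
    table = (
        entry(0x80, NTFS, 63, 611996175 - 63)                   # slot 1: C: (HP), active
        + entry(0x00, HIDDEN_NTFS, 625137345, 5087)             # slot 2: hidden, ~2.5 MB at disk end
        + entry(0x00, NTFS, 611996175, 625137345 - 611996175)   # slot 3: D: (Recovery)
        + bytes(16)                                              # slot 4: unused
    )
    return boot_code + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Decode the four partition-table entries of a 512-byte MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for slot in range(4):
        off = 446 + slot * 16
        boot, _, ptype, _, start, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                            # empty slot
        parts.append({"slot": slot + 1, "active": boot == 0x80, "type": ptype,
                      "start": start, "sectors": count, "end": start + count})
    return parts


def suspicious_partitions(parts, disk_sectors):
    """Flag entries showing the traits of the Alureon-K partition in the logs:
    hidden type id, only a few MB, parked in the last 16 MiB of the disk.
    An entry is reported when at least two of the traits hold."""
    tail = 16 * 1024 * 1024 // SECTOR
    findings = []
    for p in parts:
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append("hidden partition type 0x%02X" % p["type"])
        if p["sectors"] * SECTOR <= 16 * 1024 * 1024:
            reasons.append("tiny (%d KB)" % (p["sectors"] * SECTOR // 1024))
        if p["end"] >= disk_sectors - tail:
            reasons.append("at the end of the disk")
        if len(reasons) >= 2:
            findings.append((p["slot"], reasons))
    return findings


def set_type(mbr, slot, new_type):
    """Copy of the sector with one entry's type byte rewritten
    (the visible effect of the first ListParts fix: 0x17 became 0x07)."""
    b = bytearray(mbr)
    b[446 + (slot - 1) * 16 + 4] = new_type
    return bytes(b)


def remove_entry(mbr, slot):
    """Copy of the sector with one entry zeroed, what `parted /dev/sda rm 2` does to the table."""
    b = bytearray(mbr)
    off = 446 + (slot - 1) * 16
    b[off:off + 16] = bytes(16)
    return bytes(b)


def boot_code_md5(mbr):
    """MD5 of the boot-code area only; partition-table edits do not change it."""
    return hashlib.md5(mbr[:446]).hexdigest()


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for slot, why in suspicious_partitions(parse_mbr(mbr), DISK_SECTORS):
        print("slot %d: %s" % (slot, ", ".join(why)))
    cleaned = remove_entry(set_type(mbr, 2, NTFS), 2)
    print("boot code unchanged:", boot_code_md5(mbr) == boot_code_md5(cleaned))
```

The hidden entry is flagged on all three traits; after the type change it is still flagged (tiny and at the disk end), and only the entry removal clears it, while the boot-code hash stays the same throughout.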
 
I got this error when I did the previous activity.

It didn't copy right, so this is approximately what it said. It said I needed to unmount the disk before I could partition it, or something like that.
 
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-02 19:09:23
-----------------------------
19:09:23.086 OS Version: Windows 6.0.6002 Service Pack 2
19:09:23.087 Number of processors: 2 586 0xF06
19:09:23.088 ComputerName: RENEE UserName: Renee
19:09:30.257 Initialize success
19:09:31.933 AVAST engine defs: 12030201
19:09:46.106 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:09:46.111 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
19:09:46.158 Disk 0 MBR read successfully
19:09:46.162 Disk 0 MBR scan
19:09:46.168 Disk 0 unknown MBR code
19:09:46.193 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
19:09:46.229 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 625137345
19:09:46.235 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
19:09:46.248 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
19:09:46.258 Disk 0 scanning sectors +625142432
19:09:46.378 Disk 0 scanning C:\Windows\system32\drivers
19:10:03.549 Service scanning
19:10:34.964 Modules scanning
19:11:07.651 Disk 0 trace - called modules:
19:11:07.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
19:11:07.697 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ae6708]
19:11:07.708 3 CLASSPNP.SYS[88da38b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
19:11:08.593 AVAST engine scan C:\Windows
19:11:16.598 AVAST engine scan C:\Windows\system32
19:16:44.140 AVAST engine scan C:\Windows\system32\drivers
19:17:52.083 AVAST engine scan C:\Users\Renee
19:47:35.089 AVAST engine scan C:\ProgramData
19:55:54.821 Scan finished successfully
20:48:18.859 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
20:48:18.871 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"


aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-02 22:21:23
-----------------------------
22:21:23.784 OS Version: Windows 6.0.6002 Service Pack 2
22:21:23.784 Number of processors: 2 586 0xF06
22:21:23.786 ComputerName: RENEE UserName: Renee
22:21:24.691 Initialize success
22:21:25.281 AVAST engine defs: 12030201
22:21:30.141 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:21:30.149 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
22:21:30.386 Disk 0 MBR read successfully
22:21:30.391 Disk 0 MBR scan
22:21:30.397 Disk 0 unknown MBR code
22:21:30.440 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
22:21:30.487 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
22:21:30.528 Disk 0 scanning sectors +625137345
22:21:30.925 Disk 0 scanning C:\Windows\system32\drivers
22:23:00.683 Service scanning
22:23:34.099 Modules scanning
22:25:12.461 Disk 0 trace - called modules:
22:25:12.508 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
22:25:12.509 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ae6708]
22:25:12.511 3 CLASSPNP.SYS[88da38b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
22:25:18.778 AVAST engine scan C:\Windows
22:26:24.039 AVAST engine scan C:\Windows\system32
22:37:53.041 AVAST engine scan C:\Windows\system32\drivers
22:39:15.021 AVAST engine scan C:\Users\Renee
23:06:34.528 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
23:06:34.599 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"


aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-02 23:33:22
-----------------------------
23:33:22.089 OS Version: Windows 6.0.6002 Service Pack 2
23:33:22.089 Number of processors: 2 586 0xF06
23:33:22.091 ComputerName: RENEE UserName: Renee
23:33:50.468 Initialize success
23:33:50.884 AVAST engine defs: 12030201
23:34:50.131 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:34:50.135 Disk 0 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
23:34:50.188 Disk 0 MBR read successfully
23:34:50.194 Disk 0 MBR scan
23:34:50.199 Disk 0 unknown MBR code
23:34:50.266 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298826 MB offset 63
23:34:50.321 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 6416 MB offset 611996175
23:34:50.337 Disk 0 scanning sectors +625137345
23:34:50.511 Disk 0 scanning C:\Windows\system32\drivers
23:35:17.638 Service scanning
23:35:44.953 Modules scanning
23:36:21.431 Disk 0 trace - called modules:
23:36:21.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
23:36:21.462 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865322e0]
23:36:21.471 3 CLASSPNP.SYS[88dac8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85076030]
23:36:22.336 AVAST engine scan C:\Windows
23:36:32.290 AVAST engine scan C:\Windows\system32
23:44:06.597 AVAST engine scan C:\Windows\system32\drivers
23:44:44.341 AVAST engine scan C:\Users\Renee
00:18:11.618 AVAST engine scan C:\ProgramData
00:25:27.475 Scan finished successfully
00:27:23.281 Disk 0 MBR has been saved successfully to "C:\Users\Renee\Downloads\Documents\MBR.dat"
00:27:23.291 The log file has been saved successfully to "C:\Users\Renee\Downloads\Documents\aswMBR.txt"
 
OK, the fix worked.
Infected partition is gone.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 