TechSpot

Attempting to recover from a trojan yesterday, almost there, but stuck at the end

By dan fleming
Oct 20, 2010
  1. Hi!

    I got hit with some form of trojan or virus yesterday. A fake Windows Security Essentials warning popped up asking me to load "Think Point AV" as my antivirus software. I rebooted into safe-mode and ThinkPoint popped up there too before even explorer.exe. To make a long story short I ended up pulling out my hard drive, slaving it to another computer and running malwarebytes on my drive. That at least allowed me to boot into safe mode where I again ran MBAM and cleaned up my registry there. At the height of my problems I could not boot into safe mode, standard mode, nor my recovery partition. Instead it would power on, bring up the XP black boot screen (or list of files being loaded when in safe-mode) and then BSOD and power down...lather rinse repeat. I thought I had it beat, but this morning MBAM caught 4 more infected objects. The latest MBAM run was clean.
    Having run MBAM and TrendMicro I can now boot normally and do most of what I want. However I do have some lingering issues.
    1) My Recovery partition still boots to BSOD.
    2) Google Chrome (both installed and portable) loads, but just sits on a white tab not doing anything. (an ancient version of IE still works and I can browse the web/download/etc). I reinstalled Chrome and no luck, including having it delete all my personal data.
    3) Firefox might load once after start up, but immediately crashes and will not fully load again. Instead firefox.exe will load into memory but not do anything and just sit there eating about 7MB of RAM. (Incidentally, copying notepad.exe to the desktop and renaming it firefox.exe, notepad still runs.) Completely reinstalled Firefox, no better.
    4) I cannot boot with anything plugged into my USB ports. This is not a huge deal as it is a netbook (see below) however it is odd.
    5) My Disk Management Console does not recognize any drives at all. There is 1 SATA hard drive plugged in partitioned into C D and a hidden partition for recovery. C and D are visible in Windows Explorer.

    MBAM Log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4892

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 6.0.2900.5512

    10/20/2010 11:59:02 AM
    mbam-log-2010-10-20 (11-59-02).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 198163
    Time elapsed: 49 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    GMER Log:

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-20 12:11:54
    Windows 5.1.2600 Service Pack 3
    Running: x2e9dkz7.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\fgldapog.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B2000A
    .text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B3000A
    .text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
    .text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008C000A
    .text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008D000A
    .text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C
    .text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
    .text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
    .text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
    .text C:\WINDOWS\System32\svchost.exe[1324] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EC000A

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864F0292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864F0292
    Device \FileSystem\Cdfs \Cdfs A0AD6400
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BEVT-22ZCT0___________________11.01A11#5&2ef5f6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----


    DDS Log:


    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Daniel at 12:13:12.14 on Wed 10/20/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.605 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CE\nmSvc.exe
    C:\WINDOWS\system32\iprntctl.exe
    C:\WINDOWS\system32\iprntlgn.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\CE\nmFlt.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Documents and Settings\Daniel\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
    C:\WINDOWS\system32\cidaemon.exe
    E:\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.msi.com.tw/
    mDefault_Page_URL = hxxp://www.msi.com.tw
    uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [NMSVC] c:\program files\ce\nmSvc.exe
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
    mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\daniel\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
    uPolicies-explorer: NoActiveDesktop = 01000000
    uPolicies-explorer: NoSMMyPictures = 01000000
    uPolicies-explorer: NoTrayItemsDisplay = 00000000
    dPolicies-explorer: NoFolderOptions = 1 (0x1)
    dPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: E&xport to Microsoft Excel
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: CESpy.dll
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\bcg3hauy.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npnipp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2010-9-15 41336]
    R1 vcdrom;Virtual CD-ROM Device Driver;d:\dans\new\VCdRom.sys [2001-12-19 8576]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-8-21 182304]
    R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-15 1334240]
    S0 csqugxnw;csqugxnw; [x]
    S3 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-12-11 814344]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-21 1684736]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-10-19 38224]

    =============== Created Last 30 ================

    2010-10-20 15:46:20 -------- d-----w- c:\docume~1\daniel\locals~1\applic~1\Deployment
    2010-10-20 14:51:55 974848 ----a-w- c:\windows\system32\mfc70.dll
    2010-10-20 14:51:55 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2010-10-20 14:51:55 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2010-10-20 14:51:54 608448 ----a-w- c:\windows\system32\comctl32.ocx
    2010-10-20 14:51:54 -------- d-----w- c:\program files\AML Products
    2010-10-19 18:47:18 -------- d-----w- c:\program files\Marcos Velasco Security
    2010-10-19 17:47:35 -------- d-----w- c:\windows\Cookies
    2010-10-19 17:47:34 -------- d-----w- c:\windows\Recent
    2010-10-19 17:20:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-19 17:20:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-19 17:20:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-19 16:51:12 -------- d-----w- c:\docume~1\daniel\applic~1\Malwarebytes
    2010-10-19 16:50:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-19 15:26:40 -------- d-sh--w- C:\$RECYCLE.BIN
    2010-10-19 12:58:46 -------- d-----w- c:\windows\pss
    2010-10-19 01:02:01 199 ----a-w- c:\docume~1\daniel\applic~1\13541.bat
    2010-10-19 01:01:41 199 ----a-w- c:\docume~1\daniel\applic~1\10495.bat
    2010-10-19 01:00:20 -------- d-----w- c:\docume~1\daniel\applic~1\Pihia
    2010-10-19 01:00:20 -------- d-----w- c:\docume~1\daniel\applic~1\Iwhadu
    2010-10-14 01:04:12 -------- d-----w- c:\docume~1\daniel\applic~1\.minecraft
    2010-10-06 13:11:23 -------- d-----w- c:\program files\SpeedFan
    2010-09-23 15:03:01 -------- d-----w- c:\docume~1\daniel\applic~1\Xerox
    2010-09-22 23:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2010-09-22 16:05:28 -------- d-----w- c:\docume~1\daniel\applic~1\Novell

    ==================== Find3M ====================

    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    ============= FINISH: 12:13:55.23 ===============


    DDS Attach is attached.
     

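The GMER log above carries two kinds of finding that belong together: 5-byte JMP patches on ntdll exports in three unrelated processes, and raw-sector hits at sector 0, sectors 62 and 63, and the last sectors of the disk. The following is an added example written for this page (not part of the original post, not GMER code) that parses those lines and says, for each, what it means. The sample lines are copied from the log. Everything else is an assumption, not something the log states: the drive LBA count of 312,581,808 (the IDEMA-standard count for a 160 GB drive such as the WD1600BEVT the log names), the LBA-63 first-partition start that XP uses, the reading of GMER's "(+255)" as 255 further sectors after the start, and the image-base threshold used to call a JMP target "outside any module", which is a heuristic rather than a GMER rule.

```python
"""Triage GMER 'User code sections' and 'Disk sectors' lines.

Added example (not part of the original post, not GMER code). The sample
lines are copied from the GMER log in the thread. Assumptions, not log facts:
  - DISK_SECTORS: IDEMA-standard LBA count for a 160 GB drive (WD1600BEVT)
  - FIRST_PARTITION_LBA: Windows XP puts the first partition at LBA 63
  - GMER's "(+255)" means 255 further sectors after the start sector
  - LOWEST_SYSTEM_IMAGE_BASE: heuristic; XP's own EXEs are linked at
    0x01000000 and system DLLs higher, so a JMP target below that lies in
    private (heap / VirtualAlloc) memory rather than in any module image
"""
from __future__ import annotations

import re
from dataclasses import dataclass

DISK_SECTORS = 312_581_808
FIRST_PARTITION_LBA = 63
LOWEST_SYSTEM_IMAGE_BASE = 0x01000000

# Copied from the GMER log above (three of the ten hook lines, all four sector lines).
GMER_LINES = r"""
.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B2000A
.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B3000A
.text C:\WINDOWS\System32\svchost.exe[1324] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EC000A
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;
"""

HOOK_RE = re.compile(
    r"^\.text (?P<proc>\S+)\[(?P<pid>\d+)\] (?P<mod>[\w.]+)!(?P<func>\w+) "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]{8})$")
SECTOR_RE = re.compile(
    r"^Disk (?P<dev>\S+) sectors? (?P<start>\d+)(?: \(\+(?P<extra>\d+)\))?"
    r"(?: \(MBR\))?: (?P<desc>.*)$")


@dataclass
class Hook:
    process: str
    pid: int
    symbol: str
    address: int
    patch_len: int
    target: int

    @property
    def rel32(self) -> int:
        # E9 rel32: the displacement is relative to the end of the 5-byte JMP.
        return (self.target - (self.address + self.patch_len)) & 0xFFFFFFFF

    @property
    def suspicious(self) -> bool:
        # Heuristic: a hooked export whose JMP lands below every module image.
        return self.target < LOWEST_SYSTEM_IMAGE_BASE


@dataclass
class SectorFinding:
    device: str
    start: int
    count: int
    description: str

    @property
    def region(self) -> str:
        if self.start == 0:
            return "MBR"
        if self.start < FIRST_PARTITION_LBA:
            return "track-0 gap"  # between the MBR and the first partition
        if self.start == FIRST_PARTITION_LBA:
            return "first partition boot sector"
        if self.start + self.count == DISK_SECTORS:
            return "disk tail"  # unpartitioned sectors at the very end of the disk
        return "partitioned area"


def triage(log: str) -> dict:
    """Parse hook and disk-sector lines; anything else in the log is ignored."""
    hooks, sectors = [], []
    for line in log.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), f"{m['mod']}!{m['func']}",
                              int(m["addr"], 16), int(m["size"]), int(m["target"], 16)))
            continue
        m = SECTOR_RE.match(line)
        if m:
            extra = int(m["extra"] or 0)
            sectors.append(SectorFinding(m["dev"], int(m["start"]), extra + 1, m["desc"]))
    return {"hooks": hooks, "sectors": sectors}


def tdl4_indicators(findings: dict) -> list[str]:
    """One line per finding: suspicious in-memory hooks plus every raw-sector hit."""
    out = []
    for h in findings["hooks"]:
        if h.suspicious:
            out.append(f"{h.process}[{h.pid}] {h.symbol} @ {h.address:08X} -> {h.target:08X} "
                       f"(rel32 {h.rel32:08X}, target outside any module image)")
    for s in findings["sectors"]:
        out.append(f"{s.device} LBA {s.start} x{s.count}: {s.region}")
    return out


if __name__ == "__main__":
    for line in tdl4_indicators(triage(GMER_LINES)):
        print(line)
```

Run it as a script to print the summary. The reason the two halves belong together: every patched export jumps to a page-aligned private allocation (targets ending in 00A or 00C) in Explorer, wuauclt and svchost alike, which is injected code rather than any signed module, and the sector hits land exactly where a boot-sector rootkit keeps itself: the MBR it replaces, the unused sectors before the first partition, and a block at the end of the disk that belongs to no volume, which is why MBAM's file-level scan came back clean while GMER still flagged the disk.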

  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard

    Please, observe forum rules.
    All logs have to be pasted in.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/21/2010 1:15:42 AM
    System Uptime: 10/20/2010 12:01:57 PM (0 hours ago)

    Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | U90/U100
    Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU 1 | 1600/533mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 39 GiB total, 27.228 GiB free.
    D: is FIXED (NTFS) - 106 GiB total, 62.492 GiB free.
    E: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    32 Bit HP CIO Components Installer
    ABBYY FineReader 10 Professional Edition
    Adobe Reader 9.4.0
    AML Free Registry Cleaner 4.21
    Bluetooth Stack for Windows by Toshiba
    Covenant Eyes
    Dropbox
    foobar2000 v1.0.2.1
    GroupWise
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 21
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Age of Empires Gold
    Microsoft Age of Empires II
    Microsoft Sync Framework 2.0 Core Components (x86) ENU
    Microsoft Sync Framework 2.0 Provider Services (x86) ENU
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft WSE 3.0 Runtime
    Mozilla Firefox (3.6.11)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MV RegClean 5.9
    Novell iPrint Client v05.50.00
    OpenOffice.org 3.2
    PDFCreator
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    RocketDock 1.3.5
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973815)
    USB 2.0 Card Reader
    WebFldrs XP
    Windows Driver Package - Atheros (AR5416) Net (04/08/2008 7.6.0.200)
    Windows Driver Package - Ralink Technology, Corp. (RT80x86) Net (05/19/2008 1.01.03.0000)
    Windows Driver Package - Ralink Technology, Corp. (RT80x86) Net (07/06/2010 3.01.08.0001)
    Windows Driver Package - Realtek (rtl8187Se) Net (07/10/2008 5.9067.0710.2008)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows NT Messaging
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    10/20/2010 9:09:53 AM, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    10/20/2010 12:03:43 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    10/20/2010 12:02:21 PM, error: Dhcp [1002] - The IP address lease 172.16.20.159 for the Network Card with network address 002185BA176A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    10/19/2010 7:58:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm Tosrfcom
    10/19/2010 7:56:51 AM, error: Dhcp [1002] - The IP address lease 192.168.1.66 for the Network Card with network address 002185BA176A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    10/19/2010 6:27:37 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The system cannot find the file specified.
    10/19/2010 3:33:51 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
    10/19/2010 3:33:51 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80U.DLL. Reference error message: The operation completed successfully. .
    10/19/2010 3:33:51 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
    10/19/2010 2:11:00 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    10/19/2010 12:20:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    10/19/2010 1:42:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/19/2010 1:40:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tosrfcom WS2IFSL
    10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    10/19/2010 1:39:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    10/18/2010 8:02:25 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6024.
    10/18/2010 8:00:33 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
    10/18/2010 4:36:17 PM, error: Dhcp [1002] - The IP address lease 172.16.72.48 for the Network Card with network address 002185BA176A has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
    10/18/2010 12:41:07 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL. Reference error message: The operation completed successfully. .
    10/16/2010 9:22:04 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    10/13/2010 8:15:37 AM, error: DCOM [10009] - DCOM was unable to communicate with the computer ipp://matthew.tiu.edu using any of the configured protocols.

    ==== End Of File ===========================
     
  3. Broni


    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.


    ====================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
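What a tool like MBRCheck does in that black window is read sector 0, hash the boot code, and print the partition table so the code and layout can be compared with a clean install. The following is an added example written for this page, not code from the thread, from MBRCheck or from TDSSKiller, that parses a 512-byte MBR image and runs the checks a practitioner would want before trusting it: the 55 AA boot signature, the active flag, overlapping entries, entries that run past the end of the disk, a hash of the boot code to compare against a known-clean MBR, and the size of the unpartitioned tail where GMER flagged sectors 312581552 (+255). Both sectors are constructed here for illustration; the "infected" one merely has its boot code replaced with filler bytes and contains no real TDL4 code. Assumptions: 312,581,808 sectors for the drive (the IDEMA count for 160 GB), LBA 63 for the first partition as XP lays it out, partition sizes matching the 39 GiB C: and 106 GiB D: in the DDS attach, and the presence of the standard Microsoft MBR error strings as a heuristic for unmodified boot code.

```python
"""Parse a 512-byte MBR and run the sanity checks MBRCheck-style tools run.

Added example (not part of the thread, MBRCheck or TDSSKiller). Both sample
sectors are constructed below; the "infected" one only has filler bytes as
boot code and is not TDL4 code. Assumptions: DISK_SECTORS is the IDEMA count
for a 160 GB drive, XP starts the first partition at LBA 63, and the strings
in STANDARD_MBR_STRINGS are present in unmodified Microsoft MBR code
(a heuristic, not a signature).
"""
from __future__ import annotations

import hashlib
import struct

SECTOR_SIZE = 512
DISK_SECTORS = 312_581_808
STANDARD_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def build_mbr(code: bytes, disk_sig: int, partitions: list[tuple[bool, int, int, int]]) -> bytes:
    """Assemble an MBR from boot code and (active, type, start_lba, sectors) entries."""
    if len(code) > 440 or len(partitions) > 4:
        raise ValueError("boot code is at most 440 bytes and there are at most 4 primary entries")
    sector = bytearray(SECTOR_SIZE)
    sector[: len(code)] = code
    struct.pack_into("<I", sector, 440, disk_sig)  # NT disk signature
    for i, (active, ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i, 0x80 if active else 0x00, ptype, start, count)
    struct.pack_into("<H", sector, 510, 0xAA55)  # bytes 55 AA
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != 0xAA55:
        raise ValueError(f"missing 55 AA boot signature (found {sig:04X})")
    partitions = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start": start, "count": count, "end": start + count - 1})
    (disk_sig,) = struct.unpack_from("<I", sector, 440)
    return {"code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "disk_signature": disk_sig, "partitions": partitions}


def assess(sector: bytes, disk_sectors: int = DISK_SECTORS) -> dict:
    """Checks worth making before trusting an MBR: code, active flag, geometry, unpartitioned tail."""
    mbr = parse_mbr(sector)
    parts = sorted(mbr["partitions"], key=lambda p: p["start"])
    last_end = max((p["end"] for p in parts), default=-1)
    return {
        "code_sha256": mbr["code_sha256"],
        "code_looks_standard": all(s in sector[:440] for s in STANDARD_MBR_STRINGS),
        "has_active_partition": any(p["bootable"] for p in parts),
        "first_partition_lba": parts[0]["start"] if parts else None,
        "overlaps": [(a["index"], b["index"]) for a, b in zip(parts, parts[1:]) if b["start"] <= a["end"]],
        "beyond_disk": [p["index"] for p in parts if p["end"] >= disk_sectors],
        # Sectors after the last partition belong to no volume, so file-level
        # scanners never read them; GMER's "sectors 312581552 (+255)" sits there.
        "tail_sectors": disk_sectors - 1 - last_end,
    }


# --- constructed sample data ---------------------------------------------
GIB = 2**30 // SECTOR_SIZE  # sectors per GiB
_rec_start = 63 + 145 * GIB
SAMPLE_PARTITIONS = [
    (True, 0x07, 63, 39 * GIB),                                  # C: NTFS, 39 GiB, active
    (False, 0x07, 63 + 39 * GIB, 106 * GIB),                     # D: NTFS, 106 GiB
    (False, 0x27, _rec_start, DISK_SECTORS - 256 - _rec_start),  # hidden recovery; leaves 256 free sectors
]
# Standard MBR prologue (xor ax,ax; mov ss,ax; mov sp,7C00h), filler, then the error strings.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 300 + b"\x00".join(STANDARD_MBR_STRINGS)
# Deterministic filler standing in for a replaced boot sector; not real bootkit code.
INFECTED_CODE = bytes((i * 73 + 11) & 0xFF for i in range(440))
CLEAN_MBR = build_mbr(CLEAN_CODE, 0x1A2B3C4D, SAMPLE_PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_CODE, 0x1A2B3C4D, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, assess(sector))
```

To run it against the real sector on the XP box, open \\.\PhysicalDrive0 read-only as an administrator and read the first 512 bytes; that part is left out so the block runs offline. The code hash is what you compare against an MBR saved from a known-clean machine of the same Windows version. The string check is only a heuristic (a bootkit could keep the strings), so a miss is a reason to look at the boot code, not a verdict; and a non-zero tail is normal on most disks, so it matters here only because GMER put a finding in it.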
     
  4. dan fleming

    dan fleming TS Rookie Topic Starter

    hi Broni,

    Sorry about the attachment, I read the log not the forum rules.

    Below are the two new logs:

    TDSSKiller

    2010/10/20 21:28:39.0500 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
    2010/10/20 21:28:39.0500 ================================================================================
    2010/10/20 21:28:39.0500 SystemInfo:
    2010/10/20 21:28:39.0500
    2010/10/20 21:28:39.0500 OS Version: 5.1.2600 ServicePack: 3.0
    2010/10/20 21:28:39.0515 Product type: Workstation
    2010/10/20 21:28:39.0515 ComputerName: DAN
    2010/10/20 21:28:39.0515 UserName: Daniel
    2010/10/20 21:28:39.0515 Windows directory: C:\WINDOWS
    2010/10/20 21:28:39.0515 System windows directory: C:\WINDOWS
    2010/10/20 21:28:39.0515 Processor architecture: Intel x86
    2010/10/20 21:28:39.0515 Number of processors: 2
    2010/10/20 21:28:39.0515 Page size: 0x1000
    2010/10/20 21:28:39.0515 Boot type: Normal boot
    2010/10/20 21:28:39.0515 ================================================================================
    2010/10/20 21:28:40.0125 Initialize success
    2010/10/20 21:28:43.0218 ================================================================================
    2010/10/20 21:28:43.0218 Scan started
    2010/10/20 21:28:43.0218 Mode: Manual;
    2010/10/20 21:28:43.0218 ================================================================================
    2010/10/20 21:28:45.0171 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/10/20 21:28:45.0203 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2010/10/20 21:28:45.0296 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/10/20 21:28:45.0359 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/10/20 21:28:45.0609 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
    2010/10/20 21:28:45.0828 AR5416 (0297af4b89769159058b996c21218421) C:\WINDOWS\system32\DRIVERS\athw.sys
    2010/10/20 21:28:46.0015 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/10/20 21:28:46.0062 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/10/20 21:28:46.0093 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/10/20 21:28:46.0125 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/10/20 21:28:46.0156 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/10/20 21:28:46.0187 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/10/20 21:28:46.0218 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/10/20 21:28:46.0250 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/10/20 21:28:46.0281 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/10/20 21:28:46.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/10/20 21:28:46.0375 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2010/10/20 21:28:46.0406 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2010/10/20 21:28:46.0546 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/10/20 21:28:46.0609 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/10/20 21:28:46.0640 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/10/20 21:28:46.0671 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/10/20 21:28:46.0718 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/10/20 21:28:46.0796 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    2010/10/20 21:28:46.0828 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    2010/10/20 21:28:46.0859 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
    2010/10/20 21:28:46.0906 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/10/20 21:28:46.0968 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/10/20 21:28:47.0015 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/10/20 21:28:47.0046 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/10/20 21:28:47.0062 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/10/20 21:28:47.0093 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2010/10/20 21:28:47.0125 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/10/20 21:28:47.0140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/10/20 21:28:47.0187 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
    2010/10/20 21:28:47.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/10/20 21:28:47.0281 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/10/20 21:28:47.0359 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/10/20 21:28:47.0437 i8042prt (4cf9b1273c44118cdbb32384bd433949) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/10/20 21:28:47.0640 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2010/10/20 21:28:47.0843 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/10/20 21:28:48.0093 IntcAzAudAddService (691dda8c43bd8e33a2567b694643c3f5) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/10/20 21:28:48.0312 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/10/20 21:28:48.0375 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2010/10/20 21:28:48.0390 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/10/20 21:28:48.0421 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/10/20 21:28:48.0453 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/10/20 21:28:48.0484 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/10/20 21:28:48.0515 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/10/20 21:28:48.0546 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/10/20 21:28:48.0578 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/10/20 21:28:48.0609 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/10/20 21:28:48.0656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/10/20 21:28:48.0734 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2010/10/20 21:28:48.0765 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/10/20 21:28:48.0796 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/10/20 21:28:48.0875 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
    2010/10/20 21:28:48.0953 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/10/20 21:28:48.0984 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/10/20 21:28:49.0015 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/10/20 21:28:49.0062 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/10/20 21:28:49.0125 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/10/20 21:28:49.0156 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/10/20 21:28:49.0187 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/10/20 21:28:49.0218 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/10/20 21:28:49.0234 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/10/20 21:28:49.0265 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/10/20 21:28:49.0296 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/10/20 21:28:49.0312 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/10/20 21:28:49.0343 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/10/20 21:28:49.0453 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/10/20 21:28:49.0531 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/10/20 21:28:49.0656 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/10/20 21:28:49.0734 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/10/20 21:28:49.0781 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/10/20 21:28:49.0828 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/10/20 21:28:49.0875 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/10/20 21:28:49.0906 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/10/20 21:28:50.0000 nipplpt2 (4f9b1439bfbb1d3b3a7eefd5ecd8238f) C:\WINDOWS\system32\drivers\nipplpt.sys
    2010/10/20 21:28:50.0046 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/10/20 21:28:50.0109 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/10/20 21:28:50.0187 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/10/20 21:28:50.0218 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/10/20 21:28:50.0281 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/10/20 21:28:50.0343 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2010/10/20 21:28:50.0359 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/10/20 21:28:50.0406 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/10/20 21:28:50.0437 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/10/20 21:28:50.0500 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/10/20 21:28:50.0546 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/10/20 21:28:50.0750 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/10/20 21:28:50.0781 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/10/20 21:28:50.0812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/10/20 21:28:50.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/10/20 21:28:51.0000 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/10/20 21:28:51.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/10/20 21:28:51.0046 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/10/20 21:28:51.0078 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/10/20 21:28:51.0093 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/10/20 21:28:51.0140 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/10/20 21:28:51.0187 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/10/20 21:28:51.0250 RSUSBSTOR (b87f999e05dd9c0312c83a8752e8e66b) C:\WINDOWS\system32\Drivers\RtsUStor.sys
    2010/10/20 21:28:51.0328 RT80x86 (c980aed0b53c321f030905785b88db34) C:\WINDOWS\system32\DRIVERS\RT2860.sys
    2010/10/20 21:28:51.0406 rtl8187Se (0df1d68f289e07efd054b498d8efbbfd) C:\WINDOWS\system32\DRIVERS\rtl8187Se.sys
    2010/10/20 21:28:51.0437 RTLE8023xp (185641ad7e80bfce0aa545d3ec79d557) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2010/10/20 21:28:51.0500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/10/20 21:28:51.0562 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2010/10/20 21:28:51.0718 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    2010/10/20 21:28:51.0859 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/10/20 21:28:51.0984 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
    2010/10/20 21:28:52.0015 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/10/20 21:28:52.0062 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/10/20 21:28:52.0140 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/10/20 21:28:52.0203 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/10/20 21:28:52.0234 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/10/20 21:28:52.0265 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/10/20 21:28:52.0390 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/10/20 21:28:52.0453 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/10/20 21:28:52.0500 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/10/20 21:28:52.0515 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/10/20 21:28:52.0531 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/10/20 21:28:52.0593 toshidpt (7c315ed5819329edb2f9b70e1c01d66b) C:\WINDOWS\system32\drivers\Toshidpt.sys
    2010/10/20 21:28:52.0656 tosporte (2c15b4856f929ac7dd144044d8334b54) C:\WINDOWS\system32\DRIVERS\tosporte.sys
    2010/10/20 21:28:52.0718 tosrfbd (6750328ab04ae5faf01403a575d66978) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
    2010/10/20 21:28:52.0765 tosrfbnp (e5e34cd8848742cdc946f589f802630f) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
    2010/10/20 21:28:52.0828 Tosrfcom (c281d231ba7bc7955d39ea9e21374eff) C:\WINDOWS\system32\Drivers\tosrfcom.sys
    2010/10/20 21:28:52.0843 Tosrfhid (592cd9c8ab08ef02ea53905d30fb157e) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
    2010/10/20 21:28:52.0875 tosrfnds (0f3fd4f55175caeddce9efd6c5ca45d3) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
    2010/10/20 21:28:52.0921 TosRfSnd (f21031c35fe340a948ffdca6de74d333) C:\WINDOWS\system32\drivers\tosrfsnd.sys
    2010/10/20 21:28:52.0953 Tosrfusb (c4245835d4fac0494ed616f3bfe9ee0a) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
    2010/10/20 21:28:53.0000 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/10/20 21:28:53.0078 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/10/20 21:28:53.0140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/10/20 21:28:53.0156 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/10/20 21:28:53.0203 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/10/20 21:28:53.0218 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/10/20 21:28:53.0250 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/10/20 21:28:53.0281 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2010/10/20 21:28:53.0328 vcdrom (bfa4ae30b3ac10e9223830bf103f5a3f) D:\Dans\new\VCdRom.sys
    2010/10/20 21:28:53.0375 VClone (94d73b62e458fb56c9ce60aa96d914f9) C:\WINDOWS\system32\DRIVERS\VClone.sys
    2010/10/20 21:28:53.0406 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/10/20 21:28:53.0468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/10/20 21:28:53.0515 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/10/20 21:28:53.0578 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/10/20 21:28:53.0656 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2010/10/20 21:28:53.0703 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2010/10/20 21:28:53.0750 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/10/20 21:28:53.0859 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/10/20 21:28:53.0859 ================================================================================
    2010/10/20 21:28:53.0859 Scan finished
    2010/10/20 21:28:53.0859 ================================================================================
    2010/10/20 21:28:53.0890 Detected object count: 1
    2010/10/20 21:29:03.0703 \HardDisk0\MBR - will be cured after reboot
    2010/10/20 21:29:03.0703 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
    2010/10/20 21:29:07.0156 Deinitialize success



    MBRCheck

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 118):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF7AF3000 \WINDOWS\system32\KDCOM.DLL
    0xF7A03000 \WINDOWS\system32\BOOTVID.dll
    0xF74C4000 ACPI.sys
    0xF7AF5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF74B3000 pci.sys
    0xF75F3000 isapnp.sys
    0xF7A07000 compbatt.sys
    0xF7A0B000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7BBB000 pciide.sys
    0xF7873000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7603000 MountMgr.sys
    0xF7494000 ftdisk.sys
    0xF7A0F000 ACPIEC.sys
    0xF7BBC000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF787B000 PartMgr.sys
    0xF7613000 VolSnap.sys
    0xF747C000 atapi.sys
    0xF7623000 disk.sys
    0xF7633000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF745C000 fltMgr.sys
    0xF7445000 KSecDD.sys
    0xF73B8000 Ntfs.sys
    0xF738B000 NDIS.sys
    0xF7AF7000 speedfan.sys
    0xF7371000 Mup.sys
    0xF7BBD000 giveio.sys
    0xF6D93000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF6D7F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6D57000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF6D3A000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xF6BF5000 \SystemRoot\system32\DRIVERS\RT2860.sys
    0xF78DB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6BD1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF78E3000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF76F3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF78EB000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF78F3000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7AA7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF7AAB000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7703000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7713000 \SystemRoot\System32\Drivers\tosrfcom.sys
    0xF7D24000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7723000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7AAF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6BBA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7733000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7743000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF78FB000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6BA9000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7753000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF790B000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7913000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7773000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7B0D000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5B6E000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF5B10000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7ABF000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7793000 \SystemRoot\system32\DRIVERS\tosporte.sys
    0xF77A3000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xAA1EB000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA1C7000 \SystemRoot\system32\drivers\portcls.sys
    0xF77B3000 \SystemRoot\system32\drivers\drmk.sys
    0xF77C3000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7B13000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7B15000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7C7B000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B17000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF793B000 \SystemRoot\System32\drivers\vga.sys
    0xF7B19000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B1B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7943000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF794B000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF732D000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA144000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA0EB000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xAA0C5000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xAA09D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF77F3000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7A9F000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xAA07B000 \SystemRoot\System32\drivers\afd.sys
    0xF7803000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF6BA1000 \??\D:\Dans\new\VCdRom.sys
    0xA9FAD000 \SystemRoot\System32\Drivers\RtsUStor.sys
    0xA9F82000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF7843000 \SystemRoot\system32\drivers\nipplpt.sys
    0xA9F12000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7863000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7663000 \SystemRoot\system32\DRIVERS\tosrfusb.sys
    0xA9EC8000 \SystemRoot\system32\DRIVERS\tosrfbd.sys
    0xA9E65000 \SystemRoot\system32\DRIVERS\Tosrfhid.sys
    0xF7673000 \SystemRoot\System32\Drivers\tosrfbnp.sys
    0xA9EEA000 \SystemRoot\system32\DRIVERS\tosrfnds.sys
    0xF7D33000 \SystemRoot\system32\drivers\Toshidpt.sys
    0xF7683000 \SystemRoot\system32\drivers\HIDCLASS.SYS
    0xF796B000 \SystemRoot\system32\drivers\HIDPARSE.SYS
    0xA9EB4000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA9DFD000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7B3D000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA9EA4000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7973000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C03000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA9D01000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA9A88000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA9A4B000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA9DBD000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA9745000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA92A4000 \SystemRoot\System32\Drivers\HTTP.sys
    0xF7B9B000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 45):
    0 System Idle Process
    4 System
    628 C:\WINDOWS\system32\smss.exe
    984 csrss.exe
    1008 C:\WINDOWS\system32\winlogon.exe
    1052 C:\WINDOWS\system32\services.exe
    1064 C:\WINDOWS\system32\lsass.exe
    1220 C:\WINDOWS\system32\svchost.exe
    1268 svchost.exe
    1320 C:\WINDOWS\system32\svchost.exe
    1440 svchost.exe
    1484 svchost.exe
    1720 C:\WINDOWS\system32\spoolsv.exe
    1832 svchost.exe
    2004 C:\WINDOWS\explorer.exe
    128 C:\WINDOWS\system32\cisvc.exe
    148 C:\Program Files\Java\jre6\bin\jqs.exe
    372 C:\WINDOWS\system32\svchost.exe
    404 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    528 C:\WINDOWS\system32\wuauclt.exe
    920 C:\WINDOWS\RTHDCPL.EXE
    940 C:\WINDOWS\system32\igfxpers.exe
    948 C:\Program Files\CE\nmSvc.exe
    960 C:\WINDOWS\system32\iprntctl.exe
    976 C:\WINDOWS\system32\iprntlgn.exe
    1112 C:\WINDOWS\system32\igfxtray.exe
    1192 C:\Program Files\CE\nmFlt.exe
    1188 C:\WINDOWS\system32\igfxsrvc.exe
    1252 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1360 C:\Program Files\RocketDock\RocketDock.exe
    1108 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    1820 C:\Documents and Settings\Daniel\Application Data\Dropbox\bin\Dropbox.exe
    2272 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    2356 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    2796 alg.exe
    2804 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
    2944 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
    2956 C:\WINDOWS\system32\wscntfy.exe
    3600 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
    3704 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
    3904 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
    1992 C:\WINDOWS\system32\cidaemon.exe
    2136 C:\Program Files\Mozilla Firefox\firefox.exe
    3364 C:\Program Files\Mozilla Firefox\plugin-container.exe
    1408 D:\Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`fa08fc00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000a`be62d400 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600BEVT-22ZCT0, Rev: 11.01A11

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 536F160BF31D1EA9A0903B1B75563BB4E20A3D65


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  5. Broni


    Your MBR seems to be infected.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
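
The two logs above come down to one sector: TDSSKiller flags `\HardDisk0\MBR` and MBRCheck reports "Unknown MBR code" with a SHA1 of the boot code, and the fix Broni gives is to overwrite that code with standard MBR code while leaving the partition table alone. The script below, added here as an illustration and not code from the thread, from MBRCheck or from TDSSKiller, shows what such a check actually looks at: the 0x55AA signature, a hash of the boot-code region, the four partition entries, and whether the byte offsets MBRCheck printed for C: and D: really line up with partition starts. Assumptions: the hashed region is the first 446 bytes (MBRCheck's exact region is not stated on the page, so the hash will not equal the log's SHA1), the known-good hash set is a placeholder the reader fills from a trusted reference, and the sample MBR is constructed inline, with partition types, sizes and the boot stub invented for the demonstration.

```python
"""Inspect a 512-byte Master Boot Record the way MBRCheck does: verify the
0x55AA boot signature, hash the boot-code region, parse the partition table
and cross-check it against the volume offsets a tool such as MBRCheck printed.

Added example, not code from the thread, from MBRCheck or from TDSSKiller.
The sample MBR below is constructed inline; the known-good hash set is a
placeholder the caller fills from a trusted reference, not a real list.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code (assumed hash region)
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xAA"    # bytes 510..511
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (needs administrator/root). Do this on a
    slaved drive or from boot media when a TDL4-class rootkit may be active:
    TDL4 hooks the disk miniport and hands the running OS a clean sector 0."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def parse_partitions(mbr):
    """Return the four partition-table entries (LBA-based; CHS fields ignored)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors,
                        "byte_offset": lba_start * SECTOR})
    return entries


def analyze_mbr(mbr, known_good_sha1=frozenset()):
    """Summarize an MBR image: signature, boot-code SHA1, partition-table sanity."""
    if len(mbr) != SECTOR:
        raise ValueError("expected %d bytes, got %d" % (SECTOR, len(mbr)))
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_sha1 = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    if known_good_sha1 and code_sha1 not in known_good_sha1:
        findings.append("boot code SHA1 %s not in known-good set" % code_sha1)
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one active partition")
    # Overlapping entries point to a hand-edited or tampered table.
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return {"boot_code_sha1": code_sha1, "partitions": parts, "findings": findings}


def match_volume_offsets(mbr, reported_offsets):
    """For each byte offset a tool reported for a volume (MBRCheck's
    'C: --> PhysicalDrive0 at offset 0x...' lines), say whether a
    non-empty partition-table entry actually starts there."""
    starts = {p["byte_offset"] for p in parse_partitions(mbr) if p["type"] != 0}
    return {off: off in starts for off in reported_offsets}


def build_sample_mbr(boot_code, partitions, signature=SIGNATURE):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start,
    sectors) tuples. Used only to construct test data."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, start, count)
                     for bootable, ptype, start, count in partitions)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + signature


# Constructed sample: a 160 GB disk laid out like the thread's (hidden recovery
# partition, then C: and D: at the byte offsets MBRCheck printed). Partition
# types, sizes and the two-byte boot stub are assumptions, not the real disk.
OFFSET_C = 0x00000000FA08FC00
OFFSET_D = 0x0000000ABE62D400
SAMPLE_MBR = build_sample_mbr(
    b"\xEB\xFE",                                                   # 'jmp $' placeholder stub
    [(False, 0x27, 63, OFFSET_C // SECTOR - 63),                   # hidden recovery
     (True, 0x07, OFFSET_C // SECTOR, (OFFSET_D - OFFSET_C) // SECTOR),   # C:
     (False, 0x07, OFFSET_D // SECTOR, 312581808 - OFFSET_D // SECTOR)])  # D:

if __name__ == "__main__":
    report = analyze_mbr(SAMPLE_MBR)
    print("boot code SHA1:", report["boot_code_sha1"])
    for p in report["partitions"]:
        print("  #%d type 0x%02X %s LBA %d (+%d sectors) @ 0x%016X" % (
            p["index"], p["type"], "active" if p["bootable"] else "      ",
            p["lba_start"], p["sectors"], p["byte_offset"]))
    print("offsets match table:", match_volume_offsets(SAMPLE_MBR, [OFFSET_C, OFFSET_D]))
    print("findings:", report["findings"] or "none")
```

Two practical notes. First, the partition entries are what a "standard MBR code" rewrite must preserve; saving sector 0 (`read_mbr`) to a file before running MBRWORK gives you the before/after pair to diff, and `match_volume_offsets` confirms that C: and D: still start where MBRCheck said they did. Second, an unknown boot-code hash on its own is not proof of infection (OEM recovery setups ship their own MBR code), which is why the TDSSKiller detection plus the unknown hash together, not either one alone, is what justifies the overwrite.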
     
Topic Status:
Not open for further replies.