TechSpot

Google redirect, BSOD prevents normal startup of windows

Inactive
By Syoka
Feb 16, 2011
  1. Hi there, I recently had a really bad run-in with what I think is some sort of virus and was going to wipe my computer as a last resort. Then I found TechSpot and decided to see if anyone here would be able to help me before I lose all my data. :(

    So here goes:
    I'm running Windows 7 Professional, 32 bit, on a Satellite series Toshiba. I think I first got the virus when I clicked a sketchy link a couple of weeks back (I was looking for new TV show episodes). A bunch of popups came up and then Java started to load. After it loaded, my computer restarted on its own.

    Since then, when I click any Google search result, I'll often get redirected to a different site (it seems many people have had this issue). When I'm on a trusted site, sometimes I'll get tabs opening with an advertisement for some site. I can no longer start up Windows normally because it will give me a BSOD soon after I log on. The BSOD error that I get most often is IRQL_NOT_LESS_THAN_OR_EQUAL. In safe mode, I rarely get a BSOD (twice in the past 2 weeks).

    I tried to run the scans from the 8-step preliminary removal instructions, but Malwarebytes' scan resulted in a BSOD after 5 minutes with the error message DRIVER_IRQL_NOT_LESS_THAN_OR_EQUAL. TFC also gave me a blue screen, although I didn't catch the error message that time. The same thing happened with DDS. The only scan I was able to complete successfully is GMER, and the log is below. I ran all the scans in safe mode with networking (with the internet disconnected).

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-16 17:23:48
    Windows 6.1.7600
    Running: 9uq8o8sp.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xF4 0x9F 0x50 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0xF4 0x9F 0x50 ...

    ---- EOF - GMER 1.0.15 ----

    Thanks in advance for the help!

    -Syo
     
  2. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. Syoka

    Syoka TS Rookie Topic Starter

    After several attempts, I managed to complete the scans and use TFC.
    Thanks so much for your help! :)

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5777

    Windows 6.1.7600 (Safe Mode)
    Internet Explorer 8.0.7600.16385

    17/02/2011 11:13:39 AM
    mbam-log-2011-02-17 (11-13-39).txt

    Scan type: Quick scan
    Objects scanned: 177122
    Time elapsed: 4 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    DDS (Ver_10-12-12.02) - NTFS_AMD64 NETWORK
    Run by Bowen at 11:38:07.83 on 17/02/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.3964.3299 [GMT -5:00]

    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\notepad.exe
    C:\Users\Bowen\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = <local>;*.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [LCR] C:\Program Files (x86)\XemiComputers\Lecture Recorder\LCR.exe
    uRun: [Google Update] "C:\Users\Bowen\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [Bamboo Dock] "C:\Program Files (x86)\Bamboo Dock\Bamboo Dock\Bamboo Dock.exe"
    uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
    uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_Plugin.exe -update plugin
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
    mRun: [BambooCore] C:\Program Files (x86)\Bamboo Dock\BambooCore.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: QQ - C:\Program Files (x86)\Tencent\QQIntl\Bin\AddEmotion.htm
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    mRun-x64: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
    mRun-x64: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
    mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
    AppInit_DLLs-X64: avgrssta.dll

    ================= FIREFOX ===================

    FF - ProfilePath - C:\Users\Bowen\AppData\Roaming\Mozilla\Firefox\Profiles\nj7kp4h2.default\
    FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npjpi160_23.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
    FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
    FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: C:\Users\Bowen\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

    ============= SERVICES / DRIVERS ===============

    R1 AvgTdiA;AVG Free8 Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2009-9-28 317520]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
    R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
    S1 AvgLdx64;AVG Free AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2009-9-28 269904]
    S1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2009-9-28 35536]
    S2 avg9wd;AVG Free WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-7-15 308136]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-21 136176]
    S2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-10-13 373640]
    S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2008-8-11 15928]
    S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2009-10-1 72216]
    S2 TabletServicePen;TabletServicePen;C:\Program Files\Tablet\Pen\Pen_Tablet.exe [2010-12-22 7329648]
    S2 TouchServicePen;Wacom Consumer Touch Service;C:\Program Files\Tablet\Pen\Pen_TouchService.exe [2010-12-22 719216]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
    S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
    S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2010-12-22 18288]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-25 1255736]

    =============== File Associations ===============

    txtfile=C:\Windows\notepad.exe %1

    =============== Created Last 30 ================

    2011-02-06 22:59:47 181608 ----a-w- C:\PROGRA~3\Microsoft\Windows\Sqm\Manifest\Sqm10137.bin
    2011-02-06 21:06:22 83249512 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlc1C39.tmp
    2011-02-06 20:35:40 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-02-06 20:35:40 472808 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-24 20:23:04 -------- d-----w- C:\PROGRA~3\Fun4IM
    2011-01-24 20:23:02 -------- d-----w- C:\Program Files (x86)\Windows Searchqu Toolbar
    2011-01-24 20:23:02 -------- d-----w- C:\Program Files (x86)\Fun4IM
    2011-01-20 23:43:25 83249512 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlc960E.tmp

    ==================== Find3M ====================

    2010-12-21 18:50:40 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
    2010-12-21 18:50:40 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
    2010-12-21 18:50:40 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
    2010-12-21 18:50:40 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
    2010-12-20 23:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2010-12-05 16:52:22 488960 ----a-w- C:\Windows\System32\pythoncom27.dll
    2010-12-05 16:52:22 137216 ----a-w- C:\Windows\System32\pywintypes27.dll
    2010-12-05 16:51:50 2978816 ----a-w- C:\Windows\System32\python27.dll
    2010-11-25 20:31:04 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
    2010-11-25 20:31:04 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll

    ============= FINISH: 11:39:19.96 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 28/09/2009 10:33:27 PM
    System Uptime: 17/02/2011 11:32:08 AM (0 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Core(TM)2 Duo CPU T6400 @ 2.00GHz | CPU | 1995/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 214 GiB total, 95.179 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 3.247 GiB free.
    E: is CDROM ()
    F: is Removable
    H: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Security Processor Loader Driver
    Device ID: ROOT\LEGACY_SPLDR\0000
    Manufacturer:
    Name: Security Processor Loader Driver
    PNP Device ID: ROOT\LEGACY_SPLDR\0000
    Service: spldr

    Class GUID:
    Description:
    Device ID: ACPI\TOS1901\2&DABA3FF&1
    Manufacturer:
    Name:
    PNP Device ID: ACPI\TOS1901\2&DABA3FF&1
    Service:

    ==== System Restore Points ===================

    RP158: 15/12/2010 3:00:20 AM - Windows Update
    RP160: 19/12/2010 1:32:50 PM - Restore Operation
    RP161: 20/12/2010 3:00:18 AM - Windows Update
    RP162: 21/12/2010 11:50:23 AM - Windows Update
    RP163: 28/12/2010 6:24:36 PM - Scheduled Checkpoint
    RP164: 30/12/2010 11:27:55 PM - Installed ActiveState ActivePython 2.7.1.3 (64-bit)
    RP165: 07/01/2011 5:34:30 PM - Scheduled Checkpoint
    RP167: 13/01/2011 12:44:29 PM - Windows Modules Installer
    RP168: 13/01/2011 1:54:56 PM - Windows Modules Installer
    RP170: 15/01/2011 11:10:06 AM - Windows Modules Installer
    RP171: 22/01/2011 3:43:22 PM - Scheduled Checkpoint
    RP172: 06/02/2011 3:34:45 PM - Installed Java(TM) 6 Update 23

    ==== Installed Programs ======================

    AAC Decoder
    Adobe AIR
    Adobe Community Help
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Flash Professional CS5
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Reader 9.2
    Adobe Shockwave Player 11.5
    aMSN 0.97.2
    ApexDC++ 1.3.0 (32-bit)
    Apple Application Support
    Apple Software Update
    µTorrent
    Audacity 1.3.12 (Unicode)
    AutoUpdate
    AVG Free 9.0
    Bamboo
    Bamboo Dock
    Bamboo Dock 3.3
    CGoban 3
    DAEMON Tools Toolbar
    Dev-C++ 5 beta 9 release (4.9.9.2)
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Garena 2010
    Google Chrome
    Google Earth Plug-in
    Google Update Helper
    H.264 Decoder
    ImgBurn
    Japanese Fonts Support For Adobe Reader 9
    Java Auto Updater
    Java(TM) 6 Update 23
    Junk Mail filter update
    League of Legends
    Left 4 Dead 2
    Left 4 Dead 2 Add-on Support
    LogMeIn
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware
    MapleStory
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2010 Express - ENU
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    mIRC
    MKV Splitter
    Mozilla Firefox (3.6.13)
    MSN Polygamy 8.1
    MSVCRT
    Nexon Game Manager
    OpenAL
    Pando Media Booster
    PDF Settings CS5
    PLT Scheme v4.2.2
    PowerISO
    QuickTime
    Racket v5.0.2
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Toolbars
    Skype™ 5.0
    Starcraft
    Steam
    StepMania 3.9a (remove only)
    Tencent QQ
    Ubuntu
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2483110)
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 8.0 Runtime Setup Package (x64)
    Warcraft III
    Warcraft III: All Products
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    Winamp
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    World of Warcraft
    Xfire (remove only)
    Xvid 1.2.1 final uninstall

    ==== Event Viewer Messages From Past Week ========

    17/02/2011 11:35:18 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    17/02/2011 11:33:14 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    17/02/2011 11:33:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    17/02/2011 11:33:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    17/02/2011 11:33:08 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    17/02/2011 11:32:59 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    17/02/2011 11:32:50 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx64 AvgMfx64 discache SCDEmu spldr Wanarpv6
    17/02/2011 11:32:17 AM, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    17/02/2011 11:17:42 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    17/02/2011 11:17:42 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    17/02/2011 11:17:01 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800020c6cd8, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021711-31637-01.
    16/02/2011 5:29:59 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000000, 0x0000000000000002, 0x0000000000000000, 0xfffff800020f52b3). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021611-33587-01.
    16/02/2011 5:00:20 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0xfffff880063b26f8, 0x0000000000000002, 0x0000000000000001, 0xfffff88000e92074). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021611-32401-01.
    16/02/2011 4:54:45 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800020b07e7, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021611-33477-01.
    16/02/2011 12:07:43 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002e5d7e7, 0x0000000000000000, 0x000007fffffa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021611-37705-01.
    15/02/2011 12:41:56 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    15/02/2011 12:24:32 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    15/02/2011 12:24:32 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    15/02/2011 12:24:00 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx64 AvgMfx64 AvgTdiA CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
    15/02/2011 12:24:00 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff80002091448, 0xfffff88005fd9ad0, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021511-46519-01.
    15/02/2011 12:23:59 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    15/02/2011 12:23:59 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    15/02/2011 12:23:59 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    15/02/2011 12:23:59 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    15/02/2011 12:23:59 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed

    to start.
    15/02/2011 12:23:58 AM, Error: Service Control Manager

    [7001] - The Workstation service depends on the Network

    Store Interface Service service which failed to start

    because of the following error: The dependency service or

    group failed to start.
    15/02/2011 12:23:58 AM, Error: Service Control Manager

    [7001] - The WebDav Client Redirector Driver service

    depends on the Redirected Buffering Sub Sysytem service

    which failed to start because of the following error: A

    device attached to the system is not functioning.
    15/02/2011 12:23:58 AM, Error: Service Control Manager

    [7001] - The WebClient service depends on the WebDav Client

    Redirector Driver service which failed to start because of

    the following error: The dependency service or group failed

    to start.
    15/02/2011 12:23:58 AM, Error: Service Control Manager

    [7001] - The TCP/IP NetBIOS Helper service depends on the

    Ancillary Function Driver for Winsock service which failed

    to start because of the following error: A device attached

    to the system is not functioning.
    15/02/2011 12:23:58 AM, Error: Service Control Manager

    [7001] - The Network Store Interface Service service

    depends on the NSI proxy service driver. service which

    failed to start because of the following error: A device

    attached to the system is not functioning.
    15/02/2011 12:23:58 AM, Error: Service Control Manager

    [7001] - The DNS Client service depends on the NetIO Legacy

    TDI Support Driver service which failed to start because of

    the following error: A device attached to the system is not

    functioning.
    15/02/2011 12:23:58 AM, Error: Service Control Manager

    [7001] - The DHCP Client service depends on the Ancillary

    Function Driver for Winsock service which failed to start

    because of the following error: A device attached to the

    system is not functioning.
    13/02/2011 12:51:12 PM, Error: Microsoft-Windows-

    DistributedCOM [10005] - DCOM got error "1068" attempting

    to start the service stisvc with arguments "" in order to

    run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    13/02/2011 12:49:11 PM, Error: Microsoft-Windows-WER-

    SystemErrorReporting [1001] - The computer has rebooted

    from a bugcheck. The bugcheck was: 0x0000000a

    (0x00000000dc000002, 0x0000000000000002, 0x0000000000000000,

    0xfffff80002e90436). A dump was saved in: C:\Windows

    \MEMORY.DMP. Report Id: 021311-34226-01.
    12/02/2011 7:51:58 PM, Error: Microsoft-Windows-WER-

    SystemErrorReporting [1001] - The computer has rebooted

    from a bugcheck. The bugcheck was: 0x0000003b

    (0x00000000c0000005, 0xfffff80002e7fcd8, 0xfffff88008f09d90,

    0x0000000000000000). A dump was saved in: C:\Windows

    \MEMORY.DMP. Report Id: 021211-32713-01.
    12/02/2011 5:38:40 AM, Error: Microsoft-Windows-WER-

    SystemErrorReporting [1001] - The computer has rebooted

    from a bugcheck. The bugcheck was: 0x0000003b

    (0x00000000c0000005, 0xfffff80002e8bcd8, 0xfffff88008c53730,

    0x0000000000000000). A dump was saved in: C:\Windows

    \MEMORY.DMP. Report Id: 021211-39359-01.
    10/02/2011 11:10:30 PM, Error: Microsoft-Windows-WER-

    SystemErrorReporting [1001] - The computer has rebooted

    from a bugcheck. The bugcheck was: 0x0000001e

    (0xffffffffc0000005, 0xfffff80002ea87e7, 0x0000000000000000,

    0x000007fffffa0000). A dump was saved in: C:\Windows

    \MEMORY.DMP. Report Id: 021011-32245-01.

    ==== End Of File ===========================
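The event-log entries in the post above carry two separate stories once they are read one event per line: four different stop codes (0xA, 0x1E, 0x3B, 0xD1), and a Service Control Manager cascade in which most of the 7001 events are only echoes of a handful of drivers that never loaded. The Python below is an added example written for this thread, not a tool that anyone in the thread ran. It takes a subset of the posted entries, re-joined onto single lines, as constructed sample input; decodes the stop codes with the names Microsoft documents for them; and separates the upstream failures (error "A device attached to the system is not functioning") from the downstream "dependency service or group failed" echoes. The regular expressions, the name table and the function names are all choices of this example.

```python
"""Triage of the event-log excerpt above: decode the bugchecks and find the root of the
service-dependency cascade. Added example for this thread, not a tool from the thread."""
import re
from collections import Counter

# Names Windows prints on the blue screen for the stop codes that occur in the excerpt.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
STATUS_ACCESS_VIOLATION = 0xC0000005  # NTSTATUS carried in parameter 1 of 0x1E and 0x3B
CASCADE_ERROR = "The dependency service or group failed to start"

# Constructed sample input: a subset of the entries posted above, re-joined onto one line
# per event (the forum copy was word-wrapped by Notepad).
SAMPLE_LOG = r"""
16/02/2011 5:00:20 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0xfffff880063b26f8, 0x0000000000000002, 0x0000000000000001, 0xfffff88000e92074). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021611-32401-01.
16/02/2011 4:54:45 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800020b07e7, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021611-33477-01.
15/02/2011 12:24:00 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx64 AvgMfx64 AvgTdiA CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
15/02/2011 12:24:00 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff80002091448, 0xfffff88005fd9ad0, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021511-46519-01.
15/02/2011 12:23:59 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
15/02/2011 12:23:58 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
15/02/2011 12:23:58 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
15/02/2011 12:23:58 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
13/02/2011 12:49:11 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000dc000002, 0x0000000000000002, 0x0000000000000000, 0xfffff80002e90436). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021311-34226-01.
"""

BUGCHECK_RE = re.compile(
    r"^(?P<time>\S+ \S+ [AP]M), Error: Microsoft-Windows-WER-SystemErrorReporting \[1001\] - "
    r".*?The bugcheck was: (?P<code>0x[0-9a-fA-F]+) \((?P<params>[^)]*)\)\. "
    r"A dump was saved in: (?P<dump>.+?)\. Report Id: (?P<report>[\w-]+)\.$"
)
DEPENDENCY_RE = re.compile(
    r"Service Control Manager \[7001\] - The (?P<svc>.+?) service depends on the "
    r"(?P<dep>.+?) service which failed to start because of the following error: (?P<err>.+?)\.?$"
)
BOOT_DRIVER_RE = re.compile(
    r"Service Control Manager \[7026\] - The following boot-start or system-start "
    r"driver\(s\) failed to load: (?P<drivers>.+)$"
)


def parse_bugchecks(text):
    """One record per WER 1001 entry, with the stop code decoded."""
    records = []
    for line in text.splitlines():
        m = BUGCHECK_RE.match(line.strip())
        if not m:
            continue
        code = int(m["code"], 16)
        params = [int(p.strip(), 16) for p in m["params"].split(",")]
        records.append({
            "time": m["time"],
            "code": code,
            "name": BUGCHECK_NAMES.get(code, "UNKNOWN_BUGCHECK"),
            "params": params,
            "report_id": m["report"],
            # For 0x1E and 0x3B, parameter 1 is the exception code the kernel could not
            # handle; 0xC0000005 is STATUS_ACCESS_VIOLATION (kernel code touched a bad address).
            "access_violation": code in (0x1E, 0x3B)
            and (params[0] & 0xFFFFFFFF) == STATUS_ACCESS_VIOLATION,
        })
    return records


def bugcheck_histogram(text):
    """How often each stop code appears, by name."""
    return Counter(r["name"] for r in parse_bugchecks(text))


def parse_dependency_failures(text):
    """(service, dependency, error) for every SCM 7001 entry."""
    out = []
    for line in text.splitlines():
        m = DEPENDENCY_RE.search(line)
        if m:
            out.append((m["svc"], m["dep"].rstrip("."), m["err"]))
    return out


def root_cause_dependencies(text):
    """Dependencies that failed for a concrete reason rather than because of their own
    dependency; in a 7001 cascade these are the upstream failures worth looking at."""
    return sorted({dep for _, dep, err in parse_dependency_failures(text) if err != CASCADE_ERROR})


def failed_boot_drivers(text):
    """Driver names from the SCM 7026 entry, or [] if there is none."""
    for line in text.splitlines():
        m = BOOT_DRIVER_RE.search(line)
        if m:
            return m["drivers"].split()
    return []


if __name__ == "__main__":
    for rec in parse_bugchecks(SAMPLE_LOG):
        flag = " (access violation)" if rec["access_violation"] else ""
        print(f"{rec['time']}: 0x{rec['code']:02X} {rec['name']}{flag}, report {rec['report_id']}")
    print("stop-code histogram:", dict(bugcheck_histogram(SAMPLE_LOG)))
    print("drivers that failed to load:", failed_boot_drivers(SAMPLE_LOG))
    print("upstream failed dependencies:", root_cause_dependencies(SAMPLE_LOG))
```

Run against the sample, the upstream failures come out as the Winsock (AFD), NSI proxy and TDI drivers, which are exactly names that appear in the 7026 list, so the long run of DNS, DHCP, Workstation and SMB errors is one root cause, not many. The 0x1E and 0x3B entries all carry 0xC0000005 in parameter 1, that is, a kernel-mode access violation, which is the kind of thing a helper would confirm in C:\Windows\MEMORY.DMP with a debugger rather than from the event text alone.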
     
  4. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Please disable "word wrap" in Notepad, because your logs are hard to read.

    Is there any reason you ran all scans in Safe Mode?

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Syoka

    Syoka TS Rookie Topic Starter

    Hi, Broni.

    I am only able to operate on safe mode right now. If I try to start normally, I will be greeted with BSOD before windows has finished booting.

    I had downloaded all the programs in your last post and disconnected my internet to do the scanning. However, as soon as I uninstalled AVG, things turned really bad. I tried to run combofix but I would BSOD before the little progress bar reached the end. Right now, I'm having difficulty starting up my computer, even in safe mode (I am replying on a separate laptop). I will try to run RKill if I can get my computer to boot. In the meantime, do you have any other suggestions since combofix will not work?

    Edit: RKill also causes BSOD.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  7. Syoka

    Syoka TS Rookie Topic Starter

    Will a blank DVD do? I don't have any blank CDs around, haha. I'll go out to buy some later and hopefully post my results tonight. In the meanwhile, I did get the MBRCheck running but the log is on the computer I can't boot. I remember that the last part of the log stated that the mbr code was faked though.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    I never tried DVD.
    You can give it a shot, but I can't guarantee anything.
     
  9. Syoka

    Syoka TS Rookie Topic Starter

    Hey Broni,

    Something came up and I gotta run out of town for the weekend. Can we postpone this topic until monday or tuesday? Sorry for the trouble. :)
     
  10. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    No problem :)
     
  11. Syoka

    Syoka TS Rookie Topic Starter

    Hey Broni,

    I am back for the week and will work on running that CD. I'll edit this post when I'm done.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Fair enough :)
     
  13. Syoka

    Syoka TS Rookie Topic Starter

    Okay, so I got the reatogo-x-pe desktop running and I clicked the OTLPE icon. It asked me to load some kind of directory and your instructions didn't indicate what I should do, so I tried loading my computer, and each of the different drives, to no avail.

    I tried to run the program by going to X:/Programs/OTLPE.exe which did start up OTLPE without asking to load a directory, but it also did not ask me about users and registry (as per your instructions). I started the scan (checking for 60 days) and it gave me an error: OTL.txt could not be found, create new file? When I click yes, all that comes up is an untitled blank notepad document :/

    Any clue as to what I'm doing wrong?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Direct it to a folder, where Windows is installed, which normally would be C:\Windows
     
  15. Syoka

    Syoka TS Rookie Topic Starter

    Here is the OTLPE log:

    OTL logfile created on: 2/24/2011 6:10:06 PM - Run
    OTLPE by OldTimer - Version 3.1.44.3 Folder = X:\Programs\OTLPE
    64bit-Windows 7 Professional (Version = 6.1.7600) - Type = System
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 89.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 214.29 Gb Total Space | 95.65 Gb Free Space | 44.63% Space Free | Partition Type: NTFS
    Drive E: | 8.65 Gb Total Space | 3.25 Gb Free Space | 37.58% Space Free | Partition Type: NTFS
    Drive X: | 436.55 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2010/07/13 16:26:12 | 000,719,216 | ---- | M] (Wacom Technology, Corp.) [Auto] -- C:\Program Files\Tablet\Pen\Pen_TouchService.exe -- (TouchServicePen)
    SRV:64bit: - [2010/07/13 16:26:08 | 007,329,648 | ---- | M] (Wacom Technology, Corp.) [Auto] -- C:\Program Files\Tablet\Pen\Pen_Tablet.exe -- (TabletServicePen)
    SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/10/10 16:33:10 | 000,120,712 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe -- (LMIMaint)
    SRV - [2010/09/27 13:52:18 | 000,373,640 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
    SRV - [2009/10/29 01:02:00 | 003,407,292 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
    SRV - [2009/09/23 15:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) @C:\Program Files (x86)
    SRV - [2009/07/16 16:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008/08/11 11:40:58 | 000,057,920 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe -- (LogMeIn)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2010/10/10 16:32:59 | 000,087,456 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV:64bit: - [2010/09/28 15:44:52 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\igdkmd64.sys -- (igfx)
    DRV:64bit: - [2010/05/19 16:52:38 | 000,018,288 | ---- | M] (Wacom Technology) [Kernel | On_Demand] -- C:\Windows\System32\drivers\wacmoumonitor.sys -- (wacmoumonitor)
    DRV:64bit: - [2010/01/13 15:37:18 | 007,675,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NETw5s64.sys -- (NETw5s64) Intel(R)
    DRV:64bit: - [2009/09/29 21:46:11 | 000,871,408 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
    DRV:64bit: - [2009/09/21 18:29:22 | 000,016,168 | ---- | M] (Wacom Technology) [Kernel | On_Demand] -- C:\Windows\System32\drivers\wacomvhid.sys -- (wacomvhid)
    DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
    DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot] -- C:\Windows\System32\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 16:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand] -- C:\Windows\System32\drivers\agrsm64.sys -- (AgereSoftModem)
    DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- C:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
    DRV:64bit: - [2009/06/10 15:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2009/06/10 15:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\netw5v64.sys -- (netw5v64) Intel(R)
    DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/02/24 17:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
    DRV:64bit: - [2008/08/11 11:40:58 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV:64bit: - [2007/11/09 04:00:30 | 000,026,968 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
    DRV:64bit: - [2007/05/14 16:06:18 | 000,027,520 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand] -- C:\Windows\System32\drivers\RimUsb_AMD64.sys -- (RimUsb)
    DRV:64bit: - [2007/02/16 14:12:36 | 000,012,848 | ---- | M] (Wacom Technology) [Kernel | On_Demand] -- C:\Windows\System32\drivers\wacommousefilter.sys -- (wacommousefilter)
    DRV - [2009/02/24 17:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand] -- C:\Windows\SysWOW64\drivers\mcdbus.sys -- (mcdbus)
    DRV - [2008/08/11 11:41:00 | 000,015,928 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files (x86)\LogMeIn\x64\rainfo.sys -- (LMIInfo)
    DRV - [2005/01/01 04:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Bowen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
    IE - HKU\Bowen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
    IE - HKU\Bowen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5E 7A 86 EF 6D D4 CA 01 [binary data]
    IE - HKU\Bowen_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Bowen_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local




    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1


    [2011/01/26 19:58:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
    [2011/01/26 19:58:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\22nxrdcq.default\extensions
    [2011/02/13 12:54:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s7fsd9h1.default\extensions
    [2011/02/16 17:40:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2010/07/19 22:45:03 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    [2011/01/27 13:05:00 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
    [2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/12/21 11:51:44 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/12/21 11:51:44 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/12/21 11:51:44 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/12/21 11:51:44 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2010/04/30 14:56:09 | 000,001,798 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 activate.adobe.com
    O1 - Hosts: 127.0.0.1 practivate.adobe.com
    O1 - Hosts: 127.0.0.1 ereg.adobe.com
    O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
    O1 - Hosts: 127.0.0.1 wip3.adobe.com
    O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
    O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
    O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
    O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
    O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
    O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
    O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
    O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
    O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
    O1 - Hosts: 127.0.0.1 adobe.activate.com
    O1 - Hosts: 127.0.0.1 adobeereg.com
    O1 - Hosts: 127.0.0.1 www.adobeereg.com
    O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
    O1 - Hosts: 127.0.0.1 125.252.224.90
    O1 - Hosts: 127.0.0.1 125.252.224.91
    O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
    O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe (LogMeIn, Inc.)
    O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [BambooCore] C:\Program Files (x86)\Bamboo Dock\BambooCore.exe ()
    O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
    O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
    O4 - HKU\Bowen_ON_C..\Run: [Bamboo Dock] C:\Program Files (x86)\Bamboo Dock\Bamboo Dock\Bamboo Dock.exe ()
    O4 - HKU\Bowen_ON_C..\Run: [LCR] File not found
    O4 - HKU\Bowen_ON_C..\Run: [RESTART_STICKY_NOTES] File not found
    O4 - HKU\LocalService_ON_C..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\NetworkService_ON_C..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [GrpConv] C:\Windows\SysWow64\grpconv.exe (Microsoft Corporation)
    O4 - HKU\Administrator_ON_C..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_Plugin.exe (Adobe Systems, Inc.)
    O4 - HKU\Bowen_ON_C..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_Plugin.exe (Adobe Systems, Inc.)
    O4 - HKU\LocalService_ON_C..\RunOnce: [mctadmin] File not found
    O4 - HKU\NetworkService_ON_C..\RunOnce: [mctadmin] File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Bowen_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - File not found
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13:64bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab (UnoCtrl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 206.248.154.22 206.248.154.170
    O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
    O20:64bit: - AppInit_DLLs: (avgrssta.dll) - File not found
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20:64bit: - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
    64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/02/17 16:54:33 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2011/02/17 16:14:14 | 006,022,408 | ---- | C] (OPSWAT, Inc.) -- C:\Users\Bowen\Desktop\AppRemover.exe
    [2011/02/13 13:30:25 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\WinRAR
    [2011/02/06 15:40:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
    [2011/02/06 15:35:40 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
    [2011/02/06 15:35:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
    [2011/01/26 20:26:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Documents\Scanned Documents
    [2011/01/26 20:26:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Documents\Fax
    [2011/01/26 19:57:58 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Mozilla
    [2011/01/26 19:57:58 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Mozilla
    [2011/01/26 19:44:17 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Apple Computer
    [2011/01/26 19:44:12 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Real
    [2011/01/26 19:40:46 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Wacom
    [2011/01/26 19:40:38 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\WTablet

    ========== Files - Modified Within 30 Days ==========

    [2011/02/17 19:01:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/02/17 19:01:20 | 328,335,685 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2011/02/17 19:01:15 | 3117,412,352 | -HS- | M] () -- C:\hiberfil.sys
    [2011/02/17 16:25:05 | 000,721,199 | ---- | M] () -- C:\Users\Bowen\Desktop\rkill.exe
    [2011/02/17 16:14:31 | 006,022,408 | ---- | M] (OPSWAT, Inc.) -- C:\Users\Bowen\Desktop\AppRemover.exe
    [2011/02/17 16:13:56 | 004,270,552 | ---- | M] () -- C:\Users\Bowen\Desktop\ComboFix.exe
    [2011/02/17 11:19:53 | 000,000,298 | ---- | M] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-3541986981-812281285-174318126-1000.job
    [2011/02/15 00:43:21 | 000,001,908 | ---- | M] () -- C:\Windows\diagwrn.xml
    [2011/02/15 00:43:21 | 000,001,908 | ---- | M] () -- C:\Windows\diagerr.xml
    [2011/02/13 22:59:44 | 000,000,600 | ---- | M] () -- C:\Users\Bowen\AppData\Roaming\winscp.rnd
    [2011/02/13 13:31:07 | 002,657,282 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/02/13 13:31:07 | 001,126,288 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/02/13 13:25:35 | 000,000,314 | ---- | M] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-3541986981-812281285-174318126-500.job
    [2011/02/13 12:54:59 | 000,001,444 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/02/13 12:54:16 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
    [2011/02/13 12:46:54 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/02/11 13:12:28 | 000,010,819 | ---- | M] () -- C:\Users\Bowen\Desktop\whywaterloo.docx
    [2011/02/07 10:54:45 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3541986981-812281285-174318126-1000UA.job
    [2011/02/07 10:54:45 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/02/07 02:47:18 | 000,009,940 | ---- | M] () -- C:\Users\Bowen\Documents\mredauto.1
    [2011/02/07 00:04:58 | 000,002,409 | ---- | M] () -- C:\Users\Bowen\Desktop\Google Chrome.lnk
    [2011/02/06 17:57:16 | 000,000,000 | ---- | M] () -- C:\Users\Bowen\AppData\Local\prvlcl.dat
    [2011/02/06 17:06:59 | 000,013,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/02/06 17:06:59 | 000,013,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/02/01 18:20:40 | 015,693,798 | ---- | M] () -- C:\Users\Bowen\Desktop\2B.rar
    [2011/01/27 06:59:42 | 000,000,162 | -H-- | M] () -- C:\Users\Administrator\Desktop\~$b_report_1_template.docx

    ========== Files Created - No Company Name ==========

    [2011/02/17 16:25:05 | 000,721,199 | ---- | C] () -- C:\Users\Bowen\Desktop\rkill.exe
    [2011/02/17 16:13:55 | 004,270,552 | ---- | C] () -- C:\Users\Bowen\Desktop\ComboFix.exe
    [2011/02/15 00:25:16 | 000,001,908 | ---- | C] () -- C:\Windows\diagwrn.xml
    [2011/02/15 00:25:16 | 000,001,908 | ---- | C] () -- C:\Windows\diagerr.xml
    [2011/02/13 22:59:44 | 000,000,600 | ---- | C] () -- C:\Users\Bowen\AppData\Roaming\winscp.rnd
    [2011/02/13 13:25:35 | 000,000,314 | ---- | C] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-3541986981-812281285-174318126-500.job
    [2011/02/13 12:54:59 | 000,001,444 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/02/13 12:54:16 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/02/11 13:12:28 | 000,010,819 | ---- | C] () -- C:\Users\Bowen\Desktop\whywaterloo.docx
    [2011/02/07 11:36:49 | 000,000,298 | ---- | C] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-3541986981-812281285-174318126-1000.job
    [2011/02/07 02:47:18 | 000,009,940 | ---- | C] () -- C:\Users\Bowen\Documents\mredauto.1
    [2011/02/01 18:20:35 | 015,693,798 | ---- | C] () -- C:\Users\Bowen\Desktop\2B.rar
    [2011/01/27 06:59:42 | 000,000,162 | -H-- | C] () -- C:\Users\Administrator\Desktop\~$b_report_1_template.docx
    [2010/09/22 19:58:08 | 000,815,104 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
    [2010/09/22 19:58:08 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
    [2010/09/04 12:21:45 | 000,000,614 | ---- | C] () -- C:\Program Files (x86)\RejoinCommandLine.txt
    [2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
    [2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
    [2010/06/02 15:33:28 | 000,018,760 | ---- | C] () -- C:\Windows\SysWow64\QQVistaHelper.dll
    [2010/05/27 19:09:00 | 000,041,872 | ---- | C] () -- C:\Windows\SysWow64\xfcodec.dll
    [2010/05/05 17:28:24 | 000,000,000 | ---- | C] () -- C:\Users\Bowen\AppData\Local\prvlcl.dat
    [2009/11/19 18:26:26 | 000,006,392 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2009/09/30 15:46:46 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI
    [2009/07/13 19:02:54 | 000,245,248 | ---- | C] () -- C:\Windows\SysWow64\DShowRdpFilter.dll
    [2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
    [2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- C:\Windows\SysWow64\ir32_32.dll
    [2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

    ========== LOP Check ==========

    [2011/01/26 19:40:46 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Wacom
    [2010/08/23 18:32:39 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\Audacity
    [2009/09/29 21:49:52 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\DAEMON Tools Lite
    [2010/05/01 03:33:10 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\Dev-Cpp
    [2010/01/02 16:44:25 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\ImgBurn
    [2009/12/13 12:50:17 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\iWin
    [2010/05/25 01:46:19 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\LolClient
    [2009/12/23 22:22:18 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\NeopleLauncherDFO
    [2009/10/06 16:47:47 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\PLT Scheme
    [2011/02/07 15:08:31 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\Racket
    [2010/12/26 01:58:50 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    [2010/06/02 15:37:33 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\Tencent
    [2010/06/06 03:39:55 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\Tunngle
    [2011/01/01 03:08:09 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\uTorrent
    [2010/12/22 21:36:51 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\Wacom
    [2010/12/22 21:36:54 | 000,000,000 | ---D | M] -- C:\Users\Bowen\AppData\Roaming\wacomid-desktop-launcher.DCFD4B89A63EE70BC162777F06D4B93B6397AEC7.1
    [2011/02/06 15:29:50 | 000,032,592 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Files - Unicode (All) ==========
    [2011/02/13 20:52:41 | 000,292,352 | ---- | M] ()(C:\Users\Bowen\Desktop\_????Preface(edited).doc) -- C:\Users\Bowen\Desktop\_需审阅的Preface(edited).doc
    [2011/02/13 20:52:40 | 000,292,352 | ---- | C] ()(C:\Users\Bowen\Desktop\_????Preface(edited).doc) -- C:\Users\Bowen\Desktop\_需审阅的Preface(edited).doc
    < End of report >



    here is also the mbr checker log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Professional
    Windows Information: (build 7600), 64-bit
    Base Board Manufacturer: TOSHIBA
    BIOS Manufacturer: INSYDE
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L300
    Logical Drives Mask: 0x000000bc

    Kernel Drivers (total 134):
    0x0205B000 \SystemRoot\system32\ntoskrnl.exe
    0x02012000 \SystemRoot\system32\hal.dll
    0x00BA7000 \SystemRoot\system32\kdcom.dll
    0x00CA8000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x00CEC000 \SystemRoot\system32\PSHED.dll
    0x00D00000 \SystemRoot\system32\CLFS.SYS
    0x00E81000 \SystemRoot\system32\CI.dll
    0x00F41000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x00FE5000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x01070000 \SystemRoot\System32\Drivers\spii.sys
    0x011A4000 \SystemRoot\System32\Drivers\WMILIB.SYS
    0x011AD000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
    0x01000000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x01057000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x01061000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x00E00000 \SystemRoot\system32\DRIVERS\pci.sys
    0x011DC000 \SystemRoot\System32\drivers\partmgr.sys
    0x011F1000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x00E33000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x00E3F000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x00D5E000 \SystemRoot\System32\drivers\volmgrx.sys
    0x00E54000 \SystemRoot\System32\drivers\mountmgr.sys
    0x00E6E000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x00DBA000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x00FF4000 \SystemRoot\system32\DRIVERS\msahci.sys
    0x00DE4000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x00DF4000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x00C00000 \SystemRoot\system32\drivers\fltmgr.sys
    0x00C4C000 \SystemRoot\system32\drivers\fileinfo.sys
    0x01246000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x014AC000 \SystemRoot\System32\Drivers\msrpc.sys
    0x0150A000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x01524000 \SystemRoot\System32\Drivers\cng.sys
    0x01597000 \SystemRoot\System32\drivers\pcw.sys
    0x015A8000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x016FF000 \SystemRoot\system32\drivers\ndis.sys
    0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
    0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x01803000 \SystemRoot\System32\drivers\tcpip.sys
    0x0168B000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x016D5000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
    0x015B2000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x016E5000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x01400000 \SystemRoot\System32\drivers\rdyboost.sys
    0x0143A000 \SystemRoot\System32\Drivers\mup.sys
    0x016F2000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x0144C000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x01486000 \SystemRoot\system32\DRIVERS\disk.sys
    0x01200000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x0123B000 \SystemRoot\System32\Drivers\Null.SYS
    0x016EA000 \SystemRoot\System32\Drivers\Beep.SYS
    0x00C60000 \SystemRoot\System32\drivers\vga.sys
    0x00C6E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x00C93000 \SystemRoot\System32\drivers\watchdog.sys
    0x00E77000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x02265000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x02270000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x02281000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x0229F000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x022AC000 \SystemRoot\System32\Drivers\avgtdia.sys
    0x022FD000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x02342000 \SystemRoot\system32\drivers\afd.sys
    0x023CC000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x023D5000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x02200000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x02216000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x028F0000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x02941000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x0294D000 \SystemRoot\system32\drivers\csc.sys
    0x029D0000 \SystemRoot\System32\Drivers\dfsc.sys
    0x02800000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x02826000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x02833000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x02889000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x0289A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x028BE000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
    0x02AA1000 \SystemRoot\system32\DRIVERS\NETw5s64.sys
    0x02A00000 \SystemRoot\system32\DRIVERS\vwifibus.sys
    0x02A0D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x02A2B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x02A3A000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x02A49000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x02A73000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x02A80000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x02A91000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x029EE000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
    0x02225000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x029F1000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x0223E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x02249000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x03296000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x032BA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x032C6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x032F5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x03310000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x03331000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x0334B000 \SystemRoot\system32\DRIVERS\rdpbus.sys
    0x03356000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x0336A000 \SystemRoot\system32\DRIVERS\mcdbus.sys
    0x033A7000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x033A9000 \SystemRoot\system32\DRIVERS\ks.sys
    0x033EC000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x03200000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x0325A000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x03267000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
    0x0326F000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x03284000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x017F1000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x0149C000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x013E9000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x04EF1000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x04F0E000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x04F10000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x000B0000 \SystemRoot\System32\win32k.sys
    0x04F2B000 \SystemRoot\System32\drivers\Dxapi.sys
    0x005B0000 \SystemRoot\System32\drivers\dxg.sys
    0x006B0000 \SystemRoot\System32\TSDDD.dll
    0x00900000 \SystemRoot\System32\framebuf.dll
    0x00B70000 \SystemRoot\System32\ATMFD.DLL
    0x04F37000 \SystemRoot\system32\drivers\WudfPf.sys
    0x04F58000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x04FAB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x04FBE000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x04FDC000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x04E00000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x04E2D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x04E7B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x77100000 \Windows\System32\ntdll.dll
    0x47E20000 \Windows\System32\smss.exe
    0xFF420000 \Windows\System32\apisetschema.dll
    0xFF130000 \Windows\System32\autochk.exe
    0xFE680000 \Windows\System32\shell32.dll
    0xFE550000 \Windows\System32\wininet.dll
    0x76FE0000 \Windows\System32\kernel32.dll

    Processes (total 29):
    0 System Idle Process
    4 System
    260 C:\Windows\System32\smss.exe
    344 csrss.exe
    380 csrss.exe
    388 C:\Windows\System32\wininit.exe
    416 C:\Windows\System32\winlogon.exe
    488 C:\Windows\System32\services.exe
    496 C:\Windows\System32\lsass.exe
    504 C:\Windows\System32\lsm.exe
    616 C:\Windows\System32\svchost.exe
    696 C:\Windows\System32\svchost.exe
    780 C:\Windows\System32\svchost.exe
    828 C:\Windows\System32\svchost.exe
    892 C:\Windows\System32\svchost.exe
    948 C:\Windows\System32\svchost.exe
    980 C:\Windows\System32\wisptis.exe
    108 C:\Windows\System32\svchost.exe
    640 C:\Windows\System32\svchost.exe
    1136 C:\Windows\System32\svchost.exe
    1292 C:\Windows\System32\wisptis.exe
    1336 C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
    1436 C:\Windows\explorer.exe
    1536 C:\Windows\System32\ctfmon.exe
    1564 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    1000 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    1208 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    808 C:\Users\Bowen\Downloads\MBRCheck.exe
    1084 C:\Windows\System32\conhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000035`f0300000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD2500BEVS-26VAT0, Rev: 11.01A11

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: A7CEF36363F5C16CC311122770D0B9723F5430D3


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
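The "MBR Code Faked!" verdict above comes from hashing the boot-code region of the first sector and comparing it with known-good hashes. As an added example (not code from the thread or from MBRCheck), here is a small Python triage script that parses a 512-byte MBR, does that hash comparison and sanity-checks the partition table on constructed sample sectors; the allowlist hash, sample boot code and partition layout are placeholders, not real Windows 7 MBR values.

```python
"""Triage a 512-byte MBR sector the way MBRCheck's "MBR Code Faked!" verdict does.

Added example, not code from the thread or from MBRCheck: it hashes the
boot-code region (bytes 0..439), compares it with an allowlist of known-good
hashes and sanity-checks the partition table. The allowlist entry and the
sample boot code below are constructed placeholders, not real Windows 7 MBR
bytes or hashes.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot-strap code occupies bytes 0..439
DISK_SIG_OFF = 440           # 4-byte NT disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511

# Constructed stand-ins for "vendor" and "unknown" boot code (440 bytes each).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0" + b"\x90" * 436
UNKNOWN_BOOT_CODE = bytes(range(256)) + bytes(184)

# Placeholder allowlist: a real tool ships the hashes of the vendor MBRs.
KNOWN_GOOD_SHA1 = {hashlib.sha1(CLEAN_BOOT_CODE).hexdigest().upper()}

# Constructed Windows-7-style layout: active 100 MB System Reserved, then C:
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 400000000)]


def build_sector(boot_code, partitions, disk_sig=0x1234ABCD):
    """Assemble a sector from boot code and (status, type, lba, count) tuples."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        # CHS fields are left zero; only the LBA fields matter here.
        struct.pack_into("<B3sB3sII", sec, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sec[510:512] = SIGNATURE
    return bytes(sec)


def boot_code_sha1(sector):
    """SHA1 of the boot-code region, upper-case hex like MBRCheck prints it."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            "<B3BB3BII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(sector):
    """Parse one sector and list the findings a triage tool would report."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("need exactly one 512-byte sector")
    partitions = parse_partitions(sector)
    sha1 = boot_code_sha1(sector)
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA signature")
    if sha1 not in KNOWN_GOOD_SHA1:
        findings.append("MBR Code Faked! (boot code not in allowlist)")
    active = [p for p in partitions if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} bootable partitions (expected 1)")
    return {"boot_code_sha1": sha1,
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
            "partitions": partitions, "findings": findings}


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_BOOT_CODE), ("unknown", UNKNOWN_BOOT_CODE)):
        report = check_mbr(build_sector(code, SAMPLE_PARTITIONS))
        print(label, report["boot_code_sha1"], report["findings"] or "OK")
```

On a real system the sector would come from reading the first 512 bytes of the physical drive (with administrative rights) rather than from `build_sector`.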
     
  16. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    I really don't see much there.

    Let's see if fixing your MBR will change anything.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 2 to overwrite the infected MBR Code with the Windows 7 MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
     
  17. Syoka

    Syoka TS Rookie Topic Starter

    After pressing "Enter" for English, I saw the following and was unable to continue:

    "Can't open CD driver CDRCACH
    SHSUCDX can't install.
    ERROR: Failure loading; unable to find CD-ROM drive!
    ERROR: If you have multiple CD-ROM drives, please remove the other CD-ROM discs and try again. Otherwise your disc may be corrupt or the CD-ROM driver does not correctly support your system.
    Please reboot your computer now. "

    I'm pretty sure my CD is not corrupt. Any ideas now?
     
  18. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Yes. We'll try a different method.

    If you have Vista/7 DVD...

    start with step 2

    If you don't have Vista/7 DVD...

    1. Create Vista/7 Recovery Disc.

    Option 1 :
    Vista: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html (Option Two)
    Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

    Option 2:
    Download Vista Recovery Disc iso image: http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
    Download Windows 7 Recovery Disc iso image: http://neosmart.net/blog/2009/windows-7-system-repair-discs/
    Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning ISO Images to a CD or DVD

    2. Boot from created disk.

    Vista users. At first screen click on Repair your computer:

    Windows 7 users. At first screen click on Install now:
    Select your language and click next:
    Click the button for "Use recovery tools":

    The following applies to both Vista and Windows 7 users.

    This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
    After this, it will present you with a list of options including startup repair, system restore and command prompt:
    Select Command Prompt

    Type in:
    bootrec /FixMbr (<--- there is a "space" after "bootrec")
    and then press Enter

    Once completed then type Exit, press Enter and restart computer.

    Post fresh MBRCheck log.
     
  19. Syoka

    Syoka TS Rookie Topic Starter

    Hey Broni,
    I can't burn the dvd from my computer because the drivers for my dvd burner aren't available in safe mode (and I can't start normally).

    I'm currently trying to burn from an external source.

    Update: I fixed the mbr, and now my computer is completely unbootable using any form of windows (safe mode w/ or w/o networking as well). It doesn't even get to the windows loading screen before flashing blue screen and then crash (I can't read the error message fast enough).
     
  20. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    I need more details...
    How did you burn that disk?
    Did you use a CD or a DVD?
    Tell me more, what exactly happened.
     
  21. Syoka

    Syoka TS Rookie Topic Starter

    I burned the disk using a windows 7 recovery iso downloaded from this site: http://neosmart.net/blog/2009/windows-7-system-repair-discs/
    (64 bit windows 7)
    I burned it onto a DVD. I followed the instructions and fixed the MBR from the command prompt after booting from the DVD.
    Afterwards, it asked to restart, but my computer will not even get to the Windows loading screen anymore. After the blinking line at the top right-hand corner of my usual Windows start-up (right before it loads Windows), it crashes. All I see is a blue screen with white text filling up half the screen (so it must be different from the usual BSODs with text that fills up all of the screen and has a memory dump). It's only there for a fraction of a second before my computer tries to reboot again, with the same result.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Did you try Safe Mode?
     
  23. Syoka

    Syoka TS Rookie Topic Starter

    Yes, I tried safe mode and safe mode with networking. Same result.
     
  24. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Boot from the very same DVD and try to fix the MBR one more time.
    If still no go, boot from the DVD again and try "Startup repair".
    If that doesn't work either, boot from the DVD again and try "System restore".
     
  25. Syoka

    Syoka TS Rookie Topic Starter

    So far, fixing the MBR again and startup repair are a no-go. Startup repair couldn't fix anything. I'm working on the system restore, but it's taking a while. I'll keep you updated while I let it finish running tonight.

    Thanks for your patience up till now. If this doesn't work, do you think it might be time to call it quits and reformat? :(

    Update: Windows cannot do system restore. It says "unspecified error".
     
Topic Status:
Not open for further replies.

