Inactive Malwarebytes keeps blocking 206.161.121.6

Yes, post #22 and post #24 are each the contents of a single log file which, as you point out, has entries for both debug.cpp and for boot_cleaner.cpp.

To make the code you gave me above run, I have to make it refer to boot_cleaner.exe, which is what the .exe is called on my Desktop. If I don't replace "boot cleaner.exe" with "boot_cleaner.exe" in the code above, it fails because it can't find "boot".

When I run the modified code, I get the command window and a Windows dialog box strongly recommending that I click Yes to allow it to reboot the computer after disinfection to prevent the trojan from restoring the malicious boot code. I'm going to let it reboot. When I'm back up, I'll run boot_cleaner.exe again (the regular way, not with fix.bat) and send you the log. Be right back ...
 
Here's the latest log. It seems to still see a problem.

------------------------------------

.\debug.cpp(238) : Debug log started at 26.06.2012 - 19:06:22
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.1
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x804d7000 0x00217580 "\WINDOWS\system32\ntoskrnl.exe"
.\debug.cpp(256) : 0x806ef000 0x00020300 "\WINDOWS\system32\hal.dll"
.\debug.cpp(256) : 0xf7d2f000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
.\debug.cpp(256) : 0xf7c3f000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
.\debug.cpp(256) : 0xf77e0000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xf7d31000 0x00002000 "\WINDOWS\System32\DRIVERS\WMILIB.SYS"
.\debug.cpp(256) : 0xf77cf000 0x00011000 "pci.sys"
.\debug.cpp(256) : 0xf782f000 0x0000a000 "isapnp.sys"
.\debug.cpp(256) : 0xf7df7000 0x00001000 "pciide.sys"
.\debug.cpp(256) : 0xf7aaf000 0x00007000 "\WINDOWS\System32\DRIVERS\PCIIDEX.SYS"
.\debug.cpp(256) : 0xf783f000 0x0000b000 "MountMgr.sys"
.\debug.cpp(256) : 0xf77b0000 0x0001f000 "ftdisk.sys"
.\debug.cpp(256) : 0xf7ab7000 0x00005000 "PartMgr.sys"
.\debug.cpp(256) : 0xf784f000 0x0000d000 "VolSnap.sys"
.\debug.cpp(256) : 0xf7798000 0x00018000 "atapi.sys"
.\debug.cpp(256) : 0xf785f000 0x00009000 "disk.sys"
.\debug.cpp(256) : 0xf786f000 0x0000d000 "\WINDOWS\System32\DRIVERS\CLASSPNP.SYS"
.\debug.cpp(256) : 0xf7778000 0x00020000 "fltmgr.sys"
.\debug.cpp(256) : 0xf7766000 0x00012000 "sr.sys"
.\debug.cpp(256) : 0xf787f000 0x00009000 "PxHelp20.sys"
.\debug.cpp(256) : 0xf774f000 0x00017000 "KSecDD.sys"
.\debug.cpp(256) : 0xf76c2000 0x0008d000 "Ntfs.sys"
.\debug.cpp(256) : 0xf7695000 0x0002d000 "NDIS.sys"
.\debug.cpp(256) : 0xf767a000 0x0001b000 "snapman.sys"
.\debug.cpp(256) : 0xf7660000 0x0001a000 "Mup.sys"
.\debug.cpp(256) : 0xf788f000 0x0000b000 "agp440.sys"
.\debug.cpp(256) : 0xf796f000 0x00009000 "\SystemRoot\System32\DRIVERS\intelppm.sys"
.\debug.cpp(256) : 0xf7596000 0x00049000 "\SystemRoot\System32\DRIVERS\ati2mtaa.sys"
.\debug.cpp(256) : 0xf7582000 0x00014000 "\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS"
.\debug.cpp(256) : 0xf7b2f000 0x00006000 "\SystemRoot\System32\DRIVERS\usbuhci.sys"
.\debug.cpp(256) : 0xf755e000 0x00024000 "\SystemRoot\System32\DRIVERS\USBPORT.SYS"
.\debug.cpp(256) : 0xf7528000 0x00036000 "\SystemRoot\System32\DRIVERS\HSFBS2S2.sys"
.\debug.cpp(256) : 0xf7505000 0x00023000 "\SystemRoot\System32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0xf7406000 0x000ff000 "\SystemRoot\System32\DRIVERS\HSFDPSP2.sys"
.\debug.cpp(256) : 0xf735e000 0x000a8000 "\SystemRoot\System32\DRIVERS\HSFCXTS2.sys"
.\debug.cpp(256) : 0xf7b47000 0x00008000 "\SystemRoot\System32\Drivers\Modem.SYS"
.\debug.cpp(256) : 0xf797f000 0x0000b000 "\SystemRoot\System32\DRIVERS\dlkfet5b.sys"
.\debug.cpp(256) : 0xf7b4f000 0x00007000 "\SystemRoot\System32\DRIVERS\fdc.sys"
.\debug.cpp(256) : 0xf798f000 0x0000d000 "\SystemRoot\System32\DRIVERS\i8042prt.sys"
.\debug.cpp(256) : 0xf7b57000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0xf7b5f000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0xf799f000 0x00010000 "\SystemRoot\System32\DRIVERS\serial.sys"
.\debug.cpp(256) : 0xf7d0f000 0x00004000 "\SystemRoot\System32\DRIVERS\serenum.sys"
.\debug.cpp(256) : 0xf734a000 0x00014000 "\SystemRoot\System32\DRIVERS\parport.sys"
.\debug.cpp(256) : 0xf79af000 0x00010000 "\SystemRoot\System32\DRIVERS\cdrom.sys"
.\debug.cpp(256) : 0xf79bf000 0x0000f000 "\SystemRoot\System32\DRIVERS\redbook.sys"
.\debug.cpp(256) : 0xf79cf000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
.\debug.cpp(256) : 0xf7338000 0x00012000 "\SystemRoot\System32\Drivers\KUSBusByTCPMasterBus.sys"
.\debug.cpp(256) : 0xf7b67000 0x00005000 "\SystemRoot\System32\Drivers\TDI.SYS"
.\debug.cpp(256) : 0xf7ec4000 0x00001000 "\SystemRoot\System32\DRIVERS\audstub.sys"
.\debug.cpp(256) : 0xf79df000 0x0000d000 "\SystemRoot\System32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0xf7d1b000 0x00003000 "\SystemRoot\System32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0xf7321000 0x00017000 "\SystemRoot\System32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0xf79ef000 0x0000b000 "\SystemRoot\System32\DRIVERS\raspppoe.sys"
.\debug.cpp(256) : 0xf79ff000 0x0000c000 "\SystemRoot\System32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0xf7310000 0x00011000 "\SystemRoot\System32\DRIVERS\psched.sys"
.\debug.cpp(256) : 0xf7a0f000 0x00009000 "\SystemRoot\System32\DRIVERS\msgpc.sys"
.\debug.cpp(256) : 0xf7b6f000 0x00005000 "\SystemRoot\System32\DRIVERS\ptilink.sys"
.\debug.cpp(256) : 0xf7b77000 0x00005000 "\SystemRoot\System32\DRIVERS\raspti.sys"
.\debug.cpp(256) : 0xf7a1f000 0x0000a000 "\SystemRoot\System32\DRIVERS\termdd.sys"
.\debug.cpp(256) : 0xf7d3f000 0x00002000 "\SystemRoot\System32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0xf72b2000 0x0005e000 "\SystemRoot\System32\DRIVERS\update.sys"
.\debug.cpp(256) : 0xf7d1f000 0x00004000 "\SystemRoot\System32\DRIVERS\mssmbios.sys"
.\debug.cpp(256) : 0xf7a2f000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0xf7a3f000 0x0000f000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0xf7d41000 0x00002000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0xf760b000 0x00004000 "\SystemRoot\system32\drivers\MODEMCSA.sys"
.\debug.cpp(256) : 0xf7b8f000 0x00005000 "\SystemRoot\System32\DRIVERS\flpydisk.sys"
.\debug.cpp(256) : 0xf7d4f000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0xf7f24000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0xf7d51000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
.\debug.cpp(256) : 0xf7b9f000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0xf7d53000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
.\debug.cpp(256) : 0xf7d55000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
.\debug.cpp(256) : 0xf7ba7000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0xf7baf000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0xf75ef000 0x00003000 "\SystemRoot\System32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0xf414f000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
.\debug.cpp(256) : 0xf40f6000 0x00059000 "\SystemRoot\System32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xf40ce000 0x00028000 "\SystemRoot\System32\DRIVERS\netbt.sys"
.\debug.cpp(256) : 0xf7cf7000 0x00003000 "\SystemRoot\System32\drivers\ws2ifsl.sys"
.\debug.cpp(256) : 0xf40a8000 0x00026000 "\SystemRoot\System32\DRIVERS\ipnat.sys"
.\debug.cpp(256) : 0xf7a8f000 0x00009000 "\SystemRoot\System32\DRIVERS\wanarp.sys"
.\debug.cpp(256) : 0xf4086000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
.\debug.cpp(256) : 0xf7a9f000 0x00009000 "\SystemRoot\System32\DRIVERS\netbios.sys"
.\debug.cpp(256) : 0xf7bb7000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
.\debug.cpp(256) : 0xf405b000 0x0002b000 "\SystemRoot\System32\DRIVERS\rdbss.sys"
.\debug.cpp(256) : 0xf7d07000 0x00004000 "\SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS"
.\debug.cpp(256) : 0xf3feb000 0x00070000 "\SystemRoot\System32\DRIVERS\mrxsmb.sys"
.\debug.cpp(256) : 0xf78cf000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
.\debug.cpp(256) : 0xf78df000 0x0000c000 "\SystemRoot\system32\DRIVERS\avkmgr.sys"
.\debug.cpp(256) : 0xf3f9e000 0x00025000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
.\debug.cpp(256) : 0xf78ff000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
.\debug.cpp(256) : 0xf3f86000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
.\debug.cpp(256) : 0xf7d9b000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
.\debug.cpp(256) : 0xbf800000 0x001c7000 "\SystemRoot\System32\win32k.sys"
.\debug.cpp(256) : 0xf418e000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
.\debug.cpp(256) : 0xf7c07000 0x00005000 "\SystemRoot\System32\watchdog.sys"
.\debug.cpp(256) : 0xbf000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
.\debug.cpp(256) : 0xf7e4a000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
.\debug.cpp(256) : 0xbf012000 0x0004e000 "\SystemRoot\System32\ati2dvaa.dll"
.\debug.cpp(256) : 0xbf060000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
.\debug.cpp(256) : 0xf1e2b000 0x0001b000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
.\debug.cpp(256) : 0xf1eaa000 0x00004000 "\??\C:\WINDOWS\system32\drivers\mbam.sys"
.\debug.cpp(256) : 0xf1e27000 0x00004000 "\SystemRoot\System32\DRIVERS\ndisuio.sys"
.\debug.cpp(256) : 0xf7db7000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
.\debug.cpp(256) : 0xf0981000 0x00058000 "\SystemRoot\System32\DRIVERS\srv.sys"
.\debug.cpp(256) : 0xf094d000 0x00003000 "\SystemRoot\System32\DRIVERS\mdmxsdk.sys"
.\debug.cpp(256) : 0xf0440000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
.\debug.cpp(256) : 0xf05e1000 0x00009000 "\SystemRoot\System32\DRIVERS\ipfltdrv.sys"
.\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
.\debug.cpp(263) : **********************************************
.\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
.\debug.cpp(308) : **********************************************
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&1dd1b184&0&0.1.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-20"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
.\debug.cpp(400) : Destination "\Device\Ndis"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
.\debug.cpp(400) : Destination "\Device\Video0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskWDC_WD5000AAKB-00H8A0___________________05.04E05#5&b1800df&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T1L0-c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
.\debug.cpp(400) : Destination "\Device\Video1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000030"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
.\debug.cpp(400) : Destination "\Device\Ip"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
.\debug.cpp(400) : Destination "\Device\Video2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_15_Model_2#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\0000003d"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
.\debug.cpp(400) : Destination "\Device\IPSEC"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&11876118&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000004f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
.\debug.cpp(400) : Destination "\Device\Video3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000002f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\snapman"
.\debug.cpp(400) : Destination "\Device\snapman"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
.\debug.cpp(400) : Destination "\Device\NDProxy"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24C7&SUBSYS_01421028&REV_01#3&172e68dd&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\$VDMLPT1"
.\debug.cpp(400) : Destination "\Device\ParallelVdm0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\OMCI"
.\debug.cpp(400) : Destination "\Device\OMCI"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24C2&SUBSYS_01421028&REV_01#3&172e68dd&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
.\debug.cpp(400) : Destination "\Device\WMIDataDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b31020b2-90e6-11de-bcf2-0013466d4b29}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
.\debug.cpp(400) : Destination "\Device\Serial0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{74ACFCE6-C54F-480E-972A-727A489DF736}"
.\debug.cpp(400) : Destination "\Device\{74ACFCE6-C54F-480E-972A-727A489DF736}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1002&DEV_5446&SUBSYS_04091002&REV_00#4&ec7a465&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0014"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
.\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination "\Device\NamedPipe"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&192a1af1&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3E0EA16A-89A4-474F-8140-5EB859A634D8}"
.\debug.cpp(400) : Destination "\Device\{3E0EA16A-89A4-474F-8140-5EB859A634D8}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM3"
.\debug.cpp(400) : Destination "\Device\Winachsf0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&1dd1b184&0&0.1.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-20"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination "\Device\Mup"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
.\debug.cpp(400) : Destination "\Device\PSched"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
.\debug.cpp(400) : Destination "\Device\IPNAT"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination "\Device\USBFDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
.\debug.cpp(400) : Destination "\Device\Tcp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SoftV90 Voice Speakerphone Modem"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPFILTERDRIVER"
.\debug.cpp(400) : Destination "\Device\IPFILTERDRIVER"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskIC35L020AVVA07-0________________________VA1OA51A#5&b1800df&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
.\debug.cpp(400) : Destination "\Device\VideoPdo0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination "\Device\USBFDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&27daeab8&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000034"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ConexantDiagnosticsServer"
.\debug.cpp(400) : Destination "\Device\ConexantDiagnosticsServer"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination "\DosDevices\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000033"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
.\debug.cpp(400) : Destination "\Device\USBFDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\RKSAMPLE0"
.\debug.cpp(400) : Destination "\Device\RKSAMPLE0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DR1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureEAFA88CAOffset70801F6E00Length3F0791400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
.\debug.cpp(400) : Destination "\Device\FsWrap"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000032"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureD395D395Offset7E00Length4A8D00400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#5&c4ae404&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\FloppyPDO0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&11876118&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000004e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination "\GLOBAL??"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination "\Device\00000050"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1106&DEV_3106&SUBSYS_14061186&REV_86#4&3b1caf2b&0&60F0#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&15bd56d3&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24C4&SUBSYS_01421028&REV_01#3&172e68dd&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{5E433507-2E27-478B-BE05-F33D397F340B}"
.\debug.cpp(400) : Destination "\Device\{5E433507-2E27-478B-BE05-F33D397F340B}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{7c0e97b0-bfc1-11e1-9cd4-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{93ba1ac2-6e06-11de-822c-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&1dd1b184&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-20"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{734AAA26-7999-4AF1-A98F-3D6E7115E047}"
.\debug.cpp(400) : Destination "\Device\{734AAA26-7999-4AF1-A98F-3D6E7115E047}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HSF_MDMDevice0"
.\debug.cpp(400) : Destination "\Device\HSF_MDMDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD9"
.\debug.cpp(400) : Destination "\Device\MasterBus"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
.\debug.cpp(400) : Destination "\Device\00000050"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
.\debug.cpp(400) : Destination "\Device\MountPointManager"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{93ba1ac3-6e06-11de-822c-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
.\debug.cpp(400) : Destination "\Device\ssmctl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000002e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
.\debug.cpp(400) : Destination "\Device\WANARP"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#Kernel#0000#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\00000003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
.\debug.cpp(400) : Destination "\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
.\debug.cpp(400) : Destination "\Device\NdisWanIp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&2b5bba71&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14F1&DEV_2016&SUBSYS_021913E0&REV_01#4&3b1caf2b&0&08F0#{adb44c00-1b8d-11d4-8d5e-00a0c90d1c42}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000031"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{ECD5ED38-46FA-4EE4-B2A9-8CEAA337F1FE}"
.\debug.cpp(400) : Destination "\Device\{ECD5ED38-46FA-4EE4-B2A9-8CEAA337F1FE}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
.\debug.cpp(400) : Destination "\Device\ParTechInc0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
.\debug.cpp(400) : Destination "\Device\NdisTapi"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{93ba1ac1-6e06-11de-822c-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLite-On_LTN486S_48x_Max_________________YDS4____#5&1dd1b184&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-18"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
.\debug.cpp(400) : Destination "\Device\NdisWan"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#Kernel#0000#{4338037d-a198-437b-9324-257d10dea4ee}"
.\debug.cpp(400) : Destination "\Device\00000003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
.\debug.cpp(400) : Destination "\Device\NamedPipe\Spooler\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
.\debug.cpp(400) : Destination "\Device\IPMULTICAST"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{344EF481-706F-44D5-BF11-9A70B0706FB1}"
.\debug.cpp(400) : Destination "\Device\{344EF481-706F-44D5-BF11-9A70B0706FB1}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
.\debug.cpp(400) : Destination "\Device\ParTechInc1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureEAFA88CAOffset7E00Length70801E7200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
.\debug.cpp(400) : Destination "\Device\LanmanRedirector"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLite-On_LTN486S_48x_Max_________________YDS4____#5&1dd1b184&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-18"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
.\debug.cpp(400) : Destination "\Device\ParTechInc2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination "\Device\FtControl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MBAMProtector"
.\debug.cpp(400) : Destination "\Device\MBAMProtector"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
.\debug.cpp(400) : Destination "\Device\MailSlot"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
.\debug.cpp(400) : Destination "\DosDevices\COM1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14F1&DEV_2016&SUBSYS_021913E0&REV_01#4&3b1caf2b&0&08F0#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b31020b0-90e6-11de-bcf2-0013466d4b29}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) : Destination "\Device\Null"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
.\debug.cpp(400) : Destination "\Device\Ndisuio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000036"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NONSPOOLED_LPT1"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000035"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3291A99A-DAEE-4669-AE2B-FDA76E78B86C}"
.\debug.cpp(400) : Destination "\Device\{3291A99A-DAEE-4669-AE2B-FDA76E78B86C}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
.\debug.cpp(400) : Destination "\Device\avipbb"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0401#4&11876118&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
.\debug.cpp(400) : Destination "\Device\00000051"
.\debug.cpp(409) : --
.\debug.cpp(453) : **********************************************
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
.\boot_cleaner.cpp(1061) :
.\boot_cleaner.cpp(1062) : Size Device Name MBR Status
.\boot_cleaner.cpp(1063) : --------------------------------------------
.\boot_cleaner.cpp(1107) : 18 GB \\.\PhysicalDrive0 Controlled by rootkit!
.\boot_cleaner.cpp(1113) :
.\boot_cleaner.cpp(1136) : Boot code on some of your physical disks is hidden by a rootkit.
.\boot_cleaner.cpp(1138) : To disinfect the master boot sector, use the following command:
.\boot_cleaner.cpp(1139) : remover.exe fix <device_name>
.\boot_cleaner.cpp(1143) : To inspect the boot code manually, dump the master boot sector:
.\boot_cleaner.cpp(1144) : remover.exe dump <device_name> [output_file]
.\boot_cleaner.cpp(1147) :
.\boot_cleaner.cpp(1152) : Done;
 
We are going to use another program to check the MBR. Not only has the Bootkit Remover left its original site, but the entire program appears to have been restructured and we are getting conflicting information:

I need 2 things from you:
First: Are you still having the "Eureka" moment? That is, is the system in that state? If not, are you still seeing the Mbam blocks?
--------------------
And second, let's see what this scan shows us:
Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.
=========================================

Depending on what the scan shows, I will take the next step.
 
Yes, the system is still running with about as much pep as it should.
Yes, Mbam is still repeatedly blocking that IP address.

One new development is that at shutdown, rundll32.exe won't shut down gracefully and must be killed.

MBRCheck did find problems. (FYI, there's nothing on F: that matters, so it could be re-formatted to fix any problem it has.)

---------------------------------------------

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d
Kernel Drivers (total 113):
Processes (total 30):
0 System Idle Process
4 System
624 C:\WINDOWS\system32\smss.exe
1080 csrss.exe
1140 C:\WINDOWS\system32\winlogon.exe
1248 C:\WINDOWS\system32\services.exe
1260 C:\WINDOWS\system32\lsass.exe
1592 C:\WINDOWS\system32\svchost.exe
1772 svchost.exe
1912 C:\WINDOWS\system32\svchost.exe
1972 svchost.exe
504 svchost.exe
788 C:\WINDOWS\system32\spoolsv.exe
832 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1796 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
216 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
288 C:\Program Files\Java\jre7\bin\jqs.exe
404 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
992 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1276 alg.exe
1096 C:\WINDOWS\explorer.exe
2924 C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
3444 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3504 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
4032 C:\WINDOWS\system32\ctfmon.exe
4080 C:\WINDOWS\system32\rundll32.exe
1576 C:\WINDOWS\system32\svchost.exe
3964 C:\WINDOWS\system32\wscntfy.exe
3720 C:\Program Files\Internet Explorer\iexplore.exe
3112 C:\Documents and Settings\Charlie\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
PhysicalDrive0 Model Number: IC35L020AVVA07-0, Rev: VA1OA51A
PhysicalDrive1 Model Number: WDCWD5000AAKB-00H8A0, Rev: 05.04E05
Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528
465 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!
 
The application hang that you are reporting can be checked using the Event Viewer.

From OTL:
Drive C: | 18.64 Gb Total Space | 4.68 Gb Free Space | 25.10% Space Free | Partition Type: NTFS
Drive F: | 450.00 Gb Total Space | 449.88 Gb Free Space | 99.97% Space Free | Partition Type: NTFS

Please explain the above. Normally, Drive C is the hard drive, PhysicalDrive 0, Total space would be the 450GB.

But you tell me that there is 'nothing' on the F Drive, although it has the 'space' of the hard drive. Both drives show 'faked MBR'.
--------------------------------------
The MBR scan shows:

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)<< usually the hard drive
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
PhysicalDrive0 Model Number: IC35L020AVVA07-0, Rev: VA1OA51A
PhysicalDrive1 Model Number: WDCWD5000AAKB-00H8A0, Rev: 05.04E05
Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528
465 GB \\.\PhysicalDrive1 MBR Code Faked!<<< but this is hard drive 'size'
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
=============================
For the hanging app:
Click on Start> Run> type in eventvwr.> Enter> Double click on the Application log to open> Look for app hangs for the app that isn't closing> right click> Properties> Copy the information to include:
Event ID #:
Source:
Description:
 
About the drives. I believe that C: is the drive that the computer was originally bought with (long ago, hence the relatively small size by today's standards). I think that F: is a more recent addition that we had hanging around and installed just for the heck of it.

F: does have some stuff on it. What I should have said is that it doesn't have anything on it that's worth keeping.

About the app hanging on shutdown. Based on dates and times in the event log, it must be one of these two events:

1:20:16 PM; 1524; Userenv; Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

1:20:17 PM; 1517; Userenv;
Windows saved user BEACON1003\Charlie registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Something new cropped up this morning when I turned on the computer. Avira reported that uhdovosl.dll is infected with TR/Tracur.AN.145 and wants to move it to quarantine.

The offer to just re-format C: and/or F: still stands, if this is getting to be too much.

Thanks, Bobbye!
 
I believe that C: is the drive that the computer was originally bought with (long ago, hence the relatively small size by today's standards). I think that F: is a more recent addition that we had hanging around and installed just for the heck of it.

You can't just install an external hard drive 'for the heck of it'! If it's connected when you're working, it looks like it is the primary hard drive. Conversely, if you did not have it connected when you wanted to run a program, DDS for example, it's not going to run because technically, the functioning hard drive isn't connected.

According to the specs I left, it appears that the F Drive is now functioning as the C Drive. Scanners will usually read the C Drive as the main hard drive unless they are told differently.

I think this is what is causing the problem with reading, and removing, the rootkit.
=========================================
As for the 2 Events you left: please reboot the computer and they will be handled. The 'Warning' is commonplace- my log has them. Can also be caused when in Stand By mode as the Registry isn't released. The 'Warning' progresses to the 'Error' if a reboot isn't done occasionally.
 
It's not an external drive. It's internal, connected to the ribbon cable and configured as a slave drive. It's F: instead of D: because the two CD drives are D: and E:.

If it would make it easier if I just removed the F: slave drive, that's no problem! Let me know if that's the thing to do, and what step(s) to re-run after doing it.

Thanks, and sorry for the confusion!
 
The problem is that now Drive F has the OS on it; it appears that both of these drives are going to have to be fixed, as the scans are considering Drive C as the primary hard drive.
------------------------------------
Double click MBRCheck.exe to run again. For Drive C:

If "Found non-standard/infected/unknown bootcode" is found>
  1. Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:
  2. Enter your choice:> "Restore the MBR of a physical disk with a standard boot code."
  3. For "Enter the physical disk number to fix (0-99, -1 to cancel)> type 0> press Enter.
  4. The program will show Available MBR codes:, followed by a list of operating systems.
    Available MBR codes:
    [ 0] Default (Windows Vista)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
  5. Select the MBR code to write to this drive according to your OS (Example: Enter 1 if using Windows XP, then Enter.)
  6. The program will prompt for confirmation. Type YES and hit Enter.
  7. Left click on the title bar> Click on Edit> Select All> Enter> Copy
  8. Paste that text into Notepad, save it to your desktop as MBRCheck results.txt
  9. Important! Restart your PC for the fix to take effect.
  10. Post the contents of the MBRCheck results log in your next reply.
------------------------------
For Drive F:
Go back and repeat, except change the physical disk number in line #3 to 1> Press Enter> finish the choices and run.
=======================================
Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
This step is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.

Logs in next reply please.
 
There's no joy in Mudville...

I did as you directed, including re-booting, and it says it's removing the problem, but when (after re-boot) I run MBRcheck again, it still reports a problem:

--------------------------------------------------

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528
465 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: Y
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice: 2
Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

Done!
Press ENTER to exit...

-----------------------------------
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528
465 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
----------------------------------------------------------------------------------

I tried it all a second time, too, but the results were identical.

I'm heading out for the weekend soon, so there's no rush in pondering the next move.

Thanks, Bobbye!
 
Enjoy your weekend! The next step is to run the MGA Diagnostic. Instructions are in my Reply #34.
 
Here's the log:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {0407BCA0-0823-44E3-A3E7-1C58A01BB640}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{0407BCA0-0823-44E3-A3E7-1C58A01BB640}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-1292428093-1482476501-1801674531</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 4550 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A01</Version><SMBIOSVersion major="2" minor="3"/><Date>20020917000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>30CA33AF01842062</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B275:Dell Inc|1B275:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System
OEM Activation 2.0 Data-->
N/A

---------------------------------------------------------------------------------------

Step #34 above also asks about the COA sticker. It's on the outside of the computer, it's for Windows XP Home Edition, and it says DELL in bold black letters.

Charlie
 
Charlie, there are a lot of N/A in the report above. I haven't seen that before.

I cannot find anything on the internet that blacklists this IP. I identified it for you. I did find others that were experiencing the same blocked IP however. Try disabling the 'block' feature in Mbam:
To disable and re-enable whenever you want do this by right clicking on the Malwarebytes tray icon and uncheck Enable Protection. OR you can enter this IP to be "ignored."
==================================
About the 2 drives and the Fake MBR:
This is the confusing one. Drive C was the original hard drive and would have had the MBR on it.
I think that F: is a more recent addition that we had hanging around and installed just for the heck of it.
F: does have some stuff on it. What I should have said is that it doesn't have anything on it that's worth keeping.

So the Fake MBR is now also on the F Drive. Although you state that the F Drive does have "stuff" on it, you also state that losing that "stuff" isn't an issue.

Which drive are you booting from? Let's see if we can pin this down any more. The following isn't a find, check, remove scan. It's a find-the-MBR-and-save-a-copy-to-the-desktop scan. I'm hoping I get more information from your running the scan on both the C Drive and the F drive. Leave the logs for each. Make sure they are correctly identified:

Download aswMBR to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan:
  • On completion of the scan click "Save log", save it to your desktop
  • Post in your next reply:
NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
I checked the Boot Sequence and it's CD-ROM (and there's no CD in the drive); C:; diskette.

I've downloaded aswMBR.exe to the Desktop. When I double-click it, I get the expected "Open File - Security Warning" dialog box. When I click the Run button of this dialog box, the dialog box vanishes, but nothing else happens. The same is true even if I turn off Avira and MalwareBytes.

With the Task Manager open, I can see aswMBR.exe appear briefly in the Processes list, use a few CPU cycles, then disappear almost immediately.

Sorry!
 
I checked the Boot Sequence and it's CD-ROM (and there's no CD in the drive); C:; diskette.
For boot sequence, the default will normally be A: (the diskette), C: (the hard drive), CD-ROM.

Computers normally boot (start) from the hard drive – which makes sense as this is where Windows is stored.

(an example of needing to boot from the CD would be if you are reinstalling Windows)

Did you go into the BIOS to find this? Is there any particular reason it's set to boot from the CD-ROM? The boot order needs to be reset to the hard drive first. But going into and making a change in the BIOS can be risky. You should be able to safely do this, but you must not make any other changes. You use the arrow keys on the keyboard to navigate.

Please see this link for help:
http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange.htm

READ the entire process first. Print if you can. Remember, the only setting you want to change is to make 'boot from hard drive' first.

It will be of interest to know if there is an 'H Drive'!
 
I had changed the boot sequence before this thread began. I was booting off the Avira Rescue CD in order to clear some viruses that seemed to be causing massive numbers of "Delayed write to disk failed" error messages. That all seemed to go well. The only remaining problem seemed to be the one that made me start this thread.

I've changed the boot sequence back to hard drive; CD; diskette.

There's no drive H. My Computer reports A: (floppy), C: (Local Disk), D: (CD drive), E: (CD-RW drive), and F: (Local Disk).
I can certainly remove F: if that would make things less confusing.

I tried aswMBR.exe again, but the symptom described in #39 is unchanged.
 
Run this please: NOTE: This is not the MBR check I had you run earlier

Download aswMBR to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan:
  • On completion of the scan click "Save log", save it to your desktop
  • Post in your next reply:
NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
----------------------------------
Sorry about mixing up the Drive letters- I meant F, not H.
 
I downloaded the file from your link in #42. (It appears to be the identical file you linked to in your #38.)

When I try to run it, nothing happens. (Details are the same as I described in #39.) So I still have no aswMBR log to share with you.

System Setup in BIOS doesn't seem to be aware of drive F. I could physically unplug it if you want.
 
Sorry- yes it was the same. I have turned my threads over to the new malware helper, DragonMasterJay. I thought I had included yours, but must have missed it. He will finish with help for the problem.

I am sending the request now- you will be in good hands. Please stay subscribed to the thread.
 
Hi!

It's probably going to be more effective running from a separate boot mode than Windows. If we're dealing with the likes of a controlling bootkit, we'll need to stick to our real guns.


Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
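The mbr.bin that the dd command above produces is one raw 512-byte sector. As an added example (my code, not the helper's and not any of the tools named in this thread), here is a Python parser that pulls the partition table out of such a dump and hashes the boot-code area against a known-good baseline, which is the kind of comparison behind a "MBR Code Faked!" verdict: a bootkit usually leaves the partition table intact and replaces only the boot code, so the partition layout alone looks normal. The sample sectors and the baseline hash are constructed here, and since the page does not say which bytes MBRCheck hashes, these digests are not comparable to the SHA1 values in the logs.

```python
"""Parse a 512-byte MBR dump (e.g. mbr.bin from `dd if=/dev/sda bs=512 count=1`)
and check it against a known-good boot-code hash. Added example, not tool code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code area; disk signature follows at byte 440
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # boot signature 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return the MBR's structural fields plus SHA1 of its boot code and of the whole sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:       # empty slot
            continue
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,   # 0x07 = NTFS
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,  # the "at offset" value MBRCheck prints
            "sectors": count,
            "size_gib": count * SECTOR_SIZE / 1024 ** 3,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_sha1: str) -> list:
    """Compare a dumped MBR with a known-good boot-code hash; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha1"] != baseline_boot_sha1.upper():
        findings.append("boot code differs from baseline (possible faked/hijacked MBR)")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["lba_start"] < 1:
            findings.append(f"partition {p['index']} starts inside the MBR sector")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed test sector: boot code, partition entries, 0x55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, count)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


def load_mbr(path: str) -> bytes:
    """Read the first 512 bytes of a dump file such as mbr.bin."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed stand-in for clean boot code (not real Microsoft bytes), 440 bytes.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(433)
# One active NTFS partition at LBA 63: 63 * 512 = 0x7E00, the offset the logs above
# report for \\.\C:. 39090913 sectors is about 18.64 GiB, matching the OTL figure.
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 39090913)])
BASELINE_SHA1 = parse_mbr(CLEAN_MBR)["boot_code_sha1"]   # known-good hash (constructed)
# Constructed "faked" MBR: identical partition table, different boot code.
FAKED_BOOT_CODE = b"\xeb\x3c\x90" + b"\x90" * 437
FAKED_MBR = build_sample_mbr(FAKED_BOOT_CODE, [(0x80, 0x07, 63, 39090913)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("faked", FAKED_MBR)):
        info = parse_mbr(mbr)
        print(f"{name}: boot code SHA1 {info['boot_code_sha1']} "
              f"findings={check_mbr(mbr, BASELINE_SHA1)}")
        for p in info["partitions"]:
            print(f"  part {p['index']}: type 0x{p['type']:02x} at offset "
                  f"0x{p['byte_offset']:x} ({p['size_gib']:.2f} GiB)")
```

To check a real dump, replace CLEAN_MBR with load_mbr("mbr.bin") and supply a baseline hash taken from the same Windows version on a known-clean machine.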
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 