TechSpot

Nasty virus infection including fake antivirus

By nonaestet
Nov 22, 2010
  1. I have a friend's computer from work that I am attempting to fix, and it seems like it only wants to run in safe mode. I've run several scans, which have come up with various viruses. The original problem was the fake antivirus. I ran Hiren's boot disk, cleaned a lot of the infections off of the computer, and a lot of the issues are resolved, but I'm sure there are more. One of the weird problems it has is when booting normally the system runs the Windows updates every time, yet never installs the updates. This is before the user logs in. The system is running Vista SP1, and I'm sure the updates are needed.

    DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
    Run by Owner at 15:07:58.68 on Mon 11/22/2010
    Internet Explorer: 7.0.6000.16681
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.2424 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: AntiVir Desktop *enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Owner\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
    mRunOnce: [<NO NAME>]
    mRunOnce: [GrpConv] grpconv -o
    StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-3-4 4232704]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-21 135336]
    S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-21 267944]
    S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-21 60936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-3 135664]
    S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-11-22 312152]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-21 1153368]
    S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
    S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-13 1174152]

    =============== Created Last 30 ================

    2010-11-22 19:54:43 -------- d-s---w- C:\ComboFix
    2010-11-22 03:05:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-22 02:53:30 -------- d-----w- c:\users\owner\appdata\roaming\Avira
    2010-11-22 02:43:49 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-22 02:43:46 -------- d-----w- c:\program files\Avira
    2010-11-22 02:43:46 -------- d-----w- c:\progra~2\Avira
    2010-11-22 01:24:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-11-22 01:16:48 -------- d-----w- c:\program files\IObit
    2010-11-21 23:12:13 -------- d-----w- c:\users\owner\appdata\local\Threat Expert
    2010-11-19 01:22:50 -------- d-----w- c:\users\owner\appdata\roaming\Spam Monitor
    2010-11-19 01:22:50 -------- d-----w- c:\users\owner\appdata\roaming\PCToolsFirewallPlus
    2010-11-19 00:32:43 -------- d-----w- c:\progra~2\PC Tools
    2010-11-18 07:56:22 -------- d-----w- c:\users\owner\appdata\local\temp(12)

    ==================== Find3M ====================

    2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
     


  2. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    Ark is the GMER log.
     
  3. Broni

    Broni Malware Annihilator Posts: 52,899   +344

  4. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Also, you pasted an incomplete DDS.txt log, and the MBAM log is missing.
     
  5. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    MBAM does not run a full scan; it locks up on a DLL file. I did not realize that the DDS log was incomplete. I'm running the tool now.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    No need for MBAM full scan.
    If you've read our instructions, we need "Quick scan" only.
     
  7. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
    Run by Owner at 15:07:58.68 on Mon 11/22/2010
    Internet Explorer: 7.0.6000.16681
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.2424 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: AntiVir Desktop *enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Owner\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
    mRunOnce: [<NO NAME>]
    mRunOnce: [GrpConv] grpconv -o
    StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-3-4 4232704]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-21 135336]
    S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-21 267944]
    S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-21 60936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-3 135664]
    S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-11-22 312152]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-21 1153368]
    S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
    S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-13 1174152]

    =============== Created Last 30 ================

    2010-11-22 19:54:43 -------- d-s---w- C:\ComboFix
    2010-11-22 03:05:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-22 02:53:30 -------- d-----w- c:\users\owner\appdata\roaming\Avira
    2010-11-22 02:43:49 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-22 02:43:46 -------- d-----w- c:\program files\Avira
    2010-11-22 02:43:46 -------- d-----w- c:\progra~2\Avira
    2010-11-22 01:24:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-11-22 01:16:48 -------- d-----w- c:\program files\IObit
    2010-11-21 23:12:13 -------- d-----w- c:\users\owner\appdata\local\Threat Expert
    2010-11-19 01:22:50 -------- d-----w- c:\users\owner\appdata\roaming\Spam Monitor
    2010-11-19 01:22:50 -------- d-----w- c:\users\owner\appdata\roaming\PCToolsFirewallPlus
    2010-11-19 00:32:43 -------- d-----w- c:\progra~2\PC Tools
    2010-11-18 07:56:22 -------- d-----w- c:\users\owner\appdata\local\temp(12)

    ==================== Find3M ====================

    2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

    ============= FINISH: 15:09:12.80 ===============
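As an added example (not part of the thread, and not code from the DDS tool), a small triage script over DDS-style log lines like the ones pasted above: it checks that the log reaches its FINISH banner, which is how an incomplete paste like the first one shows up, and flags the entries a helper reads off the Pseudo HJT Report: two real-time AV products installed at once and an outdated one, orphaned "No File" BHO/toolbar entries, UAC switched off (EnableLUA = 0), and hosts-file redirects of security sites. The sample log, the list of security-vendor host hints and the finding labels are constructed for this example.

```python
import re

# Constructed sample modelled on the DDS log pasted above (trimmed, GUIDs
# shortened); it is not the thread's own log.
SAMPLE_LOG = """\
DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-...}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-...}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-...}
============== Pseudo HJT Report ===============
BHO: Spybot-S&D IE Protection: {53707962-...} - c:\\progra~1\\spybot~1\\SDHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
============= FINISH: 15:09:12.80 ===============
"""

# Substrings of security-vendor / update hosts. A hosts-file entry pointing
# one of these at 127.0.0.1 is the classic way malware blocks help sites and
# updates. This list is an assumption for the example, not DDS's own.
SECURITY_HOST_HINTS = ("spywareinfo", "malwarebytes", "avg.", "avira",
                       "symantec", "windowsupdate", "microsoft")


def _lines(log):
    """Normalise a pasted log: strip the indentation forum quoting adds."""
    return [ln.strip() for ln in log.splitlines()]


def is_complete(log):
    """DDS ends every run with a FINISH banner; a paste without one was cut off."""
    return any(re.match(r"^=+ FINISH:", ln) for ln in _lines(log))


def triage(log):
    """Return (kind, detail) findings a helper would call out from a DDS log."""
    findings = []
    lines = _lines(log)

    # More than one real-time AV product installed, and any outdated one.
    av_products = []
    for ln in lines:
        m = re.match(r"^AV: (.+?) \*", ln)
        if m:
            av_products.append(m.group(1))
    if len(av_products) > 1:
        findings.append(("multiple-av", ", ".join(av_products)))
    for ln in lines:
        m = re.match(r"^AV: (.+?) \*.*\(Outdated\)", ln)
        if m:
            findings.append(("outdated-av", m.group(1)))

    for ln in lines:
        # Orphaned browser helper objects / toolbars: a registration left
        # behind after the file itself was removed (often by a cleaner).
        if re.match(r"^(BHO|TB): .* - No File$", ln):
            findings.append(("orphan-entry", ln))
        # EnableLUA = 0 means UAC is switched off; malware does this so that
        # its later actions never prompt the user.
        m = re.match(r"^mPolicies-system: EnableLUA = (\d+)", ln)
        if m and m.group(1) == "0":
            findings.append(("uac-disabled", ln))
        # Hosts-file entries that redirect security sites.
        m = re.match(r"^Hosts: (\S+) (\S+)$", ln)
        if m and any(h in m.group(2).lower() for h in SECURITY_HOST_HINTS):
            findings.append(("hosts-hijack", ln))
    return findings


if __name__ == "__main__":
    print("log complete:", is_complete(SAMPLE_LOG))
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:14} {detail}")
```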
     
  8. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-22 16:21:59
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.04.0
    Running: gmer.exe; Driver: C:\Users\Owner\AppData\Local\Temp\pxrdypoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\Users\Owner\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!DialogBoxIndirectParamW 774D14EA 5 Bytes JMP 713A1667 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!MessageBoxExA 774E570D 5 Bytes JMP 713A15AE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!DialogBoxParamA 774E65BF 5 Bytes JMP 713A162C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!MessageBoxIndirectW 774EF1B3 5 Bytes JMP 712316B6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!DialogBoxParamW 774F129F 5 Bytes JMP 7120F301 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!DialogBoxIndirectParamA 775129C9 5 Bytes JMP 713A16A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!MessageBoxIndirectA 7751FACF 5 Bytes JMP 713A15E8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[616] USER32.dll!MessageBoxExW 7751FBC9 5 Bytes JMP 713A1574 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  9. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    Ahh, OK, I'll post the quick scan log in a couple of minutes. I'm on another forum and was reading their rules; sorry for the misunderstanding.
     
  10. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5166

    Windows 6.0.6000 (Safe Mode)
    Internet Explorer 7.0.6000.16681

    11/23/2010 1:11:11 AM
    mbam-log-2010-11-23 (01-11-11).txt

    Scan type: Quick scan
    Objects scanned: 167879
    Time elapsed: 5 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  11. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    AVG removal tool ran.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Is the computer still unable to boot to normal mode?

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  13. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    Yeah, MBRCheck detects that my master boot record is infected. Here is the log.
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: (build 6000), 32-bit
    Base Board Manufacturer: Intel Corp.
    BIOS Manufacturer: INSYDE
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L355
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 109):
    0x82C00000 \SystemRoot\system32\ntkrnlpa.exe
    0x82FA1000 \SystemRoot\system32\hal.dll
    0x802C6000 \SystemRoot\system32\kdcom.dll
    0x80266000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8025D000 \SystemRoot\system32\PSHED.dll
    0x80255000 \SystemRoot\system32\BOOTVID.dll
    0x8021A000 \SystemRoot\system32\CLFS.SYS
    0x8051F000 \SystemRoot\system32\CI.dll
    0x804A3000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8020D000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80460000 \SystemRoot\system32\drivers\acpi.sys
    0x80204000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x80458000 \SystemRoot\system32\drivers\msisadrv.sys
    0x80433000 \SystemRoot\system32\drivers\pci.sys
    0x80424000 \SystemRoot\system32\drivers\volmgr.sys
    0x80201000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8041A000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8040A000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80403000 \SystemRoot\system32\DRIVERS\intelide.sys
    0x807F2000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x807EB000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x807A1000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806D9000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x806D1000 \SystemRoot\system32\drivers\atapi.sys
    0x806B3000 \SystemRoot\system32\drivers\ataport.SYS
    0x806AA000 \SystemRoot\system32\drivers\msahci.sys
    0x80679000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80669000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80660000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x834FC000 \SystemRoot\system32\drivers\ndis.sys
    0x80635000 \SystemRoot\system32\drivers\msrpc.sys
    0x834C3000 \SystemRoot\system32\drivers\NETIO.SYS
    0x836F8000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x83459000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x83423000 \SystemRoot\system32\drivers\volsnap.sys
    0x80630000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x80619000 \SystemRoot\System32\drivers\partmgr.sys
    0x8060A000 \SystemRoot\System32\Drivers\mup.sys
    0x836D3000 \SystemRoot\System32\drivers\ecache.sys
    0x83412000 \SystemRoot\system32\drivers\disk.sys
    0x836B2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x80601000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8C0A5000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8C0B0000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8C09A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8C05D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8C04F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8C03D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8C019000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8F1ED000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
    0x8C006000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8ED85000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8ED55000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8BC7E000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8ED4A000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8ED32000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8EC7D000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8EC3D000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8EC32000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8EC1B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8EC10000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8ED0F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x83683000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8ECBF000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8F0FD000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8BC7C000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8F003000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8EFC6000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
    0x8ECA8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8F02D000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8EF92000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8BD20000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8C0CB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8EDA5000 \SystemRoot\System32\Drivers\Null.SYS
    0x8EDAC000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8BCEE000 \SystemRoot\System32\drivers\vga.sys
    0x8EEB1000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8F03A000 \SystemRoot\System32\drivers\watchdog.sys
    0x8C1B8000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8ECB4000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8EE83000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8C0D4000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8F92F000 \SystemRoot\System32\drivers\tcpip.sys
    0x8EE6A000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8EE55000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8EE41000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8EE0F000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8F918000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8F8D1000 \SystemRoot\system32\drivers\afd.sys
    0x8F8BB000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8EE01000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8F880000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8F836000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8F81F000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8FBED000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x97A00000 \SystemRoot\System32\win32k.sys
    0x8FB93000 \SystemRoot\System32\drivers\Dxapi.sys
    0x97DE0000 \SystemRoot\System32\drivers\dxg.sys
    0x97C00000 \SystemRoot\System32\TSDDD.dll
    0x97C10000 \SystemRoot\System32\framebuf.dll
    0x9A068000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x98415000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x98481000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9A014000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9A6C2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9A689000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9A002000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9B4A5000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x76EC0000 \Windows\System32\ntdll.dll

    Processes (total 23):
    0 System Idle Process
    4 System
    328 C:\Windows\System32\smss.exe
    392 csrss.exe
    428 csrss.exe
    436 C:\Windows\System32\wininit.exe
    480 C:\Windows\System32\winlogon.exe
    512 C:\Windows\System32\services.exe
    524 C:\Windows\System32\lsass.exe
    532 C:\Windows\System32\lsm.exe
    684 C:\Windows\System32\svchost.exe
    736 C:\Windows\System32\svchost.exe
    764 C:\Windows\System32\svchost.exe
    860 C:\Windows\System32\svchost.exe
    884 C:\Windows\System32\svchost.exe
    904 C:\Windows\servicing\TrustedInstaller.exe
    964 C:\Windows\System32\svchost.exe
    1008 C:\Windows\System32\svchost.exe
    1024 C:\Windows\System32\svchost.exe
    1144 C:\Windows\System32\svchost.exe
    1256 C:\Windows\System32\svchost.exe
    1636 C:\Windows\explorer.exe
    1348 C:\Users\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000023`4c900000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600BEVS-60RST0, Rev: 04.01G04

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  14. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    After looking at the ComboFix log it looks like the AVG removal tool failed. Here is the log.
    ComboFix 10-11-23.02 - Owner 11/24/2010 2:02.2.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.2578 [GMT -5:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: AntiVir Desktop *enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\recycler

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))
    .

    2010-11-24 07:09 . 2010-11-24 07:09 -------- d-----w- c:\users\Owner\AppData\Local\temp
    2010-11-24 07:09 . 2010-11-24 07:09 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2010-11-24 07:09 . 2010-11-24 07:09 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-11-24 07:00 . 2010-11-24 07:00 -------- d-----w- C:\32788R22FWJFW
    2010-11-22 03:05 . 2010-11-22 03:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-22 02:53 . 2010-11-22 02:53 -------- d-----w- c:\users\Owner\AppData\Roaming\Avira
    2010-11-22 02:43 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-22 02:43 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-22 02:43 . 2010-11-22 02:43 -------- d-----w- c:\programdata\Avira
    2010-11-22 02:43 . 2010-11-22 02:43 -------- d-----w- c:\program files\Avira
    2010-11-22 01:24 . 2010-11-22 01:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-11-22 01:16 . 2010-11-22 10:34 -------- d-----w- c:\program files\IObit
    2010-11-21 23:12 . 2010-11-21 23:12 -------- d-----w- c:\users\Owner\AppData\Local\Threat Expert
    2010-11-19 01:22 . 2010-11-19 01:22 -------- d-----w- c:\users\Owner\AppData\Roaming\Spam Monitor
    2010-11-19 01:22 . 2010-11-19 01:22 -------- d-----w- c:\users\Owner\AppData\Roaming\PCToolsFirewallPlus
    2010-11-19 00:32 . 2010-11-22 02:22 -------- d-----w- c:\programdata\PC Tools
    2010-11-08 05:19 . 2010-11-21 09:00 -------- d-----w- c:\users\Guest

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 15:41 . 2010-04-16 16:02 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2010-10-22 07:12 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C1E2393D-F9AB-40AD-8B03-E13A90F30B3E}\mpengine.dll
    2010-09-26 06:06 . 2006-11-02 08:57 66048 ----a-w- c:\windows\system32\drivers\smb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
    "QlbCtrl"="%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [BU]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-03 178712]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
    "IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2294666553-2699877921-459855803-1001]
    "EnableNotificationsRef"=dword:00000001

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-03 135664]
    R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]
    R3 mvb35316;mvb35316; [x]
    R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-12-18 20480]
    R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-12-18 174720]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-03-04 4232704]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2008-04-25 04:23 124928 ----a-w- c:\windows\System32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-22 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-22 02:33]

    2010-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-03 11:30]

    2010-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-03 11:30]

    2010-11-22 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-11-22 23:08]

    2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{69747E9F-0818-49E9-9A2F-E3A783B1ADC6}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-<NO NAME> - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-24 02:09
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2010-11-24 02:11:17
    ComboFix-quarantined-files.txt 2010-11-24 07:11
    ComboFix2.txt 2010-11-18 07:56
    ComboFix3.txt 2010-11-17 20:22
    ComboFix4.txt 2010-09-28 23:00

    Pre-Run: 76,469,768,192 bytes free
    Post-Run: 76,474,294,272 bytes free

    - - End Of File - - F33868D13ADBB4C57AF2CAD2B5E28B4C
     
  15. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    I can also see, that you don't have any service pack installed. Any particular reason for it?

    Let's start with fixing your MBR...

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
  16. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    Can't run the Windows updates, and my friend is not very computer savvy, so he never updated prior to the infection. I'll run the CD as soon as I have a burnable CD in my possession.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    OK..............
     
  18. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    I found a copy of his usb tool, ran it did the same thing as the cd, about to post the log. Happy Thanksgiving.
     
  19. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: (build 6000), 32-bit
    Base Board Manufacturer: Intel Corp.
    BIOS Manufacturer: INSYDE
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L355
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 109):
    0x82400000 \SystemRoot\system32\ntkrnlpa.exe
    0x827A1000 \SystemRoot\system32\hal.dll
    0x802C6000 \SystemRoot\system32\kdcom.dll
    0x80266000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8025D000 \SystemRoot\system32\PSHED.dll
    0x80255000 \SystemRoot\system32\BOOTVID.dll
    0x8021A000 \SystemRoot\system32\CLFS.SYS
    0x8051F000 \SystemRoot\system32\CI.dll
    0x804A3000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8020D000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80460000 \SystemRoot\system32\drivers\acpi.sys
    0x80204000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x80458000 \SystemRoot\system32\drivers\msisadrv.sys
    0x80433000 \SystemRoot\system32\drivers\pci.sys
    0x80424000 \SystemRoot\system32\drivers\volmgr.sys
    0x80201000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8041A000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8040A000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80403000 \SystemRoot\system32\DRIVERS\intelide.sys
    0x807F2000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x807EB000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x807A1000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806D9000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x806D1000 \SystemRoot\system32\drivers\atapi.sys
    0x806B3000 \SystemRoot\system32\drivers\ataport.SYS
    0x806AA000 \SystemRoot\system32\drivers\msahci.sys
    0x80679000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80669000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80660000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x82CFC000 \SystemRoot\system32\drivers\ndis.sys
    0x80635000 \SystemRoot\system32\drivers\msrpc.sys
    0x82CC3000 \SystemRoot\system32\drivers\NETIO.SYS
    0x82EF8000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x82C59000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x82C23000 \SystemRoot\system32\drivers\volsnap.sys
    0x80630000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x80619000 \SystemRoot\System32\drivers\partmgr.sys
    0x8060A000 \SystemRoot\System32\Drivers\mup.sys
    0x82ED3000 \SystemRoot\System32\drivers\ecache.sys
    0x82C12000 \SystemRoot\system32\drivers\disk.sys
    0x82EB2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x80601000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8B42A000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x82E05000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8ED50000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8B983000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8B4EC000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8B403000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8E72C000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8EFED000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
    0x8B970000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8ED5B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8E68C000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8B4A6000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8ED66000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8E674000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8E61F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8ED10000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8ED71000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8E608000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8ED7C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8ECED000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x82E83000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8E661000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8EEFD000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8B4A4000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8ECC3000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8EC86000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
    0x8E64A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8E654000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8EB82000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8B510000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8B812000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8E6CA000 \SystemRoot\System32\Drivers\Null.SYS
    0x8E6D1000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8EB76000 \SystemRoot\System32\drivers\vga.sys
    0x8EB55000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8EBB6000 \SystemRoot\System32\drivers\watchdog.sys
    0x8EB1E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8B8F0000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8ED87000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8EB0B000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x8EAFD000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8B81B000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8EA2C000 \SystemRoot\System32\drivers\tcpip.sys
    0x8EA13000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8EEE8000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8EED4000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8EEA2000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8EE5B000 \SystemRoot\system32\drivers\afd.sys
    0x8EE45000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8EA05000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8EE0A000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8EE00000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8F5E9000 \SystemRoot\System32\Drivers\dfsc.sys
    0x97400000 \SystemRoot\System32\win32k.sys
    0x8F54D000 \SystemRoot\System32\drivers\Dxapi.sys
    0x977E0000 \SystemRoot\System32\drivers\dxg.sys
    0x97600000 \SystemRoot\System32\TSDDD.dll
    0x97610000 \SystemRoot\System32\framebuf.dll
    0x99555000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8F4A1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x95A0A000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x98809000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x99477000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9943E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9942C000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x99416000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x77470000 \Windows\System32\ntdll.dll

    Processes (total 23):
    0 System Idle Process
    4 System
    332 C:\Windows\System32\smss.exe
    400 csrss.exe
    436 csrss.exe
    444 C:\Windows\System32\wininit.exe
    480 C:\Windows\System32\winlogon.exe
    520 C:\Windows\System32\services.exe
    532 C:\Windows\System32\lsass.exe
    540 C:\Windows\System32\lsm.exe
    716 C:\Windows\System32\svchost.exe
    768 C:\Windows\System32\svchost.exe
    800 C:\Windows\System32\svchost.exe
    892 C:\Windows\System32\svchost.exe
    916 C:\Windows\System32\svchost.exe
    936 C:\Windows\servicing\TrustedInstaller.exe
    992 C:\Windows\System32\svchost.exe
    1024 C:\Windows\System32\svchost.exe
    1044 C:\Windows\System32\svchost.exe
    1176 C:\Windows\System32\svchost.exe
    1284 C:\Windows\System32\svchost.exe
    2004 C:\Windows\explorer.exe
    1564 C:\Users\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000023`4c900000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600BEVS-60RST0, Rev: 04.01G04

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  20. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    I'm not sure, what you're saying...
    It didn't work anyway.
     
  21. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    It's the same tool, by the same author, but it burns to USB, and you set the PC to boot from USB.
     
  22. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    Found a disk, burnt the disc, and after pressing 1 to install standard it gives me three more options.
     
  23. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    It says the MBR is not flagged as bootable, and it says I can flag it as bootable, delete the partition information and set it as bootable, or just flag it as bootable.
     
  24. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Let's try something else...

    If you have Vista/7 DVD...

    start with step 2

    If you don't have Vista/7 DVD...

    1. Create Vista/7 Recovery Disc.

    Option 1:
    Vista: http://www.c4consulting.com.au/soluctions/vista/VISTA SOLUCTIONS.htm
    Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

    Option 2:
    Download Vista Recovery Disc iso image: http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
    Download Windows 7 Recovery Disc iso image: http://neosmart.net/blog/2009/windows-7-system-repair-discs/
    Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    2. Boot from created disk.

    Vista users. At first screen click on Repair your computer.

    Windows 7 users. At first screen click on Install now.
    Select your language and click Next.
    Click the button for "Use recovery tools".

    The following applies to both Vista and Windows 7 users.

    This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box.
    After this, it will present you with a list of options including startup repair, system restore and command prompt.
    Select Command Prompt

    Type in:
    bootrec /FixMbr (<--- there is a "space" after "bootrec")
    and then press Enter

    Once completed then type Exit, press Enter and restart computer.

    Post fresh MBRCheck log.
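    As an added illustration of what MBRCheck reports and what a FixMbr-style repair actually changes (example code written for this thread, not part of MBRCheck, bootrec or the posts above), the script below parses a 512-byte MBR sector, checks the 0x55AA marker and the partition active flags, hashes the boot-code region against a whitelist, and then models the repair, which replaces only the boot code and leaves the disk signature and partition table untouched. Assumptions: the hash covers bytes 0..439 only (MBRCheck's exact hashing region is not documented in the thread), the boot code and the whitelist are constructed placeholders, and the partition LBAs come from the byte offsets in the MBRCheck logs while the partition sizes are made up.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # 0x000-0x1B7: executable boot code (the part FixMbr rewrites)
PART_TABLE_OFF = 446           # 0x1BE-0x1FD: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # 0x1FE-0x1FF: end-of-sector marker

# Constructed stand-ins for loader code; a real MBR holds x86 machine code here.
STANDARD_CODE = b"constructed standard boot code".ljust(BOOT_CODE_LEN, b"\x00")
TAMPERED_CODE = b"constructed bootkit-style boot code".ljust(BOOT_CODE_LEN, b"\x00")


def boot_code_sha1(mbr):
    """SHA-1 of the boot-code region only (assumption), so the per-machine disk
    signature and partition table do not change the hash of identical loader code."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


# Constructed whitelist keyed by boot-code hash; a placeholder, not MBRCheck's database.
KNOWN_BOOT_CODE = {boot_code_sha1(STANDARD_CODE): "Standard MBR code (constructed sample)"}


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        # CHS fields are left as constructed zeros; modern loaders use the LBA fields.
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00\x00\x00",
                             ptype, b"\x00\x00\x00", lba_start, sectors)
    table = table.ljust(64, b"\x00")
    disk_sig = b"\x12\x34\x56\x78\x00\x00"   # 4-byte Windows disk signature + 2 reserved (constructed)
    mbr = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_partitions(mbr):
    """Return the non-empty partition entries with their active (0x80) flag decoded."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, known=KNOWN_BOOT_CODE):
    """MBRCheck-style verdict: hash label plus any structural findings."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    findings = []
    if mbr[510:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not any(p["bootable"] for p in parts):
        findings.append("no partition flagged as bootable")
    digest = boot_code_sha1(mbr)
    return {"sha1": digest, "label": known.get(digest, "Unknown MBR code"),
            "partitions": parts, "findings": findings}


def fix_mbr(mbr, standard_code=STANDARD_CODE):
    """Model of a FixMbr-style repair: swap in known boot code, keep bytes 440..511 as they are.
    Note it does not touch the active flag, which is why the bootable check stays separate."""
    return standard_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def set_bootable(mbr, index):
    """Model of MBRWORK's 'flag as bootable': mark one entry 0x80 and clear the others."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[PART_TABLE_OFF + 16 * i] = 0x80 if i == index else 0x00
    return bytes(buf)


# Partition starts taken from the MBRCheck offsets in the thread (0x7E00 and 0x23`4C900000
# bytes, divided by the 512-byte sector size); the partition sizes are constructed.
C_START = 0x7E00 // SECTOR_SIZE                 # 63
D_START = 0x234C900000 // SECTOR_SIZE           # 296110080
LAYOUT = [(True, 0x07, C_START, D_START - C_START), (False, 0x07, D_START, 16471728)]
CLEAN_MBR = build_mbr(STANDARD_CODE, LAYOUT)
# Infected-state sample: foreign boot code and the active flag cleared, mirroring the
# "Unknown MBR code" and "not flagged as bootable" observations in the thread.
INFECTED_MBR = build_mbr(TAMPERED_CODE, [(False,) + p[1:] for p in LAYOUT])

if __name__ == "__main__":
    repaired = fix_mbr(INFECTED_MBR)
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR),
                      ("after FixMbr", repaired), ("after flagging C: active", set_bootable(repaired, 0))):
        r = check_mbr(mbr)
        print(f"{name:>26}: {r['label']}  sha1={r['sha1'][:12]}...  findings={r['findings']}")
```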
     
  25. nonaestet

    nonaestet TS Rookie Topic Starter Posts: 26

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: (build 6000), 32-bit
    Base Board Manufacturer: Intel Corp.
    BIOS Manufacturer: INSYDE
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L355
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 109):
    0x82400000 \SystemRoot\system32\ntkrnlpa.exe
    0x827A1000 \SystemRoot\system32\hal.dll
    0x802C6000 \SystemRoot\system32\kdcom.dll
    0x80266000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8025D000 \SystemRoot\system32\PSHED.dll
    0x80255000 \SystemRoot\system32\BOOTVID.dll
    0x8021A000 \SystemRoot\system32\CLFS.SYS
    0x8051F000 \SystemRoot\system32\CI.dll
    0x804A3000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8020D000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80460000 \SystemRoot\system32\drivers\acpi.sys
    0x80204000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x80458000 \SystemRoot\system32\drivers\msisadrv.sys
    0x80433000 \SystemRoot\system32\drivers\pci.sys
    0x80424000 \SystemRoot\system32\drivers\volmgr.sys
    0x80201000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8041A000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8040A000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80403000 \SystemRoot\system32\DRIVERS\intelide.sys
    0x807F2000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x807EB000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x807A1000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806D9000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x806D1000 \SystemRoot\system32\drivers\atapi.sys
    0x806B3000 \SystemRoot\system32\drivers\ataport.SYS
    0x806AA000 \SystemRoot\system32\drivers\msahci.sys
    0x80679000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80669000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80660000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x82CFC000 \SystemRoot\system32\drivers\ndis.sys
    0x80635000 \SystemRoot\system32\drivers\msrpc.sys
    0x82CC3000 \SystemRoot\system32\drivers\NETIO.SYS
    0x82EF8000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x82C59000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x82C23000 \SystemRoot\system32\drivers\volsnap.sys
    0x80630000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x80619000 \SystemRoot\System32\drivers\partmgr.sys
    0x8060A000 \SystemRoot\System32\Drivers\mup.sys
    0x82ED3000 \SystemRoot\System32\drivers\ecache.sys
    0x82C12000 \SystemRoot\system32\drivers\disk.sys
    0x82EB2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x80601000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8B86F000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x82E05000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8B864000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8B827000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8B819000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8B800000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8E0CC000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8EBED000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
    0x8E0B9000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8E0AE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8E00E000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8B9CA000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8E003000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8E168000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8EBB8000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8EB78000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8E15D000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8E146000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8EB5D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8EB3A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8B40A000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8EB27000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8B419000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8B9C8000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8EA2D000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8E9F0000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
    0x8EBE3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8EA57000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8E91C000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8B5F0000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8E102000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8E045000 \SystemRoot\System32\Drivers\Null.SYS
    0x8E04C000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8B93D000 \SystemRoot\System32\drivers\vga.sys
    0x8E8FB000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8EA64000 \SystemRoot\System32\drivers\watchdog.sys
    0x8E1C0000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8E8D0000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8E8C2000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8E10B000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8F32F000 \SystemRoot\System32\drivers\tcpip.sys
    0x8E8A9000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8E894000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8E880000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8E84E000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8E837000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8F2E8000 \SystemRoot\system32\drivers\afd.sys
    0x8E821000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8E813000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8F2AD000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8E950000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8F256000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8F243000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x97400000 \SystemRoot\System32\win32k.sys
    0x8E95A000 \SystemRoot\System32\drivers\Dxapi.sys
    0x977E0000 \SystemRoot\System32\drivers\dxg.sys
    0x97600000 \SystemRoot\System32\TSDDD.dll
    0x97610000 \SystemRoot\System32\framebuf.dll
    0x93065000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8E96E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x8F4C2000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x99238000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9921A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x99FC7000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x93000000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x99E38000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x779D0000 \Windows\System32\ntdll.dll

    Processes (total 24):
    0 System Idle Process
    4 System
    328 C:\Windows\System32\smss.exe
    392 csrss.exe
    428 csrss.exe
    436 C:\Windows\System32\wininit.exe
    480 C:\Windows\System32\winlogon.exe
    512 C:\Windows\System32\services.exe
    524 C:\Windows\System32\lsass.exe
    532 C:\Windows\System32\lsm.exe
    680 C:\Windows\System32\svchost.exe
    740 C:\Windows\System32\svchost.exe
    780 C:\Windows\System32\svchost.exe
    864 C:\Windows\System32\svchost.exe
    888 C:\Windows\System32\svchost.exe
    908 C:\Windows\servicing\TrustedInstaller.exe
    968 C:\Windows\System32\svchost.exe
    1020 C:\Windows\System32\svchost.exe
    1036 C:\Windows\System32\svchost.exe
    1156 C:\Windows\System32\svchost.exe
    1260 C:\Windows\System32\svchost.exe
    1564 C:\Windows\explorer.exe
    1708 C:\Windows\HelpPane.exe
    2036 C:\Users\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000023`4c900000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600BEVS-60RST0, Rev: 04.01G04

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!
     
Topic Status:
Not open for further replies.
