TechSpot

Results of testing: locked self-protect mode of Avast Antivirus Pro

Solved
By systemmistress
Aug 27, 2010
  1. Hi,

    I thought I was totally lost, but due to the testing requirements you recommend, I think my whole problem is because Avast 4 is locked in Self-Protect mode and also is locking me out of my Recovery Drive partition. Maybe this is why the odd test results? I did one week's worth of investigating, reading, studying and clean-up of my machine and now it all makes sense.

    I have an HP Compaq Presario SR1920NX. Summary:
    Operating System: MS Windows XP Home 32-bit SP3 (Installation Date: 30 March 2009, 07:14)
    CPU: AMD Athlon 64 3500+, 43 °C, Venice 90nm Technology
    RAM: 512MB Dual-Channel DDR @ 200MHz (3-3-3-8)
    Motherboard: ASUSTek Computer INC. NAGAMI2L (Socket 939)
    Graphics: COMPAQ FS7600 @ 1024x768, nVidia video (HP)
    Hard Drives: 195GB SAMSUNG SP2004C (IDE), 41 °C
    Optical Drives: PHILIPS DVD8851
    Audio: Realtek High Definition Audio

    Memory slots: Total 4, Used 2, Free 2
    Memory: Type DDR, Size 512 MBytes, Channels # Dual, DRAM Frequency 200.4 MHz
    CAS# Latency (CL): 3 clocks
    RAS# to CAS# Delay (tRCD): 3 clocks
    RAS# Precharge (tRP): 3 clocks
    Cycle Time (tRAS): 8 clocks
    Bank Cycle Time (tRC): 11 clocks
    Command Rate (CR): 2T
    SPD: Number Of SPD Modules 2
    Slot #1: Type DDR, Size 256 MBytes, Manufacturer Hyundai Electronics, Max Bandwidth PC3200 (200 MHz)

    Here are the Results:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4490

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/27/2010 3:46:14 PM
    mbam-log-2010-08-27 (15-46-14).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 182135
    Time elapsed: 20 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-08-27 15:55:39
    Windows 5.1.2600 Service Pack 3
    Running: k3h5kxm2[1].exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\uwlcraoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----

    I even tried to delete the above with Revo Uninstaller, CCleaner, Add/Rem Programs, by hand, and with File Assassin... nothing worked. And I tried more than once.
    Alwil Software, Avast4 resides in my Local Drive of all places... I would have thought it would have been in C:\.

    Here is the other result:
    [I will give my opinion of the results, based on a popup I got from my computer from Avast, which told me I could no longer access my partition "for safety reasons", when you see the testing results.]



    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fd

    Kernel Drivers (total 125):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF79DC000 \WINDOWS\system32\KDCOM.DLL
    0xF78EC000 \WINDOWS\system32\BOOTVID.dll
    0xF73AD000 ACPI.sys
    0xF79DE000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF739C000 pci.sys
    0xF74DC000 isapnp.sys
    0xF7AA4000 pciide.sys
    0xF775C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF79E0000 viaide.sys
    0xF79E2000 intelide.sys
    0xF74EC000 MountMgr.sys
    0xF737D000 ftdisk.sys
    0xF7764000 PartMgr.sys
    0xF74FC000 VolSnap.sys
    0xF72A8000 iaStor.sys
    0xF7290000 atapi.sys
    0xF750C000 disk.sys
    0xF751C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7270000 fltmgr.sys
    0xF725E000 sr.sys
    0xF752C000 PxHelp20.sys
    0xF7247000 KSecDD.sys
    0xF71BA000 Ntfs.sys
    0xF718D000 NDIS.sys
    0xF716E000 xpacket.sys
    0xF7154000 Mup.sys
    0xF770C000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xF6BC9000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF6BB5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7834000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6B91000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF783C000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF771C000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF772C000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF773C000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6B6E000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6A51000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7A04000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF784C000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF6A29000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF79C8000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xF69DE000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xF69A7000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
    0xF774C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7854000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7A08000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xF7BE9000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF755C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF79CC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6990000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF756C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF757C000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF785C000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF697F000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF758C000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7864000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF786C000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6943000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF759C000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7874000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A0C000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF68E5000 \SystemRoot\system32\DRIVERS\update.sys
    0xF6F4D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF75AC000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF75BC000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF75CC000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xF30DA000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF30B6000 \SystemRoot\system32\drivers\portcls.sys
    0xF75DC000 \SystemRoot\system32\drivers\drmk.sys
    0xF7A10000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B81000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A12000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF78B4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF78BC000 \SystemRoot\System32\drivers\vga.sys
    0xF7A14000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7A16000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF78C4000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78CC000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7990000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF3033000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF2FDA000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF2FB2000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF75FC000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xF2F90000 \SystemRoot\System32\drivers\afd.sys
    0xF760C000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF2F6E000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF78D4000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF2F43000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF2ED3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF762C000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF2EAD000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF763C000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF78DC000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF696F000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF764C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF2E64000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF78E4000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF77A4000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF696B000 \SystemRoot\system32\DRIVERS\sfloppy.sys
    0xF6967000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF695F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF2E40000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF2E28000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A24000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF308E000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77BC000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B15000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF7894000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys
    0xBA51C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBA391000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB9A59000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB97BC000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB99A1000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB9587000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB93F0000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB9107000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB7BBC000 \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\uwlcraoc.sys
    0xB7ACF000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 33):
    0 System Idle Process
    4 System
    592 C:\WINDOWS\system32\smss.exe
    656 csrss.exe
    680 C:\WINDOWS\system32\winlogon.exe
    724 C:\WINDOWS\system32\services.exe
    736 C:\WINDOWS\system32\lsass.exe
    900 C:\WINDOWS\system32\svchost.exe
    948 svchost.exe
    1044 C:\WINDOWS\system32\svchost.exe
    1092 svchost.exe
    1184 svchost.exe
    1568 C:\WINDOWS\explorer.exe
    1780 C:\WINDOWS\RTHDCPL.EXE
    1832 C:\Program Files\PeoplePC\ISP7000\Browser\BartShel.exe
    1828 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1848 C:\Program Files\Filseclab\xfilter\xfilter.exe
    1864 C:\WINDOWS\system32\ctfmon.exe
    660 C:\WINDOWS\system32\spoolsv.exe
    152 C:\WINDOWS\system\hpsysdrv.exe
    1448 svchost.exe
    444 C:\Program Files\LSI SoftModem\agrsmsvc.exe
    456 aspnet_state.exe
    1920 PresentationFontCache.exe
    564 C:\Program Files\Java\jre6\bin\jqs.exe
    584 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    1000 C:\WINDOWS\system32\nvsvc32.exe
    2448 alg.exe
    2812 C:\PROGRA~1\PeoplePC\ISP7000\Browser\PPShared.exe
    2956 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    4092 C:\Program Files\Internet Explorer\iexplore.exe
    1932 C:\Program Files\Internet Explorer\iexplore.exe
    2820 C:\Documents and Settings\Compaq_Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`c0050e00 (FAT32)

    PhysicalDrive0 Model Number: SAMSUNGSP2004C, Rev: VM100-54

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: 3

    Done!


    My thoughts on these odd results are that Avast has locked me out of my partition [D Drive] and it cannot be read... I am probably wrong.

    My symptoms are hangs, freezes to the point when I have to hit the 'kill' button because nothing works. I just blamed all this on Firefox's Plug-in Container... I had better apologize... I do not think this is the problem, as I uninstalled FF 3.6.8, and am using 3.5.11. I also read that lots of my symptoms are the same as those on the forums at Mozilla as well. I wonder now.

    All of the online scans for malware and viruses came up clean for me except the big one in MBam... I guess I should attach that huge file as well. You did not seem to want it from the other person you helped with a locked Avast... I do have it if needed.

    Thanx very much, I am sorry to be so windy, but I want you to know that I tried myself. This is sort of a last resort for me, as I do not give up easily.

    Thank you very much.
    Systemmistress
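    As an added illustration (not part of the original thread, and not MBRCheck's own code), the script below does the kind of check the MBRCheck output above reports: it parses a 512-byte MBR image, lists the partition entries with their byte offsets (the log shows C: NTFS at 0x7e00 and D: FAT32 at 0x2cc0050e00), and compares the SHA-1 of the boot-code area against an allowlist, printing "Unknown MBR code" when there is no match. The sample MBR, its sector counts and the allowlist entry are constructed for the demo; the placeholder hash is not the hash of any real Windows boot sector.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0-439 hold the boot code that the MBR hash covers
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"   # bytes 510-511

# Partition type bytes; enough to label the two volumes in the log above.
PART_TYPES = {0x07: "NTFS", 0x0b: "FAT32", 0x0c: "FAT32 (LBA)"}


def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 of the boot-code area only, the value MBRCheck prints as 'SHA1:'."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_mbr(mbr: bytes) -> dict:
    """Parse a raw 512-byte MBR: boot-code hash, disk signature, non-empty partitions."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0x00:
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"type 0x{ptype:02x}"),
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,   # the 'at offset' column in the log
            "sectors": sectors,
        })
    return {
        "boot_code_sha1": boot_code_sha1(mbr),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def mbr_status(mbr: bytes, known_good: dict) -> str:
    """Allowlist lookup in the style of MBRCheck's 'MBR Status' column.

    A miss only means the boot code is not on the list: OEM recovery loaders and
    boot managers also produce 'Unknown MBR code', so it is a lead, not a verdict.
    """
    return known_good.get(boot_code_sha1(mbr), "Unknown MBR code")


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed MBR image for the demo (not read from a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


# Constructed stand-in for boot code: 'jmp $' followed by NOPs. Its hash is a
# placeholder allowlist entry, NOT the hash of any real Windows boot sector.
DEMO_BOOT_CODE = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)

# Layout mirroring the log above: C: NTFS at byte 0x7e00 (LBA 63) and D: FAT32 at
# byte 0x2cc0050e00. Sector counts are constructed to fill a 390,721,968-sector
# disk, the nominal size of a 200 GB drive.
DISK_SECTORS = 390_721_968
C_START = 0x7e00 // SECTOR
D_START = 0x2cc0050e00 // SECTOR
SAMPLE_MBR = build_mbr(DEMO_BOOT_CODE, 0x1234abcd, [
    (0x80, 0x07, C_START, D_START - C_START),        # bootable NTFS system volume
    (0x00, 0x0b, D_START, DISK_SECTORS - D_START),   # FAT32 recovery volume
])

KNOWN_GOOD = {boot_code_sha1(DEMO_BOOT_CODE): "Demo placeholder boot code"}


def tampered_copy(mbr: bytes) -> bytes:
    """Flip the first boot-code byte to simulate a modified loader; the partition
    table is untouched, so the volumes still parse but the hash no longer matches."""
    buf = bytearray(mbr)
    buf[0] ^= 0xff
    return bytes(buf)


if __name__ == "__main__":
    for label, image in (("sample", SAMPLE_MBR), ("tampered", tampered_copy(SAMPLE_MBR))):
        info = parse_mbr(image)
        print(f"{label}: SHA1 {info['boot_code_sha1']} -> {mbr_status(image, KNOWN_GOOD)}")
        for p in info["partitions"]:
            print(f"  {p['type']:<12} at offset 0x{p['byte_offset']:016x} (LBA {p['lba_start']})")
```

    The "tampered" run shows why the partition mapping in the log can look perfectly normal while the status column still says "Unknown MBR code": the hash covers only the first 440 bytes.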
     
  2. Broni (Malware Annihilator)

    First of all, it looks like the MBR is infected, but before we go there, I don't understand what you're saying here:
    What do you mean by "locking me out"?

    ...and....
    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
     
  3. systemmistress (TS Rookie, Topic Starter)

    I'm sorry Broni, I did not say that correctly.

    Avira popped up a message stating that for security reasons, I would "no longer be able to access my partition on D Drive". That was before I uninstalled it using Revo uninstaller set to the 4th level of removal or clean up, which would include the registry, desktop icon, and all other listings in Documents and Settings, My Documents, and everywhere else.

    I wrote to Avira, as I had paid for the program for one year, and told them I needed access to my partition in case..., and their reply was nonexistent.

    I have not tried to do a re-install from D Drive as the last time I did one, all the same stuff was all right there..it was not from scratch.

    I do not have a complete backup of my drive, nor did I make a CD from the recovery partition, as if you do that, you can no longer use that partition, and sometimes the Cd does not work. It costs money to buy a Recovery CD and I have very little of that.

    I figured that since Avast got locked in self-protect mode that my D Drive was locked as well... I could not access the program on D Drive called Recovery.
    [ed] RegGuard
    I will lose everything now if I have to do a recovery...

    HP makes a small program that they put on the machines that keeps you from making a mistake and doing a recovery. I forget now what that is exactly, but remember reading about it.

    Also, shouldn't that MBAM have checked D Drive as well if it could have?

    I prepared the information for another forum called Freeze, hang BSOD. I did what those steps were and probably should have posted this there.

    Avast sent me instructions to boot into safe mode, and remove the program Avast4 there, but F8 did not work for me. If only I could remove Avast4, and then do these virus steps I would feel so much better.
    Then we'd have a more detailed picture of all the results, to ascertain whether or not I actually have a virus. Don't you think so?

    I will do all the virus removal steps but can't we remove that Avast4 first? Then I will rescan and post if necessary.

    Please advise.
    Sandra
     
  4. Broni (Malware Annihilator)

  5. systemmistress (TS Rookie, Topic Starter)

    Here's the rest.

    I went through the 8 steps [modified] as you asked.



    Here are all the zipped files you requested:

    Thank you so much for your help... I am lost.
    Sandra
     
  6. systemmistress (TS Rookie, Topic Starter)

    Broni,

    The program that I cannot remove is Avast... here is what the tech person sent me in email:

    Hello,

    Try to reinstall your avast! using the avast! uninstall utility.

    The avast! uninstall utility (aswClear.exe) can be found on this page:
    http://public.avast.com/dev/aswClear_3.exe

    and follow these instructions:

    1. Download aswClear.exe on to your desktop
    2. Either, start Windows in Safe Mode if you know how (http://www.computerhope.com/issues/chsafe.htm)
    3. Open (execute) the uninstall utility
    4. If you installed avast! in a folder other than the default folder, use the browse facility to locate it. (Note: Be careful! The content of any folder you choose will be deleted!)
    5. Click REMOVE
    6. Restart your computer

    Now download the latest version of avast! and install it again (http://files.avast.com/iavs5x/setup_av_free.exe). If you have Windows 7 or Vista run the setup file as an administrator (right-click on avast! setup file and from the Drop Down Menu select the Run As Administrator option).

    Best regards,

    Jakub Vanous
    AVAST Software a.s.

    Ticket Details
    ===================
    Ticket ID: NTW-571558
    Department: [ENG] Technical support
    Priority: Default
    Status: On Hold


    I tried it and it would not install to uninstall... the old Avast4 is in self-protect mode. I could not even start in Safe Mode.

    Thanx once again,
    Sandra
     
  7. Broni (Malware Annihilator)

    Please, never zip any files. It's extra work for us to unzip them.
    Our instructions don't ask for zipping.
    Please, repost with straight files attached.
     
  8. systemmistress (TS Rookie, Topic Starter)

    Sorry, Broni,
    I could swear I read that I can never post any text files - they contain viruses... that they must be zipped. I am always wrong - this is just another time.

    here is the info you requested:

    SuperAntiSpyware scan log 8-27-2010

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/27/2010 at 11:43 PM

    Application Version : 4.41.1000

    Core Rules Database Version : 5362
    Trace Rules Database Version: 3174

    Scan type : Complete Scan
    Total Scan Time : 00:21:40

    Memory items scanned : 380
    Memory threats detected : 0
    Registry items scanned : 6388
    Registry threats detected : 0
    File items scanned : 19829
    File threats detected : 1

    Trojan.Agent/Gen-Nullo[Short]
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWSCAN.DLL

    This was already quarantined and removed in the middle of August, 2010.


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-08-27 16:34:58
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\uwlcraoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----


     
  9. Broni (Malware Annihilator)

    I still need DDS logs.
     
  10. systemmistress (TS Rookie, Topic Starter)

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Compaq_Owner at 17:21:48.96 on Fri 08/20/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.57 [GMT -4:00]

    AV: avast! antivirus 4.8.0 [VPS 000000-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Filseclab Personal Firewall *enabled* {EB4DA513-3B0A-4FCB-86A7-F1243757EFF2}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k eapsvcs
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k dot3svc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\PeoplePC\ISP7000\Browser\Bartshel.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Filseclab\xfilter\xfilter.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system\hpsysdrv.exe
    svchost.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\PROGRA~1\PeoplePC\ISP7000\Browser\PPShared.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://home.peoplepc.com/websearch
    uSearch Page =
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uSearch Bar = hxxp://home.peoplepc.com/search/
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = local
    mSearchAssistant =
    BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
    BHO: ZoomInto: {2f3d6d62-fab0-401a-90b6-1b20c2d4448d} - c:\program files\zoominto solutions\zoominto 13.1.1\ZoomInto.dll
    BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\people~1\PRPL_I~1.DLL
    BHO: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [Bart Station] c:\program files\peoplepc\isp7000\bin\PPCOLink.exe -STATION
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [XFILTER] "c:\program files\filseclab\xfilter\xfilter.exe" -a
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
    IE: ZoomInto - c:\documents and settings\compaq_owner\application data\zoominto\zoominto.htm
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: c:\program files\filseclab\xfilter\XFILTER.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238518495328
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {523E608B-4D4B-41B8-908D-FEA1131E7ED1} = 207.69.188.185,207.69.188.186
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\o80qd9p5.sandra\
    FF - prefs.js: browser.search.selectedEngine - Scroogle SSL
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
    FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
    FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 XPacket;Filseclab Packet Filter;c:\windows\system32\xpacket.sys [2010-3-3 124752]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-17 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-3-23 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-17 20560]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-17 138680]
    S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
    S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashwebsv.exe" /service --> c:\program files\alwil software\avast4\ashWebSv.exe [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\14f.tmp --> c:\windows\system32\14F.tmp [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 12872]
    S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-3-23 120168]

    =============== Created Last 30 ================

    2010-08-20 18:39:04 0 d-----w- c:\program files\Trend Micro
    2010-08-16 17:37:23 0 d-----w- c:\docume~1\compaq~1\applic~1\VSRevoGroup
    2010-08-16 04:20:45 0 d-----w- c:\program files\Sophos
    2010-08-16 03:43:09 2626 ----a-w- c:\windows\system32\config.bak
    2010-08-16 03:43:09 2577 ----a-w- c:\windows\config.nt
    2010-08-16 03:43:09 1688 ----a-w- c:\windows\system32\autoexec.bak
    2010-08-16 03:43:09 1688 ----a-w- c:\windows\autoexec.nt
    2010-08-16 02:16:58 0 d-----w- c:\program files\Speccy
    2010-08-14 21:00:40 0 d-----w- c:\program files\SRWare Iron
    2010-08-13 17:28:18 0 d-----w- C:\AV-CLS
    2010-08-12 22:17:06 165032 ----a-w- c:\windows\system32\asw2B4.tmp
    2010-08-10 07:21:41 0 d-----w- c:\docume~1\compaq~1\applic~1\DiskSpaceFan
    2010-08-10 07:20:49 0 d-----w- c:\program files\DiskSpaceFan
    2010-08-10 07:05:07 0 d-----w- c:\program files\ZPaint 1.4
    2010-07-29 14:13:20 0 d-----w- c:\program files\Citrix
    2010-07-29 14:13:03 103784 ----a-w- c:\documents and settings\compaq_owner\GoToAssistDownloadHelper.exe

    ==================== Find3M ====================

    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-24 21:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
    2009-03-31 19:23:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033120090401\index.dat

    ============= FINISH: 17:22:28.76 ===============
     
  11. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Run MBRCheck again.

    When it's done you'll see the following line:
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Press the Y key and then press Enter.

    When the program asks you to Enter your choice, enter 2 and press the Enter key.

    Next the program will ask you to Enter the physical disk number to fix (0-99, -1 to cancel):
    Enter 0 (zero) and press the Enter key.

    Next the program will show Available MBR codes:, followed by a list of operating systems.
    Please enter 1 for Windows XP, and then press Enter.

    Next the program will prompt for confirmation.
    Type YES and hit Enter.

    When it's done there should be a text file with the results on your desktop.
    Please copy and paste it back here.

    Then reboot, run MBRCheck again and post the new log.
 
  12. systemmistress

    systemmistress TS Rookie Topic Starter Posts: 75

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fd

    Kernel Drivers (total 124):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF79DC000 \WINDOWS\system32\KDCOM.DLL
    0xF78EC000 \WINDOWS\system32\BOOTVID.dll
    0xF73AD000 ACPI.sys
    0xF79DE000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF739C000 pci.sys
    0xF74DC000 isapnp.sys
    0xF7AA4000 pciide.sys
    0xF775C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF79E0000 viaide.sys
    0xF79E2000 intelide.sys
    0xF74EC000 MountMgr.sys
    0xF737D000 ftdisk.sys
    0xF7764000 PartMgr.sys
    0xF74FC000 VolSnap.sys
    0xF72A8000 iaStor.sys
    0xF7290000 atapi.sys
    0xF750C000 disk.sys
    0xF751C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7270000 fltmgr.sys
    0xF725E000 sr.sys
    0xF752C000 PxHelp20.sys
    0xF7247000 KSecDD.sys
    0xF71BA000 Ntfs.sys
    0xF718D000 NDIS.sys
    0xF716E000 xpacket.sys
    0xF7154000 Mup.sys
    0xF772C000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xF6DAC000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF6D98000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF781C000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6D74000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7824000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF773C000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF774C000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF755C000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6D51000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6C34000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7A00000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF782C000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF6C0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF79D0000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xF6BC1000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xF6B8A000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
    0xF756C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF783C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7A02000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xF7BEE000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF757C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF79D4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6B73000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF758C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF759C000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7844000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6B62000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF75AC000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF784C000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7854000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6B26000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF75BC000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF785C000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A06000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6A94000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7124000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF75CC000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF75DC000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF75EC000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xF32BD000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF3299000 \SystemRoot\system32\drivers\portcls.sys
    0xF75FC000 \SystemRoot\system32\drivers\drmk.sys
    0xF7A0C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B81000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A0E000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7894000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF789C000 \SystemRoot\System32\drivers\vga.sys
    0xF7A10000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7A12000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF78A4000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78AC000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF799C000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF3216000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF31BD000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF3195000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF761C000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xF3173000 \SystemRoot\System32\drivers\afd.sys
    0xF762C000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF3151000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF78B4000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF312B000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF764C000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF3100000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF3090000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF765C000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF78BC000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF6B5A000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF767C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF306F000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF78C4000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF78CC000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF6B52000 \SystemRoot\system32\DRIVERS\sfloppy.sys
    0xF6B4E000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF6B46000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF3023000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF300B000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A1E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF326D000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF78E4000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B1E000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF77D4000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys
    0xF3251000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBA391000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB99C4000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB9B59000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB9A49000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB95D7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB94B8000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB91CF000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB53CD000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 36):
    0 System Idle Process
    4 System
    592 C:\WINDOWS\system32\smss.exe
    672 csrss.exe
    696 C:\WINDOWS\system32\winlogon.exe
    740 C:\WINDOWS\system32\services.exe
    752 C:\WINDOWS\system32\lsass.exe
    916 C:\WINDOWS\system32\svchost.exe
    964 svchost.exe
    1060 C:\WINDOWS\system32\svchost.exe
    1112 svchost.exe
    1156 svchost.exe
    1420 C:\WINDOWS\system32\spoolsv.exe
    1640 C:\WINDOWS\explorer.exe
    1872 C:\WINDOWS\RTHDCPL.EXE
    1916 C:\Program Files\PeoplePC\ISP7000\Browser\BartShel.exe
    1932 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1940 C:\Program Files\Filseclab\xfilter\xfilter.exe
    1952 C:\WINDOWS\system32\ctfmon.exe
    640 svchost.exe
    676 C:\Program Files\LSI SoftModem\agrsmsvc.exe
    820 aspnet_state.exe
    924 PresentationFontCache.exe
    1148 C:\Program Files\Java\jre6\bin\jqs.exe
    1192 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    1248 C:\WINDOWS\system32\nvsvc32.exe
    2072 alg.exe
    2400 C:\PROGRA~1\PeoplePC\ISP7000\Browser\PPShared.exe
    2612 C:\WINDOWS\system\hpsysdrv.exe
    2636 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    1976 C:\Program Files\Internet Explorer\iexplore.exe
    3092 C:\Program Files\Internet Explorer\iexplore.exe
    1520 C:\Program Files\Internet Explorer\iexplore.exe
    2852 C:\Program Files\Internet Explorer\iexplore.exe
    2512 C:\Program Files\Internet Explorer\iexplore.exe
    4092 C:\Documents and Settings\Compaq_Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`c0050e00 (FAT32)

    PhysicalDrive0 Model Number: SAMSUNGSP2004C, Rev: VM100-54

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:
    Enter the physical disk number to fix (0-99, -1 to cancel): 0
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive: 1
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
    Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.


    Done!
     
  13. Broni

    Broni Malware Annihilator Posts: 47,986   +271

     
  14. systemmistress

    systemmistress TS Rookie Topic Starter Posts: 75

    Do I follow the last instructions or is this what you want?

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fd

    Kernel Drivers (total 124):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF79DC000 \WINDOWS\system32\KDCOM.DLL
    0xF78EC000 \WINDOWS\system32\BOOTVID.dll
    0xF73AD000 ACPI.sys
    0xF79DE000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF739C000 pci.sys
    0xF74DC000 isapnp.sys
    0xF7AA4000 pciide.sys
    0xF775C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF79E0000 viaide.sys
    0xF79E2000 intelide.sys
    0xF74EC000 MountMgr.sys
    0xF737D000 ftdisk.sys
    0xF7764000 PartMgr.sys
    0xF74FC000 VolSnap.sys
    0xF72A8000 iaStor.sys
    0xF7290000 atapi.sys
    0xF750C000 disk.sys
    0xF751C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7270000 fltmgr.sys
    0xF725E000 sr.sys
    0xF752C000 PxHelp20.sys
    0xF7247000 KSecDD.sys
    0xF71BA000 Ntfs.sys
    0xF718D000 NDIS.sys
    0xF716E000 xpacket.sys
    0xF7154000 Mup.sys
    0xF771C000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xF6DAC000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF6D98000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7824000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6D74000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF782C000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF772C000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF773C000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF774C000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6D51000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6C34000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7A02000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7834000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF6C0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF79D0000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xF6BC1000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xF6B8A000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
    0xF755C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF783C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7A04000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xF7BEB000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF756C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF79D4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6B73000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF757C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF758C000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7844000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6B62000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF759C000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF784C000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7854000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6B26000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF75AC000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF785C000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A08000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6AC8000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7124000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF75CC000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF75DC000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF75EC000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xF32BD000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF3299000 \SystemRoot\system32\drivers\portcls.sys
    0xF75FC000 \SystemRoot\system32\drivers\drmk.sys
    0xF7A0E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B81000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A10000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF789C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF78A4000 \SystemRoot\System32\drivers\vga.sys
    0xF7A12000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7A14000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF78AC000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78B4000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF799C000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF3216000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF31BD000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF3195000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF761C000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xF3173000 \SystemRoot\System32\drivers\afd.sys
    0xF762C000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF3151000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF78BC000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF3126000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF30B6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF764C000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF3090000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF765C000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF78C4000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF6B4E000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF766C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF3047000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF78CC000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF78D4000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF6B4A000 \SystemRoot\system32\DRIVERS\sfloppy.sys
    0xF6B46000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF6B3E000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF3023000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF300B000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A2A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF3261000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77AC000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B2D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF7884000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys
    0xBA514000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBA391000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB999C000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA2C9000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB981C000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB96C7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB9440000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB91F7000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB8428000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 34):
    0 System Idle Process
    4 System
    592 C:\WINDOWS\system32\smss.exe
    672 csrss.exe
    696 C:\WINDOWS\system32\winlogon.exe
    740 C:\WINDOWS\system32\services.exe
    752 C:\WINDOWS\system32\lsass.exe
    916 C:\WINDOWS\system32\svchost.exe
    964 svchost.exe
    1060 C:\WINDOWS\system32\svchost.exe
    1112 svchost.exe
    1204 svchost.exe
    1556 C:\WINDOWS\system32\spoolsv.exe
    1676 C:\WINDOWS\explorer.exe
    284 C:\WINDOWS\RTHDCPL.EXE
    440 C:\Program Files\PeoplePC\ISP7000\Browser\BartShel.exe
    444 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    472 C:\Program Files\Filseclab\xfilter\xfilter.exe
    500 C:\WINDOWS\system32\ctfmon.exe
    756 svchost.exe
    1136 C:\Program Files\LSI SoftModem\agrsmsvc.exe
    1096 aspnet_state.exe
    1472 PresentationFontCache.exe
    1548 C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    1652 C:\Program Files\Java\jre6\bin\jqs.exe
    1696 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    1716 C:\WINDOWS\system32\nvsvc32.exe
    2124 alg.exe
    2452 C:\PROGRA~1\PeoplePC\ISP7000\Browser\PPShared.exe
    2560 C:\WINDOWS\system\hpsysdrv.exe
    2600 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    2888 C:\Program Files\Internet Explorer\iexplore.exe
    3032 C:\Program Files\Internet Explorer\iexplore.exe
    3440 C:\Documents and Settings\Compaq_Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`c0050e00 (FAT32)

    PhysicalDrive0 Model Number: SAMSUNGSP2004C, Rev: VM100-54

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  15. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Unfortunately, our fix didn't work.
    We need to use a different way to do it.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted run MBRCheck one more time and let me have the log produced.
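As an added illustration of what the "Unknown MBR code" verdict above and the "Install Standard MBR code" step in this post operate on (example code written for this page, not part of Broni's post and not the code of MBRCheck or MBRWORK): parse a 512-byte MBR, check the 0x55AA signature, hash the bootstrap-code area, and show that rewriting only that area changes the hash while the disk signature and partition table survive. The sample MBR, the "standard" and "non-standard" bootstrap stand-ins and the known-good allowlist are all constructed here; hashing just the 440-byte code area is an assumption about how such a check is best done, not a statement of how MBRCheck computes its SHA1. The partition starts mirror the volume offsets MBRCheck printed in this thread (LBA 63 is byte offset 0x7E00; byte offset 0x2CC0050E00 is LBA 375390855); the partition sizes are made up.

```python
"""Added example for this thread: MBR layout, bootstrap-code hashing, code-only repair.
Sample bytes are constructed; nothing here comes from the poster's disk."""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440          # bootstrap code area, bytes 0..439
SIG_OFF = 440           # 4-byte NT disk signature, then 2 reserved bytes
PTABLE_OFF = 446        # four 16-byte partition entries, bytes 446..509
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


def build_mbr(code, disk_sig, partitions):
    """Assemble a 512-byte MBR from (boot_flag, type_byte, start_lba, size_sectors) tuples.
    CHS fields are left zero; byte offsets are derived from the LBA fields only."""
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", boot, b"\x00" * 3, ptype, b"\x00" * 3, start, size)
        for boot, ptype, start, size in partitions
    ).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


def parse_mbr(sector):
    """Validate the boot signature; return code hash, disk signature and partition entries."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        boot, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, PTABLE_OFF + 16 * i)
        if ptype == 0:  # empty slot
            continue
        parts.append({"active": boot == 0x80, "type": ptype, "start_lba": start,
                      "size_sectors": size, "byte_offset": start * SECTOR})
    return {
        # Assumption: hash only the bootstrap area, so resizing partitions or a new
        # disk signature does not by itself change the verdict.
        "code_sha1": hashlib.sha1(sector[:CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, SIG_OFF)[0],
        "partitions": parts,
    }


def classify(sector, known_good):
    """MBRCheck-style verdict: is the bootstrap-code hash in an allowlist of known code?"""
    return "known MBR code" if parse_mbr(sector)["code_sha1"] in known_good else "Unknown MBR code"


def install_standard_code(sector, standard_code):
    """What an 'install standard MBR code' repair does: replace bytes 0..439 and nothing else."""
    parse_mbr(sector)  # refuse to 'repair' something that is not an MBR
    return standard_code.ljust(CODE_LEN, b"\x00")[:CODE_LEN] + sector[CODE_LEN:]


# Constructed stand-ins: not real boot code and not MBRCheck's hash database.
STANDARD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"standard bootstrap stand-in"
NONSTANDARD_CODE = b"\xeb\xfe" + b"non-standard bootstrap stand-in"
KNOWN_GOOD = {hashlib.sha1(STANDARD_CODE.ljust(CODE_LEN, b"\x00")).hexdigest().upper()}

# Layout mirroring the thread's MBRCheck output: NTFS C: at LBA 63 (0x7E00 bytes),
# FAT32 D: at LBA 375390855 (0x2CC0050E00 bytes). Sizes and disk signature are made up.
SAMPLE_MBR = build_mbr(NONSTANDARD_CODE, 0x1234ABCD, [
    (0x80, 0x07, 63, 375390792),
    (0x00, 0x0B, 375390855, 15000000),
])

if __name__ == "__main__":
    before = parse_mbr(SAMPLE_MBR)
    print(classify(SAMPLE_MBR, KNOWN_GOOD), before["code_sha1"])
    for p in before["partitions"]:
        print(f"  type 0x{p['type']:02X} at LBA {p['start_lba']} -> byte offset 0x{p['byte_offset']:X}")
    repaired = install_standard_code(SAMPLE_MBR, STANDARD_CODE)
    after = parse_mbr(repaired)
    print(classify(repaired, KNOWN_GOOD), after["code_sha1"])
    print("partition table unchanged:", after["partitions"] == before["partitions"])
```

The point of the code-only rewrite is in `install_standard_code`: bytes 440..511 are carried over untouched, which is why the C: and D: volumes are expected to mount at exactly the same offsets after the MBRWORK step. A repair that also altered the partition table would be a different, far more destructive operation, so a sane check after the fix is that the partition entries, not just the hash, match the pre-repair output.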
     
  16. systemmistress

    systemmistress TS Rookie Topic Starter Posts: 75

    Good Morning,

    I went to Bios and had a look. I have questions:
    1. On top row choices: Main - Advanced - Power - Boot - Exit
    Under Advanced - the only reference to "boot" is this: Onboard LAN BOOT ROM

    2. Under Boot menu: it lists first BOOT-TIME DIAGNOSTIC [disabled]
    Boot Device Priority
    1st [floppy] TEAC USB
    2nd [CD-ROM Group] Phillips DVD88
    3rd [HDD Group] Samsung
    4th [Network Boot Group] Not Installed

    What order do I put these in, please?
    Do I change any other setting?

    3. What is 'Onboard LAN BOOT ROM? under 'Advanced" in upper menu?

    This BIOS is a little different than the example cited in the 'How to Set BIOS from CDROM' article.

    Thank you very much.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Your boot order is fine. Go ahead with creating CD.
     
  18. systemmistress

    systemmistress TS Rookie Topic Starter Posts: 75

    Sorry. Broni,
    Please ignore the last post..
    this is the new one:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fd

    Kernel Drivers (total 123):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF79DC000 \WINDOWS\system32\KDCOM.DLL
    0xF78EC000 \WINDOWS\system32\BOOTVID.dll
    0xF73AD000 ACPI.sys
    0xF79DE000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF739C000 pci.sys
    0xF74DC000 isapnp.sys
    0xF7AA4000 pciide.sys
    0xF775C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF79E0000 viaide.sys
    0xF79E2000 intelide.sys
    0xF74EC000 MountMgr.sys
    0xF737D000 ftdisk.sys
    0xF7764000 PartMgr.sys
    0xF74FC000 VolSnap.sys
    0xF72A8000 iaStor.sys
    0xF7290000 atapi.sys
    0xF750C000 disk.sys
    0xF751C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7270000 fltmgr.sys
    0xF725E000 sr.sys
    0xF752C000 PxHelp20.sys
    0xF7247000 KSecDD.sys
    0xF71BA000 Ntfs.sys
    0xF718D000 NDIS.sys
    0xF716E000 xpacket.sys
    0xF7154000 Mup.sys
    0xF756C000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xF6DAC000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF6D98000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF781C000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6D74000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7824000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF757C000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF758C000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF759C000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6D51000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6C34000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF79FE000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF782C000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF6C0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF79D8000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xF6BC1000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xF6B8A000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
    0xF75AC000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF783C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7A00000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xF7BEA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF75BC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7130000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6B73000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF75CC000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF75DC000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF784C000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6B62000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF75EC000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7854000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF785C000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6AF2000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF75FC000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7864000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A04000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6A94000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7120000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF760C000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF761C000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF762C000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xF32BD000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF3299000 \SystemRoot\system32\drivers\portcls.sys
    0xF763C000 \SystemRoot\system32\drivers\drmk.sys
    0xF7A08000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B81000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A0A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF78A4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF78AC000 \SystemRoot\System32\drivers\vga.sys
    0xF7A0C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7A0E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF78B4000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78BC000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF79A0000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF3216000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF31BD000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF3195000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF765C000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xF3173000 \SystemRoot\System32\drivers\afd.sys
    0xF766C000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF3151000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF78C4000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF3126000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF30B6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF768C000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF3090000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF769C000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF78CC000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF6B52000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF76AC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF3047000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF78D4000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF78DC000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF6B4A000 \SystemRoot\system32\DRIVERS\sfloppy.sys
    0xF6B46000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF6B3E000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF3023000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF300B000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A22000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF3259000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77B4000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B3A000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF788C000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys
    0xBA518000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBA391000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB999C000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA430000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB98EE000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB96C7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB9468000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB91F7000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 34):
    0 System Idle Process
    4 System
    592 C:\WINDOWS\system32\smss.exe
    672 csrss.exe
    696 C:\WINDOWS\system32\winlogon.exe
    740 C:\WINDOWS\system32\services.exe
    752 C:\WINDOWS\system32\lsass.exe
    916 C:\WINDOWS\system32\svchost.exe
    964 svchost.exe
    1060 C:\WINDOWS\system32\svchost.exe
    1108 svchost.exe
    1172 svchost.exe
    1548 C:\WINDOWS\system32\spoolsv.exe
    1652 C:\WINDOWS\explorer.exe
    248 C:\WINDOWS\RTHDCPL.EXE
    292 C:\Program Files\PeoplePC\ISP7000\Browser\BartShel.exe
    436 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    456 C:\Program Files\Filseclab\xfilter\xfilter.exe
    496 C:\WINDOWS\system32\ctfmon.exe
    816 svchost.exe
    1104 C:\Program Files\LSI SoftModem\agrsmsvc.exe
    1148 aspnet_state.exe
    1436 PresentationFontCache.exe
    1492 C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    1668 C:\Program Files\Java\jre6\bin\jqs.exe
    1728 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    1752 C:\WINDOWS\system32\nvsvc32.exe
    232 C:\WINDOWS\system32\wuauclt.exe
    1948 alg.exe
    2448 C:\PROGRA~1\PeoplePC\ISP7000\Browser\PPShared.exe
    2564 C:\WINDOWS\system\hpsysdrv.exe
    2584 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    2684 C:\Documents and Settings\Compaq_Owner\Desktop\MBRCheck.exe
    2728 wmiprvse.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`c0050e00 (FAT32)

    PhysicalDrive0 Model Number: SAMSUNGSP2004C, Rev: VM100-54

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  19. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    We got it. Good job :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  20. systemmistress

    systemmistress TS Rookie Topic Starter Posts: 75

    I am afraid to try to delete Avast4 in Self-Protect mode.
    In fact I am going to wait and hear what you have to say about this issue.
    I do need to put Avira back on ASAP.
    Thank you.
    s
     
  21. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Do nothing else, but what I tell you.
    Make sure Windows Firewall is ON and you're safe.
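As an added example (written for this page; not Broni's code and not ComboFix's) of checking the two settings this advice depends on from a ComboFix-style registry listing: it parses the `[key]` and `"name"=value` lines in the format ComboFix prints under "Reg Loading Points", then flags `EnableFirewall=0` in the standard firewall profile (Windows Firewall off for the non-domain profile) and `AntiVirusOverride=1` under Security Center (antivirus status alerts suppressed). The sample lines are constructed in the same format; ComboFix's `~` shorthand in the key path is matched by suffix rather than expanded, and the `triage` function and its messages are this example's own, not ComboFix output.

```python
"""Added example for this thread: read firewall and Security Center state from
ComboFix-style registry lines. Sample log text is constructed, not the poster's."""
import re

KEY_RE = re.compile(r"^\s*\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*(.*?)\s*$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")      # "Name"=dword:00000001
DECIMAL_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # "Name"= 0 (0x0)


def parse_reg_dump(text):
    """Return {key_path_lower: {value_name_lower: int|str}} from ComboFix-style lines.
    Lines that are not a [key] or a "name"=value pair (service rows, @Denied lines) are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        d = DWORD_RE.match(raw)
        if d:
            val = int(d.group(1), 16)
        else:
            d = DECIMAL_RE.match(raw)
            val = int(d.group(1)) if d else raw
        keys[current][name] = val
    return keys


def lookup(keys, key_suffix, name):
    """Value under the first key whose path ends with key_suffix (ComboFix abbreviates prefixes)."""
    for path, values in keys.items():
        if path.endswith(key_suffix.lower()):
            return values.get(name.lower())
    return None


def triage(text):
    """Findings a helper would want before saying 'the firewall is on'."""
    keys = parse_reg_dump(text)
    findings = []
    fw = lookup(keys, r"services\sharedaccess\parameters\firewallpolicy\standardprofile", "EnableFirewall")
    if fw == 0:
        findings.append("Windows Firewall is OFF for the standard profile (EnableFirewall=0)")
    av = lookup(keys, r"microsoft\security center", "AntiVirusOverride")
    if av == 1:
        findings.append("Security Center antivirus alerts are suppressed (AntiVirusOverride=1)")
    return findings


# Constructed sample in ComboFix's format (same shape as the listing in this thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/17/2009 12:11 AM 114768]
"""

HEALTHY_LOG = SAMPLE_LOG.replace('"EnableFirewall"= 0 (0x0)', '"EnableFirewall"= 1 (0x1)') \
                        .replace("dword:00000001", "dword:00000000")

if __name__ == "__main__":
    for msg in triage(SAMPLE_LOG) or ["no firewall / Security Center findings"]:
        print(msg)
```

On a live XP box the same two values live at HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall and HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride; the point of reading them from the log is that they show what the machine was actually configured to do, independent of what the tray icon claims.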
     
  22. systemmistress

    systemmistress TS Rookie Topic Starter Posts: 75

    ComboFix 10-08-28.02 - Compaq_Owner 08/29/2010 22:26:44.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.220 [GMT -4:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.0 [VPS 000000-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Filseclab Personal Firewall *disabled* {EB4DA513-3B0A-4FCB-86A7-F1243757EFF2}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Compaq_Owner\GoToAssistDownloadHelper.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
    .

    2010-08-28 04:28 . 2010-08-28 04:28 -------- d-----w- c:\program files\7-Zip
    2010-08-27 19:14 . 2010-08-27 19:14 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2010-08-27 19:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-27 19:13 . 2010-08-27 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-27 19:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-27 16:24 . 2006-09-02 02:45 222 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\o80qd9p5.Sandra\extensions\Extended@spanglerco.com\open.cmd
    2010-08-27 10:41 . 2010-08-27 10:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Temp
    2010-08-27 10:40 . 2010-08-27 10:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google
    2010-08-23 19:29 . 2008-04-14 00:12 11325 ----a-w- c:\windows\system32\dllcache\vchnt5.dll
    2010-08-22 17:35 . 2010-08-22 17:35 -------- d-----w- c:\program files\MSECache
    2010-08-21 08:01 . 2010-08-21 08:01 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Help
    2010-08-20 18:39 . 2010-08-20 18:39 388096 ------r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-20 18:39 . 2010-08-20 18:39 -------- d-----w- c:\program files\Trend Micro
    2010-08-16 17:37 . 2010-08-16 17:37 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\VSRevoGroup
    2010-08-16 04:20 . 2010-08-16 04:20 -------- d-----w- c:\program files\Sophos
    2010-08-16 02:16 . 2010-08-16 02:17 -------- d-----w- c:\program files\Speccy
    2010-08-14 22:28 . 2010-08-14 22:28 -------- d-----w- c:\program files\Common Files\Java
    2010-08-14 22:28 . 2010-08-14 22:28 503808 ------w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1a4b79aa-n\msvcp71.dll
    2010-08-14 22:28 . 2010-08-14 22:28 499712 ------w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1a4b79aa-n\jmc.dll
    2010-08-14 22:28 . 2010-08-14 22:28 348160 ------w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1a4b79aa-n\msvcr71.dll
    2010-08-14 22:27 . 2010-08-14 22:27 61440 ------w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5157a20a-n\decora-sse.dll
    2010-08-14 22:27 . 2010-08-14 22:27 12800 ------w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5157a20a-n\decora-d3d.dll
    2010-08-14 21:00 . 2010-08-14 21:00 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Chromium
    2010-08-14 21:00 . 2010-08-14 21:00 -------- d-----w- c:\program files\SRWare Iron
    2010-08-13 17:28 . 2010-08-16 03:54 -------- d-----w- C:\AV-CLS
    2010-08-13 00:25 . 2010-08-13 03:48 -------- d-----w- c:\windows\BDOSCAN8
    2010-08-10 07:21 . 2010-08-10 07:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\DiskSpaceFan
    2010-08-10 07:20 . 2010-08-10 07:20 -------- d-----w- c:\program files\DiskSpaceFan
    2010-08-10 07:05 . 2010-08-10 07:05 -------- d-----w- c:\program files\ZPaint 1.4
    2010-08-07 07:50 . 2010-08-16 03:59 63488 ------w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-08-05 20:43 . 2010-08-05 20:43 52224 ------w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-30 02:21 . 2009-03-30 11:33 50880 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-30 02:00 . 2009-04-07 14:46 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-08-30 01:42 . 2010-01-28 18:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\StumbleUpon
    2010-08-30 01:32 . 2010-06-28 21:45 243840 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-08-26 21:40 . 2010-01-16 14:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\PeoplePal
    2010-08-26 21:22 . 2009-04-20 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\VistaCodecs
    2010-08-25 17:38 . 2010-03-03 04:40 -------- d-----w- c:\program files\Common Files\Filseclab
    2010-08-22 17:08 . 2010-02-16 20:16 -------- d-----w- c:\program files\Recuva
    2010-08-21 10:01 . 2001-06-27 22:29 1134592 ----a-w- c:\windows\system32\ntbackup.exe
    2010-08-20 19:36 . 2009-03-30 12:23 -------- d-----w- c:\program files\Alwil Software
    2010-08-17 06:46 . 2009-03-30 15:31 -------- d-----w- c:\program files\VS Revo Group
    2010-08-16 03:58 . 2009-04-05 19:18 117760 ------w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-16 02:13 . 2009-04-01 04:49 -------- d-----w- c:\program files\CCleaner
    2010-08-14 22:27 . 2005-05-11 00:28 -------- d-----w- c:\program files\Java
    2010-08-05 20:59 . 2009-04-05 19:17 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-29 14:13 . 2010-07-29 14:13 -------- d-----w- c:\program files\Citrix
    2010-07-27 11:56 . 2009-12-09 21:53 -------- d-----w- c:\program files\HeyDoc
    2010-07-17 09:00 . 2010-04-16 22:34 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
    2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-27 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "nwiz"="nwiz.exe" [2006-05-09 1519616]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
    "Bart Station"="c:\program files\PeoplePC\ISP7000\BIN\PPCOLink.exe" [2008-02-25 25944]
    "RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "XFILTER"="c:\program files\Filseclab\xfilter\xfilter.exe" [2006-12-23 901120]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-5-10 27136]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-10-26 04:37 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\AV-CLS\\WGET.EXE"=

    R0 XPacket;Filseclab Packet Filter;c:\windows\system32\xpacket.sys [3/3/2010 12:40 AM 126224]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/17/2009 12:11 AM 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [3/23/2009 2:07 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/17/2009 12:11 AM 20560]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\14F.tmp --> c:\windows\system32\14F.tmp [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 12872]
    S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [3/23/2009 11:43 PM 120168]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2204943530-153763967-1977393198-1009Core.job
    - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 10:40]

    2010-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2204943530-153763967-1977393198-1009UA.job
    - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 10:40]

    2010-08-24 c:\windows\Tasks\HPCeeSchedule.job
    - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-09 02:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://home.peoplepc.com/websearch
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
    IE: ZoomInto - c:\documents and settings\Compaq_Owner\Application Data\Zoominto\zoominto.htm
    LSP: c:\program files\Filseclab\xfilter\XFILTER.DLL
    TCP: {523E608B-4D4B-41B8-908D-FEA1131E7ED1} = 207.69.188.185,207.69.188.186
    FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\o80qd9p5.Sandra\
    FF - prefs.js: browser.search.selectedEngine - Scroogle SSL
    FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
    FF - plugin: c:\program files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll
    FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
    AddRemove-LSI Soft Modem - c:\windows\agrsmdel



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-29 22:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\14F.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2204943530-153763967-1977393198-1009\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(752)
    c:\program files\Filseclab\xfilter\XFILTER.DLL
    .
    Completion time: 2010-08-29 22:33:48
    ComboFix-quarantined-files.txt 2010-08-30 02:33

    Pre-Run: 175,249,088,512 bytes free
    Post-Run: 175,208,292,352 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - F445B8A5A44FAA501928C7C52F50B01B
     
  23. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    It looks good :)

    Now, we'll try to remove Avast.

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  24. systemmistress

    systemmistress TS Rookie Topic Starter Posts: 75

    I tried to post log files from OTL and got a message that the file is too long (780000, and the max is 20000).

    How do you want this split?
     
  25. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Yes, please.
     