Solved Followed 5 step removal. Next step?

Delseg

Hi. My computer went black and popped up numerous mini windows and pop-up tabs on the bottom taskbar, one of them saying "Hard drive clusters are partly damaged". I followed your 5 steps and here are the logs:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.04.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
SEGURA :: SEGURA-PC [administrator]

2/4/2012 12:10:44 AM
mbam-log-2012-02-04 (00-10-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219016
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dll (Trojan.Agent) -> Data: rundll32 dll32,sm -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s -> Quarantined and deleted successfully.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

They were very clear instructions and downloads went smoothly. I hope I've done everything right. Your help will be greatly appreciated.
 
gmer log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-04 12:19:26
Windows 6.0.6002 Service Pack 2
Running: w90fw6cs[1].exe; Driver: C:\Users\SEGURA\AppData\Local\Temp\uwdiqpow.sys


---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\r3 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG1 9216 bytes
File C:\## aswSnx private storage\snx_rhive.LOG2 0 bytes
File C:\## aswSnx private storage\snx_rhive{9aac3892-4f02-11e1-a856-001e3340df9d}.TM.blf 65536 bytes
File C:\## aswSnx private storage\snx_rhive{9aac3892-4f02-11e1-a856-001e3340df9d}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\## aswSnx private storage\snx_rhive{9aac3892-4f02-11e1-a856-001e3340df9d}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
File C:\Windows\$NtUninstallKB65229$\2571265935 0 bytes
File C:\Windows\$NtUninstallKB65229$\2571265935\U 0 bytes
File C:\Windows\$NtUninstallKB65229$\3525520853 0 bytes

---- EOF - GMER 1.0.15 ----
 
dds

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by SEGURA at 12:36:11 on 2012-02-04
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: RebateRobot BHO: {fa3fedf6-1a34-4076-9f25-a26a2de6a401} - c:\program files\rebaterobot\RebateRobot.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S28CC.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Skytel] Skytel.exe
mRun: [T-Mobile webConnect Manager] "c:\program files\t-mobile\webconnect manager\TMobileCM.exe" -a
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: intuit.com\community
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mktg.webex.com/client/T26L/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A3EB1582-E3FC-46E7-B3FE-56D369801665} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{DAF6BA8E-8071-48B4-82AF-7E5BF8F22606} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{DAF6BA8E-8071-48B4-82AF-7E5BF8F22606} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E53C32FA-66C4-49E6-AF2D-5C68493AA9CE} : DhcpNameServer = 10.177.0.34 10.166.208.148
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R? CATmobile;T-Mobile Con App Svc
R? ewusbnet;HUAWEI USB-NDIS miniport
R? ExpressInvoiceService;Express Invoice
R? fssfltr;fssfltr
R? fsssvc;Windows Live Family Safety Service
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? hwusbdev;Huawei DataCard USB PNP Device
R? tmobile_mf691_cdc_acm;T-Mobile MF691 CDC-ACM driver
R? tmobile_mf691_cdc_ecm;tmobile_mf691_cdc_ecm
R? tmobile_mf691_cpo;T-Mobile webConnect CPO device
R? TMobileRcAppSvc;T-Mobile RcApp Svc
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? CLPSLS;COMODO livePCsupport Service
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
S? ConfigFree Service;ConfigFree Service
S? FwLnk;FwLnk Driver
S? tmobile_mf691_dc_enum;T-Mobile MF691 DC Enumerator
S? TOSHIBA SMART Log Service;TOSHIBA SMART Log Service
S? uwdiqpow;uwdiqpow
.
=============== Created Last 30 ================
.
2012-02-04 18:22:11 -------- d-----w- c:\users\segura\appdata\local\Comodo
2012-02-04 07:36:21 -------- d-----w- c:\programdata\CPA_VA
2012-02-04 07:29:26 -------- d-----w- c:\programdata\Comodo
2012-02-04 07:29:01 -------- d-----w- c:\program files\Comodo
2012-02-04 06:09:13 -------- d-----w- c:\users\segura\appdata\roaming\Malwarebytes
2012-02-04 06:08:44 -------- d-----w- c:\programdata\Malwarebytes
2012-02-04 06:08:42 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-04 06:08:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-04 05:56:59 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-04 05:56:58 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-02-04 05:56:23 41184 ----a-w- c:\windows\avastSS.scr
2012-02-04 05:55:31 -------- d-----w- c:\programdata\AVAST Software
2012-02-04 05:55:31 -------- d-----w- c:\program files\AVAST Software
2012-02-04 03:38:06 -------- d--h--w- c:\users\segura\appdata\local\CrashDumps
2012-02-04 03:01:03 -------- d--h--w- c:\users\segura\appdata\roaming\Systweak
2012-02-04 03:00:58 -------- d--h--w- C:\skin
2012-02-04 03:00:58 -------- d--h--w- C:\defaults
2012-02-04 03:00:58 -------- d--h--w- C:\content
2012-02-04 03:00:57 811 ----a-w- C:\compile.bat
2012-02-04 03:00:57 -------- d-----w- c:\program files\RebateRobot
2012-02-04 03:00:54 17280 ----a-w- c:\windows\system32\roboot.exe
2012-02-04 03:00:51 -------- d-----w- c:\program files\RegClean Pro
2012-02-03 04:55:41 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-03 04:09:45 709154 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-02-03 03:53:01 337032 ---ha-w- c:\programdata\RdsZxl2zOqKEJQ.exe
2012-01-18 03:00:32 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
.
==================== Find3M ====================
.
2011-12-20 00:59:06 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-20 00:59:04 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-20 00:58:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-20 00:58:56 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-03 19:41:57 116224 ---ha-w- c:\programdata\SqWs1pyv.exe_
.
============= FINISH: 12:44:02.66 ===============
 
Attach

.
==== Installed Programs ======================
.
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat Reader 3.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player
Apple Software Update
ArcSoft PhotoImpression 6
ArcSoft Print Creations
ATT-HSI
avast! Free Antivirus
Bluetooth Stack for Windows by Toshiba
Camera Assistant Software for Toshiba
CD/DVD Drive Acoustic Silencer
Comodo Dragon
COMODO GeekBuddy
COMODO Internet Security
Compatibility Pack for the 2007 Office system
CyberLink PowerCinema for TOSHIBA
DVD MovieFactory for TOSHIBA
EPSON CX8400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX8400 Series Scanner Driver Update
EPSON Web-To-Page
Excel Invoice Manager 2.21.1024
Express Invoice
GearDrvs
Google Update Helper
HVAC Personnel Assessment
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Intel® Matrix Storage Manager
Java(TM) 6 Update 3
Junk Mail filter update
LimeWire 5.5.14
Malwarebytes Anti-Malware version 1.60.1.1000
mCorev32.ism_new
mCPlug
Memeo AutoBackup
mHelp
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser
mMHouse
Move Networks Media Player for Internet Explorer
mPfMgr
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Music Oasis
Norton Internet Security
QuickBooks
QuickBooks Pro 2009
QuickTime
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
RebateRobot for Online Shopping version 1.0.1
RegClean Pro
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Windows Media Encoder (KB954156)
Skype™ 4.1
Spelling Dictionaries Support For Adobe Reader 8
SupportSoft Assisted Service
Synaptics Pointing Device Driver
T-Mobile webConnect Manager
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Unity Web Player
WebEx
WildTangent Games
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Encoder 9 Series
Yahoo! Install Manager
Yahoo! Software Update
Yahoo! Toolbar
.
==== End Of File ===========================
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

============================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR

Thank you for your response and help. OK I have finally hit a roadblock. When I click the link to dl aswMBR it does ask me to run so I do. Then User Account Control box pops up asking if I will allow it. I do. Then the dialog box pops up showing it downloading. Once it completes, the box disappears then nothing happens. I did find the file and when I click it to open it, nothing happens. I tested your link on my other laptop and it downloaded and popped up the black screen with data and buttons for scan and fix mbr and stuff so your link works but for some reason this computer won't open it.
 
bootkit

Grrrr I don't know why it's being difficult now.
Ok when I click on the link it takes me straight to Smartest Computing, the Downloads tab, but there is nothing available to DL. It is just white screen. I've retried this several times and at times the bottom left corner will tell me "Done" or "errors on page".
Once again I clicked the link on my working laptop and it shows your file to Download, so something is just not letting me see it on this one.
 
Bootkit Remover

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
32 bit

ListParts by Farbar
Ran by SEGURA on 05-02-2012 at 21:01:51
Windows Vista (X86)
Running From: C:\Users\SEGURA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B56095XT
************************************************************

========================= Memory info ======================

Percentage of memory in use: 48%
Total physical RAM: 3061.21 MB
Available physical RAM: 1589.08 MB
Total Pagefile: 6324.7 MB
Available Pagefile: 4602.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.65 MB

======================= Partitions =========================

1 Drive c: (SQ004710V01) (Fixed) (Total:231.42 GB) (Free:171.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 231 GB 1501 MB
Partition 3 Primary 1016 KB 233 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004710V01 NTFS Partition 231 GB Healthy System (partition with boot components)

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.



****** End Of Log ******
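The ListParts output above shows what the later diagnosis rests on: a 1016 KB third partition of type 17 that is hidden, has no volume, and yet carries the active (boot) flag, while the real Windows volume does not. The following is an added example, not code from the thread or from the ListParts or Bootkit Remover tools: it parses the partition table of a raw 512-byte MBR sector (the kind of dump the "remover.exe dump" command in the earlier log produces) and flags entries with that combination. The sample sector is constructed to mirror the layout in the log; the list of "hidden" partition type ids is an assumption drawn from the classic MBR type table.

```python
"""Parse a 512-byte MBR partition table and flag entries that look like the
finding in the ListParts log: a hidden partition type carrying the active/boot
flag on a tiny partition.  Added example; the sample sector is constructed,
not a dump of the poster's disk."""
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
SECTOR_BYTES = 512
# Partition type ids commonly treated as "hidden" (assumed list from the
# classic MBR type table; 0x17 = hidden NTFS, 0x27 = hidden OEM/WinRE).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}


def make_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry.  CHS fields are zeroed because
    modern firmware and tools only honour the LBA fields."""
    return struct.pack(ENTRY_FMT, status, b"\0" * 3, ptype, b"\0" * 3, lba_start, sectors)


def build_sample_mbr():
    """Constructed sector mirroring the ListParts layout: hidden OEM partition
    (type 0x27, 1500 MB), the Windows NTFS volume (type 0x07, 231 GB) and a
    1016 KB type 0x17 partition at the end of the disk with the boot flag set."""
    per_mib = 2048                                   # 512-byte sectors per MiB
    p1_start, p1_len = 2048, 1500 * per_mib
    p2_start, p2_len = p1_start + p1_len, 231 * 1024 * per_mib
    p3_start, p3_len = p2_start + p2_len, 2032       # 2032 sectors = 1016 KB
    table = (make_entry(0x00, 0x27, p1_start, p1_len)
             + make_entry(0x00, 0x07, p2_start, p2_len)
             + make_entry(0x80, 0x17, p3_start, p3_len)
             + b"\0" * ENTRY_SIZE)                   # unused fourth slot
    return b"\0" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE


def parse_partition_table(sector):
    """Return the non-empty primary partition entries of an MBR sector as dicts."""
    if len(sector) != SECTOR_BYTES or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector with a 55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:                               # empty slot
            continue
        entries.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR_BYTES / (1024 * 1024),
        })
    return entries


def find_suspicious(entries, tiny_mb=16):
    """Flag entries whose flags do not fit a normal layout.  Returns a list of
    (partition index, [reasons]); index 0 is used for table-wide problems."""
    findings = []
    for e in entries:
        reasons = []
        if e["active"] and e["type"] in HIDDEN_TYPES:
            reasons.append("boot flag set on a hidden partition type 0x%02X" % e["type"])
        if e["active"] and e["size_mb"] <= tiny_mb:
            reasons.append("boot flag set on a tiny partition (%.2f MB)" % e["size_mb"])
        if reasons:
            findings.append((e["index"], reasons))
    active = [e for e in entries if e["active"]]
    if len(active) != 1:                             # a sane MBR has exactly one
        findings.append((0, ["%d partitions carry the boot flag" % len(active)]))
    return findings


if __name__ == "__main__":
    for idx, reasons in find_suspicious(parse_partition_table(build_sample_mbr())):
        print("partition %d: %s" % (idx, "; ".join(reasons)))
```

Run against a real dump, the same two checks (boot flag on a hidden type, boot flag on a partition far too small to hold an operating system) are the cheap signal that the boot code has been redirected; the fix the helper applies afterwards, moving the boot flag back to the Windows volume and removing the extra partition, is exactly the inverse of what the parser reports.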
 
You're infected with TDL rootkit.

Download GETxPUD.exe to the desktop of your clean computer

  • Double click on GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Insert blank CD into your CD drive.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Boot the bad computer from the CD
  • Press Tool at the top
  • Choose Open Terminal
  • Type parted /dev/sda set 2 boot on
  • Press Enter
  • Type parted /dev/sda rm 3
  • Press Enter
  • Remove xPUD CD, reboot, run aswMBR and post the log
 
stuck

Ok I was able to do steps up to burn the image but when you say "boot the bad computer from the cd", I just can't figure out what to do. The only tool(s) I'm coming across is on the top of the window and there isn't anything about opening terminal. Can you elaborate for me as to what's next? I'm sorry I don't know what you mean.
 
under "computer"

file edit view tools help; Under tools: "map network drive, disconnect network drive, open sync center, folder options". DVD drive window: Security Catalog "Boot", File Folder "Boot", "OPT", a CFG file, and a BIN file. Every time one of those is clicked, the toolbar options don't change. Am I doing something wrong?
 
file

"Add a network location" and "close"
That's under the DVD drive. If I click on an icon and go to file I get: Open, explore, share, scan OPT, scan with malwarebytes, burn to disk, send to, new, properties, and close.
 
Put the CD in and restart computer.
Watch the screen.
At some point you should see a message:
"Press any key to boot from CD".
If this is a Dell computer, press F12 at Dell's logo and you'll see the option to boot from the CD.
 
Yea I inserted the CD, Restarted, and watched the screen. Nothing. It said "shutting down", then went black for a second, then I saw a rectangle with little blocks with moving colors, screen changed again to a blue window with the Windows logo in the middle, then straight to the desktop background. Never saw a message :( When I do insert the CD it takes me to Windows Photo Gallery :/
 
Yes I was able to do it on my clean computer. After pressing restart and shutting down it went straight to the xpud screen and booted. It's in a Welcome to xPUD home screen now on my clean computer.
 
Let's try a different way.

WARNING!
Proceed with extreme caution!
Deleting the wrong partition will result in your computer being unusable.
If you have any doubts, ask.


===========================================================================================

Download gparted-live-0.11.0-7.iso (119.8 MB)

Burn it to a CD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
Boot off of the newly created Gparted CD.

You should be here:
gpartedsplash.png

Press Enter.

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:
gpartedkeymaps.png


Choose your language and press ENTER. English is default [33]:
gpartedlanguage.png


Once again, at this prompt, press ENTER:
gpartedgui.png


You will now be taken to the main GUI screen below:
gpartedo.png

According to your logs, the partition that you want to delete is the small partition of 1016 KB.
Click on it to highlight it.
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
gpartedsteps.png


Now you should be here:
gpartedsuccessclose.png


Is "boot" next to your OS drive?
gpartedboot.png


If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

In the menu that pops up, place a checkmark in boot like the picture below:
gpartedmanageflagsboot.png


Now double-click the
gpartedexit.png
button.

You should receive a small pop up like this:
gpartedexitreboot.png


Choose reboot and then press OK.
 