Solved Followed the 8 steps, posting logs here. Help, Please!

SurgeonG

Logs are big, attaching them to post. Please advise. I can't connect to windows update site. I am so tired I am ready to buy a new laptop!
 

Attachments: Attach.txt (5.9 KB), DDS.txt (7.8 KB), gmer.log (5.8 KB), mbam-log-2010-10-21 (20-49-49).txt (1,007 bytes)
You have a rootkit. Since you have attached the logs instead of pasting them in, using multiple posts if needed, it will take me 4 times the amount of time needed to check pasted logs.

Please download MBR Rootkit Detector and save it on your desktop.
  • Pause/Stop all antivirus/spyware active protection.
  • Then double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
============================
Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
========================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
============================================
Please paste all of these logs in your next replies. If you do not, I will not review them.

Important! Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
mbr report

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
 
combofix report

I am not sure if ComboFix completed its run. It got to a screen where it said it was done and finishing up, not to use the internet till it was complete, then my computer went to a blue background only. I figured it was still working so I let it sit all night like that, but it was still only a blue background in the morning. Here is the report; please let me know if I should re-run ComboFix.

ComboFix 10-10-22.04 - Will 10/22/2010 20:36:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1542 [GMT -7:00]
Running from: C:\Documents and Settings\Will\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
.

2010-10-22 03:41:34 . 2010-10-22 03:41:34 -------- d-----w- C:\Documents and Settings\Will\Application Data\Malwarebytes
2010-10-22 03:41:27 . 2010-04-29 22:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-10-22 03:41:26 . 2010-10-22 03:41:26 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-10-22 03:41:25 . 2010-10-22 03:41:30 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-10-22 03:41:25 . 2010-04-29 22:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-10-22 03:31:58 . 2010-09-07 15:12:17 38848 ----a-w- C:\WINDOWS\avastSS.scr
2010-10-22 03:24:39 . 2010-09-07 14:52:03 165584 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
2010-10-22 03:24:39 . 2010-09-07 14:47:07 17744 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010-10-22 03:24:37 . 2010-09-07 14:47:46 23376 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2010-10-22 03:24:36 . 2010-09-07 14:52:25 46672 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2010-10-22 03:24:35 . 2010-09-07 14:47:19 100176 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
2010-10-22 03:24:35 . 2010-09-07 14:47:16 94544 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
2010-10-22 03:24:34 . 2010-09-07 14:46:51 28880 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
2010-10-22 03:24:20 . 2010-09-07 15:11:54 167592 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2010-10-22 03:24:14 . 2010-10-22 03:24:14 -------- d-----w- C:\Program Files\Alwil Software
2010-10-22 03:24:14 . 2010-10-22 03:24:14 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Alwil Software
2010-10-22 03:07:56 . 2010-10-22 03:07:56 -------- d-----w- C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla
2010-10-22 01:51:14 . 2010-10-22 01:51:14 -------- d-s---w- C:\Documents and Settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 07:24:00 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-17 02:29:54 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 19:01:14 67584]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 13:08:42 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 21:30:44 282624]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 17:13:32 1032192]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 16:48:02 761947]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 22:41:22 45056]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 01:29:52 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 06:05:00 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 15:44:02 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 15:44:02 81920]
"avast5"="C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 15:12:02 2838912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-9-25 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
 
ESET report

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ec4d0776e2c94243ad98c54672a28f2a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-23 04:14:35
# local_time=2010-10-23 09:14:35 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=42773
# found=0
# cleaned=0
# scan_time=1118
 
Please update and run Malwarebytes again. The malware entry it found says No Action Taken. Please pay particular attention to the line:
Be sure that everything is checked, and click Remove Selected.

The Combofix report isn't complete, so I would like you to run it again. Before you do, please run another MBR check with this:

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni

Order for programs:
1. Rescan with Malwarebytes
2. Run Bootkit Remover
3. Rescan with Combofix
Leave all logs pasted in next replies. Okay to use multiple posts.
 
Updated and ran the test again. I checked all the boxes.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4945

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/25/2010 1:43:52 PM
mbam-log-2010-10-25 (13-43-52).txt

Scan type: Quick scan
Objects scanned: 147629
Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
bootkit remover

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
combofix report

ComboFix 10-10-24.06 - Will 10/25/2010 14:17:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1671 [GMT -7:00]
Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-09-25 to 2010-10-25 )))))))))))))))))))))))))))))))
.

2010-10-25 20:05 . 2010-10-25 20:05 -------- d-----w- c:\program files\ACDSee32
2010-10-25 19:58 . 2004-08-04 06:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-10-23 15:47 . 2010-10-23 15:47 -------- d-----w- c:\program files\ESET
2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\Will\Application Data\Malwarebytes
2010-10-22 03:41 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-22 03:41 . 2010-10-25 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-22 03:41 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-22 03:31 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-22 03:24 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-22 03:24 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-22 03:24 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-22 03:24 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-22 03:24 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-22 03:24 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-22 03:24 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-22 03:24 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\program files\Alwil Software
2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-22 03:07 . 2010-10-22 03:07 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\Mozilla
2010-10-22 01:51 . 2010-10-22 01:51 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-23_04.20.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-25 21:23 . 2010-10-25 21:23 16384 c:\windows\Temp\Perflib_Perfdata_888.dat
+ 2005-08-16 09:18 . 2010-10-25 20:39 61590 c:\windows\system32\perfc009.dat
- 2005-08-16 09:18 . 2010-10-23 03:07 61590 c:\windows\system32\perfc009.dat
+ 2010-10-25 19:58 . 2004-08-04 06:08 26496 c:\windows\system32\drivers\USBSTOR.SYS
+ 2010-10-25 19:45 . 2010-10-25 21:22 2580 c:\windows\SoftwareDistribution\EventCache\{E619B0B5-62FB-436E-AA67-284E5EC2B7BB}.bin
+ 2010-10-24 13:48 . 2010-10-24 21:23 2580 c:\windows\SoftwareDistribution\EventCache\{A1A57006-0910-47D1-8C36-AA5DFC1F16F1}.bin
+ 2005-08-16 09:18 . 2010-10-25 20:39 400090 c:\windows\system32\perfh009.dat
- 2005-08-16 09:18 . 2010-10-23 03:07 400090 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-25 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/21/2010 8:24 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/21/2010 8:24 PM 17744]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4060925
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\x03jkyfw.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-25 14:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
Windows 5.1.2600

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D80446]<<
1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk0\DR0[0x89E01AB8]
2 ntkrnlpa[0x804EEF9C] -> CLASSPNP.SYS[0xBA0E905B] -> \Device\Harddisk0\DR0[0x89E01AB8]
3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> [0x89DE89A8]
\Driver\atapi[0x89D91270] -> IRP_MJ_CREATE -> 0x89D80446
4 ntkrnlpa[0x804EEF9C] -> UNKNOWN[0x89D80449] -> [0x89DE89A8]
kernel: MBR read successfully
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS541612J9SA00_________________SBDOC74P#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi DriverStartIo -> 0x89D80292
\Driver\atapi -> atapi.sys @ 0xb9f117b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
SecurityProcedure -> ntkrnlpa.exe @ 0x80582a26
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
SecurityProcedure -> ntkrnlpa.exe @ 0x80582a26
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9e09ba0
PacketIndicateHandler -> NDIS.sys @ 0xb9e16b21
SendHandler -> NDIS.sys @ 0xb9df487b
user != kernel MBR !!!
sectors 231496394 (+255): user != kernel

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-10-25 14:26:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-25 21:25

Pre-Run: 73,141,604,352 bytes free
Post-Run: 73,063,165,952 bytes free

- - End Of File - - 85B62259481FD7FF5A21015F01A6DF8E
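The detector output in the report above ("user != kernel MBR !!!" with a sector range near the end of the disk) is a cross-view check: the MBR obtained through the normal user-mode path is compared with the one the kernel reads from the disk driver directly, and a difference means something in the disk stack is serving a clean copy. The following is an added example (my code, not from the thread or from any tool mentioned in it) that shows the comparison on constructed 512-byte MBR images: it parses the partition table, diffs a user view against a kernel view, and classifies a reported sector range. Reading "(+255)" as a sector count and the constructed disk size are my assumptions.

```python
"""Cross-view MBR check on constructed images (added example, not from the thread)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow
SIGNATURE_OFFSET = 510        # 0x55 0xAA closes the sector
DISK_SECTORS = 231_496_650    # constructed: a 110 GiB disk, same size class as the thread's


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # last sector that belongs to this partition
        return self.lba_start + self.sectors - 1


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four classic MBR partition entries; empty slots are skipped."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PARTITION_TABLE_OFFSET + 16 * i: PARTITION_TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 and sectors == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def cross_view_diff(user_view: bytes, kernel_view: bytes) -> dict:
    """Compare the user-mode and kernel views of sector 0.

    An empty 'regions' list is the "user & kernel MBR OK" case; otherwise the
    differing byte ranges are reported together with the MBR areas they touch.
    """
    regions: List[Tuple[int, int]] = []
    first_diff = None
    for off, (u, k) in enumerate(zip(user_view, kernel_view)):
        if u != k:
            if first_diff is None:
                first_diff = off
        elif first_diff is not None:
            regions.append((first_diff, off - 1))
            first_diff = None
    if first_diff is not None:
        regions.append((first_diff, MBR_SIZE - 1))
    areas = set()
    for start, end in regions:
        if start < BOOT_CODE_SIZE:
            areas.add("boot_code")
        if end >= PARTITION_TABLE_OFFSET and start < SIGNATURE_OFFSET:
            areas.add("partition_table")
        if end >= SIGNATURE_OFFSET:
            areas.add("signature")
    return {"match": not regions, "regions": regions, "areas": sorted(areas)}


def locate_sectors(parts: List[Partition], lba_start: int, count: int, disk_sectors: int) -> str:
    """Say where a reported sector range sits relative to the partition layout.

    Space after the last partition belongs to no file system, so nothing that
    walks the volumes will ever list what is stored there.
    """
    lba_end = lba_start + count
    for p in parts:
        if lba_start >= p.lba_start and lba_end <= p.lba_end:
            return f"inside partition {p.index}"
    if lba_end >= disk_sectors:
        return "beyond end of disk"
    last_end = max((p.lba_end for p in parts), default=-1)
    if lba_start > last_end:
        return "unallocated tail after last partition"
    if parts and lba_end < min(p.lba_start for p in parts):
        return "gap before first partition"
    return "overlaps partition boundaries"


def build_clean_mbr() -> bytes:
    """Constructed test image: placeholder boot code, one bootable NTFS partition."""
    boot_code = bytes([0xEB, 0x58, 0x90]) + b"\x00" * (BOOT_CODE_SIZE - 3)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 231_000_000)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


def build_kernel_view(clean: bytes) -> bytes:
    """Constructed: same table and signature, but the first 16 boot-code bytes differ."""
    patched = bytearray(clean)
    patched[0:16] = b"\xb8\x00\x00" + b"\x90" * 13  # placeholder bytes, not real boot code
    return bytes(patched)
```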
 
You didn't do anything wrong; I'm just running behind.
Please do the following:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Rewrite the boot code of the first physical disk with Bootkit Remover
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!

Checking Combofix now.

EDIT: Please don't do any more downloading while I'm working with you unless I instruct you to: (2010-10-25 20:05 -------- d-----w- c:\program files\ACDSee32)
 
Please run this Custom CFScript

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Extra::
File::
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
Firefox::
Firefox-: - Profile - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\x03jkyfw.default\

DDS::
uSearch Bar = 
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
mRun: [<NO NAME>] 
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Both Adobe Reader and Java are out of date. Please install the newest versions of each. Then go to Add/Remove Programs and uninstall any earlier versions of each:
Visit this Adobe Reader site
Check this site: Java Updates
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
ComboFix 10-10-27.A3 - Will 10/28/2010 11:58:19.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1672 [GMT -7:00]
Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Will\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll"
"c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk
c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
c:\program files\java\jre1.5.0_06\bin\ssv.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-25 23:28 . 2010-10-25 23:29 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\Adobe
2010-10-25 20:05 . 2010-10-25 20:05 -------- d-----w- c:\program files\ACDSee32
2010-10-25 19:58 . 2004-08-04 06:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-25 19:58 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-10-23 15:47 . 2010-10-23 15:47 -------- d-----w- c:\program files\ESET
2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\Will\Application Data\Malwarebytes
2010-10-22 03:41 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-22 03:41 . 2010-10-22 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-22 03:41 . 2010-10-25 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-22 03:41 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-22 03:31 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-22 03:24 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-22 03:24 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-22 03:24 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-22 03:24 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-22 03:24 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-22 03:24 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-22 03:24 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-22 03:24 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\program files\Alwil Software
2010-10-22 03:24 . 2010-10-22 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-22 03:07 . 2010-10-22 03:07 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\Mozilla
2010-10-22 01:51 . 2010-10-22 01:51 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-23_04.20.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-28 18:57 . 2010-10-28 18:57 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
- 2005-08-16 09:18 . 2010-10-23 03:07 61590 c:\windows\system32\perfc009.dat
+ 2005-08-16 09:18 . 2010-10-25 20:39 61590 c:\windows\system32\perfc009.dat
+ 2010-10-25 19:58 . 2004-08-04 06:08 26496 c:\windows\system32\drivers\USBSTOR.SYS
+ 2010-10-26 20:06 . 2010-10-26 20:06 2580 c:\windows\SoftwareDistribution\EventCache\{E71E3D8D-0177-48B9-974B-23613D167D6D}.bin
+ 2010-10-25 19:45 . 2010-10-26 02:24 3866 c:\windows\SoftwareDistribution\EventCache\{E619B0B5-62FB-436E-AA67-284E5EC2B7BB}.bin
+ 2010-10-24 13:48 . 2010-10-24 21:23 2580 c:\windows\SoftwareDistribution\EventCache\{A1A57006-0910-47D1-8C36-AA5DFC1F16F1}.bin
+ 2010-10-28 18:46 . 2010-10-28 18:46 2580 c:\windows\SoftwareDistribution\EventCache\{1127E945-02AD-489B-B85A-65D3783E9AEF}.bin
- 2005-08-16 09:18 . 2010-10-23 03:07 400090 c:\windows\system32\perfh009.dat
+ 2005-08-16 09:18 . 2010-10-25 20:39 400090 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-25 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/21/2010 8:24 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/21/2010 8:24 PM 17744]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4060925
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\x03jkyfw.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 12:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D7C446]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-10-28 12:03:40
ComboFix-quarantined-files.txt 2010-10-28 19:03
ComboFix2.txt 2010-10-25 21:26

Pre-Run: 72,874,745,856 bytes free
Post-Run: 72,867,119,104 bytes free

- - End Of File - - 34FBCAA3990E1FEB64B1B3943454E09C
 
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \.\PhysicalDrive0    
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
===========================================
The only problem you mentioned was not being able to get the Windows update. Has that improved? Do you have a malware-related problem?
 
I still cannot access Windows Updates. When I try, it can't find the website. My computer will run for about 20 min before I get a "system 32" or something like that error and Windows stops working. If I go to Google and search for something, when I click on the results every single link will open at some advertisement site, even if the result shows an official link.
I tried to restore an image from Ghost but the problem remains. I have a DVD saved with a Ghost image of my computer from when it was fresh out of the box, and if I restore that image the problem persists. Should I format my hard drive, then boot to the Ghost startup disk and restore the image? I wish you could take over my computer like the support people at work do.
Thank you again for all your help.


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
I wish you could take over my computer like the support people at work do.
You're not going to find that on a free forum that is staffed with volunteers!

Part of the problem is that you are attempting to work on the system while I am in the process of trying to help you. And when you comment "i get a system 32 or something like that error", that doesn't help either one of us! I'd like you to do the following in the order I have set up, and nothing else:

1. Run the ESET NOD32 Online AntiVirus scan here: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=======================================
2. Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe to run.

  • Select log to query, select
  • Application
  • System

    Under Select type to list, select:
  • Critical (Vista only)
  • Error

    Click the radio button for Number of events
  • Type 20 in the 1 to 20 box
  • Then click the Run button.
  • Notepad will open with the output log.

    Load the log
  • In Notepad, click Edit> Select all
  • Then press Edit > Copy
  • Press Ctrl+V on your keyboard to paste the log to your next reply.
(Courtesy rev-Olie)
=============================================
Please repeat remover.exe; I had some extra digits in the code:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \.\PhysicalDrive0    
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
=============================================
I notice you still have SP2; are you trying to get SP3?
Don't attempt to get the updates- let me check these logs and see if we can narrow the problem down. If you want to get remote assistance, call the Geek Squad, but be prepared to pay for the help. Most of those support people get paid by someone and remote assistance is more in depth than help on a free forum like this, where we are all volunteers with different levels of experience.
 
ESET log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ec4d0776e2c94243ad98c54672a28f2a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-23 04:14:35
# local_time=2010-10-23 09:14:35 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=42773
# found=0
# cleaned=0
# scan_time=1118
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ec4d0776e2c94243ad98c54672a28f2a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-31 01:56:09
# local_time=2010-10-30 06:56:09 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=46164
# found=0
# cleaned=0
# scan_time=1875
 
test

Vino's Event Viewer v01c run on Windows XP in English
Report run at 30/10/2010 7:38:54 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 30/10/2010 6:37:23 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.
 
Log: 'Application' Date/Time: 30/10/2010 6:28:50 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.
 
Vino's Event Viewer v01c run on Windows XP in English
Report run at 30/10/2010 7:38:54 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 30/10/2010 6:37:23 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 30/10/2010 6:28:50 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 30/10/2010 6:20:38 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Log: 'Application' Date/Time: 30/10/2010 6:20:38 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Log: 'Application' Date/Time: 30/10/2010 6:18:03 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 30/10/2010 6:18:03 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 30/10/2010 6:05:18 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 30/10/2010 10:54:40 AM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 30/10/2010 10:54:40 AM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 30/10/2010 9:52:14 AM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 29/10/2010 7:37:57 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 29/10/2010 7:37:56 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 29/10/2010 7:25:11 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 29/10/2010 7:19:14 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 29/10/2010 6:58:12 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 28/10/2010 12:18:55 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 28/10/2010 12:10:13 PM
Type: error Category: 0
Event: 5 Source: crypt32
Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 28/10/2010 12:07:55 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00021260.

Log: 'Application' Date/Time: 28/10/2010 11:45:30 AM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 27/10/2010 9:13:06 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 30/10/2010 6:06:16 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 28/10/2010 11:57:54 AM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 28/10/2010 11:50:53 AM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 27/10/2010 9:26:10 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 27/10/2010 6:37:55 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 25/10/2010 2:17:41 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 25/10/2010 2:14:14 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 25/10/2010 1:35:08 PM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Network Security service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 25/10/2010 1:34:45 PM
Type: error Category: 0
Event: 1 Source: sr
The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Log: 'System' Date/Time: 24/10/2010 6:48:02 AM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 21/10/2010 8:33:58 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The MSSQL$MICROSOFTSMLBIZ service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 21/10/2010 8:33:58 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 21/10/2010 8:33:57 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 21/10/2010 8:33:57 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 21/10/2010 8:31:59 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

Log: 'System' Date/Time: 21/10/2010 8:31:59 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

Log: 'System' Date/Time: 21/10/2010 8:31:58 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

Log: 'System' Date/Time: 21/10/2010 8:25:17 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The MSSQL$MICROSOFTSMLBIZ service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 21/10/2010 8:25:17 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 21/10/2010 8:25:16 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
 
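Added example, not from the thread or from VEW: the dump above is easier to reason about once the entries are grouped by source and event ID. This Python parses VEW's `Log:` / `Type:` / `Event:` / message layout (dd/mm/yyyy dates, as the report's own note says), counts each (source, event ID) pair, and flags the ones that bear on the reported symptom: crypt32 events 5 and 8 failing to fetch from download.windowsupdate.com, Windows Update Agent event 16, the svchost.exe crash in ntdll.dll (Application Error 1000), and the Service Control Manager 7006 "Access is denied" on FailureActions. The indicator table is my reading of the log, and SAMPLE is a constructed subset of the posted entries.

```python
"""Group and flag the errors in a VEW (Vino's Event Viewer) dump.
Added example: parser and indicator table are mine, not VEW's; SAMPLE is a
constructed subset of the entries posted in the thread."""
import re
from collections import Counter
from datetime import datetime

ENTRY_RE = re.compile(
    r"Log: '(?P<log>\w+)' Date/Time: (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s*\n"
    r"Type: (?P<type>\w+) Category: (?P<cat>\d+)\s*\n"
    r"Event: (?P<id>\d+) Source: (?P<source>.+?)\s*\n"
    r"(?P<msg>.+?)(?=\n\s*\n|\Z)",
    re.S,
)

# (source, event id) -> why it matters for "cannot reach Windows Update" (my reading).
INDICATORS = {
    ("crypt32", 8): "root-list fetch from download.windowsupdate.com failing",
    ("crypt32", 5): "root-certificate fetch from download.windowsupdate.com failing",
    ("Windows Update Agent", 16): "Automatic Updates cannot reach its service",
    ("Application Error", 1000): "process crash; see faulting application",
    ("Service Control Manager", 7006): "SCM denied writing a service's FailureActions",
    ("sr", 1): "System Restore filter stopped monitoring the volume",
}


def parse_vew(text: str) -> list:
    """Turn each Log:/Type:/Event:/message block into a dict (dates are dd/mm/yyyy)."""
    return [{
        "log": m["log"],
        "when": datetime.strptime(m["when"], "%d/%m/%Y %I:%M:%S %p"),
        "type": m["type"],
        "id": int(m["id"]),
        "source": m["source"],
        "msg": m["msg"].strip(),
    } for m in ENTRY_RE.finditer(text)]


def triage(entries: list) -> dict:
    """Count (source, id) pairs, flag known indicators, pull crash and URL details."""
    counts = Counter((e["source"], e["id"]) for e in entries)
    flagged = [{"source": s, "id": i, "count": n, "why": INDICATORS[(s, i)]}
               for (s, i), n in counts.most_common() if (s, i) in INDICATORS]
    wu_failures = sum("windowsupdate.com" in e["msg"] for e in entries)
    crashes = set()
    for e in entries:
        m = re.search(r"Faulting application (\S+),", e["msg"])
        if m:
            crashes.add(m.group(1))
    whens = [e["when"] for e in entries]
    return {
        "total": len(entries),
        "first": min(whens),
        "last": max(whens),
        "flagged": flagged,
        "windowsupdate_failures": wu_failures,
        "crashed_processes": sorted(crashes),
        "update_blocked": wu_failures > 0
        or any(f["source"] == "Windows Update Agent" for f in flagged),
    }


# Constructed subset of the dump posted above, kept in VEW's own layout.
SAMPLE = """Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 30/10/2010 6:20:38 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Log: 'Application' Date/Time: 28/10/2010 12:07:55 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00021260.

Log: 'Application' Date/Time: 27/10/2010 9:13:06 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'System' Date/Time: 30/10/2010 6:06:16 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 21/10/2010 8:31:59 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
"""

if __name__ == "__main__":
    for k, v in triage(parse_vew(SAMPLE)).items():
        print(k, "=", v)
```

Paste a full VEW report in place of SAMPLE and `triage(parse_vew(text))` returns the counts and the time span; `update_blocked` is true whenever any message names windowsupdate.com or the Windows Update Agent is among the flagged sources. PerfNet 2004 is left out of the table on purpose: it only says the performance counters could not open the Server service and does not bear on the update failure.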
Sorry about pasting parts of the VEW log before pasting the complete log. My computer was timing out when I tried to post the entire log, so I had to use a friend's computer to post it.
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
Bobbye,
I may have been messing something up. When you tell me to run the remover.exe, I have been clicking on the bootkit_remover application. It opens up a little black box really fast, then ends. It always lists drive C as controlled by a rootkit. It says that to disinfect the master boot sector, use the following command: remover.exe fix <device name>

Is that something I should be doing? If so, where do I go to type that in? I am sorry if I should have been doing that all along and wasting your time. I really do appreciate your help and time.
 
There are 3 parts to the Bootkit Remover:

1. The scan which give the information about the MBR
2. Creating a batch file, saving, naming.
This is what is saved as fix.bat
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

The command begins with @ECHO and ends with EXIT and is named fix.bat. The device is PhysicalDrive0.

3. The 'remover' part is when you double click on the fix.bat file to run it.

So here is the last part:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0    
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output. It is possible that when you run it again, it may not be fixed and may require other action. Just be sure the code in fix.bat is correct.

Do NOT reboot computer!
 
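Added example (my code, not the thread's and not the eSage tool's): Bootkit Remover's "Controlled by rootkit!" line means the boot code in sector 0 is being hidden, and the tool offers `remover.exe dump <device_name> [output_file]` so the sector can be inspected by hand. The Python below reads a 512-byte MBR image, reports the active partition's byte offset (the log's `0x02f10c00` is LBA 96390 times 512), and compares two images the way you would compare a dump taken inside the running OS against one taken from a boot CD or with the disk attached to a clean machine: an MBR bootkit swaps the 446 bytes of boot code and leaves the partition table untouched, so "same table, different boot code" is the pattern to look for. Both images are constructed here; the partition layout is modelled on the log and the boot-code bytes are placeholders, not real Mebroot/Sinowal code.

```python
"""Parse and compare MBR images (added example; not Bootkit Remover's code).

Offline, the useful check is to compare two reads of sector 0: one taken
through the running OS and one taken from outside it. An MBR bootkit replaces
the 446 bytes of boot code but leaves the partition table alone, so an intact
table with different boot code is the signature. Both images are CONSTRUCTED.
"""
import hashlib
import struct

MBR_SIZE = 512
SECTOR = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511
ENTRY_FMT = "<B3xB3xII"          # status, CHS(3), type, CHS(3), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, signature check and the in-use partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,   # what Bootkit Remover prints as "at offset"
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def system_volume_offset(mbr: bytes) -> int:
    """Byte offset of the active partition (the system volume)."""
    for p in parse_mbr(mbr)["partitions"]:
        if p["bootable"]:
            return p["byte_offset"]
    raise LookupError("no active partition in table")


def compare_views(os_view: bytes, raw_view: bytes) -> dict:
    """Compare the MBR as seen through the OS with a raw/offline read of sector 0."""
    a, b = parse_mbr(os_view), parse_mbr(raw_view)
    table_same = os_view[PART_TABLE_OFFSET:510] == raw_view[PART_TABLE_OFFSET:510]
    code_same = a["boot_code_sha256"] == b["boot_code_sha256"]
    return {
        "partition_table_same": table_same,
        "boot_code_same": code_same,
        # Intact table + swapped boot code is the classic MBR-bootkit pattern.
        "suspect_hidden_boot_code": table_same and not code_same,
    }


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte image from boot code and (status, type, lba, count) tuples."""
    img = bytearray(boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET])
    for status, ptype, lba, count in entries:
        img += struct.pack(ENTRY_FMT, status, ptype, lba, count)
    img += b"\x00" * (PART_ENTRY_SIZE * (4 - len(entries)))
    return bytes(img + BOOT_SIGNATURE)


# Constructed layout modelled on the log: a Dell utility partition (type 0xDE)
# followed by the bootable NTFS system volume (type 0x07) starting at LBA 96390,
# i.e. byte offset 0x02f10c00 as in the Bootkit Remover output.
LAYOUT = [(0x00, 0xDE, 63, 96327), (0x80, 0x07, 96390, 214_000_000)]
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64      # placeholder bytes
TAMPERED_CODE = b"\xeb\x3c\x90" + b"\xcc" * 64                    # placeholder bytes
OS_VIEW = build_mbr(CLEAN_CODE, LAYOUT)        # what a hooked disk stack shows
RAW_VIEW = build_mbr(TAMPERED_CODE, LAYOUT)    # what is really on the platter

if __name__ == "__main__":
    print("system volume at offset 0x%08x" % system_volume_offset(OS_VIEW))
    print(compare_views(OS_VIEW, RAW_VIEW))
```

To use it on a real dump, read the 512 bytes from the file `remover.exe dump` wrote and pass that as one of the two views. A matching boot-code hash across both reads does not prove a clean disk (the second read has to come from outside the suspect OS to mean anything), but a mismatch with an identical partition table is exactly the hidden-boot-code condition the tool reports.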