
Computer shutting down during virus scan


aryama


Hi DarkKnight

I was able to create Kaspersky Rescue Disk on a USB drive, but the problem is, in spite of my changing the boot priority and putting all other things as required, my PC just doesn't boot from the USB drive!! I have a Gigabyte motherboard and I think it creates quite a nuisance. Do you have any idea how to go about this? Also, I don't want to make a bootable CD.


Hello aryama,

Is there a reason why you don't want to make a bootable CD? Because it will work better than the USB.

I think you should make a topic in the hardware section of this forum, as I don't think your issues are malware related.


Hi

Actually, I am not very confident about making a bootable CD (never did one), but now I am trying again :) . The previous issue which I reported to you, of the PC getting shut down abruptly (even in BIOS), has been solved. I took out my 1GB RAM; also my AMD processor was getting heated up. Now the PC is running fine, only shutting down whenever I am trying to scan either with Kaspersky/Malwarebytes/ComboFix, even in safe mode. So I am not ruling out a malware issue now. Let me scan as you had directed.


Hi DarkKnight

I was able to run mbar.exe and ComboFix normally from my PC (not safe mode). I am following the first step which you had asked me to do. Please find the logs below.

ComboFix Log

ComboFix 13-02-15.01 - abc 02/17/2013 18:49:48.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1432 [GMT 5.5:30]

Running from: c:\documents and settings\abc\Desktop\ComboFix.exe

AV: Kaspersky PURE *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky PURE *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe

D:\Setup.exe

E:\Setup.exe

.

.

((((((((((((((((((((((((( Files Created from 2013-01-17 to 2013-02-17 )))))))))))))))))))))))))))))))

.

.

2013-02-15 19:36 . 2013-02-15 19:36 -------- d-----w- C:\found.000

2013-02-14 20:37 . 2013-02-14 20:37 -------- d-----w- c:\documents and settings\abc\Application Data\Media Player Classic

2013-02-14 03:53 . 2013-02-14 03:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CyberLink

2013-02-13 19:22 . 2013-02-13 19:22 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-02-12 16:11 . 2007-05-22 05:32 163840 ----a-w- c:\windows\system32\unrar.dll

2013-02-12 16:11 . 2007-06-28 13:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll

2013-02-12 16:11 . 2007-06-28 13:22 765952 ----a-w- c:\windows\system32\xvidcore.dll

2013-02-12 16:11 . 2007-06-07 15:41 380928 ----a-w- c:\windows\system32\ac3filter.acm

2013-02-12 16:11 . 2004-01-25 12:48 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2013-02-12 16:11 . 2007-07-10 13:25 7680 ----a-w- c:\windows\system32\ff_vfw.dll

2013-02-12 16:11 . 2007-05-31 03:14 740442 ----a-w- c:\windows\system32\divx.dll

2013-02-12 16:11 . 2007-04-22 20:45 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2013-02-12 16:11 . 2007-04-22 20:32 73728 ----a-w- c:\windows\system32\dpl100.dll

2013-02-12 16:11 . 2013-02-12 16:11 -------- d-----w- c:\program files\K-Lite Codec Pack

2013-02-12 16:11 . 2004-01-11 18:30 348160 ----a-w- c:\windows\system32\msvcr71.dll

2013-02-11 16:50 . 2013-02-11 18:10 98168 ----a-w- c:\windows\system32\drivers\klick.dat

2013-02-11 16:50 . 2013-02-11 18:10 116189 ----a-w- c:\windows\system32\drivers\klin.dat

2013-02-11 16:47 . 2013-02-11 16:47 -------- d-----w- c:\program files\Common Files\InfoWatch

2013-02-11 16:47 . 2013-02-11 16:47 -------- d-----w- c:\program files\Kaspersky Lab

2013-02-11 16:42 . 2013-02-11 16:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files

2013-02-10 19:04 . 2013-02-10 19:04 -------- d-----w- c:\program files\CPUID

2013-02-10 08:02 . 2013-02-10 08:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Sony Corporation

2013-02-05 10:25 . 2013-02-05 10:25 -------- d-----w- C:\_OTL

2013-01-21 19:23 . 2013-01-21 19:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-21 19:23 . 2012-12-15 00:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-21 18:09 . 2013-01-21 18:09 -------- d-----w- c:\documents and settings\Administrator

2013-01-20 11:41 . 2013-01-20 11:41 -------- d-----w- c:\documents and settings\abc\Application Data\Malwarebytes

2013-01-20 11:41 . 2013-01-20 11:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2013-01-20 08:57 . 2013-01-23 20:55 -------- d-----w- C:\TDSSKiller_Quarantine

2013-01-19 12:22 . 2013-01-19 12:22 -------- d-s---w- c:\documents and settings\abc\UserData

2013-01-19 10:15 . 2004-08-04 07:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2013-01-18 21:08 . 2013-01-18 21:08 -------- d-----w- c:\windows\system32\NtmsData

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-13 17:12 . 2013-01-13 09:32 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-02-13 17:12 . 2013-01-13 09:32 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-11 16:54 . 2013-01-12 22:36 16608 ----a-w- c:\windows\gdrv.sys

2013-02-07 00:11 . 2013-02-07 00:11 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]

@="{dd230880-495a-11d1-b064-008048ec2fc5}"

[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]

2010-10-01 16:35 129624 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE\shellex.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 18063872]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE\avp.exe" [2010-10-01 348760]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Z1"="c:\documents and settings\abc\Desktop\mbar\mbar.exe" [2013-01-18 1358408]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2946:TCP"= 2946:TCP:mauomnix

.

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [1/13/2013 3:59 AM 88632]

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]

R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [1/13/2013 3:59 AM 39352]

R2 CSObjectsSrv;CryptoStorage control service;c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [12/21/2009 5:34 PM 743992]

R3 cpuz136;cpuz136;\??\c:\docume~1\abc\LOCALS~1\Temp\cpuz136\cpuz136_x32.sys --> c:\docume~1\abc\LOCALS~1\Temp\cpuz136\cpuz136_x32.sys [?]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2/14/2013 12:52 AM 35144]

S2 liluavs;Security Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - CPUZ136

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

liluavs

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-17 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-13 17:12]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm

FF - ProfilePath - c:\documents and settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\

FF - ExtSQL: 2013-01-12 19:02; linkfilter@kaspersky.ru; c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-43341447.sys

SafeBoot-mbamchameleon

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-02-17 18:53

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

Completion time: 2013-02-17 18:56:10

ComboFix-quarantined-files.txt 2013-02-17 13:26

.

Pre-Run: 46,682,120,192 bytes free

Post-Run: 46,627,180,544 bytes free

.

- - End Of File - - 006BD0229EC00C92E4B823FDD8EE581C

mbar log

-----------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

www.malwarebytes.org

Database version: v2013.02.05.08

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 6.0.2900.2180

abc :: ABC-3B1295B6860 [administrator]

2/17/2013 5:54:01 PM

mbar-log-2013-02-17 (17-54-01).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 25519

Time elapsed: 13 minute(s), 4 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 3153571840, free: 2420654080

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 3153571840, free: 2468171776

------------ Kernel report ------------

02/03/2013 22:42:36

------------ Loaded modules -----------

\WINDOWS\system32\ntkrnlpa.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

CSCrySec.sys

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

VolSnap.sys

atapi.sys

nvata.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltMgr.sys

sr.sys

PxHelp20.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

Mup.sys

klbg.sys

\SystemRoot\system32\DRIVERS\AmdPPM.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\klmouflt.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\nvnetbus.sys

\SystemRoot\system32\DRIVERS\NVNRM.SYS

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\nv4_mini.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\klim5.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\NVENETFD.sys

\SystemRoot\system32\drivers\RtkHDAud.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\DRIVERS\klif.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\??\C:\WINDOWS\system32\drivers\kl1.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\ipnat.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\SystemRoot\system32\DRIVERS\CSVirtualDiskDrv.sys

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\nv4_disp.dll

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\System32\Drivers\ParVdm.SYS

\SystemRoot\system32\DRIVERS\srv.sys

\SystemRoot\System32\Drivers\HTTP.sys

\SystemRoot\system32\drivers\kmixer.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff8a385ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000005f\

Lower Device Object: 0xffffffff8a408030

Lower Device Driver Name: \Driver\nvata\

Driver name found: nvata

Initialization returned 0x0

Load Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff8a408ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T1L0-3\

Lower Device Object: 0xffffffff8a377940

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

Initialization returned 0x0

Load Function returned 0x0

Downloaded database version: v2013.02.03.06

Downloaded database version: v2013.01.23.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff8a408ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8a35ce08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8a408ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8a40a9e8, DeviceName: \Device\0000005d\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8a377940, DeviceName: \Device\Ide\IdeDeviceP0T1L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe38dce88, 0xffffffff8a408ab8, 0xffffffff88b73890

Lower DeviceData: 0xffffffffe143e3c0, 0xffffffff8a377940, 0xffffffff88a4ca70

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: F2DFF2DF

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 102398247

Partition file system is NTFS

Partition is bootable

Partition 1 type is Extended with LBA (0xf)

Partition is NOT ACTIVE.

Partition starts at LBA: 102398310 Numsec = 210162330

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 160040803840 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312559695-312579695)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff8a385ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8a35cbf0, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8a385ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8a384f18, DeviceName: \Device\00000061\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8a408030, DeviceName: \Device\0000005f\, DriverName: \Driver\nvata\

------------ End ----------

Upper DeviceData: 0xffffffffe2cd8508, 0xffffffff8a385ab8, 0xffffffff8839eab8

Lower DeviceData: 0xffffffffe379f1b0, 0xffffffff8a408030, 0xffffffff8842b040

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: DBC0DBB

Partition information:

Partition 0 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 102398247

Partition 1 type is Extended with LBA (0xf)

Partition is NOT ACTIVE.

Partition starts at LBA: 102398310 Numsec = 53882010

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 80026361856 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 3153571840, free: 2869940224

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 3153571840, free: 2527477760

------------ Kernel report ------------

02/05/2013 23:26:54

------------ Loaded modules -----------

\WINDOWS\system32\ntkrnlpa.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

CSCrySec.sys

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

VolSnap.sys

atapi.sys

nvata.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltMgr.sys

sr.sys

PxHelp20.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

Mup.sys

klbg.sys

\SystemRoot\system32\DRIVERS\AmdPPM.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\klmouflt.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\nvnetbus.sys

\SystemRoot\system32\DRIVERS\NVNRM.SYS

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\nv4_mini.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\klim5.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\NVENETFD.sys

\SystemRoot\system32\drivers\RtkHDAud.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\DRIVERS\klif.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\??\C:\WINDOWS\system32\drivers\kl1.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\ipnat.sys

\SystemRoot\System32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\SystemRoot\system32\DRIVERS\CSVirtualDiskDrv.sys

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\nv4_disp.dll

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\System32\Drivers\ParVdm.SYS

\SystemRoot\system32\DRIVERS\srv.sys

\SystemRoot\System32\Drivers\HTTP.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff8a39cab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000060\

Lower Device Object: 0xffffffff8a3a2030

Lower Device Driver Name: \Driver\nvata\

Driver name found: nvata

Initialization returned 0x0

Load Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff8a3a3ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T1L0-3\

Lower Device Object: 0xffffffff8a39dd98

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

Initialization returned 0x0

Load Function returned 0x0

Downloaded database version: v2013.02.05.08

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff8a3a3ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8a3a2e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8a3a3ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8a3fa258, DeviceName: \Device\0000005e\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8a39dd98, DeviceName: \Device\Ide\IdeDeviceP0T1L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe34228f8, 0xffffffff8a3a3ab8, 0xffffffff889cb388

Lower DeviceData: 0xffffffffe30d28f0, 0xffffffff8a39dd98, 0xffffffff8a068800

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: F2DFF2DF

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 102398247

Partition file system is NTFS

Partition is bootable

Partition 1 type is Extended with LBA (0xf)

Partition is NOT ACTIVE.

Partition starts at LBA: 102398310 Numsec = 210162330

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 160040803840 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312559695-312579695)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff8a39cab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8a3a2bf0, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8a39cab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8a451b98, DeviceName: \Device\00000062\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8a3a2030, DeviceName: \Device\00000060\, DriverName: \Driver\nvata\

------------ End ----------

Upper DeviceData: 0xffffffffe2e7b600, 0xffffffff8a39cab8, 0xffffffff889f1ab8

Lower DeviceData: 0xffffffffe2d65310, 0xffffffff8a3a2030, 0xffffffff8a1546e8

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: DBC0DBB

Partition information:

Partition 0 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 102398247

Partition 1 type is Extended with LBA (0xf)

Partition is NOT ACTIVE.

Partition starts at LBA: 102398310 Numsec = 53882010

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 80026361856 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 3153571840, free: 2871087104

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 2079830016, free: 1858027520

------------ Kernel report ------------

02/14/2013 00:52:51

------------ Loaded modules -----------

\WINDOWS\system32\ntoskrnl.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

CSCrySec.sys

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

VolSnap.sys

atapi.sys

nvata.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltMgr.sys

sr.sys

PxHelp20.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

Mup.sys

klbg.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\Fastfat.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\framebuf.dll

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR8

Upper Device Object: 0xffffffff89a2e030

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000067\

Lower Device Object: 0xffffffff89adec50

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

Initialization returned 0x0

Load Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff89b0c8a0

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000060\

Lower Device Object: 0xffffffff89a7f030

Lower Device Driver Name: \Driver\nvata\

Driver name found: nvata

Initialization returned 0x0

Load Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff89b0c030

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T1L0-3\

Lower Device Object: 0xffffffff89b5dd98

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

Initialization returned 0x0

Load Function returned 0x0

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff89b0c030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff89b0ce08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff89b0c030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff89b5f338, DeviceName: \Device\0000005e\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff89b5dd98, DeviceName: \Device\Ide\IdeDeviceP0T1L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe1913608, 0xffffffff89b0c030, 0xffffffff898e98d8

Lower DeviceData: 0xffffffffe1911848, 0xffffffff89b5dd98, 0xffffffff898ed450

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 2079830016, free: 1502441472

------------ Kernel report ------------

02/17/2013 17:39:56

------------ Loaded modules -----------

\WINDOWS\system32\ntkrnlpa.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

CSCrySec.sys

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

VolSnap.sys

atapi.sys

nvata.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltMgr.sys

sr.sys

PxHelp20.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

Mup.sys

klbg.sys

\SystemRoot\system32\DRIVERS\AmdPPM.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\klmouflt.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\nvnetbus.sys

\SystemRoot\system32\DRIVERS\NVNRM.SYS

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\nv4_mini.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\klim5.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\NVENETFD.sys

\SystemRoot\system32\drivers\RtkHDAud.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\DRIVERS\klif.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\??\C:\WINDOWS\system32\drivers\kl1.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\ipnat.sys

\SystemRoot\System32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\SystemRoot\system32\DRIVERS\CSVirtualDiskDrv.sys

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\nv4_disp.dll

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\System32\Drivers\ParVdm.SYS

\SystemRoot\system32\DRIVERS\srv.sys

\SystemRoot\System32\Drivers\HTTP.sys

\??\C:\DOCUME~1\abc\LOCALS~1\Temp\cpuz136\cpuz136_x32.sys

\SystemRoot\system32\drivers\kmixer.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff89c86ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000060\

Lower Device Object: 0xffffffff89c84030

Lower Device Driver Name: \Driver\nvata\

Driver name found: nvata

Initialization returned 0x0

Load Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff89c85ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T1L0-3\

Lower Device Object: 0xffffffff89c94d98

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

Initialization returned 0x0

Load Function returned 0x0

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff89c85ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff89c84e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff89c85ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff89c949e8, DeviceName: \Device\0000005e\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff89c94d98, DeviceName: \Device\Ide\IdeDeviceP0T1L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe2f64958, 0xffffffff89c85ab8, 0xffffffff87d93408

Lower DeviceData: 0xffffffffe18ae7e8, 0xffffffff89c94d98, 0xffffffff89ba1988

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: F2DFF2DF

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 102398247

Partition file system is NTFS

Partition is bootable

Partition 1 type is Extended with LBA (0xf)

Partition is NOT ACTIVE.

Partition starts at LBA: 102398310 Numsec = 210162330

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 160040803840 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312559695-312579695)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff89c86ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff89c84bf0, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff89c86ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff89c61f18, DeviceName: \Device\00000062\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff89c84030, DeviceName: \Device\00000060\, DriverName: \Driver\nvata\

------------ End ----------

Upper DeviceData: 0xffffffffe30d5478, 0xffffffff89c86ab8, 0xffffffff87d96040

Lower DeviceData: 0xffffffffe10b66d8, 0xffffffff89c84030, 0xffffffff87c9e378

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: DBC0DBB

Partition information:

Partition 0 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 102398247

Partition 1 type is Extended with LBA (0xf)

Partition is NOT ACTIVE.

Partition starts at LBA: 102398310 Numsec = 53882010

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 80026361856 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 3153571840, free: 2872922112

=======================================

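The "Loaded modules" sections of the MBAR systemlog above list every kernel image in four notations: an NT path with the drive implied (\WINDOWS\system32\ntkrnlpa.exe), a bare file name (pci.sys), a \SystemRoot\ relative path, and an explicit \??\C:\ path for drivers that were loaded dynamically (kl1.sys, mbamchameleon.sys, mbamswissarmy.sys, cpuz136_x32.sys). Reading such a list by hand is error-prone, so here is an added example, written for this page and not part of the post or of Malwarebytes' tooling, that normalizes the four notations onto one drive-letter form and flags anything loaded from outside the Windows directory, from a user profile, or from a Temp folder. The sample entries are copied from the log except the D:\tools\example_unknown.sys line, which is constructed to exercise the "outside Windows" branch. Run over the real report, the only entry it flags is cpuz136_x32.sys, loaded from the user's Temp directory; that name matches the driver the CPU-Z hardware monitor drops at run time, which fits the poster's CPU-temperature checks and is not by itself a sign of infection, but it is exactly the kind of entry a triager should account for rather than skim past.

```python
import re
from typing import Dict, List

# Default location of boot/system drivers on the Windows XP system in the log.
WINDIR = "C:\\WINDOWS"
DRIVER_DIR = WINDIR + "\\system32\\DRIVERS\\"

# Constructed sample in the four notations the kernel report uses. All lines but the
# last are copied from the log; the D:\tools entry is invented to exercise one branch.
SAMPLE_MODULES: List[str] = [
    "\\WINDOWS\\system32\\ntkrnlpa.exe",
    "pci.sys",
    "\\SystemRoot\\system32\\DRIVERS\\klif.sys",
    "\\??\\C:\\WINDOWS\\system32\\drivers\\mbamswissarmy.sys",
    "\\??\\C:\\DOCUME~1\\abc\\LOCALS~1\\Temp\\cpuz136\\cpuz136_x32.sys",
    "\\??\\D:\\tools\\example_unknown.sys",   # constructed, not from the log
]

TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
PROFILE_RE = re.compile(r"^[A-Z]:\\(Documents and Settings|DOCUME~1|Users)\\", re.IGNORECASE)


def normalize(entry: str) -> str:
    """Map every notation the kernel report uses onto a single drive-letter path."""
    p = entry.strip()
    if p.startswith("\\??\\"):                     # \??\C:\... : Win32 path as registered
        return p[4:]
    if p.lower().startswith("\\systemroot\\"):      # \SystemRoot\... : relative to the Windows dir
        return WINDIR + p[len("\\SystemRoot"):]
    if p.startswith("\\"):                         # \WINDOWS\... : system volume, drive implied
        return "C:" + p
    if "\\" not in p:                              # bare name: loaded from the default driver dir
        return DRIVER_DIR + p
    return p


def triage(entries: List[str]) -> Dict[str, str]:
    """Classify each loaded module by where its image was loaded from.

    Kernel code normally lives under %SystemRoot%. An image under a user profile or a
    Temp directory is not proof of malware (hardware-monitoring tools do this), but it is
    the first thing to account for when reading a loaded-module list."""
    verdicts: Dict[str, str] = {}
    for entry in entries:
        path = normalize(entry)
        if TEMP_RE.search(path):
            verdict = "review: loaded from a Temp directory"
        elif PROFILE_RE.match(path):
            verdict = "review: loaded from a user profile"
        elif not path.lower().startswith(WINDIR.lower() + "\\"):
            verdict = "review: outside the Windows directory"
        elif entry.strip().startswith("\\??\\"):
            verdict = "note: dynamically loaded with an explicit path"
        else:
            verdict = "expected"
        verdicts[path] = verdict
    return verdicts


def needs_review(entries: List[str]) -> List[str]:
    """Only the paths whose verdict starts with 'review', sorted for stable output."""
    return sorted(p for p, v in triage(entries).items() if v.startswith("review"))


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_MODULES).items():
        print(f"{verdict:45s} {path}")
```

To use it on a real MBAR systemlog, paste the lines between "Loaded modules" and "End" into SAMPLE_MODULES (or read them from the file); the verdicts are a starting point for what to look up, not a clean/infected decision.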

Hi

I have provided the systemlog.txt from MBAR above. Also ran Kaspersky Rescue Disk from CD, here is the log.

Please note: I was unable to update the databases, since I couldn't find how to connect to my internet from there.

Objects Scan: completed 1 hour ago (events: 2, objects: 149671, time: 00:24:52)

2/18/13 11:27 PM Task completed

2/18/13 11:02 PM Task started

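The "Scanning MBR on drive 0" and "drive 1" sections of the MBAR systemlog referred to above report, for each disk, the 55AA boot signature, the NT disk signature, and for each of the four partition entries its type, active flag, starting LBA and sector count, followed by a sector-by-sector scan of the unpartitioned space. As an added example (written for this page; not from the post and not Malwarebytes' code), the Python below rebuilds both partition tables in a 512-byte sector from the values in the log, parses them back with the standard MBR layout (disk signature at 0x1B8, four 16-byte entries at 0x1BE, signature bytes at 0x1FE), runs the consistency checks a triager would apply to a suspect MBR, and computes the unpartitioned ranges: sectors 1-62 before the first partition and the tail after the last one, which is the space the log shows MBAR scanning. What MBAR itself checks is not documented on the page; the checks here (valid status bytes, at most one active partition, entries inside the disk, no overlaps) are this example's own.

```python
import itertools
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
DISK_SIG_OFF = 0x1B8     # 4-byte NT disk signature, little-endian
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # bytes 55 AA

# Values copied from the "Scanning MBR on drive 0 / drive 1" sections of the log:
# (active, type, LBA start, sector count). Disk sizes are the reported byte counts.
DRIVE0_DISK_SIG = 0xF2DFF2DF
DRIVE0_PARTS = [(True, 0x07, 63, 102398247), (False, 0x0F, 102398310, 210162330)]
DRIVE0_SECTORS = 160040803840 // 512          # 312579695
DRIVE1_DISK_SIG = 0x0DBC0DBB
DRIVE1_PARTS = [(False, 0x07, 63, 102398247), (False, 0x0F, 102398310, 53882010)]
DRIVE1_SECTORS = 80026361856 // 512           # 156301488


@dataclass
class Partition:
    index: int
    status: int          # 0x80 = active/bootable, 0x00 = inactive; anything else is invalid
    ptype: int
    lba_start: int
    num_sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:   # exclusive
        return self.lba_start + self.num_sectors


def build_mbr(disk_sig: int, parts: List[Tuple[bool, int, int, int]]) -> bytes:
    """Construct a 512-byte MBR sector (bootstrap area left zeroed) for testing."""
    sector = bytearray(SECTOR)
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, start, count) in enumerate(parts):
        # status, CHS start (FE FF FF = "use the LBA fields"), type, CHS end, LBA start, count
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector: bytes):
    """Return (boot_signature, disk_signature, [Partition x4]) from a raw MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_sig = struct.unpack_from(">H", sector, BOOT_SIG_OFF)[0]   # bytes 55 AA -> 0x55AA, as the log prints it
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append(Partition(i, status, ptype, start, count))
    return boot_sig, disk_sig, parts


def check_partition_table(sector: bytes, disk_sectors: int, boot_disk: bool = True) -> List[str]:
    """Consistency checks for a suspect MBR; an empty list means nothing looked odd."""
    findings = []
    boot_sig, _, parts = parse_mbr(sector)
    if boot_sig != 0x55AA:
        findings.append(f"boot signature is {boot_sig:04X}, expected 55AA")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte {p.status:02X}")
        if p.ptype == 0x00 and (p.lba_start or p.num_sectors):
            findings.append(f"partition {p.index}: empty type but non-zero geometry")
    used = [p for p in parts if p.ptype != 0x00]
    active = [p for p in used if p.active]
    if len(active) > 1 or (boot_disk and not active):
        findings.append(f"{len(active)} active partitions on a {'boot' if boot_disk else 'data'} disk")
    for p in used:
        if p.num_sectors == 0 or p.lba_end > disk_sectors:
            findings.append(f"partition {p.index}: [{p.lba_start}, {p.lba_end}) is outside the disk")
    for a, b in itertools.combinations(used, 2):
        if a.lba_start < b.lba_end and b.lba_start < a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def unpartitioned_ranges(parts: List[Partition], disk_sectors: int) -> List[Tuple[int, int]]:
    """[start, end) sector ranges covered by no partition, skipping sector 0 (the MBR itself).
    No file system accounts for these sectors, which is why a rootkit scanner reads them raw."""
    used = sorted((p for p in parts if p.ptype != 0x00), key=lambda p: p.lba_start)
    gaps, cursor = [], 1
    for p in used:
        if p.lba_start > cursor:
            gaps.append((cursor, p.lba_start))
        cursor = max(cursor, p.lba_end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


if __name__ == "__main__":
    for name, sig, plist, total, boot in [("drive 0", DRIVE0_DISK_SIG, DRIVE0_PARTS, DRIVE0_SECTORS, True),
                                          ("drive 1", DRIVE1_DISK_SIG, DRIVE1_PARTS, DRIVE1_SECTORS, False)]:
        mbr = build_mbr(sig, plist)
        _, dsig, parts = parse_mbr(mbr)
        print(name, f"disk signature {dsig:08X}", "findings:", check_partition_table(mbr, total, boot) or "none")
        print("  unpartitioned:", unpartitioned_ranges(parts, total))
```

Drive 1 is passed with boot_disk=False because a second data disk with no active partition is normal; the same table on the boot disk would be reported. On a live system the sector would come from reading the first 512 bytes of \\.\PhysicalDrive0 as administrator instead of build_mbr().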

Hello aryama,

Well those scans came back clean.

Please download HitmanPro.

  • For 32-bit Operating System - download link.
  • This is the mirror - download link
  • For 64-bit Operating System - download link
  • This is the mirror - download link
  • Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select Run as administrator).
  • Click on the next button. You must agree with the terms of EULA.
  • Check the box beside "No, I only want to perform a one-time scan to check this computer".
  • Click on the next button.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
  • Click on the next button.
  • Click on the "Export scan results to XML file".
  • Save that file to your Desktop and zip and attach it in your next reply.


<Log computer="ABC-3B1295B6860" windows="5.1.2.2600.X86/2" scan="Normal" version="3.7.2.188" date="2013-02-19T23:28:34" timeSpentInSecs="90" filesProcessed="13815">
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:ad.yieldmanager.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:ads.creative-serving.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:ads.ibibo.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:ads.indiatimes.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:advertising.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:apmebf.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:at.atwola.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:atdmt.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:bs.serving-sys.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:doubleclick.net" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:fastclick.net" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:questionmarket.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\fspdqyga.default\cookies.sqlite:serving-sys.com" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Cookies\abc@atdmt[2].txt" /></Item>
  <Item type="Cookie" score="0.0" status="None"><File path="C:\Documents and Settings\abc\Cookies\abc@c.atdmt[2].txt" /></Item>
</Log>


Hello aryama,

That only found cookies. I think maybe it is hardware related.

Please make a topic here:

http://forums.malwarebytes.org/index.php?showforum=6

And provide a link to this topic. If you are happy to do that then I will give you some advice on how to stay safe and how to cleanup the tools used.


Hi DarkKnight

I have created a topic as you mentioned. Here is the link

http://forums.malwarebytes.org/index.php?showtopic=122898

Thanks a lot for your help. Please suggest how to stay safe and how to remove the software used.

Also, are you sure my system doesn't have any viruses/malware? I am asking this since I have stopped doing any financial transactions, fearing a virus, but now can I start it again?


Good afternoon aryama,

Also, are you sure my system doesn't have any viruses/malware? I am asking this since I have stopped doing any financial transactions, fearing a virus, but now can I start it again?

Your scans have not indicated malware is present.

A little housekeeping to uninstall ComboFix:

Please click Start > Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

To remove all of the tools we used and the files and folders they created do the following:

Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.

=====

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.