tyrus Posted December 24, 2010 ID:365206

My laptop has a problem. I noticed that when streaming music from the internet, every 60 seconds the music becomes garbled/distorted for about three seconds and then returns to normal, only to repeat again. The battery info is also not functioning. Through observation of processes in Task Manager I was able to determine that rundll32.exe was likely responsible. If I end the process in Task Manager the problems go away. If I reboot it is reloaded and the problem reappears. There are no other problems with the computer that I know of. I am running Avast and have done a normal scan and a boot-time scan but nothing is picked up. I have also run Malwarebytes and Doufix with both not finding anything. I have followed the directions for scans etc. The only trouble I had is when I run Defogger it does not prompt me to reboot after it completes. I manually rebooted before proceeding to the next steps. Here are my logs. Any help would be greatly appreciated.
Thanks in advance!

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5389

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

24/12/2010 11:00:03 AM
mbam-log-2010-12-24 (11-00-03).txt

Scan type: Full scan (C:\|Q:\|)
Objects scanned: 242098
Time elapsed: 35 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86
Run by Audet at 9:36:29.50 on 24/12/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1227 [GMT -7:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Lenovo\Access Connections\AcSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\sppsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Audet\Downloads\dds.com
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.msn.com
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\audet\appdata\roaming\mozilla\firefox\profiles\mr8mjq6m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\audet\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-29 165584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2009-7-16 13480]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-29 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-3-29 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-14 40384]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-10-5 45424]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2009-10-5 62320]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-2-22 125568]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-14 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-14 40384]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-9 122880]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-6-7 119256]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-2-22 167936]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-11 136176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2009-8-4 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2009-8-4 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2009-8-4 166384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-2-22 75112]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2009-8-4 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-8-4 1124848]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-7 1343400]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]

=============== Created Last 30 ================

2010-12-22 03:39:26 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ddd7b65f-da3a-4279-9550-1306b5f832bb}\mpengine.dll
2010-12-09 04:34:58 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-09 04:18:14 -------- d-----w- C:\ComboFix
2010-11-28 22:22:54 -------- d-----w- c:\program files\EndItAll
2010-11-28 21:45:23 388096 ------r- c:\users\audet\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-28 21:45:23 -------- d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2010-11-13 01:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-08 08:20:24 89088 ------w- c:\windows\MBR.exe
2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-10-19 17:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll

============= FINISH: 9:37:08.01 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-24 10:21:44
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0
Running: 6xj5rxd1.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 91041CD8
INT 0x71 ? 91012058
INT 0x82 ? 91012A58
INT 0x90 ? 91012CD8
INT 0xA2 ? 91012558
INT 0xB0 ? 91041A58

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8EB21BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8EB219D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8EB21B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E80599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EA4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82FDE291 7 Bytes JMP 8EB21B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83045FBF 5 Bytes JMP 8EB1D5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 8305FCF3 5 Bytes JMP 8EB1F012 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 8306DD63 7 Bytes JMP 8EB219D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 83117EAC 7 Bytes JMP 8EB21BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 BA449000 85 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4FE6 BA449056 61 Bytes [bA, 5E, C3, 8B, FF, 55, 8B, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5024 BA449094 142 Bytes [bA, FF, 25, 80, F1, 43, BA, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 BA449123 629 Bytes [45, 44, BA, FE, 05, 34, 45, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 BA449399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 76533162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Mozilla Firefox\firefox.exe[5452] ntdll.dll!LdrLoadDll 7780F625 5 Bytes JMP 002113F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad3f68b
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad3f68b (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----
Maniac Posted December 24, 2010 ID:365225

Hello tyrus! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

- The process of cleaning your system may take some time, so please be patient.
- Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
- Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
- Instructions that I give are for your system only!
- If you don't know or can't understand something, please ask.
- Do not install or uninstall any software or hardware while we work on it.
- Keep me informed about any changes.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.

**Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

- If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab. Set to Always ask me where to Save the files.
- During the download, rename Combofix to Combo-Fix as follows:
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

- Double click on combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
tyrus Posted December 24, 2010 Author ID:365259

Thanks for the quick reply. OK, I had two problems with your directions. 1) I was not able to rename ComboFix before downloading; I don't get the option using Firefox. I renamed it after downloading, but I know you'd rather it be done before. 2) I went through Avast and stopped all types of protection. When ComboFix runs it says Avast is still running. Tried the program EndItAll but same result. Here is the log. Thanks!

ComboFix 10-12-24.01 - Audet 24/12/2010 12:44:27.4.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1196 [GMT -7:00]
Running from: c:\users\Audet\Downloads\Combo-Fix.exe
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.
2010-12-24 19:49 . 2010-12-24 19:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-12-24 19:49 . 2010-12-24 19:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-22 03:39 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DDD7B65F-DA3A-4279-9550-1306B5F832BB}\mpengine.dll
2010-12-09 04:18 . 2010-12-24 19:33 -------- d-----w- C:\ComboFix
2010-11-28 22:22 . 2010-11-29 00:22 -------- d-----w- c:\program files\EndItAll
2010-11-28 21:45 . 2010-11-28 21:45 388096 ------r- c:\users\Audet\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-28 21:45 . 2010-11-28 21:45 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2010-11-21 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-11-21 15:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 01:53 . 2010-06-12 18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 17:41 . 2010-03-29 21:48 222080 ------w- c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-12-10 865640]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-12-10 75112]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1343400]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

2010-12-22 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Audet\AppData\Roaming\Mozilla\Firefox\Profiles\mr8mjq6m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-24 12:51:23
ComboFix-quarantined-files.txt 2010-12-24 19:51
ComboFix2.txt 2010-12-09 04:35
ComboFix3.txt 2010-12-09 03:59
ComboFix4.txt 2010-11-24 13:34

Pre-Run: 91,938,242,560 bytes free
Post-Run: 91,894,059,008 bytes free

- - End Of File - - 1E079A3884744E757E68CE6927F0B634
Maniac, posted December 24, 2010 (ID:365290):

Download MBRCheck to your desktop.
For Windows XP: double click on MBRCheck.exe to run it.
For Windows Vista/7: right click on MBRCheck.exe and select Run as Administrator.
It will show a black screen with some data on it. Don't run any of the options!!!
When it's done, press Enter to close the program.
A file called MBRCheck_ will appear on your desktop. Please copy it into your next reply.
tyrus (thread author), posted December 24, 2010 (ID:365362):

Here is what it shows:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: LENOVO
BIOS Manufacturer: LENOVO
System Manufacturer: LENOVO
System Product Name: 2842F7U
Logical Drives Mask: 0x0001000c

Kernel Drivers (total 202):
0x82E48000 \SystemRoot\system32\ntkrnlpa.exe
0x82E11000 \SystemRoot\system32\halmacpi.dll
0x80BCE000 \SystemRoot\system32\kdcom.dll
0x88608000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x88680000 \SystemRoot\system32\PSHED.dll
0x88691000 \SystemRoot\system32\BOOTVID.dll
0x88699000 \SystemRoot\system32\CLFS.SYS
0x886DB000 \SystemRoot\system32\CI.dll
0x88786000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8883A000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x88848000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x88890000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x88899000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x888A1000 \SystemRoot\system32\DRIVERS\pci.sys
0x888CB000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x888D6000 \SystemRoot\System32\drivers\partmgr.sys
0x888E7000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x888EF000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x888FA000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x8890A000 \SystemRoot\System32\drivers\volmgrx.sys
0x88955000 \SystemRoot\System32\drivers\mountmgr.sys
0x88A01000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x88ADB000 \SystemRoot\system32\DRIVERS\atapi.sys
0x88AE4000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x88B07000 \SystemRoot\system32\DRIVERS\msahci.sys
0x88B11000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x88B1F000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x88B28000 \SystemRoot\system32\drivers\fltmgr.sys
0x88B5C000 \SystemRoot\system32\drivers\fileinfo.sys
0x88B6D000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x88C33000 \SystemRoot\System32\Drivers\Ntfs.sys
0x88D62000 \SystemRoot\System32\Drivers\msrpc.sys
0x88D8D000 \SystemRoot\System32\Drivers\ksecdd.sys
0x88DA0000 \SystemRoot\System32\Drivers\cng.sys
0x88C00000 \SystemRoot\System32\drivers\pcw.sys
0x88C0E000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x88E39000 \SystemRoot\system32\drivers\ndis.sys
0x88EF0000 \SystemRoot\system32\drivers\NETIO.SYS
0x88F2E000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x89032000 \SystemRoot\System32\drivers\tcpip.sys
0x8917B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x891AC000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x891B5000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x891F4000 \SystemRoot\System32\DRIVERS\ApsHM86.sys
0x89000000 \SystemRoot\System32\Drivers\spldr.sys
0x88F53000 \SystemRoot\System32\drivers\rdyboost.sys
0x89008000 \SystemRoot\System32\DRIVERS\Apsx86.sys
0x88F80000 \SystemRoot\System32\Drivers\mup.sys
0x89028000 \SystemRoot\System32\drivers\hwpolicy.sys
0x88F90000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x88FC2000 \SystemRoot\system32\DRIVERS\disk.sys
0x88FD3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8DCF2000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8DD11000 \SystemRoot\System32\Drivers\Null.SYS
0x8DD18000 \SystemRoot\System32\Drivers\Beep.SYS
0x8DD1F000 \SystemRoot\System32\drivers\vga.sys
0x8DD2B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8DD4C000 \SystemRoot\System32\drivers\watchdog.sys
0x8DD59000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8DD61000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8DD69000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8DD71000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8DD7C000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8DD8A000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8DDA1000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8DDAC000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x88B77000 \SystemRoot\system32\drivers\afd.sys
0x8DDB6000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8DDBB000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8DDED000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x88E0D000 \SystemRoot\system32\DRIVERS\pacer.sys
0x88C17000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x88BD1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x88BDF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8DDF4000 \SystemRoot\System32\drivers\Tppwr32v.sys
0x8896B000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8897B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x88E2C000 \SystemRoot\system32\drivers\nsiproxy.sys
0x88C28000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8DDFB000 \SystemRoot\system32\DRIVERS\smiif32.sys
0x88BF2000 \SystemRoot\System32\drivers\discache.sys
0x8CC26000 \SystemRoot\system32\drivers\csc.sys
0x8CC8A000 \SystemRoot\System32\Drivers\dfsc.sys
0x8CCA2000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8CCB0000 \SystemRoot\System32\Drivers\aswSP.SYS
0x8CCD7000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8FE01000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x90428000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x904DF000 \SystemRoot\System32\drivers\dxgmms1.sys
0x90518000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x90523000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x9056E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x9057D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x9059C000 \SystemRoot\system32\DRIVERS\jmcr.sys
0x905BB000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x91E02000 \SystemRoot\system32\DRIVERS\NETw5s32.sys
0x923E1000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x8CCF8000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
0x905E1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x923EB000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8CD24000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x923F8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8CD5B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x923FA000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0x905F9000 \SystemRoot\System32\DRIVERS\dvd43llh.sys
0x8CD68000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8CD7A000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8CD7E000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8CD87000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x8CD94000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8CDA6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8CDBE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8CDC9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8CC00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x889BC000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x889D3000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8CC18000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x8CDEB000 \SystemRoot\system32\DRIVERS\psadd.sys
0x91E00000 \SystemRoot\system32\DRIVERS\swenum.sys
0x88800000 \SystemRoot\system32\DRIVERS\ks.sys
0x8CDF2000 \SystemRoot\system32\DRIVERS\umbus.sys
0x9301F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x93063000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9441D000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x946A5000 \SystemRoot\system32\drivers\portcls.sys
0x946D4000 \SystemRoot\system32\drivers\drmk.sys
0x946ED000 \SystemRoot\system32\drivers\IntcHdmi.sys
0x81E60000 \SystemRoot\System32\win32k.sys
0x94710000 \SystemRoot\System32\drivers\Dxapi.sys
0x9471A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x94731000 \SystemRoot\system32\DRIVERS\5U877.sys
0x94750000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0x9475E000 \SystemRoot\system32\DRIVERS\monitor.sys
0x820C0000 \SystemRoot\System32\TSDDD.dll
0x94769000 \SystemRoot\system32\DRIVERS\udfs.sys
0x820F0000 \SystemRoot\System32\cdd.dll
0x947A9000 \SystemRoot\System32\Drivers\crashdmp.sys
0x93074000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x947B6000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x947C7000 \SystemRoot\system32\drivers\luafv.sys
0x9314E000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x947E2000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x947E5000 \SystemRoot\system32\drivers\WudfPf.sys
0x94400000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x93185000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x931CB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x931DB000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8DC00000 \SystemRoot\system32\drivers\HTTP.sys
0x93000000 \SystemRoot\system32\DRIVERS\bowser.sys
0x931EE000 \SystemRoot\System32\drivers\mpsdrv.sys
0x8DC85000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8DCA8000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xABA07000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xABA3A000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0xABA43000 \SystemRoot\system32\drivers\peauth.sys
0xABADA000 \SystemRoot\system32\drivers\regi.sys
0xABADC000 \SystemRoot\System32\Drivers\secdrv.SYS
0xABAE6000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xABB07000 \SystemRoot\System32\drivers\tcpipreg.sys
0xABB14000 \SystemRoot\System32\DRIVERS\srv2.sys
0xABB63000 \SystemRoot\System32\DRIVERS\srv.sys
0xB766F000 \??\C:\Users\Audet\AppData\Local\Temp\catchme.sys
0xB7677000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
0x77740000 \Windows\System32\ntdll.dll
0x47FE0000 \Windows\System32\smss.exe
0x77980000 \Windows\System32\apisetschema.dll
0x00EE0000 \Windows\System32\autochk.exe
0x778A0000 \Windows\System32\msctf.dll
0x776E0000 \Windows\System32\difxapi.dll
0x776B0000 \Windows\System32\imagehlp.dll
0x775B0000 \Windows\System32\wininet.dll
0x77890000 \Windows\System32\psapi.dll
0x77520000 \Windows\System32\clbcatq.dll
0x774C0000 \Windows\System32\shlwapi.dll
0x772C0000 \Windows\System32\iertutil.dll
0x77880000 \Windows\System32\normaliz.dll
0x772A0000 \Windows\System32\sechost.dll
0x77140000 \Windows\System32\ole32.dll
0x770C0000 \Windows\System32\comdlg32.dll
0x770B0000 \Windows\System32\lpk.dll
0x76F70000 \Windows\System32\urlmon.dll
0x76ED0000 \Windows\System32\advapi32.dll
0x76E80000 \Windows\System32\Wldap32.dll
0x76DB0000 \Windows\System32\user32.dll
0x76D20000 \Windows\System32\oleaut32.dll
0x76CD0000 \Windows\System32\gdi32.dll
0x76C20000 \Windows\System32\rpcrt4.dll
0x76A80000 \Windows\System32\setupapi.dll
0x769A0000 \Windows\System32\kernel32.dll
0x768F0000 \Windows\System32\msvcrt.dll
0x75CA0000 \Windows\System32\shell32.dll
0x75C80000 \Windows\System32\imm32.dll
0x75C40000 \Windows\System32\ws2_32.dll
0x75BA0000 \Windows\System32\usp10.dll
0x75B90000 \Windows\System32\nsi.dll
0x75B40000 \Windows\System32\KernelBase.dll
0x75A20000 \Windows\System32\crypt32.dll
0x75A00000 \Windows\System32\devobj.dll
0x759D0000 \Windows\System32\cfgmgr32.dll
0x75940000 \Windows\System32\comctl32.dll
0x75910000 \Windows\System32\wintrust.dll
0x75900000 \Windows\System32\msasn1.dll

Processes (total 68):
0 System Idle Process
4 System
340 C:\Windows\System32\smss.exe
484 csrss.exe
540 C:\Windows\System32\wininit.exe
556 csrss.exe
592 C:\Windows\System32\services.exe
616 C:\Windows\System32\lsass.exe
624 C:\Windows\System32\lsm.exe
724 C:\Windows\System32\svchost.exe
784 C:\Windows\System32\winlogon.exe
848 C:\Windows\System32\ibmpmsvc.exe
904 C:\Windows\System32\svchost.exe
948 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1032 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\svchost.exe
1320 C:\Windows\System32\svchost.exe
1400 C:\Windows\System32\wlanext.exe
1408 C:\Windows\System32\conhost.exe
1424 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1812 C:\Windows\System32\spoolsv.exe
1840 C:\Windows\System32\svchost.exe
1932 C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
1964 C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
1976 C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
2032 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
496 C:\Windows\System32\svchost.exe
372 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
2004 C:\Windows\System32\svchost.exe
1340 C:\Program Files\Lenovo\HOTKEY\micmute.exe
2072 C:\Windows\System32\svchost.exe
2128 C:\Windows\System32\svchost.exe
2172 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
2208 C:\Windows\System32\svchost.exe
2316 C:\Program Files\Lenovo\Access Connections\AcSvc.exe
2396 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2616 unsecapp.exe
2652 C:\Windows\System32\svchost.exe
2848 WmiPrvSE.exe
3312 C:\Windows\System32\taskhost.exe
3648 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3740 C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
3872 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
3920 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
3660 C:\Windows\System32\SearchIndexer.exe
3828 C:\Program Files\Windows Media Player\wmpnetwk.exe
4220 C:\Windows\System32\svchost.exe
4584 C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe
5736 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
5980 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
4772 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
4872 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2560 C:\Program Files\Lenovo\System Update\SUService.exe
4532 C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
5156 C:\Windows\System32\svchost.exe
5384 C:\Windows\explorer.exe
5956 C:\Windows\notepad.exe
1200 C:\Program Files\Mozilla Firefox\firefox.exe
3076 C:\Program Files\EndItAll\enditall.exe
4916 C:\Windows\System32\dwm.exe
3212 C:\Windows\System32\SearchProtocolHost.exe
3916 C:\Windows\System32\SearchFilterHost.exe
4728 C:\Windows\System32\audiodg.exe
6092 dllhost.exe
6140 dllhost.exe
5376 C:\Users\Audet\Downloads\MBRCheck.exe
1912 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`4b100000 (NTFS)
\\.\Q: --> \\.\PhysicalDrive0 at offset 0x00000037`c7a00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500BEVS-08VAT2, Rev: 14.01A14

      Size  Device Name          MBR Status
  --------------------------------------------
    232 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: E970FC01CBF7A56C8A472E7C02D5F3CB965793C2

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

Enter your choice:
Done!
Maniac, posted December 24, 2010 (ID:365379):

Run MBRCheck.exe.
Wait until you see the following line:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Please push the 'Y' key and then press Enter.
When the program asks you "Enter your choice:", enter 2 and press the Enter key.
Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):". Enter 0 and press the Enter key.
The program will show "Available MBR codes:", followed by a list of operating systems. Please enter the number for Windows 7, and then press Enter.
The program will prompt for confirmation. Type 'YES' and hit Enter.
Left click on the title bar (where the program name and path are written).
From the menu choose Edit => Select All.
Hit the Enter key on your keyboard to copy the selected text.
Paste that text into Notepad and save it to your desktop as "MBRCheck results.txt".
Restart your PC.
Post the text in "MBRCheck results.txt" here, please.
tyrus (thread author), posted December 25, 2010 (ID:365388):

Here you go!

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: LENOVO
BIOS Manufacturer: LENOVO
System Manufacturer: LENOVO
System Product Name: 2842F7U
Logical Drives Mask: 0x0001000c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`4b100000 (NTFS)
\\.\Q: --> \\.\PhysicalDrive0 at offset 0x00000037`c7a00000 (NTFS)

      Size  Device Name          MBR Status
  --------------------------------------------
    232 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: E970FC01CBF7A56C8A472E7C02D5F3CB965793C2

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y
Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

Enter your choice: 2
Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
    [ 0] Default (Windows 7)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

Please select the MBR code to write to this drive: 5
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: y
Done!
Press ENTER to exit...
Maniac, posted December 25, 2010 (ID:365394):

Can you please post a new fresh GMER log?
tyrus (thread author), posted December 25, 2010 (ID:365418):

Sorry it took a long time; there were many crashes during the scans. Here is the report...

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-24 18:53:24
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0
Running: finhojvr.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 92B0DCD8
INT 0x71 ? 92A92058
INT 0x82 ? 92A92A58
INT 0x90 ? 92A92CD8
INT 0xA2 ? 92A92558
INT 0xB0 ? 92B0DA58

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E4DABAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8E4DA9D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8E4DAB0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E52599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E76F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82FB0291 7 Bytes JMP 8E4DAB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83017FBF 5 Bytes JMP 8E4D65D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 83031CF3 5 Bytes JMP 8E4D8012 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 8303FD63 7 Bytes JMP 8E4DA9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 830E9EAC 7 Bytes JMP 8E4DABB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 AB47B000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 AB47B123 629 Bytes [65, 47, AB, FE, 05, 34, 65, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 AB47B399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F AB47B3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B AB47B4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1428] kernel32.dll!SetUnhandledExceptionFilter 76193162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Mozilla Firefox\firefox.exe[4984] ntdll.dll!LdrLoadDll 7722F625 5 Bytes JMP 010B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad3f68b
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad3f68b (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{E300B591-2005-11DF-BCE0-806E6F6E6963} 2052730976

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----
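Both findings the tools report above come down to reading the first sectors of PhysicalDrive0: MBRCheck prints a SHA-1 of the boot code and calls it "Unknown MBR code" when the hash is not in its list of stock loaders, and GMER's "sector 08: copy of MBR" means a later sector holds the same MBR as sector 0. The Python below is an added example, not code from the thread, from MBRCheck or from GMER. It parses an MBR (boot code, disk signature, partition table, 0x55AA signature), hashes the code area, checks the hash against a known-good table, and scans the first sectors of a disk image for copies of the MBR and for stock boot code parked away from sector 0. Everything in it is constructed for the demonstration: the boot stubs STOCK_CODE and HOOKED_CODE, the KNOWN_GOOD table, the disk signature, the sector counts and the two images; the partition start LBAs are derived from the byte offsets the thread's MBRCheck output lists for C: and Q:. The 440-byte hashed range is an assumption of this example; the page does not say exactly which bytes MBRCheck hashes, so its real hashes will not match this table.

```python
"""Added example: parse an MBR, hash its boot code, and scan the first sectors of a
disk for copies of the MBR (the condition GMER reports as "sector 08: copy of MBR").
Not code from the thread, MBRCheck or GMER; stubs, hash table, disk signature and
images are constructed."""
import hashlib
import struct
from dataclasses import dataclass, field

SECTOR = 512
BOOT_CODE_LEN = 440      # assumption: the hashed code area ends at the disk signature
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class Mbr:
    code_sha1: str
    disk_signature: int
    signature_ok: bool
    partitions: list = field(default_factory=list)


def parse_mbr(sector0: bytes) -> Mbr:
    """Split one 512-byte sector into boot code hash, disk signature and partitions."""
    if len(sector0) < SECTOR:
        raise ValueError("an MBR is one full 512-byte sector")
    code_sha1 = hashlib.sha1(sector0[:BOOT_CODE_LEN]).hexdigest().upper()
    disk_sig = struct.unpack_from("<I", sector0, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector0, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return Mbr(code_sha1, disk_sig, sector0[510:512] == BOOT_SIG, parts)


def build_mbr(code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a sector from its parts; used here only to construct sample disks."""
    if len(code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 440 bytes")
    sector = bytearray(SECTOR)
    sector[:len(code)] = code                          # rest of the code area stays zero
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed boot stubs, not real Windows boot code. HOOKED_CODE is STOCK_CODE with
# its first instruction replaced by a short JMP, the smallest edit a boot-sector hook makes.
STOCK_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
HOOKED_CODE = bytes.fromhex("eb3e90") + STOCK_CODE[3:]

# Assumed known-good table keyed by upper-case SHA-1 of the code area. MBRCheck ships its
# own list of stock Microsoft hashes; only the constructed stub is listed here.
KNOWN_GOOD = {hashlib.sha1(STOCK_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest().upper():
              "constructed stock stub"}


def classify(mbr: Mbr, known_good=KNOWN_GOOD) -> str:
    """MBRCheck-style verdict: known code, unknown code, or no valid MBR at all."""
    if not mbr.signature_ok:
        return "no valid MBR (0x55AA signature missing)"
    if mbr.code_sha1 in known_good:
        return "known MBR code: " + known_good[mbr.code_sha1]
    return "Unknown MBR code"


def _sectors(image: bytes, first: int, max_sectors: int):
    for n in range(first, min(max_sectors, len(image) // SECTOR)):
        yield n, image[n * SECTOR:(n + 1) * SECTOR]


def find_mbr_copies(image: bytes, max_sectors: int = 64) -> list:
    """Sectors after 0 whose boot code equals sector 0's: GMER's 'copy of MBR'."""
    code = image[:BOOT_CODE_LEN]
    return [n for n, s in _sectors(image, 1, max_sectors)
            if s[:BOOT_CODE_LEN] == code and s[510:512] == BOOT_SIG]


def find_known_boot_code(image: bytes, known_good=KNOWN_GOOD, max_sectors: int = 64) -> list:
    """Sectors (0 included) holding a valid MBR whose code hash is known-good. Stock code
    parked away from sector 0 while sector 0 is unknown is the layout a hook leaves when
    it stashes the original MBR so it can chain-load it."""
    return [n for n, s in _sectors(image, 0, max_sectors)
            if s[510:512] == BOOT_SIG
            and hashlib.sha1(s[:BOOT_CODE_LEN]).hexdigest().upper() in known_good]


# Start LBAs come from the byte offsets the thread's MBRCheck output shows for C:
# (0x4b100000) and Q: (0x37c7a00000); sector counts and disk signature are made up.
PARTITIONS = [(True, 0x07, 0x4b100000 // SECTOR, 0x1bbe4800),
              (False, 0x07, 0x37c7a00000 // SECTOR, 0x1388970)]
DISK_SIG = 0x1234abcd


def make_image(sector0_code: bytes, sector8_code: bytes, nsectors: int = 16) -> bytes:
    """Constructed 16-sector disk with an MBR in sector 0 and another in sector 8."""
    img = bytearray(nsectors * SECTOR)
    img[0:SECTOR] = build_mbr(sector0_code, DISK_SIG, PARTITIONS)
    img[8 * SECTOR:9 * SECTOR] = build_mbr(sector8_code, DISK_SIG, PARTITIONS)
    return bytes(img)


CLEAN_IMAGE = make_image(STOCK_CODE, STOCK_CODE)      # stock MBR plus a backup copy of it
SUSPECT_IMAGE = make_image(HOOKED_CODE, STOCK_CODE)   # hooked MBR, original parked at 8

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(name, classify(parse_mbr(img[:SECTOR])),
              find_mbr_copies(img), find_known_boot_code(img))
```

On a real machine the image would be the first few hundred sectors read from \\.\PhysicalDrive0 with administrator rights; the same CreateFile access check is what Bootkit Remover later in this thread reports as ERROR 5 when it cannot open \\.\C:. A copy of the MBR in a later sector is not a verdict by itself: it is benign when sector 0 also carries known code, and worth a closer look when sector 0 is unknown and the stock code turns up elsewhere.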
Maniac, posted December 25, 2010 (ID:365523):

It's very stubborn... we should fix the MBR, so please follow these instructions (for Vista, but they worked on Windows 7):
http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/
Then please post a new fresh GMER log.
tyrus (thread author), posted December 25, 2010 (ID:365643):

OK, system recovery is installed on my hard drive. Pressing F8 during boot brings it up. After entering the console I choose the DOS prompt. In the DOS window I enter bootrec.exe and I am told the following:

Repairs Critical Disk Structures. The following commands are supported:
/FixMbr
/FixBoot
/ScanOS
/RebuildBcd

but when I enter /fixmbr I get the following error:

'fixmbr' is not recognized as an internal or external command, operable program or batch file.

I have tried /fixmbr, /FixMbr, fixmbr and FixMbr, all with the same results. Same story with FixBoot.

From the recovery tool console I choose Startup Repair and the system tries to detect a problem. After the search a report comes back saying "startup repair could not detect a problem."

I looked at system restore to see if there is a point before the problem but unfortunately there is not.

Problem is still present. Any suggestions? Borislav, again a big thanks for your continued support and happy holidays!
Maniac, posted December 25, 2010 (ID:365656):

See here for Windows 7:
http://www.hddoctor.net/fix-mbr-in-windows...ta-by-yourself/
tyrus (thread author), posted December 26, 2010 (ID:365679):

I entered bootsect.exe in the DOS window during system recovery and was told that "updated NTFS filesystem boot code", so I believe it worked. I restarted. Problem remains. Here is the GMER log after the bootsect.exe run was complete. Crashed a few times before a successful scan.

Thanks!

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-25 16:55:25
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0
Running: 0elui2nu.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 936A4058
INT 0x71 ? 936A42D8
INT 0x82 ? 936A4CD8
INT 0xA2 ? 936A47D8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8DCC2BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8DCC29D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8DCC2B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E8D599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB1F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1504] kernel32.dll!SetUnhandledExceptionFilter 774D3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Mozilla Firefox\firefox.exe[4800] ntdll.dll!LdrLoadDll 77B0F625 5 Bytes JMP 00BD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad3f68b
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad3f68b (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----
Maniac, posted December 26, 2010 (ID:365691):

No, it was not successful. Let's try this way:

Download Bootkit Remover to your Desktop.
Extract Remover to your desktop.
Double-click Remover to run it (Vista users right-click and select Run as Administrator).
It will show a black screen with some data on it.
Right click on the screen and click Select All.
Press Ctrl+C (on the keyboard) to copy the data.
Open Notepad and press Ctrl+V to paste the data.
tyrus (thread author), posted December 26, 2010 (ID:365708):

Downloaded Bootkit Remover and extracted it to the desktop. When I run it I get the following:

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 (build 7600), 32-bit

System volume is \\.\C:
main(): CreateFile() ERROR 5
ERROR: Can't open volume device \\.\C:

Done;
Press any key to quit...

I have tried shutting down the antivirus and using EndItAll to avoid conflicts. No change. ???
Maniac, posted December 26, 2010 (ID:365791):

Delete your copy of ComboFix and download a new fresh one.
tyrus (thread author), posted December 26, 2010 (ID:365890):

bootfix still not working. Downloaded a new ComboFix and ran a scan. Here it is...

ComboFix 10-12-25.03 - Audet 26/12/2010 8:51.5.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1060 [GMT -7:00]
Running from: c:\users\Audet\Downloads\COMBOFIXXX.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point.
.
((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
.
2010-12-26 15:56 . 2010-12-26 15:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-12-26 15:56 . 2010-12-26 15:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-24 23:50 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6DA953B9-9ED0-4F2F-9306-9FFD78CDB547}\mpengine.dll
2010-12-24 19:42 . 2010-12-24 19:51 -------- d-----w- C:\Combo-Fix
2010-12-09 04:18 . 2010-12-24 19:33 -------- d-----w- C:\ComboFix
2010-11-28 22:22 . 2010-11-29 00:22 -------- d-----w- c:\program files\EndItAll
2010-11-28 21:45 . 2010-11-28 21:45 388096 ----a-r- c:\users\Audet\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-28 21:45 . 2010-11-28 21:45 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2010-11-21 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-11-21 15:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 01:53 . 2010-06-12 18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 17:41 . 2010-03-29 21:48 222080 ----a-w- c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOV0.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-12-10 865640]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-12-10 75112]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1343400]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

2010-12-26 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Audet\AppData\Roaming\Mozilla\Firefox\Profiles\mr8mjq6m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-26 08:58:32
ComboFix-quarantined-files.txt 2010-12-26 15:58
ComboFix2.txt 2010-12-24 19:51
ComboFix3.txt 2010-12-09 04:35
ComboFix4.txt 2010-12-09 03:59
ComboFix5.txt 2010-12-26 15:50
.
Pre-Run: 137,188,483,072 bytes free
Post-Run: 137,012,568,064 bytes free
.
- - End Of File - - 6B0E93D621B90328AF09EEEFCD6DB66E
Maniac Posted December 26, 2010 ID:365964

Open Notepad and copy and paste the text in the code box below into it:

KillAll::
MBR::

Save the file to your desktop and name it CFScript.txt. Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
tyrus Posted December 26, 2010 Author ID:366023

here it is...

ComboFix 10-12-26.01 - Audet 26/12/2010 13:28:57.6.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1111 [GMT -7:00]
Running from: c:\users\Audet\Desktop\COMBOFIXXX.exe
Command switches used :: c:\users\Audet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
.
.
2010-12-26 20:33 . 2010-12-26 20:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-12-26 20:33 . 2010-12-26 20:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-26 15:50 . 2010-12-26 15:58 -------- d-----w- C:\COMBOFIXXX
2010-12-24 23:50 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6DA953B9-9ED0-4F2F-9306-9FFD78CDB547}\mpengine.dll
2010-12-24 19:42 . 2010-12-24 19:51 -------- d-----w- C:\Combo-Fix
2010-12-09 04:18 . 2010-12-24 19:33 -------- d-----w- C:\ComboFix
2010-11-28 22:22 . 2010-11-29 00:22 -------- d-----w- c:\program files\EndItAll
2010-11-28 21:45 . 2010-11-28 21:45 388096 ----a-r- c:\users\Audet\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-28 21:45 . 2010-11-28 21:45 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2010-11-21 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-11-21 15:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 01:53 . 2010-06-12 18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 17:41 . 2010-03-29 21:48 222080 ----a-w- c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-12-10 865640]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-12-10 75112]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1343400]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

2010-12-26 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Audet\AppData\Roaming\Mozilla\Firefox\Profiles\mr8mjq6m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlk.exe
c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Lenovo\Access Connections\AcSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlkd.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2010-12-26 15:32:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-26 22:32
ComboFix2.txt 2010-12-26 15:58
ComboFix3.txt 2010-12-24 19:51
ComboFix4.txt 2010-12-09 04:35
ComboFix5.txt 2010-12-26 20:28

Pre-Run: 136,763,670,528 bytes free
Post-Run: 136,768,016,384 bytes free

- - End Of File - - DD25FAE8D029C43603CD708658B1A31F
Maniac Posted December 27, 2010 ID:366164

Let's try to fix the MBR with Bootrec.exe: http://support.microsoft.com/kb/927392/en
tyrus Posted December 27, 2010 Author ID:366314

Like before, when I enter Bootrec.exe I see the following options available:

Repairs Critical Disk Structures. The following commands are supported:
/FixMbr
/FixBoot
/ScanOS
/RebuildBcd

but when I enter /fixmbr I get the following error:

'fixmbr' is not recognized as an internal or external command, operable program or batch file.

I have now tried this from both the system recovery tool on the hard drive and a recovery disk that I have made from http://neosmart.net/blog/2009/windows-7-system-repair-discs/ with the same result.

I also tried bootsect.exe again and entered all three options and I am told it was successful.

bootsect /nt60 C:
bootsect /nt60 SYS
bootsect /nt60 ALL

No change with the problem though...

In the directions you linked to it mentions this:

Note If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you make sure that the BCD is completely rebuilt. To do this, type the following commands at the Windows RE command prompt:
* bcdedit /export C:\BCD_Backup
* c:
* cd boot
* attrib bcd -s -h -r
* ren c:\boot\bcd bcd.old
* bootrec /RebuildBcd

Did you want me to try this?

Problem still exists on start up.

Thanks again for the continued support!
tyrus Posted December 27, 2010 Author ID:366319

Also, now on start up the rundll32.exe is listed twice in task manager. Removing one of them ends the problem until the next re-boot.
Maniac Posted December 27, 2010 ID:366447

Rundll32.exe is not a problem. It's not dangerous, there is nothing suspicious. Don't worry about rundll32.exe. You have a modified MBR; this is a very serious problem, not rundll32.exe, but the MBR.

Quote: "but when I enter /fixmbr I get the following error:"

Why don't you try:

/FixMbr
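Maniac's diagnosis turns on the MBR, which is why the CFScript above carries an MBR:: directive: the first sector is dumped so its boot code and partition table can be compared against what a clean install looks like. The Python below is an added example for readers of this thread, not code from the forum, ComboFix or Bootrec. It parses a 512-byte MBR image, checks the 0x55AA boot signature and the four partition entries, and compares a SHA-256 of the 440 bytes of boot code against a baseline hash. The MBR image is constructed inline, the baseline is a hypothetical value a defender would have recorded from the same machine while it was known clean, and all function names are mine.

```python
"""Sanity-check a 512-byte MBR image against a recorded baseline.

Added example for this thread, not code from ComboFix, Bootrec or the forum.
The MBR image is constructed below; the baseline hash stands in for a value a
defender would record from the same machine while it was known to be clean.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA boot signature

ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {
    0x00: "empty", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x27: "Windows RE", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_sample_mbr():
    """Constructed sample: stand-in boot code, one active NTFS partition at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:4] = b"\x33\xc0\x8e\xd0"                          # xor ax,ax / mov ss,ax
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)  # arbitrary disk signature
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def boot_code_sha256(mbr):
    """Hash of the boot-code region only; partition edits must not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(mbr):
    """Decode boot signature, disk signature and the four partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        partitions.append({
            "index": i, "status": status, "active": status == 0x80,
            "type": ptype, "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start, "sectors": sectors,
        })
    return {
        "boot_signature_ok": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_code_sha256": boot_code_sha256(mbr),
        "partitions": partitions,
    }


def check_mbr(mbr, baseline_sha256):
    """Return a list of findings; an empty list means the sector matches expectations."""
    info = parse_mbr(mbr)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0x00 and p["sectors"] == 0:
            findings.append(f"entry {p['index']}: typed partition with zero length")
    return findings


def with_patched_boot_code(mbr, patch=b"\xeb\xfe"):
    """Constructed 'after' image: first bytes of boot code replaced, so the
    baseline comparison has something to catch. The partition table is untouched."""
    out = bytearray(mbr)
    out[:len(patch)] = patch
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_sha256(clean)   # recorded while the machine was clean
    print("clean   :", check_mbr(clean, baseline) or "no findings")
    print("patched :", check_mbr(with_patched_boot_code(clean), baseline))
```

The check deliberately hashes only the first 440 bytes: disk signature and partition table legitimately change when volumes are resized or a disk is re-signed, while the boot code on a given Windows install should not change at all, so a differing boot-code hash is the signal worth acting on. Running the same check against a dump taken after a repair (the /FixMbr path discussed in this thread) shows whether the repair actually rewrote the boot code.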
tyrus Posted December 27, 2010 Author ID:366495

OK, I have tried many combinations. Including:

"but when I enter /fixmbr I get the following error:
'fixmbr' is not recognized as an internal or external command, operable program or batch file.
I have tried /fixmbr /FixMbr fixmbr and FixMbr all with the same results. Same story with FixBoot."

Not sure what I am doing wrong?
Maniac Posted December 28, 2010 ID:366722

I really don't know. Try these commands: http://www.bizzntech.com/2010/01/07/how-to...br-in-windows-7