Trojan horse agent_r.xj Issues


Hi, I seem to have a couple of trojan horse agents that AVG says are inaccessible.

After a scan, AVG reads:

c:\windows\system32\wuauclt.exe(4020):\memory_001b0000

Trojan horse agent_r.xj

c:\windows\explorer.exe(1980):\memory_001a0000

Trojan horse agent_r.xj

I have done a full scan on MBAM it was:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5907

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.2180

01/03/2011 00:44:28

mbam-log-2011-03-01 (00-44-28).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 247417

Time elapsed: 1 hour(s), 17 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

A new AVG scan was the same, with inaccessible trojans.

It is redirecting on search engines, especially Google, and the system is running slow. It did send my IE back to an old version for a while, but after a reboot this seems to be OK again; however, search engines are still affected.

This is my DDS:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Emma at 1:49:07.00 on 01/03/2011

Internet Explorer: 6.0.2900.2180

============== Running Processes ===============

\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\TalkTalk\bin\sprtcmd.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\WINDOWS\system32\wuauclt.exe

\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe

\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Emma\Desktop\Defogger.exe

C:\Documents and Settings\Emma\Desktop\dds.com

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/wanadoohome

uInternet Settings,ProxyOverride = localhost

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-gb\msntb.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll

TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-gb\msntb.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [kdx] "c:\program files\kontiki\KHost.exe" -all

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MediaFace Integration] "c:\program files\fellowes\mediaface 4.0\SetHook.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [PinnacleDriverCheck] "c:\windows\system32\PSDrvCheck.exe" -CheckReg

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] "c:\program files\logitech\video\ISStart.exe"

mRun: [LogitechVideoTray] "c:\program files\logitech\video\LogiTray.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [PCSuiteTrayApplication] "c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe" -startup

mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe"

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Free YouTube to Mp3 Converter - c:\documents and settings\emma\application data\dvdvideosoftiehelpers\youtubetomp3.htm

IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: WRNotifier - WRLogonNTF.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R? AVG Security Toolbar Service;AVG Security Toolbar Service

S? AVGIDSAgent;AVGIDSAgent

S? AVGIDSDriver;AVGIDSDriver

S? AVGIDSEH;AVGIDSEH

S? AVGIDSFilter;AVGIDSFilter

S? AVGIDSShim;AVGIDSShim

S? Avgldx86;AVG AVI Loader Driver

S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield

S? Avgrkx86;AVG Anti-Rootkit Driver

S? Avgtdix;AVG TDI Driver

S? avgwd;AVG WatchDog

S? SASDIFSV;SASDIFSV

S? SASKUTIL;SASKUTIL

S? sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk)

S? tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk)

=============== Created Last 30 ================

2011-02-28 22:49:42 -------- d-----w- c:\docume~1\emma\applic~1\Malwarebytes

2011-02-28 22:49:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-28 22:49:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-28 22:49:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-28 22:49:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-07 15:37:29 776240 ----a-w- c:\windows\system\Lead52.dll

2011-02-07 15:37:28 57344 ----a-w- c:\windows\system\bpenhan.dll

2011-02-07 15:29:59 77824 ----a-w- c:\windows\system32\Lffax10n.dll

2011-02-07 15:29:59 600576 ----a-w- c:\windows\system32\Ltwrp10n.dll

2011-02-07 15:29:59 35840 ----a-w- c:\windows\system32\Lflma10n.dll

2011-02-07 15:29:59 34304 ----a-w- c:\windows\system32\Lfbmp10n.dll

2011-02-07 15:29:59 33280 ----a-w- c:\windows\system32\Lfpcx10n.dll

2011-02-07 15:29:59 297472 ----a-w- c:\windows\system32\Ltkrn10n.dll

2011-02-07 15:29:59 28160 ----a-w- c:\windows\system32\Lfwmf10n.dll

2011-02-07 15:29:59 266752 ----a-w- c:\windows\system32\Lfcmp10n.dll

2011-02-07 15:29:59 228864 ----a-w- c:\windows\system32\Ltdis10n.dll

2011-02-07 15:29:59 122368 ----a-w- c:\windows\system32\Lftif10n.dll

2011-02-07 15:29:59 117760 ----a-w- c:\windows\system32\Ltimg10n.dll

2011-02-07 15:29:59 103424 ----a-w- c:\windows\system32\Ltfil10n.dll

2011-02-07 15:10:49 996872 ----a-w- c:\windows\system32\Cp3240mt.dll

2011-02-07 15:10:49 81920 ----a-w- c:\windows\system\Capi2032.dll

2011-02-07 15:10:49 29952 ----a-w- c:\windows\system32\Borlndmm.dll

2011-02-07 15:10:49 212480 ----a-w- c:\windows\system\Pcdlib32.dll

2011-02-07 15:10:49 1455736 ----a-w- c:\windows\system32\VCL35.BPL

2011-02-07 15:10:48 913616 ----a-w- c:\windows\system32\A258_R35.bpl

2011-02-07 15:10:48 906512 ----a-w- c:\windows\system32\A255_R35.bpl

2011-02-07 15:10:48 245912 ----a-w- c:\windows\system32\vclx35.bpl

2011-02-07 15:10:48 244024 ----a-w- c:\windows\system32\Msflxgrd.OCX

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2005-08-26 01:44:35 278528 ----a-w- c:\program files\common files\FDEUnInstaller.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600BB-00GUC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85F08439]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85f0e7b8]; MOV EAX, [0x85f0e834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x85F1F030]

3 CLASSPNP[0xF7848FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000008c[0x85F26F18]

5 ACPI[0xF773F620] -> nt!IofCallDriver[0x804E37D5] -> [0x85F35B58]

\Driver\atapi[0x85E52030] -> IRP_MJ_CREATE -> 0x85F08439

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BB-00GUC0_____________________08.02D08#5&28f96b46&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x85F0827F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 1:52:50.32 ===============

I tried to run GMER, but every time I try to run it, it gets going, then encounters a problem and has to close.

I have attached the zipped Attach log.

I would be so grateful if you can help. Thank you.

Attach.zip

Hello Emzil! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Step 1

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer, fails to affirmatively show a license agreement, and links to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers, increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start --> Control Panel --> Programs and Features

Click on the program name AskBarDis to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

Step 2

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; choose it.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

In your next reply, please post the following logs:

  • TDSSKiller log
  • a new fresh DDS log only

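The helper spots the Ask Toolbar by reading the DDS "Pseudo HJT Report" entries by eye. The script below is an added example (not part of this thread, and not code from DDS, Malwarebytes or the helper) that does the same first pass automatically: it parses the one-line-per-entry DDS format (BHO:, TB:, uRun:, DPF:, Handler: and so on), flags entries whose DLL is gone ("No File"), names on a small hand-written watch-list, and logon entries that give only a bare image name. When an orphaned CLSID is still named by another entry, the flag says which product it belonged to; that is exactly the situation in the second DDS log in this thread, where the Ask Toolbar CLSID reappears as a "TB: ... - No File" line after the uninstall. The watch-list, the `Entry` type and the sample lines (copied from the log format above) are constructed for this example.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One entry per line: "<kind>: <rest>". IE: and StartupFolder: lines are left alone.
ENTRY_RE = re.compile(
    r"^(?P<kind>[umd]URLSearchHooks|BHO|TB|[umd]Run(?:Once)?|DPF|Handler|Notify|SSODL|SEH):\s*(?P<rest>.+)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_KINDS = {"uRun", "mRun", "dRun", "uRunOnce", "mRunOnce", "dRunOnce"}

# Constructed watch-list (an assumption of this example): ad-supported
# toolbars/BHOs a forum helper would look at first.
WATCHLIST = ("ask toolbar", "conduit engine", "dvdvideosofttb")

# Constructed sample, copied from the DDS log format shown in this thread.
SAMPLE_LOG = r"""
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [soundMan] SOUNDMAN.EXE
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
"""


@dataclass
class Entry:
    kind: str
    name: Optional[str]
    clsid: Optional[str]      # lower-cased so the same object matches across sections
    target: Optional[str]     # DLL path, command line, URL, or the literal "No File"
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one DDS line; returns None for line kinds this helper ignores."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind in RUN_KINDS:
        # Run entries look like "[value name] command line".
        close = rest.find("]")
        if not rest.startswith("[") or close < 0:
            return None
        return Entry(kind, rest[1:close], None, rest[close + 1:].strip())
    cm = CLSID_RE.search(rest)
    clsid = cm.group(0).lower() if cm else None
    # Whatever precedes the CLSID is the friendly name (may be empty for orphans).
    name = rest[:cm.start()].rstrip(" :-").strip() if cm else None
    # Whatever follows the last " - " is the file, URL, or "No File".
    target = rest.rsplit(" - ", 1)[1].strip() if " - " in rest else None
    return Entry(kind, name or None, clsid, target)


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that earned at least one reason to look closer."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    # CLSID -> friendly name, taken from any entry that still carries the name.
    known: Dict[str, str] = {e.clsid: e.name for e in entries if e.clsid and e.name}
    for e in entries:
        if e.target == "No File":
            who = known.get(e.clsid or "")
            e.reasons.append(
                f"orphaned CLSID, DLL missing (registered as {who!r})" if who
                else "orphaned CLSID, DLL missing"
            )
        if e.name and any(w in e.name.lower() for w in WATCHLIST):
            e.reasons.append("ad-supported toolbar on watch-list")
        if e.kind in RUN_KINDS and e.target:
            exe = e.target.split('"')[1] if e.target.startswith('"') else e.target.split(" ")[0]
            if "\\" not in exe and "/" not in exe:
                e.reasons.append("bare image name resolved via PATH search order; verify on disk")
    return [e for e in entries if e.reasons]


def report(log_text: str) -> List[str]:
    """One human-readable line per flagged entry."""
    return [f"{e.kind}: {e.name or e.clsid} -> {'; '.join(e.reasons)}" for e in triage(log_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it on a saved DDS log by passing the file's text to `report()`; the flags are prompts for a human to verify on disk, not verdicts, and unflagged entries (the AVG tray, ctfmon, the Flash DPF in the sample) are simply ones this pass has nothing to say about.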

Hi Borislav, thank you so much for the help. I'm Emma.

I have removed Ask Toolbar; I never used it anyway.

These are the logs you requested:

TDSSKiller log:

2011/03/01 22:13:01.0296 3136 TDSS rootkit removing tool 2.4.19.0 Feb 28 2011 17:08:37

2011/03/01 22:13:01.0671 3136 ================================================================================

2011/03/01 22:13:01.0671 3136 SystemInfo:

2011/03/01 22:13:01.0671 3136

2011/03/01 22:13:01.0703 3136 OS Version: 5.1.2600 ServicePack: 3.0

2011/03/01 22:13:01.0703 3136 Product type: Workstation

2011/03/01 22:13:01.0703 3136 ComputerName: BEAST

2011/03/01 22:13:01.0703 3136 UserName: Emma

2011/03/01 22:13:01.0703 3136 Windows directory: C:\WINDOWS

2011/03/01 22:13:01.0703 3136 System windows directory: C:\WINDOWS

2011/03/01 22:13:01.0703 3136 Processor architecture: Intel x86

2011/03/01 22:13:01.0703 3136 Number of processors: 1

2011/03/01 22:13:01.0703 3136 Page size: 0x1000

2011/03/01 22:13:01.0703 3136 Boot type: Normal boot

2011/03/01 22:13:01.0703 3136 ================================================================================

2011/03/01 22:13:10.0500 3136 Initialize success

DDS Log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Emma at 22:14:28.78 on 01/03/2011

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.479.156 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Documents and Settings\Emma\Desktop\TDSSKiller.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Emma\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/wanadoohome

uInternet Settings,ProxyOverride = localhost

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-gb\msntb.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll

TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-gb\msntb.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [kdx] "c:\program files\kontiki\KHost.exe" -all

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MediaFace Integration] "c:\program files\fellowes\mediaface 4.0\SetHook.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [PinnacleDriverCheck] "c:\windows\system32\PSDrvCheck.exe" -CheckReg

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] "c:\program files\logitech\video\ISStart.exe"

mRun: [LogitechVideoTray] "c:\program files\logitech\video\LogiTray.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [PCSuiteTrayApplication] "c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe" -startup

mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe"

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Free YouTube to Mp3 Converter - c:\documents and settings\emma\application data\dvdvideosoftiehelpers\youtubetomp3.htm

IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: WRNotifier - WRLogonNTF.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-3 517448]

=============== Created Last 30 ================

2011-03-01 22:13:01 77912 ----a-w- c:\windows\system32\drivers\klmd.sys

2011-02-28 22:49:42 -------- d-----w- c:\docume~1\emma\applic~1\Malwarebytes

2011-02-28 22:49:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-28 22:49:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-28 22:49:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-28 22:49:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-07 15:37:29 776240 ----a-w- c:\windows\system\Lead52.dll

2011-02-07 15:37:28 57344 ----a-w- c:\windows\system\bpenhan.dll

2011-02-07 15:29:59 77824 ----a-w- c:\windows\system32\Lffax10n.dll

2011-02-07 15:29:59 600576 ----a-w- c:\windows\system32\Ltwrp10n.dll

2011-02-07 15:29:59 35840 ----a-w- c:\windows\system32\Lflma10n.dll

2011-02-07 15:29:59 34304 ----a-w- c:\windows\system32\Lfbmp10n.dll

2011-02-07 15:29:59 33280 ----a-w- c:\windows\system32\Lfpcx10n.dll

2011-02-07 15:29:59 297472 ----a-w- c:\windows\system32\Ltkrn10n.dll

2011-02-07 15:29:59 28160 ----a-w- c:\windows\system32\Lfwmf10n.dll

2011-02-07 15:29:59 266752 ----a-w- c:\windows\system32\Lfcmp10n.dll

2011-02-07 15:29:59 228864 ----a-w- c:\windows\system32\Ltdis10n.dll

2011-02-07 15:29:59 122368 ----a-w- c:\windows\system32\Lftif10n.dll

2011-02-07 15:29:59 117760 ----a-w- c:\windows\system32\Ltimg10n.dll

2011-02-07 15:29:59 103424 ----a-w- c:\windows\system32\Ltfil10n.dll

2011-02-07 15:10:49 996872 ----a-w- c:\windows\system32\Cp3240mt.dll

2011-02-07 15:10:49 81920 ----a-w- c:\windows\system\Capi2032.dll

2011-02-07 15:10:49 29952 ----a-w- c:\windows\system32\Borlndmm.dll

2011-02-07 15:10:49 212480 ----a-w- c:\windows\system\Pcdlib32.dll

2011-02-07 15:10:49 1455736 ----a-w- c:\windows\system32\VCL35.BPL

2011-02-07 15:10:48 913616 ----a-w- c:\windows\system32\A258_R35.bpl

2011-02-07 15:10:48 906512 ----a-w- c:\windows\system32\A255_R35.bpl

2011-02-07 15:10:48 245912 ----a-w- c:\windows\system32\vclx35.bpl

2011-02-07 15:10:48 244024 ----a-w- c:\windows\system32\Msflxgrd.OCX

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2005-08-26 01:44:35 278528 ----a-w- c:\program files\common files\FDEUnInstaller.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85C25008]<<

_asm { PUSH EBP; CALL 0x6; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x85FB9030]

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }

user != kernel MBR !!!

============= FINISH: 22:16:35.84 ===============

Thanks again

Emma
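The GMER section of the DDS log above is the part a helper reads first: GMER reads the MBR once through the normal user-mode path (CreateFile on \\.\PHYSICALDRIVE0) and once by calling the lowest disk driver directly, then compares the two, so "user != kernel MBR" together with an ">>UNKNOWN" module in the disk.sys call chain points at a hooked disk stack. The script below is an added example written for this page, not a tool from DDS, GMER, Malwarebytes or anyone in the thread; it pulls those indicators, the "No File" orphan entries and any kernel driver created in the last few days out of a pasted log and turns them into a verdict. The sample log inside it is constructed from lines of the kind shown above, and the allowlist of cleanup-tool drivers and the seven-day window are assumptions.

```python
"""Triage helper for DDS / GMER-style logs (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# Constructed sample: a handful of lines of the kind the posted DDS log contains.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2011-03-01 22:13:01 77912 ----a-w- c:\windows\system32\drivers\klmd.sys
2011-02-28 22:49:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-07 15:37:29 776240 ----a-w- c:\windows\system\Lead52.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File
=================== ROOTKIT ====================
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85C25008]<<
kernel: MBR read successfully
user != kernel MBR !!!
"""

# "<date> <time> <size> <attrs> <path>.sys" lines from the Created Last 30 section.
DRIVER_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?:\d+|-+) \S+ (.+\.sys)$", re.IGNORECASE)
# Registered browser add-ons whose DLL no longer exists.
ORPHAN_RE = re.compile(r"^(BHO|TB|uRun|mRun|dRun): (.+) - No File$")

# Drivers installed by the cleanup tools themselves (assumed allowlist; extend it
# from vendor documentation, not guesswork).
TOOL_DRIVERS = {"mbam.sys", "mbamswissarmy.sys"}


def triage(log_text, scan_date, recent_days=7):
    """Return (kind, detail) findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        ln = raw.strip()
        m = DRIVER_RE.match(ln)
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d")
            name = m.group(2).rsplit("\\", 1)[-1].lower()
            if scan_date - created <= timedelta(days=recent_days) and name not in TOOL_DRIVERS:
                # A new kernel driver is not proof of malice; it is what to verify
                # first (vendor, signature, install path) because it runs in ring 0.
                findings.append(("recent_driver", m.group(2)))
            continue
        m = ORPHAN_RE.match(ln)
        if m:
            # Leftover registration from an uninstall or a removal: harmless, but
            # it should be cleaned so the log stays readable.
            findings.append(("orphan_entry", f"{m.group(1)} {m.group(2)}"))
            continue
        if ln.startswith("called modules:") and ">>UNKNOWN" in ln:
            # GMER walked the disk driver stack and hit code that belongs to no
            # loaded module: the classic sign of a hooked disk dispatch routine.
            findings.append(("unknown_disk_module", ln.split(":", 1)[1].strip()))
        elif ln.startswith("user: error reading MBR"):
            findings.append(("user_mbr_read_failed", ln))
        elif ln.startswith("user != kernel MBR"):
            # The MBR seen from user mode differs from the one read by calling the
            # lowest disk driver directly: something in between filters sector 0.
            findings.append(("mbr_mismatch", ln))
    return findings


def verdict(findings):
    """Collapse the findings into the decision a helper has to make next."""
    kinds = {k for k, _ in findings}
    if kinds & {"mbr_mismatch", "unknown_disk_module"}:
        # With the disk stack hooked, user-mode scanners are reading what the
        # rootkit lets them read; the MBR has to be checked and repaired first.
        return "mbr_rootkit_suspected"
    if kinds & {"recent_driver", "user_mbr_read_failed"}:
        return "review_needed"
    return "no_findings"


def triage_sample():
    """Run the triage over the constructed sample with its scan date."""
    return triage(SAMPLE_LOG, datetime(2011, 3, 1))


if __name__ == "__main__":
    found = triage_sample()
    for kind, detail in found:
        print(f"{kind:22} {detail}")
    print("verdict:", verdict(found))
```

Paste a full DDS log into `triage()` with the date from its "Run by" line; the verdict is deliberately coarse, because the point of the MBR comparison is that once it fails, every clean result from an on-disk scanner on that machine has to be re-read as "clean as far as the rootkit allowed it to see".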


I have removed Ask Toolbar; I never used it anyway.

There is a problem, Emma. You installed it inadvertently and reluctantly, and the result is that you do not use it, but Ask Toolbar uses you.

Now:

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


Hi Borislav,

Here are the logs you wanted:

MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5939

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.2180

03/03/2011 01:24:55

mbam-log-2011-03-03 (01-24-55).txt

Scan type: Quick scan

Objects scanned: 174944

Time elapsed: 43 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS Log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Emma at 1:26:52.67 on 03/03/2011

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.479.180 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\WINDOWS\system32\spider.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Emma\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/wanadoohome

uInternet Settings,ProxyOverride = localhost

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-gb\msntb.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll

TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-gb\msntb.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [kdx] "c:\program files\kontiki\KHost.exe" -all

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MediaFace Integration] "c:\program files\fellowes\mediaface 4.0\SetHook.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [PinnacleDriverCheck] "c:\windows\system32\PSDrvCheck.exe" -CheckReg

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] "c:\program files\logitech\video\ISStart.exe"

mRun: [LogitechVideoTray] "c:\program files\logitech\video\LogiTray.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [PCSuiteTrayApplication] "c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe" -startup

mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe"

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Free YouTube to Mp3 Converter - c:\documents and settings\emma\application data\dvdvideosoftiehelpers\youtubetomp3.htm

IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: WRNotifier - WRLogonNTF.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2011-02-28 22:49:42 -------- d-----w- c:\docume~1\emma\applic~1\Malwarebytes

2011-02-28 22:49:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-28 22:49:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-28 22:49:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-28 22:49:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-07 15:37:29 776240 ----a-w- c:\windows\system\Lead52.dll

2011-02-07 15:37:28 57344 ----a-w- c:\windows\system\bpenhan.dll

2011-02-07 15:29:59 77824 ----a-w- c:\windows\system32\Lffax10n.dll

2011-02-07 15:29:59 600576 ----a-w- c:\windows\system32\Ltwrp10n.dll

2011-02-07 15:29:59 35840 ----a-w- c:\windows\system32\Lflma10n.dll

2011-02-07 15:29:59 34304 ----a-w- c:\windows\system32\Lfbmp10n.dll

2011-02-07 15:29:59 33280 ----a-w- c:\windows\system32\Lfpcx10n.dll

2011-02-07 15:29:59 297472 ----a-w- c:\windows\system32\Ltkrn10n.dll

2011-02-07 15:29:59 28160 ----a-w- c:\windows\system32\Lfwmf10n.dll

2011-02-07 15:29:59 266752 ----a-w- c:\windows\system32\Lfcmp10n.dll

2011-02-07 15:29:59 228864 ----a-w- c:\windows\system32\Ltdis10n.dll

2011-02-07 15:29:59 122368 ----a-w- c:\windows\system32\Lftif10n.dll

2011-02-07 15:29:59 117760 ----a-w- c:\windows\system32\Ltimg10n.dll

2011-02-07 15:29:59 103424 ----a-w- c:\windows\system32\Ltfil10n.dll

2011-02-07 15:10:49 996872 ----a-w- c:\windows\system32\Cp3240mt.dll

2011-02-07 15:10:49 81920 ----a-w- c:\windows\system\Capi2032.dll

2011-02-07 15:10:49 29952 ----a-w- c:\windows\system32\Borlndmm.dll

2011-02-07 15:10:49 212480 ----a-w- c:\windows\system\Pcdlib32.dll

2011-02-07 15:10:49 1455736 ----a-w- c:\windows\system32\VCL35.BPL

2011-02-07 15:10:48 913616 ----a-w- c:\windows\system32\A258_R35.bpl

2011-02-07 15:10:48 906512 ----a-w- c:\windows\system32\A255_R35.bpl

2011-02-07 15:10:48 245912 ----a-w- c:\windows\system32\vclx35.bpl

2011-02-07 15:10:48 244024 ----a-w- c:\windows\system32\Msflxgrd.OCX

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2005-08-26 01:44:35 278528 ----a-w- c:\program files\common files\FDEUnInstaller.exe

============= FINISH: 1:28:55.87 ===============

Thank you

Emma :-)


Thanks! :)

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:

    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif):
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Hi Borislav,

I downloaded combofix and disabled my anti virus, but when I attempted to run the program it came up with a warning box - *Combofix cannot run when AVG is installed. This is due to AVG's targeting of combofix's files/processes. It would be dangerous to continue. Please uninstall AVG or use another tool.*

What shall I do? Remove AVG completely? I am using AVG Free edition 2011

I will wait to see what you want me to do

Cheers

Emma


Uninstalled AVG and did combofix

It did a few updates one for itself and one for microsoft.

As it was preparing report it came up with warning: Delivery manager service encountered a problem and had to close

I hit Don't Send as I had to choose one. Nothing closed and nothing changed, then the report came.

Combofix report:

ComboFix 11-03-03.02 - Emma 04/03/2011 0:25.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.479.219 [GMT 0:00]

Running from: c:\documents and settings\Emma\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\All Users\Start Menu\Programs\Uninstall.lnk

c:\documents and settings\Emma\Application Data\PriceGong

c:\documents and settings\Emma\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Emma\Application Data\PriceGong\Data\z.xml

----- BITS: Possible infected sites -----

hxxp://assist.talktalk.net

.

((((((((((((((((((((((((( Files Created from 2011-02-04 to 2011-03-04 )))))))))))))))))))))))))))))))

.

2011-02-28 22:49 . 2011-02-28 22:49 -------- d-----w- c:\documents and settings\Emma\Application Data\Malwarebytes

2011-02-28 22:49 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-28 22:49 . 2011-02-28 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-28 22:49 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-28 22:49 . 2011-02-28 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-28 18:50 . 2011-02-28 18:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-02-07 15:37 . 1995-05-23 00:00 776240 ----a-w- c:\windows\system\Lead52.dll

2011-02-07 15:37 . 2001-06-18 10:53 57344 ----a-w- c:\windows\system\bpenhan.dll

2011-02-07 15:29 . 1998-12-03 12:07 103424 ----a-w- c:\windows\system32\Ltfil10n.dll

2011-02-07 15:29 . 1998-12-01 14:00 266752 ----a-w- c:\windows\system32\Lfcmp10n.dll

2011-02-07 15:29 . 1998-12-01 14:00 122368 ----a-w- c:\windows\system32\Lftif10n.dll

2011-02-07 15:29 . 1998-12-01 13:59 34304 ----a-w- c:\windows\system32\Lfbmp10n.dll

2011-02-07 15:29 . 1998-12-01 13:58 297472 ----a-w- c:\windows\system32\Ltkrn10n.dll

2011-02-07 15:29 . 1998-11-30 13:51 77824 ----a-w- c:\windows\system32\Lffax10n.dll

2011-02-07 15:29 . 1998-11-22 20:46 600576 ----a-w- c:\windows\system32\Ltwrp10n.dll

2011-02-07 15:29 . 1998-10-02 19:10 28160 ----a-w- c:\windows\system32\Lfwmf10n.dll

2011-02-07 15:29 . 1998-10-02 19:09 228864 ----a-w- c:\windows\system32\Ltdis10n.dll

2011-02-07 15:29 . 1998-09-22 16:54 33280 ----a-w- c:\windows\system32\Lfpcx10n.dll

2011-02-07 15:29 . 1998-09-22 16:53 35840 ----a-w- c:\windows\system32\Lflma10n.dll

2011-02-07 15:29 . 1998-09-22 16:48 117760 ----a-w- c:\windows\system32\Ltimg10n.dll

2011-02-07 15:10 . 2000-07-11 13:59 81920 ----a-w- c:\windows\system\Capi2032.dll

2011-02-07 15:10 . 1998-02-09 03:00 996872 ----a-w- c:\windows\system32\Cp3240mt.dll

2011-02-07 15:10 . 1998-02-09 03:00 29952 ----a-w- c:\windows\system32\Borlndmm.dll

2011-02-07 15:10 . 1998-02-09 03:00 1455736 ----a-w- c:\windows\system32\VCL35.BPL

2011-02-07 15:10 . 1995-07-31 13:44 212480 ----a-w- c:\windows\system\Pcdlib32.dll

2011-02-07 15:10 . 1999-09-01 02:58 913616 ----a-w- c:\windows\system32\A258_R35.bpl

2011-02-07 15:10 . 1998-10-01 02:55 906512 ----a-w- c:\windows\system32\A255_R35.bpl

2011-02-07 15:10 . 1998-06-24 00:00 244024 ----a-w- c:\windows\system32\Msflxgrd.OCX

2011-02-07 15:10 . 1998-02-09 03:00 245912 ----a-w- c:\windows\system32\vclx35.bpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2004-10-31 13:22 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-10-31 13:21 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-10-31 13:22 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-10-31 13:21 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 17:26 . 2004-10-31 20:21 730112 ------w- c:\windows\system32\lsasrv.dll

2010-12-09 15:15 . 2004-10-31 13:22 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2004-10-31 13:21 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38 . 2004-10-31 13:22 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-04 05:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2005-08-26 01:44 . 2005-08-26 01:44 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-10-08 196608]

"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-22 2423752]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-23 98304]

"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-02-07 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-10-08 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-10-08 217088]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-11-06 1359967]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-6-19 67128]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-8-13 151552]

Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-8-13 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"=

"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=

"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=

"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = hxxp://www.wanadoo.co.uk/cd_redirects/wanadoohome

uInternet Settings,ProxyOverride = localhost

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Free YouTube to Mp3 Converter - c:\documents and settings\Emma\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm

IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe

SafeBoot-svcWRSSSDK

MSConfigStartUp-lxbymon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-04 00:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2011-03-04 00:53:58

ComboFix-quarantined-files.txt 2011-03-04 00:53

Pre-Run: 134,295,965,696 bytes free

Post-Run: 136,005,722,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 0A10BCA384D6F7A94C7420365F0874BF

Hope this helps

Cheers, Emma

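A worked triage of the "Reg Loading Points" block in the ComboFix log above, added here as example code (it is not ComboFix's or DDS's own code). It parses the REGEDIT4-style entries and flags three things that are visible in the log: the Security Center `AntiVirusOverride` value set to 1, which silences the "no antivirus detected" alert; the `BootExecute` value carrying an entry beyond the default `autocheck autochk *`; and the RunOnce entry ComboFix marked `[X]`. It also flags autoruns launched from a user-writable directory; the log above has none, so one hypothetical line (`hypothetical_entry`) is added to the constructed sample to exercise that check. The heuristics, the user-writable prefix list and the reading of `[X]` as "file not found" are this example's own assumptions, and it only reads the log text, so pair it with a file-existence check on the live host.

```python
"""
Triage of the "Reg Loading Points" section of a ComboFix log.
Added example for this page; not ComboFix's code. The checks and the
user-writable prefix list are this example's own heuristics.
"""
import re

# Constructed sample: lines copied from the log above plus one hypothetical
# Application Data autorun (the "hypothetical_entry" line) to exercise the
# user-writable-path check.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-22 2423752]
"hypothetical_entry"="c:\documents and settings\Emma\Application Data\example\run.exe" [2011-03-01 12345]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
BOOTEXEC_RE = re.compile(r'^BootExecute\s+REG_MULTI_SZ\s+(?P<value>.+)$')

DEFAULT_BOOTEXECUTE = "autocheck autochk *"   # the stock XP value
# Assumption: directories a non-admin user can write to on an XP box.
USER_WRITABLE_PREFIXES = (
    "c:\\documents and settings\\",
    "c:\\windows\\temp\\",
)


def triage(log_text: str) -> list:
    """Walk the REGEDIT4-style block and return (category, detail) findings."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m:
            # Security Center *Override = 1 suppresses the corresponding alert,
            # so the user never sees that AV is missing or disabled.
            if (key.endswith("security center")
                    and m.group("name").lower().endswith("override")
                    and int(m.group("hex"), 16) == 1):
                findings.append(("security-center-override", m.group("name")))
            continue
        m = BOOTEXEC_RE.match(line)
        if m:
            # BootExecute runs before the filesystem is fully up; anything past
            # the stock autochk entry deserves a look. The log uses a literal "\0".
            parts = [p for p in m.group("value").split("\\0") if p]
            extras = [p for p in parts if p != DEFAULT_BOOTEXECUTE]
            if extras:
                findings.append(("bootexecute-extra", ", ".join(extras)))
            continue
        m = ENTRY_RE.match(line)
        if m and "\\run" in key:   # Run and RunOnce keys
            name, value, meta = m.group("name"), m.group("value"), m.group("meta")
            if meta == "X":        # assumption: ComboFix's marker for a missing file
                findings.append(("file-not-found", f"{name}={value}"))
            elif value.lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(("user-writable-autorun", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

The output lists four findings for the sample: the override, the extra BootExecute entry, the `[X]` RunOnce entry, and the hypothetical Application Data autorun. The entries under `c:\program files` are left alone; a vendor path is no guarantee of safety, but it is not what this heuristic is for.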

Hi Borislav,

Not good! After I posted yesterday, the PC started warning about threats. I had a box quickly appear, a security monitor, warning about a spyware infection; then warning balloons appeared stating spyware infection and antivirus needed, and it then shut down and restarted by itself. Lots of pinging, then my desktop wallpaper disappeared and another appeared: a blue background with binary numbers all over it and a big "Warning infected protect yourself children etc". Another balloon appeared saying "application cannot be executed, the file tfswctrl.exe is infected". It also keeps trying to run and open System Tool, which I have never heard of. I tried to download the Avira antivirus but that won't open from the desktop. I have 2 red Windows shields and 1 yellow.

Any Ideas???


I hope this is a bad joke; if not, your system is re-infected.

  • Download MBRCheck to your desktop
  • For Windows XP: double-click on MBRCheck.exe to run it.
  • For Windows Vista/7: right-click on MBRCheck.exe and select Run as Administrator
  • It will show a black screen with some data on it
  • Don't run any of the options!!!
  • When it's done, press Enter to close the program
  • A file called MBRCheck_ will appear on your desktop
  • Please copy it into your next reply


I downloaded MBRCheck to the desktop but it wouldn't open/run; then, as I was replying to you, the PC shut down and restarted again on its own. When it came back up I tried MBRCheck again and it ran for a couple of seconds, then went off and left a check log, but the log won't open for me to paste/copy to you; it just flashes, but not long enough to see what it says. A new balloon has appeared saying something about spywaremonster.

No, definitely no joke!


After doing that last reply the PC shut down and restarted again on its own; when it came back up, before my desktop was taken over, I managed to open the MBRCheck log.

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000d

Kernel Drivers (total 179):

0x804D7000

That was it! Hope this helps. Cheers, Emma


OK, done. Here is the log; it's a bit bigger, lol.

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000d

Kernel Drivers (total 141):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806EF000 \WINDOWS\system32\hal.dll

0xF7C88000 \WINDOWS\system32\KDCOM.DLL

0xF7B98000 \WINDOWS\system32\BOOTVID.dll

0xF7739000 ACPI.sys

0xF7C8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF7728000 pci.sys

0xF7788000 isapnp.sys

0xF7D50000 pciide.sys

0xF7A08000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7C8C000 aliide.sys

0xF7C8E000 cmdide.sys

0xF7C90000 toside.sys

0xF7C92000 viaide.sys

0xF7C94000 intelide.sys

0xF7798000 MountMgr.sys

0xF7709000 ftdisk.sys

0xF7A10000 PartMgr.sys

0xF7D51000 SISIDE.SYS

0xF77A8000 VolSnap.sys

0xF7B9C000 cpqarray.sys

0xF76F1000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

0xF76D9000 atapi.sys

0xF7BA0000 aha154x.sys

0xF7A18000 sparrow.sys

0xF7BA4000 symc810.sys

0xF77B8000 aic78xx.sys

0xF7BA8000 dac960nt.sys

0xF77C8000 ql10wnt.sys

0xF7BAC000 amsint.sys

0xF7A20000 asc.sys

0xF7BB0000 asc3550.sys

0xF7A28000 mraid35x.sys

0xF7A30000 i2omp.sys

0xF7BB4000 ini910u.sys

0xF77D8000 ql1240.sys

0xF77E8000 aic78u2.sys

0xF7A38000 symc8xx.sys

0xF7A40000 sym_hi.sys

0xF7A48000 sym_u3.sys

0xF7A50000 ABP480N5.SYS

0xF7A58000 asc3350p.sys

0xF7C96000 cd20xrnt.sys

0xF77F8000 ultra.sys

0xF76C0000 adpu160m.sys

0xF7A60000 dpti2o.sys

0xF7808000 ql1080.sys

0xF7818000 ql1280.sys

0xF7828000 ql12160.sys

0xF7A68000 perc2.sys

0xF7C98000 perc2hib.sys

0xF7A70000 hpn.sys

0xF7BB8000 cbidf2k.sys

0xF7694000 dac2w2k.sys

0xF7838000 disk.sys

0xF7848000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7674000 fltmgr.sys

0xF7662000 sr.sys

0xF764E000 drvmcdb.sys

0xF7A78000 PxHelp20.sys

0xF7637000 KSecDD.sys

0xF7624000 WudfPf.sys

0xF7597000 Ntfs.sys

0xF756A000 NDIS.sys

0xF7858000 SISAGPX.sys

0xF7868000 viaagp.sys

0xF7BBC000 RecAgent.sys

0xF7550000 Mup.sys

0xF7878000 agp440.sys

0xF7888000 alim1541.sys

0xF7898000 amdagp.sys

0xF78A8000 agpCPQ.sys

0xF78D8000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF7C34000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS

0xF7B88000 \SystemRoot\system32\drivers\ASAPIW2k.sys

0xF7C40000 \SystemRoot\system32\drivers\pfc.sys

0xF7C9C000 \SystemRoot\system32\drivers\sscdbhk5.sys

0xF78E8000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF78F8000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF7445000 \SystemRoot\system32\DRIVERS\ks.sys

0xF7AD0000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xF73F9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7B00000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF7B10000 \SystemRoot\system32\DRIVERS\sisnic.sys

0xF7B20000 \SystemRoot\system32\DRIVERS\fdc.sys

0xF7908000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF7B40000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF7B50000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF7918000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF7C54000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF73E2000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF7928000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF7938000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF7A98000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF73D1000 \SystemRoot\system32\DRIVERS\psched.sys

0xF7948000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7AC0000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7AD8000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF7958000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7CA2000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF7373000 \SystemRoot\system32\DRIVERS\update.sys

0xF7C6C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF735C000 \SystemRoot\system32\DRIVERS\MarvinBus.sys

0xF7968000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF7978000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF7CA8000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7AB0000 \SystemRoot\system32\DRIVERS\flpydisk.sys

0xF7508000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xF7CAC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7E88000 \SystemRoot\System32\Drivers\Null.SYS

0xF7CB0000 \SystemRoot\System32\Drivers\Beep.SYS

0xF7AE8000 \SystemRoot\system32\drivers\ssrtln.sys

0xF7AF8000 \SystemRoot\System32\drivers\vga.sys

0xF7230000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0xF7CB4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF7B30000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF7B48000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF7C38000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xF71D5000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xF717C000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xF7154000 \SystemRoot\system32\DRIVERS\netbt.sys

0xF712E000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF710C000 \SystemRoot\System32\drivers\afd.sys

0xF7B58000 \SystemRoot\system32\DRIVERS\usbprint.sys

0xF79A8000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF70E1000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xF7071000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF79C8000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xF7059000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF7CCC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF7204000 \SystemRoot\System32\drivers\Dxapi.sys

0xF7B60000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7E6C000 \SystemRoot\System32\drivers\dxgthk.sys

0xBFF50000 \SystemRoot\System32\framebuf.dll

0xBF012000 \SystemRoot\System32\ATMFD.DLL

0xF7039000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xF6B31000 \SystemRoot\system32\DRIVERS\srv.sys

0xF6955000 \SystemRoot\System32\Drivers\Fastfat.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 14):

0 System Idle Process

4 System

384 C:\WINDOWS\system32\smss.exe

444 csrss.exe

468 C:\WINDOWS\system32\winlogon.exe

512 C:\WINDOWS\system32\services.exe

524 C:\WINDOWS\system32\lsass.exe

684 C:\WINDOWS\system32\svchost.exe

756 svchost.exe

852 C:\WINDOWS\system32\svchost.exe

888 svchost.exe

996 svchost.exe

1732 C:\WINDOWS\explorer.exe

176 C:\Documents and Settings\Emma\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`9c64fe00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BB-00GUC0, Rev: 08.02D08

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 7CCA7828E2215F6AB7EE29911559F39B85073820

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Cheers, Emma


I've had a look for them but all I can find is the cover with my key codes on; I can't find the disks. The only other disks I can find are Works 8, one for the monitor, and the rest are for the printer etc. How can I get replacement disks?


Let's try something.

Run MBRCheck.exe

Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Please press the 'Y' key and then press Enter.

When the program asks you "Enter your choice:", enter 2 and press the Enter key.

Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"

Enter 1 and press the Enter key.

The program will show "Available MBR codes:", followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.

The program will prompt for confirmation. Type 'YES' and hit Enter.

Left-click on the title bar (where the program name and path are written).

From the menu choose Edit -> Select All.

Hit the Enter key on your keyboard to copy selected text.

Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"

Restart your PC.

Post the text in "MBRCheck results.txt" here, please.

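What the MBRCheck steps above actually do to the first sector, as an added example written for this page (it is not MBRCheck's source). The script builds a constructed 512-byte MBR whose bootable partition starts at the byte offset MBRCheck reported for C: in the logs (0x9c64fe00, i.e. LBA 0x4E327F), validates the 0x55AA signature, decodes the partition table, hashes the boot-code area with SHA-1 and compares it against an allowlist of known standard boot codes, reporting "Unknown MBR code" on a miss, and finally restores a standard boot code while leaving the disk signature and partition table untouched, which is the property a "restore with standard boot code" must have. Assumptions: MBRCheck's exact hashed byte range is not stated on the page, so the first 440 bytes are hashed here; the "standard" and "infected" boot-code bytes and the allowlist are constructed placeholders, and the real Windows XP boot code is not reproduced. Run it against an image dumped with MBRCheck option [1], never against a live disk.

```python
"""
MBR signature, partition table and boot-code hash checks, modelled on the
MBRCheck steps above. Added example for this page; not MBRCheck's source.
Operates on a 512-byte image (e.g. the file MBRCheck option [1] dumps),
never on a live disk.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439  : executable boot code
DISK_SIG_OFF = 440           # bytes 440..443: NT disk signature (drive-letter mapping)
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

# Byte offset MBRCheck reported for C: on PhysicalDrive0, as an LBA.
C_DRIVE_LBA = 0x9C64FE00 // SECTOR   # == 0x4E327F


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: entry 1 a hidden partition, entry 2 the bootable
    NTFS system partition at the offset MBRCheck reported for C:."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 440 bytes")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x11\x22\x33\x44"   # constructed disk signature
    entries = [
        (0x00, b"\x01\x01\x00", 0x17, b"\xfe\xff\xff", 63, C_DRIVE_LBA - 63),       # hidden NTFS
        (0x80, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", C_DRIVE_LBA, 0x12A00000),   # bootable NTFS
    ]
    for i, entry in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, *entry)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list:
    """Validate the 0x55AA signature and decode the non-empty partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "byte_offset": lba * SECTOR, "sectors": count})
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 over the boot-code area only. Assumption: the page does not say
    which bytes MBRCheck hashes; excluding the signature and table means the
    same loader hashes identically on every disk."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_mbr(mbr: bytes, known_good: dict) -> str:
    """Name of the matching standard boot code, or MBRCheck's wording on a miss."""
    return known_good.get(boot_code_sha1(mbr), "Unknown MBR code")


def restore_boot_code(mbr: bytes, standard_code: bytes) -> bytes:
    """Replace only bytes 0..439. The disk signature, partition table and 0x55AA
    stay intact; clobbering them would lose the partitions and the drive-letter
    mapping, which is worse than the infection."""
    if len(standard_code) > BOOT_CODE_LEN:
        raise ValueError("standard boot code must fit in 440 bytes")
    fixed = bytearray(mbr)
    fixed[:BOOT_CODE_LEN] = standard_code.ljust(BOOT_CODE_LEN, b"\x00")
    return bytes(fixed)


# Constructed placeholders: the real Windows XP boot code is NOT reproduced here,
# and the allowlist is an assumption, not MBRCheck's database.
STANDARD_XP_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24
INFECTED_CODE = b"\xEB\xFE" + b"\xCC" * 62
KNOWN_GOOD = {
    hashlib.sha1(STANDARD_XP_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest().upper(): "Windows XP",
}

if __name__ == "__main__":
    suspect = build_sample_mbr(INFECTED_CODE)
    print(classify_mbr(suspect, KNOWN_GOOD), boot_code_sha1(suspect))
    for p in parse_partitions(suspect):
        print(p)
    repaired = restore_boot_code(suspect, STANDARD_XP_CODE)
    print(classify_mbr(repaired, KNOWN_GOOD),
          "table preserved:", repaired[DISK_SIG_OFF:] == suspect[DISK_SIG_OFF:])
```

The SHA-1 shown in the logs (7CCA7828...) will not match anything in this constructed allowlist, and a hash that is merely unknown is not proof of infection: OEM recovery loaders such as the one a preinstalled recovery tool may ship are a common reason for a non-Microsoft boot sector. Dump the sector with option [1] and keep the dump before writing anything back.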

Hi Borislav,

Here is the log you wanted. After I confirmed with yes and pressed Enter it came up with a line saying "error opening disk(2)", then it carried on and said done.

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`9c64fe00 (NTFS)

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 7CCA7828E2215F6AB7EE29911559F39B85073820

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 1

Available MBR codes:

[ 0] Default (Windows XP)

[ 1] Windows XP

[ 2] Windows Server 2003

[ 3] Windows Vista

[ 4] Windows 2008

[ 5] Windows 7

[-1] Cancel

Please select the MBR code to write to this drive: 1

This is the other log it produced

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000d

Kernel Drivers (total 141):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806EF000 \WINDOWS\system32\hal.dll

0xF7C88000 \WINDOWS\system32\KDCOM.DLL

0xF7B98000 \WINDOWS\system32\BOOTVID.dll

0xF7739000 ACPI.sys

0xF7C8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF7728000 pci.sys

0xF7788000 isapnp.sys

0xF7D50000 pciide.sys

0xF7A08000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7C8C000 aliide.sys

0xF7C8E000 cmdide.sys

0xF7C90000 toside.sys

0xF7C92000 viaide.sys

0xF7C94000 intelide.sys

0xF7798000 MountMgr.sys

0xF7709000 ftdisk.sys

0xF7A10000 PartMgr.sys

0xF7D51000 SISIDE.SYS

0xF77A8000 VolSnap.sys

0xF7B9C000 cpqarray.sys

0xF76F1000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

0xF76D9000 atapi.sys

0xF7BA0000 aha154x.sys

0xF7A18000 sparrow.sys

0xF7BA4000 symc810.sys

0xF77B8000 aic78xx.sys

0xF7BA8000 dac960nt.sys

0xF77C8000 ql10wnt.sys

0xF7BAC000 amsint.sys

0xF7A20000 asc.sys

0xF7BB0000 asc3550.sys

0xF7A28000 mraid35x.sys

0xF7A30000 i2omp.sys

0xF7BB4000 ini910u.sys

0xF77D8000 ql1240.sys

0xF77E8000 aic78u2.sys

0xF7A38000 symc8xx.sys

0xF7A40000 sym_hi.sys

0xF7A48000 sym_u3.sys

0xF7A50000 ABP480N5.SYS

0xF7A58000 asc3350p.sys

0xF7C96000 cd20xrnt.sys

0xF77F8000 ultra.sys

0xF76C0000 adpu160m.sys

0xF7A60000 dpti2o.sys

0xF7808000 ql1080.sys

0xF7818000 ql1280.sys

0xF7828000 ql12160.sys

0xF7A68000 perc2.sys

0xF7C98000 perc2hib.sys

0xF7A70000 hpn.sys

0xF7BB8000 cbidf2k.sys

0xF7694000 dac2w2k.sys

0xF7838000 disk.sys

0xF7848000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7674000 fltmgr.sys

0xF7662000 sr.sys

0xF764E000 drvmcdb.sys

0xF7A78000 PxHelp20.sys

0xF7637000 KSecDD.sys

0xF7624000 WudfPf.sys

0xF7597000 Ntfs.sys

0xF756A000 NDIS.sys

0xF7858000 SISAGPX.sys

0xF7868000 viaagp.sys

0xF7BBC000 RecAgent.sys

0xF7550000 Mup.sys

0xF7878000 agp440.sys

0xF7888000 alim1541.sys

0xF7898000 amdagp.sys

0xF78A8000 agpCPQ.sys

0xF78D8000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF7C34000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS

0xF7B88000 \SystemRoot\system32\drivers\ASAPIW2k.sys

0xF7C40000 \SystemRoot\system32\drivers\pfc.sys

0xF7C9C000 \SystemRoot\system32\drivers\sscdbhk5.sys

0xF78E8000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF78F8000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF7445000 \SystemRoot\system32\DRIVERS\ks.sys

0xF7AD0000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xF73F9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7B00000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF7B10000 \SystemRoot\system32\DRIVERS\sisnic.sys

0xF7B20000 \SystemRoot\system32\DRIVERS\fdc.sys

0xF7908000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF7B40000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF7B50000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF7918000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF7C54000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF73E2000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF7928000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF7938000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF7A98000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF73D1000 \SystemRoot\system32\DRIVERS\psched.sys

0xF7948000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7AC0000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7AD8000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF7958000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7CA2000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF7373000 \SystemRoot\system32\DRIVERS\update.sys

0xF7C6C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF735C000 \SystemRoot\system32\DRIVERS\MarvinBus.sys

0xF7968000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF7978000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF7CA8000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7AB0000 \SystemRoot\system32\DRIVERS\flpydisk.sys

0xF7508000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xF7CAE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7E69000 \SystemRoot\System32\Drivers\Null.SYS

0xF7CB2000 \SystemRoot\System32\Drivers\Beep.SYS

0xF7AE8000 \SystemRoot\system32\drivers\ssrtln.sys

0xF7AF8000 \SystemRoot\System32\drivers\vga.sys

0xF7230000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0xF7CB6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF7B30000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF7B48000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF7C38000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xF71D5000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xF717C000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xF728C000 \SystemRoot\system32\DRIVERS\usbprint.sys

0xF7154000 \SystemRoot\system32\DRIVERS\netbt.sys

0xF712E000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF710C000 \SystemRoot\System32\drivers\afd.sys

0xF7998000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF70E1000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xF7071000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF79B8000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xF7059000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF7CC4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF7204000 \SystemRoot\System32\drivers\Dxapi.sys

0xF7B70000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7E39000 \SystemRoot\System32\drivers\dxgthk.sys

0xBFF50000 \SystemRoot\System32\framebuf.dll

0xBF012000 \SystemRoot\System32\ATMFD.DLL

0xF7049000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xF6A91000 \SystemRoot\system32\DRIVERS\srv.sys

0xF69F5000 \SystemRoot\System32\Drivers\Fastfat.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 15):

0 System Idle Process

4 System

384 C:\WINDOWS\system32\smss.exe

444 csrss.exe

468 C:\WINDOWS\system32\winlogon.exe

512 C:\WINDOWS\system32\services.exe

524 C:\WINDOWS\system32\lsass.exe

680 C:\WINDOWS\system32\svchost.exe

756 svchost.exe

856 C:\WINDOWS\system32\svchost.exe

888 svchost.exe

1000 svchost.exe

1604 C:\WINDOWS\explorer.exe

404 C:\WINDOWS\system32\ctfmon.exe

1288 C:\Documents and Settings\Emma\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`9c64fe00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BB-00GUC0, Rev: 08.02D08

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 7CCA7828E2215F6AB7EE29911559F39B85073820

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 1Available MBR codes:

[ 0] Default (Windows XP)

[ 1] Windows XP

[ 2] Windows Server 2003

[ 3] Windows Vista

[ 4] Windows 2008

[ 5] Windows 7

[-1] Cancel

Thanks, Emma


Hi Borislav,

OK, after a bit of looking into it I discovered 2 things:

1. The company has since gone bankrupt.

2. The PC has system recovery preinstalled, which will reinstall Windows XP back to factory settings.

Would this be any good? Otherwise I would have to go and buy disks.

Cheers, Emma


No, I can't get a copy of my XP disk; my PC is an Iqon and has PC Angel version 3.0 on it. It gives 3 options under system recovery:

1 - Non-destructive system recovery (The system recovery program, in this normal default mode of operation, recovers factory-shipped applications, drivers and the operating system without affecting any data files that you may have created since purchasing this PC.)

2 - System recovery, no format (This option will install a new operating system while preserving all your data. However, any Windows applications and settings will need to be reinstalled. All current files are moved to the "my old disk structure" directory.)

3 - System recovery, quick format (**Warning** This option will format the user partition on the hard disk and recover all factory-shipped files into the user partition. All your personal data files created and applications installed after the PC was purchased will be erased. If possible, please quit and back up your data files before trying this destructive recovery option.)

Any ideas, as I can't really afford to buy disks?

Cheers, Emma
