
Solved processes eating up memory - no log to post

Discussion in 'Malware and Virus Removal Archive' started by Harpo, 2010/08/20.

  1. 2010/08/20
    Harpo

    Harpo Well-Known Member Thread Starter

    Joined:
    2005/08/22
    Messages:
    160
    Likes Received:
    0
    [Resolved] processes eating up memory - no log to post

    Post 1:
    Hello,

    For the past few weeks, I've been noticing that when I turn my computer on in the morning, it's taking it *forever* to settle down for the day's work. As a result, I can't get going because all my programs are extremely slow and unresponsive.

    Using System Explorer, I've identified 2 processes that are causing the problem. One of them is Windows Update! wuauclt.exe is running as a subprocess of svchost.exe, which is the 2nd process that's eating up the memory. There's a 3rd process (another subprocess of the same instance of svchost.exe) that I can't remember exactly what its name is, but it's a Windows notification process. It doesn't take up much memory, but I figure there's a connection.

    Together, these processes are taking over a half hour to do whatever they're doing so I can get my day started. This hasn't been a problem until recently. What's going on and how can I stop it?

    P.S. I do my monthly updates on schedule. It's not that.

    Post 2:
    I hope this is the correct place to reply. I've got dds.scr scanning now - it's been running for 20 minutes, although it says it shouldn't take more than 3. And my CPU is maxed at 100%.

    I turned off my AV program & WinPatrol. Don't know what else might interfere with scripts running.

    What do I do?
     
  2. 2010/08/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Give it a few more minutes.
    If it's still stalled....

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     


  4. 2010/08/20
    Harpo

    Harpo Well-Known Member Thread Starter

    Thank you, Broni.

    I downloaded and ran otl. It hung up also and used 100% of the CPU. But I was able to determine *where* it hung up - on Firefox settings. Firefox has given me buggy trouble since releasing Ver. 3...
     
  5. 2010/08/20
    broni

    broni Moderator Malware Analyst

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/08/23
    Harpo

    Harpo Well-Known Member Thread Starter

    exeHelper log:

    exeHelper by Raktor
    Build 20100414
    Run at 08:41:38 on 08/23/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--


    ComboFix log:

    ComboFix 10-08-22.07 - Accounting & Payroll 08/23/2010 9:30.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.66 [GMT -7:00]
    Running from: c:\documents and settings\Accounting & Payroll\Desktop\ComboFix.exe
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Accounting & Payroll\GoToAssistDownloadHelper.exe
    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    c:\program files\Mozilla Firefox\Plugins\npqtplugin2.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    c:\program files\Mozilla Firefox\Plugins\npqtplugin5.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
    c:\program files\Opera\program\plugins\npqtplugin2.dll
    c:\program files\Opera\program\plugins\npqtplugin3.dll
    c:\program files\Opera\program\plugins\npqtplugin4.dll
    c:\program files\Opera\program\plugins\npqtplugin5.dll
    c:\program files\Opera\program\plugins\npqtplugin6.dll
    c:\program files\Opera\program\plugins\npqtplugin7.dll
    c:\program files\QuickTime\Plugins\npqtplugin2.dll
    c:\program files\QuickTime\Plugins\npqtplugin3.dll
    c:\program files\QuickTime\Plugins\npqtplugin4.dll
    c:\program files\QuickTime\Plugins\npqtplugin5.dll
    c:\program files\QuickTime\Plugins\npqtplugin6.dll
    c:\program files\QuickTime\Plugins\npqtplugin7.dll
    c:\windows\mirc.ini
    c:\windows\patch.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF


    ((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
    .

    2010-08-05 16:47 . 2010-08-23 16:47 1290272 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-08-05 16:36 . 2010-08-05 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
    2010-08-05 16:35 . 2008-07-09 16:05 75248 ----a-w- c:\windows\zllsputility.exe
    2010-08-05 16:33 . 2008-07-09 16:05 71144 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-08-05 16:33 . 2008-07-09 16:05 83432 ----a-w- c:\windows\system32\zlcomm.dll
    2010-08-05 16:33 . 2008-07-09 16:05 1086952 ----a-w- c:\windows\system32\zpeng24.dll
    2010-08-05 16:33 . 2010-08-05 16:36 -------- d-----w- c:\windows\system32\ZoneLabs
    2010-08-05 16:26 . 2010-08-05 16:26 -------- d-----w- c:\program files\Zone Labs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-23 16:46 . 2009-03-18 18:15 -------- d-----w- c:\program files\Mozilla Sunbird
    2010-08-23 16:43 . 2010-08-05 16:47 16124 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-08-23 15:59 . 2010-06-15 19:32 -------- d-----w- c:\documents and settings\Accounting & Payroll\Application Data\Abine
    2010-08-20 23:20 . 2006-03-21 22:04 -------- d-----w- c:\program files\PopTray
    2010-08-19 23:47 . 2010-01-21 00:35 -------- d-----w- c:\program files\Opera
    2010-08-19 21:29 . 2010-04-30 23:50 -------- d-----w- c:\documents and settings\Accounting & Payroll\Application Data\vlc
    2010-08-18 18:22 . 2009-04-14 16:46 1 ----a-w- c:\documents and settings\Accounting & Payroll\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-08-16 18:02 . 2003-05-28 21:27 54 ----a-w- c:\windows\WB_SID.DAT
    2010-08-12 22:43 . 2010-05-03 17:35 -------- d-----w- c:\program files\SUPER-C
    2010-08-09 21:44 . 2006-04-05 15:40 -------- d-----w- c:\program files\QuickTime
    2010-08-09 21:43 . 2006-04-05 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-08-06 18:16 . 2004-07-09 18:07 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-08-05 16:44 . 2005-01-25 22:38 4212 ---h--w- c:\windows\system32\zllictbl.dat
    2010-07-26 15:25 . 2010-05-26 13:57 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-12 18:13 . 2003-06-04 20:03 -------- d-----w- c:\program files\Otter32
    2010-07-01 15:08 . 2007-10-10 17:49 -------- d-----w- c:\documents and settings\Accounting & Payroll\Application Data\U3
    2010-06-30 21:45 . 2010-06-11 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-06-30 12:31 . 1980-01-01 07:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 02:18 . 2010-08-19 17:15 225416 ----a-w- c:\documents and settings\Accounting & Payroll\Application Data\Mozilla\Firefox\Profiles\kms31fnm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
    2010-06-24 12:22 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 1980-01-01 07:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 1980-01-01 07:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 1980-01-01 07:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2002-09-23 20:31 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:41 . 1980-01-01 07:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-05-26 13:59 . 2010-05-26 13:59 63488 ----a-w- c:\documents and settings\Accounting & Payroll\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-05-26 13:59 . 2010-05-26 13:59 52224 ----a-w- c:\documents and settings\Accounting & Payroll\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-05-26 13:59 . 2010-05-26 13:59 117760 ----a-w- c:\documents and settings\Accounting & Payroll\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2004-10-13 15:56 . 2004-10-13 15:56 37888 ----a-w- c:\program files\wizmo.exe
    2006-05-03 10:06 . 2010-05-03 17:35 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 11:47 . 2010-05-03 17:35 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 13:30 . 2010-05-03 17:35 216064 --sh--r- c:\windows\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-14 86016]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

    c:\documents and settings\Accounting & Payroll\Start Menu\Programs\Startup\
    PopTray.lnk - c:\program files\PopTray\PopTray.exe [2006-9-16 1666048]
    Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-10-28 3450608]
    sunbird.exe.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-18 6354540]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-12 10:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wscsvc"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "ImapiService"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "18086:TCP"= 18086:TCP:Vipre 18086
    "18082:TCP"= 18082:TCP:Vipre 18082

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    S3 pbfilter;pbfilter;\??\c:\documents and settings\Accounting & Payroll\desktop\PeerBlock_r181__Win32_Release\pbfilter.sys --> c:\documents and settings\Accounting & Payroll\desktop\PeerBlock_r181__Win32_Release\pbfilter.sys [?]
    S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
    S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [10/23/2008 6:01 AM 30272]
    S3 PsSdkLBF;PsSdkLBF;c:\windows\system32\drivers\pssdklbf.drv [10/23/2008 6:01 AM 37440]
    S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
    S4 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run --> c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.wcb.com/home/home
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: {3A1D4BD4-CB3F-4EB0-97C9-6674D08C4D92} = 192.168.1.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Accounting & Payroll\Application Data\Mozilla\Firefox\Profiles\kms31fnm.default\
    FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
    FF - prefs.js: network.proxy.type - 2
    FF - component: c:\documents and settings\Accounting & Payroll\Application Data\Mozilla\Firefox\Profiles\kms31fnm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
    FF - plugin: c:\documents and settings\Accounting & Payroll\Application Data\Mozilla\Firefox\Profiles\kms31fnm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{A9CAB51B-0D46-49FC-9BE7-E72A18E80FBA} - (no file)
    WebBrowser-{A9CAB51B-0D46-49FC-9BE7-E72A18E80FBA} - (no file)
    Notify-!SASWinLogon - (no file)
    Notify-LMIinit - (no file)
    SafeBoot-SBCSSvc



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-23 09:54
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk31]
    "ImagePath"="\??\c:\windows\system32\Drivers\pssdk31.drv"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdkLBF]
    "ImagePath"="\??\c:\windows\system32\Drivers\pssdklbf.drv"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2343720408-4265207240-1061794394-1008\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3440)
    c:\windows\system32\WININET.dll
    c:\program files\Stardock\ObjectDock\DockShellHook.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\System32\NMSSvc.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-23 10:54:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-23 17:54

    Pre-Run: 15,186,907,136 bytes free
    Post-Run: 15,235,698,688 bytes free

    - - End Of File - - F01915A068C593D35E3373A624DBB292
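A small triage helper for reports in this ComboFix layout, added here as an example; it is not ComboFix's or the thread's own code. It assumes the section-header, 8-character attribute-field and "name"="path" formats visible in the log above, and SAMPLE_REPORT is constructed from lines quoted in that log.

```python
"""Triage helper for a ComboFix-style report (added example, not ComboFix code).

Assumptions: section headers are lines wrapped in runs of '(' and ')', file
entries carry an 8-character attribute field such as '--sha-w-', and autorun
entries are quoted "name"="path" [date size] pairs. SAMPLE_REPORT is
constructed from lines quoted in the thread; it is not a full report.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\mirc.ini
c:\windows\patch.exe
((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
2010-08-05 16:47 . 2010-08-23 16:47 1290272 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-08-05 16:26 . 2010-08-05 16:26 -------- d-----w- c:\program files\Zone Labs
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-08-23 16:43 . 2010-08-05 16:47 16124 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-30 12:31 . 1980-01-01 07:00 149504 ----a-w- c:\windows\system32\schannel.dll
2006-05-03 10:06 . 2010-05-03 17:35 163328 --sh--r- c:\windows\system32\flvDX.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-14 86016]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# modified-time . created-time size attributes path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) ([a-z-]{8}) (.+)$")
AUTORUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')


def split_sections(report):
    """Map each '(((( Name ))))' header to the non-empty lines that follow it."""
    sections = defaultdict(list)
    current = "Preamble"
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif line and line != ".":  # ComboFix uses lone dots as spacers
            sections[current].append(line)
    return sections


def deleted_items(sections):
    """Paths the report lists under 'Other Deletions'."""
    return list(sections.get("Other Deletions", []))


def file_entries(sections):
    """Yield (modified, created, size, attrs, path) from the file-listing sections."""
    for name, lines in sections.items():
        if name.startswith("Files Created") or name == "Find3M Report":
            for line in lines:
                m = FILE_RE.match(line)
                if m:
                    yield m.groups()


def hidden_system_files(sections):
    """Entries with both the system ('s') and hidden ('h') attribute flags set.
    Worth a look, not proof of anything; the analyst in the thread judged this log clean."""
    return [(attrs, path) for _, _, _, attrs, path in file_entries(sections)
            if "s" in attrs and "h" in attrs]


def autoruns(sections):
    """{name: path} for quoted entries under any key whose name ends in \\Run."""
    found, key = {}, ""
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = AUTORUN_RE.match(line)
            if m and key.lower().endswith("\\run"):
                found[m.group(1)] = m.group(2)
    return found


def windows_firewall_disabled(sections):
    """True when EnableFirewall reads 0. Expected when a third-party firewall
    (ZoneAlarm in the thread) owns the job, so report it rather than conclude."""
    for line in sections.get("Reg Loading Points", []):
        if line.startswith('"EnableFirewall"'):
            return line.split("=", 1)[1].strip().startswith("0")
    return False


def triage(report):
    """One-shot summary a reviewer can skim before reading the full log."""
    s = split_sections(report)
    return {"deleted": deleted_items(s),
            "hidden_system": hidden_system_files(s),
            "autoruns": autoruns(s),
            "windows_firewall_disabled": windows_firewall_disabled(s)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```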
     
  7. 2010/08/23
    broni

    broni Moderator Malware Analyst

    OK, Combofix log looks decent now....

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==================================================================

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/08/24
    Harpo

    Harpo Well-Known Member Thread Starter

    MBAM log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4466

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/23/2010 2:36:16 PM
    mbam-log-2010-08-23 (14-36-16).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 201741
    Time elapsed: 48 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{01e69986-a054-4c52-abe8-ef63df1c5211} (Adware.Softomate) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-23 16:49:46
    Windows 5.1.2600 Service Pack 3
    Running: 1jznlkj3.exe; Driver: C:\DOCUME~1\ACCOUN~1\LOCALS~1\Temp\kglirkod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF00F8040]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF00F4930]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF00FFA80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF00F8510]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF00FE870]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF00FEAA0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF0101FD0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF00F8600]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF00F4F20]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF01006E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF0100440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF00FE580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF01008B0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF00F4D70]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF00FE350]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF00FE150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF0101250]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF0100CB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF00F7C00]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF0101080]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF00F8220]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF00F5120]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF0100140]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF00FECD0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [10, 85, 0F, F0, 70, E8, 0F, ...]
    ? srescan.sys The system cannot find the file specified. !

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F00FCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F00FD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F00FD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F00FCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F00FCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F00FCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F00FD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F00FD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F00FCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F00FCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F00FD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F00FD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F00FD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F00FD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F00FCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F010A330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F00FCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F00FCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F00FD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F00FD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F00F55C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F00F5770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F00F52D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F00F5670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{248FCFB3-5914-AF2C-CCBA-9BB5E3C749D5}\InprocServer32@ C:\WINDOWS\System32\COMCTL32.OCX
    Reg HKLM\SOFTWARE\Classes\CLSID\{E2C31150-817C-EEE5-40BF-056BA761D9C5}\InprocServer32@ C:\WINDOWS\system32\cewmdm.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{E2C31150-817C-EEE5-40BF-056BA761D9C5}\InprocServer32@ThreadingModel Free
    Reg HKLM\SOFTWARE\Classes\CLSID\{E2C31150-817C-EEE5-40BF-056BA761D9C5}\ProgID@ WMDMCESP.WMDMCESP.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{E2C31150-817C-EEE5-40BF-056BA761D9C5}\VersionIndependentProgID@ WMDMCESP.WMDMCESP

    ---- EOF - GMER 1.0.15 ----


    MBRCheck log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000804d

    Kernel Drivers (total 174):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF97C6000 \WINDOWS\system32\KDCOM.DLL
    0xF96D6000 \WINDOWS\system32\BOOTVID.dll
    0xF9277000 ACPI.sys
    0xF97C8000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF9266000 pci.sys
    0xF92C6000 isapnp.sys
    0xF988E000 pciide.sys
    0xF9546000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF97CA000 aliide.sys
    0xF97CC000 cmdide.sys
    0xF97CE000 toside.sys
    0xF97D0000 viaide.sys
    0xF97D2000 intelide.sys
    0xF92D6000 MountMgr.sys
    0xF9247000 ftdisk.sys
    0xF97D4000 dmload.sys
    0xF9221000 dmio.sys
    0xF954E000 PartMgr.sys
    0xF92E6000 VolSnap.sys
    0xF96DA000 cpqarray.sys
    0xF9209000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xF91F1000 atapi.sys
    0xF96DE000 aha154x.sys
    0xF9556000 sparrow.sys
    0xF96E2000 symc810.sys
    0xF92F6000 aic78xx.sys
    0xF96E6000 dac960nt.sys
    0xF9306000 ql10wnt.sys
    0xF96EA000 amsint.sys
    0xF955E000 asc.sys
    0xF96EE000 asc3550.sys
    0xF9566000 mraid35x.sys
    0xF956E000 i2omp.sys
    0xF96F2000 ini910u.sys
    0xF9316000 ql1240.sys
    0xF9326000 aic78u2.sys
    0xF9576000 symc8xx.sys
    0xF957E000 sym_hi.sys
    0xF9586000 sym_u3.sys
    0xF958E000 ABP480N5.SYS
    0xF9596000 asc3350p.sys
    0xF97D6000 cd20xrnt.sys
    0xF9336000 ultra.sys
    0xF91D8000 adpu160m.sys
    0xF959E000 dpti2o.sys
    0xF9346000 ql1080.sys
    0xF9356000 ql1280.sys
    0xF9366000 ql12160.sys
    0xF95A6000 perc2.sys
    0xF97D8000 perc2hib.sys
    0xF95AE000 hpn.sys
    0xF96F6000 cbidf2k.sys
    0xF91AC000 dac2w2k.sys
    0xF9376000 disk.sys
    0xF9386000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF918C000 fltmgr.sys
    0xF9396000 PxHelp20.sys
    0xF9175000 KSecDD.sys
    0xF90E8000 Ntfs.sys
    0xF90BB000 NDIS.sys
    0xF93A6000 viaagp.sys
    0xF90A7000 srescan.sys
    0xF93B6000 sisagp.sys
    0xF908D000 Mup.sys
    0xF93C6000 agp440.sys
    0xF93D6000 alim1541.sys
    0xF93E6000 amdagp.sys
    0xF93F6000 agpCPQ.sys
    0xF9536000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xF8C72000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
    0xF8C5E000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF967E000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF8C3A000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF9686000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF8C17000 \SystemRoot\System32\DRIVERS\e100b325.sys
    0xF8BDB000 \SystemRoot\System32\DRIVERS\HSFHWBS2.sys
    0xF8BB8000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF8ABB000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xF8A0B000 \SystemRoot\System32\DRIVERS\HSF_CNXT.sys
    0xF968E000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF9035000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF9696000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF979E000 \SystemRoot\System32\DRIVERS\IPFilter.sys
    0xF969E000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF96A6000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF9025000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF97A2000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF89F7000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF9015000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF9005000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF8978000 \SystemRoot\system32\drivers\smwdm.sys
    0xF8954000 \SystemRoot\system32\drivers\portcls.sys
    0xF8FF5000 \SystemRoot\system32\drivers\drmk.sys
    0xF893C000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF99EB000 \SystemRoot\system32\DRIVERS\lmimirr.sys
    0xF99ED000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF8FE5000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF97AA000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF8925000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF8FD5000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF8FC5000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF96AE000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF8914000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF8FB5000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF96B6000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF96BE000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF8844000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF8FA5000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF97FC000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF87E6000 \SystemRoot\System32\DRIVERS\update.sys
    0xF9069000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF9416000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF06B2000 \SystemRoot\system32\drivers\ialmkchw.sys
    0xF0697000 \SystemRoot\system32\drivers\ialmsbw.sys
    0xF9436000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF9800000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF95C6000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF977A000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF95CE000 \SystemRoot\System32\DRIVERS\usbccgp.sys
    0xF05CD000 \SystemRoot\system32\DRIVERS\klif.sys
    0xF9802000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF9952000 \SystemRoot\System32\Drivers\Null.SYS
    0xF9804000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF95DE000 \SystemRoot\System32\drivers\vga.sys
    0xF9806000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF9808000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF95E6000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF95EE000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF9782000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF04AA000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF0451000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF0429000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF03C9000 \SystemRoot\System32\vsdatant.sys
    0xF978E000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xF037F000 \SystemRoot\System32\drivers\afd.sys
    0xF94D6000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF035D000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF95F6000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF0332000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF02C2000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF9506000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF029C000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF9526000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF87C2000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xF95FE000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF9606000 \SystemRoot\system32\DRIVERS\HPZius12.sys
    0xF960E000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xF058D000 \SystemRoot\system32\DRIVERS\HPZid412.sys
    0xF0294000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
    0xF055D000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF01BC000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF97E4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF027C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF04F5000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF9996000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF01F000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF041000 \SystemRoot\System32\ialmdev5.DLL
    0xBF071000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF9862000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEFD6B000 \SystemRoot\System32\Drivers\HTTP.sys
    0xEFFA4000 \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    0xEFE14000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xEFC4C000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF9866000 \??\C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS
    0xEFB38000 \??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
    0xEF8EF000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEFBF4000 \SystemRoot\system32\drivers\sysaudio.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 30):
    0 System Idle Process
    4 System
    644 C:\WINDOWS\system32\smss.exe
    724 csrss.exe
    748 C:\WINDOWS\system32\winlogon.exe
    792 C:\WINDOWS\system32\services.exe
    804 C:\WINDOWS\system32\lsass.exe
    964 C:\WINDOWS\system32\svchost.exe
    1028 svchost.exe
    1116 C:\WINDOWS\system32\svchost.exe
    1180 svchost.exe
    1368 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    1604 C:\WINDOWS\system32\spoolsv.exe
    1732 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    1752 C:\WINDOWS\system32\NMSSvc.Exe
    1824 C:\WINDOWS\system32\HPZipm12.exe
    1856 svchost.exe
    1868 C:\WINDOWS\system32\svchost.exe
    1880 wdfmgr.exe
    700 alg.exe
    132 C:\WINDOWS\system32\wscntfy.exe
    232 C:\WINDOWS\explorer.exe
    1308 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    1288 C:\Program Files\ClamWin\bin\ClamTray.exe
    1396 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    1468 C:\Program Files\PopTray\PopTray.exe
    1696 C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    2208 C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    2504 C:\Program Files\Mozilla Firefox\firefox.exe
    3104 C:\Documents and Settings\Accounting & Payroll\desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: IC35L040AVVN07-0, Rev: VA2OAF1A

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 4C8B6466C132CB19D9FCADF546658F91EF74A4AF


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     
  9. 2010/08/24
    broni

    broni Moderator Malware Analyst

    Run MBRCheck again.

    When it's done you'll see the following line:
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Press the Y key and then press Enter

    When the program asks you to Enter your choice, enter 2 and press the Enter key.

    Next the program will ask you to Enter the physical disk number to fix (0-99, -1 to cancel):
    Enter 0 (zero) and press the Enter key.

    Next the program will show Available MBR codes:, followed by a list of operating systems.
    Please enter 1 for Windows XP, and then press Enter.

    Next the program will prompt for confirmation.
    Type YES and hit Enter.

    When it's done there should be a text file with the results on your desktop.
    Please copy and paste it back here.

    Then reboot, run MBRCheck again and post new log.
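As an added illustration, not part of the thread and not MBRCheck's own code: a Python script that performs the kind of check MBRCheck's verdict rests on, parsing a raw 512-byte MBR, validating its partition table, and comparing the SHA-1 of the boot code against an allowlist. The allowlist digest and the sample sector are constructed placeholders, and hashing the first 440 bytes is this example's own choice (the thread does not say which range MBRCheck hashes); the sample also shows where the 0x7e00 volume offset in the log comes from (LBA 63 times 512 bytes).

```python
"""Added example, not from the thread or from MBRCheck itself: parse a raw
512-byte MBR sector, sanity-check it, and compare the SHA-1 of its boot code
against an allowlist, which is the kind of check behind MBRCheck's
"Unknown MBR code" verdict. Everything runs on an in-memory sample built
below; nothing here reads or writes a real disk."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold boot code; 440..443 hold the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot area
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"

# Allowlist of SHA-1 digests of known-clean boot code. The digest below is a
# CONSTRUCTED placeholder; a real allowlist would be filled from a trusted,
# known-clean reference installation. Hashing the 440-byte boot code is this
# example's choice; the thread does not state which range MBRCheck hashes.
KNOWN_GOOD_BOOT_CODE = {
    "placeholder_windows_xp": "0000000000000000000000000000000000000000",
}


def boot_code_sha1(sector: bytes) -> str:
    """Upper-case hex SHA-1 of the boot-code area, in the style of MBRCheck's log line."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(sector: bytes) -> list:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,                               # 0x07 = NTFS/HPFS/exFAT
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR_SIZE,      # the offset MBRCheck prints for the volume
        })
    return parts


def classify_mbr(sector: bytes, allowlist=KNOWN_GOOD_BOOT_CODE) -> str:
    """Return 'invalid: <reason>', 'known-good' or 'unknown' for a raw MBR sector."""
    if len(sector) != SECTOR_SIZE:
        return "invalid: sector is not 512 bytes"
    if sector[510:512] != BOOT_SIGNATURE:
        return "invalid: missing 0x55AA boot signature"
    parts = parse_partitions(sector)
    if sum(p["active"] for p in parts) > 1:
        return "invalid: more than one active partition"
    if any(p["lba_start"] + p["sectors"] > 0xFFFFFFFF for p in parts):
        return "invalid: partition extends past 32-bit LBA range"
    if boot_code_sha1(sector) in allowlist.values():
        return "known-good"
    return "unknown"        # the case MBRCheck reports as "Unknown MBR code"


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR in memory from boot code and a list of
    (status, type, lba_start, sectors) tuples. Used only to construct test input."""
    sector = bytearray(SECTOR_SIZE)
    sector[:min(len(boot_code), BOOT_CODE_LEN)] = boot_code[:BOOT_CODE_LEN]
    for i, entry in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# CONSTRUCTED sample: one active NTFS partition starting at LBA 63, the classic XP
# layout, which yields the 0x7E00 byte offset seen in the thread's MBRCheck logs.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CONSTRUCTED SAMPLE BOOT CODE".ljust(433, b"\x90")
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [(0x80, 0x07, 63, 78_124_032)])


if __name__ == "__main__":
    for p in parse_partitions(SAMPLE_MBR):
        print(f"partition {p['index']}: type 0x{p['type']:02X} at byte offset 0x{p['byte_offset']:X}")
    print("SHA1:", boot_code_sha1(SAMPLE_MBR))
    print("verdict:", classify_mbr(SAMPLE_MBR))
```

With the placeholder allowlist the sample is reported as "unknown", exactly the situation the thread shows; only once a trusted digest is added does the same sector classify as known-good.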
     
  10. 2010/08/24
    Harpo

    Harpo Well-Known Member Thread Starter

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000804d


    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: IC35L040AVVN07-0, Rev: VA2OAF1A

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 4C8B6466C132CB19D9FCADF546658F91EF74A4AF


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Enter the physical disk number to fix (0-99, -1 to cancel): 0
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive: 1
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
    Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.


    Done!
     
  11. 2010/08/24
    broni

    broni Moderator Malware Analyst

    ...and...
     
  12. 2010/08/24
    Harpo

    Harpo Well-Known Member Thread Starter

    Sorry. I had left the MBRCheck window open waiting for your response, so I just entered the codes you'd provided & rebooted. Here's a fresh log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000804d

    Kernel Drivers (total 174):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF97C6000 \WINDOWS\system32\KDCOM.DLL
    0xF96D6000 \WINDOWS\system32\BOOTVID.dll
    0xF9277000 ACPI.sys
    0xF97C8000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF9266000 pci.sys
    0xF92C6000 isapnp.sys
    0xF988E000 pciide.sys
    0xF9546000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF97CA000 aliide.sys
    0xF97CC000 cmdide.sys
    0xF97CE000 toside.sys
    0xF97D0000 viaide.sys
    0xF97D2000 intelide.sys
    0xF92D6000 MountMgr.sys
    0xF9247000 ftdisk.sys
    0xF97D4000 dmload.sys
    0xF9221000 dmio.sys
    0xF954E000 PartMgr.sys
    0xF92E6000 VolSnap.sys
    0xF96DA000 cpqarray.sys
    0xF9209000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xF91F1000 atapi.sys
    0xF96DE000 aha154x.sys
    0xF9556000 sparrow.sys
    0xF96E2000 symc810.sys
    0xF92F6000 aic78xx.sys
    0xF96E6000 dac960nt.sys
    0xF9306000 ql10wnt.sys
    0xF96EA000 amsint.sys
    0xF955E000 asc.sys
    0xF96EE000 asc3550.sys
    0xF9566000 mraid35x.sys
    0xF956E000 i2omp.sys
    0xF96F2000 ini910u.sys
    0xF9316000 ql1240.sys
    0xF9326000 aic78u2.sys
    0xF9576000 symc8xx.sys

    Processes (total 30):
    0 System Idle Process
    4 System
    644 C:\WINDOWS\system32\smss.exe
    724 csrss.exe
    748 C:\WINDOWS\system32\winlogon.exe
    792 C:\WINDOWS\system32\services.exe
    804 C:\WINDOWS\system32\lsass.exe
    960 C:\WINDOWS\system32\svchost.exe
    1028 svchost.exe
    1116 C:\WINDOWS\system32\svchost.exe
    1192 svchost.exe
    1368 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    1600 C:\WINDOWS\system32\spoolsv.exe
    1732 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    1752 C:\WINDOWS\system32\NMSSvc.Exe
    1804 C:\WINDOWS\system32\HPZipm12.exe
    1860 svchost.exe
    1872 C:\WINDOWS\system32\svchost.exe
    1884 wdfmgr.exe
    428 alg.exe
    1848 C:\WINDOWS\system32\wscntfy.exe
    872 C:\WINDOWS\explorer.exe
    1936 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    1640 C:\Program Files\ClamWin\bin\ClamTray.exe
    1904 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    1760 C:\Program Files\PopTray\PopTray.exe
    324 C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    2368 C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    2464 C:\Program Files\Mozilla Firefox\firefox.exe
    2932 C:\Documents and Settings\Accounting & Payroll\desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: IC35L040AVVN07-0, Rev: VA2OAF1A

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 4C8B6466C132CB19D9FCADF546658F91EF74A4AF


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     
  13. 2010/08/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unfortunately, our fix didn't work...
    Let's try a different way...

    Please download NTBR by noahdfear and save it to your Desktop.

    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted run MBRCheck one more time and let me have the log produced.
     
  14. 2010/08/24
    Harpo

    Harpo Well-Known Member Thread Starter

    Joined:
    2005/08/22
    Messages:
    160
    Likes Received:
    0
    IBM's Setup Utility options are a little different than those presented in the link. However, I was able to find the startup sequence OK.

    IBM has a Primary Startup Sequence, an Automatic Startup Sequence, and an Error Startup Sequence. The Primary Startup Sequence is set as follows:

    First startup device: Removable
    Second startup device: Hard Disk 0
    Third startup device: CD/DVD-ROM
    Fourth startup device: Network

    Options for first startup device are:
    Removable
    Hard Disk 1
    Hard Disk 2
    Hard Disk 3

    The CD will not boot with the current settings.

    Note: I could not modify "Removable" to be anything other than "Diskette Drive A: "
     
  15. 2010/08/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I can't be sure, but I think you have to select "Third startup device: CD/DVD-ROM" and move it up.
    There surely must be a way to do it.
     
  16. 2010/08/24
    Harpo

    Harpo Well-Known Member Thread Starter

    Joined:
    2005/08/22
    Messages:
    160
    Likes Received:
    0
    I can determine no way to boot from the Primary Startup Sequence - the device order can't be changed and CD/DVD isn't available as an option for the first device.

    However, here are the settings for Automatic Startup Sequence (which is enabled):

    First Startup Device: Network (other options are CD/DVD-ROM, HD1, HD2, HD3)
    Second Startup Device: Hard Disk 0 (other options are same as first device)
    Third & Fourth Devices are disabled.

    Should I temporarily change the First Device in the Automatic Startup Sequence to CD/DVD-ROM?
     
  17. 2010/08/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes, please.
     
  18. 2010/08/24
    Harpo

    Harpo Well-Known Member Thread Starter

    Joined:
    2005/08/22
    Messages:
    160
    Likes Received:
    0
    I think we got it! Here's the new log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000804d

    Kernel Drivers (total 174):

    Processes (total 30):
    0 System Idle Process
    4 System
    596 C:\WINDOWS\system32\smss.exe
    724 csrss.exe
    748 C:\WINDOWS\system32\winlogon.exe
    792 C:\WINDOWS\system32\services.exe
    804 C:\WINDOWS\system32\lsass.exe
    964 C:\WINDOWS\system32\svchost.exe
    1028 svchost.exe
    1116 C:\WINDOWS\system32\svchost.exe
    1192 svchost.exe
    1368 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    1604 C:\WINDOWS\system32\spoolsv.exe
    1732 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    1752 C:\WINDOWS\system32\NMSSvc.Exe
    1772 C:\WINDOWS\system32\HPZipm12.exe
    1812 svchost.exe
    1824 C:\WINDOWS\system32\svchost.exe
    1836 wdfmgr.exe
    396 C:\WINDOWS\system32\wuauclt.exe
    1496 C:\WINDOWS\explorer.exe
    1584 C:\WINDOWS\system32\wscntfy.exe
    1664 alg.exe
    172 wmiprvse.exe
    512 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    500 C:\Program Files\ClamWin\bin\ClamTray.exe
    1140 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    1292 C:\Program Files\PopTray\PopTray.exe
    1308 C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    2296 C:\Documents and Settings\Accounting & Payroll\desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: IC35L040AVVN07-0, Rev: VA2OAF1A

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    ~~~~~~~~~
    So, am I good to go? And can you tell me anything about what it was (like a name), so I can research it and find out what it was doing and try to figure out where I might've picked it up? And can you give any tips on how to tell when what *should* be a system file isn't a system file?
     
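The two MBRCheck runs above differ only in the MBR status line and its SHA1 ("Unknown MBR code" before the NTBR fix, "Windows XP MBR code detected" after). As an added illustration of that kind of check, written for this thread and not part of MBRCheck or any tool named here, the Python below hashes the boot-code bytes of a 512-byte MBR image, compares the hash against a known-good baseline, and reads the partition table to confirm that the first volume starts at the offset the log reports (0x7e00, which is LBA sector 63). The baseline hash set, the sample MBR and all function names are constructed for the example; which bytes MBRCheck itself hashes is not stated in the thread, so hashing the 440-byte boot-code region is an assumption.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code precedes the 4-byte disk signature at 440
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA" # bytes 510-511 of a valid MBR

# Constructed baseline: SHA1 hashes (uppercase hex) of boot code you trust.
# The entry below is a placeholder; a real baseline comes from hashing a
# known-good MBR image (e.g. one written by the OS installer), not from this text.
KNOWN_GOOD_SHA1 = {"PLACEHOLDER_KNOWN_GOOD_XP_MBR_SHA1"}

# Layout of one partition entry: status, CHS start, type, CHS end, LBA start, sectors
PART_ENTRY = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes, first_lba: int = 63,
                     type_id: int = 0x07, sectors: int = 78_140_097) -> bytes:
    """Constructed 512-byte MBR image (hypothetical helper): given boot code,
    one bootable partition of the given type, valid 55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the MBR")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", type_id,
                        b"\xfe\xff\xff", first_lba, sectors)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition-table slots; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, size = struct.unpack(PART_ENTRY, mbr[off:off + 16])
        if ptype != 0:
            parts.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba": lba,
                "sectors": size,
                "byte_offset": lba * SECTOR_SIZE,   # what the log prints as "at offset"
            })
    return parts


def check_mbr(mbr: bytes, allowlist=KNOWN_GOOD_SHA1) -> dict:
    """Report signature validity, boot-code hash, baseline match and partitions."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    sha1 = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha1": sha1,
        "status": "known-good MBR code" if sha1 in allowlist else "Unknown MBR code",
        "partitions": parse_partitions(mbr),
    }


if __name__ == "__main__":
    # Constructed boot code; on a real machine read sector 0 of the disk instead.
    sample = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xeb\xfe")
    report = check_mbr(sample)
    print(report["status"], report["boot_code_sha1"])
    for p in report["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} at offset 0x{p['byte_offset']:x}")
```

A status of "Unknown MBR code" is a prompt to compare the boot code against a trusted image, as the thread did, not proof of infection by itself: OEM and boot-manager MBRs are legitimately non-standard.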
  19. 2010/08/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good now :)
    But...you're not good to go, yet.
    We need to make sure, your computer is totally clean.

    As for the above issue, your MBR (master boot record) was infected.

    Now....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  20. 2010/08/24
    Harpo

    Harpo Well-Known Member Thread Starter

    Joined:
    2005/08/22
    Messages:
    160
    Likes Received:
    0
    I'm afraid it's hanging up again when it gets to Firefox settings...
     
  21. 2010/08/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Is it totally frozen?

    If so, try to close all running programs and run it again.
     
