Inactive ebay/amazon login virus - always asks for my credit card info

Discussion in 'Malware and Virus Removal Archive' started by phillipolympia, 2011/05/19.

Thread Status:
Not open for further replies.
  1. 2011/05/19
    phillipolympia

    phillipolympia Inactive Thread Starter

    Joined:
    2011/05/19
    Messages:
    7
    Likes Received:
    0
    [Inactive] ebay/amazon login virus - always asks for my credit card info

    Every time I try to log in to or search Amazon/eBay, the site prompts me for my credit card numbers, ATM numbers, etc. I have reformatted my computer, but it is still there. Here are my logs:

    MALWAREBYTES

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6619

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    5/19/2011 8:31:14 PM
    mbam-log-2011-05-19 (20-31-14).txt

    Scan type: Quick scan
    Objects scanned: 139790
    Time elapsed: 3 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    --------------------------------------------------------------
     
  2. 2011/05/19
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Please post all the logs requested.

    As a new member with fewer than x posts, any post you make which contains a URL requires approval (moderation) before it is visible.
     

  4. 2011/05/19
    phillipolympia

    phillipolympia Inactive Thread Starter

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-19 19:07:48
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 Hitachi_HDP725016GLA380 rev.GMBOA52A
    Running: 0fis0i3x.exe; Driver: C:\DOCUME~1\Phillip\LOCALS~1\Temp\pwacqaog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 841346D0 ZwAlertResumeThread
    SSDT 841376D0 ZwAlertThread
    SSDT 84136700 ZwAllocateVirtualMemory
    SSDT 842DD6F0 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF3403020]
    SSDT 84110700 ZwCreateMutant
    SSDT 8413B6F0 ZwCreateThread
    SSDT 841236D0 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF34032A0]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF3403800]
    SSDT 84130700 ZwFreeVirtualMemory
    SSDT 8412E6D0 ZwImpersonateAnonymousToken
    SSDT 841316D0 ZwImpersonateThread
    SSDT 8412D6F0 ZwMapViewOfSection
    SSDT 8412B6D0 ZwOpenEvent
    SSDT 8414C6D0 ZwOpenProcessToken
    SSDT 841266D0 ZwOpenSection
    SSDT 84125700 ZwOpenThreadToken
    SSDT 841DD6D0 ZwResumeThread
    SSDT 8413E6D0 ZwSetContextThread
    SSDT 84128700 ZwSetInformationProcess
    SSDT 84120700 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF3403A50]
    SSDT 841296D0 ZwSuspendProcess
    SSDT 841396D0 ZwSuspendThread
    SSDT 83886548 ZwTerminateProcess
    SSDT 8413C6D0 ZwTerminateThread
    SSDT 8414B6D0 ZwUnmapViewOfSection
    SSDT 84133700 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF617A360, 0x30AF87, 0xE8000020]
    ? system32\drivers\xpsec.sys The system cannot find the path specified. !
    ? system32\drivers\xcpip.sys The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[756] USER32.dll!DisplayExitWindowsWarnings 7E459F91 5 Bytes JMP 01202758
    .text C:\WINDOWS\Explorer.EXE[756] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02DD9E37
    .text C:\WINDOWS\Explorer.EXE[756] ws2_32.dll!send 71AB4C27 5 Bytes JMP 02DD99D4
    .text C:\WINDOWS\Explorer.EXE[756] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02DD9CE9
    .text C:\WINDOWS\Explorer.EXE[756] ws2_32.dll!recv 71AB676F 5 Bytes JMP 02DD9AB5
    .text C:\WINDOWS\Explorer.EXE[756] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02DD9B88
    .text C:\WINDOWS\system32\winlogon.exe[936] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 00F92946
    .text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[2396] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018E9E37
    .text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[2396] ws2_32.dll!send 71AB4C27 5 Bytes JMP 018E99D4
    .text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[2396] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 018E9CE9
    .text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[2396] ws2_32.dll!recv 71AB676F 5 Bytes JMP 018E9AB5
    .text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[2396] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018E9B88
    .text C:\WINDOWS\System32\alg.exe[2828] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B39E37
    .text C:\WINDOWS\System32\alg.exe[2828] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B399D4
    .text C:\WINDOWS\System32\alg.exe[2828] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B39CE9
    .text C:\WINDOWS\System32\alg.exe[2828] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B39AB5
    .text C:\WINDOWS\System32\alg.exe[2828] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B39B88
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 01369E37
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8F]
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!send 71AB4C27 3 Bytes JMP 013699D4
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!send + 4 71AB4C2B 1 Byte [8F]
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!WSARecv 71AB4CB5 3 Bytes JMP 01369CE9
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!WSARecv + 4 71AB4CB9 1 Byte [8F]
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!recv 71AB676F 3 Bytes JMP 01369AB5
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!recv + 4 71AB6773 1 Byte [8F]
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!WSASend 71AB68FA 3 Bytes JMP 01369B88
    .text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[2996] WS2_32.dll!WSASend + 4 71AB68FE 1 Byte [8F]
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3168] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FE9E37
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3168] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FE99D4
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3168] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FE9CE9
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3168] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FE9AB5
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3168] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FE9B88
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3236] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FD9E37
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FD99D4
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3236] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FD9CE9
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3236] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FD9AB5
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3236] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FD9B88
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[3364] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FF9E37
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[3364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FF99D4
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[3364] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FF9CE9
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[3364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FF9AB5
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[3364] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FF9B88
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3424] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF9E37
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3424] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF99D4
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3424] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DF9CE9
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3424] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DF9AB5
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3424] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DF9B88
    .text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[3488] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D49E37
    .text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[3488] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D499D4
    .text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[3488] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D49CE9
    .text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[3488] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D49AB5
    .text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[3488] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D49B88
    .text C:\WINDOWS\system32\wuauclt.exe[4360] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EF9E37
    .text C:\WINDOWS\system32\wuauclt.exe[4360] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EF99D4
    .text C:\WINDOWS\system32\wuauclt.exe[4360] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EF9CE9
    .text C:\WINDOWS\system32\wuauclt.exe[4360] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EF9AB5
    .text C:\WINDOWS\system32\wuauclt.exe[4360] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EF9B88

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
    Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 312576708
    Disk \Device\Harddisk0\DR0 PE file @ sector 312576730

    ---- EOF - GMER 1.0.15 ----
     
  5. 2011/05/19
    phillipolympia

    phillipolympia Inactive Thread Starter

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 128):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF7358000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7347000 pci.sys
    0xF7487000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7497000 MountMgr.sys
    0xF7328000 ftdisk.sys
    0xF770F000 PartMgr.sys
    0xF798B000 UBHelper.sys
    0xF74A7000 VolSnap.sys
    0xF7310000 atapi.sys
    0xF74B7000 disk.sys
    0xF74C7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF72F0000 fltMgr.sys
    0xF72DE000 sr.sys
    0xF72C7000 KSecDD.sys
    0xF723A000 Ntfs.sys
    0xF720D000 NDIS.sys
    0xF71F3000 Mup.sys
    0xF7587000 \SystemRoot\system32\DRIVERS\processr.sys
    0xF791F000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7597000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7787000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF778F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF779F000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6A60000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF77A7000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6A38000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF75A7000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xF6950000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xF75B7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF75C7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF75D7000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF692D000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7999000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    0xF7933000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF6807000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF799D000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF77C7000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF617A000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF6166000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7BAE000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF75E7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF794B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF614F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF75F7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7607000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF77EF000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF613E000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7617000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF77FF000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF780F000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7627000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF781F000 \SystemRoot\system32\DRIVERS\SymIM.sys
    0xF79A3000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF60E0000 \SystemRoot\system32\DRIVERS\update.sys
    0xF795F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7637000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7647000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7667000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xF3596000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF3572000 \SystemRoot\system32\drivers\portcls.sys
    0xF7677000 \SystemRoot\system32\drivers\drmk.sys
    0xF79B3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7AFE000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79B7000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF787F000 \SystemRoot\System32\drivers\vga.sys
    0xF79BB000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79BF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF788F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7757000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF792B000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF34E5000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF348C000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF3438000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xF3412000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7697000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF33ED000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xF795B000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xF79C1000 \SystemRoot\System32\Drivers\SYMDNS.SYS
    0xF7797000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
    0xF33D7000 \SystemRoot\System32\Drivers\SYMFW.SYS
    0xF77B7000 \SystemRoot\System32\Drivers\SYMIDS.SYS
    0xF3390000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20110510.001\SymIDSCo.sys
    0xF3368000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF3346000 \SystemRoot\System32\drivers\afd.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF76B7000 \SystemRoot\System32\Drivers\SRTSPX.SYS
    0xF32D6000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    0xF32AB000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF323B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF76C7000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF31DD000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xF31BF000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF7557000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF30DF000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79CB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF310F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF774F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B3B000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBA725000 \SystemRoot\system32\drivers\xpsec.sys
    0xBA6CC000 \SystemRoot\system32\drivers\xcpip.sys
    0xBA410000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF77CF000 \??\C:\WINDOWS\system32\drivers\CO_Mon.sys
    0xB9FFF000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA534000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB9A3B000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB9A0E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB998E000 \SystemRoot\system32\DRIVERS\srv.sys
    0xF7777000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xB964B000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xB9602000 \SystemRoot\System32\Drivers\SRTSP.SYS
    0xB948B000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110519.002\NAVEX15.SYS
    0xB93D7000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110519.002\NAVENG.SYS
    0xB9396000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBF597000 \SystemRoot\System32\ATMFD.DLL
    0xB8113000 \??\C:\DOCUME~1\Phillip\LOCALS~1\Temp\pwacqaog.sys
    0xB80E8000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 40):
    0 System Idle Process
    4 System
    848 C:\WINDOWS\system32\smss.exe
    912 csrss.exe
    936 C:\WINDOWS\system32\winlogon.exe
    980 C:\WINDOWS\system32\services.exe
    996 C:\WINDOWS\system32\lsass.exe
    1352 C:\WINDOWS\system32\svchost.exe
    1556 svchost.exe
    1900 C:\WINDOWS\system32\svchost.exe
    140 svchost.exe
    276 svchost.exe
    656 C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
    756 C:\WINDOWS\explorer.exe
    308 C:\WINDOWS\system32\spoolsv.exe
    3392 C:\WINDOWS\system32\rundll32.exe
    3400 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    3424 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    3488 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    3592 C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
    3608 C:\WINDOWS\RTHDCPL.exe
    3656 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    3712 C:\WINDOWS\system32\ctfmon.exe
    2732 svchost.exe
    3548 C:\WINDOWS\system32\agrsmsvc.exe
    2996 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    3040 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    2944 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    3168 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    3236 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    3248 C:\WINDOWS\system32\nvsvc32.exe
    3364 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    2828 alg.exe
    2396 C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    4724 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    4360 C:\WINDOWS\system32\wuauclt.exe
    1768 C:\Program Files\Internet Explorer\iexplore.exe
    5392 C:\Program Files\Internet Explorer\iexplore.exe
    5592 C:\Program Files\Internet Explorer\iexplore.exe
    2436 C:\Documents and Settings\Phillip\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`7098f400 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`c4062200 (NTFS)

    PhysicalDrive0 Model Number: HitachiHDP725016GLA380, Rev: GMBOA52A

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
    SHA1: 837BFB0D14AAC6B731E258D6EFB1EEDC92CA6581


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:
     
  6. 2011/05/19
    phillipolympia

    phillipolympia Inactive Thread Starter

    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Phillip at 19:13:25 on 2011-05-19
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.296 [GMT -4:00]
    .
    AV: Norton 360 *Enabled/Updated* {A5F1BC7C-EA33-4247-961C-0217208396C4}
    FW: Norton 360 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Phillip\Desktop\dds.scr
    C:\WINDOWS\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0511&m=el1200-05w
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [LaunchApp]
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe "
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe "
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0 "
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe "
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [osCheck] "c:\program files\norton 360\osCheck.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\phillip\application data\mozilla\firefox\profiles\xuig4ric.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-17 149352]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-17 149352]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-17 149352]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-18 105592]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110519.002\NAVENG.SYS [2011-5-19 86008]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110519.002\NAVEX15.SYS [2011-5-19 1542392]
    R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
    R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
    S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-28 1245064]
    .
    =============== Created Last 30 ================
    .
    2011-05-20 00:19:13 -------- d-----w- c:\documents and settings\phillip\application data\Malwarebytes
    2011-05-20 00:18:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-20 00:18:58 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-05-20 00:18:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-20 00:18:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-20 00:17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-19 23:54:13 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-05-19 23:51:08 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-05-19 23:49:21 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-05-19 23:49:21 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-05-19 23:49:20 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2011-05-19 23:49:20 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-05-19 23:40:09 -------- d-----w- c:\windows\system32\PreInstall
    2011-05-19 22:18:41 -------- d-sh--w- c:\documents and settings\phillip\IECompatCache
    2011-05-19 21:35:32 -------- d-----w- c:\windows\system32\XPSViewer
    2011-05-19 21:35:00 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-05-19 21:34:13 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-05-19 21:34:13 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-05-19 21:34:12 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-05-19 21:34:12 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-05-19 21:34:12 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-05-19 21:34:12 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-05-19 21:34:12 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-05-19 21:34:12 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-05-19 21:21:45 -------- d-sh--w- c:\documents and settings\phillip\PrivacIE
    2011-05-19 21:17:20 -------- d-sh--w- c:\documents and settings\phillip\IETldCache
    2011-05-19 21:12:19 -------- d-----w- c:\windows\ServicePackFiles
    2011-05-19 21:06:36 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2011-05-19 21:06:14 -------- d-----w- c:\windows\ie8updates
    2011-05-19 21:05:47 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-05-19 21:05:45 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-05-19 21:05:44 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-05-19 21:02:47 -------- dc-h--w- c:\windows\ie8
    2011-05-19 02:04:10 -------- d-----w- c:\documents and settings\all users\application data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2011-05-19 01:16:50 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
    2011-05-19 01:16:50 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
    2011-05-19 01:16:50 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
    2011-05-19 01:16:50 16384 ----a-w- c:\windows\system32\ClearEvent.exe
    2011-05-19 01:16:50 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
    2011-05-19 01:14:58 221184 ----a-w- c:\windows\system32\wmpns.dll
    2011-05-19 01:08:47 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-05-18 23:49:19 220 ----a-w- c:\windows\eRy.reg
    2011-05-18 23:49:19 140 ----a-w- c:\windows\EM_Office.reg
    2011-05-18 23:49:18 9728 ----a-w- c:\windows\HWID_detect.exe
    2011-05-18 23:49:18 839 ----a-w- c:\windows\Panel_Font_SS.cmd
    2011-05-18 23:49:18 55808 ----a-w- c:\windows\devcon.exe
    .
    ==================== Find3M ====================
    .
    2011-05-19 02:11:32 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-05-19 02:11:32 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-05-18 23:49:19 7 ----a-w- c:\windows\HotFix.bat
    2011-05-18 23:49:19 185 ----a-w- c:\windows\HotFix3.bat
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
    .
    ============= FINISH: 19:14:23.20 ===============
     
  7. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.
     
  8. 2011/05/20
    phillipolympia

    phillipolympia Inactive Thread Starter

    Joined:
    2011/05/19
    Messages:
    7
    Likes Received:
    0
    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-20 14:43:31
    -----------------------------
    14:43:31.343 OS Version: Windows 5.1.2600 Service Pack 3
    14:43:31.343 Number of processors: 1 586 0x7F02
    14:43:31.343 ComputerName: EMACHINE-7AF6B9 UserName: Phillip
    14:43:33.531 Initialize success
    14:43:36.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
    14:43:36.031 Disk 0 Vendor: Hitachi_HDP725016GLA380 GMBOA52A Size: 152627MB BusType: 3
    14:43:36.140 Disk 0 MBR read successfully
    14:43:36.156 Disk 0 MBR scan
    14:43:36.156 Disk 0 unknown MBR code
    14:43:36.234 Disk 0 MBR hidden
    14:43:36.265 Disk 0 scanning sectors +312576705
    14:43:36.390 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
    14:43:36.453 Disk 0 PE file @ sector 312576730 !
    14:43:36.453 Disk 0 scanning C:\WINDOWS\system32\drivers
    14:43:50.062 Service scanning
    14:43:51.859 Disk 0 trace - called modules:
    14:43:51.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83126aee]<<
    14:43:51.875 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x849bdab8]
    14:43:52.031 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\00000071[0x84aba090]
    14:43:52.046 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-7[0x84a2ab58]
    14:43:52.062 Scan finished successfully
    14:44:10.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Phillip\Desktop\MBR.dat "
    14:44:11.203 The log file has been saved successfully to "C:\Documents and Settings\Phillip\Desktop\aswMBR.txt "
     
  9. 2011/05/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. 2011/05/20
    phillipolympia

    phillipolympia Inactive Thread Starter

    Joined:
    2011/05/19
    Messages:
    7
    Likes Received:
    0
    ComboFix 11-05-19.02 - Phillip 05/20/2011 21:38:05.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.438 [GMT -4:00]
    Running from: c:\documents and settings\Phillip\Desktop\ComboFix.exe
    AV: Norton 360 *Disabled/Updated* {A5F1BC7C-EA33-4247-961C-0217208396C4}
    FW: Norton 360 *Disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-20 20:19 . 2008-05-13 21:23 417792 ----a-w- c:\program files\Windows Media Player\Plugins\wmp_scrobbler.dll
    2011-05-20 20:19 . 2011-05-20 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Last.fm
    2011-05-20 20:10 . 2011-05-20 20:10 -------- d-----w- c:\program files\Last.fm
    2011-05-20 20:07 . 2011-05-20 20:07 -------- d-----w- c:\program files\iPod
    2011-05-20 20:07 . 2011-05-20 20:19 -------- d-----w- c:\program files\iTunes
    2011-05-20 20:01 . 2011-05-20 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2011-05-20 00:18 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-20 00:18 . 2011-05-20 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-20 00:18 . 2011-05-20 00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-20 00:18 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-20 00:17 . 2011-05-20 00:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-19 23:58 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-05-19 23:58 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-05-19 23:54 . 2011-02-17 13:18 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-05-19 23:51 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-05-19 23:49 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-05-19 23:49 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-05-19 23:49 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-05-19 23:49 . 2010-12-09 13:07 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2011-05-19 21:35 . 2011-05-19 21:35 -------- d-----w- c:\windows\system32\XPSViewer
    2011-05-19 21:35 . 2011-05-19 21:35 -------- d-----w- c:\program files\MSBuild
    2011-05-19 21:35 . 2011-05-19 21:35 -------- d-----w- c:\program files\Reference Assemblies
    2011-05-19 21:35 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-05-19 21:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-05-19 21:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-05-19 21:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-05-19 21:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-05-19 21:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-05-19 21:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-05-19 21:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-05-19 21:34 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-05-19 21:12 . 2011-05-19 21:12 -------- d-----w- c:\windows\ServicePackFiles
    2011-05-19 21:06 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2011-05-19 21:05 . 2011-02-22 23:06 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-05-19 21:05 . 2011-02-22 23:06 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-05-19 21:05 . 2011-02-22 23:06 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-05-19 21:02 . 2011-05-19 21:05 -------- dc-h--w- c:\windows\ie8
    2011-05-19 02:04 . 2011-05-20 20:09 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-05-19 02:04 . 2011-05-19 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2011-05-19 01:16 . 2007-04-13 15:51 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
    2011-05-19 01:16 . 2006-03-30 17:06 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
    2011-05-19 01:16 . 2006-03-23 16:02 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
    2011-05-19 01:16 . 2005-12-09 13:12 16384 ----a-w- c:\windows\system32\ClearEvent.exe
    2011-05-19 01:16 . 2004-11-03 13:06 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
    2011-05-19 01:14 . 2008-04-14 22:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2011-05-19 01:11 . 2011-05-19 22:18 -------- d-----w- c:\documents and settings\Phillip
    2011-05-19 01:10 . 2011-05-18 23:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
    2011-05-18 23:49 . 2008-09-02 05:34 140 ----a-w- c:\windows\EM_Office.reg
    2011-05-18 23:49 . 2007-06-06 07:19 220 ----a-w- c:\windows\eRy.reg
    2011-05-18 23:49 . 2008-08-30 16:51 839 ----a-w- c:\windows\Panel_Font_SS.cmd
    2011-05-18 23:49 . 2007-06-20 07:02 9728 ----a-w- c:\windows\HWID_detect.exe
    2011-05-18 23:49 . 2002-11-14 14:32 55808 ----a-w- c:\windows\devcon.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-19 02:11 . 2008-10-29 01:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-05-19 02:11 . 2008-10-29 01:26 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-05-18 23:49 . 2005-12-14 09:33 185 ----a-w- c:\windows\HotFix3.bat
    2011-05-18 23:49 . 2004-06-25 09:13 7 ----a-w- c:\windows\HotFix.bat
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-07 05:33 . 2008-04-14 22:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 13:21 . 2008-04-14 22:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2007-08-14 02:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2007-08-14 02:45 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 23:06 . 2007-08-14 02:44 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-02-22 11:41 . 2008-04-14 22:00 385024 ------w- c:\windows\system32\html.iec
    2011-04-14 16:26 . 2011-05-19 23:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
    "nwiz "= "nwiz.exe" [2008-02-25 1626112]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
    "BkupTray "= "c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
    "LanguageShortcut "= "c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
    "UpdateP2GoShortCut "= "c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut "= "c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-09-25 210216]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck "= "c:\program files\Norton 360\osCheck.exe" [2008-02-25 988512]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "RTHDCPL "= "RTHDCPL.EXE" [2008-05-16 16862720]
    "eRecoveryService "= "c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe "=
    "c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe "=
    "c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:Remote Desktop
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    .
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 5:11 PM 16384]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/17/2008 5:37 PM 149352]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 2:42 AM 50424]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/18/2011 10:13 PM 105592]
    R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
    R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
    S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 7:03 AM 131072]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 12:32 AM 23888]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - COMHOST
    *Deregistered* - aswMBR
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Phillip\Application Data\Mozilla\Firefox\Profiles\xuig4ric.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-LaunchApp - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-20 21:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(5048)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-05-20 21:49:13
    ComboFix-quarantined-files.txt 2011-05-21 01:49
    .
    Pre-Run: 60,019,863,552 bytes free
    Post-Run: 60,152,655,872 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 5C17450D7B7BC0BBCA341D0BF5D3BF4F
     
  11. 2011/05/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run aswMBR.exe again...

    • Click the Scan button as before.
    • Once the scan has completed, the Fix button should become active - click it.
    • If FixMBR becomes active instead, click that one.
    • The tool will decide which option to give you, but take Fix first, if it's offered.
    • Once complete, click Save log as before, save it to your desktop and post in your next reply.
     
  12. 2011/05/21
    phillipolympia

    phillipolympia Inactive Thread Starter

    Joined:
    2011/05/19
    Messages:
    7
    Likes Received:
    0
    I did everything you told me, and the program told me to restart ASAP. I did that, and now my computer won't load Windows. I'm on a friend's computer right now. What do I do now?
     
  13. 2011/05/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do, you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    exit

    Reboot computer.
     