
TDS rootkit - Stopped Working!


  • This topic is locked

#16
tom96 (Member, Topic Starter, 13 posts)
RPMcMurphy,
The computer crashed while Malwarebytes was running. It loaded OK and ran for about 10 minutes, and then the 'beautiful blue screen' appeared. After rebooting, the computer started CHKDSK, which is running as I type from my other computer. What should I do? Try running Malwarebytes again? Try running Malwarebytes in Safe Mode? Awaiting your instructions.

Tom
  • 0



#17
RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Try the Safe Mode, Tom. If it BSOD's again, just move on to the DDS report.
  • 0

#18
tom96 (Member, Topic Starter, 13 posts)
RPMcMurphy,
Malwarebytes ran in Safe Mode; the results are below.
DDS ran, and the results are below and attached.
Thank you for all your help and efforts. This has been tedious work and I really appreciate your time.
Tom

-----BEGIN Malwarebytes----------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5920

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.16764

3/1/2011 7:53:37 PM
mbam-log-2011-03-01 (19-53-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 516500
Time elapsed: 1 hour(s), 41 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------END Malwarebytes----------------------------------------------------

-------BEGIN DDS LOG---------------------------------------------------------


DDS (Ver_10-12-12.02) - NTFSx86 MINIMAL
Run by __ at 20:12:57.87 on Tue 03/01/2011
Internet Explorer: 7.0.6000.16764 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.3573.2853 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Users\__\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [EPSON Stylus Photo R2400 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fati9sa.exe /fu "c:\windows\temp\E_S72B3.tmp" /EF "HKCU"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [SSC Service Utility] c:\program files\epson-ssc service utility\ssc_serv.exe /s
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
StartupFolder: c:\users\__\appdata\roaming\micros~1\windows\startm~1\programs\startup\mru-bl~1.lnk - c:\program files\mru-blaster\mrublaster.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\QuickSet.lnk -
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: ClearRecentProgForNewUserInStartMenu = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\__\appdata\roaming\mozilla\firefox\profiles\yfgeg5n5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-9 179712]
S3 DNIMp50;DNIMp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNIMP50.sys [2006-11-16 21504]
S3 DNISp50;DNISp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNISP50.sys [2006-11-16 20480]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070108.003\IDSvix86.sys [2008-1-9 212280]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2008-3-27 116992]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-1-9 1174664]

=============== Created Last 30 ================

2011-03-01 21:15:26 -------- d-----w- c:\users\__\appdata\roaming\Malwarebytes
2011-03-01 21:14:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 21:14:25 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-01 21:14:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 21:14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-27 23:52:00 -------- d-----w- C:\emailExport Windows Mail Format
2011-02-27 18:32:24 -------- d-----w- C:\emailExportedFromWM
2011-02-26 22:43:36 -------- d-----w- C:\_OTL
2011-02-26 18:42:30 -------- d-----w- C:\eMailBox
2011-02-26 13:08:01 -------- d-----w- C:\_OTM
2011-02-26 02:21:57 -------- d-----w- C:\____________Bredirect Geeks to go
2011-02-13 15:21:44 -------- d-----w- C:\________________________________zillow
2011-01-31 16:53:35 -------- d-----w- C:\LIH Guide 2011

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: ST912082 rev.3.CD -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8605A439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x860607b8]; MOV EAX, [0x86060834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82027F37] -> \Device\Harddisk0\DR0[0x856E3630]
3 nt[0x820B07E2] -> ntkrnlpa!IofCallDriver[0x82027F37] -> [0x86082F18]
\Driver\iaStor[0x856EABD8] -> IRP_MJ_CREATE -> 0x8605A439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9120822AS_____________________________3.CDD___#4&1a4b0a3c&1&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 20:13:44.39 ===============

-------END DDS Log------------------------------------------------------------------------


DDS Attach is attached
  • 0

#19
RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Tom:

Looks like we have to do this the hard way:

We need to run a fix from the recovery environment

Verify that you can access the Vista Recovery Environment

To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.

If the option Repair your computer is available, select it.

Select a language, a keyboard or an input method, and then click Next

It will ask for a password > if you have one > enter it now, or just hit OK if you don't have one.

(If the Recovery Environment is not preinstalled, you will need to insert your Vista installation DVD and restart, then press any key when prompted to boot from the CD. At the Install Windows screen, select Repair your computer.)


In the System Recovery Options dialog box, click Command Prompt

Type bootrec /fixmbr and then press ENTER

You should see "The operation completed successfully"

Type EXIT at the command prompt, then select the RESTART button to reboot your system normally.

Try to run ComboFix again.

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

  • 0

#20
tom96 (Member, Topic Starter, 13 posts)
Repair Your Computer is installed on my system. When I run it, I get a password screen for 'other user' requesting a username and password. I have not set up any passwords on the system, nor have I seen the 'other user' before. Any suggestions? I bought this machine as a refurbished unit from Dell. Is it possible Dell or the initial user set up the password?

Tom
  • 0

#21
RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Tom:

Let's try another way:

Click Start > Run or press Windows Key + R, copy/paste the following into the run box that opens and press OK:
"%userprofile%\Desktop\MBRCheck.exe" -s 0 -f 3

A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Reboot your PC and post the contents of the log and a fresh DDS.txt log

Please include the following in your next post:
  • MBRCheck log
  • A new DDS.txt log

  • 0
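The two technical points in this thread are the detector's "user != kernel MBR" verdict in the DDS rootkit section of post #18, and the repair that bootrec /fixmbr (post #19) and MBRCheck -f 3 (post #21) perform. Both come down to the layout of sector 0: 440 bytes of boot code, a 4-byte disk signature, a 64-byte partition table and the 0x55AA signature. A disk-stack hook that serves a clean sector to ordinary reads while the raw read lower in the stack returns what is really on disk produces two views that disagree, and a boot-code rewrite replaces only the first 440 bytes and leaves the disk signature and partition table alone. The Python below is an added illustration of both ideas; it is not code from the thread, nor from GMER, DDS, MBRCheck or bootrec. Every byte string, the disk signature and the single partition entry are constructed sample data, and the "clean" boot stub is a placeholder, not real Windows MBR code.

```python
"""Model of an MBR cross-view check and a boot-code-only repair (added example)."""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: executable boot code
DISK_SIG_OFF = 440         # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510         # bytes 510..511: 0x55 0xAA
BOOT_SIG = b"\x55\xaa"

# Named regions, in sector order, used to report where two views disagree.
REGIONS = {
    "boot_code": (0, BOOT_CODE_LEN),
    "disk_signature": (DISK_SIG_OFF, DISK_SIG_OFF + 4),
    "partition_table": (PART_TABLE_OFF, PART_TABLE_OFF + 4 * PART_ENTRY_LEN),
    "boot_signature": (BOOT_SIG_OFF, MBR_SIZE),
}


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def validate_mbr(mbr: bytes) -> None:
    """Reject anything that is not a 512-byte sector ending in 0x55AA."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[BOOT_SIG_OFF:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; a type byte of 0 marks an unused slot."""
    validate_mbr(mbr)
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def compare_views(user_mbr: bytes, kernel_mbr: bytes) -> dict:
    """Cross-view check: the sector as seen through the normal read path versus
    the sector read directly from the disk. Any region that differs is evidence
    that something between the two paths is rewriting what callers see."""
    validate_mbr(user_mbr)
    validate_mbr(kernel_mbr)
    differing = [name for name, (a, b) in REGIONS.items()
                 if user_mbr[a:b] != kernel_mbr[a:b]]
    return {
        "match": not differing,
        "differing_regions": differing,
        "user_sha256": hashlib.sha256(user_mbr).hexdigest(),
        "kernel_sha256": hashlib.sha256(kernel_mbr).hexdigest(),
    }


def rewrite_boot_code(mbr: bytes, clean_boot_code: bytes) -> bytes:
    """Boot-code-only repair: replace bytes 0..439 and keep everything after
    them (disk signature, partition table, 0x55AA) exactly as found."""
    validate_mbr(mbr)
    if len(clean_boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code exceeds 440 bytes")
    return clean_boot_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def build_mbr(boot_code: bytes, disk_signature: int, partitions: list) -> bytes:
    """Assemble a sector from its parts (used here only to build sample data)."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, p in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if p.bootable else 0x00, p.type_id,
                         p.lba_start, p.sector_count)
    sector[BOOT_SIG_OFF:] = BOOT_SIG
    return bytes(sector)


# Constructed sample data. The "clean" stub is a placeholder prologue padded with
# NOPs, not real Windows MBR code; the tampered copy has its tail overwritten.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
TAMPERED_BOOT_CODE = CLEAN_BOOT_CODE[:64] + bytes(range(43))
SAMPLE_PARTITIONS = [Partition(True, 0x07, 2048, 234_439_598)]  # constructed NTFS entry
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1A2B3C4D, SAMPLE_PARTITIONS)
INFECTED_MBR = build_mbr(TAMPERED_BOOT_CODE, 0x1A2B3C4D, SAMPLE_PARTITIONS)


def demo() -> dict:
    """Hooked stack: the user view is the clean sector, the raw read is not."""
    verdict = compare_views(CLEAN_MBR, INFECTED_MBR)
    repaired = rewrite_boot_code(INFECTED_MBR, CLEAN_BOOT_CODE)
    return {"verdict": verdict,
            "repaired_matches_clean": repaired == CLEAN_MBR,
            "partitions_after_repair": parse_partitions(repaired)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The split into regions is what makes the verdict actionable: a difference confined to boot_code is the pattern a boot-code rewrite addresses, whereas a changed partition_table would mean the sector's geometry has been altered and a plain fixmbr-style repair would not be the right response.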

#22
tom96 (Member, Topic Starter, 13 posts)
Hi RPMcMurphy,
The MBR check was run by using the Windows Key + R and entering the following command, which you provided: "%userprofile%\Desktop\MBRCheck.exe" -s 0 -f 3
The MBR log is below.

I rebooted and then ran DDS.
The DDS log is below and the DDS Attach log is attached.
Tom


-------------BEGIN MBRCheck Log--------------------------------------
MBRCheck, version 1.2.3
© 2010, AD

Command-line: -s 0 -f 3
Windows Version: Windows Vista Business Edition
Windows Information: (build 6000), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Vostro 1400
Logical Drives Mask: 0x0000005c

Kernel Drivers (total 168):
0x82000000 \SystemRoot\system32\ntkrnlpa.exe
0x823A1000 \SystemRoot\system32\hal.dll
0x86C45000 \SystemRoot\system32\kdcom.dll
0x8026B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80262000 \SystemRoot\system32\PSHED.dll
0x8025A000 \SystemRoot\system32\BOOTVID.dll
0x8021F000 \SystemRoot\system32\CLFS.SYS
0x8051F000 \SystemRoot\system32\CI.dll
0x804A4000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80212000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80461000 \SystemRoot\system32\drivers\acpi.sys
0x80209000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80201000 \SystemRoot\system32\drivers\msisadrv.sys
0x8043C000 \SystemRoot\system32\drivers\pci.sys
0x8042D000 \SystemRoot\system32\drivers\volmgr.sys
0x8042A000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80420000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80410000 \SystemRoot\System32\drivers\mountmgr.sys
0x80409000 \SystemRoot\system32\DRIVERS\intelide.sys
0x807F2000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x80402000 \SystemRoot\system32\drivers\pciide.sys
0x807A8000 \SystemRoot\System32\drivers\volmgrx.sys
0x80708000 \SystemRoot\system32\drivers\iastorv.sys
0x8064A000 \SystemRoot\system32\drivers\iastor.sys
0x80642000 \SystemRoot\system32\drivers\atapi.sys
0x80624000 \SystemRoot\system32\drivers\ataport.SYS
0x81FCF000 \SystemRoot\system32\drivers\fltmgr.sys
0x80614000 \SystemRoot\system32\drivers\fileinfo.sys
0x81ECB000 \SystemRoot\system32\drivers\ndis.sys
0x81EA0000 \SystemRoot\system32\drivers\msrpc.sys
0x81E67000 \SystemRoot\system32\drivers\NETIO.SYS
0x824F8000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8248E000 \SystemRoot\System32\Drivers\ksecdd.sys
0x81E31000 \SystemRoot\system32\drivers\volsnap.sys
0x8060C000 \SystemRoot\System32\Drivers\spldr.sys
0x81E22000 \SystemRoot\System32\drivers\partmgr.sys
0x81E13000 \SystemRoot\System32\Drivers\mup.sys
0x82469000 \SystemRoot\System32\drivers\ecache.sys
0x81E02000 \SystemRoot\system32\drivers\disk.sys
0x82448000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80603000 \SystemRoot\system32\drivers\crcdisk.sys
0x8E21E000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x826A7000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8E210000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8EC19000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8EAB1000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8E203000 \SystemRoot\System32\drivers\watchdog.sys
0x8EAA6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8EA69000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8EA5B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8EA49000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8F57A000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x8EA1A000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
0x8C370000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8EA0C000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8EBC8000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8EBBA000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8EBA6000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8F529000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8EC06000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8F4FD000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0x8EA01000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8F4F2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8F4DA000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C235000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8EB62000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8F46F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8F42F000 \SystemRoot\system32\DRIVERS\storport.sys
0x8F424000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8F40D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8F402000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F7DD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x82698000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8F6DA000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8F653000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0x8F6ED000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8EBE8000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8F61C000 \SystemRoot\system32\DRIVERS\ks.sys
0x8F9C5000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0x8C263000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8F646000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8F8F1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C3E0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8F89E000 \SystemRoot\system32\drivers\stwrt.sys
0x8F871000 \SystemRoot\system32\drivers\portcls.sys
0x8F84C000 \SystemRoot\system32\drivers\drmk.sys
0x8F80F000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x8FAFD000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x8FA49000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8F802000 \SystemRoot\system32\drivers\modem.sys
0x8EB74000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8E2D3000 \SystemRoot\System32\Drivers\Null.SYS
0x8E2DA000 \SystemRoot\System32\Drivers\Beep.SYS
0x8E2E1000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8F600000 \SystemRoot\System32\drivers\vga.sys
0x8FA28000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8E3F0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8E3F8000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8FDF5000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8FDE7000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8EB86000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8FCD5000 \SystemRoot\System32\drivers\tcpip.sys
0x8FCBC000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8FCA7000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8FC79000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x8FC56000 \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
0x8FC42000 \SystemRoot\system32\DRIVERS\smb.sys
0x901B9000 \SystemRoot\system32\drivers\afd.sys
0x8FC10000 \SystemRoot\System32\DRIVERS\netbt.sys
0x901A3000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8FC02000 \SystemRoot\system32\DRIVERS\netbios.sys
0x90190000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9017F000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0x90144000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8F925000 \SystemRoot\system32\drivers\nsiproxy.sys
0x900E1000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x9008E000 \SystemRoot\system32\drivers\csc.sys
0x90077000 \SystemRoot\System32\Drivers\dfsc.sys
0x9256E000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8EBE4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8EB7D000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8C350000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8E3D8000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x92561000 \SystemRoot\System32\Drivers\crashdmp.sys
0x92413000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x924E3000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x9275C000 \SystemRoot\System32\Drivers\fastfat.SYS
0x92784000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x92662000 \SystemRoot\System32\Drivers\bthport.sys
0x92651000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x8F92F000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x92637000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x9679A000 \SystemRoot\system32\drivers\btwavdt.sys
0x9671F000 \SystemRoot\system32\drivers\btwaudio.sys
0x8E294000 \SystemRoot\system32\DRIVERS\btwrchid.sys
0x97200000 \SystemRoot\System32\win32k.sys
0x8F943000 \SystemRoot\System32\drivers\Dxapi.sys
0x8F70B000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA7400000 \SystemRoot\System32\TSDDD.dll
0xA7410000 \SystemRoot\System32\cdd.dll
0xA7420000 \SystemRoot\System32\ATMFD.DLL
0xA7684000 \SystemRoot\system32\drivers\luafv.sys
0xA8EF2000 \SystemRoot\system32\drivers\spsys.sys
0xA8EC2000 \SystemRoot\system32\DRIVERS\packet.sys
0x8C390000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA9BD5000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8F97F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8E5F000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xAC59A000 \SystemRoot\system32\drivers\HTTP.sys
0xA9A0F000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA9E17000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA9E03000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAC406000 \SystemRoot\system32\drivers\mrxdav.sys
0xAC7E2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAC7A9000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAC797000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAC773000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAC6A7000 \SystemRoot\System32\DRIVERS\srv.sys
0x8E36D000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xAC81B000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB2B22000 \SystemRoot\system32\drivers\peauth.sys
0x8F9B1000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA9FBE000 \SystemRoot\System32\drivers\tcpipreg.sys
0xB2608000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xB27BB000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xA77F0000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xAC8B7000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77C40000 \Windows\System32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
412 C:\Windows\System32\smss.exe
488 csrss.exe
528 C:\Windows\System32\wininit.exe
536 csrss.exe
572 C:\Windows\System32\services.exe
584 C:\Windows\System32\lsass.exe
592 C:\Windows\System32\lsm.exe
620 C:\Windows\System32\winlogon.exe
760 C:\Windows\System32\svchost.exe
820 C:\Windows\System32\svchost.exe
900 C:\Windows\System32\svchost.exe
940 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1084 C:\Windows\System32\audiodg.exe
1116 C:\Windows\System32\SLsvc.exe
1196 C:\Windows\System32\svchost.exe
1380 C:\Windows\System32\svchost.exe
1500 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1580 C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
1612 C:\Windows\System32\WLTRYSVC.EXE
1624 C:\Windows\System32\BCMWLTRY.EXE
1788 C:\Windows\System32\svchost.exe
1868 C:\Windows\System32\dwm.exe
1888 C:\Windows\explorer.exe
1896 C:\Windows\System32\taskeng.exe
1408 C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
1968 C:\Program Files\DellTPad\Apoint.exe
2056 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2068 C:\Windows\System32\WLTRAY.EXE
2080 C:\Program Files\Dell\MediaDirect\PCMService.exe
2160 C:\Program Files\QuickTime\QTTask.exe
2232 C:\Windows\System32\hkcmd.exe
2252 C:\Windows\System32\igfxpers.exe
2260 C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
2284 C:\Program Files\Epson-SSC Service Utility\ssc_serv.exe
2292 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2316 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
2324 C:\Program Files\Digital Line Detect\DLG.exe
2352 C:\Program Files\DellTPad\ApMsgFwd.exe
2376 C:\Program Files\DellTPad\hidfind.exe
2488 C:\Windows\System32\igfxsrvc.exe
2544 C:\Program Files\DellTPad\ApntEx.exe
2976 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
3016 C:\Program Files\Bonjour\mDNSResponder.exe
3032 C:\Windows\System32\svchost.exe
3052 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
3104 C:\Program Files\Dell Network Assistant\hnm_svc.exe
3248 C:\Windows\System32\svchost.exe
3316 C:\Windows\System32\stacsv.exe
3376 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
3436 C:\Windows\System32\svchost.exe
3468 C:\Windows\System32\svchost.exe
3512 C:\Windows\System32\SearchIndexer.exe
3668 C:\Windows\System32\drivers\XAudio.exe
3684 WUDFHost.exe
4024 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
660 C:\Windows\System32\spoolsv.exe
2224 C:\Windows\System32\mobsync.exe
1924 WmiPrvSE.exe
4060 C:\Windows\System32\wbem\WMIADAP.exe
1728 C:\Windows\System32\notepad.exe
3960 C:\Users\__\Desktop\MBRCheck.exe

Writing Windows Vista MBR code to \\.\PhysicalDrive0...
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

---------------END MBRCheck-------------------------------------------------------

---------------BEGIN - DDS log----------------------------------------------------

DDS (Ver_10-12-12.02) - NTFSx86
Run by __ at 18:47:11.82 on Wed 03/02/2011
Internet Explorer: 7.0.6000.16764 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.3573.2582 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Epson-SSC Service Utility\ssc_serv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\__\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [EPSON Stylus Photo R2400 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fati9sa.exe /fu "c:\windows\temp\E_S72B3.tmp" /EF "HKCU"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [SSC Service Utility] c:\program files\epson-ssc service utility\ssc_serv.exe /s
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
StartupFolder: c:\users\__\appdata\roaming\micros~1\windows\startm~1\programs\startup\mru-bl~1.lnk - c:\program files\mru-blaster\mrublaster.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\QuickSet.lnk -
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: ClearRecentProgForNewUserInStartMenu = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\__\appdata\roaming\mozilla\firefox\profiles\yfgeg5n5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-9 179712]
S3 DNIMp50;DNIMp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNIMP50.sys [2006-11-16 21504]
S3 DNISp50;DNISp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNISP50.sys [2006-11-16 20480]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070108.003\IDSvix86.sys [2008-1-9 212280]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2008-3-27 116992]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-1-9 1174664]

=============== Created Last 30 ================

2011-03-01 21:15:26 -------- d-----w- c:\users\__\appdata\roaming\Malwarebytes
2011-03-01 21:14:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 21:14:25 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-01 21:14:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 21:14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-27 23:52:00 -------- d-----w- C:\emailExport Windows Mail Format
2011-02-27 18:32:24 -------- d-----w- C:\emailExportedFromWM
2011-02-26 22:43:36 -------- d-----w- C:\_OTL
2011-02-26 18:42:30 -------- d-----w- C:\eMailBox
2011-02-26 13:08:01 -------- d-----w- C:\_OTM
2011-02-26 02:21:57 -------- d-----w- C:\____________Bredirect Geeks to go
2011-02-13 15:21:44 -------- d-----w- C:\________________________________zillow

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: ST912082 rev.3.CD -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86C0F439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86c157b8]; MOV EAX, [0x86c15834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82027F37] -> \Device\Harddisk0\DR0[0x856DEAD8]
3 nt[0x820B07E2] -> ntkrnlpa!IofCallDriver[0x82027F37] -> [0x86C65628]
\Driver\iaStor[0x856E1AA0] -> IRP_MJ_CREATE -> 0x86C0F439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9120822AS_____________________________3.CDD___#4&1a4b0a3c&1&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 18:47:58.19 ===============

---------------END DDS log-------------------------------------------------------------------------
See the DDS Attach log which is attached...

  • 0
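The GMER section of the DDS log above flags the disk because the MBR read through the ordinary user-mode path differs from the MBR the kernel sees ("user != kernel MBR"), which is the classic sign of a bootkit filtering disk reads. As an added illustration (this is not GMER's code and not part of the original thread), the Python script below performs that same comparison on two 512-byte images, checks the 0x55AA boot signature, decodes the partition table, and reports exactly which byte ranges disagree. Both sample sectors are constructed here; the clean one uses the typical opening bytes of a Windows MBR, and the altered one substitutes 0x90 placeholder bytes as a stand-in for modified boot code, so nothing in it is the poster's real disk or the real rootkit.

```python
"""Compare a user-mode and a kernel-mode view of the same MBR sector.

Added example for this thread, mirroring the idea behind GMER's
"user != kernel MBR" check: read the first sector through two independent
paths and treat any byte-level disagreement as a bootkit indicator.
All sample data below is constructed.
"""
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446          # four 16-byte partition entries live here
BOOT_SIG_OFF = 510
BOOT_SIG = b"\x55\xaa"


def has_boot_signature(mbr: bytes) -> bool:
    """True when the sector carries the 0x55AA signature of a valid MBR."""
    return len(mbr) == MBR_SIZE and mbr[BOOT_SIG_OFF:] == BOOT_SIG


def parse_partition_table(mbr: bytes) -> list:
    """Decode the non-empty entries of the classic MBR partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0:        # unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def diff_ranges(user_mbr: bytes, kernel_mbr: bytes) -> list:
    """Return half-open (start, end) byte ranges where the two views disagree."""
    if len(user_mbr) != len(kernel_mbr):
        raise ValueError("images differ in length")
    ranges, start = [], None
    for i, (u, k) in enumerate(zip(user_mbr, kernel_mbr)):
        if u != k and start is None:
            start = i
        elif u == k and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(user_mbr)))
    return ranges


def assess_mbr(user_mbr: bytes, kernel_mbr: bytes) -> dict:
    """Any mismatch between the two views is reported as 'user != kernel MBR'."""
    mismatches = diff_ranges(user_mbr, kernel_mbr)
    return {
        "user_signature_ok": has_boot_signature(user_mbr),
        "kernel_signature_ok": has_boot_signature(kernel_mbr),
        "partitions": parse_partition_table(kernel_mbr),
        "mismatches": mismatches,
        "verdict": "user != kernel MBR" if mismatches else "MBR consistent",
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, a disk signature, one bootable
    NTFS-type partition starting at LBA 2048, and the 0x55AA signature."""
    code = boot_code.ljust(440, b"\x00")[:440]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"      # bytes 440-445
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 234439598)        # constructed
    table = entry + b"\x00" * 48                                 # three empty slots
    return code + disk_sig + table + BOOT_SIG


# Typical opening bytes of a Windows MBR: xor ax,ax / mov ss,ax / mov sp,7c00 / ...
CLEAN_BOOT = bytes.fromhex("33c08ed0bc007c8ec08ed8")
# Placeholder for tampered boot code (constructed, 0x90 NOPs; not a real bootkit).
ALTERED_BOOT = b"\x90" * 16

SAMPLE_CLEAN = build_sample_mbr(CLEAN_BOOT)      # what the filtered user path returns
SAMPLE_ALTERED = build_sample_mbr(ALTERED_BOOT)  # what is actually on disk

if __name__ == "__main__":
    report = assess_mbr(SAMPLE_CLEAN, SAMPLE_ALTERED)
    print("verdict:", report["verdict"])
    for start, end in report["mismatches"]:
        print(f"  bytes {start}-{end - 1} differ")
    for p in report["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02x}, "
              f"LBA {p['lba_start']}, {p['sectors']} sectors, bootable={p['bootable']}")
```

On a real machine the two images would come from two genuinely independent read paths (for example a normal handle to the physical drive versus a read that bypasses the storage stack's upper layers); the value of the check is that a filter hook can only hide its changes from the paths it intercepts, so a disagreement is itself the finding, even before anyone looks at what the altered bytes do.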

#23
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
I'm afraid that didn't work - we need to fix that MBR from the Recovery Environment. It may be worth contacting Dell's support to see if they can help with that password. I can't imagine they'd re-sell a PC with another user's PW still in place.
  • 0

#24
tom96

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi RPMcMurphy,
I contacted Dell. They could not help, yet, but they suspect spyware or hackers may have established the password. They ran diagnostics on my machine, over the net, and could not get around or reset the password. Dell is sending me a disk that should help. It will be a couple of days for it to arrive. I'll post back here when I finish up with Dell, re: the password issue, so we can resume.

Thanks for everything so far.

Tom
  • 0

#25
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
OK, Tom. Thanks for the update and for your patience. I'll leave the thread open and wait to hear from you.
  • 0

#26
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0