ping exe and cpu 100%



#16 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,989 posts)

Hello again sah_fb,

Log on to the Recovery Console (this will have been installed when you ran ComboFix).

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.

[image: boot menu]

3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entry, and press 'Enter':

fixmbr

Reboot your machine.

After that re-run aswMBR and post the log back here.



#17 sah_fb (Topic Starter, Member, 14 posts)

The 1 option in instruction 4 leads to D:\MiniNT. Option 3 shows C:\Windows so I pressed that. However it asks if I am sure I want to write a new MBR? How should I answer this since the warnings seem pretty scary, i.e. making all partitions on the hard disk inaccessible.

Thanks for clarifying this for me.

#18 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,989 posts)

sah_fb wrote:
> seem pretty scary


Well done. Always come back if things don't seem quite right.

Now I think what you have is non standard and that is why we keep getting the unknown MBR.

Let's assume that for now and move on.

Firstly do this:

Please run the MGA Diagnostic Tool and post back the report it produces:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


#19 sah_fb (Topic Starter, Member, 14 posts)

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {59D01D75-E676-40C7-A3D3-2ACECF5CDD02}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.17.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{59D01D75-E676-40C7-A3D3-2ACECF5CDD02}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-3530927332-4033242662-3775010867</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>DF253A-ABA a250n</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3.10 </Version><SMBIOSVersion major="2" minor="3"/><Date>20030627000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>3565321701846062</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.17.0"/><File Name="WgaLogon.dll" Version="1.7.17.0"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57712</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1751E:GENUINE C&C INC|15294:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A

#20 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,989 posts)

Hi sah_fb,

Please run a free online scan with the ESET Online Scanner.
Note: ESET was designed to run with Internet Explorer. Compatibility with other browsers has been added recently, but if you have difficulty, use Internet Explorer.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use
  • You may see a panel towards the top of the screen telling you the website wants to install an add-on... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Click Start and if your security program asks you if you want to allow the program, click yes.
  • If your anti-virus is active you may see a panel appear warning you that this may affect performance. Disabling the programs listed may speed things along.
  • Make sure that the options Remove found threats and Scan archives are checked (do not worry about advanced settings)
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt (open Notepad > File > Open and navigate to the log.txt)
  • Copy and paste that log as a reply to this topic, and also tell me how your machine is now.


#21 sah_fb (Topic Starter, Member, 14 posts)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=be1ec0c150a2da449840df64e2a96cd2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-19 05:25:53
# local_time=2011-11-19 12:25:53 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 702960 702960 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=136259
# found=1
# cleaned=1
# scan_time=10708
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent.CBFNBEO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


AVG keeps finding threats which I keep moving to the virus vault or removing.
The warning box this AM after the scan completed showed:
"Infection";"Trojan horse BackDoor.Generic14.BQGW";"c:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP1915\A0226961.sys";"N/A";11/19/2011, 05:56:53 AM"
This keeps coming up - sometimes the .sys number is different:

"Infection";"Trojan horse BackDoor.Generic14.BQGW";"c:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP1915\A0226924.sys";"N/A";"11/18/2011, 10:38:02 PM"

"Infection";"Trojan horse BackDoor.Generic14.BQGW";"c:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP1915\A0224904.sys";"N/A";"11/18/2011, 7:58:54 PM"

Just now the AVG resident shield warning:
OTL.exe, threat name Trojan Horse Agent 3. AXVV,
located in C:\Windows\explorer.exe

Still a little slow but no redirects or ping exe.

Edited by sah_fb, 19 November 2011 - 05:48 AM.

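The two scanner outputs pasted above have regular shapes that are easy to triage mechanically: the ESET Online Scanner log is a set of "# key=value" counters followed by one line per detection, and the AVG warnings are semicolon-separated quoted records. The script below is an added example (not ESET's or AVG's code, and not part of the original thread) that parses both, cross-checks ESET's own found/cleaned counters against the detection lines, and separates AVG hits that live inside a System Restore snapshot (the `_restore{GUID}\RPnnn` folders) from hits on live files. The sample log text is constructed to match the format shown in the thread; the third AVG record and its path are hypothetical.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ESET Online Scanner log pasted above
# (a few "# key=value" header lines plus one detection line). Hypothetical data.
ESET_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=true
# archives_checked=true
# scanned=136259
# found=1
# cleaned=1
# scan_time=10708
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent.CBFNBEO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Constructed sample of AVG records in the quoted, semicolon-separated form shown
# in the thread. The third record (threat name and path) is hypothetical, added
# to show a detection that is NOT inside System Restore.
AVG_RECORDS = r'''"Infection";"Trojan horse BackDoor.Generic14.BQGW";"c:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP1915\A0226924.sys";"N/A";"11/18/2011, 10:38:02 PM"
"Infection";"Trojan horse BackDoor.Generic14.BQGW";"c:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP1915\A0224904.sys";"N/A";"11/18/2011, 7:58:54 PM"
"Infection";"Trojan horse Example.HYPOTHETICAL";"C:\Documents and Settings\user\Local Settings\Temp\sample.exe";"N/A";"11/19/2011, 06:00:00 AM"
'''


@dataclass
class Detection:
    source: str   # "eset" or "avg"
    path: str     # file the scanner flagged
    threat: str   # detection name as reported
    note: str     # scanner action (ESET) or record type (AVG)


# Windows XP System Restore keeps file copies under _restore{GUID}\RPnnn; hits
# there are snapshots, which is why resetting the restore points clears them.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE)

# path, threat text, "(action)", 32-hex hash, flags
ESET_HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4})\s+"
    r"(?P<threat>.+?)\s*\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9a-f]{32})\s+(?P<flags>\S+)\s*$", re.IGNORECASE)


def parse_eset(text):
    """Return (header dict, detections) from an ESET Online Scanner log."""
    header, hits = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = ESET_HIT_RE.match(line)
        if m:
            hits.append(Detection("eset", m["path"], m["threat"], m["action"]))
    return header, hits


def eset_summary(text):
    """Cross-check the log's own counters against the detection lines present."""
    header, hits = parse_eset(text)
    found = int(header.get("found", 0))
    cleaned = int(header.get("cleaned", 0))
    return {
        "scanned": int(header.get("scanned", 0)),
        "found": found,
        "cleaned": cleaned,
        "all_handled": found == cleaned == len(hits),
        "hits": hits,
    }


def parse_avg(text):
    """Parse AVG records laid out as type;threat;path;extra;timestamp."""
    hits = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 5:
            continue  # blank or truncated line
        kind, threat, path, _extra, _when = (f.strip() for f in row[:5])
        hits.append(Detection("avg", path, threat, kind))
    return hits


def triage(detections):
    """Split detections into System Restore snapshots and live files."""
    buckets = {"restore_point": [], "live": []}
    for d in detections:
        key = "restore_point" if RESTORE_RE.search(d.path) else "live"
        buckets[key].append(d)
    return buckets


if __name__ == "__main__":
    summary = eset_summary(ESET_LOG)
    print(f"ESET: scanned={summary['scanned']} found={summary['found']} "
          f"cleaned={summary['cleaned']} consistent={summary['all_handled']}")
    for key, items in triage(parse_avg(AVG_RECORDS)).items():
        for d in items:
            print(f"AVG [{key}] {d.threat}: {d.path}")
```

The "live" bucket is the one worth a closer look; restore-point hits are what the next reply in the thread addresses by resetting System Restore during cleanup.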

#22 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,989 posts)

Hello again sah_fb,

That's encouraging. The one found by ESET is a false positive - part of Hewlett-Packard, nothing to worry about. The others that AVG is finding are in System Restore and would have been removed when we cleaned away the tools we have been using. We will in fact do that in this post.

I still have a slight question mark over that MBR but many computers do have non standard boot records so I think we can assume it's okay. If the problem returns then come back.

Turning to the slow computer. Malware will have been the major cause but there are other things that can contribute to a slow machine.

miekiemoes has a blog with some information about slow computing.

Just scroll down until you find it, might be helpful. Link below.

http://miekiemoes.bl...l/Slow computer

Also

Go here for information about what makes your computer slow by Artellos.

Now

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.

Step 1

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    [image: Run box]

Step 2

  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.

  • Download Java for Windows
  • Reboot your computer.
  • You also need to uninstall older versions of Java: click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week.

For ease of use, you might consider the following free program. Note: The only caveat on this is if you have the Windows Recovery rogue infection that removes your desktop items. In that instance do not clean your temp files. Post an OTL log here in the Malware forum and seek help to correct the situation.


---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browsers.

Avant may be downloaded from here. Another one that is less well known.

Firefox may be downloaded from Here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

Adblock Plus is a good Add-on for Firefox that helps prevent those annoying pop ups.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

  • If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > System and Security > Windows Update
    * Under Windows Update click on Turn automatic updating on or off
    * Check items shown to ensure you receive updates automatically. Click OK.

    And to keep your system clean consider choosing from these free for home use malware scanners and updating and running weekly.
  • Malwarebytes
  • SuperAntiSpyWare
Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!
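The ActiveX settings this post asks sah_fb to change are the same ones the MGADiag report earlier in the thread lists under "Browser Data-->", so the report doubles as a way to verify the change was made. The script below is an added example (not Microsoft's MGADiag code, and not part of the original thread) that pulls the "Browser Data" section out of a report and checks the three ActiveX settings against the values recommended above; the sample report text is constructed to match the section layout shown in the thread, and `WEAK_REPORT` is a hypothetical variant with one setting loosened to show a failing audit.

```python
# Constructed sample modelled on the "Browser Data-->" section of the MGADiag
# report posted in this thread; hypothetical sample data, not a live report.
REPORT = r"""Windows XP Notifications Data-->
Cached Result: 0

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
"""

# Hypothetical variant of the same report with one setting loosened.
WEAK_REPORT = REPORT.replace(
    "Download unsigned ActiveX controls: Disabled",
    "Download unsigned ActiveX controls: Allowed")

# Baseline taken from the advice above: the two download settings should be
# "Prompt" (the stricter "Disabled" is accepted too) and unsafe initialization
# must be "Disabled". Anything else, including "Allowed", is a finding.
BASELINE = {
    "Download signed ActiveX controls": {"Prompt", "Disabled"},
    "Download unsigned ActiveX controls": {"Prompt", "Disabled"},
    "Initialize and script ActiveX controls not marked as safe": {"Disabled"},
}


def parse_section(report, name="Browser Data"):
    """Collect the 'key: value' lines of one 'Name-->' section into a dict."""
    settings, active = {}, False
    for line in report.splitlines():
        if line.endswith("-->"):
            # A new section header: stay active only for the section we want.
            active = line[:-3].strip() == name
            continue
        if active and ": " in line:
            key, _, value = line.partition(": ")
            settings[key.strip()] = value.strip()
    return settings


def audit(report):
    """Return (setting, current, accepted) for each setting off the baseline."""
    settings = parse_section(report)
    findings = []
    for key, accepted in BASELINE.items():
        current = settings.get(key, "<missing>")
        if current not in accepted:
            findings.append((key, current, " or ".join(sorted(accepted))))
    return findings


if __name__ == "__main__":
    for label, rep in (("report", REPORT), ("weakened", WEAK_REPORT)):
        findings = audit(rep)
        print(f"{label}: {'OK' if not findings else 'findings'}")
        for key, current, accepted in findings:
            print(f"  {key}: is {current!r}, expected {accepted}")
```

Running it against a freshly generated MGADiag report after the Inetcpl.cpl steps above is a quick way to confirm the zone settings actually took effect.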

#23 sah_fb (Topic Starter, Member, 14 posts)

Thanks sooooo much for helping me out!!

I have followed your recommendations.

However, I am wondering if the Windows firewall is sufficient,
or do you recommend another (preferably free) one?

Once again ~ thanks so much for your time and effort.
I truly appreciated all your help.

#24 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,989 posts)

Hello sah_fb,

I should have mentioned that the aswMBR and MBRCheck folder/files can just be deleted.

sah_fb wrote:
> however, i am wondering if the windows firewall is sufficient,
> or do you recommend another (preferably free) one?


My personal view is that the Windows firewall is okay for the run of the mill user. However here are two good firewalls free for personal use (remember to choose only one - running two or more anti-virus or firewalls will result in conflict and little if any protection):


sah_fb wrote:
> once again ~ thanks so much for your time and effort
> i truly appreciated all your help


You are very welcome. :)

I will keep this topic open for a day or two in case any issues arise.





