ComboFix 09-11-08.03 - Matt 11/09/2009 20:28.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2340 [GMT -8:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.
2009-11-04 17:05 . 2009-11-04 17:12 -------- d-----w- c:\documents and settings\Matt\SecurityScans
2009-11-04 17:05 . 2009-11-04 17:05 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2009-11-04 16:56 . 2009-11-04 16:57 -------- d-----w- c:\program files\MagicDisc
2009-11-04 16:56 . 2009-02-25 02:42 116736 ----a-w- c:\winnt\system32\drivers\mcdbus.sys
2009-11-02 19:03 . 2009-11-02 19:03 -------- d-----w- c:\program files\Common Files\Intel
2009-11-02 18:59 . 2009-11-02 18:59 -------- d-----w- c:\program files\SystemRequirementsLab
2009-10-31 17:47 . 2009-10-31 17:47 -------- d-----w- c:\program files\Trend Micro
2009-10-31 16:36 . 2009-10-31 16:36 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-31 16:17 . 2009-10-31 16:17 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-10-31 16:17 . 2009-10-31 16:18 -------- d-----w- c:\program files\Roxio
2009-10-29 17:13 . 2009-10-29 17:13 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\InstallShield
2009-10-29 17:13 . 2009-10-29 17:13 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Sonic
2009-10-29 17:12 . 2009-10-31 16:17 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Roxio
2009-10-29 16:45 . 2009-10-29 16:45 -------- d-----w- c:\documents and settings\Matt\Application Data\Blackberry Desktop
2009-10-29 16:32 . 2009-10-29 17:21 256 ----a-w- c:\winnt\system32\pool.bin
2009-10-29 16:32 . 2009-10-29 16:32 -------- d-----w- c:\documents and settings\Matt\Application Data\Research In Motion
2009-10-29 15:55 . 2009-10-31 16:04 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Research In Motion
2009-10-29 15:52 . 2009-01-09 23:18 27136 ----a-r- c:\winnt\system32\drivers\RimSerial.sys
2009-10-29 15:52 . 2009-10-31 16:19 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-29 15:51 . 2009-10-29 15:52 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-10-29 15:51 . 2009-10-29 15:55 -------- d-----w- c:\program files\Research In Motion
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 19:09 . 2005-08-11 22:14 12260 ----a-w- c:\winnt\system32\Fxxplfnt.tmp
2009-11-09 15:17 . 2008-06-10 21:44 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Google Updater
2009-11-08 06:14 . 2009-10-08 03:57 -------- d-----w- c:\documents and settings\Matt\Application Data\vlc
2009-11-04 17:28 . 2007-08-18 19:51 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Microsoft Help
2009-11-02 19:03 . 2009-05-17 02:12 -------- d-----w- c:\program files\Intel
2009-10-31 17:15 . 2005-05-25 00:04 94936 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-31 16:37 . 2009-05-02 15:15 -------- d-----w- c:\program files\Java
2009-10-31 00:43 . 2009-05-14 18:48 -------- d-----w- c:\documents and settings\Matt\Application Data\uTorrent
2009-10-29 17:13 . 2007-03-24 19:56 -------- d-----w- c:\documents and settings\Matt\Application Data\InstallShield
2009-10-27 02:57 . 2009-05-17 06:11 -------- d-----w- c:\documents and settings\Matt\Application Data\BSplayer Pro
2009-10-08 04:22 . 2009-08-24 20:45 -------- d-----w- c:\program files\IDT
2009-10-08 04:18 . 2009-10-08 04:09 660 ----a-w- c:\winnt\system32\drivers\sthdae.log
2009-10-08 04:14 . 2009-10-08 04:13 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\DriverScanner
2009-10-08 04:13 . 2009-10-08 04:12 -------- dc-h--w- c:\documents and settings\All Users.WINNT\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-10-08 04:13 . 2009-10-08 04:13 -------- d-----w- c:\program files\Uniblue
2009-10-08 04:13 . 2009-10-08 04:13 -------- d-----w- c:\documents and settings\Matt\Application Data\Uniblue
2009-10-01 17:11 . 2008-01-19 03:45 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\FLEXnet
2009-09-25 05:37 . 2001-08-23 21:00 667136 ------w- c:\winnt\system32\wininet.dll
2009-09-25 05:37 . 2005-05-24 22:51 81920 ------w- c:\winnt\system32\ieencode.dll
2009-09-18 04:54 . 2009-04-15 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 04:53 . 2008-09-09 05:08 4045528 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-13 00:07 . 2009-09-13 00:06 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-13 00:07 . 2009-09-13 00:06 -------- d-----w- c:\program files\iTunes
2009-09-13 00:06 . 2009-09-13 00:06 -------- d-----w- c:\program files\iPod
2009-09-13 00:06 . 2007-12-26 04:26 -------- d-----w- c:\program files\Common Files\Apple
2009-09-13 00:04 . 2009-09-13 00:04 -------- d-----w- c:\program files\QuickTime
2009-09-13 00:00 . 2009-09-13 00:00 79144 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-12 03:26 . 2009-08-26 18:35 -------- d-----w- c:\program files\PeerBlock
2009-09-11 14:18 . 2001-08-23 21:00 136192 ----a-w- c:\winnt\system32\msv1_0.dll
2009-09-10 21:54 . 2008-09-04 20:45 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2008-09-04 20:45 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-23 21:00 58880 ----a-w- c:\winnt\system32\msasn1.dll
2009-08-28 05:12 . 2009-08-28 05:12 716272 ----a-w- c:\winnt\system32\drivers\sptd.sys
2009-08-26 08:00 . 2001-08-23 21:00 247326 ----a-w- c:\winnt\system32\strmdll.dll
2009-08-18 07:33 . 2009-08-18 07:33 1193832 ----a-w- c:\winnt\system32\FM20.DLL
2005-05-24 21:23 . 2005-05-24 21:23 21952 ---ha-w- c:\program files\folder.htt
2001-09-29 00:00 . 2008-05-22 18:43 164864 ----a-w- c:\program files\UNWISE.EXE
2006-04-11 02:48 . 2006-04-11 02:21 56 --sh--r- c:\winnt\system32\4994F12BB5.sys
2008-08-04 19:50 . 2006-04-11 02:21 1682 --sha-w- c:\winnt\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-10_00.44.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-10 04:24 . 2009-11-10 04:24 16384 c:\winnt\Temp\Perflib_Perfdata_93c.dat
+ 2009-11-10 04:24 . 2009-11-10 04:24 16384 c:\winnt\Temp\Perflib_Perfdata_908.dat
+ 1999-12-07 12:00 . 2009-11-10 00:49 81610 c:\winnt\system32\perfc009.dat
- 1999-12-07 12:00 . 2009-11-10 00:35 81610 c:\winnt\system32\perfc009.dat
+ 2001-08-23 21:00 . 2004-08-04 05:59 95360 c:\winnt\system32\drivers\atapi.sys
+ 1999-12-07 12:00 . 2009-11-10 00:49 467822 c:\winnt\system32\perfh009.dat
- 1999-12-07 12:00 . 2009-11-10 00:35 467822 c:\winnt\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-26 90112]
"XGIWatchDog"="c:\program files\XGI\XWatDog.exe" [2005-03-01 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"AESTFltr"="c:\winnt\system32\AESTFltr.exe" [2008-07-11 466944]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 442460]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-10-31 623960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-05-21 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-05-21 1202448]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Trirot"="Trirot.exe" - c:\winnt\system32\Trirot.exe [2005-03-01 65536]
"BCMSMMSG"="BCMSMMSG.exe" - c:\winnt\BCMSMMSG.exe [2003-08-29 122880]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2008-04-14 143360]
"RegServer"="regserve.exe" - c:\winnt\system32\RegServe.exe [2005-03-01 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\winnt\system32\acaptuser32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Matt\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\winnt\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2008 2:31 PM 24652]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [5/16/2009 8:36 PM 108160]
R3 itecir;ITECIR Infrared Receiver;c:\winnt\system32\drivers\itecir.sys [5/16/2009 6:51 PM 54784]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\winnt\system32\drivers\k57xp32.sys [5/16/2009 6:45 PM 174592]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\winnt\system32\drivers\OA001Ufd.sys [5/16/2009 7:27 PM 133472]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\winnt\system32\drivers\OA001Vid.sys [5/16/2009 7:27 PM 279488]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\winnt\system32\AWINDIS5.SYS [8/8/2005 12:08 PM 16194]
S3 hcdriver;EHCI;c:\winnt\system32\drivers\hcdriver.sys [12/2/2005 11:46 AM 46080]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\winnt\system32\DRIVERS\wg511nd5.sys --> c:\winnt\system32\DRIVERS\wg511nd5.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [8/26/2009 10:35 AM 6144]
S3 ptiusbf;PTI USB Filter;c:\winnt\system32\DRIVERS\PTIUSBF.SYS --> c:\winnt\system32\DRIVERS\PTIUSBF.SYS [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S3 Xgiv3;Xgiv3;c:\winnt\system32\drivers\Xgiv3m.sys [5/24/2005 2:32 PM 337408]
S4 RT80x86;Ralink 802.11n Wireless Driver;c:\winnt\system32\DRIVERS\RT2860.sys --> c:\winnt\system32\DRIVERS\RT2860.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
2009-11-10 c:\winnt\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-10 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: rapmls.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 20:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AFA21F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8afa21f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1993962763-1844237615-725345543-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C0B0701-6A33-7AD8-CDD1-91A3D55087AC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\winnt\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(724)
c:\winnt\system32\relog_ap.dll
.
Completion time: 2009-11-10 20:36
ComboFix-quarantined-files.txt 2009-11-10 04:36
ComboFix2.txt 2009-11-10 04:05
ComboFix3.txt 2009-11-10 03:33
ComboFix4.txt 2009-11-10 00:48
Pre-Run: 73,590,624,256 bytes free
Post-Run: 73,559,445,504 bytes free
- - End Of File - - 9A50FB0178255D9C051A366926E920EE