
Topic: computer randomly freezing

  1. #21
    Moderator, team member
    Registered since
    25.11.2006
    Posts
    5.602

    Re: computer randomly freezing

    No, it did not pick up anything in its other scans there. Let's go with correcting an unusual boot autocheck setting, and repair the MBR as well, then check again after.

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
      00,00
    Open Notepad (Start - Run, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

    Save this to your desktop as "fixer.reg"

    Be sure to include the "" quotes in the name.

    Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

    ------------------

    Download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

    Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each:

    cd\
    mbr.exe -f


    Then type exit and press Enter to close the command window.

    The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please.

    Then run ComboFix again, and post that C:\ComboFix.txt log please.
    Live the day!

    Jintan - the brand where everything is right!
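The hex(7) data in the fixer.reg above is a REG_MULTI_SZ: NUL-terminated strings closed by an empty one. As an added example (not a tool from this thread), the following Python decodes that value, re-encodes it, and flags any BootExecute entry beyond the stock `autocheck autochk *`; the expected-default list it compares against is an assumption stated in the code.

```python
"""Decode and re-encode the REGEDIT4 hex(7) BootExecute value from the fix
above, so the bytes in a .reg file can be checked before merging them.
Added example for this thread, not a tool posted in it."""
import re

# Sample input: the fixer.reg text posted above, embedded here verbatim.
FIXER_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,00
'''

# Assumed baseline: the stock BootExecute on Windows XP is a single entry that
# runs autochk on any volume marked dirty; anything else here runs before the
# OS is fully up, which is why the thread resets it.
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]


def parse_hex7_value(reg_text, value_name):
    """Return the strings stored in a hex(7) (REG_MULTI_SZ) value.

    Joins the backslash line continuations used in .reg files and accepts
    the data as either ANSI bytes (REGEDIT4 exports) or UTF-16LE pairs
    (Windows Registry Editor Version 5.00 exports).
    """
    joined = re.sub(r'\\\r?\n[ \t]*', '', reg_text)
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F, ]*)$' % re.escape(value_name)
    m = re.search(pattern, joined, re.M)
    if m is None:
        raise ValueError("value %r not found" % value_name)
    raw = bytes(int(h, 16) for h in m.group(1).replace(' ', '').split(',') if h)
    # UTF-16LE ASCII text has a zero byte in every odd position; ANSI does not.
    if len(raw) >= 4 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode('utf-16-le')
    else:
        text = raw.decode('latin-1')
    # REG_MULTI_SZ is a run of NUL-terminated strings closed by an empty one.
    return [s for s in text.split('\0') if s]


def encode_hex7(entries):
    """Encode a list of strings as the comma-separated hex(7) data REGEDIT4 expects."""
    data = ('\0'.join(entries) + '\0\0').encode('latin-1')
    return ','.join('%02x' % b for b in data)


def unexpected_bootexecute(entries, expected=EXPECTED_BOOTEXECUTE):
    """Return the BootExecute entries that are not part of the expected default."""
    return [e for e in entries if e not in expected]


if __name__ == '__main__':
    entries = parse_hex7_value(FIXER_REG, 'BootExecute')
    print('BootExecute entries in fixer.reg:', entries)
    print('re-encoded:', encode_hex7(entries))
    print('unexpected entries:', unexpected_bootexecute(entries))
```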

  2. #22
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\ACPI -> 0x890d46e8
    NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> 0x88b64330
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x012A14C00
    malicious code @ sector 0x012A14C03 !
    PE file found in sector at 0x012A14C19 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
    original MBR restored successfully !

  3. #23
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    ComboFix 10-02-09.03 - Jason 02/09/2010 17:43:29.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1610 [GMT -7:00]
    Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
    .


    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
    "SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "HostManager"="c:\program files\Common Files\AOL\1265479102\ee\AOLSoftware.exe" [2009-07-20 41264]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\AOL 9.5\\waol.exe"=
    "c:\\Program Files\\Common Files\\aol\\1265479102\\ee\\aolsoftware.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "2426:TCP"= 2426:TCP:Services
    "8144:TCP"= 8144:TCP:Services
    "9004:TCP"= 9004:TCP:Services
    "5832:TCP"= 5832:TCP:Services
    "6425:TCP"= 6425:TCP:Services
    "5613:TCP"= 5613:TCP:Services
    "5941:TCP"= 5941:TCP:Services
    "9316:TCP"= 9316:TCP:Services
    "7879:TCP"= 7879:TCP:Services
    "2020:TCP"= 2020:TCP:Services
    "3458:TCP"= 3458:TCP:Services
    "5004:TCP"= 5004:TCP:Services
    "2847:TCP"= 2847:TCP:Services
    "6753:TCP"= 6753:TCP:Services
    "5191:TCP"= 5191:TCP:Services
    "6050:TCP"= 6050:TCP:Services
    "5550:TCP"= 5550:TCP:Services
    "1691:TCP"= 1691:TCP:Services
    "5113:TCP"= 5113:TCP:Services
    "8019:TCP"= 8019:TCP:Services
    "5082:TCP"= 5082:TCP:Services
    "5441:TCP"= 5441:TCP:Services
    "4910:TCP"= 4910:TCP:Services
    "9629:TCP"= 9629:TCP:Services
    "4722:TCP"= 4722:TCP:Services

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/7/2010 7:07 PM 163280]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/7/2010 7:07 PM 19024]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\149bzoj5.default\
    FF - prefs.js: browser.startup.homepage -
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-09 17:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x890D46E8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
    \Driver\ACPI -> 0x890d46e8
    \Driver\atapi -> atapi.sys @ 0xb7f37852
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> 0x88b64330
    PacketIndicateHandler -> NDIS.sys @ 0xb7e36a21
    SendHandler -> NDIS.sys @ 0xb7e1487b
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x012A14C00
    malicious code @ sector 0x012A14C03 !
    PE file found in sector at 0x012A14C19 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2536)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-02-09 17:47:39
    ComboFix-quarantined-files.txt 2010-02-10 00:47
    ComboFix2.txt 2010-02-08 01:32
    ComboFix3.txt 2010-02-07 21:46
    ComboFix4.txt 2010-02-07 02:07

    Pre-Run: 42,673,864,704 bytes free
    Post-Run: 42,643,259,392 bytes free

    - - End Of File - - C7E6BF8223B04D632DB39D872CEFA3E6

  4. #24
    Moderator, team member
    Registered since
    25.11.2006
    Posts
    5.602

    Re: computer randomly freezing

    If that mbr.exe -f step went off without issue then this resulting log suggests that malware might be there, but the functioning part of the MBR is okay. But this latest log does show the same possible malware issues as your first logs, and nothing pointing us to a possible file(s) involved.


    Click here and download maxhandle.exe by noahdfear to your desktop, then click that file to run the scan. Important! - you will need to have an open Internet connection while running this scan.

    Once it completes a command window will open. If the malware variant is not located by it you will see this in that window:

    Nothing found!

    Press any key to continue . . .


    If so, press any key and just let me know here nothing was located. If it does locate this malware variant it will open a log file, which should also be saved as c:\maxhandle.txt. Post that log here please.

  5. #25
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    Nothing found.

    Is it time to erase the drive and start over?

  6. #26
    Moderator, team member
    Registered since
    25.11.2006
    Posts
    5.602

    Re: computer randomly freezing

    No, we just locate some clean file copies, then do a file exchange and determine if that brings a solution. We will need to do the file exchange via the Recovery Console. Does this now show at each bootup as an option?

    Although it does not often yield helpful info I would like to check a copy of the MBR as well.

    Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each:

    cd\
    mbr.exe -c 0 64 copy_of_sectors


    Then type exit and press Enter to close the command window.

    Then just go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following file on your computer.

    c:\copy_of_sectors

    You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

    -----------------

    Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

    Code:
    :filefind
    atapi.sys
    ndis.sys
    Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.
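As an added example for the `mbr.exe -c 0 64 copy_of_sectors` step above (not from the thread and not part of Gmer's tool), this Python checks a raw sector dump for the kind of thing the later analysis describes, code in places that should be empty: it validates the 55 AA signature, parses the partition table, checks entries for overlap, and lists non-zero sectors in the gap before the first partition. It assumes the dump is a plain concatenation of 512-byte sectors starting at LBA 0; the sample dump is constructed inline.

```python
"""Look through a raw sector dump, such as the copy_of_sectors file that
mbr.exe -c 0 64 writes, for what a bootkit leaves behind: a bad MBR
signature, overlapping partition entries, and non-empty sectors in the gap
between the MBR and the first partition.  Added example for this thread; it
assumes the dump is the plain concatenation of sectors 0..63."""
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Return the boot-signature check and the used partition entries of an MBR."""
    if len(sector0) < SECTOR:
        raise ValueError('need at least one %d-byte sector' % SECTOR)
    signature = struct.unpack_from('<H', sector0, 510)[0]
    partitions = []
    for i in range(4):
        # 16-byte entry: boot flag, CHS start, type, CHS end, LBA start, LBA count
        fields = struct.unpack_from('<B3sB3sII', sector0, 446 + 16 * i)
        boot_flag, _chs_start, ptype, _chs_end, lba_start, lba_count = fields
        if ptype != 0:
            partitions.append({'index': i, 'bootable': boot_flag == 0x80,
                               'type': ptype, 'start': lba_start,
                               'sectors': lba_count})
    return {'signature_ok': signature == 0xAA55, 'partitions': partitions}


def nonzero_gap_sectors(dump, first_partition_lba):
    """LBAs between the MBR and the first partition that hold any non-zero byte."""
    limit = min(first_partition_lba, len(dump) // SECTOR)
    return [lba for lba in range(1, limit)
            if any(dump[lba * SECTOR:(lba + 1) * SECTOR])]


def analyse_dump(dump):
    """Run the three checks and return the MBR summary plus a list of findings."""
    mbr = parse_mbr(dump)
    findings = []
    if not mbr['signature_ok']:
        findings.append('MBR boot signature is not 55 AA')
    by_start = sorted(mbr['partitions'], key=lambda p: p['start'])
    for a, b in zip(by_start, by_start[1:]):
        if a['start'] + a['sectors'] > b['start']:
            findings.append('partition %d overlaps partition %d' % (a['index'], b['index']))
    if by_start:
        gap = nonzero_gap_sectors(dump, by_start[0]['start'])
        if gap:
            findings.append('non-empty sectors before first partition: %s' % gap)
    return {'mbr': mbr, 'findings': findings}


def build_sample_dump(write_into_gap):
    """Constructed 64-sector dump: one NTFS-type partition at LBA 63, valid signature.

    With write_into_gap=True, sector 5 carries a constructed text marker so the
    gap check has something to report; no real bootkit code is reproduced.
    """
    dump = bytearray(64 * SECTOR)
    dump[0:2] = b'\xeb\xfe'  # constructed stand-in for boot code (jmp $)
    dump[446:462] = struct.pack('<B3sB3sII', 0x80, b'\x01\x01\x00', 0x07,
                                b'\xfe\xff\xff', 63, 1000000)
    dump[510], dump[511] = 0x55, 0xAA
    if write_into_gap:
        marker = b'CONSTRUCTED-MARKER'
        dump[5 * SECTOR:5 * SECTOR + len(marker)] = marker
    return bytes(dump)


if __name__ == '__main__':
    for label, flag in (('clean', False), ('gap written', True)):
        result = analyse_dump(build_sample_dump(flag))
        print(label, '->', result['findings'] or 'no findings')
```

A 64-sector dump only covers the gap; the MBR copy the log reports at sector 0x012A14C00 lies far outside it and needs a dump of that region to inspect.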

  7. #27
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    http://thespykiller.co.uk/index.php/...8.new.html#new

    I do believe the recovery console flashes for 2 seconds on startup.



    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 06:47 on 11/02/2010 by Jason (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "atapi.sys"
    C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [02:06 07/02/2010] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
    C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

    Searching for "ndis.sys"
    C:\WINDOWS\ERDNT\cache\ndis.sys --a--- 182656 bytes [02:06 07/02/2010] [12:00 14/04/2008] 1DF7F42665C94B825322FAE71721130D
    C:\WINDOWS\system32\dllcache\ndis.sys --a--c 182656 bytes [12:00 14/04/2008] [12:00 14/04/2008] 1DF7F42665C94B825322FAE71721130D
    C:\WINDOWS\system32\drivers\ndis.sys ------ 182656 bytes [12:00 14/04/2008] [12:00 14/04/2008] 1DF7F42665C94B825322FAE71721130D

    -=End Of File=-
    Last edited by warmsummer (11.02.2010 at 14:51)

  8. #28
    Moderator, team member
    Registered since
    25.11.2006
    Posts
    5.602

    Re: computer randomly freezing

    Likely that startup menu screen time is set to zero, so we need to change that. I received the file, thanks. There is some code in locations not normally written to, and/or does not match what should be in those locations in the MBR. Three analysis scans indicate it has Sinowal malware code. So that earlier mbr.exe -f step either failed to correct the MBR, or the malware reinfected it. I tend to lean towards that second one.

    Looks like there are no trustworthy file copies of those file names you just checked on your computer, so you need to locate a different XP Home Edition Service Pack 3 computer and get clean copies of these files:

    C:\WINDOWS\system32\drivers\atapi.sys
    C:\WINDOWS\system32\drivers\ndis.sys

    Once you have done that place a copy of each directly into your C drive folder (for example - C:\atapi.sys). Let me know when you have done that.


    I would also like to check one user account there, to see if malware is using it for its own means.

    Go to Start > Run and type:

    cmd.exe

    and OK. At the prompt type or copy/paste each of the following, pressing Enter after each:

    net user helpassistant > ucheck.txt&ucheck.txt

    Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread please.

    Once that Notepad textbox opens, also click at the prompt in the still open command console window and type exit to close that.

  9. #29
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    Here is the cmd.exe log.

    I will work on finding the needed XP SP 3 files. I might have to do that at work tomorrow since my other home computer runs Vista.

    Thanks for your help.

    User name HelpAssistant
    Full Name Remote Desktop Help Assistant Account
    Comment Account for Providing Remote Assistance
    User's comment
    Country code 000 (System Default)
    Account active Yes
    Account expires Never

    Password last set 2/11/2010 6:51 AM
    Password expires Never
    Password changeable 2/11/2010 6:51 AM
    Password required Yes
    User may change password Yes

    Workstations allowed All
    Logon script
    User profile
    Home directory
    Last logon 2/11/2010 6:51 AM

    Logon hours allowed All

    Local Group Memberships *Administrators
    Global Group memberships *None
    The command completed successfully.
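Added example (not from the thread): a parser for `net user` output like that posted above, with a check for the two things that stand out in it, the HelpAssistant account being enabled and a member of Administrators. The XP-default baseline it compares against is an assumption noted in the code; the sample input is the posted output, whitespace as posted.

```python
"""Parse `net user <name>` output and flag a built-in HelpAssistant account
that is enabled or holds administrative group membership.  Added example for
this thread; the sample is the output posted above (whitespace as posted)."""

# Sample input: the net user output posted in the thread.
NET_USER_OUTPUT = """\
User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/11/2010 6:51 AM
Password expires Never
Password changeable 2/11/2010 6:51 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/11/2010 6:51 AM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
"""

# Labels net user prints, longest first so a shorter label never swallows a longer one.
FIELDS = sorted([
    'User name', 'Full Name', 'Comment', "User's comment", 'Country code',
    'Account active', 'Account expires', 'Password last set', 'Password expires',
    'Password changeable', 'Password required', 'User may change password',
    'Workstations allowed', 'Logon script', 'User profile', 'Home directory',
    'Last logon', 'Logon hours allowed', 'Local Group Memberships',
    'Global Group memberships'], key=len, reverse=True)


def parse_net_user(text):
    """Return a dict of field -> value; group fields become lists of group names."""
    info = {}
    for line in text.splitlines():
        for field in FIELDS:
            if line.startswith(field):
                value = line[len(field):].strip()
                if field.endswith(('Memberships', 'memberships')):
                    # Groups are printed as *Name *Name; "*None" means no membership.
                    value = [g.strip() for g in value.split('*')
                             if g.strip() and g.strip() != 'None']
                info[field] = value
                break
    return info


def audit_helpassistant(info):
    """Findings for a HelpAssistant account that deviates from the assumed XP default.

    Baseline assumed here: the built-in HelpAssistant account is disabled
    unless a Remote Assistance session is in progress, and is not a member
    of Administrators.
    """
    findings = []
    if info.get('User name', '').lower() != 'helpassistant':
        return findings
    if info.get('Account active') == 'Yes':
        findings.append('HelpAssistant is enabled')
    if 'Administrators' in info.get('Local Group Memberships', []):
        findings.append('HelpAssistant is a member of Administrators')
    return findings


if __name__ == '__main__':
    parsed = parse_net_user(NET_USER_OUTPUT)
    for finding in audit_helpassistant(parsed) or ['nothing unusual']:
        print(finding)
```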

  10. #30
    Beginner
    Registered since
    04.02.2010
    Posts
    25

    Re: computer randomly freezing

    I have the XP SP 3 atapi.sys and ndis.sys files. My friend sent them to me.

    I noticed in my event viewer there is a warning at 6:59 AM that an application was still using the registry at log off. Is that related?
