
Thread: Help!

  1. #11
    Beginner
    Registered since
    27.08.2010
    Posts
    7

    Re: Help!

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 143):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF79D2000 \WINDOWS\system32\KDCOM.DLL
    0xF78E2000 \WINDOWS\system32\BOOTVID.dll
    0xF73A3000 ACPI.sys
    0xF79D4000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7392000 pci.sys
    0xF74D2000 isapnp.sys
    0xF7A9A000 pciide.sys
    0xF7752000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF74E2000 MountMgr.sys
    0xF7373000 ftdisk.sys
    0xF79D6000 dmload.sys
    0xF734D000 dmio.sys
    0xF775A000 PartMgr.sys
    0xF74F2000 VolSnap.sys
    0xF7335000 atapi.sys
    0xF7260000 iastor.sys
    0xF7502000 disk.sys
    0xF7512000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7240000 fltmgr.sys
    0xF722E000 sr.sys
    0xF7218000 DRVMCDB.SYS
    0xF7201000 KSecDD.sys
    0xF7174000 Ntfs.sys
    0xF7147000 NDIS.sys
    0xF712D000 Mup.sys
    0xF7602000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF65B1000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF659D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6577000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF654C000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xF7862000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6528000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF786A000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF69F7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF79A6000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF79AA000 \SystemRoot\system32\DRIVERS\fsvga.sys
    0xF7AFB000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF69E7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF79AE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6511000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF69D7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF69C7000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7872000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6500000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF69B7000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF787A000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7882000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF78B2000 \SystemRoot\system32\DRIVERS\teamviewervpn.sys
    0xF64D0000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF69A7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF788A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7892000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF64BB000 \SystemRoot\system32\DRIVERS\StarPortLite.sys
    0xF7A3C000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6498000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF643A000 \SystemRoot\system32\DRIVERS\update.sys
    0xF79CA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF6997000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7A3E000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF6987000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xEE1D7000 \SystemRoot\system32\drivers\sthda.sys
    0xEE1B3000 \SystemRoot\system32\drivers\portcls.sys
    0xF76F2000 \SystemRoot\system32\drivers\drmk.sys
    0xEE069000 \SystemRoot\system32\drivers\sigfilt.sys
    0xF7982000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7A54000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xF7A56000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B9E000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A58000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF77B2000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xF77BA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF77C2000 \SystemRoot\System32\drivers\vga.sys
    0xF7A5A000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7A5C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF77CA000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF77D2000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF798E000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xED1CF000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xED176000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xED13C000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xEC0E2000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xEE294000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7852000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF63FE000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xEE284000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF63FA000 \SystemRoot\System32\DRIVERS\ELhid.sys
    0xF63F2000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF7A8E000 \SystemRoot\System32\DRIVERS\ELmou.sys
    0xEB9C7000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF63EA000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xEB9A5000 \SystemRoot\System32\drivers\afd.sys
    0xEE264000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xEB980000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF785A000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xEB955000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEB8E5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xEE224000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF797E000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF7A98000 \SystemRoot\System32\DRIVERS\ELkbd.sys
    0xF79DA000 \SystemRoot\System32\DRIVERS\ELmon.sys
    0xED22A000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xEB8B1000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xEC02A000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB22F3000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA0F9000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA1EE000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xB2E87000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF065000 \SystemRoot\System32\ati2cqag.dll
    0xBF0FE000 \SystemRoot\System32\atikvmag.dll
    0xBF182000 \SystemRoot\System32\atiok3x2.dll
    0xBF1CD000 \SystemRoot\System32\ati3duag.dll
    0xBF572000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xEC06A000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xF7BFD000 \SystemRoot\System32\DLA\DLADResN.SYS
    0xB00DD000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xED035000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xF79E2000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xF784A000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0xB00C5000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0xB00AF000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xB37EC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAFFE2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xAFF51000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB0053000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xAFED2000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAFEBB000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
    0xF7832000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xAFD58000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xAFC7B000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEE274000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAFBDE000 \SystemRoot\system32\drivers\ctusfsyn.sys
    0xAFBAE000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
    0xAFB88000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
    0xAF406000 \??\C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
    0xAF3B7000 \SystemRoot\system32\drivers\kmixer.sys
    0xED222000 \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 33):
    0 System Idle Process
    4 System
    868 C:\WINDOWS\system32\smss.exe
    916 csrss.exe
    952 C:\WINDOWS\system32\winlogon.exe
    996 C:\WINDOWS\system32\services.exe
    1016 C:\WINDOWS\system32\lsass.exe
    1188 C:\WINDOWS\system32\svchost.exe
    1272 svchost.exe
    1416 C:\WINDOWS\system32\svchost.exe
    1516 svchost.exe
    1828 C:\WINDOWS\system32\spoolsv.exe
    276 svchost.exe
    308 C:\WINDOWS\system32\svchost.exe
    852 C:\WINDOWS\system32\svchost.exe
    1984 alg.exe
    2528 C:\WINDOWS\explorer.exe
    2780 C:\WINDOWS\system32\wscntfy.exe
    3112 C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    3164 C:\WINDOWS\stsystra.exe
    3188 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3252 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    3284 C:\Documents and Settings\TempLol\Local Settings\Application Data\Dyyno Viewer\dyyno_launcher.exe
    3296 C:\WINDOWS\system32\ctfmon.exe
    3320 C:\Program Files\Xfire\xfire.exe
    2396 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    2676 C:\WINDOWS\system32\taskmgr.exe
    3916 C:\Program Files\Mozilla Firefox\firefox.exe
    2108 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    1344 C:\Program Files\Mozilla Firefox\plugin-container.exe
    3220 C:\WINDOWS\system32\svchost.exe
    2432 C:\Documents and Settings\TempLol\Desktop\MBRCheck.exe
    2924 C:\WINDOWS\system32\conime.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600JS-75NCB1, Rev: 10.02E01

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
    SHA1: 3AD54F7704EB54BB0693EDCBFCC5A24A4C985F3E


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:


    http://thespykiller.co.uk/index.php/topic,9416.0.html
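An added example (not from the thread and not MBRCheck's own code) that shows what a verdict like the one in the log above rests on: hashing the boot code of a 512-byte MBR sector, comparing it with known-good and known-infected code, and reading the partition table so that a restored MBR can be checked to still point at the same Windows partition. The sample sector, the layout constants and the known-good set are assumptions; only the infected-code hash is taken from the log above.

```python
import hashlib
import struct

# Classic BIOS MBR layout (assumed standard, not GPT): 440 bytes of boot code,
# 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA.
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
MBR_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Hash MBRCheck printed for the infected sector in this thread. MBRCheck does not
# document which bytes it hashes, so treat this set as illustrative, not authoritative.
KNOWN_INFECTED = {"3AD54F7704EB54BB0693EDCBFCC5A24A4C985F3E"}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: placeholder boot code plus one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 312581745)
    return code + disk_sig + entry + b"\x00" * 48 + MBR_SIGNATURE


def is_mbr_sector(mbr: bytes) -> bool:
    """Cheap sanity check: exactly one sector long and ending in the 0x55AA signature."""
    return len(mbr) == 512 and mbr[510:512] == MBR_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code SHA1 and the non-empty partition entries of a sector."""
    if not is_mbr_sector(mbr):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype:  # type 0x00 means an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
            "partitions": parts}


def classify_mbr(mbr: bytes, known_good: set) -> str:
    """Mirror MBRCheck's verdicts by comparing the boot-code hash against both sets."""
    info = parse_mbr(mbr)
    if info["code_sha1"] in known_good:
        return "standard"
    if info["code_sha1"] in KNOWN_INFECTED:
        return "known infection"
    return "non-standard"  # unknown boot code: the case that needs a closer look
```

To check a real disk, read the first 512 bytes of the physical drive (administrator rights are required) and pass them to parse_mbr; the known-good set has to come from a trusted baseline such as a clean installation of the same Windows version.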

  2. #12
    Moderator Team member
    Registered since
    25.11.2006
    Posts
    5,602

    Re: Re: Help!

    I received the MBR copy, thanks. And some of its code matches some known malware code. So we will need to restore the MBR there with a default version. I don't see in this MBR copy any indication it is used to access any hidden recovery partition, so restoring a default version shouldn't impact anything more than remove the malware code.

    You allowed ComboFix to install the built-in Recovery Console access, which we will need to repair the infected MBR.


    You will want to have a copy of the next steps, as they will be done while using the Recovery Console.

    Reboot the computer.

    When the operating system options screen is displayed select the highlighted option below:

    Microsoft Windows Recovery Console
    Windows XP Media Center Edition

    You may be asked to select the operating system, which is usually "1 Windows".

    Once you are at the C:\Windows\> prompt type the following, pressing Enter after each:

    fixmbr

    Agree to any warnings. Then type exit and press Enter to reboot the system.

    -----------------

    After the reboot run TDSSKiller, and then ComboFix, and post those logs back here please.
    Live the day!

    Jintan - The brand where everything is right!

  3. #13
    Beginner
    Registered since
    27.08.2010
    Posts
    7

    Re: Help!

    I have a problem! When I try to do that it says NTLDR is compressed. Ctrl+Alt+Delete to restart. What do I do?

    I forgot to say. I looked up this problem on the net and it usually shows up when people try to start their computer, but can't. My computer still boots fine, but it won't let me access the recovery console because of this error. Sadly at this point in time, I don't have an XP disk, and I can't fix the NTLDR error like most guides on the internet say to.
    Last edited by lefty182 (03.09.2010 at 05:28)

  4. #14
    Moderator Team member
    Registered since
    25.11.2006
    Posts
    5,602

    Re: Re: Help!

    That error message is in the MBR, or so far I had seen it in MBR code. But not in the copy you sent. Given the mess malware coders have been creating lately anything might occur. For now, see if you can use a type of boot disk, and perhaps not get that error.

    Go here and create a Recovery Console CD. Just click the link (the "Download the package here" link) provided there to download the recovery_console_cd.zip and unzip that to your desktop.

    Then inside the recovery_console_cd folder that created locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system. For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.

    For emergency boot disk uses, as well as to access the Recovery Console, the service pack level is not really a factor.

    Once you have created that, put it in the CD drive and reboot the computer. I will post the steps for that, since they are slightly different from the earlier procedure.


    Load the XP CD into the CD-ROM drive and restart the system. On reboot watch for and agree to any prompts to boot from the CD. If the system only reboots to Windows stop and post back here and we will discuss steps to make changes in the BIOS.

    After the installation software inspects the system and loads all necessary device drivers you will see the "Welcome To Setup" screen, with the following menu:

    This portion of the Setup program prepares Microsoft Windows XP to run on your computer:

    To setup Windows XP now, press ENTER.

    To repair a Windows XP installation using Recovery Console, press R.

    To quit Setup without installing Windows XP, press F3.
    Press "R" to start the Recovery Console setup. After you start the Windows Recovery Console, you receive the following message:

    Microsoft Windows(R) Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log on to
    (To cancel, press ENTER)?
    After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password. If there is none, just press Enter.

    Then follow the previously posted steps to repair the MBR.
    Live the day!

    Jintan - The brand where everything is right!
