The wave bar in my Volume control keeps going down (with correct logs)

Posted in: Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

Old 07-15-2010, 05:43 AM   #1
stisen (Registered Member; Join Date: Aug 2007; Posts: 50; OS: Windows 7 Ultimate 64-bit)

Hey there,

As the title says, every 5-10 minutes the wave bar in my volume control goes down, without my permission or interference. Can you help me resolve this problem?

- I do not have access to a Windows Install disc, or a Boot CD.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:52:35.84 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.765.196 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
svchost.exe 4
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
svchost.exe 4
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [zCpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: danskebank.dk
DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} - hxxps://netbank.danskebank.dk/html/activex/DB/Menu.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266433746118
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266433725399
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\sn8ls779.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15158&locale=en_EU&apn_uid=27D1B282-91C0-4B4B-9330-2E590D07EF14&apn_ptnrs=UG&apn_sauid=F774DB48-0433-4EA5-9662-44CC2FE3D087&apn_dtid=&q=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-2-17 189448]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-17 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-17 56816]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-2-17 113536]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-2-17 228408]

=============== Created Last 30 ================

2010-07-14 14:42:34 0 d-----w- c:\program files\Trend Micro
2010-07-13 18:15:51 0 d-----w- c:\windows\pss
2010-07-13 17:19:29 4874 ----a-w- c:\windows\system32\tmp.reg
2010-07-13 15:02:48 110467 ----a-w- c:\windows\War3Unin.dat
2010-07-13 15:02:45 2829 ----a-w- c:\windows\War3Unin.pif
2010-07-13 15:02:45 139264 ----a-w- c:\windows\War3Unin.exe
2010-07-11 17:45:32 0 d-----w- c:\docume~1\admini~1\applic~1\My Games
2010-07-11 17:28:55 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-07-11 17:28:55 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-07-11 17:28:55 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-07-11 17:28:55 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-07-11 17:28:54 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-07-11 17:16:07 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2010-07-11 17:16:07 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2010-07-11 16:32:33 0 d-----w- c:\program files\Firaxis Games
2010-07-11 14:13:09 0 d-----w- c:\program files\SystemRequirementsLab
2010-07-07 15:48:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-21 22:51:24 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2010-06-21 22:47:29 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 09:47:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 09:47:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-02-17 15:31:41 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010021720100218\index.dat

============= FINISH: 16:53:01.07 ===============
Attached file: Attach.zip (5.9 KB)

Old 07-15-2010, 10:25 AM   #2
CatByte (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; Join Date: Jan 2009; Location: Canada; Posts: 8,703; OS: XP, Vista, Win7)

Hi,

Please do the following:


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



NEXT


Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.

__________________
Microsoft MVP 2010, 2011, 2012, 2013
Old 07-16-2010, 07:11 AM   #3
stisen

I have downloaded ComboFix and done everything you told me. It gets through all the stages (1-50) and tells me it's complete. Right after that I get the "blue screen of death"...

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size     Device Name           MBR Status
--------------------------------------------
149 GB   \\.\PhysicalDrive0    Error reading raw MBR!

Done! Press ENTER to exit...


What do I do from here?
Old 07-16-2010, 08:03 AM   #4
CatByte

Hi,

Your MBR couldn't be read. Can you please advise what type of disk you have: a SCSI disk or some other type?

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy, but rename it to combo.com before saving it to your desktop.

Then boot into safe mode and run it there. If ComboFix reboots your computer, make sure you boot back into safe mode so it can create a log.

Link 1


How to enter safe mode:

  • Go to Start > Shut off your Computer > Restart.
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the up and down arrow keys to scroll to Safe Mode, then press Enter.
  • Log into your usual account.

Make sure file extensions are showing, or you will end up with combo.com.exe:
  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Click Apply, and then click OK.
Old 07-16-2010, 08:26 AM   #5
CatByte

Hi,

Please do the following:
  1. Go to Start->Run and type in notepad and hit OK.
  2. Then copy and paste the content of the following codebox into Notepad:

    Code:
    script removed
  3. Save the file to your DESKTOP as "find.bat". Make sure to save it with the quotes.
  4. Once saved, the icon to click should look like this on your desktop:


  5. Double click find.bat to run it. A small black box should open and close; this is normal.


A zipped file called Attach_this.zip will be created on your desktop.

Please upload that file here.
Old 07-16-2010, 08:27 AM   #6
stisen

Ok, that worked. I have added the log to this message.

In Device Manager it says that my disk is a SCSI/RAID Host Controller. I also noticed that there is a question mark on it, which usually isn't there. Should I reinstall the drivers for it?
Attached file: log.txt (17.3 KB)
Old 07-16-2010, 08:30 AM   #7
stisen

The new log you wanted:
Attached file: Attach_this.zip (654 Bytes)
Old 07-16-2010, 09:05 AM   #8
CatByte

Are you able to access the Recovery Console?

When you first boot up you will have an option of which OS to log into. You will only have a couple of seconds before your OS starts loading, so be quick.

Arrow up to Recovery Console, choose Windows (1) and let me know if it loads.

If it doesn't, please try updating the drivers with the warning triangles and then try it again.

Thanks, let me know how that goes.
Old 07-17-2010, 02:15 AM   #9
stisen

I tried the Recovery Console. After I hit Enter, the cursor just blinks in the top left corner. I waited 30 minutes, but nothing happened. Does it take that long?

To be honest I'm not sure what drivers to use for the disk. I have attached a picture of what my Device Manager looks like. Is it a serious problem, and can it cause my problems?
Attached image: Device Manager.JPG (41.8 KB)
Old 07-17-2010, 03:16 AM   #10
CatByte

Hi

we will deal with your driver issue after, but first we need to fix your MBR

(NOTE TO GUESTS READING THIS TOPIC: This fix is specifically designed for this user - DO NOT attempt this fix on your own machine - start a new topic of your own)

Please do the following:

Please download MBRFix and save it to your desktop.

(you will need to scroll down the page a bit before you see the download link)

Extract the files to their own folder.


Then do the following:
  1. Go to Start->Run and type in notepad and hit OK.
  2. Then copy and paste the content of the following codebox into Notepad:

    Code:
    script removed
  3. IMPORTANT! Save the file to the same folder MBRFix was extracted to.
  4. Save it as "check.bat".

    Make sure to save it with the quotes.
  5. Once saved, the icon to click should look like this in the folder:


  6. Double click check.bat to run it. A small black box should open and close; this is normal.


    A zipped file called AttachThisB.zip will be created on your desktop

    please attach it to your next reply.
Old 07-17-2010, 04:12 AM   #11
stisen

Ok here it is:
Attached file: AttachThisB.zip (666 Bytes)
Old 07-17-2010, 05:40 PM   #12
CatByte

Hi,

Your MBR is infected and it needs to be fixed before Windows loads the infection:


Please follow these instructions carefully.

You will need a CD to burn a boot disk

First if you don't have a utility that can burn an .iso file to disk please download this one from here:

Install this .iso burner on your machine first.


NEXT


1) Download this file

2) Click it and it shall create an ISO for you for which you need to burn to CD (double click the iso file the IsoBurner will step you through the burning process)

3) Once you have the boot disk created, boot the machine using the bootable CD (make sure your computer is set to boot from CD first - press F9 on start up and choose CD as the first boot device)

As long as you boot your machine using that CD, the MBR-based infection that you have cannot be loaded, so we can fix the infection.

Now please do the following:
  1. Go to Start->Run and type in notepad and hit OK.
  2. Then copy and paste the content of the following codebox into Notepad:

    Code:
    @ECHO OFF
    REM Write standard Windows boot code to the MBR of physical drive 0
    REM (/YES skips MBRFix's confirmation prompt).
    MBRFIX /DRIVE 0 FIXMBR /YES
    ECHO.&ECHO.A reboot is required&ECHO.&PAUSE
    REM Delete this batch file once it has run.
    DEL %0
  3. IMPORTANT! Save the file to the same folder MBRFix was extracted to.
  4. Save it as "check.bat".

    Make sure to save it with the quotes.
  5. Once saved, the icon to click should look like this in the folder:


  6. Double click check.bat to run it. A small black box should open and close; this is normal.



Please reboot your machine and start Windows normally.

Let me know how that goes.

Now re-run MBRCheck as we did initially for a status check and post the resulting log.
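What the "raw MBR" read by MBRCheck and the fix above are dealing with, as an added example that is not part of the thread and is not the code of MBRCheck or MBRFix: the script below parses a 512-byte Master Boot Record, validates the 0x55AA signature and the partition table (status bytes, exactly one active partition, no overlapping entries), and compares the 440 bytes of boot code against a reference copy such as a backup of the clean sector. The function and constant names, the `\\.\PhysicalDrive0` device path in `read_raw_mbr`, and both sample sectors are assumptions constructed for the example. It also shows why the reference comparison matters and why the fix is run after booting from separate media: a bootkit keeps the table and signature intact so the disk still boots, and one that hooks the disk driver stack can hand a clean sector back to a reader running under the infected Windows.

```python
"""Sanity-check a raw 512-byte Master Boot Record.

Added example for this thread; it is not the code of MBRCheck or MBRFix.
Layout assumed is the classic MBR: 440 bytes of boot code, a 6-byte disk
signature/reserved area, four 16-byte partition entries at offset 446 and
the 0x55AA boot signature at offset 510. The sample sectors are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439: bootstrap code, the part a bootkit replaces
PART_TABLE_OFF = 446    # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55 0xAA marks a valid boot sector
PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def read_raw_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (administrator rights needed on Windows).

    Caveat: a bootkit that hooks the disk driver stack can return a clean
    sector to user-mode readers, so only a read taken after booting from
    clean media is trustworthy.
    """
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partitions(mbr):
    """Return the four partition entries as dicts, empty slots included."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, reference_boot_code=None):
    """Return a list of findings; an empty list means nothing looked wrong.

    Structural checks (signature, status bytes, one active partition, no
    overlapping partitions) catch a damaged table. Replaced boot code can
    only be caught by comparing against a reference copy, because a bootkit
    keeps the table and signature intact so the disk still boots.
    """
    if len(mbr) != SECTOR_SIZE:
        return [f"short read: {len(mbr)} bytes (expected {SECTOR_SIZE})"]
    findings = []
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x}")
    used = [p for p in parts if p["type"] != 0]
    active = [p for p in used if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partitions overlap at LBA {start2}")
    if reference_boot_code is not None and mbr[:BOOT_CODE_LEN] != reference_boot_code[:BOOT_CODE_LEN]:
        digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
        findings.append(f"boot code differs from reference (sha256 {digest[:16]}...)")
    return findings


def build_sample_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed stand-in for a backup of the clean boot code (the real thing
# would be the first 440 bytes of a known-good sector saved earlier).
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x90")
# One active NTFS partition starting at LBA 63, sized like a 149 GB disk (constructed).
PARTITIONS = [(0x80, 0x07, 63, 312475648)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# Constructed "infected" sector: boot code swapped, table and signature untouched,
# so the structural checks pass and only the reference comparison flags it.
INFECTED_MBR = build_sample_mbr(bytes([0xEB, 0xFE]).ljust(BOOT_CODE_LEN, b"\xCC"), PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(sector, CLEAN_BOOT_CODE) or "OK")
```

Run check_mbr on the sector read under the running Windows and again on the same sector read after booting from clean media; if the two reads differ, or only the clean-boot read fails the reference comparison, the running system is filtering what user-mode tools see, which is consistent with the "Error reading raw MBR!" result above being unreliable on its own.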
Old 07-18-2010, 04:13 AM   #13
stisen

I'm doing as you are writing. It tells me the burning was successful, but it won't boot from the disc and when I open the CD there is nothing on it. Can I make the boot disc in another way? Maybe with a USB?
Old 07-18-2010, 05:21 AM   #14
CatByte

I will need to look into that, let me check.

When you download the file and double click on it, how large is burnthis.iso? (Right-click the file > Properties; it should tell you the size.)
Old 07-18-2010, 05:58 AM   #15
stisen

It's 1.76 MB.
Old 07-18-2010, 10:30 AM   #16
CatByte

Hi,

That is correct. If you look at the properties of the CD you burned, you will see the size is the same, 1.76 MB; you won't see any files on the CD.

If you heard your system booting from the CD (i.e. the drive was whirring and the light was flickering) then yes, you were actually booting from the CD; your Windows desktop should have loaded normally.

Now you can go ahead and run that batch to fix the infected MBR.

When that is done, reboot normally.

Run MBRCheck as we did initially to get a status check and post the results.

Note: did you see this message when booting with the CD: "Searching for Boot record from CDROM"?
Old 07-19-2010, 07:13 AM   #17
stisen

Hi again,

You are right, the CD has 1.76 MB of used space.

When my computer starts the drive is whirring and the light goes on, but I don't know if it is booting from it, as it doesn't explicitly show the usual "Searching for Boot record" message which you mentioned.

I ran the batch again, but it gives an error message that it can't recognize the program as a batch file, operational file etc. I have run MBRCheck and the result is:

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size     Device Name           MBR Status
--------------------------------------------
149 GB   \\.\PhysicalDrive0    Error reading raw MBR!

Done! Press ENTER to exit...
Old 07-19-2010, 07:15 AM   #18
stisen

Btw, funnily enough, when I boot from the CD, the wave bar doesn't go down. Don't know if you can use that for anything?
Old 07-19-2010, 09:11 AM   #19
CatByte

Did you save the batch file in the same folder as MBRFix, as we did before? Otherwise it won't work.
Old 07-19-2010, 01:51 PM   #20
stisen

Yeah, sorry, you are right, I didn't...

Now I have done it with the batch file in the same folder as MBRFix, which seemed to make it work as intended. I got this result:

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size     Device Name           MBR Status
--------------------------------------------
149 GB   \\.\PhysicalDrive0    Error reading raw MBR!

Done! Press ENTER to exit...

So I guess it didn't work?

 

Copyright 2001 - 2014, Tech Support Forum