Author Topic: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0

lilie

  • Guest
Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« on: April 05, 2008, 08:34:47 PM »
Hi

I use the free Avast Home (familial) edition on a dual-boot Win98SE/XP Pro machine.
I got this problem 10 days ago.
At boot this message comes up:

Quote
Trend ChipAwayVirus has detected a boot virus on your hard disk.

Press <Enter> for more information (recommended)
      <C> to continue booting.

"Complete Virus Protection for the Enterprise"
Trend Micro - http://www.antivirus.com
Pressing Enter produces:
Quote
To prevent the data lost from your computer,
Trend ChipAwayVirus will restart your computer.

Insert a bootable clean floppy disk into the floppy drive
press <r> to restart your system
      <b> to go back previous screen

For more information on viruses visit http://www.antivirus.com
Hmm... R and C:
Quote
If you continue to boot up your system, the virus will be
left in your computer.
Are you sure you want to continue the boot up procedures?

Press <y> to continue to boot anyway.
      <n> to return to previous screen.

For more information on viruses visit http://www.antivirus.com
Y, and the boot goes on. My first idea was that it was junk because of the address. No, it's a redirect to the Trend Micro site http://us.trendmicro.com/us/products/, but there is nothing there to help me.
I found this on Google:
Quote
Trend-Chipaway is antivirus "protection" built into the system BIOS. This can trigger false virus alerts when it doesn't recognise the operating system that you have installed.

It can be disabled by going into the BIOS.
Next locate the Virus Scanning feature. For machines with AMI BIOS, this is under the Advanced menu heading.
For machines with Award BIOS, check the Anti Virus Protection heading.

Locate Trend ChipAway Virus or Anti-virus option and change or toggle its setting to Disable.

Without making any further configuration changes, save the new settings and restart the computer.

Finally, to properly protect your system from viruses, make sure that you have a good antivirus program installed on your computer and that you keep the signature files up to date.
Nothing is fool-proof! Without knowing whether it is real, a false positive or a simple code error, I prefer not to change anything in the BIOS config without very good advice.
Advanced menu, option BIOS Update: [Disabled]
Boot menu, option Boot Virus Detection: [Enabled].

Anyway, at the end of the boot, after XP starts, Avast produces this alarm.

Yes, I am using Avast in French. Sorry for my poor syntax :-)


I tried many things to clear it: scan after scan at boot time, scan in safe mode, SmitFraudFix, ComboFix, SDFix. I use Spybot and ASquare too.

I felt something was wrong with the Avast rootkit detection, and that led me to make a bad move.


My PC is a P4 on an Asus P4B, 640 MB SDRAM, with 2 disks.
A 40 GB FAT disk with partitions C (Win98SE), D, E
A 120 GB FAT disk, F (XP Pro), G, H, I, J, K, L (CD-RW), M (CD), N



My boot.ini starts XP Pro by default after 30 seconds of waiting.
Quote
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
C:\ = "Microsoft Windows"
I never touched this file, but my default start was XP, not Win98. Is that OK or not?

I am a PC user with 4 years of self-training.
Your help will be very much appreciated.

 :)


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #1 on: April 05, 2008, 08:39:17 PM »
Well, did you try the "Remove" option from the avast! warning window?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #2 on: April 05, 2008, 08:43:12 PM »
Quote
I felt something was wrong with the Avast rootkit detection, and that led me to make a bad move.
I'm not sure I'm reading you correctly: now you can boot, but avast is showing you an error?
Which was your 'bad move'?

Quote
I never touched this file, but my default start was XP, not Win98. Is that OK or not?
If you want XP as the default, no problem. You're using two disks, Windows 98 on the first (C:\) and XP on the second, with the boot sector on the first disk.

What help do you need, now?
The best things in life are free.

lilie

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #3 on: April 05, 2008, 09:30:04 PM »
Hi

@ Igor
I accepted the Remove option from Avast a few times.
Avast does the scan but finds nothing.

Avast has a (big) problem there, I think. The Avast scanner works after the Win98/XP choice.
It does not work before.
When Avast scans, it is after the POST and before the Win98/XP boot choice.
Edit: sorry!

It's too late. The Trend ChipAwayVirus message is already on!
I have to choose which system I want to use after this Trend message.



@Tech
Yes, now I can boot, but Avast is showing me an error.
The boot.ini is OK.

I need help resolving this Trend antivirus message and the Avast alarm.


Avast received a program update.
Now, after a reboot, Avast doesn't give me the rootkit alarm.


I found this under Standard. My config was changed for that.


The lines are:
Quote
?.\PAGEFILE.SYS
*.TXT
*.LOG
*.INI
F:\WINDOWS\TEMP\*.TMP
*\AVAST4_\UNP*.TMP
F:\WINDOWS\WINSXS\*.MANIFEST
F:\WINDOWS\WINSXS\*CAT
F:\WINDOWS\WINSXS\*.POLICY
F:\WINDOWS\CSC\*.TMP
F:\WINDOWS\CSC\?0??????  (forum smiley bug: it is six question marks)
*\EDB.CHK

Why? How can Avast scan all the files?

@+

« Last Edit: April 05, 2008, 09:48:46 PM by lilie »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #4 on: April 05, 2008, 09:36:01 PM »
Well, I may be wrong, but I think your disk is infected by MBR rootkit - and avast! is detecting it.
Whether the removal didn't work, or there's another, undetected, file on your computer which writes the MBR rootkit back each time it's started (on Windows startup)... I don't know.

You may also try to run GMER to see if it gives similar results.
« Last Edit: April 05, 2008, 09:37:41 PM by igor »

psw

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #5 on: April 05, 2008, 10:05:53 PM »
There is the following note about GMER in the topic about the MBR rootkit http://forum.sysinternals.com/forum_posts.asp?TID=13179&PID=66904#66904
Quote
We have noticed that GMER didn't check other physical disks except current for Master Boot Record modification
In this case the system is loading from rdisk(1). Which disk is checked for the rootkit by avast?

lilie

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #6 on: April 05, 2008, 10:10:16 PM »
Thanks for the help  :)

I edited my previous post with a better explanation of the boot.

"Bad move": Avast scanned a few times with the 'Delete file' setting for bad files.

 
Quote
Well, I may be wrong, but I think your disk is infected by MBR rootkit - and avast! is detecting it.
Whether the removal didn't work, or there's another - undetected - file on your computer which writes the MBR rootkit back each time it's started (on windows startup)... don't know.
Question: does the Avast antirootkit need to write the MBR?

Gmer is on my machine.




I attached a log.
Give me some settings for GMER. I know the program, but not well.

 :)
« Last Edit: April 05, 2008, 10:34:34 PM by lilie »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #7 on: April 05, 2008, 10:43:44 PM »
Quote
Question: does the Avast antirootkit need to write the MBR?
Write? Under normal conditions, no.
But when cleaning, avast may need to write (clean) the MBR.
The best things in life are free.

lilie

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #8 on: April 07, 2008, 11:47:53 PM »
Hi

Do any of you know what 17EC5708-0428-4BDD-A207-3D5B70DA376F and D4ED3582-25EF-4AB0-934B-6530402E31CE are?

I found many keys in the registry:

Quote
HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#PCI#VEN_1186&DEV_1002&SUBSYS_10401186&REV_12#4&122329e2&0&60F0#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{17EC5708-0428-4BDD-A207-3D5B70DA376F}

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{17EC5708-0428-4BDD-A207-3D5B70DA376F}

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Services\Dhcp\Parameters{17EC5708-0428-4BDD-A207-3D5B70DA376F}

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Services\NetBT\Parameters\Interfaces\Tcpip_{17EC5708-0428-4BDD-A207-3D5B70DA376F}

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Services\PSched\Parameters\Adapters\{17EC5708-0428-4BDD-A207-3D5B70DA376F}

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Services\RemoteAccess\Interfaces\2InterfaceName

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Services\Tcpip\Parameters\Adapters\{17EC5708-0428-4BDD-A207-3D5B70DA376F}

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{17EC5708-0428-4BDD-A207-3D5B70DA376F}

HKEY_LOCAL_MACHINE
SYSTEM\ControlSet002\Services\{17EC5708-0428-4BDD-A207-3D5B70DA376F}



HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0010NetCfgInstanceId

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#SW#{48926476-2cae-4ded-a86e-73ddebed6779}#NDISIP#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{D4ED3582-25EF-4AB0-934B-6530402E31CE}

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D4ED3582-25EF-4AB0-934B-6530402E31CE}

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{D4ED3582-25EF-4AB0-934B-6530402E31CE}

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\RemoteAccess\Interfaces\3InterfaceName

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{D4ED3582-25EF-4AB0-934B-6530402E31CE}

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D4ED3582-25EF-4AB0-934B-6530402E31CE}

HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\{D4ED3582-25EF-4AB0-934B-6530402E31CE}
And more keys  >:(


Edit
Some more...
Quote
{35D2328C-B75A-81BF-081C-B1E9DC54F3EE}
http://www.castlecops.com/tk42782-wlcstd32_dll.html

{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}
Downloader trojan causing false spyware warnings - member of the FakeAlert aka SmitFraud malware family. Detected by Kaspersky antivirus as FraudTool.Win32.XPAntivirus.h
http://www.castlecops.com/tk41417-ieobj_dll.html

{B5AF0562-94F3-42BD-F434-2604812C797D}
Parasite, detected by Kaspersky antivirus as Trojan-Downloader.Win32.Small.ddx
http://www.castlecops.com/tk39888-random_filenames_example_Frjkfl4g_dll.html

I think it's a mutation of an old infection, 2008-02-23


@+
 
« Last Edit: April 08, 2008, 03:00:18 AM by lilie »

n8p

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #9 on: April 10, 2008, 04:16:52 PM »
HELP!!! HELP!!! HELP!!!

I also got this virus.

After rebooting the computer and scanning with Avast!,
the message is also shown on the desktop.

HOW TO remove this virus!!!!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #10 on: April 11, 2008, 12:52:56 AM »
Quote
HELP!!! HELP!!! HELP!!!
After rebooting the computer and scanning with Avast!,
the message is also shown on the desktop.
HOW TO remove this virus!!!!
I suggest:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

n8p

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #11 on: April 14, 2008, 04:09:04 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:48:25 PM, on 2008/4/14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\桌面\software\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Tuotu] C:\Program Files\Tuotu\Tuotu.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.netvigator.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.dbay.hk/cgi-bin/AxisCamControl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CE33121-DA0D-46CF-BAA1-D66417D5496E}: NameServer = 218.102.62.71 205.252.144.126
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

n8p

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #12 on: April 14, 2008, 04:09:29 PM »
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

--
End of file - 10960 bytes
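A small parser for the log format above, added here as an example; it is not part of the thread and not HijackThis's own code. It turns the O-lines into records and applies three of the checks a responder normally does by hand on such a log: O4 autoruns given without a directory (they are resolved through the search path, so the real file has to be located before it can be hashed), O16 ActiveX downloads from hosts outside an allowlist, and the O17 NameServer entries, which should be confirmed against the ISP. The sample lines are constructed in the shape of the log above, the allowlist (microsoft.com only) is an assumption, and a flag is a prompt to verify, not a verdict: nothing on this page establishes that any of these entries is malicious.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample, shaped like the HijackThis log in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CE33121-DA0D-46CF-BAA1-D66417D5496E}: NameServer = 218.102.62.71 205.252.144.126
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Entry:
    tag: str      # "O2", "O4", ...
    fields: dict  # parsed pieces; which keys exist depends on the tag
    raw: str


@dataclass
class Finding:
    tag: str
    reason: str
    raw: str


# One pattern per line type this example understands; other O-lines are kept unparsed.
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"),
    "O4":  re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)"),
    "O17": re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


def parse_hjt(text):
    """Return one Entry per O-line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"^(O\d+) - ", line)
        if not head:
            continue
        tag = head.group(1)
        pat = PATTERNS.get(tag)
        match = pat.match(line) if pat else None
        fields = match.groupdict() if match else {"body": line[len(tag) + 3:]}
        entries.append(Entry(tag, fields, line))
    return entries


def executable_of(cmd):
    """Program part of an O4 command: the quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries, trusted_cab_domains=("microsoft.com",)):
    """Apply the three review rules described in the lead-in; the allowlist is an assumption."""
    findings = []
    for e in entries:
        f = e.fields
        if e.tag == "O4" and "cmd" in f:
            exe = executable_of(f["cmd"])
            if "\\" not in exe:  # bare name: resolved via the search path, so locate and hash it
                findings.append(Finding("O4", f"PATH-resolved autorun '{exe}': locate the file and hash it", e.raw))
        elif e.tag == "O16" and "url" in f:
            host = urlparse(f["url"]).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in trusted_cab_domains):
                findings.append(Finding("O16", f"ActiveX download from {host}: verify the control is wanted", e.raw))
        elif e.tag == "O17" and "servers" in f:
            servers = ", ".join(f["servers"].split())
            findings.append(Finding("O17", f"DNS servers {servers}: confirm they belong to your ISP", e.raw))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{finding.tag}: {finding.reason}\n    {finding.raw}")
```

Feed it the whole saved log instead of SAMPLE_LOG to get the same three lists for a real machine; anything it flags still has to be checked by hand, and a clean run does not clear the box, since the MBR problem discussed in this thread lives below anything HijackThis lists.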

n8p

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #13 on: April 16, 2008, 05:17:34 PM »
Any solution to solve this????


n8p

  • Guest
Re: Trend ChipAwayVirus + MBR:\\PHYSICALDRIVE0
« Reply #14 on: April 21, 2008, 04:06:30 PM »
I used the MBR rootkit detector; the result is:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x1d1c06c0 size 0x1ca !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


Can you help me with how to use "mbr.exe -f" to fix it???
 ??? ??? ??? ???
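A worked illustration of the two lines in the detector output above ("MBR rootkit code detected" and "copy of MBR has been found in sector 62") and of igor's earlier remark that what avast! is flagging is the disk's MBR. This is an added example written for this page, not GMER's mbr.exe nor any avast! code, and it does not claim to reproduce what "mbr.exe -f" does internally: the image layout, the dummy boot code, the sector-62 placement and the rule for recognising a stashed copy (a sector that carries the 0x55AA signature and the same partition table as sector 0 but different boot code) are all this example's own assumptions. It runs against a constructed disk image; on Windows the same functions accept `\\.\PhysicalDrive0` when run as administrator, and, per psw's note, you would run it against every physical disk, since XP here boots from rdisk(1). The repair function should only be used after saving a raw copy of sector 0.

```python
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 of the MBR hold the boot code
PART_TABLE_OFF = 446         # then four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class MbrCheck:
    boot_code_sha256: str     # hash of sector 0's boot code, to compare with a known-good value
    first_partition_lba: int  # sectors 1..first-1 are the gap where an original MBR can be stashed
    backup_sectors: list      # gap sectors holding an MBR copy whose boot code differs from sector 0
    suspicious: bool


def read_sector(f, lba):
    f.seek(lba * SECTOR)
    data = f.read(SECTOR)
    if len(data) != SECTOR:
        raise EOFError(f"short read at LBA {lba}")
    return data


def partition_table(sector):
    return sector[PART_TABLE_OFF:PART_TABLE_OFF + 64]


def first_partition_lba(mbr):
    starts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        ptype, start = entry[4], struct.unpack_from("<I", entry, 8)[0]
        if ptype and start:
            starts.append(start)
    return min(starts) if starts else 0


def looks_like_mbr_copy(sector, mbr):
    # Heuristic (this example's assumption): a stashed original keeps the 0x55AA signature and
    # the same partition table as sector 0, since the loader leaves the table intact so the OS boots.
    return sector[510:512] == MBR_SIGNATURE and partition_table(sector) == partition_table(mbr)


def check_mbr(path, known_good_sha256=None):
    # path: a disk image, or r"\\.\PhysicalDrive0" on Windows (administrator rights needed).
    with open(path, "rb") as f:
        mbr = read_sector(f, 0)
        if mbr[510:512] != MBR_SIGNATURE:
            raise ValueError("sector 0 carries no MBR signature")
        first = first_partition_lba(mbr)
        backups = []
        for lba in range(1, first):
            sec = read_sector(f, lba)
            if looks_like_mbr_copy(sec, mbr) and sec[:BOOT_CODE_LEN] != mbr[:BOOT_CODE_LEN]:
                backups.append(lba)
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    mismatch = known_good_sha256 is not None and digest != known_good_sha256
    return MbrCheck(digest, first, backups, bool(backups) or mismatch)


def restore_boot_code(path, backup_lba):
    """Copy the boot code found at backup_lba back into sector 0, keeping sector 0's own
    partition table. This is the example's repair step, not a description of mbr.exe -f."""
    with open(path, "r+b") as f:
        mbr = read_sector(f, 0)
        backup = read_sector(f, backup_lba)
        if not looks_like_mbr_copy(backup, mbr):
            raise ValueError(f"LBA {backup_lba} is not a consistent MBR copy")
        fixed = backup[:BOOT_CODE_LEN] + mbr[BOOT_CODE_LEN:]
        f.seek(0)
        f.write(fixed)
    return fixed


def build_demo_image(path, infected):
    """Constructed 64-sector image: dummy boot code, one FAT32 partition starting at LBA 63.
    When infected, sector 0's boot code is replaced and the original sector is stashed at LBA 62."""
    clean_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
    entry = bytes([0x80, 1, 1, 0, 0x0c, 0xfe, 0xff, 0xff]) + struct.pack("<II", 63, 63 * 1024)
    mbr = clean_code + entry + b"\x00" * 48 + MBR_SIGNATURE
    image = bytearray(mbr) + bytearray(SECTOR * 63)
    if infected:
        image[0:BOOT_CODE_LEN] = b"\xeb\xfe" + b"\xcc" * (BOOT_CODE_LEN - 2)  # stand-in loader
        image[62 * SECTOR:63 * SECTOR] = mbr
    with open(path, "wb") as f:
        f.write(image)
    return hashlib.sha256(clean_code).hexdigest()  # the known-good hash for this image


def demo():
    """Infect a scratch image, detect, repair, re-check, then check a clean image."""
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as tmp:
        path = tmp.name
    try:
        good = build_demo_image(path, infected=True)
        before = check_mbr(path, good)
        restore_boot_code(path, before.backup_sectors[0])
        after = check_mbr(path, good)
        build_demo_image(path, infected=False)
        clean = check_mbr(path, good)
    finally:
        os.remove(path)
    return before, after, clean


if __name__ == "__main__":
    for label, r in zip(("infected", "repaired", "clean"), demo()):
        print(label, "suspicious" if r.suspicious else "ok", "copies at", r.backup_sectors)
```

A known-good hash only means something if it was taken from the same machine while it was clean; without one, the check relies on the stashed-copy heuristic alone, and a loader that keeps its copy elsewhere (or none at all) would not be caught by it.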