[theprodigycmb]

ok 007, here are the next 2 logs you requested. the mbr log when ran from c:/windows...

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4c8ed45 size 0x1ae !
copy of MBR has been found in sector 62 !

it looks the same to me...
and the gmer.log directly after the reboot....

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-15 18:49:39
Windows 5.1.2600 Service Pack 3

---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x4c8ed45 size 0x1ae
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- EOF - GMER 1.0.15 ----


as for why I didnt think the online scanner finished everything, well I lookd at it right before going outside and it was only at 7%. it had been scanning for almost an hour at that point. I was outside long enough to feed my puppy and change his water, lets say 10 minutes, and when I had returned the scan was completed. just felt that if it took an hour to get to only 7%, then how could it complete the scan in such a short time from that point. just didnt make sense to me.

not sure if I had mentioned before, but one of the anti virus scanners I was using had to be removed and uninstalled in the beginning. Fix-it utilities 8. for some reason I could not disable the program, even from the start up menu or from the program itself. it just didnt give me the option. without that program installed, things seem to be running a little faster, but malwarebytes still shows the vundo h. this scanner (fix-it) however could see it and it always reported it as removed successfully, but it still showed with malwarebytes, though it could never remove it either...

thanks again...

[sjb007]

Hi there theprodigycmb

Just to let you know I have not forgetten you....

I am in the process of checking your MBR Boot Record with other experts and will get back to you as soon as permissable.

[theprodigycmb]

do what you've gotta do my friend. appreciate the info.

[sjb007]

Hi there

Your MBR Boot record is clear.

I notice that you have Malwarebytes Antimalware (MBAM) installed
I want you to run a scan for me..
First I want you to update MBAM so we have the latest definitions onboard
Please open Malwarebytes Antimalware
Now click on the update tab
Next - Click on the Check for updates button.

• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
• The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.[/list]

===============================

Please run a fresh scan with combofix. If you get a requester asking to update combofix please allow it to do so.

Post back with both logs in your next reply, also update me on how things are running