Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


multiple iexplore.exe processes+Win32/Patched.DX

  • This topic is locked This topic is locked
8 replies to this topic

#1 MDais


  • Members
  • 4 posts
  • Local time:02:47 AM

Posted 24 July 2010 - 01:42 PM

Hello. I got infected with a few things I can't seem to remove with malwarebytes, SAS, AVG, etc.

Multiple iexplore.exe processes run in the background when IE isn't running, complete with background clicking and audio ads. It keeps respawning when I kill it. There are some other suspicious processes in the Task Manager too(ex:wscntfy.exe).

AVG detected Win32/Patched.DX in disk.sys in C:/windows/system32/drivers but hasn't been able to remove it. Something just corrupted AVG's installation too. I think one of these has downloaded other stuff.

I can't boot into Safe Mode to fix anything either, as it hangs up during the boot. I'm not sure if this is malware-related as it's been like this for awhile. Normal boot seems to work fine for now though.

I would appreciate any assistance in removing these infections. Thanks. Here is the DDS and GMer logs.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jonathan at 12:58:18.35 on Sat 07/24/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.259 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe 4
C:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe 4
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\NetWaiting\otherh\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ZyXEL\ZyXEL G-220 v2 Wireless Adapter Utility\ZyXEL G-220 v2.exe
C:\Documents and Settings\Jonathan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: SuperAdBlockerBHO Class: {00000000-6c30-11d8-9363-000ae6309654} - c:\program files\superadblocker.com\super ad blocker\SABBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Super Ad Blocker Toolbar: {b4b3001e-0f56-4e51-8250-bde11547ec55} - c:\program files\superadblocker.com\super ad blocker\sabtb.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Steam] "c:\program files\valve\steam\Steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\jonathan\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SuperAdBlocker] c:\program files\superadblocker.com\super ad blocker\SAdBlock.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [VirtualCloneDrive] "c:\program files\netwaiting\otherh\virtualclonedrive\VCDDaemon.exe" /s
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [felmrrof] c:\documents and settings\localservice\local settings\application data\kslgvjihq\uvsydixtssd.exe
dRun: [rjcmdnxe] c:\documents and settings\localservice\local settings\application data\bgvfuplqt\ibusuuttssd.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel\zyxel g-220 v2 wireless adapter utility\ZyXEL G-220 v2.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: hotmail.com
Trusted Zone: live.com
Trusted Zone: msn.com
Trusted Zone: passport.com
Trusted Zone: verizon.net\www
Trusted Zone: musicmatch.com\online
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SABWinLogon - c:\program files\superadblocker.com\super ad blocker\SABWINLO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000d7} - c:\program files\superadblocker.com\super ad blocker\SABSEHB.DLL
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonathan\applic~1\mozilla\firefox\profiles\3a0moo62.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\jonathan\application data\mozilla\firefox\profiles\3a0moo62.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\jonathan\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-9 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-11-4 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 394952]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-9 297752]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-12-20 19072]
S1 SABDIFSV;SABDIFSV;c:\program files\superadblocker.com\super ad blocker\sabdifsv.sys [2005-9-21 5632]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\anime\sabkutil.sys --> c:\program files\anime\SABKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-9 908056]
S3 aaudstum;aaudstum;\??\c:\docume~1\jonathan\locals~1\temp\aaudstum.sys --> c:\docume~1\jonathan\locals~1\temp\aaudstum.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [2009-6-6 402944]

=============== Created Last 30 ================

2010-07-24 16:10:41 0 ----a-w- c:\documents and settings\jonathan\defogger_reenable
2010-07-24 06:53:01 161280 ----a-w- C:\rmsality.exe
2010-07-24 06:43:36 525824 ----a-w- C:\dds.scr
2010-07-24 06:43:18 50477 ----a-w- C:\Defogger.exe
2010-07-21 21:36:44 6153376 ----a-w- C:\mb.exe
2010-07-21 20:42:35 2396859 ----a-w- C:\MGtools.exe
2010-07-21 20:42:12 464491 ----a-w- C:\RootRepeal.zip
2010-07-21 20:41:41 3739807 ----a-w- C:\ComboFix.exe
2010-07-21 20:26:04 50688 ----a-w- C:\ATF-Cleaner.exe
2010-07-21 06:01:45 0 d-----w- c:\docume~1\jonathan\applic~1\SuperAdBlocker.com
2010-07-21 06:00:38 0 d-----w- c:\program files\SuperAdBlocker.com
2010-07-21 05:59:21 6322200 ----a-w- C:\SuperAdBlocker.exe
2010-07-21 05:21:57 936392 ----a-w- C:\prevxcsifree.exe
2010-07-21 04:20:04 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-07-20 17:23:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-07-20 17:23:36 0 d-----w- c:\program files\Security Task Manager
2010-07-20 17:22:54 1709408 ----a-w- C:\taskmanager17.exe
2010-07-14 01:40:58 0 d-----w- c:\program files\Iffermoon
2010-07-13 21:44:25 38412802 ----a-w- C:\FSDemo.exe

==================== Find3M ====================

2010-07-24 07:41:33 2441864 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-24 07:41:33 210274336 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-21 04:47:32 94208 ----a-w- c:\windows\DUMP76d5.tmp
2010-07-20 14:48:13 94208 ----a-w- c:\windows\DUMP6590.tmp
2010-07-18 17:55:03 94208 ----a-w- c:\windows\DUMP638c.tmp
2010-05-28 17:17:06 94208 ----a-w- c:\windows\DUMP79a4.tmp
2010-05-27 01:03:29 83981735 ----a-w- C:\Dreamscape.exe
2007-12-05 03:42:04 21321008 ----a-w- c:\program files\QuickTimeInstaller.exe
2006-12-17 00:57:08 662817 ----a-w- c:\program files\Internet Explorer.zip
2006-09-12 21:35:18 637666 ----a-w- c:\program files\uTorrent-1.6-install.exe
2006-08-31 23:06:12 3345634 ----a-w- c:\program files\BitTornado-0.3.7-w32install.exe
2006-08-29 23:06:02 5037072 ----a-w- c:\program files\spybotsd14.exe
2006-08-29 01:05:13 5928552 ----a-w- c:\program files\winzip100.exe
2006-08-29 01:04:24 370305 ----a-w- c:\program files\Ahrimans-Prophecy-Strategy-Guide.zip
2006-08-28 04:42:25 5743211 ----a-w- c:\program files\Combined-Community-Codec-Pack-2006-07-28.exe
2006-08-27 22:06:59 88 --sh--r- c:\windows\system32\3665A567C7.sys
2008-03-05 03:25:23 56 --sh--r- c:\windows\system32\C767A56536.sys
2008-03-05 03:25:23 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:00:41.10 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 24 July 2010 - 03:41 PM

Good evening. smile.gif

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to enter Y or N.
  • Enter n and then when prompted press <ENTER> to exit.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.

So long, and thanks for all the fish.



#3 MDais

  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:47 AM

Posted 24 July 2010 - 06:54 PM

Alright, here you go.

MBRCheck, version 1.1.1

© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status


74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 25 July 2010 - 02:13 PM

Good evening. smile.gif

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufactures can have different Master Boot Records and overwriting the MBR with a standard one may result in the PC becoming unbootable.
While this won't actually physically break anything and you can reinstall the Operating System from a disc, if you have one, the existing installation of Windows will be unusable.
On the plus side, i've not had one PC become unbootable while carrying out this fix; on the negative side, that is based on a grand total of two machines.

Sadly I can't say whether the fix will behave itself on your PC or not, so you'll have to decide what you want to do and let me know.

If you do choose to go ahead, please let me have the make and model of your PC and i'll check into the possibility of a non-standard MBR before we proceed. Please understand however that there will be no guarantees either way with this, i'm afraid.

So long, and thanks for all the fish.



#5 MDais

  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:47 AM

Posted 26 July 2010 - 04:35 PM

Well, I can't exactly leave it on there. I have the Windows XP re-installation disc/recovery console. Doesn't that have an MBR repair option on it, or do I need to do something else?

Will this fix do anything to my non-system files, or is my data safe?

My PC is a Dell Dimension DM051.

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 26 July 2010 - 05:10 PM

Good evening. smile.gif

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.



#7 MDais

  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:47 AM

Posted 26 July 2010 - 09:52 PM

Partition ID: Disk #0, Partition #0
Size: 47.03 MB


Partition ID: Disk #0, Partition #1
Size: 71.35 GB

The computer boots from this partition.


Partition ID: Disk #0, Partition #2
Size: 3.1 GB


BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A05
Status: OK

This is the primary BIOS.


#8 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 27 July 2010 - 02:57 PM

Good evening. smile.gif

Not good news i'm afraid, as your Dell uses a customised MBR. From what I understand of Dell PCs, the Dell System Restore utility is accessed via the MBR. Writing a standard Windows MBR to the hard drive won't affect the physical state of the drive, so all the partitions and data, including your personal files, will still exist, but it will remove your ability to initiate a Factory Restore.
While this isn't a total disaster given you have a recovery disc, I am uncertain as to whether a standard Windows MBR will enable your PC to boot at all.

If the MBR repairs successfully you will have a PC that works as before but doesn't have a Factory Restore capability any more. Any Windows failure will require you to then reinstall from a disk, which will also mean that you have to install the drivers that Dell should have supplied on a disk with the PC, or you can download them from the Dell site. That isn't a big job, but it does take longer than a Factory Restore.

If Windows fails to start when you reboot the PC, you have a serious problem. The only guaranteed solution open to you at this point would be to reinstall Windows, which would overwrite your existing installation and that would leave any personal files as good as gone. A data recovery company may be able to rescue some of them, but I don't know how expensive that would be.

Data could be recovered using a boot disk, Puppy Linux for example, before reinstalling Windows, but it would be wiser to back up anything important before taking any risks.


While I am happy to guide you through the MBR repair, as I am quite interested in how things will turn out, I suggest that you think twice about satisfying my curiosity. If this was my PC I would contact Dell and see if they had a method of writing a Dell MBR to the disk that would solve your malware problem and leave your PC working how it was before.

Please think carefully about your options and if anything is unclear, ask.

So long, and thanks for all the fish.



#9 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 01 August 2010 - 01:52 PM

As there has been response for five days this thread is now closed.

So long, and thanks for all the fish.



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users