Sound and popup problems IEXPLORER.exe


This topic is locked
8 replies to this topic

#1 FIERYpl0x

  • Members
  • 11 posts

Posted 28 July 2010 - 12:28 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kunnu at 0:25:46.43 on Wed 07/28/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2550.1887 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
svchost.exe 4
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
svchost.exe 4
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Documents and Settings\Kunnu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Kunnu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kunnu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kunnu\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238392453906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238435824375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: igfxcui - igfxdev.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: c:\windows\system32\wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kunnu\applic~1\mozilla\firefox\profiles\lk7t9327.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\documents and settings\kunnu\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\kunnu\local settings\application data\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-13 55152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 T;T;c:\docume~1\kunnu\locals~1\temp\t.exe --> c:\docume~1\kunnu\locals~1\temp\T.exe [?]
S4 gupdate1c9c101eb0caf98;Google Update Service (gupdate1c9c101eb0caf98);c:\program files\google\update\GoogleUpdate.exe [2009-4-19 133104]

=============== Created Last 30 ================

2010-07-28 04:56:35 0 ----a-w- c:\documents and settings\kunnu\defogger_reenable
2010-07-24 02:09:54 98816 ----a-w- c:\windows\sed.exe
2010-07-24 02:09:54 77312 ----a-w- c:\windows\MBR.exe
2010-07-24 02:09:54 256512 ----a-w- c:\windows\PEV.exe
2010-07-24 02:09:54 161792 ----a-w- c:\windows\SWREG.exe
2010-07-24 01:45:02 0 d-----w- c:\documents and settings\kunnu\.gimp-2.6
2010-07-24 01:44:52 0 d-----w- c:\documents and settings\kunnu\.gegl-0.0
2010-07-24 01:35:54 0 ----a-w- c:\windows\system32\QLBQACGQ
2010-07-22 21:25:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-21 23:23:28 120 ----a-w- c:\windows\Vtomecuzozecahex.dat
2010-07-21 23:23:28 0 ----a-w- c:\windows\Mjolodafuvel.bin
2010-07-14 16:20:46 4886528 ----a-w- c:\windows\system32\stac97.cpl
2010-07-14 15:36:26 78336 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-07-14 15:36:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-07-14 15:30:54 0 d-----w- c:\documents and settings\kunnu\temp
2010-07-14 01:42:28 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-28 04:45:15 99 ----a-w- c:\documents and settings\kunnu\jagex_runescape_preferences2.dat
2010-07-28 04:40:32 40 ----a-w- c:\documents and settings\kunnu\jagex__preferences3.dat
2010-07-28 04:40:22 46 ----a-w- c:\documents and settings\kunnu\jagex_runescape_preferences.dat
2010-07-14 16:38:19 1078 ----a-w- c:\windows\system32\drivers\sthdae.log
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-12-22 19:24:02 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 0:27:16.90 ===============

#2 FIERYpl0x
  • Topic Starter

  • Members
  • 11 posts

Posted 30 July 2010 - 11:27 AM

Cmon people this is serious.... Help me pl0x

#3 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 01 August 2010 - 02:04 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to press <ENTER> to exit.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.
#4 FIERYpl0x
  • Topic Starter

  • Members
  • 11 posts

Posted 04 August 2010 - 03:54 PM

Okay thank you. I am downloading both programs at the moment.

Here is the Preformat



Partition ID: Disk #0, Partition #0
Size: 126.96 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 93.75 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #2
Size: 77.39 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A10
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

Edited by FIERYpl0x, 04 August 2010 - 03:59 PM.


#5 FIERYpl0x
  • Topic Starter

  • Members
  • 11 posts

Posted 04 August 2010 - 03:58 PM

Here you go.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 119):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA338000 cercsr6.sys
0xB9EF3000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9ED3000 fltmgr.sys
0xB9EC1000 sr.sys
0xBA340000 PxHelp20.sys
0xB9EAA000 KSecDD.sys
0xB9E1D000 Ntfs.sys
0xB9DF0000 NDIS.sys
0xB9DD6000 Mup.sys
0xBA278000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA590000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA594000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB928B000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB9277000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB924F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA460000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9118000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA468000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA288000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xBA298000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB9104000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA470000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA478000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB90E1000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA5E0000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA795000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB90CA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA480000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB90B9000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA128000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA488000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA490000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9089000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA138000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8F8B000 \SystemRoot\system32\DRIVERS\update.sys
0xB9DA2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA148000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA8B10000 \SystemRoot\system32\drivers\sthda.sys
0xA8AEC000 \SystemRoot\system32\drivers\portcls.sys
0xBA178000 \SystemRoot\system32\drivers\drmk.sys
0xBA188000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5EE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8AC9000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xBA61A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6FC000 \SystemRoot\System32\Drivers\Null.SYS
0xBA61C000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA380000 \SystemRoot\System32\drivers\vga.sys
0xBA61E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA620000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA388000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA390000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA568000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8A6E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8A15000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA89EF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA89C7000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA89A5000 \SystemRoot\System32\drivers\afd.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA897A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA890A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA1F8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA88CA000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA638000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA550000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3A0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA780000 \SystemRoot\System32\drivers\dxgthk.sys
0xBA228000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA238000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA218000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xB9800000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8271000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8422000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA81CA000 \SystemRoot\system32\DRIVERS\srv.sys
0xA7E1D000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8112000 \SystemRoot\system32\drivers\sysaudio.sys
0xA70D1000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xA70A6000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 58):
0 System Idle Process
4 System
404 C:\WINDOWS\system32\smss.exe
636 csrss.exe
904 C:\WINDOWS\system32\winlogon.exe
948 C:\WINDOWS\system32\services.exe
960 C:\WINDOWS\system32\lsass.exe
1148 C:\WINDOWS\system32\svchost.exe
1232 svchost.exe
1272 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1348 C:\WINDOWS\system32\svchost.exe
1456 svchost.exe
1472 C:\WINDOWS\system32\svchost.exe
1552 svchost.exe
1572 C:\WINDOWS\system32\svchost.exe
1772 C:\WINDOWS\system32\WLTRYSVC.EXE
1788 C:\WINDOWS\system32\BCMWLTRY.EXE
1840 C:\WINDOWS\system32\svchost.exe
1848 C:\WINDOWS\system32\spoolsv.exe
2020 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
160 C:\Program Files\Bonjour\mDNSResponder.exe
184 C:\WINDOWS\ehome\ehrecvr.exe
244 C:\Program Files\AlienGUIse\wbload.exe
304 C:\WINDOWS\ehome\ehSched.exe
504 C:\Program Files\Java\jre6\bin\jqs.exe
440 C:\WINDOWS\system32\PSIService.exe
576 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
660 svchost.exe
748 mcrdsvc.exe
808 C:\WINDOWS\system32\svchost.exe
1620 C:\WINDOWS\system32\dllhost.exe
1896 C:\Program Files\Google\Update\GoogleUpdate.exe
2028 alg.exe
2168 C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
2228 C:\WINDOWS\explorer.exe
2532 C:\WINDOWS\ehome\ehtray.exe
2576 C:\WINDOWS\system32\WLTRAY.EXE
2584 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
2596 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2620 C:\WINDOWS\ehome\ehmsas.exe
2628 C:\WINDOWS\system32\hkcmd.exe
2644 C:\WINDOWS\system32\igfxpers.exe
2652 C:\Program Files\Microsoft Security Essentials\msseces.exe
2676 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
2716 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
2756 C:\WINDOWS\system32\igfxsrvc.exe
2920 C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
2976 C:\WINDOWS\system32\ctfmon.exe
4040 C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
708 C:\WINDOWS\system32\svchost.exe
1680 C:\Documents and Settings\Kunnu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2056 C:\WINDOWS\system32\wuauclt.exe
3592 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
5688 C:\Documents and Settings\Kunnu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4632 C:\Documents and Settings\Kunnu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4884 C:\Documents and Settings\Kunnu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4892 iexplore.exe
4796 C:\Documents and Settings\Kunnu\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001f`bd28fa00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000037`2d061400

PhysicalDrive0 Model Number: WDCWD3200BJKT-00F4T0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 680C3DFB3AF5C02B7E098CA7B25CA73D63745DC5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): 3Dumping \\.\PhysicalDisk3...
Enter filename to dump to:

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 04 August 2010 - 05:10 PM

Good evening.

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have different Master Boot Records and overwriting the MBR with a standard one may result in the PC becoming unbootable.

If you can tell me the make and model of the PC, and whether you have a Windows installation/Recovery disc or not, I will try to find out if the fix is likely to cause issues with your computer.

So long, and thanks for all the fish.
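The Master Boot Record Noviciate describes above has a fixed layout: the first 440 bytes of the sector are executable bootstrap code, followed by the Windows disk signature, the four-entry partition table and the 0x55AA signature. MBRCheck's verdict in post #5 is a hash comparison (it prints the SHA1 it computed; the thread does not say whether it hashes the code region or the whole sector), and its "restore with a standard boot code" option rewrites only the code region, which is why the repair can leave the data intact yet still break booting on a machine whose manufacturer shipped custom boot code. The Python below is an added example written for this page, not MBRCheck's or DDS's source. It parses a constructed 512-byte sector, hashes the code region, checks it against a placeholder allowlist and the known-bad hash the thread reports, and performs a restore that leaves the disk signature and partition table untouched. The sample partition start LBAs are derived from the byte offsets MBRCheck printed for C: and D: (offset / 512); the boot-code bytes and the allowlist are stand-ins.

```python
"""Inspect a 512-byte MBR and check its bootstrap code (added example).

Layout: bytes 0..439 bootstrap code, 440..443 disk signature, 446..509
partition table (4 x 16 bytes), 510..511 the 0x55 0xAA signature.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOTCODE_LEN = 440
PART_TABLE_OFF = 446
MBR_SIGNATURE = b"\x55\xaa"

# Constructed stand-ins: a real checker compares against the hashes of stock
# Windows and OEM boot code; these byte strings only make the demo runnable.
STANDARD_CODE = b"CONSTRUCTED STAND-IN FOR STOCK WINDOWS XP BOOT CODE"
TAMPERED_CODE = b"CONSTRUCTED STAND-IN FOR ALTERED BOOT CODE"


def bootcode_sha1(mbr: bytes) -> str:
    """Hash only the code region: the partition table differs per disk."""
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest()


KNOWN_GOOD = {bootcode_sha1(STANDARD_CODE.ljust(BOOTCODE_LEN, b"\x00"))}
# Hash MBRCheck printed for the infected drive in this thread (illustrative
# entry; the exact bytes MBRCheck hashes are not stated in the thread).
KNOWN_BAD = {"680c3dfb3af5c02b7e098ca7b25ca73d63745dc5": "Whistler / Black Internet"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.start_lba * SECTOR  # the "at offset 0x..." MBRCheck prints

    @property
    def size_gib(self) -> float:
        return self.sectors * SECTOR / 1024 ** 3


def offset_to_lba(byte_offset: int) -> int:
    """Turn an MBRCheck byte offset back into the partition's start LBA."""
    return byte_offset // SECTOR


def parse_partitions(mbr: bytes) -> list:
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, start, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:  # type 0x00 is an unused slot
            parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def check_mbr(mbr: bytes) -> str:
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:] != MBR_SIGNATURE:
        return "invalid: 0x55AA signature missing"
    digest = bootcode_sha1(mbr)
    if digest in KNOWN_BAD:
        return f"known-bad bootstrap code ({KNOWN_BAD[digest]})"
    if digest in KNOWN_GOOD:
        return "known-good bootstrap code"
    return "non-standard bootstrap code (not in allowlist)"


def restore_standard_bootcode(mbr: bytes, standard_code: bytes) -> bytes:
    """Rewrite bytes 0..439 only; signature and partition table are kept.

    Data stays addressable, but any OEM-specific boot code the original
    carried is lost, which is the boot risk Noviciate warns about."""
    code = standard_code.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    return code + mbr[BOOTCODE_LEN:]


def build_sample_mbr(bootcode: bytes, partitions: list) -> bytes:
    """Assemble a constructed sector (CHS fields filled with 0xFF)."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\xff\xff\xff",
                    p.type_id, b"\xff\xff\xff", p.start_lba, p.sectors)
        for p in partitions).ljust(64, b"\x00")
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    return code + b"\x12\x34\x56\x78" + b"\x00\x00" + table + MBR_SIGNATURE


# Constructed layout: start LBAs come from the C: and D: offsets MBRCheck
# printed (0x7e00, 0x1fbd28fa00); sector counts are chosen so the partitions
# are contiguous and reproduce the 126.96 / 93.75 GB sizes Preformat reported.
SAMPLE_PARTITIONS = [
    Partition(0, True, 0x07, offset_to_lba(0x7e00), 266_245_182),
    Partition(1, False, 0x07, offset_to_lba(0x1fbd28fa00), 196_603_533),
]
SAMPLE_MBR = build_sample_mbr(TAMPERED_CODE, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    for p in parse_partitions(SAMPLE_MBR):
        print(f"partition {p.index}: type 0x{p.type_id:02x} LBA {p.start_lba} "
              f"(offset 0x{p.byte_offset:x}) {p.size_gib:.2f} GiB"
              f"{' bootable' if p.bootable else ''}")
    print("before:", check_mbr(SAMPLE_MBR))
    fixed = restore_standard_bootcode(SAMPLE_MBR, STANDARD_CODE)
    print("after: ", check_mbr(fixed))
    print("table preserved:", fixed[BOOTCODE_LEN:] == SAMPLE_MBR[BOOTCODE_LEN:])
```

Running it shows the two partitions at LBA 63 and 266245245 with the sizes the thread's Preformat output listed, the tampered sector flagged as non-standard, and the restored sector passing the allowlist with byte-identical signature and partition table. The design point is the allowlist: a checker that only knows stock Microsoft boot code will also flag a legitimate OEM sector, which is exactly why Noviciate asks for the make and model before recommending the rewrite.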
#7 FIERYpl0x
  • Topic Starter

  • Members
  • 11 posts

Posted 05 August 2010 - 01:10 PM

I'm afraid I do not have a Windows installation/recovery disk. What do you mean by make and model of the PC? It's a Dell Inspiron e1405 laptop. Microsoft Windows XP version 2002 Service Pack 3. Genuine Intel CPU. Sorry for the confusion :s

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 August 2010 - 03:06 PM

Good evening.

While I think it should be possible to repair the MBR damage that has occurred given your PC set-up, there isn't any guarantee that I can offer that it won't end in tears, and as you don't have a Recovery Disc there is no way for you to get the PC back up and running if something goes wrong with the repair.
You need to decide whether you are willing to take the risk that your PC won't boot up properly and that it will be in effect a pretty expensive paperweight. While it won't cause any actual damage to the PC itself, Windows won't load and without an Operating System the PC is useless.

Please let me know how you wish to proceed.

So long, and thanks for all the fish.
#9 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 August 2010 - 02:21 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.