Random Clicks, Commercials, and Overall Slow Performance with Logs


This topic is locked
16 replies to this topic

#1 GrymReaper

Posted 30 July 2010 - 07:19 AM

New to the forums because this is the first time I cannot solve a problem on my own. I believe that IEXPLORE.exe is running a hidden process that is causing all the problems, and for the life of me I cannot stop it. Basically, about a week ago, I noticed that several times a day, random music would start playing from my PC. Oddly enough, they are commercials (one for Lysol is really annoying). Also, there are random double-click sounds that I hear shortly before and after the commercial... and right now there were about 3 of them as I was typing this. It's not really killing my performance, but it will make things slow when loading these invisible commercials up. I think also that this issue has destroyed my startup process and would like some suggestions on other items to remove. I have already removed a few things, but startup is still mediocre. Running a WinXP Home machine.

Thanks in advance for all your help,
Chris


SEE LOGS BELOW

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 7:59:57.07 on Fri 07/30/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1244 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
svchost.exe 4
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Chris\Desktop\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [Lachesis] c:\program files\razer\lachesis\razerhid.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\b0quzkvn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-20 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-20 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-18 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-20 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-20 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-20 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-28 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100729.001\IDSXpx86.sys [2010-7-29 331640]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2009-3-4 12032]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-3-4 16128]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100729.040\NAVENG.SYS [2010-7-30 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100729.040\NAVEX15.SYS [2010-7-30 1362608]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [2010-5-11 11392]
S2 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\turbine\turbine download manager\turbinemessageservice.exe" --> c:\program files\turbine\turbine download manager\TurbineMessageService.exe [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-5-11 33792]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\turbine\turbine download manager\turbinenetworkservice.exe" --> c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-3-4 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-3-4 13532]
S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\samsung\samsung pc share manager\WiselinkPro.exe [2009-1-8 4136960]

=============== Created Last 30 ================

2010-07-30 11:59:06 0 ----a-w- c:\documents and settings\chris\defogger_reenable
2010-07-30 02:20:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-29 16:00:28 0 d-----w- c:\program files\Guild Wars
2010-07-29 14:23:51 0 d-----w- c:\program files\Sun
2010-07-29 14:23:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-29 14:23:44 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-29 13:48:59 0 d-----w- c:\program files\Trend Micro
2010-07-29 00:32:49 0 d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2010-07-29 00:32:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 00:32:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 00:32:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 00:32:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-29 00:18:50 0 d-----w- C:\57bff728807577ddcad4827f8a878b6a
2010-07-28 14:41:57 98816 ----a-w- c:\windows\sed.exe
2010-07-28 14:41:57 77312 ----a-w- c:\windows\MBR.exe
2010-07-28 14:41:57 256512 ----a-w- c:\windows\PEV.exe
2010-07-28 14:41:57 161792 ----a-w- c:\windows\SWREG.exe
2010-07-28 14:41:45 0 d-s---w- C:\ComboFix
2010-07-19 02:33:06 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-05-11 18:10:05 216064 ----a-w- c:\windows\iun3405.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 8:00:32.43 ===============



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/4/2009 2:21:03 PM
System Uptime: 7/30/2010 7:47:10 AM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-E
Processor: Intel Pentium III Xeon processor | LGA775 | 2504/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 225.585 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter
Device ID: USB\VID_0BDA&PID_8187\0015AF64F4A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter
PNP Device ID: USB\VID_0BDA&PID_8187\0015AF64F4A4
Service: RTLWUSB

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\122AB8C1E8C00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\122AB8C1E8C00
Service: NIC1394

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&B6AFFD&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&B6AFFD&0
Service: i8042prt

==== System Restore Points ===================

RP330: 5/1/2010 8:32:05 AM - System Checkpoint
RP331: 5/3/2010 9:59:03 PM - System Checkpoint
RP332: 5/5/2010 8:15:40 AM - System Checkpoint
RP333: 5/6/2010 2:03:04 PM - System Checkpoint
RP334: 5/10/2010 4:41:12 PM - System Checkpoint
RP335: 5/11/2010 12:44:21 PM - Update to an unsigned driver
RP336: 5/11/2010 12:48:37 PM - Removed Windows Live Sign-in Assistant
RP337: 5/11/2010 12:55:41 PM - Update to an unsigned driver
RP338: 5/12/2010 5:05:13 PM - Software Distribution Service 3.0
RP339: 5/14/2010 3:45:03 PM - System Checkpoint
RP340: 5/16/2010 6:55:54 PM - System Checkpoint
RP341: 5/17/2010 7:23:05 PM - System Checkpoint
RP342: 5/19/2010 7:59:17 AM - System Checkpoint
RP343: 5/20/2010 8:13:01 AM - System Checkpoint
RP344: 5/21/2010 8:14:42 AM - System Checkpoint
RP345: 5/22/2010 2:41:08 PM - System Checkpoint
RP346: 5/23/2010 2:41:12 PM - System Checkpoint
RP347: 5/24/2010 5:21:40 PM - System Checkpoint
RP348: 5/25/2010 6:29:32 PM - System Checkpoint
RP349: 5/26/2010 5:00:58 PM - Software Distribution Service 3.0
RP350: 5/27/2010 5:11:31 PM - System Checkpoint
RP351: 5/29/2010 10:33:37 AM - System Checkpoint
RP352: 5/30/2010 7:04:32 PM - System Checkpoint
RP353: 5/31/2010 9:10:02 PM - System Checkpoint
RP354: 6/2/2010 10:50:37 AM - System Checkpoint
RP355: 6/4/2010 2:56:18 PM - System Checkpoint
RP356: 6/6/2010 10:13:54 AM - System Checkpoint
RP357: 6/7/2010 1:16:45 PM - System Checkpoint
RP358: 6/8/2010 5:49:12 PM - System Checkpoint
RP359: 6/9/2010 7:58:20 PM - System Checkpoint
RP360: 6/10/2010 8:17:28 PM - System Checkpoint
RP361: 6/10/2010 10:38:39 PM - Software Distribution Service 3.0
RP362: 6/11/2010 11:16:10 PM - System Checkpoint
RP363: 6/13/2010 10:11:19 AM - System Checkpoint
RP364: 6/14/2010 1:11:39 PM - System Checkpoint
RP365: 6/15/2010 6:56:29 PM - System Checkpoint
RP366: 6/17/2010 8:48:01 AM - System Checkpoint
RP367: 6/18/2010 5:24:38 PM - System Checkpoint
RP368: 6/21/2010 5:07:29 PM - System Checkpoint
RP369: 6/22/2010 6:04:22 PM - System Checkpoint
RP370: 6/22/2010 11:12:26 PM - Installed Jing
RP371: 6/23/2010 9:25:44 AM - Removed Jing
RP372: 6/23/2010 10:43:06 PM - Software Distribution Service 3.0
RP373: 6/25/2010 10:43:46 AM - Installed League of Legends
RP374: 6/26/2010 4:04:59 PM - System Checkpoint
RP375: 6/27/2010 4:31:34 PM - System Checkpoint
RP376: 6/28/2010 5:36:32 PM - System Checkpoint
RP377: 6/29/2010 6:18:41 PM - System Checkpoint
RP378: 7/1/2010 5:11:22 PM - System Checkpoint
RP379: 7/3/2010 10:31:51 AM - System Checkpoint
RP380: 7/19/2010 12:16:01 AM - Software Distribution Service 3.0
RP381: 7/20/2010 3:16:36 PM - System Checkpoint
RP382: 7/22/2010 7:52:36 AM - System Checkpoint
RP383: 7/23/2010 10:42:26 AM - System Checkpoint
RP384: 7/25/2010 5:56:00 PM - System Checkpoint
RP385: 7/26/2010 6:40:00 PM - System Checkpoint
RP386: 7/27/2010 6:48:07 PM - System Checkpoint
RP387: 7/28/2010 8:20:59 AM - Software Distribution Service 3.0
RP388: 7/29/2010 9:37:59 AM - Removed Adobe Reader 9.3.2.
RP389: 7/29/2010 9:39:16 AM - Removed Java™ 6 Update 12
RP390: 7/29/2010 9:41:09 AM - Removed Adobe Media Player
RP391: 7/29/2010 9:48:55 AM - Installed HiJackThis
RP392: 7/29/2010 10:22:12 AM - Installed Java™ SE Development Kit 6 Update 21
RP393: 7/29/2010 10:23:24 AM - Installed Java™ 6 Update 21

==== Installed Programs ======================

µTorrent
2Wire Wireless Client
Adobe Flash Player 10 Plugin
AI Suite
Aion
ASUS WiFi-AP Solo
ASUSUpdate
Atlantica Online
AutoUpdate
CamStudio
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
ConvertXtoDVD 3.0.0.1
Dell Driver Download Manager
DesignPro 5.4 Limited Edition
DivX Codec
DivX Player
DivX Version Checker
DVDFab 6.0.6.0 (04/09/2009)
ERUNT 1.1j
FLV Player 2.0 (build 25)
GradeQuick Web Plugin
Greetings Workshop
Guild Wars
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Extended Capabilities 4.7
HP LaserJet 3050/3052/3055/3390/3392 3.0
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2100 series
hp psc 2100 series
HP Software Update
hpp3390usg
hppFaxDrv3390
hppFaxUtility
hppFonts
hppIOFiles
hppLJ3390
hppManuals3390
hppscan3390
hppScanTo
hppSendFax
hppTooCool
hppToolBoxFX
hpzTLBXFX
ImageMixer3
IrfanView (remove only)
Java Auto Updater
Java DB 10.5.3.0
Java™ 6 Update 21
Java™ SE Development Kit 6 Update 21
JMB36X Raid Configurer
League of Legends
Malwarebytes' Anti-Malware
MarketResearch
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.8)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NCsoft Launcher
Norton Internet Security
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
PC Probe II
QFolder
Razer Lachesis
Razer Lycosa
Runes of Magic
SAMSUNG PC Share Manager
SBC Yahoo! Applications
SBC Yahoo! DSL Home Networking Installer
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Skype Toolbars
Skype™ 4.2
SoundMAX
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
ViewSonic Monitor Drivers
Virtual Cable Tester
WebFldrs XP
Winamp
Winamp Application Detect
Windows Driver Package - MOTOROLA (uisp) USB (09/08/2006 1.2.0.0)
Windows Driver Package - Razer (HidUsb) HIDClass (01/11/2007 1.0)
Windows Driver Package - Razer (HidUsb) HIDClass (05/10/2007 1.00)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/29/2010 9:38:32 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/29/2010 9:35:44 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
7/29/2010 9:35:44 AM, error: Service Control Manager [7000] - The Turbine Message Service - Live service failed to start due to the following error: The system cannot find the file specified.
7/29/2010 9:35:44 AM, error: Service Control Manager [7000] - The DUALSHOCK3 Controller HID Minidriver (USB) Beta service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/29/2010 9:35:44 AM, error: Service Control Manager [7000] - The adfs service failed to start due to the following error: The system cannot find the file specified.
7/28/2010 8:22:29 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
7/28/2010 8:22:29 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
7/28/2010 8:22:29 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
7/28/2010 8:22:29 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
7/28/2010 8:16:05 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 00bfff7c, parameter3 b4b09c8c, parameter4 00000000.
7/26/2010 7:34:27 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

==== End Of File ===========================


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:32 PM

Posted 30 July 2010 - 03:11 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to press <ENTER> to exit.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.

 

 


#3 GrymReaper

GrymReaper
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 30 July 2010 - 09:53 PM

MBRCheck, version 1.1.1

© 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 Unknown MBR code








Partition ID: Disk #0, Partition #0
Size: 465.75 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: American Megatrends Inc.
Name: BIOS Date: 03/12/08 10:02:08 Ver: 08.00.12
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:32 PM

Posted 31 July 2010 - 02:41 PM

Good evening.

Can you tell me the make and model of the PC and whether or not you have the Windows installation disc that came with it. Also, will you do the following:

Download this file and save it to your Desktop.
Go to Start > Run..., copy and paste the following into the textbox and click OK:

"%userprofile%\Desktop\MBRCheck_beta.exe" -s 0 -d mbrdump3.dat

A Command Window should open and once the tool has completed you will be prompted to click to finish the procedure - please do so.
You should see a file called mbrdump3.dat appear on your Desktop. You will need to create a zipped folder and drop the file into it and then attach it in your next reply - Step 9 here explains how to do that if you are unsure.

So long, and thanks for all the fish.

 

 


#5 GrymReaper

GrymReaper
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 31 July 2010 - 05:29 PM

Hi Noviciate,

My PC is a rig that I built about 2-1/2 years ago, but here is the setup. I do have the Win XP disc as well:

ASUS P5K-E/WIFI-AP LGA 775 Intel P35 ATX Intel Motherboard
Intel Core 2 Quad Q9300 Yorkfield 2.5GHz LGA 775 95W Quad-Core Processor
EVGA 512-P3-N801-AR GeForce 8800 GT 512MB 256-bit GDDR3 PCI Express 2.0 x16 SLI Cards
CORSAIR CMPSU-550VX 550W

The MBR check gives the following, w/o any .dat file being created:

"Known-bad MBR code dedected (Whistler /Black Internet)

Then the next few lines say:

"Found non-standard or infected MBR>
Enter Y and hit Enter for More options, or N to exit:"

If I hit Y then I get the following:

1. dump the MBR of a physical disk to file
2. restore the MBR of a physical disk with a standard boot code.
3. exit

I just hit exit, not sure what to do.

Thanks in advance,
Grym

Edited by GrymReaper, 31 July 2010 - 05:30 PM.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:32 PM

Posted 31 July 2010 - 07:05 PM

The last file is a beta version, so it doesn't appear to behave as I expected - you'll need to wing it a little then.
Run the file again and this time after selecting Y go for option 1.
I don't know whether you need to specify a file name or not, but if you do, go for mbrdump3.dat
Hopefully you can get a dump this way, but if in doubt exit out.

So long, and thanks for all the fish.

 

 


#7 GrymReaper

GrymReaper
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 02 August 2010 - 12:55 PM

Ok attached...

Performance has gotten really bad, now I see IE pop ups regularly with an increased amount of clicks, even to the point where it bogs the PC down to a complete crawl.

Attached Files


Edited by GrymReaper, 02 August 2010 - 01:00 PM.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:32 PM

Posted 02 August 2010 - 02:42 PM

Good evening.

Give me five minutes.

So long, and thanks for all the fish.

 

 


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:32 PM

Posted 02 August 2010 - 02:57 PM

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have different Master Boot Records and overwriting the MBR with a standard one may result in the PC becoming unbootable.
While this won't actually physically break anything and you can reinstall the Operating System from a disc, if you have one, the existing installation of Windows will be unusable.

The fact that you've built the rig yourself, and presumably installed the OS too, means that it's highly unlikely that the fix will do any harm as you should have had the standard MBR installed anyway.
However I have to stress what you should already know - your PC will do everything in its power to mess with your day if it can!
Before you proceed I suggest you back up any important data as things sometimes go wrong for no discernible reason and it's never good to wish that you'd done so when it's too late.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Step 1: Read through the rest and ask anything BEFORE you do anything that you may wish you hadn't with hindsight!

Step 2: You will need to set the CD-Rom as first boot device if it isn't already.

Step 3: Boot from the disc, access the Recovery Console and run the command fixmbr - handily, you get a walkthrough of both the Recovery Console and repairing the MBR here.
You may be prompted that the MBR is non-standard, which it is because it is infected. You'll need to confirm that you wish to go ahead in this case to complete the fix.

Step 4: Download a fresh copy of MBRCheck.exe by a_d_13 from here (it's a new version) and double click it to run it and let me have the log that's produced.

So long, and thanks for all the fish.

 

 


#10 GrymReaper

GrymReaper
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 02 August 2010 - 03:23 PM

Thanks Noviciate,

So,

I built the machine myself, and it does have a licensed version of Win XP (NOT a downloaded and/or hacked version). Is there any way to unknowingly change the MBR??? Because I have not done anything special to the OS, Boot, Bios etc.....Would you still recommend backing things up?

#11 GrymReaper

GrymReaper
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 02 August 2010 - 04:26 PM

Backed up stuff on an old HDD...wouldn't be a total geek if I didn't have at least 2 extra HDDs...but it may have worked because I now see "Windows XP MBR code detected" instead of the evil red text. So far I have no clicks or commercials to this point.....totally odd. So the virus/malware I got infected the MBR and made it do that.....so nuts. Now for some odd reason, my DVD drive door won't open lol...Time for the brute force method.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB80B8000 ohci1394.sys
0xB80C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7F31000 atapi.sys
0xB80F8000 jraid.sys
0xB7F19000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB8108000 disk.sys
0xB8118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EF9000 fltmgr.sys
0xB7EA3000 SYMDS.SYS
0xB7E91000 sr.sys
0xB7E64000 SYMEFA.SYS
0xB8128000 PxHelp20.sys
0xB7E4D000 KSecDD.sys
0xB7DC0000 Ntfs.sys
0xB7D93000 NDIS.sys
0xB7D79000 Mup.sys
0xB85AC000 JGOGO.sys
0xB7836000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7056000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB7042000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8440000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB701E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8448000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB6FF6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB6FB5000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xB8458000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB85EE000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB7826000 \SystemRoot\system32\DRIVERS\serial.sys
0xB7D55000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8468000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB7806000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB77F6000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB77E6000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB6F92000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8700000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB77D6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB7D41000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6F7B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB77C6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB77B6000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8490000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB6F6A000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8188000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB84A0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB84B0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8198000 \SystemRoot\System32\Drivers\pcouffin.sys
0xB81A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8350000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB85F4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6F0C000 \SystemRoot\system32\DRIVERS\update.sys
0xB7B62000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB81B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB81D8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85FA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB4D98000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xB4D74000 \SystemRoot\system32\drivers\portcls.sys
0xB81E8000 \SystemRoot\system32\drivers\drmk.sys
0xB4D5D000 \SystemRoot\system32\drivers\AEAudio.sys
0xB4CFD000 \SystemRoot\system32\drivers\Senfilt.sys
0xB83A8000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB8600000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8738000 \SystemRoot\System32\Drivers\Null.SYS
0xB8604000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8208000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB83D0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB83D8000 \SystemRoot\System32\drivers\vga.sys
0xB8608000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB860C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB83E8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB83F8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB8594000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB4CA2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB4C49000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB4BF2000 \SystemRoot\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS
0xB4BCC000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB8218000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB4BA7000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xB4B52000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100730.001\IDSxpx86.sys
0xB4B2A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB4B08000 \SystemRoot\System32\drivers\afd.sys
0xB8228000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB4A49000 \SystemRoot\system32\drivers\NIS\1107000.00C\Ironx86.SYS
0xB8238000 \SystemRoot\system32\drivers\NIS\1107000.00C\SRTSPX.SYS
0xB4A1E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB49AE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB8248000 \SystemRoot\System32\Drivers\Fips.SYS
0xB4950000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB4933000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB488C000 \SystemRoot\system32\drivers\NIS\1107000.00C\ccHPx86.sys
0xB47E0000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100709.001\BHDrvx86.sys
0xB8610000 \SystemRoot\system32\drivers\AsIO.sys
0xB8438000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB5DE8000 \SystemRoot\System32\Drivers\Lycosa.sys
0xB8558000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB8268000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB4CF5000 \SystemRoot\system32\drivers\Lachesis.sys
0xB4CED000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB4CE5000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB8278000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB47A0000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB8616000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB8588000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8480000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB87EE000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB8398000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB4490000 \SystemRoot\system32\DRIVERS\mdc8021x.sys
0xB41B3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB3EDC000 \SystemRoot\system32\DRIVERS\srv.sys
0xB3D45000 \SystemRoot\System32\Drivers\NIS\1107000.00C\SRTSP.SYS
0xB3BF9000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20100802.002\NAVEX15.SYS
0xB3BE5000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20100802.002\NAVENG.SYS
0xB3AE0000 \SystemRoot\system32\drivers\wdmaud.sys
0xB42E0000 \SystemRoot\system32\drivers\sysaudio.sys
0xB360B000 \SystemRoot\System32\Drivers\HTTP.sys
0xB31A8000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
600 C:\WINDOWS\system32\smss.exe
648 csrss.exe
672 C:\WINDOWS\system32\winlogon.exe
716 C:\WINDOWS\system32\services.exe
728 C:\WINDOWS\system32\lsass.exe
884 C:\WINDOWS\system32\nvsvc32.exe
924 C:\WINDOWS\system32\svchost.exe
992 svchost.exe
1112 C:\WINDOWS\system32\svchost.exe
1184 svchost.exe
1300 svchost.exe
1404 C:\WINDOWS\system32\spoolsv.exe
1508 svchost.exe
1564 C:\Program Files\Java\jre6\bin\jqs.exe
1592 C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
1616 C:\WINDOWS\system32\HPZipm12.exe
1668 C:\WINDOWS\system32\svchost.exe
1696 wdfmgr.exe
2028 C:\Program Files\Canon\CAL\CALMAIN.exe
916 C:\WINDOWS\system32\wuauclt.exe
1448 alg.exe
268 C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
1972 C:\WINDOWS\explorer.exe
2236 C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
2280 C:\Program Files\Razer\Lachesis\razerhid.exe
2296 C:\WINDOWS\system32\rundll32.exe
2968 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3528 C:\Program Files\Razer\Lachesis\OSD.exe
3156 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
3524 C:\WINDOWS\system32\ctfmon.exe
4016 C:\WINDOWS\system32\svchost.exe
532 C:\Program Files\Razer\Lachesis\razertra.exe
536 C:\Program Files\Razer\Lachesis\razerofa.exe
2912 C:\Program Files\Mozilla Firefox\firefox.exe
3456 C:\Program Files\Mozilla Firefox\plugin-container.exe
2400 C:\Documents and Settings\Chris\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD5000AACS-00ZUB0, Rev: 01.01B01

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
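An added example, not MBRCheck's code and not from anyone in this thread, of the check that post #9 describes and that the two MBRCheck logs above illustrate: hash the boot-code region of a 512-byte MBR against a known-good baseline, verify the 0x55AA signature, and parse the partition table so that "boot code changed, partitions untouched" (the bootkit case before fixmbr) can be told apart from a damaged sector. The sample sectors, boot-code bytes and hash baseline are constructed; only the partition start at LBA 63 (byte offset 0x7E00) and the 465.75 GB size are taken from the log above.

```python
"""
Constructed MBR fingerprinting example (not the MBRCheck tool's code).
Boot code (bytes 0..439) is hashed and compared against a baseline; the
partition table (0x1BE..0x1FD) and the 0x55AA signature are parsed on
their own so a report can say exactly which region differs from baseline.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code ends where the 4-byte disk signature at 0x1B8 begins
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE      # 0x55 0xAA marks a valid MBR


def boot_code_sha1(sector: bytes) -> str:
    """SHA1 of the boot-code region only (disk signature and partition table excluded)."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def has_valid_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA"


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue   # empty slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,
            "size_gib": round(sectors * SECTOR_SIZE / 2**30, 2),
        })
    return entries


def check_mbr(sector: bytes, known_good: set, baseline_partitions=None) -> dict:
    """Classify an MBR: signature validity, boot-code status, partition-table drift."""
    result = {"valid_signature": has_valid_signature(sector)}
    if not result["valid_signature"]:
        result["status"] = "invalid"      # not a usable MBR at all; do not hash garbage
        return result
    digest = boot_code_sha1(sector)
    result["sha1"] = digest
    result["status"] = "known-good" if digest in known_good else "unknown"
    result["partitions"] = parse_partition_table(sector)
    if baseline_partitions is not None:
        result["partitions_changed"] = result["partitions"] != baseline_partitions
    return result


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte sector: given boot code, one active NTFS partition at LBA 63."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 0x1B8, 0x12345678)        # disk signature (constructed)
    # status=0x80 (active), type=0x07 (NTFS), LBA start 63, sector count for 465.75 GiB
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 976_748_544)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed stand-ins for "clean" and "altered" boot code; not real bootloader bytes.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 60
ALTERED_BOOT_CODE = b"\xEB\x1E\x90" + CLEAN_BOOT_CODE[3:]    # first bytes altered (constructed)

CLEAN_SECTOR = build_sample_mbr(CLEAN_BOOT_CODE)
ALTERED_SECTOR = build_sample_mbr(ALTERED_BOOT_CODE)

# Baseline taken from the clean sector; in practice a list of vendor/OS MBR hashes.
KNOWN_GOOD = {boot_code_sha1(CLEAN_SECTOR)}
BASELINE_PARTS = parse_partition_table(CLEAN_SECTOR)


def demo() -> dict:
    """Mirror the thread: 'unknown' before fixmbr, 'known-good' after, plus a broken sector."""
    return {
        "before_fix": check_mbr(ALTERED_SECTOR, KNOWN_GOOD, BASELINE_PARTS),
        "after_fix": check_mbr(CLEAN_SECTOR, KNOWN_GOOD, BASELINE_PARTS),
        "no_signature": check_mbr(CLEAN_SECTOR[:-2] + b"\x00\x00", KNOWN_GOOD),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        extra = f", partitions_changed={r['partitions_changed']}" if "partitions_changed" in r else ""
        print(f"{label}: status={r['status']}{extra}")
```

Reading a live disk's first sector requires administrator rights and a raw device handle; the same functions apply unchanged to a sector saved with a dump option like the one in post #5.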

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:32 PM

Posted 02 August 2010 - 05:17 PM

QUOTE
So the virus/malware I got infected the MBR and made it do that.....so nuts.

So true! OK, just as a quick check for anything else that may be lurking, will you work through the following and post accordingly, once you've finished poking a paper-clip in the drive access hole of course:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.


So long, and thanks for all the fish.

 

 


#13 GrymReaper

GrymReaper
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 02 August 2010 - 05:48 PM

Paper clip didn't work, had to take the cover off...but I digress. Other than that, the PC seems to be back to normal, no more bogging up etc.

DDS LOG BELOW...RUNNING MBAM FULL SCAN NOW...so that may take a bit

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 18:46:25.37 on Mon 08/02/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1311 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Chris\Desktop\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [Lachesis] c:\program files\razer\lachesis\razerhid.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\b0quzkvn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-20 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-20 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-18 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-20 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-20 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-20 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-28 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100730.001\IDSXpx86.sys [2010-7-31 331640]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2009-3-4 12032]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-3-4 16128]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-28 38224]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100802.002\NAVENG.SYS [2010-8-2 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100802.002\NAVEX15.SYS [2010-8-2 1362608]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [2010-5-11 11392]
S2 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\turbine\turbine download manager\turbinemessageservice.exe" --> c:\program files\turbine\turbine download manager\TurbineMessageService.exe [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-5-11 33792]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\turbine\turbine download manager\turbinenetworkservice.exe" --> c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-3-4 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-3-4 13532]
S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\samsung\samsung pc share manager\WiselinkPro.exe [2009-1-8 4136960]

=============== Created Last 30 ================

2010-07-30 11:59:06 0 ----a-w- c:\documents and settings\chris\defogger_reenable
2010-07-30 02:20:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-29 16:00:28 0 d-----w- c:\program files\Guild Wars
2010-07-29 14:23:51 0 d-----w- c:\program files\Sun
2010-07-29 14:23:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-29 14:23:44 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-29 13:48:59 0 d-----w- c:\program files\Trend Micro
2010-07-29 00:32:49 0 d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2010-07-29 00:32:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 00:32:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 00:32:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 00:32:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-29 00:18:50 0 d-----w- C:\57bff728807577ddcad4827f8a878b6a
2010-07-28 14:41:57 98816 ----a-w- c:\windows\sed.exe
2010-07-28 14:41:57 77312 ----a-w- c:\windows\MBR.exe
2010-07-28 14:41:57 256512 ----a-w- c:\windows\PEV.exe
2010-07-28 14:41:57 161792 ----a-w- c:\windows\SWREG.exe
2010-07-28 14:41:45 0 d-s---w- C:\ComboFix
2010-07-19 02:33:06 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-05-11 18:10:05 216064 ----a-w- c:\windows\iun3405.exe
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 18:46:55.14 ===============

Edited by GrymReaper, 02 August 2010 - 05:48 PM.


#14 GrymReaper

  • Topic Starter

Posted 02 August 2010 - 08:15 PM

And my MBAM log: 4 items

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4364

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/2/2010 9:14:48 PM
mbam-log-2010-08-02 (21-14-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 373298
Time elapsed: 1 hour(s), 48 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3560680-60DC-4E4A-A7CD-D72EEC4A084B}\RP336\A0050865.dll (Adware.EcoBar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A3560680-60DC-4E4A-A7CD-D72EEC4A084B}\RP336\A0050868.dll (Adware.EcoBar) -> Quarantined and deleted successfully.


#15 GrymReaper

  • Topic Starter

Posted 03 August 2010 - 09:25 AM

Update: all is running well for 12 hrs now
