Infection Causing Unseen Audio Ads And Search Engine Redirects


This topic is locked
20 replies to this topic

#1 Kevy Duty

  • Members

Posted 01 August 2010 - 11:02 AM

I've been experiencing a redirect problem which causes a new window to open in my browser which will flash an unsolicited screen and then continue on to my intended direction. If I do not close that window and continue browsing I will eventually see more short redirects and eventually ads playing audio coming from a window I cannot see.

I've tried many of the usual suspect spy and virus removers but have had no luck removing the problem. I've also noticed that with some programs the virus is disabling the 'Virus Scan' feature.

Here are my logs, thank you in advance for the assistance.

__________________________________________________


DDS (Ver_10-03-17.01) - NTFSx86
Run by New User at 8:46:40.10 on Sun 08/01/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.478 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ISSCAN\PskSvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\New User\Desktop\dds.scr

============== Pseudo HJT Report ===============

c:\documents and settings\new user\local settings\temp\18.tmp\temp00
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
Notify: avldr - avldr.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\newuse~1\applic~1\mozilla\firefox\profiles\rg42dmx1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eavbuzz.net/forum/index.php?action=unread;all;start=0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1107000.00c\symds.sys [2010-7-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1107000.00c\symefa.sys [2010-7-27 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-6-18 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1107000.00c\cchpx86.sys [2010-7-27 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1107000.00c\ironx86.sys [2010-7-27 116784]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.7.0.12\ccsvchst.exe [2010-7-27 126392]
R2 PskSvcRetailInst;PskSvcRetailInst;c:\docume~1\admini~1\locals~1\temp\isscan\PskSvc.exe [2010-7-26 28928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\ipsdefs\20100730.001\IDSXpx86.sys [2010-7-30 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\virusdefs\20100731.002\NAVENG.SYS [2010-7-31 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\virusdefs\20100731.002\NAVEX15.SYS [2010-7-31 1362608]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-6-9 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 136176]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-6-9 24576]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2010-06-10 01:29:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-06-10 01:29:35 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-05-20 22:56:15 72080 ----a-w- c:\documents and settings\new user\g2mdlhlpx.exe

============= FINISH: 8:47:07.40 ===============


#2 Noviciate

  • Malware Response Team

Posted 01 August 2010 - 02:06 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to press <ENTER> to exit.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

Edited by SifuMike, 04 August 2010 - 04:46 PM.

So long, and thanks for all the fish.

 

 


#3 Kevy Duty
  • Topic Starter

  • Members

Posted 01 August 2010 - 09:26 PM

MBRCHECK

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 136):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7B47000 \WINDOWS\system32\KDCOM.DLL
0xF7A57000 \WINDOWS\system32\BOOTVID.dll
0xF7518000 ACPI.sys
0xF7B49000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7507000 pci.sys
0xF7647000 isapnp.sys
0xF7657000 sshrmd.sys
0xF7667000 ssfs0bbc.sys
0xF74DA000 ssidrv.sys
0xF74AD000 \WINDOWS\system32\DRIVERS\NDIS.SYS
0xF78C7000 \WINDOWS\system32\DRIVERS\TDI.SYS
0xF7A5B000 compbatt.sys
0xF7A5F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7C0F000 PCIIde.sys
0xF78CF000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7B4B000 intelide.sys
0xF748F000 pcmcia.sys
0xF7677000 MountMgr.sys
0xF7470000 ftdisk.sys
0xF78D7000 PartMgr.sys
0xF7687000 VolSnap.sys
0xF7458000 atapi.sys
0xF78DF000 cercsr6.sys
0xF7440000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7697000 disk.sys
0xF76A7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7420000 fltmgr.sys
0xF73CA000 SYMDS.SYS
0xF739D000 SYMEFA.SYS
0xF7386000 KSecDD.sys
0xF72F9000 Ntfs.sys
0xF72DF000 Mup.sys
0xF7847000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7AFF000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6D7E000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6D6A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF79AF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6D46000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF79B7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6AEB000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF6AA8000 \SystemRoot\system32\drivers\STAC97.sys
0xF6A84000 \SystemRoot\system32\drivers\portcls.sys
0xF76D7000 \SystemRoot\system32\drivers\drmk.sys
0xF6A61000 \SystemRoot\system32\drivers\ks.sys
0xF6A2E000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF6860000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS
0xF67B3000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF79BF000 \SystemRoot\System32\Drivers\Modem.SYS
0xF76E7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF79D7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79EF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7B03000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF679F000 \SystemRoot\system32\DRIVERS\parport.sys
0xF6F8B000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF6F7B000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF6F6B000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF79C7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7C22000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6F5B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B13000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6788000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF6F4B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6F3B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF6777000 \SystemRoot\system32\DRIVERS\psched.sys
0xF6F2B000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7947000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7937000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7232000 \SystemRoot\system32\DRIVERS\pnetmdm.sys
0xF4ED0000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7807000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BEB000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF4E72000 \SystemRoot\system32\DRIVERS\update.sys
0xF7226000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7897000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA764000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7C0B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8DF8000 \SystemRoot\System32\Drivers\NAV\1107000.00C\SRTSP.SYS
0xA8DD9000 \SystemRoot\system32\drivers\NAV\1107000.00C\Ironx86.SYS
0xAA36F000 \SystemRoot\system32\drivers\NAV\1107000.00C\SRTSPX.SYS
0xA8C8D000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100801.003\NAVEX15.SYS
0xA8C68000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA8C54000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100801.003\NAVENG.SYS
0xF7B65000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C3D000 \SystemRoot\System32\Drivers\Null.SYS
0xF7C0D000 \SystemRoot\System32\Drivers\Beep.SYS
0xF797F000 \SystemRoot\System32\drivers\vga.sys
0xF7B7B000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B7D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A4F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A27000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF5B2A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8C21000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8BC8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8B71000 \SystemRoot\System32\Drivers\NAV\1107000.00C\SYMTDI.SYS
0xA8B4B000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA8ECF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8AF6000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100730.001\IDSxpx86.sys
0xA8ACE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8AAC000 \SystemRoot\System32\drivers\afd.sys
0xF7787000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8A81000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8A11000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF77A7000 \SystemRoot\System32\Drivers\Fips.SYS
0xA89B3000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA8996000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA8917000 \SystemRoot\system32\drivers\NAV\1107000.00C\ccHPx86.sys
0xA886B000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100709.001\BHDrvx86.sys
0xA8E5F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8853000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B5F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7B3B000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7987000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CD1000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xA7AF3000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA796F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA767C000 \SystemRoot\system32\drivers\wdmaud.sys
0xA7711000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7441000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7B57000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA7789000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA72FA000 \SystemRoot\system32\DRIVERS\srv.sys
0xF790F000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA6FB5000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA6A4C000 \SystemRoot\System32\Drivers\HTTP.sys
0xA67D1000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
616 C:\WINDOWS\system32\smss.exe
676 csrss.exe
716 C:\WINDOWS\system32\winlogon.exe
788 C:\WINDOWS\system32\services.exe
808 C:\WINDOWS\system32\lsass.exe
1012 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ISSCAN\psksvc.exe
1068 C:\WINDOWS\system32\svchost.exe
1164 svchost.exe
1208 C:\WINDOWS\system32\svchost.exe
1304 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1440 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1584 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
184 svchost.exe
276 svchost.exe
292 C:\WINDOWS\explorer.exe
1108 C:\WINDOWS\system32\spoolsv.exe
256 svchost.exe
340 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
352 C:\Program Files\Bonjour\mDNSResponder.exe
656 C:\WINDOWS\system32\svchost.exe
428 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2160 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
2248 C:\WINDOWS\system32\svchost.exe
2272 C:\WINDOWS\system32\svchost.exe
2316 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2424 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2456 C:\WINDOWS\system32\svchost.exe
3332 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
640 C:\WINDOWS\system32\ctfmon.exe
2852 alg.exe
3600 C:\Program Files\Mozilla Firefox\firefox.exe
2916 C:\Program Files\Mozilla Firefox\plugin-container.exe
3264 C:\Documents and Settings\New User\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2040AH, Rev: 00000096

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

PREFORMAT

Partition ID: Disk #0, Partition #0
Size: 37.26 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Default System BIOS
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


#4 Noviciate

  • Malware Response Team

Posted 02 August 2010 - 02:23 PM

Good evening.

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have different Master Boot Records and overwriting the MBR with a standard one may result in the PC becoming unbootable or in some of the Manufacturer installed options such as Factory Restore becoming disabled.

If you tell me what make and model the PC is and whether you have the Windows installation disc, I'll try to find out if the fix is likely to adversely affect your machine.

So long, and thanks for all the fish.

 

 


#5 Kevy Duty
  • Topic Starter

  • Members

Posted 02 August 2010 - 09:22 PM

This is a Dell Latitude D610. I purchased it, refurbished, from a friend and she would have the installation disk, which I could probably get access to if it seems worthwhile.

. . . or I could probably purchase another used Dell from her for about $250. I'll trust your input on which would be the best option to proceed. Thanks.

Edited by Kevy Duty, 02 August 2010 - 09:22 PM.


#6 Noviciate

  • Malware Response Team

Posted 03 August 2010 - 02:44 PM

Good evening.

My best guess, and it should be stressed that it is a guess (although somewhat informed), is that you'll be OK with the fix.

There are two concerns when playing around with Dell PCs:

1) Damaging Dell System Restore. Some Dell PCs have this boot option which allows a PC to be reset to its Factory Settings and is accessed via a custom MBR, and replacing the infected one with a standard MBR leaves DSR unavailable. As your PC doesn't have the partition that would hold DSR, it can't be affected as it doesn't exist on your machine - simple really!

2) Leaving the PC unbootable. The MBR points to the location of your Operating System and your PC relies on this information to enable it to load Windows at boot time. If the original MBR was a custom one and you replace the infected MBR with a standard one, the PC won't be able to load Windows and you have a reasonably expensive paperweight.

While number 2 won't damage the PC itself, and you can reinstall Windows assuming you get hold of the installation disc from your friend, it will render your existing installation deaded. Reinstalling Windows will overwrite your existing installation and leave any personal data you had onboard very difficult to retrieve as it will need a data recovery company and some cold hard cash to do.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The reasons I have for thinking that you'll be OK are as follows:

1) I helped fix a Dell Latitude D620 with the same issue, which didn't have a Recovery Partition so it was a similar setup to yours, and there was no problem.

2) Your friend probably reinstalled Windows from the disc before she sold you the PC. I've done the same with a Dell lappy that I passed on to a member of my family, and on my PC it left the machine with a standard MBR - it was Vista, but I don't see that having XP makes any difference.

My best advice is to first back up any important data as it is better to be safe rather than sorry when you play with the MBR anyway.
I'd then call your friend and check that you can get hold of an installation disc. I would get this regardless of whether you will actually need it or not, unless she wants paying and then you'll have to decide whether it's worth having the lifeline that it may offer in the future close to hand.
Finally I'd let me walk you through replacing the MBR and then we'll both know if I was right or not. Obviously I'll leave it to you to decide what's right for you.

So long, and thanks for all the fish.
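As an added illustration of what the two posts above describe (not code from the thread, from MBRCheck or from Preformat): a small Python checker that takes a 512-byte MBR sector already dumped to a file or buffer, verifies the 0x55AA boot signature, decodes the partition table to find the partition the PC boots from, and fingerprints only the boot-code area with SHA1, which is the part a bootkit rewrites while leaving the partition table alone so Windows still boots. The two sample sectors, their placeholder boot code and the "clean baseline" hash are constructed; the one real value is the SHA1 that MBRCheck printed for the faked MBR code in this thread, used as a known-bad fingerprint. It never touches a real disk.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the boot code; 440..445 disk signature/padding
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"     # bytes 510..511 of every valid MBR

# SHA1 that MBRCheck printed for the faked MBR code in this thread
# (Whistler / Black Internet); used here as a known-bad fingerprint.
KNOWN_BAD_BOOTCODE_SHA1 = {"4c73f18103c9beec7a59697f7c30e616317435f9"}


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_gb(self) -> float:
        return self.sectors * SECTOR / 1024 ** 3


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, sectors) tuples.
    CHS fields are zero-filled; only the LBA fields matter here. Constructed test data."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[: len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(entries[:4]):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        struct.pack_into("<B3sB3sII", sector, off, 0x80 if bootable else 0x00,
                         b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries, skipping empty (type 0x00) slots."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_a, ptype, _chs_b, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype != 0x00:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def bootcode_sha1(mbr: bytes) -> str:
    """Fingerprint only the boot-code area, so a changed disk signature or partition
    table does not mask a change to the code that runs at boot."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()


def assess_mbr(mbr: bytes, baseline_sha1: Optional[str] = None) -> dict:
    """Return the boot-code hash, the decoded partitions and a list of findings.
    An empty findings list means nothing suspicious was seen."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    digest = bootcode_sha1(mbr)
    if digest in KNOWN_BAD_BOOTCODE_SHA1:
        findings.append("boot code matches a known infection fingerprint")
    elif baseline_sha1 is not None and digest != baseline_sha1:
        findings.append("boot code differs from the recorded clean baseline")
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return {"sha1": digest, "partitions": parts, "findings": findings, "clean": not findings}


# Constructed samples. The boot code is placeholder bytes, not real x86 code.
# The single NTFS (0x07) partition starts at LBA 63 (byte offset 0x7E00, as in the
# MBRCheck output above) and is sized to come out at 37.26 GB like the Preformat report.
NTFS_C_DRIVE = [(True, 0x07, 63, 78_132_096)]
CLEAN_MBR = build_mbr(b"\x90" * 64, NTFS_C_DRIVE)
# A bootkit rewrites the boot code and leaves the partition table alone, so Windows
# still boots and the only visible difference is the hash of the first 440 bytes.
TAMPERED_MBR = build_mbr(b"\xcc" * 64, NTFS_C_DRIVE)


def report(mbr: bytes, baseline_sha1: Optional[str]) -> str:
    r = assess_mbr(mbr, baseline_sha1)
    lines = [f"boot code SHA1: {r['sha1']}"]
    for p in r["partitions"]:
        flag = "boots from this partition" if p.bootable else "not active"
        lines.append(f"  partition #{p.index}: type 0x{p.type_id:02X}, LBA {p.lba_start}, "
                     f"{p.size_gb:.2f} GB, {flag}")
    lines.extend(f"  ! {f}" for f in r["findings"])
    lines.append("verdict: " + ("clean" if r["clean"] else "suspicious"))
    return "\n".join(lines)


if __name__ == "__main__":
    baseline = bootcode_sha1(CLEAN_MBR)   # recorded while the machine was known clean
    print(report(CLEAN_MBR, baseline))
    print(report(TAMPERED_MBR, baseline))
```

Recording the boot-code hash of a known-clean machine and re-checking it later is the defensive counterpart of what MBRCheck does with its list of known MBR codes.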

 

 


#7 Kevy Duty
  • Topic Starter

  • Members

Posted 03 August 2010 - 03:00 PM

I'm fine with that, let's replace the MBR. I've already got everything backed up and am ready to go.

#8 Noviciate

  • Malware Response Team

Posted 03 August 2010 - 03:22 PM

Go Team!

Run MBRCheck.exe again but, when prompted, enter Y this time for further options.
At the "Options" prompt enter 2 - this will overwrite the malicious boot code.
When asked for the "Physical Drive Number", enter 0
When asked for the "MBR Code to write", enter 1
Enter YES to confirm your actions.

Please reboot your PC and let me have the contents of the new text file that will have been created on your Desktop.

So long, and thanks for all the fish.

 

 


#9 Kevy Duty
  • Topic Starter

  • Members

Posted 03 August 2010 - 06:23 PM

Ok, it rebooted!

Here's the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 135):

Processes (total 38):
0 System Idle Process
4 System
604 C:\WINDOWS\system32\smss.exe
680 csrss.exe
724 C:\WINDOWS\system32\winlogon.exe
796 C:\WINDOWS\system32\services.exe
808 C:\WINDOWS\system32\lsass.exe
980 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ISSCAN\psksvc.exe
1040 C:\WINDOWS\system32\svchost.exe
1168 svchost.exe
1208 C:\WINDOWS\system32\svchost.exe
1312 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1384 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1752 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1876 C:\WINDOWS\explorer.exe
448 svchost.exe
484 svchost.exe
1140 C:\WINDOWS\system32\spoolsv.exe
1656 svchost.exe
1688 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1704 C:\Program Files\Bonjour\mDNSResponder.exe
2112 C:\WINDOWS\system32\svchost.exe
2228 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2360 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
2524 C:\WINDOWS\system32\svchost.exe
2540 C:\WINDOWS\system32\svchost.exe
2568 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2648 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2684 C:\WINDOWS\system32\svchost.exe
3600 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
2076 alg.exe
3480 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3232 C:\WINDOWS\system32\ctfmon.exe
3216 wmiprvse.exe
3364 C:\Program Files\Mozilla Firefox\firefox.exe
648 C:\Program Files\Mozilla Firefox\plugin-container.exe
3136 C:\Documents and Settings\New User\Desktop\MBRCheck.exe
544 C:\WINDOWS\system32\taskmgr.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2040AH, Rev: 00000096

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 04 August 2010 - 02:24 PM

Good evening.

I have to admit, I did begin to wonder...

OK, I assume that as the PC rebooted that all is well with it as far as the nasty is concerned, but I'd like you to run MBRCheck one last time and let me have the text file that it creates.
In theory you should be prompted to press <ENTER> once the scan has completed as there should be no nasty to cause you to be offered further options.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd also like you to run the following, just to check your hard drive for other nasties and post accordingly:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

#11 Kevy Duty

Kevy Duty
  • Topic Starter

  • Members
  • 14 posts

Posted 04 August 2010 - 02:45 PM

It did reboot but I am still experiencing the redirect. I will post a new MBR Check log when I get back to the computer tonight, about 7:30 EST.

#12 Kevy Duty

Kevy Duty
  • Topic Starter

  • Members
  • 14 posts

Posted 04 August 2010 - 09:26 PM

Sorry, took a little longer to get online. Here is my latest MBRCheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 136):

Processes (total 36):
0 System Idle Process
4 System
620 C:\WINDOWS\system32\smss.exe
680 csrss.exe
740 C:\WINDOWS\system32\winlogon.exe
800 C:\WINDOWS\system32\services.exe
812 C:\WINDOWS\system32\lsass.exe
1032 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ISSCAN\psksvc.exe
1104 C:\WINDOWS\system32\svchost.exe
1176 svchost.exe
1216 C:\WINDOWS\system32\svchost.exe
1272 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1352 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1388 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
2036 svchost.exe
184 C:\WINDOWS\explorer.exe
256 svchost.exe
744 C:\WINDOWS\system32\spoolsv.exe
2088 svchost.exe
2116 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2128 C:\Program Files\Bonjour\mDNSResponder.exe
2340 C:\WINDOWS\system32\svchost.exe
2368 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2492 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
2648 C:\WINDOWS\system32\svchost.exe
2668 C:\WINDOWS\system32\svchost.exe
2696 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2808 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2840 C:\WINDOWS\system32\svchost.exe
3728 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
4072 C:\WINDOWS\system32\wuauclt.exe
2592 alg.exe
2428 C:\Program Files\mSpot\mSpot\mSpot.exe
3228 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3364 C:\WINDOWS\system32\ctfmon.exe
3632 C:\Documents and Settings\New User\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2040AH, Rev: 00000096

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
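As an added example (not code from the thread or from MBRCheck), a baseline-and-compare check of the kind both MBRCheck logs above perform: hash the 440 bytes of boot code, parse the partition table and report a sector whose code no longer matches the trusted copy, which is what a SHA1 that is back to the flagged value after the rewrite and reboot tells the helper here. Every sector, boot-code byte string, disk signature and partition size in it is constructed.

```python
"""Parse a raw 512-byte MBR and compare it with a trusted baseline, the check MBRCheck does
with its SHA1 of the boot code. Added example, not MBRCheck's code; all data is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 boot code, 440..443 disk signature, 446..509 partition table
PART_TABLE_OFF = 446
MBR_SIGNATURE = b"\x55\xAA"
PART_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code hash, disk signature, partition entries and 0x55AA marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype:  # type 0 marks an unused slot
            partitions.append((status == 0x80, ptype, lba_start, count))
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
        "valid_signature": sector[510:] == MBR_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Findings that separate the current MBR from the trusted baseline; empty means unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("0x55AA boot signature missing")
    if cur["boot_code_sha1"] != base["boot_code_sha1"]:
        findings.append(f"boot code changed: SHA1 {base['boot_code_sha1']} -> {cur['boot_code_sha1']}")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed MBR sector for testing; it is not bootable code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = struct.pack("<I", disk_sig)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack(PART_FMT, 0x80 if bootable else 0, ptype, lba_start, count)
    sector[510:] = MBR_SIGNATURE
    return bytes(sector)


# Constructed layout: one bootable NTFS (0x07) partition at sector 63, i.e. the 0x7E00 offset in the log.
LAYOUT = [(True, 0x07, 63, 78_140_160)]
GOOD_BOOT_CODE = b"\x33\xC0\x8E\xD0" + b"\x90" * 60      # constructed stand-in for standard boot code
TAMPERED_BOOT_CODE = b"\xEB\x58" + b"\xCC" * 60          # constructed stand-in for replaced boot code
BASELINE_MBR = build_mbr(GOOD_BOOT_CODE, 0x1A2B3C4D, LAYOUT)
REINFECTED_MBR = build_mbr(TAMPERED_BOOT_CODE, 0x1A2B3C4D, LAYOUT)   # same table, different code


def check_after_reboot() -> list:
    """As in the thread: a post-fix MBR whose code hash differs from the baseline means the fix did not hold."""
    return compare_mbr(BASELINE_MBR, REINFECTED_MBR)
```

A baseline recorded right after a successful rewrite, compared at each boot, separates a fix that held from one that was undone before the next logon.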

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 05 August 2010 - 02:22 PM

Good evening. smile.gif

Not what I was hoping to see. How easy would it be for you to get hold of the Windows installation disc, because that offers another method of resetting the MBR that may prove more effective?

So long, and thanks for all the fish.

#14 Kevy Duty

Kevy Duty
  • Topic Starter

  • Members
  • 14 posts

Posted 05 August 2010 - 02:33 PM

I'll see what I can do. Be back as soon as I figure it out.

#15 Kevy Duty

Kevy Duty
  • Topic Starter

  • Members
  • 14 posts

Posted 05 August 2010 - 02:45 PM

Ok, I should be able to have the disk shortly. You can proceed with the next step.



