
RANDOM AUDIO VIRUS: DDT AND GMER LOGS


9 replies to this topic

#1 drjbkk

drjbkk

  • Members
  • 21 posts

Posted 03 August 2010 - 08:12 AM

Went to a UN website as I have each day for many years, clicked nothing, got the redirect game, cleaned it first with Malwarebytes, but it's left a random audio virus which interrupts all audio (including Skype and other calls). Here are the DDS and GMER reports:

HERE IS DDS:
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
svchost.exe 4
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe 4
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Athan\Athan.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\JOSEPH REILLY\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph01104725l0374wuj5w8742319p
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph01104725l0374wuj5w8742319p
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph01104725l0374wuj5w8742319p
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Athan] c:\program files\athan\Athan.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: kent.edu
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joseph~1\applic~1\mozilla\firefox\profiles\sbkyc3tf.default\
FF - plugin: c:\documents and settings\joseph reilly\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\joseph reilly\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-20 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-20 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-20 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-20 56816]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]
R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-9-11 145152]
S2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2010-6-7 114688]
S3 AllShare;SAMSUNG AllShare Service;c:\program files\samsung\samsung pc share manager\WiselinkPro.exe [2010-4-23 9241088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1691480]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2010-6-7 103424]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 30192]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-1-27 9216]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 TotRec8;Total Recorder WDM audio filter driver;\??\c:\windows\system32\drivers\totrec8.sys --> c:\windows\system32\drivers\TotRec8.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

=============== Created Last 30 ================

2010-07-30 20:52:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 20:52:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-30 20:52:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 19:00:04 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-24 14:18:29 411480 ----a-w- c:\windows\system32\tsccvid.dll
2010-07-24 14:18:27 0 d-----w- c:\windows\system32\QuickTime
2010-07-23 17:48:50 0 d-----w- c:\documents and settings\joseph reilly\Bluetooth Software
2010-07-08 00:52:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-07-07 17:59:28 0 d-----w- C:\PCShareManagerUpload
2010-07-07 17:58:42 0 d-----w- c:\program files\Samsung
2010-07-03 15:15:09 0 d-----w- c:\windows\Internet Logs
2010-07-03 14:59:58 0 d-----w- c:\program files\common files\Deterministic Networks
2010-07-03 14:59:54 0 d-----w- c:\program files\Cisco Systems
2010-07-03 14:59:30 1594 ----a-w- c:\windows\VPNInstall.MIF

==================== Find3M ====================

2010-06-09 23:58:21 737280 ----a-w- c:\windows\iun6002.exe
2010-05-17 14:07:21 103509 ----a-w- c:\windows\hpoins04.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2008-03-10 18:18:44 27048 ----a-w- c:\program files\Read_Me.htm
2007-03-14 16:15:40 10091 ----a-w- c:\program files\EULA.txt
2009-08-01 08:54:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2010-01-21 12:41:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010012120100122\index.dat

============= FINISH: 7:53:39.37 ===============

HERE IS GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-03 05:08:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\kfldypow.sys


---- System - GMER 1.0.15 ----

SSDT F7DC0B0E ZwCreateKey
SSDT F7DC0B04 ZwCreateThread
SSDT F7DC0B13 ZwDeleteKey
SSDT F7DC0B1D ZwDeleteValueKey
SSDT F7DC0B22 ZwLoadKey
SSDT F7DC0AF0 ZwOpenProcess
SSDT F7DC0AF5 ZwOpenThread
SSDT F7DC0B2C ZwReplaceKey
SSDT F7DC0B27 ZwRestoreKey
SSDT F7DC0B18 ZwSetValueKey
SSDT F7DC0AFF ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[856] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3828] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 856
Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 3208
Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 3828

---- EOF - GMER 1.0.15 ----


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 03 August 2010 - 03:14 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to press <ENTER> to exit.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.


#3 drjbkk

drjbkk
  • Topic Starter

  • Members
  • 21 posts

Posted 07 August 2010 - 11:06 AM

Sorry for the delay, as I was offline for a week. Here are the MBRCheck contents and the Preformat.txt report. Thank you for any help. Problem seems to be getting worse and worse.
MBRCHECK:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 166):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7C7D000 \WINDOWS\system32\KDCOM.DLL
0xF7B8D000 \WINDOWS\system32\BOOTVID.dll
0xF772E000 ACPI.sys
0xF7C7F000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF771D000 pci.sys
0xF777D000 isapnp.sys
0xF7B91000 compbatt.sys
0xF7B95000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7D45000 pciide.sys
0xF79FD000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7C81000 aliide.sys
0xF7C83000 intelide.sys
0xF7C85000 toside.sys
0xF7C87000 viaide.sys
0xF7C89000 cmdide.sys
0xF778D000 MountMgr.sys
0xF76FE000 ftdisk.sys
0xF7A05000 PartMgr.sys
0xF7B99000 ACPIEC.sys
0xF7D46000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF779D000 VolSnap.sys
0xF7B9D000 cpqarray.sys
0xF76E6000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7618000 iaStor.sys
0xF7600000 atapi.sys
0xF7BA1000 aha154x.sys
0xF7A0D000 sparrow.sys
0xF7BA5000 symc810.sys
0xF77AD000 aic78xx.sys
0xF7BA9000 dac960nt.sys
0xF77BD000 ql10wnt.sys
0xF7BAD000 amsint.sys
0xF7A15000 asc.sys
0xF7BB1000 asc3550.sys
0xF7A1D000 mraid35x.sys
0xF7A25000 i2omp.sys
0xF7BB5000 ini910u.sys
0xF77CD000 ql1240.sys
0xF77DD000 aic78u2.sys
0xF7A2D000 symc8xx.sys
0xF7A35000 sym_hi.sys
0xF7A3D000 sym_u3.sys
0xF7A45000 ABP480N5.SYS
0xF7A4D000 asc3350p.sys
0xF7C8B000 cd20xrnt.sys
0xF77ED000 ultra.sys
0xF75E7000 adpu160m.sys
0xF7A55000 dpti2o.sys
0xF77FD000 ql1080.sys
0xF780D000 ql1280.sys
0xF781D000 ql12160.sys
0xF7A5D000 perc2.sys
0xF7C8D000 perc2hib.sys
0xF7A65000 hpn.sys
0xF7BB9000 cbidf2k.sys
0xF75BB000 dac2w2k.sys
0xF782D000 disk.sys
0xF783D000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF759B000 fltMgr.sys
0xF7589000 sr.sys
0xF7572000 KSecDD.sys
0xF755F000 WudfPf.sys
0xF74D2000 Ntfs.sys
0xF74A5000 NDIS.sys
0xF784D000 sisagp.sys
0xF785D000 viaagp.sys
0xF748B000 Mup.sys
0xF786D000 alim1541.sys
0xF787D000 amdagp.sys
0xF788D000 agp440.sys
0xF789D000 agpCPQ.sys
0xF78CD000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF53EB000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF53D7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF53AF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF51D2000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF78DD000 \SystemRoot\system32\DRIVERS\l1c51x86.sys
0xF7B6D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF51AE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B75000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF740A000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF78ED000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B7D000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0xF7B85000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF517D000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7CB9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78FD000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF510C000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF7A75000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF6A7B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF501B000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF4FFC000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xF7DDB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF790D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6A77000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF4FE5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF791D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF792D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7A85000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF4FD4000 \SystemRoot\system32\DRIVERS\psched.sys
0xF793D000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7A8D000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7A95000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF794D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7CBB000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF4FB1000 \SystemRoot\system32\DRIVERS\ks.sys
0xF4F53000 \SystemRoot\system32\DRIVERS\update.sys
0xF6A6B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF59A1000 \SystemRoot\system32\DRIVERS\btport.sys
0xF799D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9A0D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA7DC9000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA7DA5000 \SystemRoot\system32\drivers\portcls.sys
0xA99FD000 \SystemRoot\system32\drivers\drmk.sys
0xA7D9D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7D05000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7E88000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D07000 \SystemRoot\System32\Drivers\Beep.SYS
0xA95AA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA95A2000 \SystemRoot\System32\drivers\vga.sys
0xF7D09000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D0B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA959A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA9592000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA7D81000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA7CE2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA7C89000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA7C39000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA7C13000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA7BF1000 \SystemRoot\System32\drivers\afd.sys
0xA99DD000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA958A000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xA7BC6000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA7B56000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA7D8D000 \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
0xA99AD000 \SystemRoot\System32\Drivers\Fips.SYS
0xA7B3A000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF7D0F000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xA7B16000 \SystemRoot\System32\Drivers\M3000KNT.sys
0xA9271000 \SystemRoot\System32\Drivers\STREAM.SYS
0xA6B9F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x99B95000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9B0C0000 \SystemRoot\System32\drivers\Dxapi.sys
0x99EE6000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0x9A2A5000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x99B81000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xA5ED8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x99B2C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x99A4C000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0x9999D000 \SystemRoot\system32\DRIVERS\srv.sys
0x992DE000 \SystemRoot\system32\drivers\wdmaud.sys
0x9937B000 \SystemRoot\system32\drivers\sysaudio.sys
0x9910F000 \SystemRoot\System32\Drivers\HTTP.sys
0xA01D5000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x97F52000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x96FFD000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
1192 C:\WINDOWS\system32\smss.exe
1240 csrss.exe
1264 C:\WINDOWS\system32\winlogon.exe
1312 C:\WINDOWS\system32\services.exe
1324 C:\WINDOWS\system32\lsass.exe
1504 C:\WINDOWS\system32\svchost.exe
1608 svchost.exe
1652 C:\WINDOWS\system32\svchost.exe
1700 C:\WINDOWS\system32\svchost.exe
1828 svchost.exe
1880 svchost.exe
432 C:\WINDOWS\system32\spoolsv.exe
484 C:\Program Files\Avira\AntiVir Desktop\sched.exe
528 svchost.exe
596 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
612 C:\WINDOWS\system32\ChgService.exe
632 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
736 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
764 C:\Program Files\Java\jre6\bin\jqs.exe
872 C:\WINDOWS\system32\svchost.exe
900 C:\Program Files\Acer\Acer VCM\RS_Service.exe
928 C:\WINDOWS\system32\svchost.exe
260 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
2200 C:\WINDOWS\system32\svchost.exe
2312 alg.exe
920 C:\PROGRA~1\LAUNCH~1\LManager.exe
1784 C:\WINDOWS\system32\igfxpers.exe
2088 C:\WINDOWS\system32\igfxsrvc.exe
2384 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2392 C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
2404 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2420 C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
2428 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
2484 C:\Program Files\Athan\Athan.exe
2608 C:\WINDOWS\system32\ctfmon.exe
2656 C:\WINDOWS\system32\igfxext.exe
3332 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
2800 C:\WINDOWS\explorer.exe
1048 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3364 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4004 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3516 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1060 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2688 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
152 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
1328 C:\Documents and Settings\JOSEPH REILLY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2592 C:\Documents and Settings\JOSEPH REILLY\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80500000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS545016B9A300, Rev: PBBOC60F

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 99C0C1D431636F575641B48E9D2D91668EDDAA4A


Found non-standard or infected MBR.



Partition ID: Disk #0, Partition #0
Size: 10 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 139.04 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #1, Partition #0
Size: 244.98 MB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Acer
Name: InsydeH2O Version V1.25
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:55 PM

Posted 07 August 2010 - 04:56 PM

Good evening.

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have custom Master Boot Records and overwriting the MBR with a standard one may result in some of the manufacturer-installed options such as Factory Restore becoming disabled.
The worst-case scenario is that the PC becomes unbootable and you have what is in effect an expensive paperweight, which although unlikely needs to be mentioned.

If you can tell me the make and model of the PC, and whether you have a Windows installation/Recovery disc or not, I will try to find out if the fix is likely to cause issues with your computer.

So long, and thanks for all the fish.

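Noviciate's explanation above concerns the boot code in the first sector of the disk, which MBRCheck hashed and matched against known-bad code. As an added example that is not part of the original thread and not MBRCheck's own code, the following Python script parses a raw 512-byte MBR, checks the 0x55AA boot signature, hashes the bootstrap code and compares the hash against a known-bad list, and lists the partition entries together with the active flag that MBRCheck reports as "The computer boots from this partition". The assumption that the first 440 bytes are what gets hashed is mine (MBRCheck's exact hashing scope is not documented here); the sample sector, its boot code and its partition sizes are constructed, and only the SHA-1 value copied from the MBRCheck output above is real.

```python
"""Parse a raw MBR sector, validate it, and check its boot code against
known-bad hashes. Added example for this thread, not MBRCheck's own code."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # assumption: bytes 0..439 are the hashed bootstrap code
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"  # bytes 510..511 of a valid MBR

# The SHA-1 MBRCheck reported for the infected machine in this thread
# (Whistler / Black Internet). Further entries would come from threat intel.
KNOWN_BAD_SHA1 = {"99C0C1D431636F575641B48E9D2D91668EDDAA4A".lower()}


def read_mbr(path: str) -> bytes:
    """Read the first sector from a device or image file (read-only).
    On the affected machine the path would be \\\\.\\PhysicalDrive0."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[510:512] == BOOT_SIG


def bootcode_sha1(mbr: bytes) -> str:
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes):
    """Return the four partition entries (empty ones included) as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,      # the "computer boots from this" flag
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "size_gb": count * 512 / 1024 ** 3,
        })
    return entries


def check_mbr(mbr: bytes, known_bad=KNOWN_BAD_SHA1):
    """Summarise what a responder wants to know about this sector."""
    digest = bootcode_sha1(mbr)
    return {
        "valid_signature": has_boot_signature(mbr),
        "bootcode_sha1": digest,
        "known_bad": digest in known_bad,
        "partitions": [p for p in parse_partitions(mbr) if p["type"] != 0],
    }


def build_sample_mbr(bootcode: bytes, parts) -> bytes:
    """Construct a synthetic MBR for demonstration (not a real disk image)."""
    sector = bytearray(SECTOR)
    code = bootcode[:BOOTCODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed layout mirroring the thread: a 10 GB recovery partition
# followed by a 139 GB bootable NTFS system partition.
GB_SECTORS = 1024 ** 3 // 512
SAMPLE_CLEAN = build_sample_mbr(
    b"\xeb\x3c\x90CONSTRUCTED-BOOTCODE",   # constructed filler, not real code
    [(False, 0x27, 2048, 10 * GB_SECTORS),
     (True, 0x07, 2048 + 10 * GB_SECTORS, 139 * GB_SECTORS)],
)

if __name__ == "__main__":
    import json
    print(json.dumps(check_mbr(SAMPLE_CLEAN), indent=2))
```

`read_mbr()` only reads, so pointing it at the raw disk (with administrative rights) gives a copy of the sector that can be saved before any replacement is attempted; comparing that copy's `bootcode_sha1()` against the clean twin machine is the same comparison Noviciate describes, done without writing anything.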

#5 drjbkk

drjbkk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:55 AM

Posted 07 August 2010 - 05:09 PM

I have an Acer Aspire One Netbook Model D250, XP SP3, CPU N280 Intel Atom 1.66, 1 GB RAM

Is there a way to track down those who do this and 1) arrest them 2) shoot them in the (*&$ing head?

What I can't understand is that I actually did not click anything, did not load anything, did not open anything... just a standard UN website that I visit every day without even clicking on any links therein.

Let me know if there is anything to do for the MBR without serious damage.
Thank you.

#6 drjbkk

drjbkk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:55 AM

Posted 07 August 2010 - 05:22 PM

Part 2 of the answer is...no recovery disk (tsk tsk). There is a service called Acer eRecovery Management

#7 drjbkk

drjbkk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:55 AM

Posted 07 August 2010 - 08:00 PM

Part 3 of my answer: we have another fine working Acer Aspire One, exact same model, purchased at the same time. Can I make a recovery disk on that one since it has the same MBR?

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:55 PM

Posted 08 August 2010 - 03:29 PM

Good evening.

QUOTE
Is there a way to track down those who do this and 1) arrest them 2) shoot them in the (*&$ing head?

I think you'll need to get in line.

QUOTE
What I can't understand is that I actually did not click anything, did not load anything, did not open anything... just a standard UN website that I visit every day without even clicking on any links therein.

Sadly that may have been enough - drive-by download

QUOTE
no recovery disk (tsk tsk).

Ah.

QUOTE
Can I make a recovery disk on that one since it has the same MBR?

In theory, yes. In practice I haven't ever tried it and so you would be a guinea-pig and your PC would be at risk of becoming an expensive paperweight.
There are various tools that have been written to allow an MBR to be backed up and then restored and I don't see that there would be a problem, as long as the two machines were identical, with getting the MBR from the clean machine and "transplanting" it.

I've asked the great and the good here for a second opinion as I don't think that blindly trusting me is a good idea and I'll let you know exactly what the score is as soon as I do - I prefer the idea of transplanting the MBR as I think that your machine has a custom MBR.

So long, and thanks for all the fish.


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:55 PM

Posted 09 August 2010 - 05:56 PM

Good evening.

At the minute nobody has posted that they have tried this, so it comes down to user choice - that's you then!

As I see it, you have various options:

1) Leave the PC as it is and learn to live with it. This isn't a great idea and some people report that the PC becomes more unstable with time which is a worry.
2) Replace the MBR with a standard one and hope that the machine boots OK. Your PC looks like it has a Recovery partition on it and it is likely that the Factory Restore option built into the system will be disabled as a result.
3) Transplant the MBR from another machine and hope that it boots OK.
4) Contact the PC vendor and see if they have an approved method of replacing the MBR in these sorts of circumstances.

Assuming that you wish to go with the MBR replacement in some form or another, one thing that I'm wondering about is that your machine shows one hard drive with MBRCheck, but two with Preformat.vbs - do you have two hard drives in your machine, or an external hard drive that you had connected at the time?

So long, and thanks for all the fish.


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:55 PM

Posted 13 August 2010 - 06:27 PM

As there has been no response for 5 days this thread is now closed.

So long, and thanks for all the fish.
