
Audio goes mute, IE popups w/ sounds every few sec


  • This topic is locked
26 replies to this topic

#1 lilstarhead

Posted 04 August 2010 - 06:12 PM

Symptoms:
Random Internet Explorer pop up ads
My wave control is near mute every few seconds.
I hear random clicking sounds in the background (like link clicks)
Random audio of advertisements playing in the background
Google links are redirected

I tried removing it with SUPERAntiSpyware and Malwarebytes but it doesn't work. And every time I try to run the GMER program, the computer shuts off saying a serious error occurred.

Here are the DDS logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by jyoo153 at 0:20:17.48 on 08/03/2010 Tue
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.1992.628 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe 4
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Pharos\Bin\PSNotify.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\student\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cpprod.stjohns.edu/
uWindow Title = Windows Internet Explorer provided by St. John's University
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [Google Update] "c:\documents and settings\student\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Fzomukemomo] rundll32.exe "c:\windows\odiroyuyevevamiw.dll",Startup
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\student\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pharos~1.lnk - c:\program files\pharos\bin\PSNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: stjohns.edu
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235748656812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237405955546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {91D4B4D5-E368-40AB-8F53-A37FA634B471} - hxxp://www.tellmemorecampus.com/bin/tol9inst.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\student\applic~1\mozilla\firefox\profiles\rylk9ohy.default\
FF - prefs.js: browser.startup.homepage - hxxp://cpprod.stjohns.edu/
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\all users\application data\nexon\ngm\npNxGame.dll
FF - plugin: c:\documents and settings\student\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\student\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {D589838B-C210-4EE7-8ABA-C589E327660E} - c:\documents and settings\student\local settings\application data\{D589838B-C210-4EE7-8ABA-C589E327660E}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-26 343664]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-6-10 19496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-8-31 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-2-26 70728]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-3-3 53248]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 360448]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-2-27 2058776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-29 24652]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-19 243856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-26 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-26 43288]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2008-3-4 23080]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S0 rpqhxkwj;rpqhxkwj;c:\windows\system32\drivers\covbowr.sys --> c:\windows\system32\drivers\covbowr.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-2-26 65448]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-5-18 11520]

=============== Created Last 30 ================

2010-08-03 04:14:21 0 ----a-w- c:\documents and settings\student\defogger_reenable
2010-07-13 22:31:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-08-03 04:07:12 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-08-02 11:57:53 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-08-02 11:57:53 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 14:45:10 32768 --sh--w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat

============= FINISH: 0:20:46.54 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/2/2009 2:55:17 AM
System Uptime: 8/2/2010 9:16:20 PM (3 hours ago)

Motherboard: LENOVO | | 7458CM1
Processor: Intel Pentium III Xeon processor | None | 2394/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 2.895 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Access Help
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.3
Adobe Shockwave Player 11
AIM 6
Akamai NetSession Interface
Apple Software Update
Ask Toolbar
BitTorrent
Conexant 20561 SmartAudio HD
Crazy Arcade
Critical Update for Windows Media Player 11 (KB959772)
DivX Setup
GOM Player
Google Chrome
Help Center
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® Network Connections Drivers
Intel® PROSet/Wireless WiFi Software
Intel® Active Management Technology
Intel® Trusted Platform Module
J2SE Development Kit 5.0 Update 11
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 15
Lenovo System Toolbox
Malwarebytes' Anti-Malware
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Message Center
Message Center Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mobile Broadband Connect
Move Media Player
Mozilla Firefox (3.5.11)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
On Screen Display
ooVoo
PhotoScape
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
Rainmeter (remove only)
Real Alternative 2.0.1
Rescue and Recovery
RocketDock 1.3.5
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
Spelling Dictionaries Support For Adobe Reader 9
SUPERAntiSpyware Free Edition
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem Adapter
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad TrackPoint Driver
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Outlook 2007 Junk Email Filter (kb2202131)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
WD SmartWare
WebFldrs XP
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
Youtube Downloader HD v. 1.8.1

==== Event Viewer Messages From Past Week ========

8/2/2010 5:07:42 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 2547ffff, parameter3 a11f3c8c, parameter4 00000000.
8/1/2010 9:25:25 AM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s).
8/1/2010 9:11:53 AM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
8/1/2010 9:05:24 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/1/2010 7:48:54 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 3 time(s).
8/1/2010 11:29:51 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 24c3c000, parameter3 ba247c8c, parameter4 00000000.
7/30/2010 8:09:33 AM, error: System Error [1003] - Error code 00000093, parameter1 00000634, parameter2 00000000, parameter3 00000000, parameter4 00000000.
7/28/2010 6:37:45 PM, error: iastor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
7/28/2010 6:01:16 PM, error: System Error [1003] - Error code 1000000a, parameter1 0000000c, parameter2 0000001c, parameter3 00000000, parameter4 804e7565.
7/28/2010 5:58:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/28/2010 4:35:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC Fips IBMTPCHK intelppm mfehidk SASDIFSV SASKUTIL StarOpen TPHKDRV TPPWRIF TSMAPIP tvtumon
7/28/2010 4:35:22 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
7/28/2010 4:35:22 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
7/28/2010 4:14:55 PM, error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/28/2010 4:14:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.

==== End Of File ===========================

Any help is appreciated, thanks.

Edited by Noviciate, 05 August 2010 - 05:30 PM.


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:43 AM

Posted 05 August 2010 - 05:32 PM

Good evening.

Please don't post logs using the Quote tags, or any others for that matter - it doesn't make the information any easier to read.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Can you tell me the make and model of the computer and also whether or not you have the Windows installation disc that some PCs come with.

So long, and thanks for all the fish.

#3 lilstarhead

  • Topic Starter
  • Members
  • 28 posts
  • Local time:03:43 AM

Posted 05 August 2010 - 08:24 PM

Got it, sorry about that. ^^;


Here are the text files-

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004

Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9E31000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E11000 fltmgr.sys
0xBA0F8000 PxHelp20.sys
0xB9DFA000 KSecDD.sys
0xB9D6D000 Ntfs.sys
0xB9D40000 NDIS.sys
0xB9D21000 Apsx86.sys
0xBA338000 ApsHM86.sys
0xB9D07000 Mup.sys
0xB9CB5000 mfehidk.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB89F7000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB89E3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA2E8000 \SystemRoot\system32\DRIVERS\HECI.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9C34000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB89A5000 \SystemRoot\system32\DRIVERS\e1y5132.sys
0xBA430000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8981000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA438000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8959000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB85E2000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0xBA308000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA440000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA318000 \SystemRoot\system32\DRIVERS\tp4track.sys
0xBA128000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB84FF000 \SystemRoot\System32\Drivers\wdf01000.sys
0xBA460000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB9BC8000 \SystemRoot\system32\DRIVERS\tpm.sys
0xB9BC0000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA470000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xB9BB8000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB9BB4000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xBA7E7000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB901C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9BB0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7D67000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB900C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8FFC000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA480000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7B24000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8FEC000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA490000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA498000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7AF4000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8FDC000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\psadd.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\Tvti2c.sys
0xBA5EA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7AA9000 \SystemRoot\system32\DRIVERS\ks.sys
0xB7A4B000 \SystemRoot\system32\DRIVERS\update.sys
0xB9C91000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA198000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA6E65000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA640000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA32D1000 \SystemRoot\system32\drivers\CHDAU32.sys
0xA32AD000 \SystemRoot\system32\drivers\portcls.sys
0xA5ACA000 \SystemRoot\system32\drivers\drmk.sys
0xA3279000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xA30C9000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xA3016000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xA68F4000 \SystemRoot\System32\Drivers\Modem.SYS
0x9F41F000 \SystemRoot\system32\DRIVERS\tvtumon.sys
0xBA62E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA000F000 \SystemRoot\System32\Drivers\Null.SYS
0xBA630000 \SystemRoot\System32\Drivers\Beep.SYS
0x9FA70000 \SystemRoot\System32\drivers\vga.sys
0xBA632000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA634000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9FA68000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9FA60000 \SystemRoot\System32\Drivers\Npfs.SYS
0x9FEB2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9DF62000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9DF09000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9DEE3000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9F40F000 \SystemRoot\system32\drivers\mfetdik.sys
0x9F3FF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9DEBB000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9DE99000 \SystemRoot\System32\drivers\afd.sys
0x9F3EF000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9FA58000 \SystemRoot\System32\Drivers\StarOpen.SYS
0x9FA50000 \SystemRoot\System32\drivers\TSMAPIP.SYS
0x9FA48000 \SystemRoot\System32\drivers\Tppwrif.sys
0x9F0FE000 \SystemRoot\system32\DRIVERS\TPHKDRV.sys
0x9DE57000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x9F0F6000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x9DE2C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9DDBC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA636000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
0x9EC42000 \SystemRoot\System32\Drivers\Fips.SYS
0x9FEA2000 \SystemRoot\System32\drivers\ANC.SYS
0x9E005000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x9DD9E000 \SystemRoot\System32\Drivers\usbvideo.sys
0x9DCC4000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA6829000 \SystemRoot\System32\drivers\Dxapi.sys
0x9DFD5000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xA3A58000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF296000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA1D1F000 \SystemRoot\system32\DRIVERS\tvtfilter.sys
0x9DFB5000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA683D000 \SystemRoot\system32\DRIVERS\s24trans.sys
0x9DBDF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9DAC0000 \SystemRoot\system32\DRIVERS\srv.sys
0x9DB8B000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0x9F0B2000 \??\C:\WINDOWS\System32\drivers\pmemnt.sys
0xA3CBD000 \??\C:\WINDOWS\TEMP\mc21.tmp
0x9D19B000 \SystemRoot\system32\drivers\wdmaud.sys
0x9D2C8000 \SystemRoot\system32\drivers\sysaudio.sys
0x9AD19000 \SystemRoot\system32\drivers\mfeavfk.sys
0x9AC03000 \SystemRoot\System32\Drivers\HTTP.sys
0x9668F000 \SystemRoot\system32\drivers\kmixer.sys
0x9223F000 \SystemRoot\system32\drivers\mfeapfk.sys
0x9D378000 \SystemRoot\system32\drivers\mfebopk.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 93):
0 System Idle Process
4 System
900 C:\WINDOWS\system32\smss.exe
960 C:\WINDOWS\system32\csrss.exe
996 C:\WINDOWS\system32\winlogon.exe
1040 C:\WINDOWS\system32\services.exe
1060 C:\WINDOWS\system32\lsass.exe
1236 C:\WINDOWS\system32\ibmpmsvc.exe
1268 C:\WINDOWS\system32\svchost.exe
1336 C:\WINDOWS\system32\svchost.exe
1480 C:\WINDOWS\system32\svchost.exe
1592 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
1648 C:\WINDOWS\system32\svchost.exe
1668 C:\WINDOWS\system32\svchost.exe
1780 C:\WINDOWS\system32\svchost.exe
1800 C:\WINDOWS\system32\svchost.exe
240 C:\WINDOWS\system32\spoolsv.exe
320 C:\WINDOWS\system32\svchost.exe
380 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
512 C:\WINDOWS\system32\svchost.exe
592 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
644 C:\Program Files\Java\jre6\bin\jqs.exe
700 C:\Program Files\Intel\AMT\LMS.exe
740 C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
832 C:\Program Files\McAfee\Common Framework\FrameworkService.exe
1112 C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
1400 C:\WINDOWS\system32\mfevtps.exe
1444 C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
1632 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
1884 C:\WINDOWS\system32\rpcnet.exe
2008 C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
808 C:\WINDOWS\system32\svchost.exe
828 C:\WINDOWS\system32\svchost.exe
920 C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
1432 C:\WINDOWS\system32\TPHDEXLG.exe
1576 C:\WINDOWS\system32\TpKmpSvc.exe
1880 C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
1956 C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
2076 C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
2116 C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
2180 C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
2328 C:\Program Files\Viewpoint\Common\ViewpointService.exe
2436 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
2496 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
2624 C:\WINDOWS\system32\svchost.exe
2640 C:\WINDOWS\system32\searchindexer.exe
2696 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
2744 C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
2824 C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
2848 C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
3208 C:\WINDOWS\system32\wbem\wmiprvse.exe
3800 C:\WINDOWS\explorer.exe
3852 C:\WINDOWS\system32\ctfmon.exe
944 C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
2140 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
2168 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
2192 C:\WINDOWS\system32\igfxtray.exe
2228 C:\WINDOWS\system32\hkcmd.exe
2252 C:\Program Files\McAfee\Common Framework\McTray.exe
2372 C:\WINDOWS\system32\igfxpers.exe
2488 C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
2512 C:\WINDOWS\system32\igfxsrvc.exe
2756 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
3048 C:\WINDOWS\system32\TpShocks.exe
3056 C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
2888 C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
3152 C:\Program Files\Lenovo\ZOOM\TpScrex.exe
3184 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
3228 C:\WINDOWS\system32\rundll32.exe
3272 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.EXE
1544 C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.EXE
3448 C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
3820 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
3848 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
4024 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
1460 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
3580 C:\Program Files\RocketDock\RocketDock.exe
3744 C:\Program Files\Pharos\Bin\PSNotify.exe
4040 C:\Program Files\Rainmeter\Rainmeter.exe
3032 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
784 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
2404 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
3000 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
6112 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
5812 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
5352 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.EXE
5392 C:\WINDOWS\system32\conime.exe
500 C:\Program Files\Mozilla Firefox\firefox.exe
5404 C:\Program Files\Internet Explorer\iexplore.exe
2016 C:\WINDOWS\system32\sndvol32.exe
4012 C:\Program Files\Internet Explorer\iexplore.exe
5056 C:\Program Files\Internet Explorer\iexplore.exe
4492 C:\Documents and Settings\student\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00762000 (NTFS)

PhysicalDrive0 Model Number: HITACHIHTS723216L9SA60, Rev: FC2ZC50B

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 680C3DFB3AF5C02B7E098CA7B25CA73D63745DC5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

----------


Partition ID: Disk #0, Partition #0
Size: 149.04 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: LENOVO
Name: Ver 1.00PARTTBL
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


This is a lenovo x200 thinkpad laptop and no, I don't have the windows installation disc.


#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:43 AM

Posted 06 August 2010 - 05:25 PM

Good evening.

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have different Master Boot Records and overwriting the MBR with a standard one may result in the PC becoming unbootable.
While the PC won't actually be damaged in any real sense, the operating system could fail to load and that will render your machine as good as useless.
As you don't have any way of reinstalling Windows should something go wrong, you should be aware that there is a possibility that your PC will become an expensive paperweight.

Please ask me any questions you have and let me know if you are willing to undertake the fix.

So long, and thanks for all the fish.

#5 lilstarhead

  • Topic Starter
  • Members
  • 28 posts
  • Local time:03:43 AM

Posted 06 August 2010 - 11:10 PM

That doesn't sound good at all. :\

Is it possible for me to use any Windows installation disc? Like one that was from another computer? And is replacing the MBR costly? What kind of steps would I have to take to undo the alterations? Would reformatting the PC get rid of the changes made to the MBR? Or System Restore?

Also, is there any way I can make this laptop usable until Dec/Jan? I'll be getting a new one around that time but I need this for school until then. Is there any program that would help if replacing the MBR is not an option?

Thanks so much for your help.

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:43 AM

Posted 07 August 2010 - 04:03 PM

Good evening.

QUOTE
Is it possible for me to use any Windows installation disc? Like one that was from another computer?

The Windows installation disc would only be necessary as a second string in attempting a clean overwrite of the MBR or as a safety net if things went badly wrong and Windows needed to be reinstalled.
For the MBR overwrite any XP installation disc that provides the Recovery Console is OK. For an installation, I don't know.

QUOTE
And is replacing the MBR costly?

Is "free" too expensive for you?

QUOTE
What kind of steps would I have to take to undo the alterations?

You need to overwrite the MBR to "kill" the nasty. There are two methods - one involves the use of an installation disc and something called the Recovery Console and the other is with MBRCheck.

QUOTE
Would reformatting the PC get rid of the changes made to the MBR?

If replacing the MBR with a default one "breaks" Windows then, although your operating System is borked, the MBR is clean. Reinstalling Windows completes the fix - if a reinstallation can be called a fix.

QUOTE
Also, is there any way I can make this laptop usable until Dec/Jan?

If you turn the sound down, is the PC usable?

QUOTE
Is there any program that would help if replacing the MBR is not an option?

The only way to remove the nasty is to repair the MBR.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In theory your computer should be OK as it only has one partition so I would expect a standard MBR. The problem is that I don't know that this is the case for certain and there is always a possibility that something may go wrong and the MBR could become corrupt.
If the PC came with an XP installation disc and hence you had access to the Recovery Console you could have a second attempt at repairing the MBR and then reinstall Windows as a final option.

The method I would use would be to run MBRCheck and allow it to rewrite the MBR. The PC then needs to be rebooted and hopefully it should start as normal and now be clean. Should it not restart then you would use a Windows installation disc and try to rewrite the MBR again. If that didn't allow the PC to reboot you would need to reinstall Windows to sort things out.

Can you get hold of an XP installation disc?

So long, and thanks for all the fish.

#7 lilstarhead

  • Topic Starter
  • Members
  • 28 posts
  • Local time:03:43 AM

Posted 07 August 2010 - 07:03 PM

Thank you! That clears up a lot. :D

I can try to get hold of an XP installation disc. I'm going to ask my friends to see if they have one but I can't guarantee it. Is it likely that I would need it?

And no, the PC isn't usable even with the sound down. I don't know if it's the MBR change or another virus but my laptop automatically reboots itself (like every 10 minutes) because of a serious error. IDK what. I tried to take a picture of the blue screen but it went by too fast. .__.

Also, this message always pops up after my computer gets restarted



So System Restore wouldn't work? I knew it wouldn't be that easy.

Edited by lilstarhead, 07 August 2010 - 07:46 PM.


#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:43 AM

Posted 08 August 2010 - 03:38 PM

Good evening.

QUOTE
I tried to take a picture of the blue screen but it went by too fast. .__.


Go to Control Panel>System.
Select the Advanced Tab.
Locate the Startup and Recovery section and click the Settings button.
Locate the Automatically Restart checkbox and uncheck it.
Finally click OK and OK.
Now it won't reboot so you can now read the screen.

QUOTE
Is it likely that I would need it?


Hopefully not, but if you do and you don't have it... I'm working with worst-case scenario and I prefer to be as prepared as possible.
For what it's worth I haven't had a PC die on me while dealing with this infection. Sadly that's from a total of one attempt at replacing the MBR, so although it's a 100% success rate it doesn't hold much weight - it's a relatively new infection.

If you can't live with the PC as it is, then there doesn't seem to be much choice, but that's easy for me to type.

So long, and thanks for all the fish.

#9 lilstarhead

  • Topic Starter
  • Members
  • 28 posts
  • Local time:03:43 AM

Posted 08 August 2010 - 09:00 PM

Okay, my laptop is beyond usable now. It keeps getting worse and worse. It even reboots itself in safe mode so I think I need to risk it and try the MBRCheck. :S

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:43 AM

Posted 09 August 2010 - 02:41 PM

Good evening.

If you can, and need to, back up anything important before you begin - you may be grateful.

Run MBRCheck.exe again but, when prompted, enter Y this time for further options.
At the "Options" prompt enter 2 - this will overwrite the malicious boot code.
When asked for the "Physical Drive Number", enter 0
When asked for the "MBR Code to write", enter 1
Enter YES to confirm your actions - it needs to be YES and not Y.

Please immediately reboot your PC and let me have the contents of the new text file that will have been created on your Desktop.

So long, and thanks for all the fish.

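The MBR layout described in post #4 and the option [2] rewrite walked through in post #10, as an added example in Python that is not MBRCheck's code (MBRCheck is a_d_13's tool) and not anything posted in this thread. It works on a constructed 512-byte image held in memory, never on a real disk. Assumptions not stated on the page: that the SHA1 MBRCheck prints is taken over the 440-byte boot-code region (the thread does not say which bytes it hashes); the disk signature, partition geometry and both stand-in boot-code strings are constructed. The two SHA1 values in the list are the ones MBRCheck printed in this thread, kept only to show the lookup shape.

```python
# Added example, not MBRCheck's code or anything from the thread: a minimal MBR
# parser and boot-code rewrite on an in-memory 512-byte image.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439: the executable boot code
DISK_SIG_OFF = 440            # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511

# SHA1s MBRCheck reported as "Known-bad MBR code (Whistler / Black Internet)"
# in this thread. Assumption: MBRCheck hashes the 440-byte code region; the
# thread does not state the hashed range, so treat these as illustrative.
THREAD_KNOWN_BAD = {
    "680C3DFB3AF5C02B7E098CA7B25CA73D63745DC5",
    "21F90E0E667BACE75F5AC6E7E970707D0CC69766",
}


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue  # empty entry
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def classify_boot_code(mbr: bytes, known_bad: set) -> str:
    """'known-bad' if the code-region hash is on the list, else 'not-listed'."""
    return "known-bad" if parse_mbr(mbr)["boot_code_sha1"] in known_bad else "not-listed"


def rewrite_boot_code(mbr: bytes, standard_code: bytes) -> bytes:
    """Overwrite bytes 0..439 only, the way option [2] in post #10 does: the
    disk signature, partition table and 0x55AA signature are carried over."""
    if len(standard_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than 440 bytes")
    return standard_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0x1234ABCD) -> bytes:
    """Constructed image: one bootable NTFS (0x07) partition starting at LBA
    15120, i.e. byte offset 0x762000 as in the thread's MBRCheck output."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    sig_area = struct.pack("<I", disk_signature) + b"\x00\x00"
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
    entry += struct.pack("<II", 15120, 312_559_000)  # sector count is illustrative
    table = entry + b"\x00" * 48                      # three empty entries
    return code + sig_area + table + BOOT_SIGNATURE


# Placeholder stand-ins; neither is real bootkit code nor Microsoft boot code.
FAKE_BAD_CODE = b"\xEB\x3C\x90BOOTKIT-STUB"
FAKE_STANDARD_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7CSTANDARD-STUB"


def demo() -> dict:
    """Detect the constructed bad MBR, rewrite the code, confirm the table survives."""
    infected = build_sample_mbr(FAKE_BAD_CODE)
    # Seed the list with the constructed sample's own hash so the lookup fires.
    known_bad = THREAD_KNOWN_BAD | {parse_mbr(infected)["boot_code_sha1"]}
    repaired = rewrite_boot_code(infected, FAKE_STANDARD_CODE)
    before, after = parse_mbr(infected), parse_mbr(repaired)
    return {
        "before": classify_boot_code(infected, known_bad),
        "after": classify_boot_code(repaired, known_bad),
        "partitions_preserved": before["partitions"] == after["partitions"],
        "disk_signature_preserved": before["disk_signature"] == after["disk_signature"],
        "boot_offset": after["partitions"][0]["byte_offset"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the thread's advice turns on is visible in `rewrite_boot_code`: a standard-code rewrite touches only the first 440 bytes, so the partition table and disk signature (which is what Windows uses to map drive letters) come through unchanged. What it cannot promise is that the OEM's original code did nothing extra, which is the risk post #4 warns about.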
#11 lilstarhead

  • Topic Starter
  • Members
  • 28 posts
  • Local time:03:43 AM

Posted 10 August 2010 - 03:08 PM

Is this a sufficient way to back up my stuff?

http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:43 AM

Posted 10 August 2010 - 03:20 PM

That will work fine.

So long, and thanks for all the fish.

#13 lilstarhead

  • Topic Starter
  • Members
  • 28 posts
  • Local time:03:43 AM

Posted 12 August 2010 - 04:10 PM

Thankfully, I did not need the windows installation disc. :D

Here is the log-

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004

Kernel Drivers (total 98):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798B000 dmload.sys
0xF74B2000 dmio.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF749A000 atapi.sys
0xF7B05000 iaStor.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltmgr.sys
0xF7647000 PxHelp20.sys
0xF7463000 KSecDD.sys
0xBA773000 Ntfs.sys
0xBA746000 NDIS.sys
0xBA727000 Apsx86.sys
0xF7717000 ApsHM86.sys
0xBA70D000 Mup.sys
0xF7687000 \SystemRoot\system32\DRIVERS\HECI.sys
0xBA4A2000 \SystemRoot\system32\DRIVERS\e1y5132.sys
0xF7777000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA47E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77A7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA456000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA0DF000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0xF7697000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\tp4track.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xBA063000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF7727000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA673000 \SystemRoot\system32\DRIVERS\tpm.sys
0xF7747000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xBA65F000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA657000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA64F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBA024000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7797000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA013000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9FE3000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7587000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79D5000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9FC0000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9F62000 \SystemRoot\system32\DRIVERS\update.sys
0xBA576000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7577000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7567000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79DB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79E3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A79000 \SystemRoot\System32\Drivers\Null.SYS
0xF79E7000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7767000 \SystemRoot\System32\drivers\vga.sys
0xB9DEE000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF79EB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF778F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77AF000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA05F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB9DBB000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB9D62000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB9D3C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA62A000 \SystemRoot\system32\drivers\mfetdik.sys
0xB9D14000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB9CF2000 \SystemRoot\System32\drivers\afd.sys
0xBA61A000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB9CC7000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB9C57000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB9E3A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB9B55000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA04B000 \SystemRoot\System32\drivers\Dxapi.sys
0xF776F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AB4000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB9633000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB9334000 \SystemRoot\system32\DRIVERS\srv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 21):
0 System Idle Process
4 System
804 C:\WINDOWS\system32\smss.exe
856 csrss.exe
880 C:\WINDOWS\system32\winlogon.exe
924 C:\WINDOWS\system32\services.exe
936 C:\WINDOWS\system32\savedump.exe
944 C:\WINDOWS\system32\lsass.exe
1104 C:\WINDOWS\system32\svchost.exe
1184 svchost.exe
1416 C:\WINDOWS\system32\svchost.exe
1432 svchost.exe
1520 svchost.exe
1528 C:\WINDOWS\system32\svchost.exe
236 C:\WINDOWS\system32\svchost.exe
288 C:\WINDOWS\explorer.exe
580 wmiprvse.exe
1388 C:\Program Files\Mozilla Firefox\firefox.exe
1348 C:\WINDOWS\system32\ctfmon.exe
788 C:\Documents and Settings\student\Desktop\MBRCheck.exe
1012 C:\WINDOWS\system32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00762000 (NTFS)

PhysicalDrive0 Model Number: HITACHIHTS723216L9SA60, Rev: FC2ZC50B

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 21F90E0E667BACE75F5AC6E7E970707D0CC69766


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!




I don't know if this fixed my PC. It seems faster and not so bogged down anymore but when I start up the PC, I get a blue screen and it reboots itself. On safe mode, it's fine though. Is it a different virus or is my MBR still altered?

Running malwarebytes and superantispyware as I type.

Edited by lilstarhead, 12 August 2010 - 04:39 PM.


#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:43 AM

Posted 12 August 2010 - 04:58 PM

Good evening.

Follow the steps here if you haven't already - this will allow you to make a note of any error code that Windows displays in the blue screen rather than have it immediately reboot.
Please let me have any information that you can find the next time the machine does this.

So long, and thanks for all the fish.

#15 lilstarhead

  • Topic Starter
  • Members
  • 28 posts
  • Local time:03:43 AM

Posted 12 August 2010 - 10:00 PM

Got it. But my computer seems fine after the SUPERAntiSpyware scan. Nvm. -___- Okay, it rebooted twice and I got 2 diff blue screens.

BAD_POOL_CALLER

and

IRQL_NOT_LESS_OR_EQUAL

I don't know if this is relevant but here is the log for the scan from earlier-

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/12/2010 at 05:50 PM

Application Version : 4.40.1002

Core Rules Database Version : 5350
Trace Rules Database Version: 3162

Scan type : Complete Scan
Total Scan Time : 00:43:29

Memory items scanned : 328
Memory threats detected : 0
Registry items scanned : 8078
Registry threats detected : 0
File items scanned : 23008
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\LocalService\Cookies\system@content.yieldmanager[1].txt

Edited by lilstarhead, 12 August 2010 - 10:12 PM.




