The ever popular invisible IE popups + sound muting issue

  • This topic is locked
8 replies to this topic

#1 ExtremelyFrustrated!


  • Members
  • 4 posts
  • Local time:02:29 AM

Posted 07 August 2010 - 03:29 AM

Found this forum via searching my computer's symptoms, as it seems quite a few users here have the same problem. I exclusively use Firefox as a browser, yet the iexplore.exe process is almost constantly running, bringing up invisible popups. I know of their existence because I wrote a script to search for hidden windows with "Internet Explorer" in the title and make them visible, and lo and behold, every time I run it a popup appears. My wave volume is also set to 50% (unlike most users, who seem to have it set to 0%). However, my volume goes silent, even though it claims to be at full volume. This is fixed by turning it up and down one click or so. The invisible popups also deactivate whatever window I have open, in addition to minimizing full-screen programs (namely a game that just so happens to be buggy enough to crash any time it is minimized). Also, this is probably of no importance, but interesting nonetheless: I have a mouse which automatically detects the length of a page, and for pages over a certain length it increases the sensitivity of the scroll wheel. It seems to detect such a page and increases its sensitivity any time one of these invisible popups opens, and goes back to normal if I switch to a different program. On rare occasions (every several hours or so) one of the popups will be visible, just like one might expect a popup to be. There are also occasional audio ads ("Congratulations, you won!"). There was a search-hijacking virus that had infected another computer at my house; I discovered an executable file with a name similar to the one on the infected computer, and removed it. All that seems to remain are the mysterious symptoms I have just described. The following is a DDS and GMER log; I have replaced the user name where it appears in the DDS log due to the fact that it is my full name, which I do not wish to post on the internet.
Also, when I used DeFogger to disable my CD emulation, Windows said it had detected a recent hardware change and needed to be re-activated in the next three days. Will this go away when I re-enable the virtual drives? (There were five of them.) The computer also bluescreened the first time I tried to run a scan with GMER, after lsass.exe began using massive amounts of CPU time about halfway through the scan. I rebooted and was able to complete the scan, although lsass.exe and AVG used 100% of my CPU the entire time, and it took about three hours. Anyway, the logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by *DELETED MY FULL NAME* at 21:39:47.65 on Fri 08/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2030.1408 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe 4
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Documents and Settings\*DELETED MY FULL NAME*\My Documents\Macros and such\WoW\numpad.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ergodex\bin\ergomon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe 4
C:\Documents and Settings\*DELETED MY FULL NAME*\My Documents\Firefox dls\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Numpad] c:\documents and settings\*DELETED MY FULL NAME*\my documents\macros and such\wow\numpad.exe
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck /waitstart
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ErgoMon] "c:\program files\ergodex\bin\ergomon.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [vvbpieov] c:\documents and settings\localservice\local settings\application data\pcijdvcac\xmhwvgxtssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {935CD1A4-59F3-4F64-AC29-6CA3FDA4D77E} =,
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lukemc~1\applic~1\mozilla\firefox\profiles\02l276ng.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Special:Random|http://bash.org/?random|http://us.blizzard.com/diablo3/world/|http://www.google.com/
FF - component: c:\documents and settings\*DELETED MY FULL NAME*\application data\mozilla\firefox\profiles\02l276ng.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-31 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-31 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-31 243024]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-11-18 33824]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-11-16 392824]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-31 308136]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-11-27 3712]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ErgoDvr;Ergodex DX1;c:\windows\system32\drivers\ergodvr.sys [2006-12-24 25771]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-12 1684736]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-1-31 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-08-07 04:06:27 160 ----a-w- c:\documents and settings\*DELETED MY FULL NAME*\defogger_reenable
2010-08-07 04:02:05 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2010-08-07 04:01:09 0 d-----w- c:\program files\Pando Networks
2010-08-02 06:28:02 354304 ----a-w- c:\windows\system32\pythoncom26.dll
2010-08-02 06:28:02 110592 ----a-w- c:\windows\system32\pywintypes26.dll
2010-08-02 06:26:13 0 d-----w- C:\Python26
2010-07-31 23:55:30 0 d--h--w- C:\$AVG
2010-07-31 23:55:19 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-31 23:55:19 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-31 23:55:15 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-31 23:54:59 0 d-----w- c:\windows\system32\drivers\Avg
2010-07-31 23:54:44 0 d-----w- c:\program files\AVG
2010-07-31 23:54:43 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-07-31 10:40:25 0 d-----w- c:\program files\Electric Sheep
2010-07-31 10:40:25 0 d-----w- c:\docume~1\alluse~1\applic~1\ElectricSheep
2010-07-31 10:40:20 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-07-31 10:40:17 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-07-31 07:27:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-31 07:03:43 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-31 07:03:43 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-07-31 07:03:43 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-07-31 07:03:43 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

==================== Find3M ====================

2010-07-20 05:04:34 99 ----a-w- c:\documents and settings\*DELETED MY FULL NAME*\jagex_runescape_preferences2.dat
2010-07-20 04:31:11 46 ----a-w- c:\documents and settings\*DELETED MY FULL NAME*\jagex_runescape_preferences.dat
2010-05-30 01:52:39 0 ----a-w- c:\documents and settings\*DELETED MY FULL NAME*\jagex__preferences3.dat
2010-05-17 06:53:30 3245056 ----a-w- c:\windows\es.scr
2001-11-23 04:08:20 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 21:40:13.96 ===============

GMER - http://www.gmer.net
Rootkit scan 2010-08-07 00:04:13
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\LUKEMC~1\LOCALS~1\Temp\pxtdapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xB40FD8D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB40FA2D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xB41050D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xB40FDC60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xB4103EE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xB4104110]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xB41076D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xB40FDD40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xB40FA950]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xB41060B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xB4105D00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xB4103C50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xB41063E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xB40FA7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xB41039A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xB41037C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xB41066D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xB40FD570]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xB4106980]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xB40FDA80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xB40FAAC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xB4105897]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xB4104340]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2BEC 805037EC 12 Bytes [60, DC, 0F, B4, E0, 3E, 10, ...]
? srescan.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6C84380, 0x5414D5, 0xE8000020]
.text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xB8238280, 0x7B04, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB341D300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB83A8300, 0x1B7E, 0xE8000020]
.text ntkrnlpa.exe!ZwYieldExecution + 3194 805037EC 12 Bytes [60, DC, 0F, B4, E0, 3E, 10, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 51981CE2 C:\PROGRA~1\DVDREG~1\DVDShell.dll (DVD Region-Free Shell Module/Fengtao Software Inc.)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 4040

---- Registry - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----

Thank you in advance for your help, I have email notification turned on and will be awaiting your reply.

Edit: It may also be worth mentioning, although I think the DDS log mentions this, that I am using AVG 9.0, Spybot SD, and ZoneAlarm, none of which have proved terribly helpful, with the exception of ZoneAlarm, which I can use to prevent Internet Explorer from gaining internet access and doing god knows what (although it tends to increase the rate at which it attempts to open popups, so it instead loads LOTS of invisible "page cannot be displayed" windows).

Edited by ExtremelyFrustrated!, 07 August 2010 - 03:34 AM.


#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:29 AM

Posted 12 August 2010 - 02:57 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

  • Right click on the zipped folder and from the menu that appears, click on Extract All...
  • In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
  • In the final window, click on Finish.

You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.



#3 ExtremelyFrustrated!

  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:29 AM

Posted 12 August 2010 - 09:19 PM

Alrighty, the logs are as follows (again, I deleted my name from the file paths):

MBRCheck, version 1.2.3
© 2010, AD

Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 136):

Processes (total 54):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6B300S0, Rev: BANC1B10

Size Device Name MBR Status
279 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 0329912AA3B8D9245C2EC7B036FE84D4F51A991A

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


And the preformat log:

Partition ID: Disk #0, Partition #0
Size: 279.47 GB

The computer boots from this partition.


BIOS Manufacturer: Intel Corp.
Name: Default System BIOS
Status: OK

This is the primary BIOS.


Unfortunately it would appear that my MBR is in fact infected. Is that a reasonable thing to consider fixing? I ask because my hard drive is about six years old and almost out of space, and I have been considering replacing it. But I wasn't planning on doing that for another few months, although I could conceivably expedite the process.

Again, thank you for your help, I await further instruction.

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:29 AM

Posted 13 August 2010 - 02:57 PM

Good evening.

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have custom Master Boot Records and overwriting the infected MBR with a standard one may result in some of the Manufacturer installed options such as Factory Restore becoming disabled.
The worst-case scenario is that the PC becomes unbootable and you have what is in effect an expensive paperweight, which, although unlikely, needs to be mentioned. While this won't actually physically break anything and you can reinstall the Operating System from a disc, if you have one, the existing installation of Windows will be unusable.

If you can tell me the make and model of the PC, and whether you have a Windows installation/Recovery disc or not, I will try to find out if the fix is likely to cause issues with your computer.

So long, and thanks for all the fish.



#5 ExtremelyFrustrated!

  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:29 AM

Posted 15 August 2010 - 03:26 PM

I do have an XP install disc. This is a computer I built myself, and as such lacks a make and model. The hard drive is a 300GB 7200RPM Maxtor 6B300SO, and is six years old. I am not terribly concerned about the computer becoming unusable, as I can simply reinstall Windows. However, if replacing the MBR does go badly, would I still be able to access my data on the drive by putting it in an external hard drive enclosure (even if the drive is unbootable)? I ask because there is some new data on the computer since I last backed up, and the external drive that I put backups on is currently not easily accessible.

Thank you in advance.

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:29 AM

Posted 15 August 2010 - 03:58 PM

Good evening.

I love a poster with an installation disc and a healthy willingness to reinstall - it makes things easier all round.

"However, if replacing the MBR does go badly, would I still be able to access my data on the drive by putting it in an external hard drive enclosure (even if the drive is unbootable)?"

As far as I'm aware, yes. If the data is vital then you should consider backing it up to discs or flashdrives as a safety net anyway - you know how PCs like to get the blood pressure up at every opportunity.

Any risk is minimal, but I prefer to deal with the worst case; then you should be prepared to deal with any eventuality.


You get the standard set of instructions, but as you built the PC yourself you probably know some/most of them anyway:

Step 1: You will need to set the CD-Rom as first boot device if it isn't already. There's a handy pictorial guide here. As long as you don't get too carried away you won't do any harm, and you should get the option to exit the BIOS without saving any changes if you are unsure what you did was right.
Obviously if you are sure, make sure that you exit with changes saved.

Step 2: Boot from the disc, access the Recovery Console and run the command fixmbr - handily, you get a walkthrough of both the Recovery Console and repairing the MBR here.

Windows may warn that your MBR is non-standard and prompt for confirmation - this is due to the MBR being infected and you should tell Windows to continue.

Step 3: Once you have rebooted the PC, run MBRCheck.exe again and let me have the log produced. Please make sure you post the latest log, the date will be in the file name, or we'll go round in circles until the end of time.

If I haven't made something clear, please ask BEFORE you begin.

So long, and thanks for all the fish.
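An added example, not part of the original thread and not MBRCheck's own code: after Step 3, a responder can confirm from saved copies of sector 0 that the boot code no longer matches the infected copy while the partition table is byte-for-byte unchanged, which is what keeps the data reachable. The function names, the constructed sample sectors and the choice to hash the first 440 bytes are assumptions made for this illustration; MBRCheck may hash a different range.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # bootstrap code area (assumed hash range)
TABLE_OFF, ENTRY_LEN = 446, 16  # four 16-byte partition entries, then 0x55AA

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into a boot-code hash and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = sector[TABLE_OFF + i * ENTRY_LEN: TABLE_OFF + (i + 1) * ENTRY_LEN]
        status, ptype = e[0], e[4]
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "byte_offset": lba_start * SECTOR, "sectors": sectors})
    return {"boot_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
            "table": sector[TABLE_OFF:510], "partitions": parts}

def compare(before: bytes, after: bytes) -> dict:
    """Report whether the boot code changed and the partition table survived."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {"boot_code_changed": b["boot_sha1"] != a["boot_sha1"],
            "partition_table_intact": b["table"] == a["table"]}

def make_sample(boot_fill: int) -> bytes:
    """Constructed sample: filler boot code, one active NTFS partition at LBA 63."""
    s = bytearray(SECTOR)
    s[:BOOT_CODE_LEN] = bytes([boot_fill]) * BOOT_CODE_LEN
    entry = bytearray(ENTRY_LEN)
    entry[0], entry[4] = 0x80, 0x07          # active flag, NTFS type byte
    struct.pack_into("<II", entry, 8, 63, 586_000_000)
    s[TABLE_OFF:TABLE_OFF + ENTRY_LEN] = entry
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    before, after = make_sample(0xCC), make_sample(0x90)
    print(parse_mbr(before)["partitions"])   # byte_offset 32256 == 0x7e00
    print(compare(before, after))
```

The constructed partition starts at LBA 63, so its byte offset is 0x7e00, the same offset the MBRCheck log above reports for C:.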



#7 ExtremelyFrustrated!

  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:29 AM

Posted 17 August 2010 - 09:44 PM

I am having difficulty finding my Windows XP disk, but I will run the fix as soon as I can find it, although I am not sure when that will be.

#8 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:29 AM

Posted 18 August 2010 - 02:38 PM

Good evening.

There are a couple of other methods of dealing with this nasty, so if the disc isn't close to hand let me know and we'll take a different hammer to the PC - metaphorically of course!

So long, and thanks for all the fish.



#9 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:29 AM

Posted 23 August 2010 - 02:23 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.


