
XP ie opening, mouse click sounds, random pop-up full screen ads


This topic is locked. 12 replies to this topic.

#1 jamartin
  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 09 August 2010 - 01:55 PM

IE will randomly open and repeatedly attempt to access the internet; I can hear the IE mouse-click sounds, and if IE is not blocked by the firewall it has displayed random full-screen pop-up ads or sound clips.

I have tried a number of malware/anti-virus products and nothing seems to show up. When I downloaded GMER, I had to rename the file, so I could run it. When I run the scan, it either freezes or crashes (solid black screen followed by reboot) the computer after 20 minutes or so of scanning. Below is the DDS log, please let me know if I can do the scan in segments or remove additional check boxes other than IAT/EAT.

Any help would be greatly appreciated.

Thank you

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by zeus at 11:19:40.39 on Mon 08/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1301 [GMT -7:00]

AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe 4
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe 4
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\zeus\Desktop\Defogger.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\Documents and Settings\zeus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\3.0\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {A968A4B4-C492-4834-B651-17602C3885C8} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [KeePass 2 PreLoad] "c:\program files\keepass password safe 2\KeePass.exe" --preload
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
dRunOnce: [ZAFFRegisterTrustChecker] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustChecker.dll"
dRunOnce: [ZAFFRegisterTrustCheckerIE] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231716932843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {F9B0297B-AA43-4EFC-81A9-602B37379056} = 208.67.222.222,208.67.220.220
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zeus\applic~1\mozilla\firefox\profiles\y7hp3b9o.import\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\zeus\application data\mozilla\firefox\profiles\y7hp3b9o.import\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - component: c:\documents and settings\zeus\application data\mozilla\firefox\profiles\y7hp3b9o.import\extensions\chris.tomlinson@keefox\components\KeeFox.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmfv.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-3-3 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-3 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 25240]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-3 1769216]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-5-21 70704]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\cfrmd.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S3 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-8-3 29416]
S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?]
S3 MSSQL$PROVIDUSSTD;SQL Server (PROVIDUSSTD);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-5-20 539184]
S3 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]

============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2010-08-09 18:19:02 0 ----a-w- c:\documents and settings\zeus\defogger_reenable
2010-08-09 18:07:31 0 d-s---w- C:\ComboFix
2010-08-09 07:33:29 0 d-----w- C:\6f0bd19df96fe62c4da73a2275af93c2
2010-08-09 01:12:42 0 d-----w- c:\docume~1\zeus\applic~1\Malwarebytes
2010-08-09 01:12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-09 01:12:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-09 01:12:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-09 01:10:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 23:14:13 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2010-08-08 23:09:26 399920 ----a-w- c:\windows\system32\vmnat.exe
2010-08-08 23:06:00 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2010-08-08 23:00:52 760368 ----a-w- c:\windows\system32\vnetlib.dll
2010-08-08 22:51:45 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2010-08-08 22:40:10 1024 ----a-w- C:\.rnd
2010-08-08 22:39:00 0 d-----w- c:\program files\common files\VMware
2010-08-08 22:37:48 0 d-----w- c:\program files\VMware
2010-08-04 05:47:46 0 d---a-w- C:\xampp
2010-08-04 00:06:08 0 d-----w- c:\documents and settings\zeus\[WindowsFolder]
2010-08-03 19:08:19 0 d-----w- C:\_backup
2010-07-26 00:24:02 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 00:24:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-25 23:07:31 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-25 02:55:01 56487226 ----a-w- c:\windows\system32\KTWHGNA
2010-07-22 21:09:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-15 04:15:53 0 d-----w- c:\program files\EM Calculator

==================== Find3M ====================

2010-08-09 10:51:28 90112 ----a-w- c:\windows\DUMP9318.tmp
2010-08-09 10:40:41 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-07-28 19:55:17 90728 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-25 23:54:06 256 ----a-w- c:\documents and settings\zeus\pool.bin
2010-05-21 07:37:30 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2010-05-21 06:13:38 252464 ----a-w- c:\windows\system32\vmnc.dll
2010-05-21 04:19:20 59952 ----a-w- c:\windows\system32\vnetinst.dll

============= FINISH: 11:20:10.37 ===============





#2 Noviciate
  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:44 PM

Posted 09 August 2010 - 06:05 PM

Good evening. :)

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.

 

 


#3 jamartin
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 09 August 2010 - 06:29 PM

Thanks for your help. Below are the contents of MBRCheck and Preformat. I put a # in front of the name to make it a little easier to find.


--------------------------------------------
#MBRCheck
--------------------------------------------

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 PCIIde.sys
0xBA328000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltMgr.sys
0xBA0F8000 PxHelp20.sys
0xB9ECD000 TPkd.sys
0xB9EB6000 KSecDD.sys
0xBA5B0000 penclass.sys
0xB9E29000 Ntfs.sys
0xB9E15000 inspect.sys
0xB9DE8000 \WINDOWS\System32\DRIVERS\NDIS.SYS
0xBA338000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xB9DCE000 Mup.sys
0xBA218000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9839000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9825000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB97FB000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB97D7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9797000 \SystemRoot\system32\drivers\smwdm.sys
0xB9773000 \SystemRoot\system32\drivers\portcls.sys
0xBA228000 \SystemRoot\system32\drivers\drmk.sys
0xB9750000 \SystemRoot\system32\drivers\ks.sys
0xB969D000 \SystemRoot\system32\drivers\senfilt.sys
0xB9689000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA238000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9D8D000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA258000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA268000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA278000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA288000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA7F0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5FA000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA348000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA298000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9D85000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9672000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB9661000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA368000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA370000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA378000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB9631000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA380000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA388000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA600000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB95D3000 \SystemRoot\system32\DRIVERS\update.sys
0xB99DA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB99D6000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
0xB99D2000 \SystemRoot\system32\DRIVERS\VMNET.SYS
0xBA308000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA118000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA608000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA578000 \SystemRoot\System32\DRIVERS\cmderd.sys
0xB148D000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0xBA60A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7FC000 \SystemRoot\System32\Drivers\Null.SYS
0xBA60C000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA3B8000 \SystemRoot\System32\drivers\vga.sys
0xBA60E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA610000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3C0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3C8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA58C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB145A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB1401000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA3D0000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0xB13DB000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB13B3000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB9D95000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB1369000 \SystemRoot\System32\drivers\afd.sys
0xBA138000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB133E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB12CE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA148000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA158000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA178000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB95C7000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA188000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB95C3000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA198000 \SystemRoot\system32\drivers\usbaudio.sys
0xB95BB000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA3E8000 \??\C:\WINDOWS\system32\drivers\VMkbd.sys
0xB128E000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA618000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB95AB000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3F0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA73C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09B000 \SystemRoot\System32\atikvmag.dll
0xBF0DD000 \SystemRoot\System32\ati3duag.dll
0xBF37E000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA420000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
0xAF0B2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAEE01000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB955B000 \??\C:\WINDOWS\system32\drivers\hcmon.sys
0xBA61A000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA168000 \??\C:\WINDOWS\system32\Drivers\vmci.sys
0xBA61E000 \??\C:\WINDOWS\system32\Drivers\VMparport.sys
0xAED0A000 \??\C:\WINDOWS\system32\Drivers\vmx86.sys
0xAECD1000 \SystemRoot\System32\Drivers\adfs.SYS
0xAEE5A000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xAEC52000 \SystemRoot\system32\DRIVERS\srv.sys
0xAEE9E000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xBA408000 \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys
0xAEA7E000 \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
0xAE87D000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE9E2000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA5EE000 \??\C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 47):
0 System Idle Process
4 System
652 C:\WINDOWS\system32\smss.exe
708 csrss.exe
736 C:\WINDOWS\system32\winlogon.exe
780 C:\WINDOWS\system32\services.exe
792 C:\WINDOWS\system32\lsass.exe
964 C:\WINDOWS\system32\ati2evxx.exe
980 C:\WINDOWS\system32\svchost.exe
1040 svchost.exe
1536 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1568 C:\WINDOWS\system32\svchost.exe
1736 svchost.exe
1864 C:\WINDOWS\system32\svchost.exe
1876 svchost.exe
2040 C:\WINDOWS\system32\spoolsv.exe
456 C:\WINDOWS\system32\svchost.exe
464 svchost.exe
552 C:\Program Files\Bonjour\mDNSResponder.exe
600 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
1188 locator.exe
1824 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
180 C:\WINDOWS\system32\svchost.exe
1124 wdfmgr.exe
1264 C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
1444 C:\WINDOWS\system32\vmnat.exe
1500 C:\WINDOWS\system32\searchindexer.exe
1908 C:\Program Files\VMware\VMware Player\vmware-authd.exe
1764 C:\WINDOWS\explorer.exe
2108 C:\WINDOWS\system32\vmnetdhcp.exe
2592 alg.exe
3096 C:\Program Files\Analog Devices\Core\smax4pnp.exe
3192 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3252 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
3328 C:\Program Files\VMware\VMware Player\hqtray.exe
3348 C:\WINDOWS\system32\ctfmon.exe
3372 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3608 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
2544 C:\WINDOWS\system32\wuauclt.exe
2960 C:\WINDOWS\system32\taskmgr.exe
3728 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3584 C:\Program Files\Mozilla Firefox\firefox.exe
3568 C:\WINDOWS\system32\cmd.exe
3716 C:\WINDOWS\system32\searchprotocolhost.exe
2052 C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
3076 searchfilterhost.exe
3828 C:\Documents and Settings\zeus\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST380013AS, Rev: 8.12

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: DE00FD185DADD28F6A0BBFCA13FF7C962680F72E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!



--------------------------------------------
#Preformat
--------------------------------------------

Partition ID: Disk #0, Partition #0
Size: 74.5 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A08
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~



#4 Noviciate
  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:44 PM

Posted 10 August 2010 - 02:12 PM

Good evening. :)

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have custom Master Boot Records and overwriting the MBR with a standard one may result in some of the manufacturer-installed options such as Factory Restore becoming disabled.
The worst-case scenario is that the PC becomes unbootable and you have what is in effect an expensive paperweight, which although unlikely needs to be mentioned.

If you can tell me the make and model of the PC, and whether you have a Windows installation/Recovery disc or not, I will try to find out if the fix is likely to cause issues with your computer.

So long, and thanks for all the fish.
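The MBRCheck output in post #3 and the explanation of the Master Boot Record in the reply above can be made concrete with a small parser. The following Python script is an added example, not part of the original thread and not MBRCheck's code: it builds a constructed 512-byte MBR with one active NTFS partition starting at LBA 63 (which is why the log shows the C: volume at byte offset 0x7e00, i.e. 63 * 512), checks the 0x55AA boot signature, hashes the bootstrap-code region and compares the hash against a whitelist. The "clean" bootstrap bytes, the whitelist, the partition sizes and the function names are all assumptions made for the example; MBRCheck's own hashing scheme is not documented on the page, and hashing only the first 440 bytes (so that the per-machine disk signature and partition table do not disturb the comparison) is this example's choice.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the bootstrap code that a bootkit replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code and disk signature
MBR_SIG_OFF = 510        # last two bytes must be 0x55 0xAA

# Constructed stand-in for clean bootstrap code (NOT the real Windows XP MBR):
# a few plausible prologue bytes, then NOP padding. Assumption for the example only.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007cfb") + b"\x90" * (BOOT_CODE_LEN - 8)


def build_sample_mbr(boot_code, start_lba=63, sectors=156_296_322):
    """Build a 512-byte MBR with one active NTFS partition (sample values, not a real disk image)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("bootstrap code exceeds 440 bytes")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    # Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", start_lba, sectors)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[MBR_SIG_OFF:MBR_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def has_boot_signature(mbr):
    """A sector without the 0x55AA trailer is not a bootable MBR at all."""
    return len(mbr) == SECTOR and mbr[MBR_SIG_OFF:MBR_SIG_OFF + 2] == b"\x55\xaa"


def parse_partitions(mbr):
    """Return the non-empty partition entries with their byte offsets on disk."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return parts


def boot_code_sha1(mbr):
    """SHA-1 over the bootstrap-code region only (assumed scheme; partition table excluded)."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()


def classify_mbr(mbr, known_good):
    """Mimic an MBR checker: signature check, then whitelist the bootstrap code by hash."""
    if not has_boot_signature(mbr):
        return "no 0x55AA boot signature (not a valid MBR)"
    if boot_code_sha1(mbr) in known_good:
        return "known-good bootstrap code"
    return "unknown bootstrap code: compare against a clean MBR before trusting it"


# Whitelist seeded from the constructed clean code (a real tool ships vendor/OS hashes).
KNOWN_GOOD = {boot_code_sha1(build_sample_mbr(CLEAN_BOOT_CODE))}


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    # Simulate a bootkit: same partition table, different code in the first 440 bytes.
    hijacked = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 438)
    for label, mbr in (("clean", clean), ("hijacked", hijacked)):
        p = parse_partitions(mbr)[0]
        print(f"{label}: partition 0 at byte offset {p['byte_offset']:#x}, sha1={boot_code_sha1(mbr)}")
        print(f"  -> {classify_mbr(mbr, KNOWN_GOOD)}")
```

Run stand-alone it prints the partition offset and the classification for the constructed clean MBR and for a copy whose first 440 bytes have been swapped out, which is the pattern of an MBR bootkit: the partition table is left intact so Windows still boots, only the code that runs before the kernel is replaced. Reading the real first sector of `\\.\PhysicalDrive0` requires administrative rights on Windows XP, and the Recovery Console `fixmbr` command rewrites exactly that bootstrap-code region while leaving the partition table alone.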

 

 


#5 jamartin
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 10 August 2010 - 05:19 PM

The computer is a dell gx280, I don't have any of the dell software installed but do have a full version of XP SP3. Everything important is off the computer, so no worries on deleting contents.



#6 Noviciate
  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:44 PM

Posted 10 August 2010 - 05:42 PM

QUOTE
but do have a full version of XP SP3.

Are you saying that you have a Windows installation disc, or that you have Windows XP SP3 installed on your machine?

So long, and thanks for all the fish.

 

 


#7 jamartin
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 10 August 2010 - 06:54 PM

Both

#8 Noviciate

Posted 11 August 2010 - 02:07 PM

Good evening. smile.gif

Grand, I just wanted to be sure.

Step 1: You will need to set the CD-ROM as the first boot device if it isn't already. There's a handy pictorial guide here. As long as you don't get too carried away you won't do any harm, and you should get the option to exit the BIOS without saving any changes if you are unsure whether what you did was right.
Obviously if you are sure, make sure that you exit with changes saved.

Step 2: Boot from the disc, access the Recovery Console and run the command fixmbr - handily, you get a walkthrough of both the Recovery Console and repairing the MBR here.

Windows may warn that your MBR is non-standard and prompt for confirmation - this is due to the MBR being infected and you should tell Windows to continue.

Step 3: Once you have rebooted the PC, run MBRCheck.exe again and let me have the log produced. Please make sure you post the latest log, the date will be in the file name, or we'll go round in circles until the end of time.

If I haven't made something clear, please ask BEFORE you begin.

#9 jamartin

Posted 11 August 2010 - 04:52 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 PCIIde.sys
0xBA328000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltMgr.sys
0xBA0F8000 PxHelp20.sys
0xB9ECD000 TPkd.sys
0xB9EB6000 KSecDD.sys
0xBA5B0000 penclass.sys
0xB9E29000 Ntfs.sys
0xB9E15000 inspect.sys
0xB9DE8000 \WINDOWS\System32\DRIVERS\NDIS.SYS
0xBA338000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xB9DCE000 Mup.sys
0xBA178000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9603000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB95EF000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB95C5000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB95A1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9561000 \SystemRoot\system32\drivers\smwdm.sys
0xB953D000 \SystemRoot\system32\drivers\portcls.sys
0xBA188000 \SystemRoot\system32\drivers\drmk.sys
0xB951A000 \SystemRoot\system32\drivers\ks.sys
0xB9467000 \SystemRoot\system32\drivers\senfilt.sys
0xB9453000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA198000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA594000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA793000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5E8000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA3B8000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA1E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB943C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA208000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB942B000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB93FB000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA228000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5EA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB939D000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D89000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA258000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA278000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5EC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB979C000 \SystemRoot\System32\DRIVERS\cmderd.sys
0xB1292000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xBA55C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA288000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB1234000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0xBA400000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA5FE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA719000 \SystemRoot\System32\Drivers\Null.SYS
0xBA600000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA410000 \SystemRoot\System32\drivers\vga.sys
0xBA602000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA604000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA418000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA420000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA564000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB1201000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB11A8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA428000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0xB1180000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB115E000 \SystemRoot\System32\drivers\afd.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB1138000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB110D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB1075000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA2C8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA2E8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA430000 \SystemRoot\system32\DRIVERS\dot4usb.sys
0xB1042000 \SystemRoot\system32\DRIVERS\Dot4.sys
0xB12D9000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA308000 \SystemRoot\system32\drivers\usbaudio.sys
0xB12D5000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
0xB12CD000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB102A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA608000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB12BD000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA438000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA759000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09B000 \SystemRoot\System32\atikvmag.dll
0xBF0DD000 \SystemRoot\System32\ati3duag.dll
0xBF37E000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAEE0E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAEB75000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA5CA000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAEB64000 \SystemRoot\System32\Drivers\adfs.SYS
0xAEC92000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xAEABD000 \SystemRoot\system32\DRIVERS\srv.sys
0xAEC42000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xAE8C8000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE94D000 \SystemRoot\system32\drivers\sysaudio.sys
0xADBD2000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
500 C:\WINDOWS\system32\smss.exe
556 csrss.exe
584 C:\WINDOWS\system32\winlogon.exe
628 C:\WINDOWS\system32\services.exe
640 C:\WINDOWS\system32\lsass.exe
800 C:\WINDOWS\system32\ati2evxx.exe
816 C:\WINDOWS\system32\svchost.exe
912 svchost.exe
980 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1040 C:\WINDOWS\system32\svchost.exe
1052 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1228 svchost.exe
1288 svchost.exe
1380 C:\WINDOWS\system32\spoolsv.exe
1528 svchost.exe
1580 C:\Program Files\Bonjour\mDNSResponder.exe
1620 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
1668 C:\WINDOWS\system32\msiexec.exe
1832 C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
1904 locator.exe
1976 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
248 C:\WINDOWS\system32\svchost.exe
484 wdfmgr.exe
840 C:\WINDOWS\system32\searchindexer.exe
1256 C:\WINDOWS\explorer.exe
1612 C:\WINDOWS\system32\wuauclt.exe
2332 alg.exe
2436 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2472 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
2512 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
2684 C:\Program Files\Microsoft Security Essentials\msseces.exe
2752 C:\WINDOWS\system32\ctfmon.exe
2768 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2796 C:\Program Files\Mozilla Firefox\firefox.exe
2804 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
1888 C:\WINDOWS\system32\searchprotocolhost.exe
3828 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3428 C:\Program Files\KeePass\KeePass.exe
3744 searchfilterhost.exe
1988 C:\Documents and Settings\zeus\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST380013AS, Rev: 8.12

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
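
Worked example, added here and not part of the thread or of MBRCheck's own code: the log above reports "Windows XP MBR code detected" with a SHA1 hash for PhysicalDrive0, and places C: at byte offset 0x7e00, which is sector 63 (63 x 512 = 32256 = 0x7e00). The Python below performs the same kind of check on a 512-byte MBR image: it verifies the 0x55AA boot signature, parses the four partition-table entries, hashes the 440 bytes of bootstrap code (the part of the sector that fixmbr rewrites; hashing only that part is a design choice made here so that the disk signature and partition table, which legitimately differ from machine to machine, do not change the hash, and it is not a statement about how MBRCheck computes the hash it prints) and compares the hash with an allow-list. It also runs partition-table sanity checks (exactly one active entry, valid status bytes, no overlapping entries), which the log does not show. Both MBR images, their boot code and the allow-list are constructed for this example; the boot code is a stand-in, not the real Windows bootstrap, and the "infected" image simply carries different boot code, which is all a hash comparison can see.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code, the part fixmbr rewrites
DISK_SIG_OFFSET = 440      # 4-byte NT disk signature (2 reserved bytes follow it)
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"
NTFS_TYPE = 0x07
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partitions(mbr):
    """Decode the four partition entries of a 512-byte MBR image."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, lba_len = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({
            "index": i,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_len": lba_len,
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return entries


def boot_code_sha1(mbr):
    """SHA1 of the boot code only, so that per-machine fields (disk signature,
    partition table) do not alter the hash."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr, known_good):
    """Return (verdict, findings); verdict is 'invalid', 'known-good' or 'unknown'."""
    if len(mbr) != SECTOR_SIZE:
        return "invalid", ["image is not exactly one 512-byte sector"]
    if mbr[510:512] != MBR_SIGNATURE:
        return "invalid", ["missing 0x55AA boot signature"]
    findings = []
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d: bad status byte 0x%02x" % (p["index"], p["status"]))
    used = sorted((p for p in parts if p["type"] and p["lba_len"]),
                  key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["lba_len"] > b["lba_start"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    digest = boot_code_sha1(mbr)
    if digest in known_good:
        return "known-good", findings
    findings.append("boot code SHA1 %s is not in the allow-list" % digest)
    return "unknown", findings


def build_mbr(boot_code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a test MBR from boot code and (status, type, lba_start, lba_len) tuples."""
    img = bytearray(SECTOR_SIZE)
    img[:len(boot_code)] = boot_code
    img[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = disk_sig
    for i, entry in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFFSET + 16 * i, *entry)
    img[510:512] = MBR_SIGNATURE
    return bytes(img)


# Constructed stand-ins for this example: neither is real Windows or bootkit code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
INFECTED_BOOT_CODE = b"\xeb\x3c\x90\x90\x90\x90\x90" + b"\x90" * (BOOT_CODE_LEN - 7)
# One active NTFS partition at sector 63 (byte offset 0x7e00), like C: in the log.
XP_LAYOUT = [(0x80, NTFS_TYPE, 63, 156_250_000), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, XP_LAYOUT)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, XP_LAYOUT)
KNOWN_GOOD = {boot_code_sha1(CLEAN_MBR)}   # allow-list seeded from the clean image

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        verdict, findings = check_mbr(img, KNOWN_GOOD)
        print("%-8s %-10s %s" % (name, verdict, "; ".join(findings) or "no findings"))
        for p in parse_partitions(img):
            if p["type"]:
                print("  entry %d: type 0x%02x, %s, starts at byte 0x%x" % (
                    p["index"], p["type"], "active" if p["active"] else "inactive",
                    p["byte_offset"]))
```

Run as a script it reports the clean image as known-good with no findings and the infected image as unknown. To check a real disk you would read its first 512 bytes instead of a constructed image, which needs administrator rights (on Windows, opening \\.\PhysicalDrive0 for reading), and you would seed the allow-list from a hash you trust, for example one taken from a freshly written standard MBR after fixmbr, rather than from the image under test.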

#10 Noviciate

Posted 11 August 2010 - 06:05 PM

OK, the log looks like the new MBR stuck nicely. How is the machine behaving now?

#11 jamartin

Posted 11 August 2010 - 06:22 PM

Seems to be running well. IE has been unblocked for about an hour now and I haven't had any pop-ups, clicks, etc.

#12 Noviciate

Posted 12 August 2010 - 01:52 PM

Good evening. :)

Nice. This nasty occasionally drops some slime elsewhere on the hard drive, so a little scan will see if there's anything leftover to remove. Please work through the below and post accordingly:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

#13 Noviciate

Posted 17 August 2010 - 02:50 PM

As there has been no response for five days this thread is now closed.
