"Congratulations, You Won!" Audio + Ad Pop-Ups (Part 2)


  • This topic is locked
27 replies to this topic

#1 cywbc
  • Members
  • 13 posts

Posted 01 August 2010 - 04:24 PM

I'm getting "Congratulations, You Won!" audio several times per hour. Additionally, I get random audio ads and random Internet Explorer windows with ads that range from IQ Tests to Travel Agencies to Household Goods to Computer Products. (At least none of it is porn!) The audio and the Internet Explorer window ads come up even if I have simply started the computer and not opened anything--including Outlook or Internet Explorer or any other browser. I switched my default browser from Internet Explorer to Google Chrome, but that had no effect. Still, when the visual ads pop up, they always pop up in Internet Explorer.

I ran instructions 1-9 of your Preparation Guide. I'm posting the DDS.txt file below, and attaching the Attach.txt file as instructed. But when I tried to run GMER.exe, about 3 minutes into the scan I got the Blue Screen of Death (filled with the usual "your computer had a problem..." stuff that lasts only for a half second) and then the computer shut down. I tried that twice, ensuring completely clean start-ups each time.

Now I'll be good, sit on my hands and await your suggestions--thanks!

-----------------------------------------



DDS (Ver_10-03-17.01) - NTFSx86
Run by Curt & Ina at 16:21:01.32 on Sun 08/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1169 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 4
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE
C:\Program Files\LTCM Client\ltcmScheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Curt & Ina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Curt & Ina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Curt & Ina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214177306671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~4\goec62~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\curt&i~1\applic~1\mozilla\firefox\profiles\iahqc0cf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://en-us.www.mozilla.com/en-US/firefox/3.0.11/whatsnew/|http://www.allmyfaves.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\curt & ina\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-1-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-1-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-1-27 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100730.001\IDSXpx86.sys [2010-7-30 331640]
R2 AGCoreService;AG Core Services;c:\program files\agi\core\4.2.0.10753\AGCoreService.exe [2010-5-19 20480]
R2 FlashDrv;FlashDrv;c:\progra~1\fujitsu\flashaid\FlashDrv.sys [2005-12-16 7196]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-2-1 1201640]
R3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [2009-8-8 3909]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2005-12-16 4864]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100731.002\NAVENG.SYS [2010-7-31 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100731.002\NAVEX15.SYS [2010-7-31 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 ATICDSDr;ATICDSDr;c:\docume~1\curt&i~1\locals~1\temp\ATICDSDr.sys [2009-8-2 6144]
S3 AVUSBPVR;AVerMedia USB MPEG-2 Capture Device;c:\windows\system32\drivers\avusbpvr.sys [2005-12-16 1947264]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-7-26 30192]
S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\SiriusUSB.sys [2007-2-2 7552]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2009-12-16 114704]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2007-1-13 15576]

=============== Created Last 30 ================

2010-08-01 19:58:22 0 ----a-w- c:\documents and settings\curt & ina\defogger_reenable
2010-07-31 11:33:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-20 20:10:32 0 d-----w- c:\windows\NKCCDViewerSetting
2010-07-14 19:36:24 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-16 18:31:20 0 ----a-w- c:\windows\system32\drivers\FUJITSU_AH50K1E607005402_WXPMCE.MKR
2010-06-06 13:48:04 4096 ----a-w- c:\windows\d3dx.dat
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 15:09:25 64480 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2007-05-27 17:22:39 251 ------w- c:\program files\wt3d.ini

============= FINISH: 16:22:12.89 ===============

Attached Files
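
The "Pseudo HJT Report" section of the DDS log above lists the registry load points through which DDS found code registered to run inside Internet Explorer, Explorer or (via AppInit_DLLs) every process: BHOs, URL search hooks, protocol handlers, ShellServiceObjectDelayLoad and Winlogon notify entries, plus some paths it printed without a label. As an added example, not part of the original post and not DDS's own code, here is a small Python triage script over a few of those lines copied from the log. It parses each load point and flags heuristic review items: a CLSID whose server DLL is mscoree.dll (a managed COM object, so the real assembly is named in the registry rather than on this line), a path under a temp or user-profile directory, and any AppInit_DLLs entry. The rules, the `Finding` structure and the wording of the reasons are assumptions of this example; a flag means "look at this first", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the "Pseudo HJT Report" section of
# the DDS log posted above. A real run would feed the whole DDS.txt.
SAMPLE_DDS = r"""
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
c:\documents and settings\curt & ina\local settings\temp\a.tmp\temp00
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~4\goec62~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

# DDS labels for registry load points that pull a DLL into IE, Explorer or
# (for AppInit_DLLs) every process that maps user32.dll.
KINDS = ("BHO", "uURLSearchHooks", "AppInit_DLLs", "Handler", "SSODL", "Notify", "StartupFolder")

CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
DRIVE_RE = re.compile(r"^[a-z]:\\", re.I)
TEMP_RE = re.compile(r"\\temp\\|\\locals~1\\temp\\", re.I)
PROFILE_RE = re.compile(r"\\documents and settings\\|\\docume~1\\", re.I)


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reasons: list


def parse_line(line):
    """Return (kind, name, path) for one Pseudo-HJT line, or None if it is not a load point."""
    line = line.strip()
    if not line:
        return None
    if DRIVE_RE.match(line):
        # DDS sometimes prints a bare path with no label, as with the repeated
        # temp00 lines in the posted log.
        return ("unlabeled", "", line)
    kind, sep, rest = line.partition(":")
    if not sep or kind not in KINDS:
        return None
    rest = rest.strip()
    if kind == "AppInit_DLLs":
        return (kind, "", rest)
    head, sep2, path = rest.rpartition(" - ")      # "<name>[: {CLSID}] - <path>"
    if not sep2:
        return (kind, rest, "")
    name = CLSID_RE.sub("", head).rstrip(": -").strip()
    return (kind, name, path.strip())


def assess(kind, name, path):
    """Heuristic review rules (assumptions of this example, not a malware verdict)."""
    reasons = []
    base = path.rsplit("\\", 1)[-1].lower()
    if base == "mscoree.dll":
        # mscoree.dll is the .NET runtime shim. A COM-visible managed class registers it
        # as InprocServer32 and names the real assembly in the same CLSID key, so the
        # code that actually runs is not visible on this line.
        reasons.append("managed COM object; resolve the assembly under HKCR\\CLSID\\{...}\\InprocServer32")
    if TEMP_RE.search(path):
        reasons.append("code loaded from a temp directory")
    elif PROFILE_RE.search(path):
        reasons.append("code loaded from a user-writable profile path")
    if kind == "AppInit_DLLs" and path:
        reasons.append("AppInit_DLLs is injected into every process that loads user32.dll")
    if kind == "unlabeled":
        reasons.append("path printed without a load-point label")
    return reasons


def triage(text):
    """Parse every line, drop exact duplicates, and return the entries with at least one reason."""
    seen = set()
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed in seen:
            continue
        seen.add(parsed)
        kind, name, path = parsed
        reasons = assess(kind, name, path)
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:16} {f.name or '-':20} {f.path}")
        for r in f.reasons:
            print(f"{'':16} -> {r}")
```

On the sample above the script reports four entries: both agihelper.AGUtils registrations (server is mscoree.dll), the unlabeled temp00 path once (duplicates are collapsed), and the AppInit_DLLs entry; the vendor BHOs under Program Files and the system32 SSODL entry produce nothing. The next step for a responder is to resolve the flagged CLSID in the registry and inspect the temp path, which is what the DDS "Attach.txt" and the helper's follow-up tools are for.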


#2 Noviciate
  • Malware Response Team
  • 5,277 posts

Posted 01 August 2010 - 04:35 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to press <ENTER> to exit.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.
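
MBRCheck is asked for here because adware that survives a clean start and crashes a rootkit scanner is worth checking at the boot-sector level. As an added example, not part of the original post and not MBRCheck's own code (its internals are not shown on this page), the Python below shows the shape of a master-boot-record check on a constructed 512-byte sector: validate the 0x55AA signature, decode the four partition-table entries, hash the 440-byte boot-code region and compare the hash with a set of known-good hashes. A second copy with a few patched boot-code bytes and an untouched partition table fails the comparison, which is the pattern a boot-sector infector leaves. The sample MBR, the known-good set and the patch are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # bytes 0..439 boot code; 440..443 disk signature; 446..509 partition table; 510..511 0x55AA
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)


def build_sample_mbr(seed):
    """Construct a synthetic MBR for the example (not an image of any real disk)."""
    code = (seed * (BOOTCODE_LEN // len(seed) + 1))[:BOOTCODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD)
    # One active NTFS (type 0x07) partition at LBA 63 of 20,000,000 sectors, then three empty slots.
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 20_000_000)
    table = entry + b"\x00" * 48
    return code + disk_sig + b"\x00\x00" + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Decode the fields a boot-code check needs from one 512-byte sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "valid_signature": mbr[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr, known_good):
    """Return the problems found; an empty list means the boot code matches a known-good hash."""
    info = parse_mbr(mbr)
    problems = []
    if not info["valid_signature"]:
        problems.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] not in known_good:
        problems.append("boot code hash not in known-good set: " + info["bootcode_sha256"][:16])
    if not any(p["bootable"] for p in info["partitions"]):
        problems.append("no partition marked active")
    return problems


def demo():
    """Clean MBR passes; the same MBR with patched boot code and an untouched partition table fails."""
    clean = build_sample_mbr(b"\xEB\x3C\x90FAKEBOOT")
    known_good = {hashlib.sha256(clean[:BOOTCODE_LEN]).hexdigest()}
    patched = bytearray(clean)
    patched[0x10:0x18] = b"\xE9\x00\x01\x90HOOK"   # constructed: overwrite 8 boot-code bytes
    return check_mbr(clean, known_good), check_mbr(bytes(patched), known_good)


if __name__ == "__main__":
    before, after = demo()
    print("clean  :", before or "OK")
    print("patched:", after)
    # On a live system the 512 bytes would come from \\.\PhysicalDrive0 opened read-only.
```

On a real machine the sector is read from `\\.\PhysicalDrive0` with administrator rights, and the known-good set has to be built from clean installs of the same Windows version, since the boot code differs between XP, Vista/7 and OEM recovery setups. A matching hash only says the boot code is unmodified; it says nothing about code stored in unpartitioned sectors, which is why the helper also wants the kernel driver and process lists that MBRCheck prints.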


#3 cywbc
  • Topic Starter
  • Members
  • 13 posts

Posted 01 August 2010 - 05:28 PM

Thanks, here are the MBRCheck.txt file and the Preformat.txt file:

--------------------------------------------------------------------------------------

First, MBRCheck.txt:

-----------------------------

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200003c

Kernel Drivers (total 163):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA0D8000 SSHRMD.SYS
0xB9F3A000 SSIDRV.SYS
0xB9F0D000 \WINDOWS\SYSTEM32\Drivers\NDIS.SYS
0xBA328000 \WINDOWS\SYSTEM32\Drivers\TDI.SYS
0xBA0E8000 ssfs0bbc.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA330000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9EEF000 pcmcia.sys
0xBA0F8000 MountMgr.sys
0xB9ED0000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9EAA000 dmio.sys
0xBA338000 PartMgr.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA108000 VolSnap.sys
0xB9E92000 atapi.sys
0xB9DBC000 iaStor.sys
0xBA118000 disk.sys
0xBA128000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9D9C000 fltmgr.sys
0xB9D8A000 sr.sys
0xB9D3B000 SYMEFA.SYS
0xBA138000 PxHelp20.sys
0xB9D24000 KSecDD.sys
0xB9D0D000 WudfPf.sys
0xB9C80000 Ntfs.sys
0xB9C34000 rixdptsk.sys
0xBA148000 risdptsk.sys
0xB9C1A000 Mup.sys
0xBA178000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA288000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9BF6000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA5BA000 \SystemRoot\system32\DRIVERS\FUJ02E3.sys
0xBA5BC000 \SystemRoot\system32\DRIVERS\FUJ02B1.sys
0xB7E90000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB7E7C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB7E54000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB7E33000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB7CD5000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xBA450000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB7CB1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA458000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA298000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA460000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB7C98000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA468000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7C75000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA470000 \SystemRoot\system32\drivers\gearaspiwdm.sys
0xBA75C000 \SystemRoot\System32\Drivers\bioschk.sys
0xBA75E000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7C5E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8862000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8852000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB7C4D000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8842000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA478000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA480000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7C1D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8832000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA488000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA5BE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7BBF000 \SystemRoot\system32\DRIVERS\update.sys
0xB9B9A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8822000 \SystemRoot\system32\DRIVERS\zumbus.sys
0xB8812000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB7B4E000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB8802000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB36F9000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB36D5000 \SystemRoot\system32\drivers\portcls.sys
0xB87D2000 \SystemRoot\system32\drivers\drmk.sys
0xB35C2000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA490000 \SystemRoot\System32\Drivers\Modem.SYS
0xB26AF000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB10E8000 \SystemRoot\System32\Drivers\NIS\1008000.029\SRTSP.SYS
0xBA3E0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA3F0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB7B42000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB262F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\LHidKE.Sys
0xB7B3E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAF0D5000 \SystemRoot\system32\DRIVERS\LMouKE.Sys
0xA678C000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xBA168000 \SystemRoot\system32\drivers\NIS\1008000.029\SRTSPX.SYS
0xBA618000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA785000 \SystemRoot\System32\Drivers\Null.SYS
0xA8F35000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA368000 \SystemRoot\System32\drivers\vga.sys
0xA7E55000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA7E4B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA448000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB115B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA99AA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA6745000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA66EC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA66B8000 \SystemRoot\System32\Drivers\NIS\1008000.029\SYMTDI.SYS
0xA6692000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB1AD4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAE2CB000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBA410000 \SystemRoot\System32\Drivers\NIS\1008000.029\SYMNDIS.SYS
0xA667D000 \SystemRoot\System32\Drivers\NIS\1008000.029\SYMFW.SYS
0xAE733000 \SystemRoot\System32\Drivers\NIS\1008000.029\SYMIDS.SYS
0xA6628000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100730.001\IDSxpx86.sys
0xA6600000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA65DE000 \SystemRoot\System32\drivers\afd.sys
0xA707D000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA65B3000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA6543000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAB585000 \SystemRoot\System32\Drivers\Fips.SYS
0xA64E5000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA64C8000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA644D000 \SystemRoot\System32\Drivers\NIS\1008000.029\ccHPx86.sys
0xA640B000 \SystemRoot\System32\Drivers\NIS\1008000.029\BHDrvx86.sys
0xA63E7000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA6311000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB7FF8000 \SystemRoot\System32\drivers\Dxapi.sys
0xADCD1000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA741000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF08E000 \SystemRoot\System32\atikvmag.dll
0xBF0C4000 \SystemRoot\System32\ati3duag.dll
0xBF32B000 \SystemRoot\System32\ativvaxx.dll
0xAD635000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA8E73000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA42F9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA41F4000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA3C8000 \??\C:\Program Files\Fujitsu\BtnHnd\BtnHnd.sys
0xBA616000 \??\C:\PROGRA~1\Fujitsu\FlashAid\FlashDrv.sys
0xA3EE3000 \SystemRoot\System32\Drivers\HTTP.sys
0xA3C45000 \SystemRoot\system32\DRIVERS\srv.sys
0xB1143000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA3731000 \SystemRoot\system32\drivers\wdmaud.sys
0xA3A7E000 \SystemRoot\system32\drivers\sysaudio.sys
0xA3643000 \SystemRoot\system32\drivers\kmixer.sys
0xA3321000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA168B000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100801.003\NAVEX15.SYS
0xA1677000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100801.003\NAVENG.SYS
0xA9356000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 81):
0 System Idle Process
4 System
1320 C:\WINDOWS\system32\smss.exe
1404 csrss.exe
1436 C:\WINDOWS\system32\winlogon.exe
1488 C:\WINDOWS\system32\services.exe
1516 C:\WINDOWS\system32\lsass.exe
1672 C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
1700 C:\WINDOWS\system32\ati2evxx.exe
1724 C:\WINDOWS\system32\svchost.exe
1820 svchost.exe
1888 C:\WINDOWS\system32\svchost.exe
1940 C:\WINDOWS\system32\svchost.exe
320 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
328 C:\WINDOWS\system32\svchost.exe
384 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
620 svchost.exe
672 svchost.exe
1076 C:\WINDOWS\system32\spoolsv.exe
1268 svchost.exe
1352 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
1916 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
1960 C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe
932 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
956 C:\Program Files\Bonjour\mDNSResponder.exe
1364 C:\WINDOWS\ehome\ehrecvr.exe
288 C:\WINDOWS\ehome\ehSched.exe
2156 C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
2320 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2432 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
2544 svchost.exe
2560 C:\WINDOWS\system32\svchost.exe
3368 C:\WINDOWS\system32\UStorSrv.exe
3396 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
4012 C:\WINDOWS\system32\MsPMSPSv.exe
480 C:\WINDOWS\system32\ZuneBusEnum.exe
908 C:\Program Files\Canon\CAL\CALMAIN.exe
2588 C:\WINDOWS\system32\fxssvc.exe
2940 mcrdsvc.exe
3832 C:\WINDOWS\system32\dllhost.exe
3344 C:\WINDOWS\system32\ati2evxx.exe
2172 C:\WINDOWS\explorer.exe
3724 C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
472 alg.exe
2864 C:\WINDOWS\ehome\ehtray.exe
3360 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3488 C:\WINDOWS\ehome\ehmsas.exe
3812 C:\WINDOWS\AGRSMMSG.exe
3656 C:\Program Files\Apoint2K\Apoint.exe
1848 C:\WINDOWS\system32\svchost.exe
3120 C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
2932 C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
1160 C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
3900 C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
728 C:\WINDOWS\RTHDCPL.exe
984 C:\Program Files\Apoint2K\Hidfind.exe
4204 C:\Program Files\Apoint2K\ApntEx.exe
4772 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
4780 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
4812 C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
4864 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
4944 C:\Program Files\iTunes\iTunesHelper.exe
4976 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
4996 C:\Program Files\Messenger\msmsgs.exe
5092 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
5124 C:\WINDOWS\system32\ctfmon.exe
5164 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIFIA.EXE
5176 C:\Program Files\LTCM Client\ltcmScheduler.exe
5252 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
4428 C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
4452 C:\Program Files\iPod\bin\iPodService.exe
5864 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
2248 C:\Documents and Settings\Curt & Ina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2168 C:\Documents and Settings\Curt & Ina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
5840 C:\Documents and Settings\Curt & Ina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
5408 C:\WINDOWS\system32\svchost.exe
5804 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
3688 C:\Program Files\Common Files\Apple\Mobile Device Support\MobileMeServices.exe
3104 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
2768 SSU.exe
660 C:\Documents and Settings\Curt & Ina\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001b`b235fc00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: FUJITSUMHV2120BHPL, Rev: 00000029
PhysicalDrive1 Model Number: WD3200BEV External, Rev: 1.05

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 779D95F7AF27B16A2BB43A1AC3A4C26397242A5B
298 GB \\.\PhysicalDrive1 RE: Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 779D95F7AF27B16A2BB43A1AC3A4C26397242A5B


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

-----------------------------

Note: At the end, the choice was either 'Y' and ENTER for more options, or 'N' to exit; so I did the former, and then hit [3] to exit. I did not do [1] or [2].

I noted that in two places near the end, in red, it detected bad MBR codes; one on my C drive, one on my F drive.

------------------------------------------------------

Here is the Preformat.txt file. As a note, my computer has the standard hard drive, which includes the 110 GB C drive with a 1 GB partitioned D drive (not sure why); and a Western Digital 320 GB F drive:

-----------------------------



Partition ID: Disk #0, Partition #0
Size: 110.78 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 1027.6 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #1, Partition #0
Size: 298.09 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: FUJITSU/INSYDE
Name: Default System BIOS
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------

Thanks for the quick initial response!


#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 02 August 2010 - 02:17 PM

Good evening.

MBRCheck is a new release, so it behaved a little differently to the previous version - you were right to exit out.

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have different Master Boot Records and overwriting the MBR with a standard one may result in the PC becoming unbootable or in some of the Manufacturer installed options such as Factory Restore becoming disabled.

If you tell me what make and model the PC is and whether you have the Windows installation disc, I'll try to find out if the fix is likely to adversely affect your machine.

So long, and thanks for all the fish.

#5 cywbc

  • Topic Starter
  • Members
  • 13 posts

Posted 03 August 2010 - 04:57 PM

Okay, understand. Here is the information on my computer...may be more than you wanted, or not enough; if you need anything else, let me know.

Fujitsu N3530 Lifebook Computer

Product Serial #: R6Y08750
Configuration #: AH5

Operating System: Windows® XP Media Center Edition with
Office 2003 Small Business Edition
Display: 15.4" Color-Enhanced Crystal View wide XGA+ display
Processors: Intel® Core™ 2 Duo Processor T2400 (2 GHz, 4 MB L2 cache, 667 MHz FSB)
Hard Drive: 120 GB (5400 rpm) SATA Hard Disk Drive
Memory: 2 GB
Communication: Modem/Gigabit Ethernet LAN
Integrated Intel® PRO/Wireless 3945 Network Connection (Tri-mode 802.11a/b/g)
Optical Drives: Dual-Layer Multi-Format DVD Writer
Warranty: 1 Year plus 2 year additional Extended Service Plan
USB Floppy Disk Drive
AC Adapter (2)
Extra Main Battery
MCE Remote

The disks that came with the computer are:

"Drivers and Applications Restore DVD"
"Recovery and Utility Disc: LifeBook N3530 notebook, Microsoft Windows XP Media Center Edition"
"Microsoft Office Small Business Edition 2003"

All are still in their shrinkwrap. I assume the Windows installation is on one of these disks, and can check it for something specific if you need me to. Thanks!



#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 04 August 2010 - 02:29 PM

Good evening.

After reading the manual for the PC I'm fairly sure that the fix will work, but not totally. The second partition bothers me as I can't find any information as to what it might contain. Do you have access to the partition and can you identify what's on there?

So long, and thanks for all the fish.

#7 cywbc

  • Topic Starter
  • Members
  • 13 posts

Posted 06 August 2010 - 07:33 AM

Hello!

My spouse also has a Fujitsu (N6200, larger screen) and it does not have a D drive partition. I am pretty sure the D drive exists for one of two reasons. Either it is there because Fujitsu put one there when they gave me Windows Media Center (the other computer does not have Media Center), or else it's because I may possibly have created it when I first got the computer. I do vaguely remember reading in the past that setting up a partition was a good thing to do when you first get your computer, and I may have done so but cannot find anything that confirms one way or another.

In any case, I have gone to View - Folder Options - View, and checked "Display the contents of system folders" and "Show hidden files and folders", and I've unchecked "Hide protected operating system files (Recommended)". When I look at the D drive, which is 1.00 GB and has free space of 0.99 GB, I then see three folders:

- RECYCLER with one file: "S-1-5-21-1515795573-3188556711-389139834-1005", size 85 bytes, size on disk 4.00 KB, created 25 Dec 2006. Mouse cursor over the file says "Contains the files and folders that you have deleted".

- System Volume Information: This one will not allow me access. Size 0 bytes, size on disk 0 KB, created 22 Nov 2006. Mouse cursor over the folder says "Folder is empty".

- update: This one appears empty. Size 0 bytes, size on disk 0 KB, created 8 June 2006. Mouse cursor over the folder says "Folder is empty".

The computer was ordered and shipped to me in Nov 2006...so that could indicate that the RECYCLER and System Volume Information folders were created by me as I was setting it up over Christmas...or it could mean they appear when one first sets up the computer. I can't explain the early date on the "update" folder.

Is there anything else you'd like me to look at? And again...Thank You!!

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 06 August 2010 - 05:09 PM

Good evening.

The partition has two folders that I would expect of any general user-accessible partition, RECYCLER and System Volume Information, so I'm not worried by that issue any more.

If you wish to go with the fix, the first thing you need to do is to back-up any important files. While you probably won't need them, you'll be madder than Mad Jack McMad, the winner of this year's Mr Madman competition (http://www.bbc.co.uk/comedy/blackadder/epguide/three_duel.shtml) if you don't and things don't go according to plan.

I'll stress yet again that there is a risk that the fix will mess with your Operating System, in effect turning your PC, however temporarily, into an expensive paperweight. While it won't actually damage the "nuts and bolts" of the machine, it will stop Windows from loading, which is as useless as a PC can be.
As you have the disc you can reinstall Windows if things do go wrong - you can get the manual for the PC here which explains how to do it on page 79.

Please ask any questions you have and tell me what you decide to do.

So long, and thanks for all the fish.

#9 cywbc

  • Topic Starter
  • Members
  • 13 posts

Posted 07 August 2010 - 01:24 AM

Well, that's good news!

Okay, I've made my data backup so I'm good there. Now my main concern is that I'm going to be traveling for the next 10 days, the computer is functioning (as long as I turn down the sound I don't hear the pop-up audio, and I simply close the pop-up Internet Explorer ads when they appear), and I'm thinking I probably need to hold off on any major re-boots until I'm back from the road.

So here are my questions at this point:

First, I made a backup of my recent internal hard drive files, so those and a previous backup should take care of my data. That new backup is on a thumb drive. Just to be sure...this malware isn't corrupting everything I insert, including this thumb drive, is it?

Second, is this just a problem with my internal C hard drive, or did this also do something to my Western Digital portable hard drive (F drive)? Because I noted the Bad MBR Code appears to have been detected on both drives. So will I need to do something also to the F drive, or is it something that's okay if I just shut down and unplug it?

If I do have a problem with the F drive, I assume I'll need to make a complete backup of that drive...in which case I'll want to go out and buy another Western Digital drive and back it up. But in doing so, will I just contaminate the new drive?

Obviously, the first goal I have is to ensure I'm not making it worse by spreading it around.

And then the next set of questions is basically..."What's involved in this next step of fixing it, and can I do it relatively simply while on the road or do I need to wait until I return?"

Thanks!

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 07 August 2010 - 04:51 PM

Good evening.

QUOTE
Just to be sure...this malware isn't corrupting everything I insert, including this thumb drive, is it?

Thumbdrives don't have MBRs as a rule, so no risk there.

QUOTE
Second, is this just a problem with my internal C hard drive, or did this also do something to my Western Digital portable hard drive (F drive)? Because I noted the Bad MBR Code appears to have been detected on both drives.

I'm not totally sure how the nasty works. It may be that it only writes to any MBR it finds at the point of infection and that the external hard drive was connected at the time. You may be able to shed some light on this if you can identify when you were infected and whether the external drive was hooked up at the time.

If the nasty actively seeks any MBR once the infection is active, then connecting a hard drive will result in its infection.

QUOTE
So will I need to do something also to the F drive, or is it something that's okay if I just shut down and unplug it?

Although I would like to replace the MBR of the external drive as a matter of principle, as far as I'm aware, as the PC doesn't boot from the drive, the infected MBR shouldn't be an issue if left.

QUOTE
"What's involved in this next step of fixing it, and can I do it relatively simply while on the road or do I need to wait until I return?"

There are two methods of repairing the MBR and it shouldn't make any difference which one you use. MBRCheck can overwrite the MBR or you can boot from the Windows installation disc and use the Recovery Console. It's easier to run MBRCheck and is doable in a couple of minutes if you're game.

It's easy for me to say that all will be well with the fix and I expect that most people will tell you that it will be, and they will probably be right, but a borked PC is no use to you and that is the worst-case scenario.
Your PC looks like it has a standard MBR, so the only risk would be if something went wrong and your MBR became corrupt in some way which is unlikely, but not impossible. Unfortunately it is such a critical part of your machine that any chance of an oops needs to be pointed out.

So it's down to you how we proceed.

So long, and thanks for all the fish.
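As an added illustration of two points in this thread (Noviciate's description in post #4 of the Master Boot Record being altered by the infection, and the hash-based "Known-bad MBR code detected" verdict in the MBRCheck output posted earlier), here is a read-only Python script that does what such a check does under the hood: it validates the 0x55AA boot signature, walks the four partition-table entries to compute each partition's byte offset and size, hashes the boot-code bytes and compares the digest against a known-bad list. This is example code written for this page, not code from the thread, from MBRCheck or from any participant. The partition layout is taken from the MBRCheck offsets above (C: at 0x7e00, D: at 0x1bb235fc00; D's sector count is an approximation of its reported 1027.6 MB), the boot-code bytes of both sample sectors are constructed, and the assumption that the known-bad hash covers bytes 0..439 of the sector rather than all 512 is mine: MBRCheck does not say which bytes it hashes, so the SHA1 quoted from the thread is carried only as a reference entry.

```python
"""Read-only MBR inspection: check the boot signature, parse the partition
table, hash the boot code and compare it against a known-bad list.
Added example; the sample sectors below are constructed, not captured."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440   # bytes 0..439 hold the boot loader (440..445: disk signature, padding)
PART_TABLE_OFF = 446  # four 16-byte partition entries start here
SECTOR = 512


def make_mbr(boot_code, entries):
    """Build a 512-byte MBR from boot code and (bootable, type, lba_start, sectors)
    tuples. Only used to construct the sample sectors for this example."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code SHA1 and the populated partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue  # empty entry
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "byte_offset": lba_start * SECTOR,
            "size_gib": round(sectors * SECTOR / 2**30, 2),
        })
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify(sector, known_bad):
    """('known-bad', family) if the boot-code hash is listed, else ('not-listed', None).
    'not-listed' is not 'clean': it only means no signature matched."""
    digest = parse_mbr(sector)["boot_code_sha1"]
    if digest in known_bad:
        return ("known-bad", known_bad[digest])
    return ("not-listed", None)


def partition_table_intact(before, after):
    """True if only the boot code differs: an MBR infector keeps the table so the disk still boots."""
    return parse_mbr(before)["partitions"] == parse_mbr(after)["partitions"]


# Layout taken from the MBRCheck output in the thread: C: at byte 0x7e00 (LBA 63),
# D: at byte 0x1bb235fc00 (LBA 232332030). D's sector count approximates 1027.6 MB.
LAYOUT = [(True, 0x07, 63, 232_331_967), (False, 0x07, 232_332_030, 2_104_515)]

# Constructed stand-ins for boot code; neither is a real boot sector.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 16
ALTERED_BOOT_CODE = b"\xeb\x1a" + b"\x41" * 40

CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, LAYOUT)
ALTERED_MBR = make_mbr(ALTERED_BOOT_CODE, LAYOUT)   # same table, replaced boot code

KNOWN_BAD_SHA1 = {
    # Hash MBRCheck reported for both drives in the thread (Whistler / Black Internet).
    # Assumption: MBRCheck hashes bytes 0..439; it does not document this.
    "779D95F7AF27B16A2BB43A1AC3A4C26397242A5B": "Whistler / Black Internet",
    # Constructed entry so the detection path can be exercised offline.
    parse_mbr(ALTERED_MBR)["boot_code_sha1"]: "constructed test sample",
}


if __name__ == "__main__":
    for name, mbr in (("clean sample", CLEAN_MBR), ("altered sample", ALTERED_MBR)):
        info = parse_mbr(mbr)
        print(name, info["boot_code_sha1"], classify(mbr, KNOWN_BAD_SHA1))
        for p in info["partitions"]:
            print(f"  #{p['index']} type 0x{p['type']:02x} offset 0x{p['byte_offset']:x} {p['size_gib']} GiB")
    print("partition table unchanged:", partition_table_intact(CLEAN_MBR, ALTERED_MBR))
```

Against a real disk you would feed the first 512 bytes of \\.\PhysicalDrive0 (which needs administrator rights) to parse_mbr; the script itself never writes to the disk. It makes the two things visible that the thread talks around: why an infected machine still boots (the partition table is left intact, only the boot code is swapped) and why the repair is to replace the boot code, which is what MBRCheck's option [2] and the Recovery Console route do.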

#11 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 August 2010 - 03:08 PM

As there has been no response for 5 days this thread is now closed.

So long, and thanks for all the fish.

#12 cywbc

  • Topic Starter
  • Members
  • 13 posts

Posted 14 August 2010 - 12:53 AM

My original post was titled: "Congratulations, You Won!" Audio + Ad Pop-Ups.

Topic begun 1 Aug 2010. "Noviciate" was helping me.

I had to leave for a week, and the topic automatically closed on 13 Aug 2010. I would like to continue the topic with "Noviciate" now that I am available again. Thanks!

To continue that string...my F drive was indeed connected to the computer at the time. It sounds like trying the MBRCheck as "Noviciate" suggested makes the most sense, and I'm ready and able to try that now. Requesting instructions!

Thank you very sincerely!!

#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 August 2010 - 02:25 PM

Good evening.

Threads are locked after 5 days as there are a limited number that can be handled by each Helper and sitting on a dead thread prevents somebody else from receiving help. If the thread is left for 5 days again, I'll lock it and it will remain so.

That said, on with the show. Will you confirm for me that you understand how to reinstall Windows from the disc should it be necessary? While it shouldn't be an issue, these things can't be guaranteed to go as planned and I'd prefer you to be ready for this situation should it arise.

So long, and thanks for all the fish.

#14 cywbc

  • Topic Starter
  • Members
  • 13 posts

Posted 17 August 2010 - 11:09 PM

Good evening, Noviciate!

I do appreciate you coming back for me. I was gone for a week, but I'm back and have been doing some research.

Regarding your question on whether or not I "understand how to reinstall Windows from the disc should it be necessary" I think at this point the answer is "No, I'm not sure I do." Here's what I've found over the past two days:

--------------------------------

First, I've learned that my CD/DVD Reader is reading CDs just fine, but numerous DVDs I inserted failed to work. I've tried letting them open automatically, I've opened other programs like Windows Media Player and Windows Media Center and GOM Player, and none of them indicates a DVD is in the machine. I've also used Windows Explorer, and again--no DVD is shown.

So either independently of the Malware...or because of it...my CD/DVD player will play CDs but not DVDs. This may be the first problem we'll have to tackle.

---------------------------------

Moving on, I've got and examined the discs given to me by the company. The good news is that my wife also has a Fujitsu (slightly different model, mine's a LifeBook N3530 and she has a LifeBook N6220) so I can read these DVDs on her machine.
I have two applicable discs that were given to me by Fujitsu.

The first is called the "Recovery and Utility Disc" and it is subtitled "LifeBook N3530 notebook, Microsoft Windows XP Media Center Edition". It has three utilities:
1. Recovery Utility, which allows you to do one of the following:
a. Restore the original contents of the C: drive (with the exception of certain applications that must be loaded separately); or,
b. Restore the original state of the Hard Disk to its original factory configuration (again, with the exception of certain applications that must be loaded separately), with any partitions created outside of the C: drive (and any data within them) being destroyed. The C: drive will be formatted, and most of the original operating systems and application files will be copied to the C: drive.
2. Hard Disk Data Delete Utility, which I won't go into because that's clearly not what we're looking for.
3. Partition Creation Utility, which allows you to create or resize partitions on your hard disk (and will cause all data on the hard disk to be completely erased, so again we don't want this one.)

I don't know if this means that the Recovery Utility will have the program to "reinstall Windows XP" or not.

When we look at this DVD on my wife's computer, it shows a bunch of large image files, but nothing that is specifically shown as being "Windows". So it may be that Fujitsu has incorporated Windows into their own massive image file...perhaps you will know if that makes any sense, or if there is anything more I can do to find out (by using my wife's computer).

----------------

The second DVD is called the "Drivers and Applications Restore DVD." It does not have any subtitles. My Fujitsu User's Guide says it can be used to selectively re-install drivers and/or applications that may have been un-installed or corrupted. To use it, I'm supposed to "Boot up the system and insert the DAR CD after Windows has started. A Fujitsu Installer screen is displayed after the CD is inserted." (Unfortunately, of course, when I put this into the DVD drive, I get no Fujitsu Installer screen, since it won't read the DVD.)

When we look at this DVD on my wife's computer, it has a "ReadMe.wri" file that says it contains two sets of files--one for the Windows XP Home/Professional version, and one for the Windows XP Media Center Edition. I've included them both, in case the differences might help your analysis, but my computer is the second version: the Windows XP Media Center Edition.

Here's what it says:

Contents of README.wri

FUJITSU COMPUTER SYSTEMS CORPORATION

-----------------------------------------------------------------------

Please run SETUP.EXE to install drivers and applications.

Fujitsu LifeBook N3530/N6410

Note: The LifeBook N3530/N6410 requires that you install the SATA driver first from this DVD during Windows Setup in order to complete Windows installation.



To add the SATA driver, follow the steps below:

1. Copy the SATA driver to a floppy disk from the "\Drivers\SATA" folder of this DVD.
2. Connect a floppy disk drive to the system. Do not insert the floppy disk at this point.
3. Start Windows Setup from the Boot CD.
4. Press [F6] when the following message is displayed: "Press F6 if you need to install third party SCSI or RAID driver".
5. Press [S] to specify additional device.
6. Insert the floppy disk with the SATA driver into the floppy drive.
7. Press [Enter].
8. Select "Intel® 82801GBM SATA AHCI Controller (Mobile ICH7M)".
9. Press [Enter].
10. Press [Enter] to continue.
11. Proceed with the Windows Setup as usual.



Windows XP Home/Professional

Driver/Application                    Version                             Location
****************************************************************
Intel Chipset Software                7.1.0.1014                          \Drivers\Chipset
Display Driver                        8.204.0.0 (8.204-051220a1-029814C)  \Drivers\Video\ATIX1400
Audio Driver                          5.10.0.5200                         \Drivers\Audio\RealtekHD2
FUJ02B1 driver                        1.21.0.0                            \Utilities\HotKey
FUJ02E3 driver                        1.0.0.0                             \Utilities\Extension
Ethernet adapter driver               8.39.1.0                            \Drivers\LAN\BcmGbE
Memory Card                           2.32.01                             \Drivers\MemoryCard
Modem driver                          2.1.61.5                            \Drivers\ModemHDA_2
Pointing device                       5.6.401.3                           \Drivers\Pointing\Alps
SATA                                  5.5.0.1035                          \Drivers\SATA
Intel Wireless LAN                    10.1.0.7                            \Drivers\WLAN\Intel

Adobe Reader                          7.0.5                               \Applications\Adobe
FlashAid                              3.0a                                \Utilities\FlashAid
Fujitsu Hotkey Utility                2.6.0.0                             \Utilities\HotKey
System Extension Utility              1.2                                 \Utilities\Extension
LifeBook Application Panel            4.5a                                \Utilities\LAP
Microsoft .Net Framework              1.1.4322                            \Applications\Dotnetfx
CyberLink PowerDVD                    4.00.6022                           \Applications\PowerDVD
Norton Norton Internet Security 2005  9.0.3.4                             \Applications\NIS_EN
Quicken 2006 New User Edition         15.1.3.1 (R3)                       \Applications\Quicken





Windows XP Media Center Edition

Driver/Application                    Version                             Location
****************************************************************
Intel Chipset Software                7.1.0.1014                          \Drivers\Chipset
Display Driver                        8.204.0.0 (8.204-051220a1-029814C)  \Drivers\Video\ATIX1400
Audio Driver                          5.10.0.5200                         \Drivers\Audio\RealtekHD2
FUJ02B1 driver                        1.21.0.0                            \Utilities\HotKey
FUJ02E3 driver                        1.0.0.0                             \Utilities\Extension
Ethernet adapter driver               8.39.1.0                            \Drivers\LAN\BcmGbE
Memory Card                           2.32.01                             \Drivers\MemoryCard
Modem driver                          2.1.61.5                            \Drivers\ModemHDA_2
Pointing device                       5.6.401.3                           \Drivers\Pointing\Alps
SATA                                  5.5.0.1035                          \Drivers\SATA
TV Tuner                              4.0.11.63                           \Drivers\Tuner
Intel Wireless LAN                    10.1.0.7                            \Drivers\WLAN\Intel

Adobe Reader                          7.0.5                               \Applications\Adobe
AVerMedia Color Adjustment            1.0.0.07                            \Utilities\ColorAdjust
CyberLink Codec                       6.00.2016                           \Codec
FlashAid                              3.0a                                \Utilities\FlashAid
Fujitsu Hotkey Utility                2.6.0.0                             \Utilities\HotKey
System Extension Utility              1.2                                 \Utilities\Extension
LifeBook Application Panel            4.5a                                \Utilities\LAP
Microsoft .Net Framework              1.1.4322                            \Applications\Dotnetfx
Norton Norton Internet Security 2005  9.0.3.4                             \Applications\NIS_EN
Quicken 2006 New User Edition         15.1.3.1 (R3)                       \Applications\Quicken


I admit that I don't know if either of these has what you're looking for, i.e., the ability to "reinstall Windows from a disc." Would it be on the Recovery Utility of the first disc? Or is there supposed to be something called the "Windows Reinstallation" disc? If so, I don't appear to have ever had one.

Thanks for being patient--I've tried to learn as much as I could so I could make it easier for you to help me...but I'm not sure if this is useful or not!

Nonetheless, I'm ready to take whatever next steps we need to do in order to be ready in case we need to reinstall Windows! And of course...it appears to me that the first thing we'll need to do is to get the CD/DVD player to work so it can read these DVDs!

Edited by cywbc, 18 August 2010 - 10:35 AM.


#15 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 18 August 2010 - 02:55 PM

Good evening.

Your first problem is that I have no idea why your drive won't read discs - I do malware removal and this isn't strictly it, although it could conceivably be as a result of malware I suppose.
This leaves you with two courses of action. The first is that you trust that you won't need the ability to read DVDs and we go with MBRCheck for the fix. The second is that you try to solve the drive issue first and then worry about fixing the nasty.
Unfortunately I can't say with any guarantee that you won't have a problem as computers are never 100% happy at doing what humans want them to.

Is the computer still in warranty?

So long, and thanks for all the fish.