You won virus


  • This topic is locked
26 replies to this topic

#1 Tom N

Tom N

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:18 AM

Posted 05 August 2010 - 03:29 PM

I have the Congratulations You Won virus. I tried to follow the preparation guide but the GMER scan does not finish.

Thank you for your assistance.

MBRCheck, version 1.2.3
2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200001c

Kernel Drivers (total 155):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA328000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E92000 iaStor.sys
0xBA330000 cercsr6.sys
0xB9E7A000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E5A000 fltmgr.sys
0xB9E48000 sr.sys
0xBA118000 Lbd.sys
0xB9DF9000 SYMEFA.SYS
0xBA128000 PxHelp20.sys
0xB9DE2000 KSecDD.sys
0xB9DCF000 WudfPf.sys
0xB9D42000 Ntfs.sys
0xB9D15000 NDIS.sys
0xB9CFA000 snapman.sys
0xBA138000 sbp2port.sys
0xBA338000 pssnap.sys
0xB9CE0000 Mup.sys
0xB740A000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB4DC2000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB4DAE000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB4D75000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA370000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB4D51000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA378000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB4D29000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA298000 \SystemRoot\system32\DRIVERS\61883.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB4CF5000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB4CD2000 \SystemRoot\system32\DRIVERS\ks.sys
0xB4BD3000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB4B2C000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA380000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA2B8000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA598000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA288000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xBA2D8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA388000 \SystemRoot\system32\drivers\InCDPass.sys
0xBA2E8000 \SystemRoot\system32\drivers\InCDRm.sys
0xBA390000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA6BB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA616000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA318000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9CAB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB4B15000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB51BD000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA398000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB4B04000 \SystemRoot\system32\DRIVERS\psched.sys
0xB51AD000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA3B0000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB519D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA3B8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA602000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB4AA6000 \SystemRoot\system32\DRIVERS\update.sys
0xB9C9B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB518D000 \SystemRoot\system32\DRIVERS\avc.sys
0xB9C87000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB9780000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xACF4A000 \SystemRoot\system32\DRIVERS\mafw.sys
0xA82D1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA668000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA2E7B000 \SystemRoot\system32\drivers\sthda.sys
0xA2E57000 \SystemRoot\system32\drivers\portcls.sys
0xAF1B8000 \SystemRoot\system32\drivers\drmk.sys
0xA3E35000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA61C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA38EF000 \SystemRoot\System32\Drivers\Null.SYS
0xBA632000 \SystemRoot\System32\Drivers\Beep.SYS
0xAFD45000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAFD3D000 \SystemRoot\System32\drivers\vga.sys
0xBA618000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA634000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA3E2D000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA2E07000 \SystemRoot\system32\drivers\InCDFs.sys
0xAFD35000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAEA87000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA3E29000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA2DCC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA2D73000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA2D3F000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMTDI.SYS
0xA2D19000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA2CF4000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xADFB9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xADFA9000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xAEA7F000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMNDIS.SYS
0xA2CDF000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMFW.SYS
0xAEA77000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMIDS.SYS
0xA2C62000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA2C40000 \SystemRoot\System32\drivers\afd.sys
0xADF99000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAEA6F000 \SystemRoot\System32\Drivers\StarOpen.SYS
0xA2BAB000 \SystemRoot\System32\Drivers\UimFIO.SYS
0xADF89000 \SystemRoot\system32\drivers\N360\0308000.029\SRTSPX.SYS
0xADF79000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA2B89000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xAEA5F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA2B5E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA2AEE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA2ABB000 \SystemRoot\system32\drivers\mfehidk.sys
0xADF69000 \SystemRoot\System32\Drivers\Fips.SYS
0xA2A5D000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA2A40000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA29C5000 \SystemRoot\System32\Drivers\N360\0308000.029\ccHPx86.sys
0xA2983000 \SystemRoot\System32\Drivers\N360\0308000.029\BHDrvx86.sys
0xB744A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9CCF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB24D1000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA311D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB24C5000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA28CC000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA222000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA478000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6AA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB9A80000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA0DF6000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA0D95000 \SystemRoot\System32\Drivers\adfs.SYS
0xA04E0000 \SystemRoot\system32\drivers\wdmaud.sys
0xB2817000 \SystemRoot\system32\drivers\sysaudio.sys
0xA0D49000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA027B000 \SystemRoot\system32\DRIVERS\srv.sys
0x9FDA3000 \??\C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys
0x9F9AA000 \SystemRoot\System32\Drivers\HTTP.sys
0x9F7EF000 \SystemRoot\System32\Drivers\N360\0308000.029\SRTSP.SYS
0x9ECD1000 \SystemRoot\system32\drivers\kmixer.sys
0xBA630000 \SystemRoot\system32\DRIVERS\serscan.sys
0x9EAE4000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100804.040\NAVEX15.SYS
0x9EAD0000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100804.040\NAVENG.SYS
0x9EA7B000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100804.001\IDSxpx86.sys
0x9F644000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
964 C:\WINDOWS\system32\smss.exe
1056 csrss.exe
1084 C:\WINDOWS\system32\winlogon.exe
1128 C:\WINDOWS\system32\services.exe
1168 C:\WINDOWS\system32\lsass.exe
1308 C:\WINDOWS\system32\svchost.exe
1388 svchost.exe
1428 C:\WINDOWS\system32\svchost.exe
1468 C:\WINDOWS\system32\svchost.exe
1576 svchost.exe
1600 svchost.exe
1644 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1748 C:\WINDOWS\system32\spoolsv.exe
1840 svchost.exe
1884 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
1888 C:\WINDOWS\system32\svchost.exe
1976 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1992 C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
2032 C:\Program Files\Bonjour\mDNSResponder.exe
392 C:\WINDOWS\system32\svchost.exe
616 C:\WINDOWS\system32\svchost.exe
672 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
688 C:\WINDOWS\explorer.exe
708 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
756 C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
804 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
1040 C:\WINDOWS\system32\svchost.exe
1172 C:\WINDOWS\system32\nvsvc32.exe
2068 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
2128 C:\WINDOWS\stsystra.exe
2160 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2288 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2312 C:\WINDOWS\system32\maFwTray.exe
2364 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
2384 C:\WINDOWS\system32\ctfmon.exe
2416 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2464 C:\WINDOWS\system32\svchost.exe
2508 C:\Program Files\Macrium\Reflect\ReflectService.exe
2512 C:\Program Files\palmOne\HOTSYNC.EXE
2564 C:\WINDOWS\system32\svchost.exe
3540 unsecapp.exe
3652 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
3976 alg.exe
324 wmiprvse.exe
2440 C:\WINDOWS\system32\wuauclt.exe
3804 C:\WINDOWS\system32\wuauclt.exe
3880 C:\WINDOWS\system32\svchost.exe
1736 C:\Program Files\Mozilla Thunderbird\thunderbird.exe
3448 C:\Documents and Settings\Tom Newhouse\Desktop\Recovery\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-00L9A0, Rev: 01.03E01
PhysicalDrive1 Model Number: SAMSUNGHD160JJ/P, Rev: ZM100-34

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E
149 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

DDS report
===================================================


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom Newhouse at 9:11:52.62 on Thu 08/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2200 [GMT -7:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! antivirus 4.7.1001 [VPS 000740-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
svchost.exe 4
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe 4
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Chaos Software\Chaos 7\chaos7.exe
C:\Documents and Settings\Tom Newhouse\Desktop\Defogger.exe
C:\Documents and Settings\Tom Newhouse\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070426
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
c:\documents and settings\tom newhouse\local settings\temp\16d.tmp\temp00
StartupFolder: c:\docume~1\tomnew~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-23 64160]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-6-21 15328]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-11 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-11 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-11 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100804.001\IDSXpx86.sys [2010-8-5 331640]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-3-11 117640]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-6-21 220128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-31 102448]
R3 MAFW;%FW.SvcDesc%;c:\windows\system32\drivers\mafw.sys [2010-8-3 186368]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100805.003\NAVENG.SYS [2010-8-5 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100805.003\NAVEX15.SYS [2010-8-5 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-22 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 AMBAWEBCAM;Sony Webcam;c:\windows\system32\drivers\AmbaWebcam.sys [2009-8-10 33024]
S3 eltima_usb_stub;ELTIMA Usb Stub;c:\windows\system32\drivers\usbstub.sys [2007-6-17 4352]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-3-8 122504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-4-26 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-30 38224]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-8 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-8 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-8 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-8 40552]
S3 newsletterMysql;newsletterMysql;c:\program files\pilot group ltd\newsletter apr.2010\mysql\bin\mysqld-opt.exe [2010-2-15 6066176]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]
S3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [2007-6-17 23040]
S4 AmbaAudio;Sony Camera Device;c:\windows\system32\drivers\ambaaudio.sys --> c:\windows\system32\drivers\AmbaAudio.sys [?]

=============== Created Last 30 ================

2010-08-04 17:42:24 0 d-----w- c:\docume~1\tomnew~1\applic~1\Research In Motion
2010-08-04 14:40:22 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-04 14:40:08 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-04 14:40:06 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-04 14:40:05 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-04 14:38:48 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-04 14:38:41 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-08-04 14:37:49 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-04 14:37:48 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-08-04 14:30:02 0 d-----w- c:\windows\system32\CatRoot_bak
2010-08-04 13:56:33 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-08-04 13:54:15 19569 ----a-w- c:\windows\003132_.tmp
2010-08-03 20:21:11 54156 ---ha-w- c:\windows\QTFont.qfn
2010-08-03 20:21:11 1409 ----a-w- c:\windows\QTFont.for
2010-08-03 17:02:56 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2010-08-03 17:01:59 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
2010-08-03 17:00:56 78848 -c--a-w- c:\windows\system32\dllcache\dayi.ime
2010-08-03 16:56:55 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-08-03 16:56:45 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-08-03 16:56:45 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-08-03 16:56:45 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-08-03 16:56:45 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-08-03 16:56:25 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-08-03 16:32:59 10559 ----a-r- c:\windows\SETC7.tmp
2010-08-03 16:32:58 22339 ----a-r- c:\windows\SETC6.tmp
2010-08-03 16:32:54 13753 ----a-r- c:\windows\SET8F.tmp
2010-08-03 16:32:52 1086058 ----a-r- c:\windows\SET83.tmp
2010-08-03 16:32:50 1042903 ----a-r- c:\windows\SET80.tmp
2010-08-03 15:57:15 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-08-03 15:57:15 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-08-03 15:57:15 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-08-03 15:57:15 13312 ----a-w- c:\windows\system32\irclass.dll
2010-08-03 15:57:09 22339 ----a-r- c:\windows\SETC1.tmp
2010-08-03 15:57:09 10559 ----a-r- c:\windows\SETC2.tmp
2010-08-03 15:57:05 13753 ----a-r- c:\windows\SET8E.tmp
2010-08-03 15:57:03 1086058 ----a-r- c:\windows\SET82.tmp
2010-08-03 15:57:00 1042903 ----a-r- c:\windows\SET7F.tmp
2010-08-03 15:07:09 22339 ----a-r- c:\windows\SET12D.tmp
2010-08-03 15:07:09 10559 ----a-r- c:\windows\SET12E.tmp
2010-08-03 15:07:08 8574 -c--a-w- c:\windows\system32\dllcache\IASNT4.CAT
2010-08-03 15:07:08 797189 -c--a-w- c:\windows\system32\dllcache\NT5IIS.CAT
2010-08-03 15:07:08 7710 -c--a-w- c:\windows\system32\dllcache\OEMBIOS.CAT
2010-08-03 15:07:08 399645 -c--a-w- c:\windows\system32\dllcache\MAPIMIG.CAT
2010-08-03 15:07:08 37484 -c--a-w- c:\windows\system32\dllcache\MW770.CAT
2010-08-03 15:07:08 13472 -c--a-w- c:\windows\system32\dllcache\HPCRDP.CAT
2010-08-03 15:07:02 13753 ----a-r- c:\windows\SETF9.tmp
2010-08-03 15:07:00 1086058 ----a-r- c:\windows\SETED.tmp
2010-08-03 15:06:57 1042903 ----a-r- c:\windows\SETEA.tmp
2010-08-01 13:19:08 0 ----a-w- c:\documents and settings\tom newhouse\defogger_reenable
2010-07-31 16:45:31 0 d-----w- c:\program files\Trend Micro
2010-07-30 21:59:00 0 d-----w- c:\docume~1\tomnew~1\applic~1\Malwarebytes
2010-07-30 21:58:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 21:58:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-30 21:58:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-30 21:58:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 16:19:15 0 d-----w- c:\docume~1\tomnew~1\applic~1\SafeReturner
2010-07-30 16:19:07 0 d-----w- c:\program files\Safe Returner
2010-07-29 19:12:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-29 00:19:07 0 d-----w- C:\Backreg
2010-07-29 00:18:50 108 ----a-w- C:\rnr.rnr
2010-07-28 06:18:37 0 d-----w- c:\docume~1\tomnew~1\applic~1\Samsung
2010-07-28 06:12:15 174592 ----a-w- c:\windows\system32\framedyn.dll
2010-07-28 06:11:45 0 d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-07-28 06:11:34 766 ----a-w- c:\windows\system32\Uninstall.ico
2010-07-28 06:11:28 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-07-28 03:31:30 2 --shatr- c:\windows\winstart.bat
2010-07-28 03:30:45 0 d-----w- c:\program files\UnHackMe
2010-07-27 11:22:11 0 d-----w- c:\program files\Macrium
2010-07-26 14:25:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-07-25 16:52:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-25 16:52:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-07-25 16:52:39 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-08 15:20:07 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}

==================== Find3M ====================

2010-08-04 17:18:35 186368 ----a-w- c:\windows\system32\drivers\mafw.sys
2010-08-03 16:55:38 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-21 18:58:08 15328 ----a-w- c:\windows\system32\drivers\pssnap.sys
2010-06-21 18:57:56 44512 ----a-w- c:\windows\system32\drivers\psmounter.sys
2010-06-18 04:10:00 1488 ----a-w- c:\docume~1\tomnew~1\applic~1\wklnhst.dat
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-16 06:50:35 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-06-09 15:42:55 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-06-09 15:47:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060920090610\index.dat
2009-12-19 13:47:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121920091220\index.dat

============= FINISH: 9:12:54.96 ===============

Edited by Tom N, 05 August 2010 - 03:30 PM.



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:18 PM

Posted 05 August 2010 - 05:14 PM

Good evening. :)

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Can you also tell me the make and model of the computer and whether or not you have the Windows installation disc that sometimes comes with a PC?

So long, and thanks for all the fish.



#3 Tom N

Tom N
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 05 August 2010 - 06:09 PM

It is a Dell XPS 410. I have the dell recovery disk. I have repaired XP with this disk.


Partition ID: Disk #1, Partition #0
Size: 47.03 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #1, Partition #1
Size: 145.96 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #1, Partition #2
Size: 3 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #0
Size: 47.03 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 295.03 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #2
Size: 3.01 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 2.3.1
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:18 PM

Posted 06 August 2010 - 02:03 PM

Good evening.

The log isn't as I would expect it - the disks have been read in reverse order which is a little odd.

QUOTE
I have repaired XP with this disk.

Have you reinstalled Windows using the disc rather than the Recovery Partition that I think you still have?

This is important as the MBR that you have may either be a Dell custom one, in which case things may not go according to plan, or the standard Windows one, in which case things should be OK.

So long, and thanks for all the fish.

 

 


#5 Tom N

Tom N
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 06 August 2010 - 02:52 PM

Disk #1 was the boot disk. I replaced it with a larger disk (#0) which is now the boot disk. Could that be why they are numbered backwards? I did not reformat the disk.

I have done a repair with the disk in the CD drive. I don't know where it read the files from. The Disk claims that "the software is already installed on your computer"

I hope this helps

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:18 PM

Posted 06 August 2010 - 05:19 PM

Interesting thing about the discs - it sounds like it could be the answer but it's not something I've come across before.

OK, the situation is quite simple. If the fix works then all is well. If it doesn't then you are going to have to reinstall Windows and that will wipe all your data from the disc. I suggest that if you want to go ahead you back up any important data first, as it never hurts to have a safety net.

Please ask me any questions that you have and let me know what you decide to do, but please understand that with the best will in the world I can't offer any guarantees.

So long, and thanks for all the fish.

 

 


#7 Tom N

Tom N
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 06 August 2010 - 05:38 PM

Well, I would like my computer back. I did a complete backup right AFTER this bug bit me so I do have my data, but the bug is in there somewhere.
Do you think that the boot partition from my old drive might still be good?

Anyway, I am willing to try anything at this point. I really appreciate your help.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:18 PM

Posted 07 August 2010 - 03:11 PM

Good evening.

QUOTE
Do you think that the boot partion from my old drive might still be good?

Unfortunately not. The nasty infects any MBRs it can find and MBRCheck indicates that both are corrupt:

298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E
149 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run MBRCheck.exe again but, when prompted, enter Y this time for further options.
At the "Options" prompt enter 2 - this will overwrite the malicious boot code.
When asked for the "Physical Drive Number", enter 1
When asked for the "MBR Code to write", enter 1
Enter YES to confirm your actions.

Please immediately reboot your PC and let me have the contents of the new text file that will have been created on your Desktop.

So long, and thanks for all the fish.
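Both tools used in this thread reduce to the same two checks: hash the executable part of sector 0 and compare it against known code, and read the partition table to see which partition the MBR will hand off to (MBRCheck's "at offset 0x...02f10c00" is simply the active partition's starting LBA times 512). The Python below is an added example written for this page, not MBRCheck, Bootkit Remover or any Dell/Microsoft code. Its assumptions: that MBRCheck's SHA1 covers the 440-byte boot-code area and Bootkit Remover's MD5 the whole 512-byte sector (if either tool hashes a different span the comparison simply never matches); the sample disk layouts, sector counts and partition type codes are constructed to mirror the 47 MB / OS / 3 GB split reported by Preformat.vbs and are not taken from a real dump. To use it on a real disk, pass the 512 bytes of sector 0 (from a dump file) to parse_mbr().

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: x86 boot code; disk signature follows
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
MBR_SIGNATURE = b"\x55\xaa"

# SHA1 MBRCheck printed for both drives in the thread, flagged "Known-bad MBR
# code detected (Whistler / Black Internet)". Assumption: the tool hashes the
# 440-byte code area; if not, this entry never matches and the verdict stays
# "unknown boot code" rather than giving a false positive.
KNOWN_BAD_SHA1 = {
    "9654b01951421a0e9a1dc964e4ba1ec7cd703e5e": "Whistler / Black Internet",
}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are ignored)."""
    status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "active": status == 0x80,            # 0x80 = bootable flag the MBR code honours
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "byte_offset": lba_start * SECTOR,   # what MBRCheck prints as "at offset"
        "size_mb": round(sectors * SECTOR / 2**20, 2),
    }


def parse_mbr(sector: bytes) -> dict:
    """Return hashes, verdict and partition table for one sector-0 image."""
    if len(sector) != SECTOR:
        raise ValueError(f"MBR must be {SECTOR} bytes, got {len(sector)}")
    code_sha1 = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest()
    raw = [sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)] for i in range(4)]
    parts = [p for p in map(parse_partition_entry, raw) if p["type"] != 0]  # drop empty slots
    active = [i for i, p in enumerate(parts) if p["active"]]
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha1": code_sha1,
        # Assumption: Bootkit Remover's "Boot sector MD5" covers the full sector.
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "verdict": KNOWN_BAD_SHA1.get(code_sha1, "unknown boot code"),
        "partitions": parts,
        "active_partition": active[0] if len(active) == 1 else None,
    }


# --- constructed sample data (not from a real disk) -------------------------

def make_entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build a partition entry; CHS fields set to the usual 'beyond CHS' marker."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_mbr(boot_code: bytes, entries: list, disk_sig: int) -> bytes:
    """Assemble code + 4-byte disk signature + 2 reserved + table + 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + table + MBR_SIGNATURE


# Stand-in for boot code: a few opcode-looking bytes plus a marker. It is NOT
# the Whistler code and NOT a bootable sector.
FAKE_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"constructed-boot-stub"

# Dell-style layout as in the thread: ~47 MB utility partition, OS partition
# starting at LBA 96390 (96390 * 512 = 0x02f10c00, the offset MBRCheck showed),
# then a ~3 GB recovery partition. Sector counts and type codes are assumed.
SAMPLE_DISK1 = build_mbr(FAKE_CODE, [
    make_entry(False, 0xDE, 63, 96327),
    make_entry(True, 0x07, 96390, 306_000_000),
    make_entry(False, 0x07, 306_096_390, 6_291_456),
], disk_sig=0x11111111)

# Second disk: identical boot code, different table, like the two drives in the
# thread that shared one SHA1 while differing in size.
SAMPLE_DISK0 = build_mbr(FAKE_CODE, [
    make_entry(False, 0xDE, 63, 96327),
    make_entry(True, 0x07, 96390, 618_700_000),
    make_entry(False, 0x07, 618_796_390, 6_312_428),
], disk_sig=0x22222222)


def report(name: str, sector: bytes) -> str:
    """Render one disk in the style of the tool output quoted in the thread."""
    r = parse_mbr(sector)
    lines = [f"{name}: signature={'ok' if r['signature_ok'] else 'BAD'} "
             f"code_sha1={r['boot_code_sha1']} md5={r['sector_md5']} -> {r['verdict']}"]
    for i, p in enumerate(r["partitions"]):
        flag = "*" if p["active"] else " "
        lines.append(f"  {flag} #{i} type=0x{p['type']:02x} lba={p['lba_start']} "
                     f"offset=0x{p['byte_offset']:08x} size={p['size_mb']} MB")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("PhysicalDrive0", SAMPLE_DISK0))
    print(report("PhysicalDrive1", SAMPLE_DISK1))
```

The point of hashing only the code area rather than the whole sector is visible in the two samples: their boot code hashes identically while the full-sector MD5 differs because the partition tables differ, which is exactly why MBRCheck could report one SHA1 for two disks of different sizes. Rerunning parse_mbr on a fresh dump after a fix is the check that the code hash has actually changed; a repeated "known-bad" hash, as in the later log in this thread, means the write did not take.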

 

 


#9 Tom N

Tom N
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 07 August 2010 - 03:21 PM

Just to be sure, the 298 GB \\.\PhysicalDrive0 is the boot drive. The 149 GB \\.\PhysicalDrive1 is my data drive. It seems to me that fixing the MBR on the data drive will not change anything at boot. Am I missing something? I would not be surprised if I am...

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:18 PM

Posted 08 August 2010 - 03:50 PM

Good evening.

Sorry, my bad.

Partition ID: Disk #1, Partition #1
Size: 145.96 GB

The computer boots from this partition.

Partition ID: Disk #0, Partition #1
Size: 295.03 GB

The computer boots from this partition.


I worked with the first "The computer boots from this partition." and forgot you'd played with the discs. That will be Physical Drive 0 to be fixed then!

So long, and thanks for all the fish.

 

 


#11 Tom N

Tom N
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 10 August 2010 - 02:13 PM

Here is the new report

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200001c

Kernel Drivers (total 154):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA328000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E92000 iaStor.sys
0xBA330000 cercsr6.sys
0xB9E7A000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E5A000 fltmgr.sys
0xB9E48000 sr.sys
0xBA118000 Lbd.sys
0xB9DF9000 SYMEFA.SYS
0xBA128000 PxHelp20.sys
0xB9DE2000 KSecDD.sys
0xB9DCF000 WudfPf.sys
0xB9D42000 Ntfs.sys
0xB9D15000 NDIS.sys
0xB9CFA000 snapman.sys
0xBA138000 sbp2port.sys
0xBA338000 pssnap.sys
0xB9CE0000 Mup.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB558B000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB5577000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB553E000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB551A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3D0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB54F2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8F98000 \SystemRoot\system32\DRIVERS\61883.sys
0xB8F88000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB54BE000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB549B000 \SystemRoot\system32\DRIVERS\ks.sys
0xB539C000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB52F5000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA3D8000 \SystemRoot\System32\Drivers\Modem.SYS
0xB8F78000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9C5F000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8F68000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8F58000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xB8F48000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8F38000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA3E0000 \SystemRoot\system32\drivers\InCDPass.sys
0xB8F28000 \SystemRoot\system32\drivers\InCDRm.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA5F6000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA762000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5F8000 \SystemRoot\System32\Drivers\RootMdm.sys
0xB8F18000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9A48000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB52DE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8F08000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB98D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB52CD000 \SystemRoot\system32\DRIVERS\psched.sys
0xB5986000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA400000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA408000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB5976000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA410000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA418000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA420000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA5FA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB526F000 \SystemRoot\system32\DRIVERS\update.sys
0xB9A38000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB5966000 \SystemRoot\system32\DRIVERS\avc.sys
0xB9A34000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB98F7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xADC36000 \SystemRoot\system32\DRIVERS\mafw.sys
0xAE7F6000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA666000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xADB06000 \SystemRoot\system32\drivers\sthda.sys
0xADAE2000 \SystemRoot\system32\drivers\portcls.sys
0xAE7E6000 \SystemRoot\system32\drivers\drmk.sys
0xAF16B000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xADA8F000 \SystemRoot\System32\Drivers\N360\0308000.029\SRTSP.SYS
0xA9AC4000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100809.040\NAVEX15.SYS
0xA9A9F000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA9A8B000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100809.040\NAVENG.SYS
0xAF05F000 \SystemRoot\system32\drivers\N360\0308000.029\SRTSPX.SYS
0xBA664000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAA66C000 \SystemRoot\System32\Drivers\Null.SYS
0xBA66E000 \SystemRoot\System32\Drivers\Beep.SYS
0xAD6FC000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAD6F4000 \SystemRoot\System32\drivers\vga.sys
0xBA5BC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA9E71000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAE8AC000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA9A4F000 \SystemRoot\system32\drivers\InCDFs.sys
0xAD532000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAD50A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xADCD2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA9A3C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA99E3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA99AF000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMTDI.SYS
0xA9989000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA493000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAE2C1000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBA478000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMNDIS.SYS
0xA9974000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMFW.SYS
0xBA480000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMIDS.SYS
0xA991F000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100805.004\IDSxpx86.sys
0xA98F7000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA98D5000 \SystemRoot\System32\drivers\afd.sys
0xBA308000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA390000 \SystemRoot\System32\Drivers\StarOpen.SYS
0xA9840000 \SystemRoot\System32\Drivers\UimFIO.SYS
0xBA318000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA981E000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xBA3A8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA97F3000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9783000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9750000 \SystemRoot\system32\drivers\mfehidk.sys
0xB4119000 \SystemRoot\System32\Drivers\Fips.SYS
0xA96F2000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA96D5000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA965A000 \SystemRoot\System32\Drivers\N360\0308000.029\ccHPx86.sys
0xA9618000 \SystemRoot\System32\Drivers\N360\0308000.029\BHDrvx86.sys
0xAE301000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD6DC000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB2CCD000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA238000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAF4DA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAF4D2000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA9561000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xAEC99000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA458000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA737000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xAF4D6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA7913000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA1B8000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7728000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA76EF000 \SystemRoot\System32\Drivers\adfs.SYS
0xA76EB000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7418000 \SystemRoot\system32\DRIVERS\srv.sys
0xA68F3000 \??\C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys
0xA6362000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
988 C:\WINDOWS\system32\smss.exe
1080 csrss.exe
1108 C:\WINDOWS\system32\winlogon.exe
1152 C:\WINDOWS\system32\services.exe
1164 C:\WINDOWS\system32\lsass.exe
1328 C:\WINDOWS\system32\svchost.exe
1412 svchost.exe
1536 C:\WINDOWS\system32\svchost.exe
1568 C:\WINDOWS\system32\svchost.exe
1720 svchost.exe
1924 svchost.exe
1988 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1992 C:\WINDOWS\system32\svchost.exe
228 C:\WINDOWS\system32\spoolsv.exe
620 C:\WINDOWS\explorer.exe
768 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
808 C:\WINDOWS\stsystra.exe
816 C:\Program Files\Common Files\Java\Java Update\jusched.exe
860 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
864 C:\WINDOWS\system32\maFwTray.exe
932 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
940 C:\WINDOWS\system32\ctfmon.exe
968 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
1048 C:\Program Files\palmOne\HOTSYNC.EXE
1064 C:\WINDOWS\system32\svchost.exe
1236 svchost.exe
1360 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
1404 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1456 C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
1492 C:\Program Files\Bonjour\mDNSResponder.exe
1936 C:\WINDOWS\system32\svchost.exe
332 C:\WINDOWS\system32\svchost.exe
384 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
448 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
516 C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
1608 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
1784 C:\WINDOWS\system32\svchost.exe
1840 C:\WINDOWS\system32\nvsvc32.exe
2484 C:\Program Files\Macrium\Reflect\ReflectService.exe
2556 C:\WINDOWS\system32\svchost.exe
3520 C:\WINDOWS\system32\wuauclt.exe
4060 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
2272 unsecapp.exe
2432 wmiprvse.exe
3980 alg.exe
2192 C:\Documents and Settings\Tom Newhouse\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-00L9A0, Rev: 01.03E01
PhysicalDrive1 Model Number: SAMSUNGHD160JJ/P, Rev: ZM100-34

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E
149 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:18 PM

Posted 10 August 2010 - 02:18 PM

Good evening.

Will you run MBRCheck and let me have the new log. It looks like the fix was successful, but I'd like to see the proof for myself.
Once that's confirmed we (you, to be precise) will overwrite the other disc's MBR and that should be that. A quick anti-malware scan just to check for slime that might have come along for the ride and that should be that.

So long, and thanks for all the fish.

 

 


#13 Tom N

Tom N
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 10 August 2010 - 02:47 PM

Here is the newest report

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200001c

Kernel Drivers (total 155):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA328000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E92000 iaStor.sys
0xBA330000 cercsr6.sys
0xB9E7A000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E5A000 fltmgr.sys
0xB9E48000 sr.sys
0xBA118000 Lbd.sys
0xB9DF9000 SYMEFA.SYS
0xBA128000 PxHelp20.sys
0xB9DE2000 KSecDD.sys
0xB9DCF000 WudfPf.sys
0xB9D42000 Ntfs.sys
0xB9D15000 NDIS.sys
0xB9CFA000 snapman.sys
0xBA138000 sbp2port.sys
0xBA338000 pssnap.sys
0xB9CE0000 Mup.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB5058000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB5044000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB500B000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA3B8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB4FE7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3C0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB4FBF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8B17000 \SystemRoot\system32\DRIVERS\61883.sys
0xB8B07000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB4F8B000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB4F68000 \SystemRoot\system32\DRIVERS\ks.sys
0xB4E69000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB4DC2000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA3C8000 \SystemRoot\System32\Drivers\Modem.SYS
0xB8AF7000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA578000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8AE7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8AD7000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xB8AC7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8AB7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA3D0000 \SystemRoot\system32\drivers\InCDPass.sys
0xB8AA7000 \SystemRoot\system32\drivers\InCDRm.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA630000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA68A000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA638000 \SystemRoot\System32\Drivers\RootMdm.sys
0xB8A97000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9A83000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB4DAB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8A87000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA168000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB4D9A000 \SystemRoot\system32\DRIVERS\psched.sys
0xB5453000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB5443000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA408000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA410000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA63A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB4D3C000 \SystemRoot\system32\DRIVERS\update.sys
0xB9A77000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB5433000 \SystemRoot\system32\DRIVERS\avc.sys
0xB9A73000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB94B6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAD2E4000 \SystemRoot\system32\DRIVERS\mafw.sys
0xAD8C1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAD1A0000 \SystemRoot\system32\drivers\sthda.sys
0xAD17C000 \SystemRoot\system32\drivers\portcls.sys
0xAD8B1000 \SystemRoot\system32\drivers\drmk.sys
0xAE25C000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xAD129000 \SystemRoot\System32\Drivers\N360\0308000.029\SRTSP.SYS
0xAC458000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xAD6B3000 \SystemRoot\system32\drivers\N360\0308000.029\SRTSPX.SYS
0xBA66C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA93F3000 \SystemRoot\System32\Drivers\Null.SYS
0xBA66E000 \SystemRoot\System32\Drivers\Beep.SYS
0xB334E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB3346000 \SystemRoot\System32\drivers\vga.sys
0xBA5AC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5AE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA96F8000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA8F58000 \SystemRoot\system32\drivers\InCDFs.sys
0xB333E000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB3336000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA96F4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8F45000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8EEC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8EB8000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMTDI.SYS
0xA8E92000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAF551000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMNDIS.SYS
0xA8E7D000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMFW.SYS
0xAF549000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMIDS.SYS
0xA8E28000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100805.004\IDSxpx86.sys
0xA8E00000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8DDE000 \SystemRoot\System32\drivers\afd.sys
0xA95D6000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAF541000 \SystemRoot\System32\Drivers\StarOpen.SYS
0xA8D49000 \SystemRoot\System32\Drivers\UimFIO.SYS
0xA95C6000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA8D27000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xAF531000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA8CFC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8C8C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA8C59000 \SystemRoot\system32\drivers\mfehidk.sys
0xA95B6000 \SystemRoot\System32\Drivers\Fips.SYS
0xA8BFB000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA8BDE000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA8B63000 \SystemRoot\System32\Drivers\N360\0308000.029\ccHPx86.sys
0xA8B21000 \SystemRoot\System32\Drivers\N360\0308000.029\BHDrvx86.sys
0xA9596000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA9586000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB343C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xACED3000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAD38C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAF1AF000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAD380000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA8A6A000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9C63000 \SystemRoot\System32\drivers\Dxapi.sys
0xACECB000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xA9640000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB3C06000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA692D000 \SystemRoot\system32\drivers\wdmaud.sys
0xAEE3A000 \SystemRoot\system32\drivers\sysaudio.sys
0xA66F2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA66B9000 \SystemRoot\System32\Drivers\adfs.SYS
0xA65A5000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA6482000 \SystemRoot\system32\DRIVERS\srv.sys
0xA622A000 \??\C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys
0xA5AD8000 \SystemRoot\System32\Drivers\HTTP.sys
0xA4E19000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100810.002\NAVEX15.SYS
0xA4E05000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100810.002\NAVENG.SYS
0xA3CA2000 \SystemRoot\system32\drivers\kmixer.sys
0xB4A7A000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
988 C:\WINDOWS\system32\smss.exe
1084 csrss.exe
1108 C:\WINDOWS\system32\winlogon.exe
1152 C:\WINDOWS\system32\services.exe
1164 C:\WINDOWS\system32\lsass.exe
1336 C:\WINDOWS\system32\svchost.exe
1424 svchost.exe
1576 C:\WINDOWS\system32\svchost.exe
1620 C:\WINDOWS\system32\svchost.exe
1772 svchost.exe
1940 svchost.exe
256 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
268 C:\WINDOWS\system32\svchost.exe
304 C:\WINDOWS\explorer.exe
380 C:\WINDOWS\system32\spoolsv.exe
676 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
744 C:\WINDOWS\stsystra.exe
772 C:\Program Files\Common Files\Java\Java Update\jusched.exe
824 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
832 C:\WINDOWS\system32\maFwTray.exe
848 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
860 C:\WINDOWS\system32\ctfmon.exe
880 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
920 C:\Program Files\palmOne\HOTSYNC.EXE
1236 C:\WINDOWS\system32\svchost.exe
1184 svchost.exe
1368 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
1500 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1512 C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
1540 C:\Program Files\Bonjour\mDNSResponder.exe
1968 C:\WINDOWS\system32\svchost.exe
2036 C:\WINDOWS\system32\svchost.exe
260 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1436 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
648 C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
692 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
1688 C:\WINDOWS\system32\svchost.exe
1836 C:\WINDOWS\system32\nvsvc32.exe
2492 C:\Program Files\Macrium\Reflect\ReflectService.exe
2532 C:\WINDOWS\system32\svchost.exe
3824 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
2168 unsecapp.exe
2880 wmiprvse.exe
3920 alg.exe
3096 C:\WINDOWS\system32\svchost.exe
2656 C:\Documents and Settings\Tom Newhouse\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-00L9A0, Rev: 01.03E01
PhysicalDrive1 Model Number: SAMSUNGHD160JJ/P, Rev: ZM100-34

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E
149 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 9654B01951421A0E9A1DC964E4BA1EC7CD703E5E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:18 PM

Posted 10 August 2010 - 03:16 PM

Looks like MBRCheck didn't manage to overwrite the infected MBR - this isn't unknown sadly. OK, we'll go with Plan B:

Download Bootkit Remover by eSage Lab from here and save it to your Desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you have a way to "un-rar" files, then do so. If you don't you'll need to install something to handle the task. The following is freeware and works very nicely:

Download 7zip from here and save it to your Desktop.
Double click the executable to install the program as you usually do and follow the instructions - if instructed, reboot the PC.
Now right click bootkit_remover.rar and select 7-Zip > Extract Here

You should now see three files, remover.exe, readme_ru.txt and readme_en.txt - feel free to delete the two text files as they aren't needed - just make sure that remover.exe is directly on the Desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To run the scanner, do the following:

Go to Start > Run..., enter cmd into the textbox and click OK
Copy and paste the following into the Command Window that has opened and press <ENTER> TWICE - this is important:

"%userprofile%\desktop\remover.exe" > "%userprofile%\desktop\removerlog.txt"

I would like to see the contents of removerlog.txt that should now be on your Desktop.

So long, and thanks for all the fish.

 

 


#15 Tom N

Tom N
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 10 August 2010 - 04:30 PM

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00
Boot sector MD5 is: 23b36db504fb437836e05caa3ae2e174

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Done;

Press any key to quit...



