
Random Audio Ads


This topic is locked
6 replies to this topic

#1 draxoon

  • Members
  • 5 posts

Posted 22 August 2010 - 03:00 PM

Alright, so I've had this problem for a couple of days now and it is starting to get really annoying. Random audio ads will start playing and I can't find the process anywhere in Task Manager. I've already run Spybot, Malwarebytes' Anti-Malware, and SUPERAntiSpyware multiple times, but these have done nothing to fix it. Any help would be greatly appreciated.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Albert at 19:40:05.35 on Sat 08/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2551.1577 [GMT -7:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe 4
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ViStart\ViStart.exe
C:\PROGRA~1\ViGlance\ViGlance.exe
C:\PROGRA~1\ViSplore\ViSplore.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Albert\Desktop\dds.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vompi.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\albert\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [LClock] c:\program files\lclock\LClock.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [DrvIcon] c:\program files\vista drive icon\DrvIcon.exe
mRun: [vilaunch] c:\windows\system32\vilaunch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {F3D34410-6F9A-4FDD-987E-410C6F7AEA27} - hxxp://now.abs-cbn.com/software/ES_EasyInstall.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\albert\applic~1\mozilla\firefox\profiles\dxao9n36.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\albert\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\albert\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-12 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-12 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-12 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100820.001\IDSXpx86.sys [2010-8-20 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-3-12 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100821.004\NAVENG.SYS [2010-8-21 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100821.004\NAVEX15.SYS [2010-8-21 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\ActionReplayDS.sys [2009-8-10 29184]
S3 cpuz132;cpuz132;\??\c:\docume~1\albert\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\albert\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2009-2-27 31872]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2010-4-20 16640]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-08-22 02:38:26 0 ----a-w- c:\documents and settings\albert\defogger_reenable
2010-08-21 03:35:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-21 03:35:57 0 d-----w- c:\docume~1\albert\applic~1\SUPERAntiSpyware.com
2010-08-21 03:35:47 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-17 02:34:07 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cb3db4aa7f36a4.mof
2010-08-14 03:37:55 0 d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2010-08-12 19:14:43 0 d-----w- c:\program files\Steam
2010-08-12 00:43:18 0 d--h--w- c:\docume~1\albert\applic~1\Mahou Shoujo Ai San
2010-08-07 21:01:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Guitar Pro 6
2010-08-07 20:58:15 0 d-----w- c:\docume~1\albert\applic~1\Guitar Pro 6
2010-08-07 20:55:19 0 d-----w- c:\program files\Guitar Pro 6
2010-08-03 00:16:47 1494 ----a-w- c:\documents and settings\albert\.recently-used.xbel
2010-08-02 23:49:18 0 d-----w- c:\program files\GIMP-2.0
2010-07-29 03:44:15 0 d-----w- C:\d0fbc2ff317cb78664
2010-07-29 03:36:36 0 d-----w- C:\df7c181334547f77cdbaf908d92d37da

==================== Find3M ====================

2010-08-21 16:41:31 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-21 16:41:29 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-02 11:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 11:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 11:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-26 18:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 18:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 18:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 18:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 18:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2009-02-28 01:39:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022720090228\index.dat

============= FINISH: 19:40:48.18 ===============
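A DDS log like the one above is read line by line by the responder. The following is an added example, written for this page and not part of the original post or of DDS itself: a small Python triage pass over the report's own line formats (start page, mWinlogon and mPolicies values, BHO/TB registrations, Run keys, and the services/drivers table). The sample input is a constructed subset of lines copied from the log above; the flag names and the rules are this example's own, and a hit is a prompt to look closer, not a verdict on any entry.

```python
"""Triage the autostart, BHO, policy and driver lines of a DDS log.

Added example: this is not DDS's code and not part of the original post.
It applies the kind of rules a malware responder uses when reading a log
like the one above. Flag names and rules are this example's own, and a hit
is a prompt to look closer, not a verdict.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

START_RE = re.compile(r"^uStart Page = (?P<url>\S+)")
WINLOGON_RE = re.compile(r"^mWinlogon: (?P<name>\w+)=(?P<value>\S+)")
POLICY_RE = re.compile(r"^mPolicies-\w+: (?P<name>\w+) = (?P<value>\S+)")
BHO_RE = re.compile(r"^(?:BHO|TB): (?P<rest>.*)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$")
# "<state> <name>;<display name>;<path> [date size]" as DDS prints services/drivers
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample: a subset of lines copied from the DDS log above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.vompi.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
mRun: [vilaunch] c:\windows\system32\vilaunch.exe
mPolicies-system: EnableLUA = 0 (0x0)
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-3-12 117640]
S3 cpuz132;cpuz132;\??\c:\docume~1\albert\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\albert\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2010-4-20 16640]
"""


def triage(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per rule hit as {"flag": ..., "detail": ...}."""
    findings: List[Dict] = []

    def hit(flag: str, detail: str) -> None:
        findings.append({"flag": flag, "detail": detail})

    for raw in lines:
        line = raw.strip()
        if m := START_RE.match(line):
            # Reported for review only; a changed start page is not a verdict.
            hit("start-page", m["url"])
        elif m := WINLOGON_RE.match(line):
            # A non-zero SfcDisable turns off Windows File Protection on XP.
            if m["name"] == "SfcDisable" and m["value"] != "0":
                hit("wfp-disabled", line)
        elif m := POLICY_RE.match(line):
            # EnableLUA governs UAC on Vista and later; on XP it is inert,
            # but a value of 0 shows something wrote the policy.
            if m["name"] == "EnableLUA" and m["value"] == "0":
                hit("enablelua-zero", line)
        elif m := BHO_RE.match(line):
            # A CLSID with no backing DLL: an orphaned registration.
            rest = m["rest"].rstrip()
            if rest.endswith("- No File") or rest.endswith(" -"):
                hit("orphan-clsid", line)
        elif m := RUN_RE.match(line):
            if TEMP_RE.search(m["cmd"]):
                hit("temp-path-autostart", line)
        elif m := SVC_RE.match(line):
            path = m["path"].rstrip()
            if TEMP_RE.search(path):
                # A kernel driver loaded from a temp directory is unusual.
                hit("temp-path-driver", line)
            if path.endswith("[?]"):
                # DDS prints [?] when it could not stat the file on disk.
                hit("unverified-file", line)
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count hits per flag, e.g. {"orphan-clsid": 2, ...}."""
    return dict(Counter(f["flag"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['flag']:<20} {f['detail']}")
```

Rules like these only surface patterns the reviewer already knows to look for; they are a first pass over the log, not a substitute for reading the full process, driver and autostart lists, which is why the thread's responder asked for a boot-sector check rather than acting on the DDS log alone.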


#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 23 August 2010 - 02:32 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.

 

 


#3 draxoon

  • Topic Starter
  • Members
  • 5 posts

Posted 23 August 2010 - 09:16 PM

Here you go

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806CF000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltMgr.sys
0xB9ED9000 sr.sys
0xB9E8A000 SYMEFA.SYS
0xBA118000 PxHelp20.sys
0xB9E73000 KSecDD.sys
0xB9E60000 WudfPf.sys
0xB9DD3000 Ntfs.sys
0xB9DA6000 NDIS.sys
0xB9D8C000 Mup.sys
0xBA168000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB930D000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9210000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB91FC000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB91D4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA450000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB91B0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA458000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9196000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xB8FC6000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB8EA0000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA5E0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA460000 \SystemRoot\System32\Drivers\Modem.SYS
0xB8E8C000 \SystemRoot\system32\DRIVERS\parport.sys
0xB92FD000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA468000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA470000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB92ED000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB92DD000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB92CD000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8E69000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA478000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA7BA000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA188000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8E52000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA198000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA480000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8E41000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA488000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA490000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA498000 \SystemRoot\system32\DRIVERS\hamachi.sys
0xB8E11000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8D8B000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D68000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1F8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA88BE000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA889A000 \SystemRoot\system32\drivers\portcls.sys
0xBA218000 \SystemRoot\system32\drivers\drmk.sys
0xBA228000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA76F7000 \SystemRoot\System32\Drivers\N360\0308000.029\SRTSP.SYS
0xA75AB000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100823.025\NAVEX15.SYS
0xBA368000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA7586000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA7572000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100823.025\NAVENG.SYS
0xB8D87000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA380000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB8D83000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA268000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA388000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA6F02000 \SystemRoot\system32\DRIVERS\lvuvc.sys
0xBA278000 \SystemRoot\system32\drivers\usbaudio.sys
0xA6EC2000 \SystemRoot\system32\DRIVERS\lvrs.sys
0xBA288000 \SystemRoot\system32\drivers\N360\0308000.029\SRTSPX.SYS
0xBA60C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6D0000 \SystemRoot\System32\Drivers\Null.SYS
0xBA612000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3B0000 \SystemRoot\System32\drivers\vga.sys
0xBA61A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA61C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3B8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3C0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA534000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA6E8F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA6E36000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA6DDA000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMTDI.SYS
0xBA298000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA3C8000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMNDIS.SYS
0xBA2A8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA6D25000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMFW.SYS
0xBA3D0000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMIDS.SYS
0xA6CD0000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100820.001\IDSxpx86.sys
0xA6CA8000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA6C86000 \SystemRoot\System32\drivers\afd.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA3E0000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA6C64000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA3F8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA6C39000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA6BC9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2E8000 \SystemRoot\System32\Drivers\Fips.SYS
0xA6B6B000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA6B4E000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA6AD3000 \SystemRoot\System32\Drivers\N360\0308000.029\ccHPx86.sys
0xA6A91000 \SystemRoot\System32\Drivers\N360\0308000.029\BHDrvx86.sys
0xA6A45000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA308000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA6A2D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA656000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA6E1E000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA428000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7AB000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA56E9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA57A5000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA43B8000 \SystemRoot\system32\drivers\wdmaud.sys
0xA557D000 \SystemRoot\system32\drivers\sysaudio.sys
0xA40CC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA660000 \SystemRoot\System32\Drivers\ParVdm.SYS
0x9EE63000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA418000 \SystemRoot\system32\Drivers\LVPr2Mon.sys
0x9E44A000 \SystemRoot\System32\Drivers\HTTP.sys
0x9DEF4000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
1124 C:\WINDOWS\system32\smss.exe
1200 csrss.exe
1236 C:\WINDOWS\system32\winlogon.exe
1280 C:\WINDOWS\system32\services.exe
1292 C:\WINDOWS\system32\lsass.exe
1464 C:\WINDOWS\system32\svchost.exe
1532 svchost.exe
212 C:\WINDOWS\system32\svchost.exe
244 C:\WINDOWS\system32\svchost.exe
372 C:\WINDOWS\system32\svchost.exe
568 svchost.exe
788 svchost.exe
1092 C:\WINDOWS\system32\svchost.exe
1184 C:\WINDOWS\system32\spoolsv.exe
1764 C:\WINDOWS\explorer.exe
1852 C:\WINDOWS\VistaDrive\VistaDrive.exe
1860 C:\Program Files\LClock\LClock.exe
1912 C:\Program Files\iTunes\iTunesHelper.exe
1920 svchost.exe
136 C:\WINDOWS\SOUNDMAN.EXE
232 C:\WINDOWS\ALCWZRD.EXE
264 C:\WINDOWS\ALCMTR.EXE
896 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
908 C:\Program Files\Unlocker\UnlockerAssistant.exe
936 C:\Program Files\Vista Drive Icon\DrvIcon.exe
976 C:\WINDOWS\system32\ctfmon.exe
1156 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
1668 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
500 C:\PROGRA~1\ViStart\ViStart.exe
512 C:\PROGRA~1\ViGlance\ViGlance.exe
700 C:\PROGRA~1\ViSplore\ViSplore.exe
1816 C:\PROGRA~1\MICROS~4\rapimgr.exe
648 C:\Program Files\LSI SoftModem\agrsmsvc.exe
1296 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1144 C:\Program Files\Bonjour\mDNSResponder.exe
2904 C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
3032 C:\Program Files\Java\jre6\bin\jqs.exe
3100 C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
3148 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
3824 C:\WINDOWS\system32\svchost.exe
784 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3844 C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
2356 C:\Program Files\iPod\bin\iPodService.exe
2568 ytbb.exe
3072 C:\WINDOWS\system32\svchost.exe
3788 C:\Program Files\Mozilla Firefox\firefox.exe
3312 C:\Documents and Settings\Albert\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`00a4e000 (NTFS)
\\.\H: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3200822AS, Rev: 3.02

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 41FFB40BCF7823FF7D20425E9F8402B7228428E6


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!



Partition ID: Disk #0, Partition #0
Size: 8.01 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 178.3 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: American Megatrends Inc.
Name: BIOS Date: 03/31/05 20:06:54 Ver: 08.00.10
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


#4 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 24 August 2010 - 02:29 PM

Good evening.

OK, the situation you find yourself in is as follows - your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your infected Master Boot Record with a standard one, which doesn't guarantee to put everything right. Some computer manufacturers use custom MBRs which allow boot access to options such as Factory Restore and this infection will render these unavailable until the custom MBR is written back to the hard drive - an issue which a standard MBR won't solve.

If the custom MBR problem affects you, and your only recovery option is Factory Restore as the PC manufacturer didn't supply you with a Windows Recovery Disc, you will need to contact them and see if they are willing to supply you with this disc. Without it you will be unable to reinstall Windows should the need arise.

The worst-case scenario with overwriting the MBR to clean the infection is that the PC becomes unbootable and you have what is in effect an expensive paperweight, which, although unlikely, needs to be mentioned. While this won't actually physically break anything and you can reinstall the Operating System from a disc, if you have one, the existing installation of Windows will be unusable.

Will you let me know the make and model of the PC and whether or not you have a Windows Recovery Disc and we'll take it from there.

So long, and thanks for all the fish.
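The MBRCheck output in post #3 and the explanation in post #4 both turn on what the first sector of the disk actually contains. The following is an added example in Python, not MBRCheck's code (which the thread does not show) and not part of any post here: it parses a 512-byte MBR, lists the partition table the way MBRCheck reports it (byte offset of each partition, which one is bootable), and hashes the boot code for comparison against reference hashes. The sample sector is constructed: its two partition offsets are taken from the MBRCheck output above, while the sector counts, the dummy boot code and the disk signature are this example's assumptions. Which byte range MBRCheck hashes to produce the SHA1 it prints is not stated in the thread; this example hashes only the 440-byte boot code, because the disk signature and partition table differ on every machine.

```python
"""Parse a 512-byte Master Boot Record and hash its boot code.

Added example, not MBRCheck's code and not from the original thread.
Layout of the sector a boot-sector check has to understand:
  bytes 0x000-0x1B7  boot code (440 bytes)
  bytes 0x1B8-0x1BB  Windows disk signature
  bytes 0x1BE-0x1FD  four 16-byte partition entries
  bytes 0x1FE-0x1FF  0x55 0xAA boot signature
"""
import hashlib
import struct
from typing import Dict, List, Set

SECTOR = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
BOOT_SIG_OFF = 0x1FE
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_FMT = "<B3sB3sII"


def parse_mbr(sector: bytes) -> Dict:
    """Decode the partition table, check the 0x55AA signature and hash the code."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,          # what MBRCheck prints as "at offset"
            "size_gib": round(count * SECTOR / 2 ** 30, 2),
        })
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": parts,
    }


def classify(sector: bytes, known_good: Set[str], known_bad: Set[str]) -> str:
    """Known-bad wins over known-good. 'unknown' is a non-standard MBR that
    deserves a look (OEM boot code, for example) but is not proof of infection."""
    info = parse_mbr(sector)
    if not info["boot_signature_ok"]:
        return "invalid"
    h = info["boot_code_sha1"]
    if h in known_bad:
        return "known-bad"
    if h in known_good:
        return "known-good"
    return "unknown"


def read_mbr(device: str) -> bytes:
    """Read the first sector of a raw device, e.g. r"\\.\PhysicalDrive0" on
    Windows (administrator) or /dev/sda on Linux (root). Not run by the test."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed sector laid out like the disk MBRCheck reported above:
    FAT32 at byte offset 0x7E00 (LBA 63) and a bootable NTFS partition at
    0x200A4E000 (LBA 16,798,320). Sector counts are an assumption for a
    390,721,968-sector drive; the boot code is a two-byte 'jmp $' plus NOPs."""
    code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # assumed signature
    total = 390_721_968
    p0 = struct.pack(PART_FMT, 0x00, b"\0\0\0", 0x0B, b"\0\0\0", 63, 16_798_320 - 63)
    p1 = struct.pack(PART_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 16_798_320, total - 16_798_320)
    return code + disk_sig + p0 + p1 + b"\x00" * 32 + b"\x55\xAA"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"type 0x{p['type']:02X} at offset 0x{p['byte_offset']:X} "
              f"{p['size_gib']} GiB bootable={p['bootable']}")
```

The reference sets are the reader's to supply: a known-good hash taken from the boot sector of a clean install of the same Windows version, and whatever known-bad list the tool or team maintains (MBRCheck's own list is not on this page). Two caveats a practitioner would want: first, a boot-sector rootkit that filters disk reads can hand the running system a clean copy of the sector, so a clean result from a live read is weaker than one taken from boot media; second, as post #4 warns, overwriting the MBR discards OEM boot code, so save the current sector to a file before writing anything back.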

 

 


#5 draxoon

  • Topic Starter
  • Members
  • 5 posts

Posted 24 August 2010 - 06:38 PM

Hiya

My computer is an HP Pavilion a1120n and I don't have a recovery disk.

#6 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 25 August 2010 - 02:08 PM

Good evening.

You may just be in luck, if you cross your fingers, touch wood, and various other things that don't come with any guarantee of success.

Linky - Creating recovery discs and Ordering recovery discs from HP. Apparently HP software allows you to take one shot at creating a Recovery disc from a Recovery partition, which I think you have on your system. Try this option first as it's free and easy-ish.

If that doesn't work, then the page has other options to help you acquire one. It is in your interests to have a Windows installation safety net as computers have a habit of doing the wrong thing at the worst possible moment.

I suggest you try the create your own option and let me know how you get on.

So long, and thanks for all the fish.

 

 


#7 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 30 August 2010 - 03:19 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.