
xp-ie popups, computer freezing and blue screen of death


  • This topic is locked
19 replies to this topic

#1 caturday

  • Members
  • 41 posts

Posted 27 August 2010 - 07:11 AM

Hi, I'm usually good with dealing with my own computer problems but this month has been terrible.
About a month ago I started up my computer and within a few seconds a screen popped up that said the computer needed to shut down,
and was followed by a 60 second countdown which shut down the computer. This happened every time I started it up. I tried various things to fix it.
Eventually I reset my computer to "last known good configuration" and that seemed to fix it.
However about a week later another virus, or perhaps the same one, showed itself.
This one randomly created noises on my computer. It was the same sounds as the side advertisements on many websites.
The sounds of a farmyard for one of those farming games or a space battle.
It also created the sound that's made when a folder is opened up, randomly, while nothing was running.
Just as with the previous problem I ran virus checks like AVG and Avira and they found nothing.
So I ended up using "last known good configuration" again.
That fixed the annoying advertisement sounds but the clicking stayed.
I also noticed that sometimes my window would be deselected and if I was in full screen it popped out of it.
When this happens, if I alt+tab it says an Internet Explorer window is open listing an advertisement site.
However if I try to select it, it vanishes.
I figured I could live with that but the computer started acting strange and eventually it started freezing. It even froze once at the login screen where I enter my password.
It got so bad that it froze every time I started it up, within a minute.
So once again I used "last known good configuration".
This seems to have set it back to the time with just a few clicking noises and the IE pop-ups.
Since it seemed like my computer would get worse every time I shut it down, I started putting it in stand-by instead.
Also it seemed that it wanted to install Windows updates every day or so, so I turned that off as a precaution in case that was how the virus was getting in.
As it is now, my computer clicks and has the annoying window-deselecting pop-ups. It hasn't frozen in a while. But the constant clicks remind me that the virus or whatever it is is still on my computer and perhaps growing stronger.
With all three of these problems I have/had, I would sometimes randomly get the blue screen of death stating that a problem has been detected and Windows has been shut down; if this is the first time you have seen this, ignore this.......
I still get that periodically. In fact it crashed my computer on my first attempt at running GMER. I don't remember if it listed the problem, I'm sorry.
It only happens periodically so I don't know when it will happen again.
The second attempt worked.
Please help if you can, thanks a lot!!!!!!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jameson at 19:05:36.50 on Fri 08/27/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2167 [GMT 9:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\drivers\audio\r215959\STacSV.exe
svchost.exe 4
svchost.exe 4
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jameson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jameson\applic~1\mozilla\firefox\profiles\k90efq8m.default
FF - prefs.js: browser.startup.homepage - gmail.com
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-19 113024]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-6-19 160256]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-6-19 1656960]

=============== Created Last 30 ================

2010-08-27 09:59:44 0 ----a-w- c:\documents and settings\jameson\defogger_reenable
2010-08-13 16:14:55 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-12 00:06:31 5258 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-08 08:59:39 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-08 07:21:43 0 d-----w- c:\docume~1\jameson\applic~1\SUPERAntiSpyware.com
2010-08-08 07:21:43 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-08 07:21:38 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-05 12:32:25 0 d-----w- c:\docume~1\jameson\applic~1\Malwarebytes
2010-08-05 12:32:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-05 12:32:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 09:48:20 0 d-----w- c:\windows\system32\NtmsData
2010-08-05 08:27:38 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-01 14:26:03 0 d-----w- c:\program files\ESET
2010-08-01 08:29:13 2206 ----a-w- c:\windows\system32\wpa.dbl

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:10:44 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:10:44 667136 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14:38 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 19:05:55.46 ===============

Since the blue screen of death that occurred during my GMER scan, my computer seems to have gotten worse.
It froze again. And after a restart, I got the blue screen of death again. This time I wrote down what it said.
It said:
IRQL_NOT_LESS_OR_EQUAL

technical information
stop: 0x0000000A (0xEE1E5D00,0x00000002,0x00000001,0x804ff92a)
Please help, I think it's getting worse every minute.
It definitely seems to get worse with every shut down.


Edited by Pandy, 27 August 2010 - 02:47 PM.
Posts merged ~Pandy



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 02 September 2010 - 02:24 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 caturday

Posted 02 September 2010 - 05:07 PM

Hi Mole, thanks a lot for helping me out. I'm looking forward to working with you!

#4 m0le

Posted 02 September 2010 - 06:36 PM

We need to see what's at the heart of this infection.

Please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 caturday

Posted 02 September 2010 - 06:56 PM

Here you go, mole!
Once again, thanks a lot!


#6 m0le

Posted 02 September 2010 - 07:42 PM

You have a bootkit so please rerun MBRCheck as below.

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR. If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you, enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked "Do you want to fix the MBR code?" type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

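MBRCheck, as used in this post and again in post #12 to confirm the fix, works by comparing the boot code in the first sector of the disk against known operating-system loaders. The script below is an added illustration of that kind of check, written for this thread and not MBRCheck's own code: it parses a 512-byte MBR, validates the 55AA signature and the partition table, and hashes the 446-byte code region against a table of known-good hashes. The sample MBR bytes and the "known-good" hash are constructed for the example, not taken from a real Windows loader.

```python
"""Parse a 512-byte MBR and compare its boot code against known-good loaders.

Added example (not MBRCheck's code). The sample MBR and the known-good table
are constructed for illustration, not captured from a real Windows disk.
"""
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 446              # boot code occupies bytes 0..445
PART_TABLE_OFF = 446        # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"     # boot signature in bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition-table entries into dicts."""
    parts = []
    for i in range(4):
        start = PART_TABLE_OFF + 16 * i
        entry = mbr[start:start + 16]
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is excluded
    because it legitimately differs from machine to machine."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good: dict) -> dict:
    """Validate structure and compare the code region with known-good loaders.

    known_good maps a code-region SHA-256 to a human-readable loader label."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("unexpected MBR length %d" % len(mbr))
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 55AA boot signature")
    parts = parse_partitions(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions, expected exactly 1" % len(bootable))
    digest = code_hash(mbr)
    label = known_good.get(digest)
    if label is None:
        # This is what a bootkit leaves behind: table and signature intact,
        # so Windows still boots, but the loader code is not a known one.
        findings.append("boot code does not match any known-good loader")
    return {"code_sha256": digest, "loader": label, "partitions": parts,
            "findings": findings, "clean": not findings}


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: pad the given code to 446 bytes, add one bootable
    NTFS partition starting at LBA 63, and append the boot signature."""
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 4194304)
    table = entry + b"\x00" * 48          # three unused entries
    return code + table + SIGNATURE


# Constructed sample loader; its hash stands in for a known-good table entry.
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED-SAMPLE-LOADER-CODE")
KNOWN_GOOD = {code_hash(CLEAN_MBR): "constructed sample loader"}


def tampered_mbr() -> bytes:
    """Same partition table and signature as CLEAN_MBR, but four bytes of the
    code region changed (constructed) so the code hash no longer matches."""
    patched = bytearray(CLEAN_MBR)
    patched[0x20:0x24] = b"\xde\xad\xbe\xef"
    return bytes(patched)


def report(mbr: bytes) -> str:
    """Human-readable summary in the spirit of the MBRCheck log."""
    r = check_mbr(mbr, KNOWN_GOOD)
    lines = ["code sha256: " + r["code_sha256"],
             "loader: " + (r["loader"] or "UNKNOWN")]
    for p in r["partitions"]:
        if p["sectors"]:
            lines.append("partition %d: type 0x%02x lba %d sectors %d%s" % (
                p["index"], p["type"], p["lba_start"], p["sectors"],
                " (bootable)" if p["bootable"] else ""))
    lines += ["finding: " + f for f in r["findings"]]
    lines.append("result: " + ("OK" if r["clean"] else "SUSPICIOUS"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # a 512-byte MBR image dumped elsewhere
            print(report(fh.read(MBR_SIZE)))
    else:
        print("--- constructed clean sample ---")
        print(report(CLEAN_MBR))
        print("--- constructed tampered sample ---")
        print(report(tampered_mbr()))
```

Run without arguments it checks the two constructed samples; given a path it checks a 512-byte MBR image, and a real deployment would populate KNOWN_GOOD from hashes of the legitimate loaders it expects to see.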

#7 caturday

Posted 02 September 2010 - 08:17 PM

Hi mole, I don't have a recovery disc with me and the link you gave me to burn one has a download for Vista. Since my computer runs XP, is there an XP recovery disc download?
Thanks a lot

#8 m0le

Posted 02 September 2010 - 08:24 PM

No problem Caturday, if you have XP you can just download the Recovery Console (which was in the third line of the note above)

Vista doesn't have a Recovery Console so they would have to burn a disk.

#9 caturday

Posted 02 September 2010 - 08:48 PM

I don't have my Windows disc with me to insert. Is there a way around this? I have it back home in America somewhere but right now I'm in Japan.

#10 m0le

Posted 03 September 2010 - 07:32 PM

ComboFix includes a method of installing the Windows Recovery Console by downloading a file from Microsoft. Please follow these instructions:

1. Click on the following link to go to Microsoft's Web site:

http://support.microsoft.com/kb/310994

2. At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

   1. Click on the Start button.
   2. Click on the Run menu option.
   3. In the Open: field type the following: sysdm.cpl and then click on the OK button.
   4. A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack. When you are done determining this information continue with Step 2.

3. Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go.

4. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer. Press Yes and post the new log in your next reply. Then we should be clear to start fixing your computer.

#11 caturday

Posted 04 September 2010 - 03:33 AM

Hey mole, thanks for helping me out again.
Here is that ComboFix scan log.

ComboFix 10-09-03.02 - Jameson 09/04/2010 17:22:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2687 [GMT 9:00]
Running from: c:\documents and settings\Jameson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jameson\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-08-04 to 2010-09-04 )))))))))))))))))))))))))))))))
.

2010-08-13 16:14 . 2010-08-13 16:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-08 08:59 . 2010-08-08 08:59 -------- d-----w- c:\program files\Common Files\Java
2010-08-08 08:59 . 2010-08-08 08:59 61440 ----a-w- c:\documents and settings\Jameson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5dda6bcf-n\decora-sse.dll
2010-08-08 08:59 . 2010-08-08 08:59 503808 ----a-w- c:\documents and settings\Jameson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56523796-n\msvcp71.dll
2010-08-08 08:59 . 2010-08-08 08:59 499712 ----a-w- c:\documents and settings\Jameson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56523796-n\jmc.dll
2010-08-08 08:59 . 2010-08-08 08:59 348160 ----a-w- c:\documents and settings\Jameson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56523796-n\msvcr71.dll
2010-08-08 08:59 . 2010-08-08 08:59 12800 ----a-w- c:\documents and settings\Jameson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5dda6bcf-n\decora-d3d.dll
2010-08-08 08:59 . 2010-07-16 20:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-08 07:22 . 2010-08-08 07:22 63488 ----a-w- c:\documents and settings\Jameson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-08 07:22 . 2010-08-08 07:22 52224 ----a-w- c:\documents and settings\Jameson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-08 07:22 . 2010-08-08 07:22 117760 ----a-w- c:\documents and settings\Jameson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-08 07:21 . 2010-08-08 07:21 -------- d-----w- c:\documents and settings\Jameson\Application Data\SUPERAntiSpyware.com
2010-08-08 07:21 . 2010-08-08 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-08 07:21 . 2010-08-08 07:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-05 12:32 . 2010-08-05 12:32 -------- d-----w- c:\documents and settings\Jameson\Application Data\Malwarebytes
2010-08-05 12:32 . 2010-08-05 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-05 12:32 . 2010-08-07 06:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 09:48 . 2010-08-07 06:02 -------- d-----w- c:\windows\system32\NtmsData
2010-08-05 08:27 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 13:10 . 2009-07-01 22:18 -------- d-----w- c:\documents and settings\Jameson\Application Data\Skype
2010-09-03 12:42 . 2009-07-01 22:27 -------- d-----w- c:\documents and settings\Jameson\Application Data\skypePM
2010-08-15 23:52 . 2010-08-12 00:06 5258 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-08 15:33 . 2010-08-01 14:26 -------- d-----w- c:\program files\ESET
2010-08-08 08:59 . 2009-06-19 09:04 -------- d-----w- c:\program files\Java
2010-08-07 06:22 . 2009-07-01 22:14 -------- d-----w- c:\program files\DivX
2010-08-05 08:23 . 2010-07-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-08-05 08:23 . 2009-07-01 22:14 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-08-01 14:26 . 2010-08-01 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-07-19 01:01 . 2010-07-19 01:01 -------- d-----w- c:\documents and settings\Jameson\Application Data\DivX
2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:10 . 2008-04-25 16:16 667136 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:10 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 02:14 . 2008-04-25 16:16 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-24 00:27 . 2010-06-24 00:27 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-06-24 00:26 . 2010-06-24 00:26 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-08 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 3:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 3:41 AM 67656]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/19/2009 8:49 PM 113024]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [6/19/2009 8:49 PM 160256]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [6/19/2009 8:49 PM 1656960]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jameson\Application Data\Mozilla\Firefox\Profiles\k90efq8m.default\
FF - prefs.js: browser.startup.homepage - gmail.com
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-04 17:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-09-04 17:27:45
ComboFix-quarantined-files.txt 2010-09-04 08:27

Pre-Run: 20,066,062,336 bytes free
Post-Run: 20,076,310,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F24E0E1EBFA83A9D2A5219DC498729CA
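
Added example, not part of the thread and not ComboFix's own code: a small triage pass over the kind of lines ComboFix prints above (the R/S service entries and the firewall AuthorizedApplications list). The rules are the editor's assumptions, not ComboFix's: a service whose binary ComboFix could not find (`[?]`), one hosted by rundll32 (the yksvc entry above), or one whose image lives outside the Windows or Program Files trees gets a note, as does a firewall exception for a binary outside those trees. The sample lines are copied from the log above except the `svchlpr` service and the `xpupd.exe` firewall entry, which are constructed to show what a hit looks like.

```python
import re
from typing import Dict, List, Optional, Tuple

# R/S lines: <R|S><start type> <name>;<display name>;<image path> [<timestamp size>] or [?]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[(.*)\])?$")
# Authorized-application lines from the firewall policy key, as ComboFix escapes them.
FIREWALL_RE = re.compile(r'^"(.+)"=$')
# Locations a vendor binary is expected to live in on an XP box (assumption, not a ComboFix rule).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "%windir%\\")

# Lines copied from the log above, plus two constructed entries (svchlpr and xpupd.exe)
# that stand in for the kind of artefact these checks are meant to surface.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Jameson\\Application Data\\xpupd.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 3:25 AM 12872]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/19/2009 8:49 PM 113024]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [6/19/2009 8:49 PM 1656960]
R2 svchlpr;Service Helper;c:\documents and settings\Jameson\Local Settings\Temp\svchlpr.exe [9/1/2010 1:00 AM 24576]
'''


def normalize(path: str) -> str:
    """Lower-case and collapse the doubled backslashes ComboFix prints for registry strings."""
    return path.lower().replace("\\\\", "\\")


def in_trusted_root(path: str) -> bool:
    return normalize(path).startswith(TRUSTED_ROOTS)


def triage_service(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (service name, reasons) for an R/S line, or None if the line is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    _state, _start, name, _display, image, meta = m.groups()
    reasons = []
    if meta == "?":
        reasons.append("ComboFix could not locate the file ([?])")
    if "rundll32" in image.lower():
        reasons.append("service hosted by rundll32 (check the named DLL)")
    elif not in_trusted_root(image):
        reasons.append("image outside Windows/Program Files")
    return name, reasons


def triage_firewall(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (normalized path, reasons) for a firewall exception line, or None."""
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    path = normalize(m.group(1))
    reasons = [] if in_trusted_root(path) else ["firewall exception for a binary outside Windows/Program Files"]
    return path, reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged service name or firewall path to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = triage_service(line) or triage_firewall(line)
        if hit and hit[1]:
            flagged[hit[0]] = hit[1]
    return flagged


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(f"{key}: {'; '.join(reasons)}")
```

On the thread's own log the only hit is yksvc, and that one is a known Marvell network-driver quirk (the service is a rundll32-hosted coinstaller), which is why a hit from a pass like this is a prompt to look, not a verdict.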


#12 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 PM

Posted 04 September 2010 - 05:34 AM

Combofix reports the bootkit's demise.

Please run MBRCheck and post the log to double check this.



m0le is a proud member of UNITE

#13 caturday
  • Topic Starter
  • Members
  • 41 posts
  • Local time:12:37 AM

Posted 04 September 2010 - 09:09 AM

Here is that MBR check.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 117):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA328000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9E53000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E33000 fltMgr.sys
0xB9E21000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9E0A000 KSecDD.sys
0xB9D7D000 Ntfs.sys
0xB9D50000 NDIS.sys
0xB9D36000 Mup.sys
0xB8C24000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB8C10000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA390000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8BEC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA398000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8BC4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8B7D000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBA188000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8B4A000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA198000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB8ACF000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8AAC000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB9CCD000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9CC9000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA681000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8754000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA278000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA288000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA410000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8743000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA298000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA418000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA420000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8673000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA606000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB85ED000 \SystemRoot\system32\DRIVERS\update.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xA5D30000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA5D20000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA238E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA1E6F000 \SystemRoot\system32\drivers\sthda.sys
0xA1E4B000 \SystemRoot\system32\drivers\portcls.sys
0xA298C000 \SystemRoot\system32\drivers\drmk.sys
0xA1E2F000 \SystemRoot\system32\drivers\AESTAud.sys
0xA27D2000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xA2244000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA22AC000 \SystemRoot\System32\Drivers\Null.SYS
0xA2242000 \SystemRoot\System32\Drivers\Beep.SYS
0xA2939000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA2931000 \SystemRoot\System32\drivers\vga.sys
0xA2240000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA223E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA2929000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA2921000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA27CA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA1DFC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA1DA3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA1D7B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA1D55000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA297C000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA1D33000 \SystemRoot\System32\drivers\afd.sys
0xA296C000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA1D11000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xA2919000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA1CE6000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA1C76000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA295C000 \SystemRoot\System32\Drivers\Fips.SYS
0xA1C4B000 \SystemRoot\System32\Drivers\RTS5121.sys
0xA2373000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0x9CE34000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9BB64000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9C924000 \SystemRoot\System32\drivers\Dxapi.sys
0x9C783000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0x9BC39000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF297000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA2F8000 \SystemRoot\system32\DRIVERS\atmarpc.sys
0xA59B8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9BB0F000 \SystemRoot\system32\drivers\wdmaud.sys
0x9C479000 \SystemRoot\system32\drivers\sysaudio.sys
0x9BAC1000 \SystemRoot\system32\drivers\kmixer.sys
0x9B94C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9B84D000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA438000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
0x9AE04000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA5B6000 \SystemRoot\system32\drivers\splitter.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 66):
0 System Idle Process
4 System
628 C:\WINDOWS\system32\smss.exe
684 csrss.exe
708 C:\WINDOWS\system32\winlogon.exe
752 C:\WINDOWS\system32\services.exe
764 C:\WINDOWS\system32\lsass.exe
936 C:\WINDOWS\system32\svchost.exe
1004 svchost.exe
1100 C:\WINDOWS\system32\svchost.exe
1204 svchost.exe
1300 svchost.exe
1320 C:\WINDOWS\system32\WLTRYSVC.EXE
1340 C:\WINDOWS\system32\BCMWLTRY.EXE
1380 C:\WINDOWS\system32\spoolsv.exe
1448 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
1460 C:\drivers\audio\R215959\stacsv.exe
1848 C:\WINDOWS\system32\userinit.exe
1868 C:\WINDOWS\explorer.exe
1944 svchost.exe
1988 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
2000 C:\Program Files\Bonjour\mDNSResponder.exe
168 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
200 C:\Program Files\Java\jre6\bin\jqs.exe
424 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
528 C:\Program Files\DellTPad\Apoint.exe
536 C:\Program Files\IDT\WDM\sttray.exe
544 C:\WINDOWS\system32\AESTFltr.exe
560 C:\WINDOWS\system32\igfxtray.exe
584 C:\WINDOWS\system32\hkcmd.exe
644 C:\WINDOWS\system32\igfxpers.exe
660 C:\WINDOWS\system32\igfxsrvc.exe
688 C:\WINDOWS\system32\WLTRAY.EXE
832 C:\Program Files\Dell\QuickSet\quickset.exe
956 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
968 C:\Program Files\DellTPad\ApMsgFwd.exe
944 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
1568 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
1576 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1592 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
1260 C:\Program Files\DellTPad\ApntEx.exe
1680 C:\Program Files\iTunes\iTunesHelper.exe
1700 C:\Program Files\DellTPad\hidfind.exe
1748 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
1760 C:\Program Files\Logitech\QuickCam\Quickcam.exe
1912 C:\Program Files\Skype\Phone\Skype.exe
1528 C:\Program Files\Dell Support Center\gs_agent\dsc.exe
2068 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
2124 C:\WINDOWS\system32\ctfmon.exe
2212 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
2260 C:\WINDOWS\system32\svchost.exe
2332 wdfmgr.exe
2408 C:\WINDOWS\system32\searchindexer.exe
2612 C:\WINDOWS\system32\rundll32.exe
2708 C:\WINDOWS\system32\wuauclt.exe
2728 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
2844 wmiprvse.exe
2900 C:\WINDOWS\system32\wscntfy.exe
3376 C:\Program Files\iPod\bin\iPodService.exe
3792 alg.exe
3888 wmiprvse.exe
1280 C:\Program Files\Skype\Plugin Manager\skypePM.exe
2244 C:\WINDOWS\system32\searchprotocolhost.exe
2504 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
1800 searchfilterhost.exe
3324 C:\Documents and Settings\Jameson\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`04699200 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK2555GSX, Rev: FG000D

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
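
Added example, not from the thread and not MBRCheck's code: what the "Windows XP MBR code detected" line plus SHA1 above amounts to in practice. The check reads sector 0, confirms the 0x55AA signature, walks the four partition entries, hashes the boot-code area and compares it with an allowlist of known loaders, then looks for the layout oddities a bootkit leaves behind (no or several active partitions, entries that overlap). Assumptions: the hash is taken over the first 440 bytes (the code before the disk signature at 0x1B8); MBRCheck may hash a different span, so the allowlist here holds the hash of constructed stand-in code, not the SHA1 in the log. The partition layout is constructed too, echoing only the boot.ini detail that Windows boots from partition(2).

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 512
CODE_LEN = 440           # boot code occupies 0x000-0x1B7; the disk signature sits at 0x1B8
PART_TABLE = 446         # four 16-byte partition entries start at 0x1BE
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class Report:
    code_sha1: str
    code_label: Optional[str]
    partitions: List[Partition]
    findings: List[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        return "clean" if not self.findings else "suspicious"


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 over the code area only; the partition table is per-machine and is left out."""
    return hashlib.sha1(mbr[:CODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def check_mbr(mbr: bytes, allowlist: Dict[str, str]) -> Report:
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    sha1 = boot_code_sha1(mbr)
    report = Report(sha1, allowlist.get(sha1), parse_partitions(mbr))
    if mbr[510:] != BOOT_SIG:
        report.findings.append("0x55AA boot signature missing")
    if report.code_label is None:
        report.findings.append("boot code hash not in allowlist (unknown loader or bootkit)")
    active = [p for p in report.partitions if p.bootable]
    if len(active) != 1:
        report.findings.append(f"{len(active)} active partitions, expected exactly 1")
    # A hidden bootkit partition often shows up as an entry overlapping a real one.
    ordered = sorted(report.partitions, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sectors:
            report.findings.append(f"partitions {a.index} and {b.index} overlap")
    return report


def build_mbr(code: bytes, layout: List[Tuple[bool, int, int, int]], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector from boot code and (bootable, type, lba, count) tuples. Test data only."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    struct.pack_into("<I", sector, 0x1B8, disk_sig)
    for i, (boot, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE + 16 * i, 0x80 if boot else 0x00, ptype, lba, count)
    sector[510:] = BOOT_SIG
    return bytes(sector)


# Constructed stand-in for the Windows XP boot code (a few real-looking opcodes, then NOPs).
# A production allowlist would hold hashes of genuine loaders captured from known-clean disks.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * (CODE_LEN - 8)
ALLOWLIST = {boot_code_sha1(CLEAN_CODE): "constructed XP-style MBR"}
# Constructed layout echoing the thread's boot.ini: Windows boots from partition(2).
LAYOUT = [(False, 0xDE, 63, 204_800), (True, 0x07, 204_863, 487_000_000)]


def demo() -> Tuple[Report, Report, Report]:
    clean = build_mbr(CLEAN_CODE, LAYOUT)
    tampered = bytearray(clean)
    tampered[:4] = b"\xE9\x00\x01\x90"  # entry jump redirected, the classic bootkit patch
    hidden = build_mbr(CLEAN_CODE, LAYOUT + [(False, 0x17, 204_900, 2_048)])
    return check_mbr(clean, ALLOWLIST), check_mbr(bytes(tampered), ALLOWLIST), check_mbr(hidden, ALLOWLIST)


if __name__ == "__main__":
    for r in demo():
        print(r.status, r.code_sha1, r.code_label, r.findings)
```

On a live Windows box the sector would come from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator; the hash-only view is exactly why the reply above asks for a second tool after ComboFix, since a rootkit that filters disk reads can hand back a clean sector to one reader and not to another.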

#14 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 PM

Posted 04 September 2010 - 09:45 AM

Nice

Please run ESET's online scanner now
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#15 caturday
  • Topic Starter
  • Members
  • 41 posts
  • Local time:12:37 AM

Posted 04 September 2010 - 10:31 AM

Hey m0le,
Nothing was found with the ESET scan.



