ADWARE PROBLEM


  • This topic is locked
16 replies to this topic

#1 cthesage

cthesage

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:30 AM

Posted 31 August 2010 - 11:16 AM

I am having issues with adware. It first started as audio ads randomly playing, but now there are Google search [this is not my default search engine] and ads randomly opening in browser windows, one after another. I tried several different programs to get rid of the audio ads but nothing ever worked so I just ignored it the past few weeks. The windows opening randomly is too much. I ran SUPERAntiSpyware and Malwarebytes in safe mode this morning, but I am still having the same problems.


DDS (Ver_10-03-17.01) - NTFSX64
Run by moi at 11:23:27.55 on Tue 08/31/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1790.861 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Spyware Doctor\BDT\BDTUpdateService.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe
C:\Program Files (x86)\Spyware Doctor\pctsTray.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\SlySoft\AnyDVD\ADvdDiscHlp64.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\mdbg.exe
C:\Windows\System32\osk.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\Users\moi\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files (x86)\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\roboform.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files (x86)\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [AnyDVD] c:\program files (x86)\slysoft\anydvd\AnyDVDtray.exe
uRun: [RoboForm] "c:\program files (x86)\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files (x86)\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MDBG] c:\program files (x86)\common files\mdbg.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISTray] "c:\program files (x86)\spyware doctor\pctsTray.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files (x86)\picturemover\bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Customize Menu - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files (x86)\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files (x86)\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
BHO-X64: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO-X64: Windows Live Family Safety Browser Helper - No File
TB-X64: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [PC-Doctor for Windows localizer] c:\program files\pc-doctor for windows\localizer.exe
mRun-x64: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2010-8-30 233488]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-20 121936]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 173984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil64.sys [2010-2-17 12360]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore64.exe [2010-6-29 128752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-20 20048]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-7-20 61008]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\spyware doctor\bdt\BDTUpdateService.exe [2010-8-30 112592]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-7-28 14112]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\spyware doctor\pctsAuxs.exe [2010-8-30 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files (x86)\spyware doctor\pctsSvc.exe [2010-8-30 1142224]
R2 XMouseButton Launcher;XMouseButton Launcher;c:\program files\highresolution enterprises\x-mouse button control\XMouseButtonSvc.exe [2009-5-6 84480]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R3 USB_RNDIS_VISTA;Westell WireSpeed Dual Connect Modem;c:\windows\system32\drivers\usb8023.sys [2009-7-13 19968]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-7-20 61288]
S3 fsssvc;Windows Live Family Safety Service;c:\program files (x86)\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 40832]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-20 1255736]

=============== Created Last 30 ================

2010-08-31 14:31:49 0 d-----w- c:\program files (x86)\Trend Micro
2010-08-31 02:19:30 882 ----a-w- c:\windows\RegSDImport.xml
2010-08-31 02:19:30 879 ----a-w- c:\windows\RegISSImport.xml
2010-08-31 02:19:30 767952 ----a-w- c:\windows\BDTSupport.dll
2010-08-31 02:19:30 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-08-31 02:19:30 131 ----a-w- c:\windows\IDB.zip
2010-08-31 02:19:29 1152444 ----a-w- c:\windows\UDB.zip
2010-08-31 02:19:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-08-31 02:19:28 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-08-31 02:08:20 7357 ----a-w- c:\windows\system32\drivers\pctgntdi64.cat
2010-08-31 02:08:20 306648 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
2010-08-31 02:08:20 133072 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
2010-08-31 02:08:12 7353 ----a-w- c:\windows\system32\drivers\pctcore64.cat
2010-08-31 02:08:12 233488 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
2010-08-31 02:08:00 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
2010-08-31 02:08:00 7353 ----a-w- c:\windows\system32\drivers\pctplsg64.cat
2010-08-31 02:07:42 0 d-----w- c:\users\moi\appdata\roaming\PC Tools
2010-08-31 02:07:42 0 d-----w- c:\programdata\PC Tools
2010-08-31 02:07:42 0 d-----w- c:\program files (x86)\Spyware Doctor
2010-08-31 02:07:42 0 d-----w- c:\program files (x86)\common files\PC Tools
2010-08-31 02:02:01 0 d-----w- c:\users\moi\appdata\roaming\Malwarebytes
2010-08-31 02:01:51 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 02:01:51 0 d-----w- c:\programdata\Malwarebytes
2010-08-31 02:01:51 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-08-25 09:53:16 0 d-----w- c:\program files (x86)\Microsoft Antimalware
2010-08-25 09:53:12 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-25 06:24:53 861184 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-25 06:24:53 571904 ----a-w- c:\windows\syswow64\oleaut32.dll
2010-08-17 16:19:19 0 d-----w- c:\users\moi\appdata\roaming\HP Support Assistant
2010-08-17 16:19:17 0 d-----w- c:\users\moi\appdata\roaming\HpUpdate
2010-08-12 21:21:59 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 21:21:59 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 21:21:59 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-12 21:21:53 340992 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 21:21:53 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-08-12 21:18:24 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-12 21:17:58 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 21:17:58 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-08-12 21:17:57 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-08-12 21:13:16 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 21:13:16 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-08-12 21:13:14 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-08-12 21:13:11 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 21:13:08 1877504 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 21:13:07 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-08-10 14:41:35 0 d-----w- c:\users\moi\appdata\roaming\TweakNow RegCleaner
2010-08-10 14:41:35 0 d-----w- c:\program files (x86)\TweakNow RegCleaner
2010-08-05 09:31:15 0 d-----w- c:\program files (x86)\common files\PX Storage Engine
2010-08-05 09:31:05 0 d-----w- c:\program files\DivX
2010-08-05 09:15:08 0 d-----w- c:\program files (x86)\DivX
2010-08-05 09:14:11 0 d-----w- c:\programdata\DivX
2010-08-05 07:54:55 0 d-----w- c:\users\moi\appdata\roaming\SUPERAntiSpyware.com
2010-08-05 07:54:55 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-05 07:54:43 0 d-----w- c:\programdata\!SASCORE
2010-08-05 07:54:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-04 08:49:00 0 dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-03 08:18:19 12867584 ----a-w- c:\windows\syswow64\shell32.dll

==================== Find3M ====================

2010-08-25 09:36:11 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-08-25 09:35:18 88 --sh--r- c:\programdata\DE4B4AC649.sys
2010-08-15 14:56:14 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-07-22 11:37:32 125888 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-07-21 03:39:25 178800 ----a-w- c:\windows\syswow64\CmdLineExt_x64.dll
2010-07-21 03:28:35 834544 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-20 06:31:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-07-19 23:41:00 1675 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_BQ472AA-ABA CQ5500Y_YC_0Pres_Q4CE018_EA1NAv6PrA8_49_INARRA5_SPEGATRON CORPORATION_V5.00_B5.55_T091208_WUH0_L409_M1791_J500_7AMD_8Sempron 140_92.7_#_N10DE03EF_Z_G10DE03D0.MRK
2010-07-16 22:14:04 73728 ----a-w- c:\program files (x86)\common files\mdbg.exe
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57:12 165032 ----a-w- c:\windows\syswow64\aswBoot.exe
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:24:42.85 ===============


When I try to run GMER, I get c:\windows\system32\config\system: The system cannot find the file specified. There are only check boxes in Services, Registry and Files, c:\, and ADS. Once I hit scan I get a message that c:\windows\system32\config\system is unavailable because it is being used by another program. I hit OK and the scan says there are no modifications.

Attached Files
#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:30 AM

Posted 10 September 2010 - 08:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 cthesage

cthesage
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:30 AM

Posted 13 September 2010 - 06:19 PM

The Google popups have disappeared, but I still have the audio ads playing randomly.

DDS (Ver_10-03-17.01) - NTFSX64
Run by moi at 19:03:34.57 on Mon 09/13/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1790.837 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Common Files\mdbg.exe
C:\Program Files (x86)\SlySoft\AnyDVD\ADvdDiscHlp64.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\moi\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\roboform.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [AnyDVD] c:\program files (x86)\slysoft\anydvd\AnyDVDtray.exe
uRun: [RoboForm] "c:\program files (x86)\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files (x86)\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MDBG] c:\program files (x86)\common files\mdbg.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files (x86)\picturemover\bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Customize Menu - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files (x86)\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files (x86)\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
BHO-X64: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO-X64: Windows Live Family Safety Browser Helper - No File
TB-X64: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-20 121936]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 173984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil64.sys [2010-2-17 12360]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore64.exe [2010-6-29 128752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-20 20048]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-7-20 61008]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-7-28 14112]
R2 XMouseButton Launcher;XMouseButton Launcher;c:\program files\highresolution enterprises\x-mouse button control\XMouseButtonSvc.exe [2009-5-6 84480]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 40832]
R3 USB_RNDIS_VISTA;Westell WireSpeed Dual Connect Modem;c:\windows\system32\drivers\usb8023.sys [2009-7-13 19968]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-7-20 61288]
S3 fsssvc;Windows Live Family Safety Service;c:\program files (x86)\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-20 1255736]

=============== Created Last 30 ================

2010-08-31 14:31:49 0 d-----w- c:\program files (x86)\Trend Micro
2010-08-31 02:02:01 0 d-----w- c:\users\moi\appdata\roaming\Malwarebytes
2010-08-31 02:01:51 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 02:01:51 0 d-----w- c:\programdata\Malwarebytes
2010-08-31 02:01:51 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-08-25 09:53:16 0 d-----w- c:\program files (x86)\Microsoft Antimalware
2010-08-25 09:53:12 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-25 06:24:53 861184 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-25 06:24:53 571904 ----a-w- c:\windows\syswow64\oleaut32.dll
2010-08-17 16:19:19 0 d-----w- c:\users\moi\appdata\roaming\HP Support Assistant
2010-08-17 16:19:17 0 d-----w- c:\users\moi\appdata\roaming\HpUpdate

==================== Find3M ====================

2010-08-25 09:36:11 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-08-25 09:35:18 88 --sh--r- c:\programdata\DE4B4AC649.sys
2010-08-15 14:56:14 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-07-22 11:37:32 125888 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-07-21 03:39:25 178800 ----a-w- c:\windows\syswow64\CmdLineExt_x64.dll
2010-07-21 03:28:35 834544 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-20 06:31:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-07-19 23:41:00 1675 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_BQ472AA-ABA CQ5500Y_YC_0Pres_Q4CE018_EA1NAv6PrA8_49_INARRA5_SPEGATRON CORPORATION_V5.00_B5.55_T091208_WUH0_L409_M1791_J500_7AMD_8Sempron 140_92.7_#_N10DE03EF_Z_G10DE03D0.MRK
2010-07-16 22:14:04 73728 ----a-w- c:\program files (x86)\common files\mdbg.exe
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57:12 165032 ----a-w- c:\windows\syswow64\aswBoot.exe
2010-06-19 07:05:01 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 06:11:10 340992 ----a-w- c:\windows\system32\schannel.dll
2010-06-16 05:48:35 224256 ----a-w- c:\windows\syswow64\schannel.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:04:11.23 ===============



GMER still says no modifications found.

Thanks for the help. I am so tired of hearing about Nancy Grace and flu shots.

Attached Files


Edited by cthesage, 14 September 2010 - 03:37 AM.


#4 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:30 AM

Posted 18 September 2010 - 07:28 AM

Hello, cthesage.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!


P2P Warning and Request
The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow users to share files between one another, as the name suggests. In today's world, cybercrime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall, please refrain from using it until I let you know your computer is clean.

Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case TweakNow Reg Cleaner). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578

Step 1

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 cthesage

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Local time:06:30 AM

Posted 20 September 2010 - 07:14 AM

I uninstalled the BitTorrent and TweakNow. I am certain someone has downloaded malware onto my new computer, but no one will admit to it! My Windows Security Essentials removed a Win32 trojan, which is what was causing the Google windows, I think. I still have the annoying audio ads, though.

The MBRcheck has indeed found non-standard or infected MBR.

Thank you for your assistance.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: Compaq-Presario
System Product Name: BQ472AA-ABA CQ5500Y
Logical Drives Mask: 0x0000005c

Kernel Drivers (total 190):
0x02806000 \SystemRoot\system32\ntoskrnl.exe
0x02DE2000 \SystemRoot\system32\hal.dll
0x00B99000 \SystemRoot\system32\kdcom.dll
0x00CEE000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
0x00CFB000 \SystemRoot\system32\PSHED.dll
0x00D0F000 \SystemRoot\system32\CLFS.SYS
0x00C00000 \SystemRoot\system32\CI.dll
0x00E36000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EDA000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x01073000 \SystemRoot\System32\Drivers\spsh.sys
0x01199000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x011A2000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x01000000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x01057000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x01061000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00EE9000 \SystemRoot\system32\DRIVERS\pci.sys
0x011D1000 \SystemRoot\System32\drivers\partmgr.sys
0x011E6000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00F1C000 \SystemRoot\System32\drivers\volmgrx.sys
0x00F78000 \SystemRoot\System32\drivers\mountmgr.sys
0x00F92000 \SystemRoot\system32\DRIVERS\nvstor64.sys
0x00D6D000 \SystemRoot\system32\DRIVERS\storport.sys
0x00FD1000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x012B2000 \SystemRoot\system32\drivers\fltmgr.sys
0x012FE000 \SystemRoot\system32\drivers\fileinfo.sys
0x0143C000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01312000 \SystemRoot\System32\Drivers\msrpc.sys
0x015DF000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01370000 \SystemRoot\System32\Drivers\cng.sys
0x01400000 \SystemRoot\System32\drivers\pcw.sys
0x01411000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01663000 \SystemRoot\system32\drivers\ndis.sys
0x01755000 \SystemRoot\system32\drivers\NETIO.SYS
0x017B5000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01801000 \SystemRoot\System32\drivers\tcpip.sys
0x01600000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01200000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x0164A000 \SystemRoot\System32\Drivers\spldr.sys
0x0124C000 \SystemRoot\System32\drivers\rdyboost.sys
0x017E0000 \SystemRoot\System32\Drivers\mup.sys
0x017F2000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01AA3000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01ADD000 \SystemRoot\system32\DRIVERS\disk.sys
0x01AF3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01B8D000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x01BB7000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x01BE4000 \SystemRoot\System32\Drivers\Null.SYS
0x01BED000 \SystemRoot\System32\Drivers\Beep.SYS
0x01A00000 \SystemRoot\System32\drivers\vga.sys
0x01A0E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x01A33000 \SystemRoot\System32\drivers\watchdog.sys
0x01A43000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x01A4C000 \SystemRoot\system32\drivers\rdpencdd.sys
0x01A55000 \SystemRoot\system32\drivers\rdprefmp.sys
0x01A5E000 \SystemRoot\System32\Drivers\Msfs.SYS
0x01A69000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01A7A000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01652000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x0141B000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x02EF9000 \SystemRoot\system32\drivers\afd.sys
0x02F83000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x02F8D000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02FD2000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02E00000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02E26000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02E35000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02E50000 \SystemRoot\system32\DRIVERS\termdd.sys
0x02E64000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
0x02E6E000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
0x02E78000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x02EC9000 \SystemRoot\system32\drivers\nsiproxy.sys
0x02ED5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x02EE0000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0x02FDB000 \SystemRoot\System32\drivers\discache.sys
0x01286000 \SystemRoot\System32\Drivers\dfsc.sys
0x02FEA000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x00FDC000 \SystemRoot\System32\Drivers\aswSP.SYS
0x00E00000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x013E3000 \SystemRoot\system32\DRIVERS\amdppm.sys
0x02EEB000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x03EF9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x03F4F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x03F60000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x03F84000 \SystemRoot\system32\DRIVERS\nvmf6264.sys
0x03FD6000 \SystemRoot\System32\Drivers\AnyDVD.sys
0x04A5D000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x0555B000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x03E00000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0555D000 \SystemRoot\System32\drivers\dxgmms1.sys
0x055A3000 \SystemRoot\System32\Drivers\aimuu09o.SYS
0x055E8000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x04A00000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04A16000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04A3A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x00DCF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x00CC0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0400D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0402E000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x04048000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x04057000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04066000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04068000 \SystemRoot\system32\DRIVERS\ks.sys
0x040AB000 \SystemRoot\system32\DRIVERS\umbus.sys
0x040BD000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04117000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x03802000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x0412C000 \SystemRoot\system32\drivers\portcls.sys
0x04169000 \SystemRoot\system32\drivers\drmk.sys
0x039EA000 \SystemRoot\system32\drivers\ksthunk.sys
0x0418B000 \SystemRoot\system32\DRIVERS\udfs.sys
0x039F0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x041DF000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x01B23000 \SystemRoot\System32\Drivers\dump_nvstor64.sys
0x041E9000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x000F0000 \SystemRoot\System32\win32k.sys
0x04000000 \SystemRoot\System32\drivers\Dxapi.sys
0x04A46000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00560000 \SystemRoot\System32\TSDDD.dll
0x01B62000 \SystemRoot\system32\DRIVERS\usb8023.sys
0x039FE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x01B6C000 \SystemRoot\system32\DRIVERS\RNDISMP.SYS
0x00630000 \SystemRoot\System32\cdd.dll
0x01B7B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x0209F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x020B8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x020C1000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0x020D6000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x020E3000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0x00860000 \SystemRoot\System32\ATMFD.DLL
0x020F7000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x02114000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x02122000 \SystemRoot\system32\drivers\luafv.sys
0x02145000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x0215F000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x02168000 \SystemRoot\system32\drivers\WudfPf.sys
0x02189000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x0219E000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x04894000 \SystemRoot\system32\drivers\HTTP.sys
0x0495C000 \SystemRoot\system32\DRIVERS\bowser.sys
0x0497A000 \SystemRoot\System32\drivers\mpsdrv.sys
0x04992000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x04800000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x0484E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x05880000 \SystemRoot\system32\drivers\peauth.sys
0x05926000 \??\C:\Windows\system32\drivers\regi.sys
0x0592E000 \SystemRoot\System32\Drivers\secdrv.SYS
0x05939000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x05966000 \SystemRoot\System32\drivers\tcpipreg.sys
0x05978000 \SystemRoot\System32\DRIVERS\srv2.sys
0x02000000 \SystemRoot\System32\DRIVERS\srv.sys
0x05800000 \SystemRoot\system32\drivers\spsys.sys
0x77AF0000 \Windows\System32\ntdll.dll
0x47F60000 \Windows\System32\smss.exe
0xFFE10000 \Windows\System32\apisetschema.dll
0xFFB80000 \Windows\System32\autochk.exe
0x77CC0000 \Windows\System32\normaliz.dll
0xFFD80000 \Windows\System32\difxapi.dll
0xFFBA0000 \Windows\System32\setupapi.dll
0xFFAC0000 \Windows\System32\oleaut32.dll
0xFFAA0000 \Windows\System32\imagehlp.dll
0xFF990000 \Windows\System32\msctf.dll
0xFF730000 \Windows\System32\iertutil.dll
0xFF720000 \Windows\System32\lpk.dll
0xFF6B0000 \Windows\System32\gdi32.dll
0xFF580000 \Windows\System32\wininet.dll
0xFF4E0000 \Windows\System32\clbcatq.dll
0xFF4C0000 \Windows\System32\sechost.dll
0xFF340000 \Windows\System32\urlmon.dll
0xFF2A0000 \Windows\System32\msvcrt.dll
0xFF090000 \Windows\System32\ole32.dll
0x779F0000 \Windows\System32\user32.dll
0xFEFB0000 \Windows\System32\advapi32.dll
0xFEE80000 \Windows\System32\rpcrt4.dll
0xFE0F0000 \Windows\System32\shell32.dll
0x77CB0000 \Windows\System32\psapi.dll
0x778D0000 \Windows\System32\kernel32.dll
0xFE0C0000 \Windows\System32\imm32.dll
0xFE0B0000 \Windows\System32\nsi.dll
0xFE030000 \Windows\System32\shlwapi.dll
0xFDFE0000 \Windows\System32\ws2_32.dll
0xFDF40000 \Windows\System32\comdlg32.dll
0xFDE70000 \Windows\System32\usp10.dll
0xFDE20000 \Windows\System32\Wldap32.dll
0xFDDE0000 \Windows\System32\wintrust.dll
0xFDD70000 \Windows\System32\KernelBase.dll
0xFDD30000 \Windows\System32\cfgmgr32.dll
0xFDD10000 \Windows\System32\devobj.dll
0xFDBA0000 \Windows\System32\crypt32.dll
0xFDB00000 \Windows\System32\comctl32.dll
0xFDAF0000 \Windows\System32\msasn1.dll

Processes (total 67):
0 System Idle Process
4 System
284 C:\Windows\System32\smss.exe
428 csrss.exe
484 C:\Windows\System32\wininit.exe
496 csrss.exe
544 C:\Windows\System32\services.exe
576 C:\Windows\System32\lsass.exe
584 C:\Windows\System32\lsm.exe
592 C:\Windows\System32\winlogon.exe
716 C:\Windows\System32\svchost.exe
792 C:\Windows\System32\nvvsvc.exe
820 C:\Windows\System32\svchost.exe
872 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
956 C:\Windows\System32\svchost.exe
1020 C:\Windows\System32\svchost.exe
332 C:\Windows\System32\svchost.exe
320 C:\Windows\System32\audiodg.exe
1088 C:\Windows\System32\svchost.exe
1152 C:\Windows\System32\nvvsvc.exe
1248 C:\Windows\System32\svchost.exe
1340 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1416 C:\Windows\System32\dwm.exe
1428 C:\Windows\explorer.exe
1544 C:\Program Files\Logitech\SetPointP\SetPoint.exe
1552 C:\Program Files\Microsoft Security Essentials\msseces.exe
1560 C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
1568 C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
1584 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
1600 C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
1668 C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
1676 C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
1684 C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
1704 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1712 C:\Program Files (x86)\Common Files\mdbg.exe
1772 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
1996 C:\Program Files (x86)\SlySoft\AnyDVD\ADvdDiscHlp64.exe
848 C:\Windows\System32\conhost.exe
2252 C:\Windows\System32\spoolsv.exe
2288 C:\Windows\System32\svchost.exe
2344 C:\Windows\System32\taskhost.exe
2448 C:\Program Files\SUPERAntiSpyware\SASCore64.exe
2488 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
2544 C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
2600 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2812 C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe
3040 C:\Windows\System32\SearchIndexer.exe
2596 C:\Windows\System32\svchost.exe
2700 C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
3452 C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
3552 C:\Windows\System32\svchost.exe
3672 C:\Windows\System32\svchost.exe
3856 C:\Program Files\Windows Media Player\wmpnetwk.exe
3292 WmiPrvSE.exe
644 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
2848 C:\Windows\System32\sppsvc.exe
700 C:\Program Files\Windows Media Player\wmprph.exe
3296 C:\Windows\servicing\TrustedInstaller.exe
1976 C:\Program Files (x86)\Internet Explorer\iexplore.exe
1232 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3264 C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10c.exe
3612 C:\Program Files (x86)\Internet Explorer\iexplore.exe
2180 C:\Windows\System32\SearchProtocolHost.exe
892 C:\Windows\System32\SearchFilterHost.exe
1820 C:\Users\moi\Desktop\MBRCheck.exe
3868 C:\Windows\System32\conhost.exe
4016 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000071`f7800000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD502HJ, Rev: 1AJ1

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 014B3F67BEA156A4A6F7B1E9F98CC1704D06F7AD


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#6 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:30 AM

Posted 20 September 2010 - 05:34 PM

OK, non-standard MBR is an unknown...not a positive infected detection, but audio ads are a very common symptom of the Whistler rootkit. Before we replace it, let's do two things.

First, does your computer have a recovery partition? If we overwrite the MBR you won't be able to access it...of course if it is infected, you may have already lost it.

Second, let's run an online scan for a quick look at other files.

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 cthesage

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Local time:06:30 AM

Posted 20 September 2010 - 11:57 PM

This computer does have a recovery partition.

The scan found nothing. There was a message that the online scan was for a 32-bit OS. I had to dl the 32-bit Java in order for it to run.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 21, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 20, 2010 22:35:50
Records in database: 4232702
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 145255
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:39:04

No threats found. Scanned area is clean.

Selected area has been scanned.


#8 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:30 AM

Posted 21 September 2010 - 06:22 PM

Hello, cthesage.
OK...decision point. The MBR does appear infected as you are complaining about audio ads. However, you will lose the recovery partition if we do that. You may want to dig out your instruction book for the recovery partition and see if you can get into it. Don't wipe your drive or reimage it (unless you'd rather start fresh which may be smart), but ensure you can boot to it.

In the interim, can you please dump your MBR? Please also let me know what brand and model you have.


  • Please download mbr.exe and save it to your Desktop.
  • Open NOTEPAD and copy/paste the text in the quotebox below into it:
    CODE
    @ECHO OFF
    REM Put a copy of mbr.exe in C:\Windows so the bare "MBR" below is found via PATH
    copy "%userprofile%\Desktop\mbr.exe" C:\windows\mbr.exe
    REM Work from the folder this batch file lives in (the desktop)
    CD "%~DP0"
    REM Ask mbr.exe to dump the MBR of disk 0 into a zip on the desktop
    REM (the tool also writes its own text log next to it)
    MBR -c 0 1 "%userprofile%\Desktop\backup_mbr.zip"
    REM Delete this batch file once it has run, which is why it disappears
    DEL %0

  • Save this as "MBRDump.bat" and select All files for Save As Type. Save it to your desktop.
  • Double-click mbrdump.bat to run it. (For Windows Vista or 7, right click, select run as administrator)
  • Attach backup_mbr.zip that appears on your desktop to your reply here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 cthesage

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Local time:06:30 AM

Posted 21 September 2010 - 07:56 PM

Let's proceed. I would rather not wipe it. I do have recovery disks. This is a Compaq Presario BQ472AA-ABA CQ5500Y. When I run MBRDump.bat it creates mbr text file which reads:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net


Edited by cthesage, 21 September 2010 - 08:09 PM.


#10 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:30 AM

Posted 22 September 2010 - 05:00 PM

If you have recovery disks, we can replace the MBR which is the likely source of infection. Is that how you want to proceed?

Separately, there should be a new ZIP file besides the EXE file on your desktop named: backup_mbr.zip Can you please attach that file to your reply?





#11 cthesage

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Local time:06:30 AM

Posted 22 September 2010 - 09:08 PM

I went through the instructions several times and did not get a zip file. I searched and could not find it elsewhere. Not sure how I could misinterpret the instructions - they're fairly straightforward - but it is possible. I will try it again.

If replacing the MBR with recovery disks will get rid of the ads I am willing to try it. Thanks.



#12 cthesage

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Local time:06:30 AM

Posted 23 September 2010 - 05:11 AM

I tried several dozen more times to get your zip file, to no avail. I dl'd mbr.exe to desktop. I pasted the code inside the box into a text file, saved as MBRDump.bat, all files, to desktop, right-click run as administrator. MBRDump disappears and mbr appears below it. What am I missing? Either it or my brain is not working correctly.

I attempted to boot from the recovery partition, just to see what would happen; it just restarted to the recovery manager. I also located my system recovery disks and the first one goes to the recovery manager and the other 2 are not recognized at all. I also have a system repair disk. Out of curiosity, I tried to create new recovery and repair disks - does not work. I still get the audio, 2 or 3 times a day - mucinex and what sounds like middle eastern news. I want my computer back!


#13 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:30 AM

Posted 23 September 2010 - 08:18 PM


OK, here are our choices.

1. Use the recovery partition to wipe your computer back to a fresh state (after backup). This is the only way to know your computer is clean.
2. Use a tool to overwrite your MBR which will likely make the system recovery partition not able to be found.

Which do you want to proceed with? Personally, I would recommend 1. I do believe option 2 would likely fix it, but if you encounter issues later, you don't have a disk to reinstall Windows or restore your computer. I can help you either way.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#14 cthesage

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Local time:06:30 AM

Posted 23 September 2010 - 09:08 PM

I would like to try option 2. I can order recovery disks from HP later if need be. Thanks for your help so far.

#15 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:30 AM

Posted 24 September 2010 - 01:00 PM

First, backup any important files. Only backup documents and media, not programs (.exe, .scr, .pif, .bat, .com, etc.) nor system files (.sys, .dll, or anything in c:\windows) to minimize any chance of infection carrying over.

Next, run MBRCheck again.

After it finds the nonstandard MBR, type Y and press Enter for more options.
Type 2 and press Enter to restore the MBR.
Type the number 0 and press Enter for PhysicalDrive0.
Type 5 and press Enter to select the Windows 7 MBR to match your operating system.
Type YES and press Enter to confirm.

You should see this at the end:
QUOTE
Successfully wrote new MBR code!


Done! Press ENTER to exit...


Exit that and reboot. Are the audio ads gone?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

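To make concrete what MBRCheck reported in post #5 ("Unknown MBR code" plus a SHA1, and the volume-to-offset lines) and what the "restore the MBR" step in post #15 actually changes on disk, here is an added example. It is not part of the thread and is not the code of MBRCheck, mbr.exe or GMER; it is a small Python script that runs on a 512-byte MBR image constructed in memory. Assumptions, beyond what the thread shows: the hash is taken over the 440-byte boot-code region (MBRCheck does not document what it hashes), the known-good hash table is deliberately left empty because the thread only ever shows the hash of the unknown code, the stub boot code is a few bytes of x86 and not Windows' real code, and the partition sizes plus the 100 MiB System Reserved entry are invented to fit the two offsets MBRCheck printed (C: at 0x06500000, D: at 0x71F7800000).

```python
"""Offline MBR inspection and boot-code replacement (added example for this
thread; not the code of MBRCheck, mbr.exe or GMER). Works on a 512-byte image
constructed in memory so it runs anywhere."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511

# Allow-list of clean boot-code hashes (ASSUMPTION: SHA-1 of the 440-byte boot
# code). Left empty: the thread shows only the hash of the unknown code, never
# a known-good one. Fill from a trusted disk; empty => "Unknown MBR code".
KNOWN_BOOT_CODE = {}

# Constructed stub boot code (xor ax,ax / mov ss,ax / mov sp,7C00h / jmp $),
# not Windows' MBR code; it only gives the image something to hash.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xeb\xfe"

# Start LBAs reproduce the volume offsets MBRCheck printed (C: at 0x06500000,
# D: at 0x71F7800000 bytes); the System Reserved entry and sizes are assumed.
SAMPLE_PARTITIONS = [                      # (bootable, type, start LBA, sectors)
    (True,  0x07, 2048,      204800),      # System Reserved, 100 MiB
    (False, 0x07, 206848,    955815936),   # C:
    (False, 0x07, 956022784, 20750384),    # D: (OEM recovery partition)
]
OS_REPORTED_OFFSETS = [0x06500000, 0x71F7800000]   # from the MBRCheck output

def build_sample_mbr(boot_code, disk_sig, partitions):
    """Assemble a 512-byte MBR image; CHS fields are left zero."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        img[off] = 0x80 if bootable else 0x00            # status byte
        img[off + 4] = ptype                             # partition type
        struct.pack_into("<II", img, off + 8, start, count)  # LBA start, size
    img[510:512] = BOOT_SIG
    return bytes(img)

def parse_mbr(img):
    """Validate the boot signature and decode the partition table."""
    if len(img) != SECTOR or img[510:512] != BOOT_SIG:
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA, size
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", img, PART_TABLE_OFF + 16 * i)
        if ptype:                                        # 0 = empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count,
                          "byte_offset": start * SECTOR})
    return {"boot_code_sha1": hashlib.sha1(img[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
            "partitions": parts}

def classify_boot_code(info):
    """Name the boot code if its hash is on the allow-list, as MBRCheck does."""
    return KNOWN_BOOT_CODE.get(info["boot_code_sha1"], "Unknown MBR code")

def volumes_match_table(info, os_reported_offsets):
    """Every volume offset the OS reports must be a partition start in the
    table we read; a miss means the sector we were handed is not the one the
    machine boots from (e.g. a bootkit filtering reads of sector 0)."""
    starts = {p["byte_offset"] for p in info["partitions"]}
    return all(off in starts for off in os_reported_offsets)

def replace_boot_code(img, new_code):
    """What an MBR 'restore' does: rewrite bytes 0..439 only. Disk signature
    and partition table survive, so the recovery partition stays on disk;
    any OEM boot hook living in the old code does not."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code exceeds 440 bytes")
    out = bytearray(img)
    out[:BOOT_CODE_LEN] = new_code.ljust(BOOT_CODE_LEN, b"\x00")
    return bytes(out)

def demo():
    """Run the checks on the constructed image and return the findings."""
    img = build_sample_mbr(SAMPLE_BOOT_CODE, 0x2C4D5E6F, SAMPLE_PARTITIONS)
    before = parse_mbr(img)
    after = parse_mbr(replace_boot_code(img, b"\xeb\xfe"))   # stand-in clean code
    return {"verdict": classify_boot_code(before),
            "boot_code_sha1": before["boot_code_sha1"],
            "volumes_consistent": volumes_match_table(before, OS_REPORTED_OFFSETS),
            "partition_table_kept": after["partitions"] == before["partitions"]
                                    and after["disk_signature"] == before["disk_signature"],
            "boot_code_changed": after["boot_code_sha1"] != before["boot_code_sha1"]}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points this makes that the thread only implies. First, "Unknown MBR code" is exactly what an empty or incomplete allow-list produces: it is a hash miss, not a detection, which is why etavares treated it as a lead rather than proof. Second, the restore step only rewrites the boot-code bytes; the partition table (and with it the D: recovery partition) is left alone, so what is lost is any OEM boot-time hook that lived in the old code, not the partition's data. On a live Windows machine the same 512 bytes can be read, as administrator, from \\.\PhysicalDrive0; but if a bootkit is filtering disk reads, the running OS may hand back a clean-looking copy, so a sector read from offline boot media is the one to trust. The cross-check in volumes_match_table is a cheap way to notice that kind of mismatch.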



