TechSpot

Another "congratulations, you won" sound-bite virus

By Verdict
Aug 10, 2010
  1. Good day everyone,
    let me start off by saying that this computer (a small Acer laptop) was recently infected (how, I honestly don't know) with the Antivir Solution Pro virus, but I believe I got all of it. Now, I am stuck with an annoying malware/adware kind of issue, which plays different sound bites at random intervals, usually "Congratulations, You Won". I've checked the processes at the time of the sound playing, but I honestly couldn't identify which process it was. Do note that this happens with all programs closed as well, so it doesn't seem browser related. Also, less frequently (not sure if it is actually the same thing), popups appear through Internet Explorer, which I don't even use, advertising things like emoticons.
    I followed the 8-step guide, but after scanning with GMER, saving the log actually freezes the process, so I am unable to save the log. It didn't come up with any warnings, though. I tried without devices checked and in safe mode, for the record.
    I have scanned the computer with my antivirus (Avira), MBAM, SUPERAntiSpyware and Spybot S&D, and immunized with Spybot as well as SpywareBlaster. Apart from some tracking cookies, I came across nothing. Uploading a HJT log to one of those analysis websites told me some files were CoolWebSearch files, but I figured I'd post here first. The scans I did were full scans, not quick scans, by the way. Well, here are all those logs requested in the 8-step guide, apart from the GMER one as stated above. I have attached the Attach file from DDS, because the post was too long.

    --

    mbam-log-2010-08-10 (16-09-35)

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4363

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/10/2010 4:09:35 PM
    mbam-log-2010-08-10 (16-09-35).txt

    Scan type: Quick scan
    Objects scanned: 136726
    Time elapsed: 8 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    --

    DDS


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by ihu at 22:18:57.65 on Tue 08/10/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.514 [GMT 2:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    svchost.exe 4
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    svchost.exe 4
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1108&m=aoa150
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [LaunchApp] Alaunch
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
    mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
    mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227717327062
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\ihu\applic~1\mozilla\firefox\profiles\o5x6izb9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.startpagina.nl/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-28 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-28 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-28 56816]
    R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]
    S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
    S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-11-26 96856]

    =============== Created Last 30 ================

    2010-08-10 13:34:56 0 d-----w- c:\program files\Trend Micro
    2010-08-02 20:09:02 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-07-30 20:11:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
    2010-07-30 19:27:45 0 d-----w- c:\windows\system32\XPSViewer
    2010-07-30 19:26:52 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-07-30 19:26:52 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-07-30 19:26:52 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-07-30 19:26:52 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-07-30 19:26:52 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-07-30 19:26:51 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-07-30 19:26:51 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-07-30 19:26:51 0 d-----w- C:\611901af9b6ea6ebfbdf
    2010-07-30 19:17:37 0 d-sh--w- c:\documents and settings\ihu\IETldCache
    2010-07-30 18:44:12 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-07-30 18:44:11 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-07-30 18:44:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-07-30 18:44:10 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-07-30 18:44:09 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-07-30 18:44:09 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-07-30 18:44:09 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-07-30 18:43:55 0 d-----w- c:\windows\ie8updates
    2010-07-30 18:43:46 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-07-30 18:40:06 0 dc-h--w- c:\windows\ie8
    2010-07-30 18:04:59 0 d-----w- c:\docume~1\ihu\applic~1\SafeReturner
    2010-07-30 18:04:53 0 d-----w- c:\program files\Safe Returner
    2010-07-30 17:49:07 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-30 17:30:25 0 d-----w- c:\program files\CCleaner
    2010-07-30 15:37:45 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2010-07-30 15:37:45 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2010-07-30 15:28:46 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-07-30 14:58:22 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-07-30 14:58:21 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-07-30 14:58:20 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-07-30 14:38:42 2560 ------w- c:\windows\system32\xpsp4res.dll
    2010-07-30 14:30:57 0 d-----w- c:\windows\system32\PreInstall
    2010-07-30 04:07:35 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-30 04:07:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-07-30 04:01:44 0 d-----w- c:\program files\SpywareBlaster
    2010-07-30 03:59:27 0 d-s---w- C:\ComboFix
    2010-07-30 03:54:53 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-07-30 03:54:53 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-07-30 03:54:53 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-07-30 03:18:53 0 d-sha-r- C:\cmdcons
    2010-07-30 03:17:00 77312 ----a-w- c:\windows\MBR.exe
    2010-07-30 03:16:59 98816 ----a-w- c:\windows\sed.exe
    2010-07-30 03:16:59 256512 ----a-w- c:\windows\PEV.exe
    2010-07-30 03:16:59 161792 ----a-w- c:\windows\SWREG.exe
    2010-07-30 02:35:57 0 d-----w- c:\docume~1\ihu\applic~1\SUPERAntiSpyware.com
    2010-07-30 02:35:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-07-30 02:35:40 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-07-28 14:59:57 0 d-----w- c:\docume~1\ihu\applic~1\Malwarebytes
    2010-07-28 14:59:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-28 14:59:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-28 14:59:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-07-28 14:59:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-28 14:10:58 0 d-----w- c:\windows\pss

    ==================== Find3M ====================

    2008-08-15 17:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2008-11-27 05:09:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112620081127\index.dat

    ============= FINISH: 22:20:02.39 ===============


    --

    Thanks in advance!
  2. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    ====

    MBA-M is out-of-date. Please update it and re-run and post the log.

    =========

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  3. Verdict

    Verdict TS Rookie Topic Starter

    Stupid of me not to update. It found another registry key from that rogue virus, but I somehow doubt that's the solution.

    Here's the log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4415

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/10/2010 11:21:33 PM
    mbam-log-2010-08-10 (23-21-33).txt

    Scan type: Quick scan
    Objects scanned: 139333
    Time elapsed: 9 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    --


    and the text from remover.exe:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`384c7a00
    Boot sector MD5 is: 5f7721761f677686b557a8f39cb31ec5

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
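    To make the Bootkit Remover output above concrete, here is an added example (my own code, not from the thread or from eSage Lab) that inspects a 512-byte master boot record the way a bootkit scanner does: it checks the 0x55AA signature, hashes the boot-code area, decodes the partition table, and turns a partition's starting LBA into the byte offset that remover.exe prints. The sector it analyses is constructed here, not dumped from the laptop: the boot-code area is NOP padding, the partition layout (hidden recovery partition first, active NTFS volume second) is an assumption, and the second partition's LBA is chosen so that its offset reproduces the 0x1384c7a00 from the log. The "known good" hash set is a placeholder for whatever reference list a real scanner carries; the tool's own check is not reproduced.

```python
"""Inspect a 512-byte master boot record the way a bootkit scanner does.

Added example, not code from the thread or from eSage Lab.  The sector it
analyses is constructed below: the boot-code area is NOP padding and the
partition layout is an assumption chosen so that the system volume's byte
offset reproduces the 0x1384c7a00 printed by Bootkit Remover.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot loader code (what a bootkit overwrites)
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "num_sectors": num_sectors}


def parse_mbr(sector: bytes) -> dict:
    """Return signature check, boot-code hash, whole-sector hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        # Hashing only the code area lets you compare against a clean reference
        # even when the partition table differs between machines.
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0x00],
    }


def volume_offset(lba_start: int, sector_size: int = SECTOR_SIZE) -> int:
    """Byte offset of a partition on the physical drive (the value remover.exe prints)."""
    return lba_start * sector_size


def classify_boot_code(boot_code_md5: str, known_good: set) -> str:
    """Whitelist check; known_good is the caller's reference list (placeholder here)."""
    return "OK (known boot code)" if boot_code_md5 in known_good else "Unknown boot code"


def build_sample_mbr() -> bytes:
    """Constructed MBR: hidden recovery partition first, active NTFS system volume second."""
    def entry(status, ptype, lba, count):
        return struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    boot_code = b"\x90" * BOOT_CODE_LEN                     # placeholder, not real boot code
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"  # NT disk signature + reserved bytes
    table = (entry(0x00, 0x27, 2048, 0x9C263D - 2048)       # hidden recovery (type 0x27), assumed
             + entry(0x80, 0x07, 0x9C263D, 302_000_000)     # active NTFS; 0x9C263D * 512 = 0x1384c7a00
             + b"\x00" * 32)                                # two unused entries
    return boot_code + disk_sig + table + MBR_SIGNATURE


if __name__ == "__main__":
    report = parse_mbr(build_sample_mbr())
    print("signature ok:", report["signature_ok"])
    print("boot code md5:", report["boot_code_md5"])
    for p in report["partitions"]:
        print(f"type 0x{p['type']:02x} bootable={p['bootable']} "
              f"LBA {p['lba_start']} -> offset 0x{volume_offset(p['lba_start']):x}")
    print(classify_boot_code(report["boot_code_md5"], known_good=set()))
```

    On a real machine you would feed parse_mbr the first 512 bytes read from \\.\PhysicalDrive0 (administrator rights required) instead of build_sample_mbr(), and compare the boot-code hash before and after a fix, exactly as the two remover.exe runs in this thread show the sector hash changing once the MBR was rewritten.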
  4. crunchie

    crunchie Malware Helper Posts: 728

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    REM Rewrite the MBR boot code of the first physical disk (remover.exe must sit in the same folder as this batch file)
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.

    Reboot and let me know how things are.
     
  5. Verdict

    Verdict TS Rookie Topic Starter

    The output is located below. As I am located in Europe (GMT+1), I will be going to bed shortly. As these sounds happen on random intervals, I was wondering, is there a simple technique to record system output as if it were, say, input from a microphone? If it is complicated, forget about it, I'll have to see tomorrow. If not, it would probably be a good test to be able to monitor the computer overnight. On a side note, I ran a full scan with MBAM after the update, didn't come up with anything.
    Thanks again for the quick replies thus far!

    ---


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`384c7a00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  6. crunchie

    crunchie Malware Helper Posts: 728

    Not sure how you would rig something up. Just use it as normal for a while and see how it is :).
     