Advertisements without having a window open

hi there, I'm having a big problem with my computer, it is a windows 7 home premium and almost every 2 or 3 minutes i can hear Advertisements without having a window open... could anyone help me?? by the way i have Superantispyware, AVG and Norton internet security. please help me!!! i hate these advertisements!!!

Welcome to GeekPolice Forums! I'm Crush but, you can call me Chris too and I will be helping you with your Malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries

3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.

---

IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly .

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click , then click Preferences. Make sure Always notify me of replies is set to Yes

---

With that out of the way:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Here's the log. Now what do I do, Crush?
ComboFix 10-07-27.05 - Eric 07/28/2010 21:25:02.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3326.2359 [GMT -5:00]
Running from: c:\users\Eric\Desktop\commy.exe
Command switches used :: /stepdel
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\system32\%appdata%\Microsoft\Windows\IETldCache\index.dat

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-29 02:22 . 2010-07-29 02:23 -------- d-----w- C:\32788R22FWJFW
2010-07-28 20:18 . 2010-07-28 20:18 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes
2010-07-28 20:18 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 20:18 . 2010-07-28 20:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 20:18 . 2010-07-28 20:18 -------- d-----w- c:\programdata\Malwarebytes
2010-07-28 20:18 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 15:38 . 2010-07-28 15:38 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 15:37 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 01:06 . 2010-07-25 01:06 -------- d-----w- c:\program files\ESET
2010-07-24 23:12 . 2010-07-28 03:11 63488 ----a-w- c:\users\Eric\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-24 23:12 . 2010-07-24 23:12 52224 ----a-w- c:\users\Eric\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-24 23:12 . 2010-07-28 03:11 117760 ----a-w- c:\users\Eric\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-24 23:12 . 2010-07-24 23:12 -------- d-----w- c:\users\Eric\AppData\Roaming\SUPERAntiSpyware.com
2010-07-24 23:12 . 2010-07-24 23:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-07-24 23:12 . 2010-07-24 23:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-24 22:11 . 2010-04-19 15:25 2117704 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2010-07-24 21:02 . 2010-07-24 21:02 921440 ----a-w- c:\programdata\avg9\update\backup\avgemc.exe
2010-07-24 21:02 . 2010-07-24 21:02 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-24 21:02 . 2010-07-24 21:02 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-07-24 21:02 . 2010-07-24 21:02 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2010-07-24 20:59 . 2010-07-24 20:59 -------- d-----w- C:\$AVG
2010-07-24 20:37 . 2010-07-24 20:37 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-24 20:37 . 2010-07-24 20:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-24 20:37 . 2010-07-24 20:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-24 20:37 . 2010-07-29 01:58 -------- d-----w- c:\windows\system32\drivers\Avg
2010-07-24 20:37 . 2010-07-24 20:37 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-24 20:37 . 2010-07-24 22:11 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-07-24 20:34 . 2010-07-24 20:34 -------- d-----w- c:\programdata\avg9
2010-07-20 02:58 . 2010-07-20 02:58 -------- d-----w- c:\programdata\Nexon
2010-07-20 01:48 . 2010-07-20 01:48 -------- d-----w- c:\program files\MSN Toolbar
2010-07-20 01:48 . 2010-07-20 01:48 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2010-07-20 01:48 . 2010-07-20 01:49 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-07-19 05:21 . 2010-07-20 01:38 98304 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-07-19 05:21 . 2010-07-20 01:38 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2010-07-19 05:21 . 2010-07-20 01:38 126976 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2010-07-19 05:21 . 2010-07-20 02:58 -------- d-----w- c:\programdata\NexonUS
2010-07-19 05:21 . 2010-07-20 01:38 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-07-19 05:21 . 2010-07-20 01:38 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2010-07-19 05:21 . 2010-07-20 01:38 172032 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2010-07-12 15:54 . 2010-07-13 15:41 -------- d-----w- c:\users\Eric\AppData\Local\Sony
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\users\Eric\Podcasts
2010-07-12 15:53 . 2010-07-12 16:08 -------- d-----w- c:\program files\Common Files\Sony Shared
2010-07-12 15:53 . 2010-07-12 15:53 10134 ----a-r- c:\users\Eric\AppData\Roaming\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2010-07-12 15:53 . 2010-07-12 15:53 -------- d-----w- c:\users\Eric\AppData\Local\Downloaded Installations
2010-07-12 15:53 . 2010-07-12 16:08 -------- d-----w- c:\programdata\Sony Corporation
2010-07-12 15:53 . 2010-07-12 15:53 -------- d-----w- c:\program files\Sony
2010-07-12 15:52 . 2010-07-12 15:54 -------- d-----w- c:\users\Eric\AppData\Roaming\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 01:55 . 2009-06-20 20:16 16608 ----a-w- c:\windows\gdrv.sys
2010-07-28 21:10 . 2009-09-02 18:05 1 ----a-w- c:\users\Eric\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-28 15:37 . 2009-09-02 18:03 -------- d-----w- c:\program files\Java
2010-07-27 20:16 . 2010-01-05 23:01 -------- d-----w- c:\program files\World of Warcraft
2010-07-24 23:00 . 2009-06-20 20:17 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-24 23:00 . 2009-06-20 20:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-24 22:52 . 2009-06-20 16:52 -------- d-----w- c:\program files\Exact Audio Copy
2010-07-20 04:27 . 2010-01-26 01:41 -------- d-----w- c:\users\Eric\AppData\Roaming\Skype
2010-07-20 01:42 . 2010-01-26 01:43 -------- d-----w- c:\users\Eric\AppData\Roaming\skypePM
2010-07-19 05:17 . 2009-06-20 00:19 -------- d-----w- c:\program files\Common Files\Microsoft Games
2010-07-19 05:17 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-07-19 05:16 . 2010-06-02 22:55 -------- d-----w- c:\program files\Opera
2010-07-19 05:14 . 2009-08-20 15:38 -------- d-----w- c:\program files\Diablo II
2010-07-19 04:57 . 2009-10-02 15:28 -------- d-----w- c:\programdata\PMB Files
2010-06-26 12:58 . 2010-06-26 12:58 -------- d-----w- c:\program files\Microsoft.NET
2010-06-22 15:23 . 2009-08-20 03:35 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-06-08 18:43 . 2010-06-08 18:42 -------- d-----w- c:\users\Eric\AppData\Roaming\TS3Client
2010-06-06 02:45 . 2009-10-29 18:50 62584 ----a-w- c:\users\Eric\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-05 23:24 . 2010-06-05 23:24 -------- d-----w- c:\users\Eric\AppData\Roaming\Octoshape
2010-06-03 20:58 . 2009-07-23 20:10 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-27 07:24 . 2010-06-11 05:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-11 05:06 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14 . 2009-10-03 06:45 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-11 05:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-11 20:33 . 2010-05-11 20:33 166272 ----a-w- c:\windows\system32\RzMwApi.dll
2010-05-09 09:14 . 2010-06-23 15:20 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-06-23 15:20 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-01 14:49 . 2010-06-11 05:06 2326528 ----a-w- c:\windows\system32\win32k.sys
2009-07-03 18:28 . 2009-07-03 18:29 8737280 ----a-w- c:\program files\Airlink101 WLAN Monitor.msi
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Eric\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-07-24 136176]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Razer Naga Driver"="c:\program files\Razer\Naga\NagaTray.exe" [2010-05-11 810880]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-24 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-07-24 03:16 4608 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-07-24 20:36 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2009-02-28 18:40 75048 ----a-w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET6\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-24 23:05 136176 ----atw- c:\users\Eric\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-17 12:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-17 12:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD9LanguageShortcut]
2008-10-14 01:41 50472 ----a-w- c:\program files\CyberLink\PowerDVD9\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-02-16 14:55 87336 ----a-w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-07-24 10:16 6265376 ----a-w- c:\windows\RtHDVCpl.exe

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-06-24 721904]
R2 AMPingService;AMPingService;c:\users\Eric\AppData\Local\Temp\AMPing.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ALSysIO;ALSysIO;c:\users\Eric\AppData\Local\Temp\ALSysIO.sys [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-04-19 430152]
R3 GVTDrv;GVTDrv;c:\windows\system32\Drivers\GVTDrv.sys [2009-12-09 24944]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1343400]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2009-08-22 310320]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-24 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-07-24 243024]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-02-03 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100726.001\IDSvix86.sys [2010-05-28 344112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/07/23 20:48];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-03-01 00:40 87536]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-24 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-24 308136]
S2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2009-08-03 569856]
S3 RzSynapse;Razer Naga Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [2010-04-21 60032]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2009-08-22 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2795392746-999505017-984182161-1000Core.job
- c:\users\Eric\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-24 23:05]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2795392746-999505017-984182161-1000UA.job
- c:\users\Eric\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-24 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-Core Temp - c:\users\Eric\Desktop\Hardware\CoreTemp32\Core Temp.exe
MSConfigStartUp-Steam - c:\program files\steam\steam.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Norton Internet Security]
"ImagePath"=""c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,73,d5,5b,03,ec,d0,43,b2,67,de,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,73,d5,5b,03,ec,d0,43,b2,67,de,\

[HKEY_USERS\S-1-5-21-2795392746-999505017-984182161-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,2d,d2,3b,1b,d1,cd,98,81,cb,29,37,ba,22,e8,08,bb,2b,21,8e,16,1d,3b,
bd,d8,c4,66,15,59,e2,a1,e6,69,6e,59,34,a4,1d,ce,d5,3e,df,5f,84,a7,10,e4,4e,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-07-28 21:31:13
ComboFix-quarantined-files.txt 2010-07-29 02:31

Pre-Run: 260,043,661,312 bytes free
Post-Run: 260,816,412,672 bytes free

- - End Of File - - C32EBF795DFF76175B1985C10FD2494A

Hi,

Download Bootkit Remover to your Desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  
• After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  
• It will show a Black screen with some data on it.
  
• Right click on the screen and click Select All.
  
• Press CTRL C
  
• Open a Notepad and press CTRL V
  
• Post the output back here.
  

here it is again and thank you for posting that fast!!!

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows 7 Home Premium Edition (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
Boot sector MD5 is: 1af81ee9fd1ba67cd6c7ee2405635334

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix


Done;
Press any key to quit...

Hi,

Is this a self built machine or a machine purchased from Dell, HP, etc?

It's a self built machine which I bought from a friend of mine

Okie dokie.

Please create a new text file with e.g. Notepad with the following contents:

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

• Save it as Fix.bat to your Desktop.
  
• Doubleclick Fix.bat to run it.
  
• A black DOS screen will flash too quickly to read, indicating a successful run
  
• Doubleclick remover.exe again as you did previously and post its log back here.
  

This is the log, but when I ran the Fix.bat the black appeared and then another white window saying
"You are rewrite boot code at \\.\PhysicalDrive0
It is strongly recommended to reboot immediately after the disinfection.
Otherwise the malicious boot can be restored by the trojan.
Type 'Yes' to allow immediate reboot after the disinfection, or 'No' to disinfect without reboot."
I chose "No," and I continued with the procedure that you told me.

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows 7 Home Premium Edition (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

Can you run that batch file again, except this time reboot please. Looks like the infection did restore the bootkit

kk
I rebooted this time, but now the PC won't let me continue and I'm stuck in a black screen that says "Windows failed to start." It also says " Insert your windows installation disc and restart the computer." but I don't have that thing unless it's the windows 7 but I doubt it. I tried the windows 7 but I doesn't work, so what should I do?

It's the Windows 7 install disk. You need to hit F8 as the PC boots up to use it and choose CD\DVD ROM drive. From there, you can either reformat or do a repair install.

It will likely want you to do a repair install to repair the MBR since it was messed up by the infection

well i dont think we ( my brother and i ) have the disk, but we will get it...
so what would you recommend us to do?? to reformat the pc or just repair it??

Repair install. A reformat will delete everything on your drive. You can use any Windows 7 disk. If you can't find yours, try getting one from a friend