July 14th, 2010 16:00

iexplore process in background + internet explorer popups without using the browser

Hi there,

iexplore process in background

IE popups without an address bar, without using IE or any other browser

The frame of the Explorer window, or of any process window, becomes "fair" or "lighter" in colour, as if pushed to the background

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:09, on 14/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WSED\WSED.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Stratis\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WSED] C:\Program Files\WSED\WSED.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4555 bytes

+++++++++++++++++++++++++++
+ File Lister  Version 1.1.4
+ By bamajim / SpywareHammer.com
+++++++++++++++++++++++++++

Report ran on --->>>  14/07/2010 23:44:08

====== Running Processes ======

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WSED\WSED.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Stratis\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Internet Explorer\iexplore.exe

====== BHO's ======
BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: (NO NAME) - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: (NO NAME) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: (NO NAME) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

====== System Keys  (some whitelisted items will not be shown)======

Winlogon\Userinit = C:\WINDOWS\system32\userinit.exe,
Winlogon\Shell = Explorer.exe

====== HKLM\~\Run Keys ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[SynTPEnh] = %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
[RTHDCPL] = RTHDCPL.EXE
[WSED] = C:\Program Files\WSED\WSED.exe
[IgfxTray] = C:\WINDOWS\system32\igfxtray.exe
[HotKeysCmds] = C:\WINDOWS\system32\hkcmd.exe
[Persistence] = C:\WINDOWS\system32\igfxpers.exe
[MSConfig] = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

====== HKCU\~\Run Keys ======

[ctfmon.exe] = C:\WINDOWS\system32\ctfmon.exe

====== DNS Info (List may be empty) ======


NV Hostname = Stratego
DataBasePath = %SystemRoot%\System32\drivers\etc
ForwardBroadcasts = 0
IPEnableRouter = 0
Hostname = Stratego
UseDomainNameDevolution = 1
EnableICMPRedirect = 1
DeadGWDetectDefault = 1
DontAddDefaultGatewayDefault = 0
EnableSecurityFilters = 0
DhcpNameServer = 192.168.1.254
DhcpDomain = home

====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

14/07/2010 07:21:21    0    C:\Config.Msi
22/06/2010 19:25:32    2867    32    C:\aaw7boot.log
22/06/2010 01:54:11    106496    C:\WINDOWS\Minidump
13/07/2010 22:27:08    25825    32    C:\WINDOWS\ie8Uninst.log
22/06/2010 07:10:33    15880    32    C:\WINDOWS\system32\lsdelete.exe
17/05/2010 23:51:40    256    32    C:\WINDOWS\system32\pool.bin

====== "\Administrator & All Users\Startup" Last 60 Days======




====== "\Program Files" Last 60 Days======

14/07/2010 20:49:51    123690224    C:\Program Files\a-squared Free
13/07/2010 21:42:06    3963302    C:\Program Files\Malwarebytes' Anti-Malware
13/07/2010 21:43:16    400697    C:\Program Files\Trend Micro
13/07/2010 22:36:38    65933736    C:\Program Files\Windows Live Safety Center

======"Drivers" Modified Last 60 Days======

24/03/2010 19:21:37    64288    32    C:\WINDOWS\system32\drivers\Lbd.sys

====== Files Deleted under "%Temp%" ======

93 Files deleted

======"All Users\Application Data" Last 60 Days======

13/07/2010 21:42:07    5197002    C:\Documents and Settings\All Users\Application Data\Malwarebytes
13/07/2010 21:42:07    5197002    C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

====== HKLM\~\ShellServiceObjectDelayLoad======

PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll

CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll

WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %SystemRoot%\system32\webcheck.dll

SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll


====== HKLM\~\SharedTaskScheduler======

Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\system32\browseui.dll

Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll

======HKLM\~\msconfig\startupreg======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\Adobe ARM
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKLM\Software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI
HKLM\Software\microsoft\shared tools\msconfig\startupreg\CapsLKNotify
HKLM\Software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Google Update
HKLM\Software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKLM\Software\microsoft\shared tools\msconfig\startupreg\mcagent_exe
HKLM\Software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKLM\Software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

====== Services ( Services that are Whitelisted are not shown) ======

Ambfilt (Ambfilt)- C:\WINDOWS\system32\drivers\Ambfilt.sys - Manual/Stopped
BCM43XX (Dell Wireless WLAN Card Driver)- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys - Manual/Running
CtClsFlt (Creative Camera Class Upper Filter Driver)- C:\WINDOWS\system32\DRIVERS\CtClsFlt.sys - Manual/Running
EMSC (COMPAL Embedded System Control)- C:\WINDOWS\system32\DRIVERS\EMSC.SYS - Boot/Running
iaStor (Intel AHCI Controller)- C:\WINDOWS\system32\drivers\iaStor.sys - Boot/Running
Lbd (Lbd)- C:\WINDOWS\system32\DRIVERS\Lbd.sys - Boot/Running
Monfilt (Monfilt)- C:\WINDOWS\system32\drivers\Monfilt.sys - Manual/Stopped
NdisIP (Microsoft TV/Video Connection)- C:\WINDOWS\system32\DRIVERS\NdisIP.sys - Manual/Stopped
OAO17Afx (OAO17Afx)- C:\WINDOWS\system32\DRIVERS\OAO17Afx.sys - Manual/Running
RimUsb (BlackBerry Smartphone)- C:\WINDOWS\system32\Drivers\RimUsb.sys - Manual/Stopped
RimVSerPort (RIM Virtual Serial Port v2)- C:\WINDOWS\system32\DRIVERS\RimSerial.sys - Manual/Running
RSUSBSTOR (RtsUStor.Sys Realtek USB Card Reader)- C:\WINDOWS\system32\Drivers\RtsUStor.sys - Manual/Stopped
RTLE8023xp (Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver)- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys - Manual/Stopped
SLIP (BDA Slip De-Framer)- C:\WINDOWS\system32\DRIVERS\SLIP.sys - Manual/Stopped
SynTP (Synaptics TouchPad Driver)- C:\WINDOWS\system32\DRIVERS\SynTP.sys - Manual/Running
USBAAPL (Apple Mobile USB Driver)- C:\WINDOWS\system32\Drivers\usbaapl.sys - Manual/Stopped
usbvideo (USB Video Device (WDM))- C:\WINDOWS\system32\Drivers\usbvideo.sys - Manual/Running
Wdf01000 (Kernel Mode Driver Frameworks service)- C:\WINDOWS\system32\Drivers\wdf01000.sys - Manual/Running
WmiAcpi (Microsoft Windows Management Interface for ACPI)- C:\WINDOWS\system32\DRIVERS\wmiacpi.sys - System/Stopped

====== Uninstall List ======

A file named 'UNI.txt' was created and saved to
FileListers default location. Post the results if requested.

======== Other Info ========

TOTAL PHYSICAL RAM: 1063 MB

Boot Info

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

OS Type:  Microsoft Windows XP Home Edition
Build:  5.1.2600
Service Pack:  3.0

====== Files with Hidden Attributes======

A file named 'Hidden.txt' was created and saved to
FileListers default location. Post the results if requested.

==End of Report==

I would appreciate any help.

Thanks in advance.
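The two process lists above were captured three minutes apart and do not agree: File Lister (23:44) saw C:\WINDOWS\System32\WScript.exe and C:\Program Files\Internet Explorer\iexplore.exe, which the HijackThis snapshot (23:47) does not list. As an added example, not a tool from this forum and not something the poster ran, the following Python script parses HijackThis-style O2/O4/O23 lines with a few analyst heuristics and diffs two process snapshots. The sample lines are constructed from entries in the logs above; the heuristics (a BHO registered with "(no file)", a Run value that is a bare file name resolved through the PATH search order, a service with "Unknown owner") are the editor's, and a hit means "verify", not "infected".

```python
"""Triage helpers for HijackThis-style log entries (added example; editor's heuristics)."""
import re

# Constructed sample lines, modelled on entries in the logs above.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WSED] C:\Program Files\WSED\WSED.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Two process snapshots taken minutes apart (constructed, trimmed to the interesting lines).
PROCS_HJT = r"""
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
"""
PROCS_FILELISTER = r"""
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Internet Explorer\iexplore.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[^:]*?)\\\.\.\\Run(?:Once)?: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<name>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$")


def triage_hjt(text):
    """Return (tag, key, line) findings. A finding means 'verify this', not 'malicious'."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2":
            b = BHO_RE.match(body)
            # A BHO CLSID whose DLL is gone is an orphaned registration: harmless by
            # itself, but it is the trace a removed or renamed component leaves behind.
            if b and b.group("path").strip().lower() == "(no file)":
                findings.append(("orphan_bho", b.group("clsid"), raw))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                parts = r.group("cmd").split()
                head = parts[0] if parts else ""
                # A bare file name is resolved through the PATH search order, so the
                # log alone does not tell you which file actually runs at logon.
                if head and "\\" not in head and "%" not in head:
                    findings.append(("run_bare_name", r.group("value"), raw))
        elif kind == "O23":
            s = SVC_RE.match(body)
            # No embedded company information: check the binary's signature and hash.
            if s and s.group("owner").strip().lower() == "unknown owner":
                findings.append(("service_unknown_owner", s.group("name"), raw))
    return findings


def diff_processes(snapshot_a, snapshot_b):
    """Case-insensitive set difference of two process-path lists: (only_in_a, only_in_b)."""
    def norm(text):
        return {line.strip().lower() for line in text.splitlines() if line.strip()}
    a, b = norm(snapshot_a), norm(snapshot_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for tag, key, line in triage_hjt(HJT_SAMPLE):
        print(f"[{tag}] {key}: {line}")
    only_hjt, only_fl = diff_processes(PROCS_HJT, PROCS_FILELISTER)
    # Short-lived processes present in one snapshot only are the ones to chase next:
    # a script host next to an IE instance nobody opened is worth capturing with its
    # command line before it exits again.
    print("only in HijackThis snapshot:", only_hjt)
    print("only in File Lister snapshot:", only_fl)
```

The process diff is deliberately simple: what matters is that transient processes such as a script host only show up if you snapshot repeatedly, so when one appears in a single capture, the next step is to record its command line and parent while it is still running.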

 


July 25th, 2010 12:00

Hi frazettino,

Welcome to the Dell Community Malware Removal Forum.

Sorry for the delay in getting to your thread.

If you still require assistance, please uninstall your version of HiJackThis (2.0.2) via Add/Remove Programs in your Control Panel, then reboot your machine. Then please download and run the HiJackThis INSTALLER Version 2.0.4 from HERE, follow the prompts, and post a fresh HJT log.



Thanks,
K27

July 26th, 2010 14:00

Hi K27,

Thank you for replying, I really appreciate your time. I can't see iexplore in Task Manager now, but every few moments I can hear the sound of advertising coming out of the speakers, yet cannot see the pop-ups. Then shortly after, the sound goes totally down without being on mute and can only be restored by opening Volume Control and putting the "Wave" control back up. Strange stuff :(

Below is a fresh HJT:

==============================================================================================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:39:34, on 26/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WSED\WSED.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WSED] C:\Program Files\WSED\WSED.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4701 bytes

==============================================================================================================================

Thanks

frazettino

July 26th, 2010 16:00

Hi frazettino

I'm K27 and I will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own, as this will conflict with the tools we are going to use.

Please print, or save to Notepad, all instructions and follow them carefully. If there's something you don't understand or that will not work, please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.

Failure to reply in three (3) days will result in this topic being closed and I will remove it from my notifications. If you require more time then that is fine, but please let me know.


I need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.

    Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Then Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

After that I would like you to please download MBRCheck and save it directly to your Desktop

  • Double click MBRCheck.exe to run the tool, answering yes to any prompts you may receive from Windows
  • If a malicious MBR code is found DO NOT take any action against it, it will leave you with an unbootable machine and you will more than likely have to reinstall Windows
  • If a malicious code is found please type Y and then press Enter (NOTE: If no malicious code was found, please exit the program and report that back to this thread)
  • Then please press 1 to pick the option to create a dump file of your MBR and then press enter
  • Then press zero (0) to get a dump file of your C:\ drive's MBR.
  • You will then be prompted to type a location to store the file, please type C:\mbrdump.txt and then press enter
  • Then type -1 to exit the program
  • A Notepad file will then be on the desktop. Please copy/paste the contents of that file back to me for analysis. I would also like you to navigate to the file C:\MBRdump.txt, zip it up and attach it in your next reply.

(NOTE: This program is not a toy and if used wrong, it may very well render your machine useless, DO NOT run this tool unless under the strict supervision of a trained analyst.)

EXTRA NOTE: If MBRCheck will not allow you to produce a dump file of your MBR, please exit the program and post the log that will be saved to the desktop

Please copy/paste both DDS log and that MBRcheck.text log back to this thread. And please attach the C:\mbrdump.txt file to your next post.

Thanks,
K27.
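K27's instructions above ask MBRCheck to report whether the boot code it finds is recognised and, optionally, to dump the sector. As an added example, not MBRCheck's code and not part of this thread, here is a Python parser for a raw 512-byte MBR: it verifies the 0x55AA boot signature, hashes the 440 bytes of boot code (leaving out the per-disk signature at offset 440, so one known-good hash covers every machine with the same loader), lists the partition entries, and flags an unknown loader, a wrong number of active partitions, or overlapping partitions. The sample sector, its hash baseline, and the partition layout are constructed for the example; read_physical_mbr shows how the live sector would be read on Windows with administrator rights and is not called at import. One caveat for anyone on a dual-boot machine: if GRUB was written to the MBR, its boot code will not match the Windows loader, so "unknown code" on its own is not evidence of a bootkit.

```python
"""Parse and sanity-check a 512-byte MBR (added example; not MBRCheck's code)."""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440           # boot code; bytes 440..443 hold the per-disk signature
TABLE_OFF = 446          # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(bootable, ptype, lba_start, sectors):
    """Build one partition-table entry; CHS fields carry the 'use LBA' marker."""
    chs = b"\xFE\xFF\xFF"
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, chs, ptype, chs, lba_start, sectors)


def build_sample_mbr():
    """Constructed sector: filler boot code, a Linux partition and an active NTFS
    partition 2 (matching the partition(2) entry in the boot.ini shown above).
    The boot code is filler, not a real loader."""
    code = b"\xEB\xFE" + b"\x90" * (CODE_LEN - 2)           # jmp $ then NOP padding
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"   # disk signature + 2 reserved bytes
    table = (make_entry(False, 0x83, 63, 20_000_000)          # partition 1: Linux
             + make_entry(True, 0x07, 20_000_063, 30_000_000)  # partition 2: NTFS, active
             + b"\x00" * 32)                                   # entries 3 and 4 empty
    return code + disk_sig + table + b"\x55\xAA"


def parse_mbr(sector):
    """Return disk signature, SHA-256 of the boot code, and the non-empty partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "disk_signature": struct.unpack_from("<I", sector, CODE_LEN)[0],
        # Hash only the code bytes: the disk signature differs per machine, and
        # excluding it lets one known-good hash cover every box with the same loader.
        "boot_code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(info, known_good_hashes):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code not in known-good set: bootkit, or simply a non-Windows "
                        "loader such as GRUB on a dual-boot machine; compare before acting")
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (s1, e1, i1), (s2, _, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the live MBR on Windows (needs administrator rights); not called at import."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    baseline = {info["boot_code_sha256"]}   # pretend this hash was recorded while clean
    print("clean:", check_mbr(info, baseline))
    tampered = bytearray(mbr)
    tampered[0x10] ^= 0xFF                  # one patched byte in the boot code
    print("tampered:", check_mbr(parse_mbr(bytes(tampered)), baseline))
```

The baseline set is the piece that does the real work: record the boot-code hash of a known-clean machine (or of the loader you installed), and a later mismatch tells you the code changed, without needing to recognise every loader in existence.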

July 26th, 2010 17:00

Just a quick thing I forgot, K27. I also have Ubuntu Linux on this computer, just in case this would make a difference.

Thanks!

frazettino

July 26th, 2010 17:00

Thank you K27.

DDS:


DDS (Ver_10-03-17.01) - NTFSx86 
Run by Stratis at 23:38:32.32 on 26/07/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1013.479 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe 4
svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WSED\WSED.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\a-squared Free\a2service.exe
svchost.exe 4
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stratis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com/
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [ ]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stratis\applic~1\mozilla\firefox\profiles\ercpijli.default\
FF - plugin: c:\documents and settings\stratis\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\stratis\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2010-1-21 14248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-24 64288]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-7-14 1872320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-1-21 143840]
R3 OAO17Afx;OAO17Afx;c:\windows\system32\drivers\OAO17Afx.sys [2010-1-21 134144]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-21 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-1-21 174592]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]

=============== Created Last 30 ================

2010-07-14 19:49:51    0    d-----w-    c:\program files\a-squared Free
2010-07-14 06:27:56    0    d-----w-    c:\windows\system32\wbem\Repository
2010-07-13 20:43:16    0    d-----w-    c:\program files\Trend Micro
2010-07-13 20:42:17    0    d-----w-    c:\docume~1\stratis\applic~1\Malwarebytes
2010-07-13 20:42:08    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 20:42:07    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-07-13 20:42:07    0    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-13 20:42:06    0    d-----w-    c:\program files\Malwarebytes' Anti-Malware

==================== Find3M  ====================

2010-06-19 10:33:47    15880    ----a-w-    c:\windows\system32\lsdelete.exe
2010-06-08 02:51:03    64288    ----a-w-    c:\windows\system32\drivers\Lbd.sys
2010-05-23 17:53:34    256    ----a-w-    c:\documents and settings\stratis\pool.bin
2010-01-21 19:28:58    76    --sh--r-    c:\windows\CT4CET.bin
2010-03-24 17:15:56    245760    --sha-w-    c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 23:38:53.50 ===============

Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 24/03/2010 16:40:58
System Uptime: 26/07/2010 20:06:34 (3 hours ago)

Motherboard: Dell Inc. |  | 0P9MDV
Processor:          Intel(R) Atom(TM) CPU N450   @ 1.66GHz | CPU 1 | 1662/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 20 GiB total, 3.196 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP15: 18/04/2010 10:00:18 - System Checkpoint
RP16: 19/04/2010 23:28:08 - System Checkpoint
RP17: 22/04/2010 21:22:11 - System Checkpoint
RP18: 25/04/2010 20:29:55 - System Checkpoint
RP19: 26/04/2010 23:07:49 - System Checkpoint
RP20: 30/04/2010 17:25:18 - System Checkpoint
RP21: 02/05/2010 01:09:39 - System Checkpoint
RP22: 05/05/2010 23:37:57 - Installed Mobipocket Reader 6.2
RP23: 08/05/2010 00:48:05 - System Checkpoint
RP24: 09/05/2010 21:12:43 - System Checkpoint
RP25: 13/05/2010 11:16:19 - System Checkpoint
RP26: 14/05/2010 19:25:54 - System Checkpoint
RP27: 16/05/2010 16:46:19 - System Checkpoint
RP28: 17/05/2010 21:51:22 - System Checkpoint
RP29: 20/05/2010 20:59:23 - System Checkpoint
RP30: 21/05/2010 21:02:17 - System Checkpoint
RP31: 24/05/2010 07:22:34 - System Checkpoint
RP32: 28/05/2010 20:23:15 - System Checkpoint
RP33: 30/05/2010 13:07:01 - System Checkpoint
RP34: 31/05/2010 15:34:38 - System Checkpoint
RP35: 01/06/2010 20:26:14 - System Checkpoint
RP36: 02/06/2010 21:46:42 - System Checkpoint
RP37: 03/06/2010 22:15:59 - System Checkpoint
RP38: 06/06/2010 12:53:09 - System Checkpoint
RP39: 07/06/2010 15:35:45 - System Checkpoint
RP40: 08/06/2010 19:27:19 - System Checkpoint
RP41: 09/06/2010 19:27:36 - System Checkpoint
RP42: 10/06/2010 21:30:49 - System Checkpoint
RP43: 12/06/2010 16:52:08 - System Checkpoint
RP44: 14/06/2010 00:27:00 - Removed Skype Toolbars
RP45: 15/06/2010 23:25:20 - System Checkpoint
RP46: 17/06/2010 21:14:01 - System Checkpoint
RP47: 19/06/2010 20:45:32 - System Checkpoint
RP48: 21/06/2010 20:45:27 - System Checkpoint
RP49: 23/06/2010 18:56:39 - System Checkpoint
RP50: 24/06/2010 22:26:49 - System Checkpoint
RP51: 26/06/2010 00:28:06 - System Checkpoint
RP52: 29/06/2010 00:25:39 - System Checkpoint
RP53: 01/07/2010 01:40:43 - System Checkpoint
RP54: 05/07/2010 22:36:02 - System Checkpoint
RP55: 07/07/2010 20:53:53 - System Checkpoint
RP56: 11/07/2010 08:40:27 - System Checkpoint
RP57: 14/07/2010 00:23:42 - System Checkpoint
RP58: 14/07/2010 07:05:00 - Cleaned registry with Windows Live OneCare safety scanner
RP59: 14/07/2010 07:20:42 - Restore Operation
RP60: 14/07/2010 07:27:26 - Restore Operation
RP61: 26/07/2010 19:55:38 - Installed HiJackThis

==== Installed Programs ======================

a-squared Free 4.5
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Advanced Audio FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 5.0.1
Bonjour
CapsLKNotify
Compatibility Pack for the 2007 Office system
Dell System Restore
Dell Touchpad
Dell Webcam Central
Dell Wireless WLAN Card Utility
EMSC
Function Keys
Google Talk Plugin
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB970653-v3)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 16
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mobipocket Reader 6.2
Mozilla Firefox (3.6.6)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB927977)
OpenOffice.org 3.2
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Skype™ 4.2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.5
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Management Framework Core
Windows Media Format Runtime
Windows Presentation Foundation
WinRAR archiver
WSED
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

26/07/2010 21:04:37, error: Service Control Manager [7034]  - The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).

==== End Of File ===========================

MBRCheck:

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
    149 GB  \\.\PhysicalDrive0   Unknown MBR code


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
  [1] Dump the MBR of a physical disk to file.
  [2] Restore the MBR of a physical disk with a standard boot code.
  [3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): Dumping \\.\PhysicalDisk0...
Enter filename to dump to: Dumped successfully!

Enter the physical disk number to dump (0-99, -1 to exit): Dumping \\.\PhysicalDisk1...
Enter filename to dump to: Error opening disk (2)!

Enter the physical disk number to dump (0-99, -1 to exit):

Done!  Press ENTER to exit...

MBRdump:

file:///C:/Documents%20and%20Settings/Stratis/Desktop/MBRdump.txt

I wasn't sure about the attach file but I saw you asked for both of them in the beginning, so I took the risk and posted it. Please let me know if it wasn't needed. Also, I couldn't find another way to attach the MBRdump file :(

Many thanks,

frazettino

2 Intern

1.5K Posts

July 27th, 2010 14:00

Hi frazettino,

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below)

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

Combo-fix MUST be saved to your desktop before running the tool

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console please make sure to do so, as this is a VERY IMPORTANT backup of Combo-fix (XP only)

You will need to be connected to the net to install the recovery console; if you cannot install it DO NOT run Combo-Fix. Post back and we will install it manually.

DO NOT mouse click when Combo-Fix is running as this will cause Combo-Fix to stall and it will not work as it should

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks,
K27.

21 Posts

July 29th, 2010 00:00

Hi K27.

Many thanks for this.

Can I have 2-3 more days to reply please? Haven't got around to it yet as I was busy with work.

Please let me know.

Cheers

frazettino.

2 Intern

1.5K Posts

July 29th, 2010 02:00

Hi frazettino,

No worries, I will leave this topic open for a while longer.

21 Posts

August 1st, 2010 17:00

Hi K27,

Sorry about this delay and thank you for keeping this open longer.

I have attached the ComboFix.txt file as per your request.

Thanks,

frazettino

1 Attachment

2 Intern

1.5K Posts

August 1st, 2010 23:00

Hi frazettino,

Please delete your copy of combofix by right clicking the Combofix desktop icon and then clicking delete.

I then need you to download a fresh copy from THIS LINK

Then please run combofix in exactly the same way as you did before,

Please remember to disable all active protection before running combofix

Post the combofix log back to this thread,

Thanks

21 Posts

August 2nd, 2010 16:00

Hi K27,

Thanks for replying. I hope I didn't do anything wrong this time. A message appeared at some point saying: "this machine is infected with whistler bootkit", and then the laptop rebooted automatically. Anyway, I have attached the ComboFix log.

Cheers,

frazettino

1 Attachment

2 Intern

1.5K Posts

August 4th, 2010 12:00

Hi,

Sorry for the delay. Can you please tell me: is Ubuntu installed on a separate hard drive, or is it set up as a dual boot where both operating systems are on the same hard drive and you have to choose which OS to boot to on start-up?

Thanks.

EDIT:

The bottom of the ComboFix log is missing, please copy/paste the whole log to this thread. It will be located at C:\Combofix.txt

Thanks

21 Posts

August 4th, 2010 12:00

Hi K27, no worries at all, it was the latter, choosing which OS to boot from.

The Ubuntu side was actually the biggest part of the hard drive, as I made the Windows partition smaller at the time. It's no longer there; when Windows starts there are now only two options, Windows recovery console and normal startup. Which means that I am no longer able to access the Ubuntu side. I don't think any files are lost as it shouldn't affect the actual data, or so I hope! I was mainly using the Windows side for work anyway, since you can access data stored in Windows when booting from Ubuntu, but you can't access Ubuntu files when booting from Windows.

I'll wipe the whole thing and re-install Windows at some point, but for now I just need to know if the infection is gone. Over the past couple of days (post ComboFix) the processes have been reduced to 34 from 38-9, there are no pop-ups or background sound of adverts as before, and the laptop seems to run quite smoothly.

I am still a little bit concerned about possible hidden stuff though, I read that the Whistler bootkit can be quite nasty.

What do you reckon?

Thanks,

frazettino

21 Posts

August 4th, 2010 13:00

Sorry, just saw the edit. I attach the file again.

1 Attachment