weird beeps and bloops, HJT log


  • This topic is locked
17 replies to this topic

#1 MikeInAlaska

MikeInAlaska

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 14 December 2011 - 04:56 AM

Whoops, forgot to submit my HJT log. Here it is. Also, I tried to do the preliminary steps through your tutorial. I was able to run defogger, but DDS will not download. I click the link, and nothing happens. Rebooted, checked Downloads, tried multiple times. Weird.


Hello,

Please read my HiJackThis log and analyze. Recently, after visiting a controversial govt. website, my computer started acting weird. It makes random bleeps, bloops, and donks (i.e. the ones that sound when you've done something wrong on your PC), somewhat regularly, once or twice an hour, even when the computer is on and I'm not on it. A few times it has restarted on its own (bleep weird). My Yahoo account was compromised once, and my password wouldn't work. Three times now, my "personal photo security verification" wasn't there, and I had to load a new one. I'm close to reformatting the PC, but would rather not, since I've had great success (thanks Gringo) with your site before. I run XP.

Thanks,
Mike in Alaska


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:32:32 PM, on 12/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
C:\Program Files\Webshots\3.1.5.7619\webshots.scr
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\javaw.exe
c:\program files\real\realplayer\update\realsched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner.myksrobut\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.myksrobut\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.myksrobut\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.myksrobut\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Owner.myksrobut\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\VIDEOD~1\ARCURL~1.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.myksrobut\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\3.1.5.7619\Launcher.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: SAC-Desktop-Alert.lnk = C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219038806781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219321564080
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9006 bytes

Edited by MikeInAlaska, 14 December 2011 - 09:26 PM.
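As an added example (not part of the thread, and not HijackThis's own code), a small Python triage script for the HijackThis 2.0.4 log format posted above: it separates the Running processes block from the Rnn/Onn entries and flags orphaned references ("(file missing)" / "(no file)"), process paths repeated many times, and O4/O23 autostart targets given without an absolute path. SAMPLE_LOG is a constructed excerpt of the log in post #1; what it flags is a reading order for a reviewer, not a verdict.

```python
"""Triage helper for a HijackThis 2.0.4 log (added example, not from the thread
or from HijackThis). SAMPLE_LOG is a constructed excerpt of the posted log."""
import re
from collections import Counter

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:32:32 PM, on 12/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.myksrobut\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9006 bytes
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 Run entries: [name] "quoted path" args  |  [name] bare.exe
O4_TARGET_RE = re.compile(r'\[[^\]]*\]\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_hjt(text):
    """Return (processes, entries); each entry is a dict with section, body, line."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m["section"], "body": m["body"], "line": line})
    return processes, entries


def target_of(entry):
    """Best-effort extraction of the file an entry points at (None if not applicable)."""
    sec, body = entry["section"], entry["body"]
    if sec == "O4":
        if "[" in body:                       # HKLM/HKCU ..\Run entries
            m = O4_TARGET_RE.search(body)
            return (m["quoted"] or m["bare"]) if m else None
        if " = " in body:                     # Startup: name.lnk = path
            return body.split(" = ", 1)[1].strip()
        return None
    if sec in ("R3", "O2", "O3", "O9", "O22", "O23"):
        return body.rsplit(" - ", 1)[-1].strip()   # path is the last ' - ' field
    return None


def orphaned_entries(entries):
    """Entries whose target HijackThis itself reported as missing."""
    return [e["line"] for e in entries
            if any(mark in e["body"] for mark in ORPHAN_MARKERS)]


def repeated_processes(processes, threshold=3):
    """Process paths listed at least `threshold` times (Windows paths compare case-insensitively)."""
    counts = Counter(p.lower() for p in processes)
    return {path: n for path, n in counts.items() if n >= threshold}


def unqualified_autostarts(entries):
    """O4/O23 targets that are not absolute paths, so Windows resolves them via the search path."""
    found = []
    for e in entries:
        if e["section"] in ("O4", "O23"):
            t = target_of(e)
            if t and not DRIVE_RE.match(t):
                found.append((e["line"], t))
    return found


def triage(text):
    """Run all three checks over a log and return the findings keyed by check name."""
    processes, entries = parse_hjt(text)
    return {
        "orphaned": orphaned_entries(entries),
        "repeated_processes": repeated_processes(processes),
        "unqualified_autostarts": unqualified_autostarts(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"== {key} ==")
        for item in (value.items() if isinstance(value, dict) else value):
            print("  ", item)
```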



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,733 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 PM

Posted 20 December 2011 - 05:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/432383 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 22 December 2011 - 09:20 AM

Hi MikeInAlaska,

Do you still need assistance?
PW

#4 MikeInAlaska

MikeInAlaska
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 23 December 2011 - 12:53 AM

yes please

#5 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 23 December 2011 - 01:38 AM

Good morning MikeInAlaska, :)

Do you have a usb flash/thumb drive that can be formatted in case we need it?


Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.



In your next reply please include the following:

Combofix.txt


Thanks!
PW

#6 MikeInAlaska

MikeInAlaska
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 23 December 2011 - 07:01 AM

Hey, thanks for the quick reply.
I just formatted a flash drive and also have a spare external HD that I could clear as well. I have run ComboFix and attached the log in a compressed file. Attached File  combofix log 12.23.11.zip   26.5KB   2 downloads

Did you see my earlier comment about having trouble downloading the DDS program? BTW, I use Chrome and rarely Firefox, having left Explorer in the wind long ago. I was also not able to Restore to any earlier dates at all before requesting help from you. This normally fixes things for me, and I have experienced it not operating correctly a few times over the past few years. Is it a virus/bug/trojan/gremlin that causes that function to fail?

Thank you again for your help,

MikeInAlaska

#7 MikeInAlaska

MikeInAlaska
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 23 December 2011 - 04:48 PM

BTW,

I just checked my two external hard drives, preparing to clear one in case we need it, and they BOTH had a file named "RECYCLER", which I have also run into before in the past. Same situation, same solution. Scanned the file with MBAM and Avira and both were clean. Could not delete either one (both folders were also initially empty), so I resorted to cutting and pasting to the desktop and deleting, because this is how I resolved the problem before. Interweb posts about this differ. Some insist it is malware and others say that it is a gateway the OS sets up to use the regular Recycle Bin more efficiently. Please advise after reading the Combo log above.

Thank you and happy holidays.

MikeInAlaska

#8 MikeInAlaska

MikeInAlaska
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 23 December 2011 - 05:15 PM

Sorry,

One more thing. Scotty the WinPatrol dog keeps asking me about a File Type Change Alert. BTW, I'm streaming a live radio station, and it's come up six times; every time I reject it for now. This is also something that I've seen numerous times in the past.

The program currently associated with this file type is:
Run DLL as an APP
Microsoft Corp.
C:\WINDOWS\system32\rundll32.exe.C:\WINDOWS\system32\ieframe.dll,OpenURL %|

Change was made to use the following for this file type.
Run DLL as an App
Microsoft
rund32.exe ieframe.dll,OpenURL %|

Once again, I've clicked No each time, not wanting to make the wrong choice.
Scotty doesn't bark too much, even with my seemingly infected machine, so a bunch in a row is weird. Associated with this Winamp radio stream? The "ieframe" makes me think Explorer, which I never use, which also seems weird. Should I simply allow any changes that Microsoft wants to make or is that risky?

#9 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 23 December 2011 - 06:07 PM

Hi MikeInAlaska,

Sorry for the delay. I have a lot of Christmas stuff going on today and this evening and it will be later before I can go over your logs. :thumbup2:


Thanks for your patience.

Edited by pwgib, 23 December 2011 - 06:07 PM.

PW

#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 24 December 2011 - 10:59 AM

Hi MikeInAlaska,

Please temporarily disable Adaware and WinPatrol. See this topic


Run DLL as an App

It's a normal function of Windows. It might be software you have installed trying to update or "call home". I would allow it and monitor if there are any changes or what website it connects to.

RECYCLER

Again, this is normal. Windows creates the folder on external drives. Read here.


I see you have multiple antivirus programs installed.

You should never have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

In your case I notice that you have three antivirus programs installed and although they might be disabled and outdated there are still processes, services / drivers that are running that can cause conflicts and use up resources in addition to reducing boot time and other issues.

I suggest you uninstall all but one of the antivirus programs via Add/Remove Programs. If you decide to uninstall AVG, first remove it via Add/Remove Programs, then use the AVG Removal Tool here

I also see remnants of McAfee AntiVirus/Firewall

To remove McAfee AntiVirus fully I recommend you to use McAfee Consumer Product Removal tool (MCPR.exe).

For download and instruction to use McAfee Consumer Product Removal tool click here

  • Download the removal tool
  • Click Save and save the file to a folder on your computer.
  • Navigate to the folder where the file was saved.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.exe to run the removal tool.
  • Restart your computer after receiving the message CleanUp Successful.
  • Your McAfee product will not be fully removed until the system is restarted.

You can now delete the removal tool.

It could have been malware or either Adaware/Winpatrol could have been blocking DDS.


Step 1.

  • Run HijackThis.
  • Click on Open the Misc Tools Section.
  • Then press Open Uninstall Manager
  • Click on the Save List button
  • A HijackThis folder window will open. Change it to your desktop and click Save.
  • Paste this log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.


Step 2.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


In your next reply please include the following:

HijackThis Uninstall List
TDSSKiller log


Please do not attach logs unless asked to. If they will not fit in one post it is OK to use multiple posts.

How is your computer running now and what symptoms do you have, if any?


Thanks!!
PW

#11 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 26 December 2011 - 09:51 AM

Hi MikeInAlaska,


Any problems? Do you still need help?
PW

#12 MikeInAlaska

MikeInAlaska
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 26 December 2011 - 07:35 PM

Hello and thanks so much for your help. I hope you've enjoyed the holidays. Bleeps, bloops, and dings seem to have ended, and the robut runs pretty fast. TDSSKiller showed nothing but I attached the logs anyway. Do I now reactivate the CD Emulation or whatever that was? Also, why do you guys warn not to use ComboFix without being instructed to? Can't I run it periodically to ensure safety? Also, Gringo helped me last time and recommended I not use Windows Defender at all, so which firewall should I use? He also recommended Malwarebytes, Avira, and CCleaner (I think). Why didn't these three catch these problems? Are there better ones you recommend that are free, or is paying worth the safety? I also have TFC, and Wise Disk and Registry Cleaner. I think I read somewhere that cleaning your registry can do more harm than good?

Sorry for so many questions, just hoping to not have to ask for your help any time soon again.

Thank you again,

MikeInAlaska

Attached File  TDSSKiller.2.6.25.0_24.12.2011_18.22.32_log.zip   11.64KB   1 downloads
Attached File  uninstall_list.zip   1.69KB   3 downloads

#13 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 27 December 2011 - 09:14 AM

Hi MikeInAlaska,

I will try to answer your questions before we are through. :thumbup2:

Please do not attach logs unless asked to. If they will not fit in one post it is OK to use multiple posts. :)

The following is referring to CCleaner and Wise Disk Cleaner. Both contain a registry cleaner utility.
Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
I highly recommend CCleaner but also suggest you do not use the registry cleaner component. I do not know much about Wise Disk Cleaner but also suggest you not use its registry cleaner.

More information about registry cleaners can be found at Miekiemoes Blog

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u2-windows-i586.exe (or jre-7u2-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Step 1.

Please run MBAM that appears to already be installed on your computer.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step 2.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.


In your next reply please post, do not attach, the following:

MBAM log
ESET scan results <--If any



Thanks!!
PW

#14 MikeInAlaska

MikeInAlaska
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 29 December 2011 - 03:06 AM

Hello,

Thanks again for your help.

Looks like Malwarebytes didn't find anything :)

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.29.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: MYKSROBUT [administrator]

12/28/2011 4:23:01 PM
mbam-log-2011-12-28 (16-23-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 193691
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

The ESET scanner DID find a number of malicious files, cleaned, and quarantined them. I checked to delete quarantined files, because I hate maliciousness.

Here are the results.

C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\cnet_WDCFree_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\setup (1).exe Win32/Adware.Bundlore application deleted - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\setup (2).exe Win32/Adware.Bundlore application deleted - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\setup (3).exe Win32/Adware.Bundlore application deleted - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\setup (4).exe Win32/Adware.Bundlore application deleted - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\setup.exe Win32/Adware.Bundlore application deleted - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\vshare-plugin-v10.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\winamp5621_full_emusic-7plus_en-us.exe Win32/OpenCandy application deleted - quarantined
C:\Documents and Settings\Owner.myksrobut\My Documents\Downloads\winamp562_full_emusic-7plus_en-us.exe Win32/OpenCandy application deleted - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1304\A0221285.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1304\A0221286.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1304\A0221288.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1304\A0221292.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1304\A0221297.exe a variant of Win32/InstallCore.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1317\A0224022.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1317\A0224026.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1318\A0225487.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1318\A0225491.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1319\A0226978.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1319\A0226982.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1320\A0228450.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1320\A0228454.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1321\A0229916.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1321\A0229920.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1324\A0231422.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1324\A0231426.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1325\A0232901.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1325\A0232905.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1330\A0235687.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1330\A0235688.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined


Once again, you rock, your site rocks, and I am very appreciative.
Have a wonderful day

MikeInAlaska
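The ESET result lines above all follow one shape: path, optional "a variant of", detection name, object type, action taken, and a quarantine marker. As an added example (not code from the thread, from ESET, or from BleepingComputer), the Python script below parses lines of that shape and answers the two questions a responder asks first: which families were present, and which hits were live files rather than stale copies inside System Restore snapshots. Restore-point hits matter because System Restore could bring such a file back, which is why the clean-up steps later in this thread reset the restore points. The sample lines, file names and GUID are constructed stand-ins in the same format, not the thread's own values; the function and field names are my own.

```python
"""Summarise ESET Online Scanner result lines of the form

    <path> [a variant of] <Platform/Family[.Variant]> <type> <action> [- quarantined]

into per-family counts, per-location counts and the list of live (non-restore-point) files.
"""
import re
from collections import Counter

# Constructed sample lines shaped like the ESET output in the thread.
# Paths, file names and the GUID are made up for this example.
SAMPLE_LOG = [
    r"C:\Documents and Settings\User\My Documents\Downloads\setup.exe Win32/Adware.Bundlore application deleted - quarantined",
    r"C:\Documents and Settings\User\My Documents\Downloads\cnet_installer.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined",
    r"C:\Documents and Settings\User\My Documents\Downloads\toolbar-plugin.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP10\A0000001.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP11\A0000002.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined",
    "",                  # blank line: skipped
    "(scan finished)",   # constructed non-detection line: skipped
]

# Path is taken non-greedily up to the first token of the form Platform/Family,
# which Windows paths (backslash separators) cannot contain.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<variant>a variant of\s+)?"
    r"(?P<detection>[A-Za-z0-9]+/[A-Za-z0-9._-]+)\s+"
    r"(?P<kind>\S+)\s+"
    r"(?P<action>.+?)"
    r"(?:\s+-\s+(?P<status>quarantined))?$"
)


def family_of(detection):
    """'Win32/InstallCore.D' -> 'InstallCore'; 'Win32/Toolbar.Zugo' stays 'Toolbar.Zugo'.

    Only a trailing one-to-three-letter upper-case variant suffix is stripped.
    """
    name = detection.split("/", 1)[1]
    parts = name.split(".")
    if len(parts) > 1 and parts[-1].isupper() and len(parts[-1]) <= 3:
        parts = parts[:-1]
    return ".".join(parts)


def classify_location(path):
    """Coarse bucket for where the file lived; restore-point copies are the key distinction."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"
    if "\\downloads\\" in p:
        return "downloads folder"
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp/cache"
    return "other"


def parse_line(line):
    """Return a dict for one detection line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detection = m.group("detection")
    return {
        "path": m.group("path"),
        "detection": detection,
        "family": family_of(detection),
        "kind": m.group("kind"),
        "action": m.group("action"),
        "quarantined": m.group("status") is not None,
        "location": classify_location(m.group("path")),
    }


def summarize(lines):
    """Aggregate parsed hits; 'live_paths' lists files outside System Restore snapshots."""
    hits = [h for h in (parse_line(l) for l in lines) if h]
    return {
        "total": len(hits),
        "by_family": Counter(h["family"] for h in hits),
        "by_location": Counter(h["location"] for h in hits),
        "live_paths": [h["path"] for h in hits if h["location"] != "restore point"],
        "all_quarantined": all(h["quarantined"] for h in hits),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("detections:", result["total"])
    print("by family:", dict(result["by_family"]))
    print("by location:", dict(result["by_location"]))
    print("live files:", *result["live_paths"], sep="\n  ")
    print("everything quarantined:", result["all_quarantined"])
```

Run it against a saved ESET log by replacing SAMPLE_LOG with the file's lines. A non-empty "live files" list is what deserves attention; restore-point-only hits are old copies that the later restore-point reset removes in one step.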

#15 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 29 December 2011 - 09:13 AM

Hi MikeInAlaska,

All the items ESET found were adware or toolbars. I don't recommend downloading from CNET anymore for that reason. That's just my opinion. :wink:


Also, why do you guys warn to not use the Combofix without being instructed to? Can't I run it periodically to ensure safety?

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer. There have been instances where a computer was made into a doorstop by incorrect usage of Combofix, hence the warnings.


Malwarebytes, Avira, and Ccleaner (I think). Why didn't these three catch these problems?

CCleaner is not an antivirus or antispyware program. It's more for just cleaning the junk off of your system that can result in poor performance.

Why popular antivirus apps 'do not work'

What’s the Difference Between Viruses, Trojans, Worms, and Other Malware?



You now appear to be all clean. :thumbsup:

We need to do a little house cleaning.

Step 1.

Re-enable emulation

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger might ask to reboot the machine - click OK

Step 2.

Uninstall ComboFix

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note the space between the X and the /U.

Please advise if this step is missed for any reason as it performs some important functions.

If ComboFix asks to update please allow it to do so.


You can now uninstall any other programs we may have used and delete any logs that may have been generated.

Most can be deleted by right clicking and choosing Delete. Others, such as ESET online scan can be removed via Control Panel | Add/Remove Programs


Step 3.

Here are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however, by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. You can find Microsoft Updates here.

I recommend that you visit the link above and either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Make sure you use a firewall. A tutorial on understanding and using firewalls may be found here. For most users the built in Windows Firewall is sufficient.

If you would like a third party firewall some good free firewalls are
(While installing Comodo, please uncheck these options: "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage". Uncheck "Install Comodo Antivirus".)

Only use one firewall at a time.

Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

If you have any questions please do not hesitate to ask.


Thanks!!
PW



