Not sure if I'm infected

  • This topic is locked
4 replies to this topic

#1 pulse1


  • Members
  • 16 posts
  • Local time:10:14 AM

Posted 14 July 2012 - 10:51 PM

Hi ! :)

I accidentally typed in the wrong URL the other day... I wanted to go to www.soundcloud.com but I accidentally typed in www.soundcoud.com
The site made Zone Alarm fire up a few warnings.

I clicked allow on the warnings without thinking (I'm in the habit of clicking allow because usually the warnings are about things that are ok)

But these warnings (I realised straight afterwards) were out of the ordinary.

The warnings were:
"Chrome wants to accept connections from the internet. Allow?"
"Thunderbird wants to accept connections to the internet. Allow?"
There was another one which I didn't read because I clicked allow too quickly :/

My browser then began behaving strangely (redirecting back to that site).

I straight away went into Zone Alarm and configured Chrome and Thunderbird to ask me before doing anything.

I then forced shut down by holding in the power button, and started in safe mode and did a system restore back to a week ago.

After that I scanned the system with Malwarebytes and Zone Alarm but no problems were detected.

Then I went to try to scan with Windows Defender and it would not open. It gives me an error message saying:
"Application failed to initialize:0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually."

Restarting did not solve the issue and I haven't tried to start it manually.

A couple of odd (but maybe minor) things happened when I was going through the instructions on this site.

DDS would not download in Chrome, I had to open Firefox to download it.

Gmer would not run, but the process was open. I did a google search and found a solution which was to change the file name of the Gmer download to test.exe
Once I did that it ran.

After running Gmer it gave me a message saying "Gmer has not found any system modification."
The Gmer log (ark.txt) is blank.

When I try to attach the blank ark.txt, this site gives me an error saying "Error: no file was selected for upload"

Below are my logs etc...
Thanks for your advice in advance, I really appreciate it ! :)


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Admin at 12:26:28 on 2012-07-15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3030.1615 [GMT 10:00]
AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Extreme Security Anti-Spyware *Enabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
FW: ZoneAlarm Extreme Security Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Mozilla Firefox\firefox.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [DLCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCGtime.dll,_RunDLLEntry@16
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\admin\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 3 (0x3)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer =
TCP: Interfaces\{0EAD81D3-FF70-48B5-814F-DF3BBA289C0F} : DhcpNameServer =
TCP: Interfaces\{13B7ADAB-D524-41BF-BE3A-88871FCE253C} : DhcpNameServer =
TCP: Interfaces\{8E9503B7-3B94-447C-A2A4-008E2B136C23} : DhcpNameServer =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\1dxugnjr.default\
FF - prefs.js: browser.startup.homepage - www.rmit.edu.au
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\admin\appdata\local\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
============= SERVICES / DRIVERS ===============
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-11 242240]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-10-14 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-4 27016]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2011-11-4 36744]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2012-2-10 112128]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-6-20 212992]
=============== Created Last 30 ================
2012-07-14 14:30:45 -------- d-----w- c:\users\admin\appdata\local\Macromedia
2012-07-14 00:37:36 -------- d-----w- c:\program files\MozBackup
2012-07-13 17:08:57 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-13 07:00:49 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d5fe7569-1c28-4c9f-a1b3-48333f96524c}\mpengine.dll
2012-07-13 06:51:17 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-13 06:51:09 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-13 06:51:09 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-13 06:50:22 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-13 06:50:22 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-13 06:50:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-04 20:30:45 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-07-04 20:30:45 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-07-03 02:05:05 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-28 13:04:31 -------- d-----w- c:\program files\Dropbox
2012-06-26 15:01:01 -------- d-----w- c:\users\admin\appdata\roaming\Auslogics
2012-06-26 15:00:55 -------- d-----w- c:\program files\Auslogics
2012-06-26 12:20:14 -------- d-----w- c:\users\admin\appdata\local\MigWiz
2012-06-20 07:52:49 6762896 ------w- c:\programdata\microsoft\windows defender\definition updates\updates\mpengine.dll
2012-06-20 07:40:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-20 07:39:46 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-20 07:39:27 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 07:39:27 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-19 11:48:01 -------- d-----w- C:\MyBackup
2012-06-15 08:51:26 -------- d-----w- c:\program files\iPod
2012-06-15 08:51:23 -------- d-----w- c:\program files\iTunes
==================== Find3M ====================
2012-07-03 03:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 02:05:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 02:05:11 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-11 14:31:08 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2012-06-10 05:42:48 1247016 ----a-w- c:\programdata\SPL903D.tmp
2012-06-10 03:17:47 1247016 ----a-w- c:\programdata\SPL76BA.tmp
2012-06-09 20:05:39 913670 ----a-w- c:\programdata\SPL8D6.tmp
2012-06-09 20:04:42 913670 ----a-w- c:\programdata\SPL2B15.tmp
2012-06-09 20:03:03 913670 ----a-w- c:\programdata\SPLA794.tmp
2012-06-09 20:00:49 2596345 ----a-w- c:\programdata\SPL9C7D.tmp
2012-06-09 19:41:28 2596345 ----a-w- c:\programdata\SPLE36D.tmp
2012-06-02 14:46:38 1025716 ----a-w- c:\programdata\SPL87A6.tmp
2012-06-02 14:45:29 1025716 ----a-w- c:\programdata\SPL7732.tmp
2012-06-02 14:44:49 1025716 ----a-w- c:\programdata\SPLDD06.tmp
2012-06-02 14:37:38 5336956 ----a-w- c:\programdata\SPL27E9.tmp
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-31 02:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00:53 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-04-23 16:00:53 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-23 16:00:53 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-18 10:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-18 10:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
============= FINISH: 12:31:13.92 ===============


Edited by pulse1, 14 July 2012 - 10:57 PM.



#2 Larusso



  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria
  • Local time:02:14 AM

Posted 18 July 2012 - 10:27 AM

My name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Download OTL to your Desktop.
  • Double click on the icon to run it.
  • Under the Posted Image box paste this in
%systemroot%\*. /mp /s
%windir%\installer\*. /5
%localappdata%\*. /5
  • Make sure all other windows are closed to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please post both logfiles in your next reply.

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.exe and save it to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Bread for the world instead Bombs and Bangers


#3 pulse1

  • Topic Starter

  • Members
  • 16 posts
  • Local time:10:14 AM

Posted 22 July 2012 - 02:47 AM

Hi :)
Thanks very much for your reply.

I was required to install some new software for my studies so I decided to start over so that everything is clear for you.

I was just running DDS and I got a message from Zone Alarm saying:

"MBR.DAT is trying to load mbr driver. Allow? Deny?"

I clicked deny and came straight here to find out if I should allow this to happen or not.

If you could tell me what to do that'd be great :)

Thanks heaps,

#4 Larusso



  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria
  • Local time:02:14 AM

Posted 22 July 2012 - 07:09 AM

You should follow the instructions in my last reply with OTL and TDSSKiller. No need to run DDS at the moment.


#5 Larusso



  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria
  • Local time:02:14 AM

Posted 29 July 2012 - 06:57 AM

Due to the lack of feedback, this topic will now be closed.
If you need this topic reopened, please contact me or any other member of the moderation team.

This applies only to the topic starter, everyone else please begin a new topic starting with the steps outlined here.
