I can't make head or tails out of this


9 replies to this topic

#1 chesterlestreet


Posted 14 October 2013 - 08:23 AM

hello

 

i'll be as accurate as possible.

 

sunday 13th 2013 between 245pm - 3pm i locked my computer and went to the kitchen for a minute or two, i came back to find my computer somehow managed to restart by itself, and on the 'Dell Logo' screen, with a message that reads 'program installing please wait' and a line going left to right, right to left, below the message indicating the changes.

 

the computer then came back on the lock screen, i typed my password to bring me onto the desktop, the anti virus (kaspersky) did not start as normal but greyed out and a 'i'  (<~~ i think it was this sign) i clicked the 'K' near the clock, and after 30-45 seconds the AV turned on. i  then clicked firefox, it automatically directed me to my youtube channel webpage, the very webpage i was on before i locked the screen and went to the kitchen before the system restarted by itself   -   shouldn't any system restart launch the firefox homepage?

 

earlier on the day between 8pm and 10pm i installed windows update and xbox controller software (genuine CD) on both occasions i restarted the PC.

 

i've never known windows update or any other software to 'program installing please wait' when on the 'Dell Logo'  screen, and this is what's bugging me most.

 

i checked the 'program and features' and there was nothing suspicious or any new programs other than what i know to be installed on the PC.

 

can you please shed some light as to what this could be, i've never known anything to install, or give a message of installing when on the 'Dell Logo' screen - everything about this seems out of character.

 

just to add to that, if this information helps, on 12/10/13 i had a network attack that was blocked 'Intrusion.Win.MSSQL.worm.Helkern' and i made the amateur mistake of doing a system restore yesterday to a previous state on a whim.

 

 

Thank you.





#2 quietman7


Posted 14 October 2013 - 12:08 PM

I have found that if Firefox is the default browser, in some cases after installing new software, it will open to a page related to that software automatically. After I close and restart, Firefox goes back to the default home page I had set it to.

I don't use Dell so I can't advise you in regard to anything on the 'Dell Logo' screen.

As far as checking for new programs, be aware that not all programs show up in Add/Remove Programs or Programs and Features... so the next place to check is your browser Add-ons and remove any you do not recognize or did not install.

ALERT MESSAGE:
"Your computer has been attacked from the internet.
Network attack Intrusion.Win.MSSQL.worm.Helkern from address 61.175.163.195
has been successfully repelled."


There is nothing to be concerned about with this type of alert unless you are using Microsoft SQL Server which uses port 1434. The MSSQL worm (aka: SQL Slammer/Helkern/Sapphire) exploits vulnerabilities in Microsoft SQL 2000 servers on port 1434 and only affects unpatched systems (SQL servers not running SP3 for Microsoft SQL Server Desktop Engine). This exploit was addressed in Microsoft Security Bulletin MS02-039, originally posted on July 24, 2002.
 

Helkern (aka Helkern, aka Sapphire) is an extremely small (just 376 bytes) Internet worm that affects Microsoft SQL Server 2000. To get into victim machines the worm exploits a buffer overrun vulnerability...

Net-Worm.Win32.Slammer


"Helkern" infects only computers running Microsoft SQL Server 2000, a multi-functional database system widely used primarily on Web-servers. To home users of any Windows version without the installation of Microsoft SQL Server the worm poses no threat.

"Helkern" - 376 Bytes That Shook The World
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
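Added example, not part of the post above or of any tool mentioned in this thread: a small triage script for the kind of UDP port 1434 probe that produces the Helkern alert. It assumes a log in the Windows Firewall (pfirewall.log) column layout with dropped and allowed packets both logged, and that the "size" column is the IP packet length, so the 376-byte worm payload appears as 404; the sample lines are constructed and use documentation address ranges.

```python
# Added example: triage inbound UDP/1434 (Slammer/Helkern) probes in a firewall log.
SLAMMER_PORT = 1434             # SQL Server Resolution Service, UDP
SLAMMER_SIZE = 376 + 8 + 20     # worm payload + UDP header + IPv4 header = 404

# Constructed sample in Windows Firewall log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-10-12 14:02:11 DROP UDP 203.0.113.7 192.0.2.10 1048 1434 404 - - - - - - - RECEIVE
2013-10-12 14:05:40 DROP TCP 203.0.113.9 192.0.2.10 51512 445 52 S 1200 0 8192 - - - RECEIVE
2013-10-12 14:09:03 ALLOW UDP 198.51.100.23 192.0.2.10 3321 1434 404 - - - - - - - RECEIVE
2013-10-12 14:09:30 DROP UDP 198.51.100.40 192.0.2.10 40000 1434 61 - - - - - - - RECEIVE
2013-10-12 14:10:00 ALLOW UDP 192.0.2.10 192.0.2.53 50000 53 70 - - - - - - - SEND
2013-10-12 14:11 truncated line
"""


def triage(log_text):
    """Return one finding per inbound UDP/1434 packet, packets that got through first."""
    fields, findings = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log itself
            continue
        parts = line.split()
        if not fields or line.startswith("#") or len(parts) != len(fields):
            continue                        # header, blank, or malformed line
        rec = dict(zip(fields, parts))
        wanted = ("UDP", "RECEIVE", str(SLAMMER_PORT))
        if (rec.get("protocol"), rec.get("path"), rec.get("dst-port")) != wanted:
            continue
        findings.append({
            "time": rec.get("date", "?") + " " + rec.get("time", "?"),
            "src": rec.get("src-ip", "?"),
            "blocked": rec.get("action") == "DROP",
            # Assumption: the "size" column is the IP packet length.
            "slammer_sized": rec.get("size") == str(SLAMMER_SIZE),
        })
    # Allowed packets sort ahead of dropped ones; Slammer-sized ahead of other sizes.
    return sorted(findings, key=lambda f: (f["blocked"], not f["slammer_sized"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "blocked" if f["blocked"] else "REACHED HOST, check for SQL Server 2000/MSDE"
        kind = "Slammer-sized" if f["slammer_sized"] else "other UDP/1434"
        print(f'{f["time"]}  {f["src"]:<15}  {kind:<15}  {state}')
```

A dropped entry matches the "successfully repelled" case in the alert; an allowed entry only matters if a SQL Server 2000 or MSDE instance is actually installed on the machine.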

#3 chesterlestreet


Posted 14 October 2013 - 12:56 PM

hi

 

i've checked IE, chrome and firefox addons and plugins, nothing suspect to report.

 

my main concern was finding out what installed on my computer during the automatic boot, as i know i didn't restart the computer, it restarted automatically from the lock screen. first time in 10 years of owning dells i get a message on the dell logo screen as soon as the computer starts 'program installing please wait'   -   WEIRD STUFF :-)   never had any messages before of programs installing on the dell logo screen upon boot

 

i did an anti virus scan, TDSSKiller scan and malwarebytes, all three scans found nothing.

 

 

It's probably nothing to worry about, maybe i'm paranoid.

 

Thank you very much for the quick response, have a nice day.



#4 quietman7


Posted 14 October 2013 - 03:10 PM

These tools will search for and remove many unwanted programs (PUPs), toolbars, browser extensions, add-ons and other junkware. So if you want to check further, follow the instructions below.

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
-- Note: The contents of the log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).


Please download Junkware Removal Tool and save it to your Desktop.
  • Close all open programs and shut down any protection/security software now to avoid potential conflicts.
  • Double-click on JRT.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.


#5 chesterlestreet


Posted 15 October 2013 - 09:39 AM

hello

 

i downloaded AdwCleaner and Junkware Removal Tool, below are the logfile and JRT.txt respectively.

 

Thank you.

# AdwCleaner v3.007 - Report created 15/10/2013 at 14:14:03
# Updated 09/10/2013 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : 8700 - XPS
# Running from : C:\Users\8700\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Program Files (x86)\Viewpoint

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16537


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\8700\AppData\Roaming\Mozilla\Firefox\Profiles\ml97axi9.default\prefs.js ]

Line Deleted : user_pref("extensions.xnotifier.accounts.[aol#jackbiscuit@aol.com].inboxOnly", true);
Line Deleted : user_pref("extensions.xnotifier.accounts.[gmail#emailviruses@gmail.com].inboxOnly", true);
Line Deleted : user_pref("extensions.xnotifier.accounts.[gmail#gchq1968@gmail.com].inboxOnly", true);
Line Deleted : user_pref("extensions.xnotifier.accounts.[hotmail#emailemails@msn.com].inboxOnly", true);
Line Deleted : user_pref("extensions.xnotifier.accounts.[hotmail#emailviruses@msn.com].inboxOnly", true);
Line Deleted : user_pref("extensions.xnotifier.accounts.[yahoo#emalmeviruses@yahoo.com].inboxOnly", true);

-\\ Google Chrome v30.0.1599.69

[ File : C:\Users\8700\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2645 octets] - [15/10/2013 14:11:21]
AdwCleaner[S0].txt - [2614 octets] - [15/10/2013 14:14:03]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2674 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.4 (10.06.2013:1)
OS: Windows 8 x64
Ran by 8700 on 15/10/2013 at 14:46:11.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\8700\AppData\Roaming\mozilla\firefox\profiles\ml97axi9.default\minidumps [1 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15/10/2013 at 14:49:27.88
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#6 quietman7


Posted 15 October 2013 - 10:11 AM

We found a few things but nothing of significant concern.

You can try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
Vista/Windows 7/8 users need to run Internet Explorer/Firefox as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green esetOnline.png button.
  • Read the End User License Agreement and check the box:
  • Check esetAcceptTerms.png.
  • Click the esetStart.png button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check esetScanArchives.png and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop as ESETScan.txt.
  • Push the esetBack.png button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.
  • -- Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. Be careful what you choose to remove. If in doubt, ask before taking action.



#7 chesterlestreet


Posted 15 October 2013 - 12:18 PM

hello

 

here are the results from the eset scan.

 

thanks.

C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe    a variant of Win32/HiddenStart.A application    cleaned by deleting - quarantined
 



#8 quietman7


Posted 15 October 2013 - 01:48 PM

I don't see anything which could have caused the issue you described in your first post. It may possibly have been an update to something you already have installed.

#9 chesterlestreet


Posted 15 October 2013 - 01:54 PM

so far so good based on all the tests. 

 

 

thank you very much for your time over the two days.

 

have a nice day.


Edited by chesterlestreet, 15 October 2013 - 01:55 PM.


#10 quietman7


Posted 15 October 2013 - 01:59 PM

You're welcome.



