TechSpot

Ie pop ups,mouse clicking,volume issue and advertisements heard

By d7jrobin
Jul 10, 2010
  1. Hi, I have seen other post similar to the problem I am having. I use mozilla but get random ie pop ups and constant mouse clicking tones. The volume control mutes itself and I also get random advertisements playing in the background with no video. I use microsoft essentials and get multiple infection results almost everytime I run a scan. I tried restoring to an earlier date but the problem will not go away. Any help would be appreciated as this is the limits of my usual fixes. Thanks,
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

  3. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    I am trying to run DDS and the instruction box displays but nothing else seems to be happening. I have microsoft essentials turned off and my wireless disconnected. I am not sure if I have any other script protection on. I use windows xp home. Are their other scripts I need to disable. Thanks for the help,
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 8cedfa5de235f2c6eceb00dafafd92fd

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.

    Restart computer and let me know, how the machine is doing.
     
  7. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    When I double click fix.bat it says windows cannot find remover.exe in dialog box. I closed it and ran remover again with same result:

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 8cedfa5de235f2c6eceb00dafafd92fd

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...



    Am I doing this the right way? Thanks again
     
  8. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Did you download Bootkit Remover to your Desktop?
     
  9. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    My files automatically download into my documents then into my downloads folder. I send a shortcut to my desktop and tried to open from their.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    You have to move a whole remover.exe file to your desktop. Shortcut won't do.
     
  11. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    I downloaded remover to the desktop but got the same results. I redownloaded dds to the desktop and was able to generate logs. Here are the logs from the first steps

    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\0TD8cUuk.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\RAuywQ7a.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-10 16:31:39
    Windows 5.1.2600 Service Pack 3
    Running: 4in2yrm3.exe; Driver: C:\DOCUME~1\JASON\LOCALS~1\Temp\awldypog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? cffukfi.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[740] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    ? C:\WINDOWS\system32\svchost.exe[1892] C:\WINDOWS\system32\SHLWAPI.dll IMAGE_DOS_SIGNATURE not found;

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----
     

    Attached Files:

    • dds.zip
      File size:
      6.7 KB
      Views:
      2
  12. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please, don't zip any files.
    I still need Attach.txt file.

    When posting logs, make sure you post them completed. For instance, Malwarebytes log has top missing.
     

    Attached Files:

    • dds.txt
      File size:
      34.6 KB
      Views:
      3
  13. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Actually, you posted Attach.txt, but main DDS log is missing
     
  14. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    If you have remover.exe on your desktop, please re-do steps from my reply #6.
    Don't rush anything.
    Make sure, you copy/paste ALL text from my code box. Don't try to type it manually.
    Let me know, what happens.

    Don't try, or run anything else. At this point, removing rootkit, you're infected with is the main goal.
     
  15. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    Sorry about that. Hopefully I got it right this time. Heres the malware again and the two files as txt. Thanks,

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4300

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    7/10/2010 4:06:18 PM
    mbam-log-2010-07-10 (16-06-18).txt

    Scan type: Quick scan
    Objects scanned: 169740
    Time elapsed: 10 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\0TD8cUuk.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\RAuywQ7a.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    You're not listening to me:
     
  17. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    My bad. I'm using another computer to try keep up with post to keep my computer usage minimal. I started logging info again after post 12. Does my internet and antivirus need to be off when running remover.exe?
     
  18. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    Here is the info from remover this time,

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Press any key to quit...
     
  19. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    I restarted after remover info and received a message box stating that windows has finished installing new devices and need to restart computer. Should I restart again?
     
  20. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Now you're talking!
    Good job :)
    Rootkit is gone.
    Restart computer and tell me how is your computer doing and we'll go from there.
     
  21. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Go ahead.
     
  22. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    Restarted fine. I restarted again after testing the volume. When i would restart before, the main volume control would mute. No mute this time. Hopefully its good. Do I need to remove the downloads or more steps?
     
  23. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good news :)
    More steps. We only removed the main culprit.

    Now, I need:

    1. Both DDS logs.

    2. Update Malwarebytes, run "Quick Scan", post new log.

    3. Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  24. d7jrobin

    d7jrobin TS Rookie Topic Starter Posts: 25

    Before running combofix, should I turn off my WIFI or let combofix disconnect my internet?
     
  25. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Combofix will do it for you.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...