Random audio and IE popups, nothing in HJT log

Status
Not open for further replies.

blahdu

Hi all,

Whatever it is that I have, it's hiding itself very well. I've looked through the HJT log myself and can't find anything, have run Spybot, Ad-Aware, and Malwarebytes, and I'm still getting popups and audio ads. Anything that you guys can suggest is greatly appreciated.

For the record, the popups and audio aren't that frequent, although the audio is more frequent than the popups. My computer doesn't seem to be running much slower, maybe slightly, although I have noticed that full-screen applications get kicked back to Windows (the program stays running; it just returns to the desktop at random).

If anyone wants any other logs, I'll happily provide them.

thanks in advance,

-alex
 

Attachments

  • hijackthis.log
    5.3 KB · Views: 1
Alex, we don't 'screen' with HijackThis.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

And you will need to either uninstall this, disable it or take it off Startup while cleaning:
C:\Program Files\uTorrent\uTorrent.exe

And this is one indication of what malware you might have:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
 
Here is the GMER log. The DDS script runs, but it does not produce the two log files afterwards. I have disabled uTorrent from startup in msconfig.
 

Attachments

  • gmer.log
    814 bytes · Views: 1
Run DDS again please if you can find the logs:
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

When done, DDS will open two (2) logs:
DDS.txt
Attach.txt


Please attach both in your next reply.
 
I would also like you to run ComboFix:

Please download ComboFix from Here and save it to your Desktop.

  [1]. Do NOT rename ComboFix unless instructed.
  [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double-click combofix.exe and follow the prompts to run.
  • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If ComboFix asks you to install the Recovery Console, please allow it.
  [6]. If ComboFix asks you to update the program, always allow it.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  [7]. A report will be generated after the scan. Please paste the contents of C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
Re-enable your antivirus software.

Please paste the log in the next reply.
 
Thanks for your response. Here are all three logs. Windows Script Host was disabled in the registry; I enabled it and DDS worked fine.
 

Attachments

  • Attach.txt
    4 KB · Views: 1
  • DDS.txt
    8.8 KB · Views: 1
  • ComboFix2.txt
    14.7 KB · Views: 3
Also, for the record, since I have run these two scripts, Firefox is now not loading pages correctly and I cannot log into this vB board in Firefox. Not sure what changed, but IE is still displaying everything fine.
 
The MBR is infected with the Whistler Bootkit, so we'll be working on that. Group Policy has been set to disallow most functions, and the Services are disabled.

For the record, you haven't run any 'scripts' yet, at least not from me. You have run programs. I will be giving you a script to run within ComboFix.

I also need some help with translations:
1. NETSVCS VEREIST REPARATIES - huidige waarden worden getoond (Dutch: NETSVCS REQUIRES REPAIRS - current values are shown)
2. is niet aanwezig (Dutch: is not present)


Edit: I am going to ask for help with this, so be patient. Your entire MBR needs to be rewritten.
 
Non-Unicode programs are currently displaying in Dutch. These are the translations I got from Google:

1) NETSVCS REQUIRES REPAIRS - current values are displayed
2) is not present

Thanks for your response, and I hope you can help me soon!

Edit: To clarify, this is not my computer, so I do not know how or why non-Unicode programs got their language changed; the default language for Unicode is US English.
 
Here is a new ComboFix log. I did a bunch of googling on the Whistler bootkit last night while trying to decode the original ComboFix log, and I found a .rar that was a bootkit remover. Seeing as there isn't a dual-booter like GRUB on this machine, I figured that there wasn't much harm in trying it, as it was on another malware forum. I ran it and it found the code, so I ran the "fix" element of the executable and it looks to have removed it, although anything that was on the physical drive and not in the MBR is still here.

This appears to have solved the issue for now, i.e. the popups and audio are gone, but if you could take a look at the log I've provided and let me know if there's anything else that needs to be done, that would be greatly appreciated.
 

Attachments

  • cflog728.txt
    14.2 KB · Views: 1
If you had given me time, I would have come back and given you instructions. Your problem is still there. I have no idea what you ran or removed. It appears that you have uninstalled the previous ComboFix program, and with it the logs and any quarantined files, then reinstalled and run ComboFix again.

You can run fixmbr and then fixboot, but I will not take responsibility for the contents of this log.
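The bootkit exchange above (the helper's finding that the MBR is infected and must be rewritten, the fixmbr/fixboot advice, and the user's report that a third-party remover "found the code") comes down to one check: does the bootstrap code in sector 0 of the disk still match a known-good copy? The script below is an added example for this thread, not code from ComboFix, GMER, DDS or the remover the user ran. It parses a 512-byte MBR, hashes the bootstrap code separately from the per-disk signature and partition table (so a reference from a backup or another clean machine can be compared without false alarms), and lists what differs. The sample sectors are constructed placeholders: the prologue bytes are not real Windows boot code, and the "infected" patch is illustrative rather than a reproduction of Whistler's actual modification. The device paths named in read_mbr are assumptions for illustration. One caveat a practitioner should keep in mind: a bootkit that hooks disk I/O can hand the original sector back to tools running on the infected OS, which is one reason the helper asked for logs from GMER rather than trusting HijackThis, so read the sector from a clean boot environment (or with the disk attached to another machine) before drawing conclusions.

```python
"""Parse a 512-byte MBR and diff it against a known-good copy.

Added example for this thread; not code from ComboFix, GMER, DDS or the
bootkit remover mentioned above. All sample bytes below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440                # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440            # bytes 440..443: per-disk NT signature, 444..445 usually 0
PART_TABLE_OFF = 446          # four 16-byte partition entries, bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS first, type, CHS last, LBA first, sector count


def read_mbr(device_path):
    """Read sector 0 from a raw device.

    Assumed paths: \\.\PhysicalDrive0 on Windows (run as Administrator), /dev/sda on
    Linux (root). Read from a clean boot: a bootkit hooking disk I/O can return the
    original sector to tools running on the infected OS.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _chs_first, ptype, _chs_last, lba_first, sectors = struct.unpack(PART_ENTRY_FMT, raw)
    return {"bootable": status == 0x80, "type": ptype, "lba_first": lba_first, "sectors": sectors}


def parse_mbr(sector):
    """Return the boot-code hash, disk signature and partition table of a sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    table = sector[PART_TABLE_OFF:PART_TABLE_OFF + 64]
    return {
        # Hash only the code region: the disk signature is per machine and the
        # partition table is per disk, so a generic reference would never match them.
        "boot_code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)],
    }


def compare_mbr(live, reference):
    """List what differs between a live sector and a reference; [] means they match."""
    a, b = parse_mbr(live), parse_mbr(reference)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        # Point the analyst at the first patched byte of the bootstrap code.
        first = next(i for i in range(CODE_LEN) if live[i] != reference[i])
        findings.append("boot code differs from reference (first change at offset %d)" % first)
    for i, (p, q) in enumerate(zip(a["partitions"], b["partitions"])):
        if p != q:
            findings.append("partition entry %d changed: %r -> %r" % (i, q, p))
    return findings


def build_sector(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble a constructed sector from a code blob and (status, type, lba, count) tuples."""
    code = boot_code.ljust(CODE_LEN, b"\x00")
    sig = struct.pack("<I", disk_signature) + b"\x00\x00"
    table = b"".join(struct.pack(PART_ENTRY_FMT, st, b"\x01\x01\x00", t, b"\xfe\xff\xff", lba, n)
                     for st, t, lba, n in partitions)
    return code + sig + table + BOOT_SIGNATURE


# Constructed reference: a placeholder prologue padded with zeros, one bootable NTFS
# partition and one data partition. Not real Windows boot code.
REFERENCE_MBR = build_sector(
    bytes.fromhex("33c08ed0bc007c8ec08ed8"),
    [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 4000000), (0, 0, 0, 0), (0, 0, 0, 0)],
)

# Constructed "infected" sector: the first bytes are replaced with a jump into code stashed
# later in the sector, and an extra partition entry appears at the end of the disk. This is
# an illustrative patch, not a reproduction of any real bootkit.
_patched = bytearray(REFERENCE_MBR)
_patched[0:3] = b"\xeb\x3e\x90"
_patched[0x40:0x46] = b"\xb8\x00\x00\x8e\xd8\xfa"
_patched[PART_TABLE_OFF + 32:PART_TABLE_OFF + 48] = struct.pack(
    PART_ENTRY_FMT, 0x00, b"\x01\x01\x00", 0x27, b"\xfe\xff\xff", 8000000, 2048)
INFECTED_MBR = bytes(_patched)


if __name__ == "__main__":
    for name, sector in (("reference", REFERENCE_MBR), ("infected", INFECTED_MBR)):
        print(name + ":", compare_mbr(sector, REFERENCE_MBR) or "matches reference")
```

On a real disk, replace the constructed sectors with `read_mbr(...)` output taken from a clean boot and a reference saved before the infection (or from an identically installed machine, since the code region is hashed without the disk signature). After a rewrite with fixmbr, re-read sector 0 the same way and confirm `compare_mbr` returns an empty list rather than trusting that the tool reported success.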
 