Another: multiple iexplore popups, system wave muted.

2010-07-20, 14:53
Hey there everyone. Thanks very much in advance for your assistance. Below is my DDS log. I've also run Sophos which detected/quarantined some Sus/ComPack-B & Sus/ComPack-C files but I'm still getting these popups.

Spybot S&D, malwarebytes & Adaware all report I'm clean and clear.

Thanks again:

DDS (Ver_10-03-17.01) - NTFSx86
Run by craig.murphy at 13:42:21.85 on 20/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.985 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

2010-07-24, 11:11
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

2010-07-24, 13:33
Hi there and thanks for your post.

I'm still here and still have the issue.

Thanks again.

2010-07-25, 17:38
Hello spud101 :),

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :). We may begin.


Please post back Attach.txt from the DDS scan.


Please download MBRCheck© by a_d_13 from one of the links below and save it to your desktop.

Link 1 (http://ad13.geekstogo.com/MBRCheck.exe)
Link 2 (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe)
Link 3 (http://www.kernelmode.info/MBRCheck.exe)

Preliminary scan

Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running MBRCheck. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click on MBRCheck.exe to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
A command prompt window will open.
If you are presented with options, enter N at the prompt and press Enter twice.
Otherwise, just press Enter.
A log file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.


Check for Recovery Partition via script

Please download Preformat© by Noviciate and save to your desktop. Click here. (http://images.malwareremoval.com/Noviciate/Preformat.zip)
Extract Preformat.vbs from the zip file to the desktop and double click on it.
A script will run and will prompt that it has completed. Click OK.
A log will be created on the desktop as Preformat.txt. Please post the contents of this log.


Do you have the Windows XP Installation disc? Is the Recovery Console installed on your computer?

Is this a business computer?


Please post back:
1. Attach.txt
2. MBRCheck log
3. Preformat.txt
4. the answers to my questions

2010-07-27, 11:26

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 17/03/2009 08:32:33
System Uptime: 20/07/2010 11:00:43 (2 hours ago)

Motherboard: Dell Inc. | | 0F331C
Processor: Intel(R) Core(TM)2 Duo CPU U7700 @ 1.33GHz | Microprocessor | 1330/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 31.127 GiB free.
H: is NetworkDisk (NTFS) - 0 GiB total, 95.62 GiB free.
O: is NetworkDisk (NTFS) - 20 GiB total, 6.758 GiB free.
P: is NetworkDisk (NTFS) - 1073 GiB total, 22.139 GiB free.
R: is NetworkDisk (NTFS) - 20 GiB total, 6.758 GiB free.
Y: is NetworkDisk (NTFS) - 612 GiB total, 339.031 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\F2E470394FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\F2E470394FC000
Service: NIC1394

==== System Restore Points ===================

RP268: 29/06/2010 10:11:26 - Installed Windows XP KB943729.
RP269: 30/06/2010 09:51:30 - Installed Windows XP KB943729.
RP270: 30/06/2010 09:51:53 - Installed Windows XP KB943729.
RP271: 30/06/2010 10:01:23 - Installed Windows XP KB943729.
RP272: 30/06/2010 10:01:45 - Installed Windows XP KB943729.
RP273: 30/06/2010 10:51:54 - Installed Windows XP KB943729.
RP274: 30/06/2010 10:52:30 - Installed Windows XP KB943729.
RP275: 30/06/2010 17:02:53 - Software Distribution Service 3.0
RP276: 01/07/2010 09:58:33 - Software Distribution Service 3.0
RP277: 01/07/2010 12:25:02 - Installed Windows XP KB943729.
RP278: 01/07/2010 12:25:53 - Installed Windows XP KB943729.
RP279: 02/07/2010 10:34:17 - Installed Windows XP KB943729.
RP280: 02/07/2010 10:35:13 - Installed Windows XP KB943729.
RP281: 02/07/2010 11:04:45 - Installed Windows XP KB943729.
RP282: 02/07/2010 11:05:18 - Installed Windows XP KB943729.
RP283: 06/07/2010 09:38:29 - Installed Windows XP KB943729.
RP284: 06/07/2010 09:39:17 - Installed Windows XP KB943729.
RP285: 07/07/2010 09:36:36 - Installed Windows XP KB943729.
RP286: 07/07/2010 09:37:22 - Installed Windows XP KB943729.
RP287: 08/07/2010 09:42:20 - Installed Windows XP KB943729.
RP288: 08/07/2010 09:43:37 - Installed Windows XP KB943729.
RP289: 08/07/2010 10:24:35 - Installed Windows XP KB943729.
RP290: 08/07/2010 10:25:16 - Installed Windows XP KB943729.
RP291: 09/07/2010 09:15:31 - Installed Windows XP KB943729.
RP292: 09/07/2010 09:16:22 - Installed Windows XP KB943729.
RP293: 13/07/2010 09:31:17 - Installed Windows XP KB943729.
RP294: 13/07/2010 09:33:00 - Installed Windows XP KB943729.
RP295: 13/07/2010 11:58:16 - Removed Java 2 Runtime Environment, SE v1.4.2_19
RP296: 13/07/2010 12:00:10 - Removed Java(TM) 6 Update 17
RP297: 13/07/2010 14:00:23 - Removed product_name_not_used
RP298: 13/07/2010 14:06:52 - Installed Windows XP KB943729.
RP299: 13/07/2010 14:07:33 - Installed Windows XP KB943729.
RP300: 14/07/2010 08:36:02 - Installed Windows XP KB943729.
RP301: 14/07/2010 08:37:07 - Installed Windows XP KB943729.
RP302: 14/07/2010 15:20:18 - Installed Rapport
RP303: 14/07/2010 15:22:27 - Installed Windows XP KB943729.
RP304: 14/07/2010 15:23:03 - Installed Windows XP KB943729.
RP305: 15/07/2010 09:47:29 - Installed Windows XP KB943729.
RP306: 15/07/2010 09:48:52 - Installed Windows XP KB943729.
RP307: 15/07/2010 12:01:32 - Installed Windows XP KB943729.
RP308: 15/07/2010 12:03:54 - Installed Windows XP KB943729.
RP309: 19/07/2010 19:45:03 - System Checkpoint
RP310: 20/07/2010 08:09:12 - Software Distribution Service 3.0
RP311: 20/07/2010 10:10:26 - Removed SolarWinds SCP Server
RP312: 20/07/2010 10:12:25 - Configured SolarWinds Toolset v10.4

==== Installed Programs ======================

.print Client Windows (RDP)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Broadcom Gigabit Integrated Controller
Compatibility Pack for the 2007 Office system
Compliance Checker for VMware ESX
Conexant HDA D330 MDC V.92 Modem
DameWare Mini Remote Control Client Agent Service
Dell Resource CD
ERUNT 1.1j
Google Chrome
Google Desktop
Google Gears
Google Talk, Labs Edition
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Java Auto Updater
Juniper Installer Service
Juniper Networks Network Connect 6.0.0
Juniper Networks Network Connect 6.3.0
Juniper Networks Setup Client Activex Control
Lotus Notes 7.0.2
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Active Directory Topology Diagrammer
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Interop Forms Redistributable Package 2.0a
Microsoft Office Project Standard 2003
Microsoft Office Standard Edition 2003
Microsoft Office Visio Standard 2003
Microsoft Office Visio Viewer 2007
Microsoft RichCopy 4.0
Microsoft Silverlight
Mozilla Firefox (3.6.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Oracle JInitiator
OZ776 SCR Driver V1.1.3.9
Quest Secure Password Extension x86
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923789)
Segoe UI
SigmaTel Audio
Skype Toolbars
Skype™ 4.2
Sophos Anti-Rootkit 1.5.4
Sophos Anti-Virus
Sophos AutoUpdate
Sophos Remote Management System
Spybot - Search & Destroy
TomTom HOME Visual Studio Merge Modules
TreeSize Free V2.3.3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB980182)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.5
WebFldrs XP
Windows Driver Package - Amoi Incorporated (INQ1usbser) Modem (01/01/2007
Windows Driver Package - Amoi Incorporated (INQ1usbser) Ports (01/01/2007
Windows Driver Package - Amoi Incorporated (S2usbser) Modem (01/01/2007
Windows Driver Package - Amoi Incorporated (S2usbser) Ports (01/01/2007
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Resource Kit Tools - GPInventory.exe
WinRAR archiver

==== Event Viewer Messages From Past Week ========

20/07/2010 10:54:47, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SAVOnAccessControl SAVOnAccessFilter
19/07/2010 13:38:22, error: SAVOnAccessFilter [63] - Failed to obtain volume information from mount manager.
16/07/2010 11:43:34, error: Service Control Manager [7022] - The Sophos Anti-Virus service hung on starting.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file sstext3d.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file ssstars.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file sspipes.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file ssmyst.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file ssmypics.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file ssmarque.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file ssflwbox.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file ssbezier.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file ss3dfo.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file scrnsave.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:22:17, information: Windows File Protection [64005] - The protected system file logon.scr was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is craig.murphy. The file version of the bad file is unknown.
15/07/2010 14:12:13, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service Sophos AutoUpdate Service with arguments "-Service" in order to run the server: {ACB50159-5EFF-47D5-B93F-5433C1BD2F3A}
15/07/2010 12:59:25, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
15/07/2010 12:53:41, error: DCOM [10000] - Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}. The error: "%5" Happened while starting this command: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
15/07/2010 12:00:03, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
15/07/2010 11:57:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
15/07/2010 11:29:41, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
15/07/2010 10:51:57, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVOnAccessControl SAVOnAccessFilter Tcpip
15/07/2010 10:51:57, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
15/07/2010 10:51:57, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
15/07/2010 10:51:57, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
15/07/2010 10:51:57, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
15/07/2010 10:13:14, error: System Error [1003] - Error code 10000050, parameter1 e5d07a89, parameter2 00000000, parameter3 a5fee997, parameter4 00000001.
15/07/2010 10:09:00, error: NETLOGON [5719] - No Domain Controller is available for domain RICOH-EUROPE due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
15/07/2010 10:07:20, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.
14/07/2010 15:58:25, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Sophos Anti-Virus status reporter service to connect.
14/07/2010 15:58:25, error: Service Control Manager [7000] - The Sophos Anti-Virus status reporter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
14/07/2010 11:58:12, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

==== End Of File ===========================

2010-07-27, 11:27
MBRCheck, version 1.1.1

(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status


74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...

2010-07-27, 11:29
Partition ID: Disk #0, Partition #0
Size: 180.39 MB


Partition ID: Disk #0, Partition #1
Size: 74.35 GB

The computer boots from this partition.


BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A08
Status: OK

This is the primary BIOS.


2010-07-27, 11:39
Do you have the Windows XP Installation disc?
No sorry.

Is the Recovery Console installed on your computer?

Is this a business computer?
Not any more, it was an old one that was 'upgraded' so I got to keep it.

2010-07-27, 18:14
Hello spud101 :),

Your computer is infected with the Whistler Bootkit. Sorry for the bad news.

It affects the Master Boot Record (MBR), which is located at the first sector of your hard disk and executed for the computer to boot up. Due to your computer being an Original Equipment Manufacturer (OEM) machine, Dell in this case, and having a custom MBR, I will not be able to proceed further due to the possibility of making it unbootable.

I suggest that you contact the manufacturer of your computer to assist you in this matter as they will be better equipped to deal with it, more efficiently and effectively. If you have any questions, please ask.
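The helper's point above is that the bootkit lives in the boot code at the very start of the disk, ahead of the partition table, which is why the two checks run in this thread were a partition listing (Preformat) and a boot-code fingerprint (MBRCheck). The Python below is an added example, not code from this thread or from either tool: it parses a 512-byte MBR, lists the partitions and compares a hash of the 446 boot-code bytes against a trusted baseline; the sample sector, its layout and the baseline hash set are constructed for the demo, and the Dell partition type and sizes only loosely mirror the Preformat output.

```python
"""Offline MBR parser and boot-code fingerprint check (added example).
Not code from the thread, MBRCheck or Preformat. The sample boot code,
layout and 'known-good' hash set are constructed; a real baseline would
come from the OEM or Windows install image."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code the BIOS executes
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # trailing 0x55AA boot signature
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,      # active flag
            "type": ptype,                   # 0x07 = NTFS, 0xDE = Dell utility
            "lba_start": lba,
            "sectors": count,
            "size_mb": round(count * SECTOR / (1024 * 1024), 2),
        })
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector: bytes, known_good: set) -> dict:
    """Flag boot code whose hash is not in the trusted baseline; a bootkit
    that overwrites the MBR changes these bytes while leaving the table intact."""
    info = parse_mbr(sector)
    info["boot_code_known"] = info["boot_code_sha256"] in known_good
    info["boot_partition"] = next(
        (p["index"] for p in info["partitions"] if p["bootable"]), None)
    return info

def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for status, ptype, lba, count in entries:
        sector += PART_ENTRY.pack(status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    sector += b"\x00" * (SIGNATURE_OFF - len(sector))
    return bytes(sector + b"\x55\xaa")

# --- constructed sample data (not real Dell/Windows boot code) ---
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
TAMPERED_BOOT_CODE = b"\xeb\xfe" + b"\x00" * 46        # stand-in for replaced code
LAYOUT = [
    (0x00, 0xDE, 63, 368_640),              # ~180 MB utility partition
    (0x80, 0x07, 368_703, 155_923_200),     # ~74.35 GB bootable NTFS (C:)
]
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()}
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, LAYOUT)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, LAYOUT)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(mbr, KNOWN_GOOD)
        print(f"{name}: boot code known={r['boot_code_known']}, "
              f"boots from partition {r['boot_partition']}")
        for p in r["partitions"]:
            print(f"  partition {p['index']} type {p['type']:#04x} {p['size_mb']} MB")
```

Both sample sectors list the same two partitions, so the partition table alone cannot tell them apart; only the boot-code hash does, which is the same reason Preformat looked clean while MBRCheck did not.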

2010-07-30, 18:30
Hello spud101 :),

Sorry I could not help you further. I see signs of ComboFix being used on your computer.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Now, we need to clear off some of the tools I asked you to download and ComboFix.
Go to Start > Run... Copy and paste the following text into the white box:
ComboFix /uninstall
Click OK.
Delete the MBRCheck and Preformat files from your desktop.

Some tips to help you stay clean and safe after you get the MBR issue sorted out:

1. Keep your Windows up to date. Enable Automatic Updates (http://www.bleepingcomputer.com/tutorials/tutorial35.html) to always get the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Update your antivirus program regularly; it is a must for constant protection against viruses. Please keep only one AV installed.

3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool (http://www.malwarebytes.org/mbam.php), totally free but for real-time protection you will have to pay a small one-time fee.

4. Install WinPatrol, a great protection program (http://www.winpatrol.com/) that helps you monitor for unwanted files or applications.

5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts (http://www.mvps.org/winhelp2002/hosts.htm) for this purpose.

6. Install Web of Trust (WOT). WOT (http://www.mywot.com/) keeps you away from dangerous websites with warnings and blocking.

7. Protect your computer from removable or USB drive infections with Panda USB Vaccine (http://www.pandasecurity.com/homeusers/downloads/usbvaccine/), an effective method to prevent malware from spreading.

8. Keep all your software updated. Visit Secunia Software Inspector (http://secunia.com/software_inspector/) to find out if any updates are required.

9. If you have been a victim of malware before, Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

10. Also look up How to prevent malware: By miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) and So how did I get infected in the first place? By Tony Klein (http://malwareremoval.com/forum/viewtopic.php?f=11&t=4959).

Stay safe.


As we have reached a point where we cannot proceed further and you need to seek help from alternative sources, this topic is now closed.

We are glad to be of help up to this point. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)