
Thread: Background click and "bubbling" .wav sound playing on my PC

  1. #1
    chemwiz1 (Junior Member)
    Join Date: Jun 2011
    Posts: 2

    Background click and "bubbling" .wav sound playing on my PC

    I've seen earlier posts for this problem, but the solutions don't apply to me, and the earlier posts are a couple of years old.

    I was hit on 6/5/11 with malware from a legitimate website that I had accessed just the day before with no problems. Malwarebytes (MBAM) identified the culprits as Trojan.Agent.GD and Trojan.FakeMS. These trojans installed a start-up program called NfeiQASGux and ran from a program called 26992420.exe on my PC.

    I thought MBAM had scrubbed the trojans, but I found later that I could hear a sound in the background that occurred randomly whether or not I was connected to the Internet. It also occurred when I was in Safe Mode without networking. The sound is a click followed by a "bubbling" sound like someone pouring something out of a bottle. It seems like it's a program that's hidden and keeps trying to open or is opening, and I just can't see it. It doesn't show up in TaskManager Applications, Processes, or Networking.

    I ran updated MBAM and Microsoft Security Essentials several times in full System Mode and in Safe Mode without networking, and both showed that my PC was clean. I then ran ComboFix (it found and fixed the Process.exe virus and revealed several items such as desktop icons and Start Menu Programs that had been hidden by the trojans), followed by ESET Online Antivirus (it found the malware items that ComboFix had quarantined -- after I uninstalled ComboFix, ESET found no malware), and TFC (Temporary File Cleaner) to get rid of remnants that might be hiding in the Temp files. All these tools now show my PC to be clean.

    But, the sound continues to occur.

    I then ran BootKit Remover (http://www.esagelab.com), and it states that unknown boot code has been found on my hard drive, indicating that malware has infected it. I ran Microsoft Windows Recovery Console to see if I could fix the master boot record (fixmbr), but I got a warning message that this could do serious damage to my PC.

    Should I go ahead and run fixmbr, run the BootKit Remover "fix" command, or do nothing?

    Please advise!

    I've attached my most recent HJThis, MBAM (original infected log plus current clean log), ComboFix, ESET (log showing items quarantined by ComboFix plus current clean log), and BootKit logs:

    ==========================================
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:33:07 PM, on 6/9/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\OEM02Mon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071226
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [OEM02Mon.exe] "C:\WINDOWS\OEM02Mon.exe"
    O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
    O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"
    O4 - HKLM\..\Run: [KADxMain] "C:\WINDOWS\system32\KADxMain.exe"
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_se...zTCPConfig.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199584626484
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos...ineScanner.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-31-0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8885 bytes
    ===================================================

    INFECTED MBAM Log

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6777

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/5/2011 4:54:57 PM
    mbam-log-2011-06-05 (16-54-57).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 228384
    Time elapsed: 1 hour(s), 3 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\26992420.exe (Trojan.Agent.GD) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\nfeiqasguw.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    ===========================================

    Current Clean MBAM Log

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6818

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/9/2011 10:35:48 AM
    mbam-log-2011-06-09 (10-35-48).txt

    Scan type: Quick scan
    Objects scanned: 155381
    Time elapsed: 5 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ==========================================================

    ComboFix 11-06-06.02 - Kristina Paquette 06/09/2011 11:06:07.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.433 [GMT -4:00]
    Running from: c:\documents and settings\Kristina Paquette\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-09 14:27 . 2011-06-09 14:27 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FDA99AB-47EF-4F13-89C6-921B28AB4323}\MpKslb295b43f.sys
    2011-06-09 12:11 . 2011-05-09 17:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FDA99AB-47EF-4F13-89C6-921B28AB4323}\mpengine.dll
    2011-06-07 20:39 . 2011-06-07 20:39 -------- d-----w- c:\documents and settings\Kristina Paquette\Application Data\Dell
    2011-06-07 20:39 . 2011-06-07 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
    2011-06-07 20:29 . 2011-06-07 20:30 -------- d-----w- c:\documents and settings\Kristina Paquette\Application Data\PCDr
    2011-06-06 08:29 . 2011-05-09 17:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-06-06 02:24 . 2011-06-06 02:24 -------- d-----w- c:\program files\Malwarebytes' anti-malware
    2011-06-05 23:17 . 2011-06-05 23:17 -------- d-----w- c:\documents and settings\Kristina Paquette\Application Data\DataSafeOnline
    2011-06-05 23:11 . 2011-06-05 23:11 -------- d-----w- c:\documents and settings\Kristina Paquette\Application Data\Creative
    2011-06-05 19:47 . 2011-06-05 21:33 -------- d-----w- C:\Kris
    2011-05-16 09:37 . 2011-06-05 22:52 -------- d-----w- c:\program files\CCleaner
    2011-05-16 09:19 . 2011-06-04 17:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-06 05:41 . 2011-04-25 01:41 44 ----a-w- c:\windows\system32\stopSvc.bat
    2011-06-06 05:41 . 2011-04-25 01:41 260 ----a-w- c:\windows\system32\cmdVBS.vbs
    2011-05-29 13:11 . 2010-02-16 16:53 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2010-02-16 16:53 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-18 05:24 . 2011-05-07 03:05 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2011-03-18 05:24 . 2011-05-07 03:05 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2011-03-18 05:24 . 2011-05-07 03:05 104448 ----a-w- c:\windows\system32\zlcommdb.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
    "DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
    "SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2007-07-10 405504]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
    "QD FastAndSafe"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\Kristina Paquette\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-26 50688]
    Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-1-9 200704]
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 20:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-12 18:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:DCOM(135)
    "50000:UDP"= 50000:UDP:IHA_MessageCenter
    .
    R1 MpKslb295b43f;MpKslb295b43f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FDA99AB-47EF-4F13-89C6-921B28AB4323}\MpKslb295b43f.sys [6/9/2011 10:27 AM 28752]
    R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [1/3/2008 8:07 AM 135168]
    S1 MpKsl926ee030;MpKsl926ee030;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D716FA2B-77AC-4275-8640-132B42D9AC48}\MpKsl926ee030.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D716FA2B-77AC-4275-8640-132B42D9AC48}\MpKsl926ee030.sys [?]
    S1 MpKslcd2e4441;MpKslcd2e4441;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{28E1E272-60B0-434F-A0FB-7ACBE6EB5B6E}\MpKslcd2e4441.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{28E1E272-60B0-434F-A0FB-7ACBE6EB5B6E}\MpKslcd2e4441.sys [?]
    S1 MpKslebd4e001;MpKslebd4e001;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C3D18E9B-3DFF-4D72-8940-8CE34AE6F48E}\MpKslebd4e001.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C3D18E9B-3DFF-4D72-8940-8CE34AE6F48E}\MpKslebd4e001.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLB295B43F
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-06-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
    .
    2011-06-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071226
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
    DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-09 11:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,23,9f,79,9f,90,d5,4f,85,0a,b2,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,23,9f,79,9f,90,d5,4f,85,0a,b2,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3976)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-06-09 11:14:10
    ComboFix-quarantined-files.txt 2011-06-09 15:14
    ComboFix2.txt 2011-06-09 14:07
    ComboFix3.txt 2011-06-09 13:24
    .
    Pre-Run: 52,482,424,832 bytes free
    Post-Run: 52,326,612,992 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 2330190F86DB9E4D34654B9C7F18A90D
    =================================================

    ESET Log Showing Items Quarantined by ComboFix Followed by Current Clean Log

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6526
    # api_version=3.0.2
    # EOSSerial=e5c952260c8dec41aec92487e6a2533f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-06-09 04:56:01
    # local_time=2011-06-09 12:56:01 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5891 16776869 42 87 0 18742797 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 1975117 6288447 0 0
    # scanned=79604
    # found=3
    # cleaned=0
    # scan_time=4228
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP324\A0071456.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0082282.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I


    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6526
    # api_version=3.0.2
    # EOSSerial=e5c952260c8dec41aec92487e6a2533f
    # end=stopped
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-06-09 06:25:38
    # local_time=2011-06-09 02:25:38 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5891 16776533 42 87 0 18752363 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 1984683 6298013 0 0
    # scanned=318
    # found=0
    # cleaned=0
    # scan_time=39
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6526
    # api_version=3.0.2
    # EOSSerial=e5c952260c8dec41aec92487e6a2533f
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-06-09 07:18:41
    # local_time=2011-06-09 03:18:41 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5891 16776869 42 87 0 18752488 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 1984808 6298138 0 0
    # scanned=67235
    # found=0
    # cleaned=0
    # scan_time=3097
    ================================================

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com
    Program version: 1.2.0.0

    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`04e71400

    Boot sector MD5 is: d151c79dcec0bf1ec983bea63558a0ef



    Size Device Name MBR Status
    --------------------------------------------

    74 GB \\.\PhysicalDrive0 Unknown boot code



    Unknown boot code has been found on some of your physical disks.

    To inspect the boot code manually, dump the master boot sector:

    remover.exe dump <device_name> [output_file]

    To disinfect the master boot sector, use the following command:

    remover.exe fix <device_name>



    Done;
    Last edited by tashi; 2011-06-10 at 05:20. Reason: Disabled link
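
    As an added triage example (not code from the thread or from HijackThis, MBAM or any other tool named here): a small Python parser for the HijackThis O2 (BHO), O4 (Run key) and O23 (service) line types, with heuristic checks for dangling entries and for autostart executables placed under user-writable data directories, which is where the MBAM log above located both trojans. The sample lines are constructed for this example (most are copied from the posted log; the NfeiQASGux Run entry is reconstructed from the poster's description), and the heuristics are my own assumptions, not checks the tools themselves perform.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: HijackThis 2.0.4 lines in the format of the log posted
# in the thread. The O2/O23 lines are copied from that log; the NfeiQASGux O4 line
# is reconstructed from the poster's description of the start-up entry (assumption).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NfeiQASGux] C:\Documents and Settings\All Users\Application Data\26992420.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Heuristic (my assumption): legitimate autostarts rarely live in user-writable
# data directories, whereas both trojans in the MBAM log sat under
# "All Users\Application Data". A hit is a review prompt, not a verdict.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
DANGLING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    kind: str        # "O2", "O4" or "O23"
    name: str
    path: str        # raw command/path text as it appears in the log line
    exe: str         # executable path extracted from `path` ("" if none)
    reasons: List[str] = field(default_factory=list)


def extract_exe(cmd: str) -> str:
    """Pull the executable path out of a Run command or service path string."""
    cmd = cmd.strip()
    if cmd.lower() in DANGLING_MARKERS:
        return ""
    if cmd.startswith('"'):                      # quoted path, possibly with arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)   # unquoted path up to .exe
    return m.group(1) if m else cmd.split(" ")[0]


def parse_hjt(text: str) -> List[Entry]:
    """Parse O2, O4 and O23 lines; every other HijackThis line type is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], extract_exe(m["path"])))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["cmd"], extract_exe(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], extract_exe(m["path"])))
    return entries


def assess(entry: Entry) -> Entry:
    """Attach review reasons to an entry (mutates and returns it)."""
    low_path, low_exe = entry.path.lower(), entry.exe.lower()
    if any(marker in low_path for marker in DANGLING_MARKERS):
        entry.reasons.append("dangling entry: target file is missing")
    if any(d in low_exe for d in USER_WRITABLE_DIRS):
        entry.reasons.append("executable lives in a user-writable data directory")
    stem = low_exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.isdigit():
        entry.reasons.append("executable name is all digits (looks auto-generated)")
    return entry


def triage(text: str) -> List[Entry]:
    """Return only the parsed entries that collected at least one review reason."""
    return [e for e in (assess(e) for e in parse_hjt(text)) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT):
        print(f"{e.kind:<4}{e.name}\n    {e.exe or e.path}\n    -> {'; '.join(e.reasons)}")
```

    Run against the full posted log, the same checks would surface the stale NAV Helper BHO and the missing Dell service, while the two Run entries MBAM removed would only reappear if the Run value itself had survived the cleanup.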

  2. #2
    tashi (Member of Team Spybot)
    Join Date: Oct 2005
    Location: USA
    Posts: 30,955

    Hello chemwiz1,

    Looks like you missed the stickies in this forum.

    Please DO NOT RUN ComboFix without being asked

    Please see the forum FAQ which includes guidelines and instructions in post #2 on how to provide preliminary "DDS" logs used for analysis.

    "BEFORE You POST" (Please read this Procedure Before Requesting Assistance)

    Then start a new topic providing the DDS logs as shown in that sticky and a link back to this thread.

    If DDS won't run and produce a log please start a new topic anyway and explain the situation.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    chemwiz1 (Junior Member)
    Join Date: Jun 2011
    Posts: 2

    Random .wav sound after trojan removal

    Here's a link to my original post about this problem: Removed

    I've attached the requested DDS log.

    Update: I just ran Sysinternals RootkitRevealer v. 1.7 and Kaspersky TDSSKiller v. 2.5.4.0, and neither found anything. RootkitRevealer showed 3 files, but they were expected. TDSSKiller found absolutely nothing. I can provide the log files if they would be helpful.

    So, it doesn't look like a Boot Record problem.

    When the malware was running rampant on my PC, it hid all my files and desktop icons and broke the links between my Start Menu Programs and their executables. I'm thinking that this click-bubbling sound I'm hearing is some program or function that is still hidden (e.g., a "suppressed" balloon tip that is trying to show itself). I noticed that the balloon tips that normally pop up during startup are no longer there. I went into Regedit to enable balloon tips, but they haven't come back, and the sound persists.
    Last edited by tashi; 2011-06-10 at 08:27. Reason: Merged two topics

  4. #4
    tashi (Member of Team Spybot)
    Join Date: Oct 2005
    Location: USA
    Posts: 30,955

    Hello chemwiz1,
    Quote (originally posted by tashi):
    Please see the forum FAQ which includes guidelines and instructions in post #2 on how to provide preliminary "DDS" logs used for analysis.

    "BEFORE You POST" (Please read this Procedure Before Requesting Assistance)

    Then start a new topic providing the DDS logs as shown in that sticky and a link back to this thread.
    From the sticky.
    DDS Log

    Download to your desktop DDS from one of the links below:

    Link 1
    Link 2

    • Double click the tool to run it.
    • If a black Screen opens, just read the contents and do nothing.
    • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
    • Copy/Paste the contents of 'DDS.txt' into your post.
    • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)
    The attach.txt is correctly attached to your topic, however it is not the DDS.txt which should be copy pasted into the thread.

    Also,
    Quote (originally posted by chemwiz1):
    Update: I just ran Sysinternals RootkitRevealer v. 1.7 and Kaspersky TDSSKiller v. 2.5.4.0, and neither found anything. RootkitRevealer showed 3 files, but they were expected. TDSSKiller found absolutely nothing. I can provide the log files if they would be helpful.

    So, it doesn't look like a Boot Record problem.
    As you are requesting assistance, from the same FAQ:
    Please do not attempt to "do it yourself" while waiting for someone to respond to your topic.
    If you are able to wait for someone to respond please post the logs requested into a new topic.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
