Unsure if this is a virus or not?

Hi Dave,

I ran Dr.Web CureIt, but no viruses were found and so no file was saved. And so... nothing. What do you think?

GDT

How's your computer running? Still having those problems?

The computer is running fine, but I am still having the iexplore.com running in the background, the deselection, and the occasional popups. Er, I guess that means it's not running fine.

Would it be a bad idea to just uninstall Explorer?

Quote
but I am still having the iexplore.com running in the background,

Do you mean that IE is opening by itself?

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double-click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Hi Dave,

Yes, the problem continues. Let me explain again because I don't think I explained well the first time. Internet Explorer seems to be running by itself. I don't see it on the taskbar, but I hear the telltale "click" sound of a window opening every few MINUTES. Also, every 5 seconds whatever I'm working on becomes de-selected -- as if the computer is returning by itself to Explorer. The task manager shows Explorer to be running. I click "end process" and it just comes back a few seconds later.

Here's the latest log results:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A7F05000
Module End: A7F1D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA64C000
Module End: BA64E000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found

Hi Dave,

I started hunting through my program files to see if anything was suspicious. I noticed that there was STILL a folder named MSN. There are two subfolders there, Install and OOBE. Under OOBE there is a file called obepopc.dll. The description reads "MSN IA Poptimization."

Now, I didn't DELETE this file/folder just in case a STRAIGHT delete is the wrong thing to do. Maybe it requires some kind of "cleaner" delete. But does this file or folder make sense?

By the way, I live in Thailand and came back to North America two weeks ago. This is just when the problem started. I'll leave for Thailand tomorrow. Do you feel that maybe the VIRUS could be caused by either the router I'm using here, or perhaps has been lying dormant for a while? For the life of me, I can't think of anything I've downloaded that could have caused this problem.

Thanks,
GDT

From all the scans we've done, it would appear that your computer is clean. If your computer was set up in Thailand and you're now using it in North America, that could be the cause of all these problems. As for the MSN folder, it is legit, as are the files inside it.
Quote
Obepopc.dll is a 32-bit Dynamic Linked Library of code components for a graphics UI style application.

Please let me know what happens when you're back home in Asia.

Hi Dave,

My computer was purchased in the US and has traveled around the world through about 5 countries. I've used it everywhere. It's about 3 years old. There hadn't been any problems in Thailand (or any other country) but I just thought that maybe there had been a "sleeper" virus and that it was activated when I came to NA.

I am back in Thailand and the problem remains: IE running, the clicking sound, and the deselection of windows (which means I can't watch any movie full-screen for more than 5 seconds as it deselects). Typing this email to you just popped up another ad, although now the ad is in Thai!

I noticed that I'm running IE 6.0 which is old. That can't be the problem, but maybe it's helping the virus?

Outside of that, the only new downloads in the days running up to the virus were GetIt downloader (have it on another computer, no problems) and two programs to change PDF files to MOBI. Plus I bought a Kindle.

Any other ideas? I'd really rather not format this thing if I don't have to.

GDT

Quote
I noticed that I'm running IE 6.0 which is old. That can't be the problem, but maybe it's helping the virus?
Any un-updated program is more vulnerable to infections. Have you tried IE 8?

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
• Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
• Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
Hi Dave,

I have installed the new version of IE and ran the Windows CD. The problem remains.

-Dave

Hi Dave,

Do you remember how GMER crashed the computer? Well I tried running it again and yes, it crashed again. However just before doing so the blue screen told me that it had run into problems with a file called pxtdapow.sys. Does that mean anything?

GDT

GMER is a difficult program to run. It crashed my computer also. I'm going to check with someone about this problem.

Hi Dave,

I was able to get the problem solved through another person, I think. Turns out it was a rootkit virus called "Whistler". I did an internet search and it seems a lot of people have this virus right now. MBRCheck found it. I then ran ComboFix to cure it. I'm not sure why ComboFix didn't work the first time when I tried it with you. I swear I did everything you said! Oh, that said, it seemed to be a newer version.

But oh well, it's fixed now. Thanks very much for all your help.

GDT

Quote
Turns out it was a rootkit virus called "Whistler". I did an internet search and it seems a lot of people have this virus right now. MBRCheck found it. I then ran ComboFix to cure it. I'm not sure why ComboFix didn't work the first time when I tried it with you. I swear I did everything you said! Oh, that said, it seemed to be a newer version.

ComboFix will detect Whistler bootkit but it won't repair it. Please run this to check if it's still there.

Download the MBR Rootkit Detector to your desktop.

* Double-click mbr.exe and follow the prompts.
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste the contents of that log file to your next reply.
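For readers who want to see what an MBR bootkit check like the one discussed above actually examines, here is an added example (not part of the original thread, and not how mbr.exe or MBRCheck themselves work): it parses a raw 512-byte MBR and flags a missing 55AA signature, boot code whose hash is not in a known-good set, and more than one bootable partition. The sample sectors and the known-good hash are constructed; on a real system you would feed it the first 512 bytes of a disk image and a baseline hash taken from a known-clean machine.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439 hold boot code; the disk signature follows
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}


def check_mbr(sector: bytes, known_good: set) -> list:
    """Return a list of findings; an empty list means the sector looks as expected."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if mbr["boot_code_sha256"] not in known_good:
        # Boot code that no longer matches the OS/vendor baseline is the core
        # symptom of an MBR bootkit, which replaces the loader so it runs first.
        findings.append("boot code hash not in known-good set")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def _build(boot_code: bytes) -> bytes:
    """Assemble a constructed sample sector: one NTFS (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 409600)
    return (boot_code.ljust(BOOT_CODE_END, b"\0") + b"\x12\x34\x56\x78\0\0"
            + entry + b"\0" * 48 + BOOT_SIG)


# Constructed data, not taken from any real disk: CLEAN_MBR stands in for the
# known baseline; ALTERED_MBR has its first boot-code bytes overwritten.
CLEAN_MBR = _build(bytes(range(256)) + bytes(range(184)))
ALTERED_MBR = _build(b"\xeb\x58" + bytes(range(256)))
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}
```

A hash mismatch alone is not proof of infection (a legitimate OS repair or a different bootloader changes the boot code too), so treat a finding as a prompt to compare against a trusted copy rather than as a verdict.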
