Help: Random bleepy music and explorer.exe crashes

[Pastycrimper]

Hi,

Below is the MBAM log and I have attached the OTS.exe as described in the first pinned post.

Brief notes: Something is very wrong. I plugged in my mobile broadband dongle and shortly after the laptop was connected wierd music played that sounded like it was from a classic ZX Spectrum adventure game. I cant stop it with volume control or even by disabling the sound devices.....it sounds like its coming from the motherboard *beeper*.......it last normally about 3 minutes and then goes??? Now sometimes it wont log on and if I do then sometimes it crashes and is noticeably slower than ever. Note that I have used avast for a ong time and it serves well! I used to use a fixed landline connection and have never had any popups. In the last month I am living away from home and am using a mobile internet provider via a dongle.....since using this a number of avast popups have mentioned "blocking malicious site". And now this.....it alm ost seems as if my system was more vunerable using this dongle.

It took four restarts before I seem to have it running and not having crashed.....yet.

Thanks in advance
Dziga Walker

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7287

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

26/07/2011 23:33:05
mbam-log-2011-07-26 (23-33-05).txt

Scan type: Quick scan
Objects scanned: 166735
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Pondus]

sounds like you may have whistler rootkit   


* download aswMBR.exe and save to desktop  http://public.avast.com/~gmerek/aswMBR.exe
* double click aswMBR icon to run
* click scan, then "Save Log" and post it here in your next reply

[Pastycrimper]

I don't like the sound of the Whister!!! Quick web search reveals many unhappy people 

Here is the log from the aswMBR scan. Hope desperately that you can help.

Thanks again.

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-27 09:58:12
-----------------------------
09:58:12.329    OS Version: Windows 6.0.6002 Service Pack 2
09:58:12.329    Number of processors: 2 586 0x1706
09:58:12.329    ComputerName: DZIGA-PC  UserName: Dziga
09:58:14.170    Initialize success
09:58:14.404    AVAST engine defs: 11072700
09:58:28.897    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:58:28.897    Disk 0 Vendor: TOSHIBA_ LV01 Size: 305245MB BusType: 3
09:58:28.943    Disk 0 MBR read successfully
09:58:28.943    Disk 0 MBR scan
09:58:28.943    Disk 0 Windows VISTA default MBR code
09:58:28.959    Disk 0 scanning sectors +625141760
09:58:29.053    Disk 0 scanning C:\Windows\system32\drivers
09:58:38.054    Service scanning
09:58:39.614    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
09:58:40.207    Modules scanning
09:58:55.573    Disk 0 trace - called modules:
09:58:55.604    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spbu.sys hal.dll >>UNKNOWN [0x876e3938]<<
09:58:55.604    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88ee9ac8]
09:58:55.619    3 CLASSPNP.SYS[8c50a8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x877de028]
09:58:56.399    AVAST engine scan C:\Windows
09:58:59.644    AVAST engine scan C:\Windows\system32
10:00:31.450    AVAST engine scan C:\Windows\system32\drivers
10:00:40.904    AVAST engine scan C:\Users\Dziga
10:05:49.768    AVAST engine scan C:\ProgramData
10:08:55.174    Scan finished successfully
10:09:28.621    Disk 0 MBR has been saved successfully to "C:\Users\Dziga\Desktop\MBR.dat"
10:09:28.621    The log file has been saved successfully to "C:\Users\Dziga\Desktop\aswMBR_LOG.txt"

[Pondus]

No whistler,but you have this....suspicious

09:58:55.604    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spbu.sys hal.dll >>UNKNOWN [0x876e3938]<<

so i will leave this for Essexboy. He is usually in here at 08:00pm - 11:59pm uk time

[Pastycrimper]

Thanks Pondus,

Something is definitely strange. I will await Essex Boy and given how many threads I have read on these forums with himself and yourself aiding many people I feel in safe hands.....thanks again.

Another observation for you both while I wait:

The severity of this is now such that 4/5 times I boot, after logging on everything appears to freeze EXCEPT the mouse. I.e I get my normal desktop screen but not even the clock changes but the mouse works. It always seems to freeze when Avast AND/OR Malwarebytes is loading. The trouble is if I cant boot, I cant plug in my mobile 3G broadband dongle (3 Network in the UK) to get on the internet. I booted in Safe-Mode and using MSCONFIG disabled: Malwarebytes, BecHelperService.exe (which is apparently something to do with my broadband dongle) and RapportMgtService.exe (which is the security software my bank supplied).

Interestingly after disabling these it booted OK however after a second reboot back to strange things. I haven't had any of the strange ZX spectrum music anymore though although it was very random when that would occur. When I connect through the dongle occasionally two firefox windows will open and appear to do nothing but I find this odd - Note I only use Firefox.....I have an IE7 installed with the machine but I never use it.

Cheers
Dziga

[essexboy]

Hi there - I must admit this appears to be a variation on Whistler - so lets investigate before I start killing

Download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 

Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.


THEN

Run MBRCheck.exe once again.
 
You will be presented with the following dialog:
 

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 
Enter Y and press Enter.
 
The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
 
Enter your choice:

 
Enter 1 and press Enter
 
The following dialog will be presented:
 

Enter the physical disk number to fix (0-99, -1 to cancel):

 
Enter >>0<< and press Enter

It will ask for a file name and location - call it MBR.txt and place it on your desktop
Then exit the programme and attach the MBR.txt to your next post

[Pastycrimper]

Hi Essexboy,

MBRreport attached.....apparently nothing was found.

[essexboy]

MBR is good - so lets check out the drivers

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[Pastycrimper]

Here we go.....hope you can make more sense of it than me...

Cheers again

[essexboy]

I can see it

1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
 
3. Open notepad and copy/paste the text in the quotebox below into it:
 

File::
c:\users\Dziga\AppData\Local\Temp\mdxgthkn.sys
 
Driver::
mdxgthkn

 
Save this as CFScript.txt, in the same location as ComboFix.exe
 
 
 
 
Refering to the picture above, drag CFScript into ComboFix.exe
 
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[Pastycrimper]

OK, I've done as requested. File attached BUT some points perhaps you should note.

Started Combofix with the script you asked me to make and it did its thing as before....prior to writing a log it stated a restart was needed which it did. The log in screen came as normal, so I logged in and Combofix kicked in very early as the desktop loaded saying it was preparing the log file....All good. I then doubled clicked the mobile broadband launch icon and was told I wasn't permitted as the item was related to a registry key set for deletion (or thereabouts). I tried Firefox which had the same error. Same for MS Word document. In fact the only software that worked was notepad. As I couldn't get to the forum I just rebooted and now OK. Thought I should let you know as I wasn't sure if I should reboot again.

Once again, thanks

[essexboy]

Yes that happens sometimes - reboot and all will work again

What are your current problems ?

[Pastycrimper]

  Everything seems OK.....famous last words.

You are a legend. OK so realistically, assuming that its gone (any checks?) what should my set up be. I currently run Avast and have done for years with no probs ever, but only with WIndows Defender. Do you recomend I get full MBAM for malware protection. I used to use Spybot - Search & Destroy which I have just downloaded and installed but always thought this was for spyware and wasn't a malware checker. Should I get a 3rd party firewall.....I always heard that defender worked ok?

Thanks ever so much for your time.

[DavidR]

Well essexboy will probably be in bed now, 00:22am in the UK now. He is likely to be back on-line around the same time he was in his last posts.

Generally he would ask you to monitor it for a day or so and if no problems get back on the forums and confirm that is the case He will remove his tools and probably give some general advice for you to follow.

I would say keep MBAM, as a secondary scanner, no need to purchase the full version, though it is a one of lifetime license. I believe it is much better than S&D and I'm not a great fan of Windows Defender (WD), if you had avast and MBAM it sort of depreciates the need for WD. However, WD is free, comes pre-installed on Vista (if correct then I believe you can't uninstall it only disable it), it is a resident solution. So it would be your choice on what to do, but it has been a bit of a passenger in this.

Since you run Vista and you have IE7, it is capable of running IE8 and IE9 so preferably updating to IE9 would give you enhanced security in IE, especially if you use it as your default browser and since IE is an integral part of the OS you should always keep it up to date.

[Pastycrimper]

Hi hi,

OK just a couple of observations. I switched on this morning and Windows booted without problems.

• However since doing the ComboFix, Avast no longer automatically boots on Startup. I've looked in MSConfig and there is no startup item yet there is an enabled and running Avast service. I can start Avast manually by going to the programs menu as one would any software, but surely Avast should be self booting as it always has
• When I first contacted you guys I followed your primary instructions and installed Malwarebytes for a scan. Prior to the Combofix (but after my first MBAM and OTS scan) I suspected that while the desktop loaded it seemed most lockups timed coincidently with MBAM booting into the taskbar, so I disabled all MBAM in startup and services using MSCONFIG. Since "hopefully" getting cured I thought I'd reactivate MBAM startup and services - The result is that explorer locks up immediately upon loading, so I deactivated again. I have rebooted and opened MBAM manually and it opens & scans fine however if I switch on the "real-time" protection all goes to immediate lock up. I wonder if this is because it is a 14 day trial version?

Everything else seems to be behaving as normal.
Cheers
Dziga