Removing Malware from Macbook Pro running Windows XP

Posted on 2013-11-03
Last Modified: 2013-11-29
I have acquired some malware on the Windows "side" of my machine. I know there are two:

1. Plus! Network
2. Another which presents a popup saying:
"attention it is important that you download flv mplayer to continue"

How can I remove them?
I have Avast and Malwarebytes Anti-Malware, which I run regularly to remove viruses and malware, but they do not remove them.
Question by:bogorman
LVL 34

Expert Comment

ID: 39620342
"attention it is important that you download flv mplayer to continue"

Do you get this message when trying to play a particular media file?
The media file is fake and only an invitation for you to download malware...delete that media file.

Free Malware Removers:

1. Malwarebytes
2. ComboFix
3. RogueKiller
4. HitmanPro
5. TDSSKiller
6. SUPERAntiSpyware
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39620405
Looks like you have two toolbars remaining from your malware infections that are causing the redirects. Removal depends on which browser is affected. MBAM should run normally in your Windows environment.

How are you running Windows? Parallels?

It's probably worth checking if the browser hijackers are still present, but MBAM should have sorted them out (it runs fine in a virtualized Windows install like yours). Look for a report referring to PUPs (Potentially Unwanted Programs) discovered on your Windows install.

So let's start by finding which browser needs cleaning up.

Author Comment

ID: 39621254
Hi MASQUERAID and Michael,
Thanks for your help so far.
MASQUERAID: I am running Parallels. Some time ago I noticed it, I think, in IE, which kept taking me to a Plus! Network page. This did not occur again until a day or so ago.
Recently, when using Dreamweaver 8 and the "preview in browser" button, I got a black page with the "attention it is important that you download flv mplayer to continue" message.
Are these things "in the browser" or a more general infection of Windows? The attention message was in Firefox.
Author Comment

ID: 39621255
MASQUERAID: Also, in Firefox, I get a popup:

A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39622351
Download HJT

Create a folder called HJT on your desktop and copy the file inside this. Open the folder, right-click the utility and choose "Run as administrator". Accept the licence, choose scan and create log file. Check the contents of the file and that you are happy to post this publicly, then either add the content to a post or attach it as a .txt file using the "Attach file" link at the bottom of this page.

Author Comment

ID: 39623884
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:58:56, on 05/11/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
CHROME: 30.0.1599.101
FIREFOX: 17.0.1 (en-GB)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: DebugBar (Toolbar) - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Parallels Tools Center] "C:\Program Files\Parallels\Parallels Tools\prl_cc.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - .DEFAULT User Startup: IconPackager.lnk = C:\Program Files\Stardock\MyColors\IconPackager.exe (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Inspect Element with DebugBar - res://C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll/247
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) -
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: prl_uprof - C:\Program Files\Parallels\Parallels Tools\prl_uprof.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DynamicPDF WebCache - Unknown owner - C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Parallels Coherence Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
O23 - Service: Parallels Tools Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

End of file - 9263 bytes
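Triage of a HijackThis log like the one above is a matter of walking the R0/R1, O2/O3, O4 and O23 entries and asking, for each one, whether the path or publisher is something you recognise. The following added example (it is not code from the thread, from HijackThis or from any of the tools named in it) parses those entry types into records and applies a few defender-side triage prompts: a start or search page set to a URL, a browser add-on or autorun loaded from a user profile folder rather than Program Files, and a service with no recorded publisher. The sample log is constructed: its first seven lines are copied from the log posted above, the hijacked Start Page URL uses the reserved `.invalid` domain, and the `Updater` autorun entry is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in HijackThis log format. The first seven lines are copied
# from the log posted in the thread; the last two are constructed to show what a
# browser hijacker typically leaves behind (reserved .invalid domain, and a
# hypothetical "Updater" autorun living in the user profile).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: DebugBar (Toolbar) - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DynamicPDF WebCache - Unknown owner - C:\Program Files\ceTe Software\DynamicPDF WebCache v1.0.0\DynamicPDF.WebCache.Service.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example-hijacker.invalid/
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\Administrator\Application Data\updater\updater.exe"
"""


@dataclass
class Entry:
    code: str   # HJT section code: "R0", "O2", "O4", "O23", ...
    name: str   # display name (BHO/toolbar/service/Run value), or registry value for R*
    owner: str  # publisher, CLSID or Run hive where the line carries one, else ""
    path: str   # executable, DLL or URL the entry points at, "" when blank
    raw: str    # the original log line


_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
_RUN = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_KEYVAL = re.compile(r"^(?P<key>.*?) =\s*(?P<val>.*)$")


def _exe_from_command(cmd: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt(text: str) -> List[Entry]:
    """Turn the R*/O* lines of a HijackThis log into Entry records.

    Header lines, the running-process list and blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code.startswith("R"):
            kv = _KEYVAL.match(body)
            key, val = (kv.group("key"), kv.group("val")) if kv else (body, "")
            entries.append(Entry(code, key, "", val, line))
        elif code in ("O2", "O3", "O23"):
            # "BHO: name - {CLSID} - path" / "Service: name - owner - path"
            head = body.split(": ", 1)[1] if ": " in body else body
            parts = head.rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
            else:
                name, owner, path = head, "", ""
            entries.append(Entry(code, name, owner, path, line))
        elif code == "O4" and _RUN.match(body):
            rm = _RUN.match(body)
            entries.append(Entry(code, rm.group("name"), rm.group("where"),
                                 _exe_from_command(rm.group("cmd")), line))
        else:
            entries.append(Entry(code, body, "", "", line))
    return entries


_TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%systemroot%")
_PROFILE_ROOT = "c:\\documents and settings"


def review(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs worth a human look.

    These are triage prompts, not verdicts: legitimate software (Google Update
    in the sample) trips the profile-folder rule too, so each hit still needs
    the analyst to confirm the publisher."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        p = e.path.lower()
        if e.code in ("R0", "R1") and p.startswith(("http://", "https://")):
            findings.append((e, "IE start/search page points at a URL; confirm you set it"))
        elif e.code in ("O2", "O3") and p and not p.startswith(_TRUSTED_ROOTS):
            findings.append((e, "browser add-on loaded from outside Program Files/Windows"))
        elif e.code == "O4" and p.startswith(_PROFILE_ROOT):
            findings.append((e, "autorun from a user profile folder; verify the publisher"))
        elif e.code == "O23" and e.owner.lower() == "unknown owner":
            findings.append((e, "service without a recorded publisher; verify the binary"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.code:<4} {entry.name!r:<45} {reason}")
```

On the sample the reviewer flags four entries: the Google Update autorun (a false positive that the profile-folder rule will always produce for per-user installers), the DynamicPDF service with no publisher, the constructed hijacked Start Page, and the hypothetical Updater autorun. Run against the full log above, the same rules surface only the DynamicPDF and Google Update lines, which matches MASQ's reading that the log is essentially clean.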
LVL 37

Expert Comment

ID: 39633092
As you are running under Parallels, you could try the rescue CDs from AVG, Kaspersky and Sophos.

Alternatively, you could just create a new Windows install and copy your files across.
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39634284
Hi bogorman, sorry, just getting to the end of a 70+ hour week, going to get some sleep and back to this if the suggestion about using a recovery disk doesn't help. The HJT log looks pretty clean though; this is hiding somewhere else in the virtual partition.

Author Comment

ID: 39634510
Hi MASQUERAID, you certainly deserve that sleep!
I would rather not have to obtain a recovery disk.
Strangely enough, I have not had popups recently and the Plus! Network page also hasn't appeared.
Can you tell me if there is any danger of transferring these viruses/malware when I upload files to my website? (The web hosts have anti-virus software which runs every day, and I have Malwarebytes and Avast which are always active.) If this would be sufficient I will probably not do anything more.
You mention something hiding in the virtual machine. Can I recreate this and then put the backup into it?
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39634564
Sorry again! Not recovery disk - rescue disk!!

Almost certainly these are installations on your PC image and are not "infectious" in the computer virus sense.

Have a look through your installed program list in Windows to check you recognise everything, and then look at running TDSSKiller just to check the virtual boot sector.
LVL 37

Expert Comment

ID: 39634630
I would try the AVG rescue disk.

Go here, download the ISO and then set it as the boot device in your Windows VM, then leave it to examine the Windows VM disk.

Author Comment

ID: 39638237
MASQUERAID: I have examined installed programs and there is nothing that appears to be malicious. Re TDSSKiller - the discs seem only to be for Vista and up. I have XP.
ArneLovius: Is the file avg_arl_cdi_all_120_130801a6481.iso suitable for Windows XP?
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39639491
TDSSKiller works in XP too - on the web page there are links to instruction pages for Vista etc., but that shouldn't be read as the only versions it runs in.
LVL 37

Expert Comment

ID: 39643261
The ISO is a bootable image; you do not install it, but boot the VM with it.
LVL 62

Accepted Solution

☠ MASQ ☠ earned 500 total points
ID: 39652967
How did TDSSKiller go?

Author Closing Comment

ID: 39685028
Thanks everyone for your help.
MASQUERAID's suggestions removed a number of viruses. The others did not seem to, but thanks.
