

Do I have an infection?


15 replies to this topic

#1 Tricky Nick

  • Members
  • 10 posts
  • Local time: 03:11 PM

Posted 16 April 2009 - 01:29 PM

I am not sure if I have an infection or not. I have an odd quirk that is having me seek some help.

I have Windows Vista Home Premium, and every so often a popup would appear near my clock. It was so fast I didn't know what it was. I went ahead and decided to use a program called CamStudio that would record my desktop. I have since found out the popup is Security Center popping up, then closing so fast I can't read it; even in the video, slowed down to a playback speed of 0.03, all I get is the shape of the box. It is an AVI file and I can attach it or send it if it will help, in case someone can slow it down even more.

Am I infected or is this common for the popup box to come up saying there's something wrong then disappear so fast that all I see is the box?

Please help, it's getting annoying.



#2 Tricky Nick

Posted 16 April 2009 - 02:42 PM

Is anyone able to help?

#3 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender: Male
  • Location: millenium falcon and rockytop
  • Local time: 04:11 PM

Posted 16 April 2009 - 06:03 PM

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File, Save As, create a log and post it here

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#4 Tricky Nick

Posted 16 April 2009 - 07:22 PM

I have run both... and for the life of me I can't figure out how to include the log file in the post, as that would be easier... but anyway, here are the copy/pasted log files; Process Explorer is first.

Process PID CPU Description Company Name
System Idle Process 0 60.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 408 Windows Session Manager Microsoft Corporation
csrss.exe 484 Client Server Runtime Process Microsoft Corporation
wininit.exe 548 Windows Start-Up Application Microsoft Corporation
services.exe 592 Services and Controller app Microsoft Corporation
svchost.exe 796 Host Process for Windows Services Microsoft Corporation
WRConsumerService.exe 864 WRConsumerService Webroot Software, Inc.
svchost.exe 896 Host Process for Windows Services Microsoft Corporation
Ati2evxx.exe 956 ATI External Event Utility EXE Module ATI Technologies Inc.
Ati2evxx.exe 1368 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1008 Host Process for Windows Services Microsoft Corporation
audiodg.exe 1200 Windows Audio Device Graph Isolation Microsoft Corporation
svchost.exe 1064 Host Process for Windows Services Microsoft Corporation
WUDFHost.exe 2680 Windows Driver Foundation - User-mode Driver Framework Host Process Microsoft Corporation
dwm.exe 3180 Desktop Window Manager Microsoft Corporation
svchost.exe 1100 Host Process for Windows Services Microsoft Corporation
taskeng.exe 2128 Task Scheduler Engine Microsoft Corporation
taskeng.exe 3708 Task Scheduler Engine Microsoft Corporation
SLsvc.exe 1304 Microsoft Software Licensing Service Microsoft Corporation
svchost.exe 1440 Host Process for Windows Services Microsoft Corporation
svchost.exe 1572 Host Process for Windows Services Microsoft Corporation
spoolsv.exe 1720 Spooler SubSystem App Microsoft Corporation
sched.exe 1744 Antivirus Scheduler Avira GmbH
avguard.exe 1756 Antivirus On-Access Service Avira GmbH
svchost.exe 1772 Host Process for Windows Services Microsoft Corporation
acs.exe 12 Agnitum Outpost Service Agnitum Ltd.
avwebgrd.exe 584 AntiVir WebGuard Service Avira GmbH
FaH6.exe 808
FahCore_78.exe 1268 40.00
LSSrvc.exe 1188 LightScribe Service Hewlett-Packard Company
svchost.exe 2036 Host Process for Windows Services Microsoft Corporation
svchost.exe 804 Host Process for Windows Services Microsoft Corporation
ViewpointService.exe 788 ViewMgr Viewpoint Corporation
SpySweeper.exe 2116 Spy Sweeper Engine Webroot Software, Inc. (www.webroot.com)
SSU.exe 3396 Spy Sweeper SSU Webroot Software, Inc. (www.webroot.com)
svchost.exe 2432 Host Process for Windows Services Microsoft Corporation
SearchIndexer.exe 2504 Microsoft Windows Search Indexer Microsoft Corporation
SearchProtocolHost.exe 3484 Microsoft Windows Search Protocol Host Microsoft Corporation
SearchFilterHost.exe 3644 Microsoft Windows Search Filter Host Microsoft Corporation
lsass.exe 608 Local Security Authority Process Microsoft Corporation
lsm.exe 616 Local Session Manager Service Microsoft Corporation
csrss.exe 556 Client Server Runtime Process Microsoft Corporation
winlogon.exe 656 Windows Logon Application Microsoft Corporation
explorer.exe 2236 Windows Explorer Microsoft Corporation
op_mon.exe 2372 Outpost User Interface Agnitum Ltd.
avgnt.exe 2320 Antivirus System Tray Tool Avira GmbH
jusched.exe 2948 Java™ Platform SE binary Sun Microsystems, Inc.
SpySweeperUI.exe 1208 Spy Sweeper Client Executable Webroot Software, Inc.
sidebar.exe 3764 Windows Sidebar Microsoft Corporation
LightScribeControlPanel.exe 4052 Hewlett-Packard Company
robotaskbaricon.exe 3464 RoboForm TaskBar Icon Siber Systems
sidebar.exe 3724 Windows Sidebar Microsoft Corporation
firefox.exe 3572 Firefox Mozilla Corporation
procexp.exe 3196 Sysinternals Process Explorer Sysinternals - www.sysinternals.com



*****************************
******** start of mbam ********
*****************************

Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 6.0.6001 Service Pack 1

4/16/2009 7:07:26 PM
mbam-log-2009-04-16 (19-07-26).txt

Scan type: Quick Scan
Objects scanned: 66571
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




On a side note: I didn't disable my AV/Firewall/Spyware software....should I rerun the tests with them disabled?

Edited by Tricky Nick, 16 April 2009 - 07:29 PM.
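The Process Explorer listing above has a few entries with a blank Company Name column (FaH6.exe, FahCore_78.exe), which is the usual first cue for a closer look. The PowerShell script below is an added example, not something posted in this thread or shipped by Sysinternals or Malwarebytes: it produces the same kind of "who published this?" list from a live system by checking each running process's main executable for a company name and for an Authenticode signature that verifies. It assumes PowerShell 2.0 or later; Get-UnattributedProcess is a function name chosen here. Processes whose image cannot be read (System, the Idle process, protected processes, or 64-bit processes viewed from a 32-bit console) are reported as "no path" rather than flagged.

```powershell
# Added example (not from the thread): list running processes whose main
# executable has no company name or whose Authenticode signature does not
# verify. This reproduces the "blank Company Name" cue from Process Explorer.
# Assumptions: PowerShell 2.0+; Get-UnattributedProcess is a name chosen here.

function Get-UnattributedProcess {
    Get-Process | ForEach-Object {
        $proc   = $_
        $module = $null
        # MainModule throws for the Idle/System processes, protected processes,
        # and 64-bit processes inspected from a 32-bit console; treat those as
        # "no path" rather than as suspicious.
        try { $module = $proc.MainModule } catch { }

        if (-not $module) {
            New-Object PSObject -Property @{
                Name      = $proc.ProcessName
                Id        = $proc.Id
                Company   = ''
                Signature = 'no path'
                Path      = ''
            }
            return   # inside ForEach-Object this only skips the current process
        }

        $company = $module.FileVersionInfo.CompanyName
        $status  = (Get-AuthenticodeSignature -FilePath $module.FileName).Status

        # Report anything with no publisher string or a signature that is not
        # 'Valid' (NotSigned, HashMismatch, UnknownError, ...).
        if (-not $company -or $status -ne 'Valid') {
            New-Object PSObject -Property @{
                Name      = $proc.ProcessName
                Id        = $proc.Id
                Company   = $company
                Signature = $status
                Path      = $module.FileName
            }
        }
    }
}

Get-UnattributedProcess |
    Sort-Object Name |
    Format-Table Name, Id, Company, Signature, Path -AutoSize
```

An entry on this list is a starting point for research, not a verdict: in 2009 plenty of legitimate software, Folding@home and Sun's Java updater among them, shipped without a signature. Compare the Path against where the vendor installs the program, and look up anything you cannot account for before deciding it belongs.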


#5 Tricky Nick

Posted 17 April 2009 - 07:21 AM

Any further steps I should take?

#6 DaChew

Posted 17 April 2009 - 08:49 AM

I don't think you are infected; you might check your settings in Security Center and Outpost, maybe Spy Sweeper.

Too many cooks spoil the soup?

There are so many processes running that it might be slowing something down enough that you see that popup.

#7 Tricky Nick

Posted 17 April 2009 - 02:31 PM

Is there a place, or could you advise me on the processes I have running, which I could effectively shut down as they are not needed, or anything like that?

I went through my services and put services which I knew I didn't need to start automatically into manual mode.

I guess what I'm asking is, is there a place I can go to check on the running processes and disable them from starting up if not needed?
The only reason I know it's the security panel that pops up is that every so often it's slow enough that I can see the icon that pops up when I disable one piece of my security such as Spy Sweeper, Avira, or Outpost. The popup is so darn quick that I can't read what is doing it. I would have to assume it's one of those three, wouldn't you? That is all the Security Center monitors, isn't it?

I did disable all built-in Windows features (in terms of software security) such as Windows Firewall, Defender, etc. Is there another way I can try and figure out what is causing the popups? Like, if I record my screen again with the Security Center window open, do you think it would catch what would be causing the error? As I mentioned in my original post, it is so quick that even looking at the video frame by frame, it didn't catch the error, just the little "balloon" or "bubble" that appears with the message; it's gone so quick the message isn't displayed.


EDIT:
Well, I managed to capture Security Center itself and I now know what's causing the popup. It said that my antivirus is turned off.
Please see this video; the error happens around the 56-58 second mark. You will need to slow it down in order to see the actual error.
Will supply the link once the video is uploaded and gives me a link, in a new post.

Edited by Tricky Nick, 17 April 2009 - 03:14 PM.


#8 Tricky Nick

Posted 17 April 2009 - 03:42 PM

Here is the link to the video.
Remember, the error happens around the 57-second mark of the video.
http://video.google.com/videoplay?docid=7984345466426338825

When you watch, you'll see just how quick it is.

Edited by Tricky Nick, 17 April 2009 - 03:51 PM.


#9 DaChew

Posted 17 April 2009 - 06:22 PM

Try disabling or uninstalling spysweeper

#10 Tricky Nick

Posted 17 April 2009 - 08:50 PM

I closed it down for now, and if this proves to be the culprit, what would you recommend for another anti-spyware program?

#11 DaChew

Posted 17 April 2009 - 09:17 PM

Malwarebytes paid

for the protection module

Spybot for immunization only

Firefox with the NoScript add-on, or surf as a limited user

I might also drop Outpost and rely on Vista plus a hardware NAT in a router

Avira is a good choice for AV

If you execute one of the new state-of-the-art infectors, most AVs and firewalls are bypassed, so the real defence has to come from you.

Edited by DaChew, 17 April 2009 - 09:18 PM.


#12 Tricky Nick

Posted 18 April 2009 - 07:24 AM

> Malwarebytes paid
>
> for the protection module
>
> Spybot for immunization only
>
> Firefox with the NoScript add-on, or surf as a limited user
>
> I might also drop Outpost and rely on Vista plus a hardware NAT in a router
>
> Avira is a good choice for AV
>
> If you execute one of the new state-of-the-art infectors, most AVs and firewalls are bypassed, so the real defence has to come from you.


I already use Firefox, but will add the NoScript add-on.

So basically run Vista without a software firewall and let my router do that for me? (I use a WRT54GL, running DD-WRT.)
I do use uTorrent for downloading and watching TV shows, as all the good ones are on when I am at work (I work 3rd shift), so would just the router work, or should I keep the software firewall?

Do I keep Spybot running 24x7, or just open it, immunize, then close?


Also, I closed Spy Sweeper and I still get that error. Why does Avira report it's turned off for such a short time, then back on?

Edited by Tricky Nick, 18 April 2009 - 07:53 AM.


#13 DaChew

Posted 18 April 2009 - 07:40 AM

Unless you are in the DMZ or forwarding all ports, the NAT in the router would furnish some protection; keep Windows Firewall on if you disable or uninstall Outpost.

Firewalls are great when they work, but they can be a big problem when they don't.

Timeshifting is a whole can of worms; I wish a precedent-setting Supreme Court ruling like Universal vs. Sony (Betamax) would get us up to date in this murky water.

Fair use has been used as a doormat by the entertainment industry.

:thumbsup:

With Spybot you install, enable SDHelper, update and then apply immunization.

Leave TeaTimer off until you research it thoroughly.

#14 Tricky Nick

Posted 18 April 2009 - 09:09 AM

First, about the time-shifting. I know it's a murky "gray" area, but until, as you said, there is a clear-cut case saying it's legal or not, I will keep doing it.

Second, apparently the error I was getting was because my WMI was corrupted. I followed steps that were in Avira's forums. I am about 90% sure this is the problem, but I won't be satisfied until later tonight when I have a chance to really watch my computer. ---- Well, I just noticed that this didn't solve the problem. According to Avira's website, there is a bug in WSC, and they said I could either disable WSC or ignore the messages. What would be your suggestion? Avira is still running fine; it's just not "talking to WSC" due to some bug.

I've always been told Windows Firewall is woefully inadequate (wow, I'm using big words). Has this recently changed?
I have UPnP disabled, and only forward ports for uTorrent and an MMO I play that requires ports to be open for its updater.

Just trying to recap all in one post...

I can get rid of Outpost and use Windows Firewall in its place, as I am using a router with NAT?
Remove Spy Sweeper and get Malwarebytes (paid version) and Spybot S&D (for the immunization)?

Also, I am always a limited user on Vista, and NoScript is a little annoying... would it be OK to not use it and still be safe?

Edited by Tricky Nick, 18 April 2009 - 09:11 AM.
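Security Center reads each registered product's state through WMI (the root\SecurityCenter2 namespace on Vista and later), so a balloon that disappears in a fraction of a second can be caught by polling that same source and writing down every transition with a timestamp. The script below is an added example, not from this thread and not from Avira or Microsoft; it assumes Vista or later, PowerShell 2.0 or later, and a log location on the desktop that is only a placeholder. Get-AvState is a function name chosen here. A failing WMI query is logged as well, since a damaged WMI repository, which the post above mentions, is itself one way a product can appear to go "off" for an instant.

```powershell
# Added example (not from the thread): poll Windows Security Center's WMI
# namespace and record every change in the antivirus state it reports, so a
# popup too fast to read leaves a readable log line instead.
# Assumptions: Vista or later (root\SecurityCenter2 exists), PowerShell 2.0+,
# log path below is a placeholder chosen here.

$LogPath  = "$env:USERPROFILE\Desktop\wsc-av-state.log"   # placeholder location
$Interval = 1                                             # seconds between polls

function Get-AvState {
    # Returns one "displayName=0xProductState" string per registered AV product,
    # sorted so that the joined result is stable between polls.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' `
                              -Class 'AntiVirusProduct' -ErrorAction Stop
    $products | ForEach-Object {
        '{0}=0x{1:X6}' -f $_.displayName, $_.productState
    } | Sort-Object
}

$previous = $null
Write-Host "Logging AV state changes to $LogPath (Ctrl+C to stop)"

while ($true) {
    try {
        $current = (Get-AvState) -join '; '
    } catch {
        # Security Center depends on WMI; if the query itself fails, that is
        # exactly the kind of transient the thread is chasing, so log it too.
        $current = "WMI query failed: $($_.Exception.Message)"
    }

    if ($current -ne $previous) {
        $line = '{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'), $current
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
        $previous = $current
    }

    Start-Sleep -Seconds $Interval
}
```

Leave it running in a console for as long as the popup takes to reappear; each line in the log then shows which product changed state, to what raw value, and when, which is enough to tell a genuine on/off flap from a reporting hiccup between the product and WSC.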


#15 DaChew

Posted 18 April 2009 - 09:31 AM

The limited user is your best protection; Spy Sweeper has a lot of criticism.

NoScript won't be necessary as long as you always use a limited user to surf.

Good investigation though. I like Avira, but can understand its problems with Vista. Keep using Outpost if it makes you feel better; it's highly recommended. One man's paranoia is another's salvation. It's all up to user choice.

Read this blog to put it all in perspective regarding computer use and native Microsoft protection. Remember this is for 64-bit, not 32-bit Vista.

The future belongs to this, not 32-bit protection.

> Oh, which one do I use? None. I do not open e-mail attachments that come with a subject line of "This is so funny" or "ILOVEYOU" or "Naked tennis player". I do not use copyright violation software (a.k.a. file sharing software). And, I run as a standard user. The last time I had a virus that got flagged by a virus scanner was in 1992, on a lab machine used by a student; on an Apple Macintosh. Yes Steve Jobs, the Macintosh has had viruses for as long as Windows.


http://msinfluentials.com/blogs/jesper/arc...-for-vista.aspx



