Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Adware


  • This topic is locked This topic is locked
17 replies to this topic

#1 Schwidus

Schwidus

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 15 July 2009 - 06:25 PM

First I noticed IE8 would close some of my open windows/tabs due to the DEP (data execution prevention), but then a day later I started getting popups for various websites besides DEP errors. This happens whenever I have IE8 or Windows Live Messenger open, or both. I have run many scans so far, as well as used CCleaner to clear out almost 3gb worth of temp files and also to fix many registry issues. The scans I have run are below, in that order:
Malwarebytes (found MyWebSearch adware in the registry as well as a couple other small ones)
Spyware Doctor (found a couple small problems, most likely adware)
Then in safe mode:
SuperAntiSpyware (found many tracking cookies, as well as a couple adware problems in the registry)
Spybot: Search and Destroy (did not find any additional problems)
Malwarebytes (did not find any additional problems)
McAfee Virus Scan Enterprise (did not find any additional problems)

After those scans had been run, I switched through a few of my normal websites that have never shown problems before to find that I still got popups and still had the DEP problem. My guess is there is still something out there that is not being picked up by these scans. Fortunately, I have not experienced a slowdown of my system or any other problems. It is just the annoyance of popus and my IE windows being closed. A couple friends who work as computer repair technicians suggested I find somewhere to upload a HijackThis log so that a professional might be able to detect a problem or at least make a suggestion. Below is the HijackThis log. If a solution is not certain, I am open for suggestions of other scans to run or of what to do next, however I will stop attempting to fix the problem until I have received a response from the Bleeping Computer support.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:22 PM, on 7/15/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\UltraMon\UltraMonUiAcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IELowutil.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SearchPerks! Follow-On Study Assistant - {D1A1FD57-93FC-45FE-BC2A-B3A5D47D6674} - C:\Program Files\SearchPerks! Follow-On Study Assistant\Bmbho.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O3 - Toolbar: SearchPerks! Follow-On Study Assistant - {D1A1FD57-93FC-45FE-BC2A-B3A5D47D6674} - C:\Program Files\SearchPerks! Follow-On Study Assistant\Bmbho.dll
O3 - Toolbar: Live Search Club Toolbar - {719D74AB-1AF9-43A1-8C62-D8750628D93E} - C:\Program Files\Live Search Club Toolbar\Toolbar.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; DS_desktopsmiley; desktopsmiley_1_1_52340229131985_66_6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.30729; AskTB5.3; SPC 3.2 P1 Ta)" -"http://www.shockwave.com/gamelanding/inklink.jsp"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Single Screen.lnk = ?
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} (LogMeIn Rescue Applet Downloader) - https://secure.logmeinrescue.com/Customer/x...eDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

--
End of file - 11039 bytes

BC AdBot (Login to Remove)

 


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:17 AM

Posted 26 July 2009 - 04:25 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here
.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay
.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:17 AM

Posted 01 August 2009 - 11:06 PM

Topic reopened.

@ Schwidus,

Please follow the instructions in the previous post.

~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Schwidus

Schwidus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 02 August 2009 - 12:07 AM

My problem still stands as how it was in my original post. I continuously get popups while in Internet explorer, and the problems carried over when I tried Firefox temporarily. Many of the popups usually come up with the name Incentaclick Media, but others are for a bunch of random stores or websites. About 50% of the time, Windows Vista is blocking the advertisement before it even pops up by telling me Internet Explorer has stopped responding and then telling me the webpage has been closed from Data Execution Prevention (DEP).

As I also mentioned, I have run many scans and they have not found what is causing this problem I assume to be a form of adware. I have not run anymore scans since the original post.

I ran the DDS log script, and following will be the DDS log I copied and pasted from the notepad file. Attached is the other half of the DDS log script, the notepad named Attach put into a .zip folder. If the technician looking at this topic needs more than the HijackThis log posted originally or the DDS log included with this post, please let me know of what else I can do. Thank you.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Dustin at 23:38:10.65 on Sat 08/01/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1218 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\mqsvc.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Windows\system32\mqtgsvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\UltraMon\UltraMonUiAcc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Dustin\Desktop\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.asus.com/
mDefault_Page_URL = hxxp://www.asus.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NP Helper Class: {35b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\internet saving optimizer\3.4.0.4340\NPIEAddOn.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SearchPerks! Follow-On Study Assistant: {d1a1fd57-93fc-45fe-bc2a-b3a5d47d6674} - c:\program files\searchperks! follow-on study assistant\Bmbho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: ASUS Security Protect Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dll
TB: SearchPerks! Follow-On Study Assistant: {d1a1fd57-93fc-45fe-bc2a-b3a5d47d6674} - c:\program files\searchperks! follow-on study assistant\Bmbho.dll
TB: Live Search Club Toolbar: {719d74ab-1af9-43a1-8c62-d8750628d93e} - c:\program files\live search club toolbar\Toolbar.dll
TB: {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [NB Probe] c:\program files\asus\nb probe\NBProbe.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; DS_desktopsmiley; desktopsmiley_1_1_52340229131985_66_6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.30729; AskTB5.3; SPC 3.2 P1 Ta)" -"http://www.shockwave.com/gamelanding/inklink.jsp"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModule
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ASUS Screen Saver Protector] c:\windows\ASScrPro.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
StartupFolder: c:\users\dustin\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\program files\dropbox\Dropbox.exe
StartupFolder: c:\users\dustin\appdata\roaming\microsoft\windows\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\users\dustin\appdata\roaming\micros~1\windows\startm~1\programs\startup\single~1.lnk - c:\users\dustin\appdata\roaming\realtime soft\ultramon\3.0.3\profiles\Single Screen.umprofile
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{cc15a5fc-b6d3-4a2d-8a26-d8f2702a3c00}\IcoUltraMon.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: APSHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ASWLNPkg

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-6-30 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-6-30 21504]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2008-9-29 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-11-21 67904]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-9-14 10496]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2008-9-9 46592]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-11-21 64432]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2009-1-23 828288]

=============== Created Last 30 ================

2009-07-22 13:22 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-07-22 13:19 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
2009-07-15 18:01 <DIR> --d----- c:\program files\Trend Micro
2009-07-14 21:14 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-07-14 21:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-14 21:14 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-14 21:05 <DIR> a-d----- c:\programdata\TEMP
2009-07-14 18:57 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-14 18:57 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-14 18:57 <DIR> --d----- c:\users\dustin\appdata\roaming\SUPERAntiSpyware.com
2009-07-14 18:57 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-14 17:24 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-14 17:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-14 17:24 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-14 17:24 23,552 a------- c:\windows\system32\lpk.dll
2009-07-14 17:24 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-11 10:57 <DIR> --d----- c:\program files\Internet Saving Optimizer
2009-07-10 23:56 188,968 a------- c:\windows\system32\PnkBstrB.xtr

==================== Find3M ====================

2009-08-01 20:28 518,306 a------- c:\programdata\nvModes.dat
2009-08-01 20:28 518,306 a------- c:\progra~2\nvModes.dat
2009-08-01 09:39 45,056 a------- c:\windows\system32\acovcnt.exe
2009-07-29 17:29 138,736 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-29 17:29 188,968 a------- c:\windows\system32\PnkBstrB.exe
2009-07-22 13:20 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-22 13:20 143,360 a------- c:\windows\inf\infstor.dat
2009-07-22 13:20 51,200 a------- c:\windows\inf\infpub.dat
2009-07-21 16:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 16:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 16:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 15:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-10 14:30 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-12 19:00 87,608 a------- c:\users\dustin\appdata\roaming\inst.exe
2009-06-12 19:00 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-06-12 19:00 47,360 a------- c:\users\dustin\appdata\roaming\pcouffin.sys
2009-05-29 22:42 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-05 20:10 84 a---h--- c:\programdata\aspg.dat
2009-05-05 20:10 84 a---h--- c:\progra~2\aspg.dat
2009-05-05 11:02 532,480 a------- c:\windows\system32\sm56co85.dll
2008-11-05 20:41 314,574 a------- c:\users\dustin\appdata\roaming\nvModes.dat
2008-09-03 20:38 22,328 a------- c:\users\dustin\appdata\roaming\PnkBstrK.sys
2008-06-30 12:01 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:38:28.70 ===============

Attached Files



#5 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:17 AM

Posted 02 August 2009 - 11:46 AM

Hi Schwidus,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :thumbup2:
My name is sundavis, I will be helping you to deal with your Malware problems today.



Step1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Step2

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply, please post back:

1.Gmer log
2.OTListIt.txt and Extra.txt Thanks

#6 Schwidus

Schwidus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 03 August 2009 - 08:49 PM

To help keep this topic a bit organized, I have attached the three logs to this post in individual zipped folers. I feel a post containing those three logs end after end would be very difficult to look at. Good luck and I hope with these new logs you might be able to find something.

Attached Files



#7 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:17 AM

Posted 04 August 2009 - 01:15 AM

Hi Schwidus,





Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

1.Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2.Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.



Step2

Please go to Here and Download System Repair Engine by smallfrogs

  • Extract it to Desktop & double click SREng.exe to run it
  • Click System Repair in the left pane.
  • Click on Hosts File tap
  • Press reset button, and click Yes to the prompt window.
  • Click save button in the right bottom corner. Exit the program and restart it
  • Select 'Smart Scan' & tick "Verify the digital signatures of process modules"
  • Click on the Scan button. When finished, click on the Save Reports button & save the log to Desktop
  • You can refer to this thread for your reference.


Step3

1. Click the Microsoft Vista Start logo in the bottom left corner of the screen
2. Click All Programs
3. Click Accessories
4. RIGHT-click on Command Prompt
5. Select Run As Administrator
6. In the command window type the following and then hit enter:

ipconfig /flushdns

7. You will see the following confirmation:


Windows IP Configuration
Successfully flushed the DNS Resolver Cache.


After that, What I'd like you to do is a hard reset with your router if you have one. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password--make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.

Then start your IE > Tools > Internet Options > Advanced> In Reset Internet Explorer settings > Click reset button >Click reset when the prompt window appears. Close your IE and Restart your pc. Tell me how things are going now.


In your next reply, please post back:


1.Combofix log
2.SREng log

Tell me how your pc is acting now.

#8 Schwidus

Schwidus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 04 August 2009 - 07:16 PM

As I did before, the logs you requested are attached to this post in their own zipped folders. I do go off of a router, using a wired connection, but this is not mine and I would not have permission to go and reset the carefully designed security settings on it. Right now, a computer must have a registered MAC address and a password, so obviously it would be a lot of work to configure all of this again. I did, however, do the other steps in the third section of instructions.

Because these random DEP closings and popups never happened in specific instances, I have no sure way of checking to see in this has solved the problem. Based off of quick testing, everything seems good. Please let me test things out more before I say for sure if this has solved the problem.

Attached Files



#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:17 AM

Posted 04 August 2009 - 11:45 PM

Hi Schwidus,



Based off of quick testing, everything seems good

That sounds good. :thumbup2: Let's proceed the following.

Step1


Older versions Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:
    • Java™ 6 Update 13
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When Java warning " The applcation digital signature has been verified. Do you want to run the application " appears, Click on "Run" button.
  • It will be Downloading and installing the program and Updating the database.
  • When Updating the database have finished, click on Settings.
  • Make sure all boxes are checked. then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



Please post back the logs in your next reply.


1.KAS Scan Report
2.Fresh HJT log

Tell me how your pc is running now.

#10 Schwidus

Schwidus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 06 August 2009 - 09:19 PM

Step 1 Results: I have installed Java Update 15 (which just came out a couple days ago), and did not have any previous updates in the Uninstall programs list.

Step 2 Results: I ran the cleaner, and only use IE8 for a browser.

Step 3 Results: I started the Kapersky scan, but was unable to finish it all in one session. When I tried to go back to the site and restart the scan, it will not let me as I get an error while it tries to update before it even starts the scan. I do have a variety of installed programs already to do scans such as McAfee Enterprise Anti-Virus, Malwarebytes, Super-Anti-Spyware, and Spybot: S&D. I can run these scans instead of that will produce a similar result. Also, attached I have put the results to a new HJT scan in a zipped folder.

Other news: After running Combofix and reseting some of the Internet settings, I noticed I get a warning from Vista's Security Center. It tells me there is no malware program running, and tells me to turn on Windows Defender. When I go to turn it on, it searches for the latest definitions, but then fails and will not turn on and solve the security problem. I am, however, able to go into Defender separately and run a scan manually. Attached are also a few screenshots to better show what is going on.

I have Googled the problem and found that going into command prompt and doing something like "winmgnt /verifyrepository" and "winmgmt /salvagerespository" will solve this if it is not consistent, but when I verify the respository, I find that it is consistent and this fix does not work. Do you have any other solution for this? Although I can disable the security warning to not bother me, I do not like the idea that Defender is not communicating properly with the rest of Security Center.

Also, I have still not noticed any popups or webpage closings due to Data Execution Prevention, so that problem has been solved completely!

Attached Files



#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:17 AM

Posted 07 August 2009 - 12:14 AM

Hi Schwidus,




Try to disable Spybot: S&D and McAfee real time protection for temporarily. Please go to Here if you don't know how.

If you are using a third party spyware/malware program, it may disable the Windows Defender service. To start the Windows Defender service again, please check and perform the following:

1. Click Start, Type Run. (You can also use Win Key + R)
2. Type services.msc
3. Right-click Windows Defender service and Click Start. (If already turn on, please turn off and restart your pc then click Start again)

Then please to Turn Windows Defender on and Set up Windows Defender alerts . You may turn it off and on again.

After that, go to this thread and do as exactly instructed in this page. You may try it a few times then reboot your pc.

If still no joy, you may try to uninstall Windows Defender and reinstall it from Here and Here .


Step1

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.---Run as administrator>
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.

I will give you another one, just in case. :thumbup2:


Please go to F-Secure Online Scanner Next Generation
  • Click on the link "Start your scan".
  • You may receive an alert on the address bar at this point to install the ActiveX control.
  • Read the license agreement and click "Accept".
  • Click "Full System Scan" to download the scanning components and begin scan and cleaning.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • When done click "Show report" and copy/paste its contents into your next reply.
  • If you have problems to run F-Secure Online Scanner, You may refer to this thread

In you next reply, please post back:

1.ESET online scan report

Tell me how things are going now.

#12 Schwidus

Schwidus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 07 August 2009 - 04:15 PM

I was able to get the ESET online scan to work and have uploaded the log it created. It did find a few small things I believe.

As far as Windows Defender goes, the service is always running, I had already tried the 'winmgmt /verifyrepository' and 'winmgmt /salvagerepository' trick that you had found, but when I do it, I already get "The repository is consistent". The Microsoft KB document only fixes the problem if it says "The repository is not consistent".

As for uninstalling and reinstalling it, the documentation you gave me was only to turn it off. If I try to turn it off and then install Defender over itself, Windows tells me it is built into Vista and the installation cancels.

As I said before, the computer seems cleaned up of everything harmfull, and I can also run scans of my own to clean up any other little bits, but I would like very much for the Defender thing to get fixed. I'm not sure if it was Combofix, or the Internet cleanup step that did it, but I noticed it only after those were done.

Attached Files



#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:17 AM

Posted 08 August 2009 - 01:01 AM

Hi Schwidus,




It seemed malware issues appear resolved. :thumbup2: The WD problem which might be the clock and Time Zone was not set properly while the combofix is still on board.
Let's do some tidy up and check if possibly make any difference. After that, I would like you do some verifyrepository stuff again. If the problem persists after uninstalling combofix. Please do the following:

Go to the main Windows Update window and click on "Installed Updates" (on the left-hand side of the window, at the bottom), and then remove "Update for Microsoft Windows (KB931099)" (only).

Reboot your pc.

Go back to Windows Update, and re-install the same update, by clicking on the Check for Updates button.

This should essentially re-install Windows Defender on Vista. Now. please check if you can press WD turn on now button in Windows Security Center.

If still no joy whatsoever, you would be better served discussing it in the Windows Vista section of this forum or turn to MS online support from Here .

Let me know how things turn out if you need continued support. Good luck! :)


Step1

Click START then RUN
Now copy/paste Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Posted Image

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step2
  • Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Accept any prompts to let the program proceed.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
Remember to delete tools and all the logs we have used.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Install a-squared Free -a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#14 Schwidus

Schwidus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 09 August 2009 - 08:57 PM

I removed pretty much everything related to curing the infection, leaving my computer pretty much back to the way it always was. I did try your fixes for the Defender problem, but none of them seemed to do it. In fact, I uninstalled that update and when I searched for updates to get, it did not show up. I went and downloaded the individual update so I could install it manually but it will not let me. It says that the update does not apply to my system. I'll move over to a different forum that will hopefully be able to help me get my Security Center back in check.

Thank you very much, sundavis for all of your help. If nothing else, I can look at this and see that the adware problem that was very annoying and slowed down my browsing speed besides, has been reduced to something that I can just turn off it from notifying me. I run Malwarebytes scans routinely, and along with McAfee, I feel I am safe from the majority of infections.

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:17 AM

Posted 09 August 2009 - 11:05 PM

Hi Schwidus,

but it will not let me


Which version are you using now? You can check your version of Windows Defender by clicking the down arrow next to the help icon and choosing About Windows Defender.

Please go the following thread and do as described in the Step4 and update your WD afterwards.

http://www.vistax64.com/tutorials/218830-w...nable-turn.html

http://support.microsoft.com/?kbid=931099

http://www.microsoft.com/Downloads/details...;displaylang=en

Hope it helps. Good luck! :thumbup2:

Edited by sundavis, 09 August 2009 - 11:34 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users