
Infected with Online Protection Tool

  • This topic is locked
5 replies to this topic

#1 justbinda


  • Members
  • 4 posts
  • Local time:05:15 PM

Posted 01 April 2010 - 09:37 AM

see post#3

Edited by justbinda, 02 April 2010 - 06:39 AM.


#2 justbinda

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:15 PM

Posted 01 April 2010 - 09:18 PM

see post#3

Edited by justbinda, 02 April 2010 - 06:41 AM.

#3 justbinda

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:15 PM

Posted 02 April 2010 - 06:33 AM

Hi all,

I apologise for the first 2 posts being blank. I made an error and I'm not sure how to remove the entire post, if possible.

Unfortunately all the computers in my house have been infected with the "Online Protection Tool" popup virus. It redirects the majority of my internet searches, using Internet Explorer 8, to random advertising websites. It has also prevented me from updating any of my antivirus, malware and spyware programs as well as Windows 7.
I used the recovery partition in an attempt to remove the problem but it still remains. I reinstalled Malwarebytes, SUPERAntiSpyware and Avast antivirus free, copied from a 'clean' computer, and ran full scans. A couple of threats were detected and quarantined; however, I still can't update any of the software and the popup keeps coming back. Attached are the revised DDS and GMER files. The GMER program had everything apart from the Services, Files and Registry sections greyed out and therefore could not be included in the scan.


DDS (Ver_10-03-17.01) - NTFSX64
Run by Buddha at 22:01:34.26 on Fri 02/04/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3037.1890 [GMT 11:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Asus\Game Park\GameConsole\OberonGameConsoleService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files (x86)\ASUS\ASUS CopyProtect\aspg.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe
C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CNRpc.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Windows Live\Toolbar\wltuser.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://asus.msn.com
uDefault_Page_URL = hxxp://asus.msn.com
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
uRun: [SUPERAntiSpyware] c:\program files (x86)\superantispyware\SUPERAntiSpyware.exe
mRun: [UpdateLBPShortCut] "c:\program files (x86)\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdateP2GoShortCut] "c:\program files (x86)\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [CinemaNowMediaManagerApp] c:\program files (x86)\cinemanow\cinemanow media manager\CinemaNowShell.exe -start
mRun: [HDAudDeck] c:\program files (x86)\via\viaudioi\vdeck\VDeck.exe -r
mRun: [HControlUser] c:\program files (x86)\asus\atk hotkey\HControlUser.exe
mRun: [ATKOSD2] c:\program files (x86)\asus\atkosd2\ATKOSD2.exe
mRun: [ATKMEDIA] c:\program files (x86)\asus\atk media\DMedia.exe
mRun: [Setwallpaper] c:\programdata\SetWallpaper.cmd
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\fancys~1.lnk - c:\windows\installer\{f0df4513-3c4c-4eb8-8012-2c5f70af3988}\_A1DDD39913A1970387B7B3.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\tmchlang.lnk - c:\program files\trend micro\internet security\TmChLang.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
Trusted Zone: cinemanow.com
Notify: !SASWinLogon - c:\program files (x86)\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files (x86)\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files (x86)\common files\lightscribe\LSRunOnce.exe"
BHO-X64: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO-X64: Windows Live Family Safety Browser Helper - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [EeeStorageBackup] c:\program files (x86)\asus\asus webstorage\BackupService.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
mRun-x64: [AmIcoSinglun64] c:\program files (x86)\amicosinglun\AmIcoSinglun64.exe
mRun-x64: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun-x64: [GUCI_AVS] c:\windows\pixart\pap7501\GUCI_AVS.exe

============= SERVICES / DRIVERS ===============

R0 lullaby;lullaby;c:\windows\system32\drivers\lullaby.sys [2009-12-5 15928]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-2 121936]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2009-12-5 359552]
R2 ASMMAP64;ASMMAP64;c:\program files\atkgfnex\ASMMAP64.sys [2009-12-5 14904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-2 22096]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-2 63568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-2 40384]
R2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-12 127352]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files (x86)\asus\game park\gameconsole\OberonGameConsoleService.exe [2009-12-5 44312]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-2 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-2 40384]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-10-15 117760]
R3 GUCI_AVS;ASUS USB2.0 UVC VGA WebCam;c:\windows\system32\drivers\GUCI_AVS.sys [2009-10-29 692736]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-7-9 1222144]
S1 SASDIFSV;SASDIFSV;c:\program files (x86)\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files (x86)\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-5 61792]
S3 fsssvc;Windows Live Family Safety;c:\program files (x86)\windows live\family safety\fsssvc.exe [2008-12-9 533344]
S3 SASENUM;SASENUM;c:\program files (x86)\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSG664.sys [2009-6-11 56832]

=============== Created Last 30 ================

2010-04-03 02:44:25 0 d-----w- c:\windows\system32\log
2010-04-02 08:47:38 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-02 08:47:34 0 d-----w- c:\users\buddha\appdata\roaming\SUPERAntiSpyware.com
2010-04-02 08:47:34 0 d-----w- c:\program files (x86)\SUPERAntiSpyware
2010-04-02 08:47:09 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
2010-04-02 08:46:36 0 d-----w- c:\users\buddha\appdata\roaming\Malwarebytes
2010-04-02 08:46:28 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 08:46:28 0 d-----w- c:\programdata\Malwarebytes
2010-04-02 08:46:28 0 d-----w- c:\program files (x86)\Mbytes
2010-04-02 08:45:07 63568 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-02 08:45:07 0 ----a-w- c:\windows\syswow64\config.nt
2010-04-02 08:44:53 38848 ----a-w- c:\windows\syswow64\avastSS.scr
2010-04-02 08:44:53 153184 ----a-w- c:\windows\syswow64\aswBoot.exe
2010-04-02 08:44:52 0 d-----w- c:\programdata\Alwil Software
2010-04-02 08:44:52 0 d-----w- c:\program files\Alwil Software
2010-04-02 07:50:28 0 d-----w- c:\users\buddha\appdata\roaming\Asus WebStorage
2010-04-02 07:48:23 0 d--h--w- C:\asus.dat

==================== Find3M ====================

2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-08 18:31:56 106496 ----a-w- c:\program files (x86)\common files\CPInstallAction.dll
2008-08-12 05:45:20 155648 ----a-w- c:\program files (x86)\common files\MSIactionall.dll
2008-05-22 16:35:54 51962 ----a-w- c:\program files (x86)\common files\banner.jpg
2007-06-12 17:34:50 35822 ----a-w- c:\program files (x86)\common files\ASPG_icon.ico
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 05:12:52 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22:02:14.29 ===============

Look forward to a response and this infection being removed.

Justbinda

Edited by justbinda, 02 April 2010 - 07:28 PM.

#4 justbinda

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:15 PM

Posted 05 April 2010 - 10:16 AM

Hi all,

It has been 3 days since my first post of annoying popups and redirects to advertising websites, in my Internet Explorer 8 search bar, along with the inability to update Windows 7 or XP and any other spyware/malware security programs. I haven't had a response from anyone here at Bleeping Computer and virus "experts" at Nortons declared this was a brand new issue they hadn't heard of. I went through all the steps of cleaning out my machine to find and remove any sign of infection. Had no luck. Originally, I thought this problem had arisen from a friend using one of my computers to print documents saved on her USB. And that the USB was plugged into a couple of other laptops of mine passing on the infection. This was not true!

Turns out that the only other thing connecting all the computers in my house was the wireless network provided through a Netgear router. I uninstalled all Netgear software from the main PC and restored the router to factory settings. This was done by inserting a paperclip into a pin-sized hole on the router. I reinstalled the software again, followed the steps including finding updates for firmware, then fired up the wireless network. This removed the redirect problem for internet searches and I haven't had the Online Protection Tool popup yet.

I ensured that when all other laptops in the house were restarted, I deleted the original wireless network connection then reconnected to my new network. I have since been able to update everything on my laptops. No dramas!! And that dreaded fake "Online Protection Tool" popup has not returned. Let's hope it stays that way.

So if you encounter the same infection as I had and run your internet through a router, don't panic. Try uninstalling/resetting/installing/updating your router software and see how you go.

It worked for me and might work for you too.


Justbinda

#5 Casey_boy


    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:07:15 AM

Posted 05 April 2010 - 12:04 PM

Hi Justbinda,

Thank you for letting us know about your issue. If I have read the information correctly - it appears your issue is resolved. As such, a staff member will be along shortly to close this topic. If this is not the case then please let us know.


If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


#6 thcbytes


  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:02:15 AM

Posted 05 April 2010 - 12:19 PM

Please PM if you need further assistance.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

