Am I Infected



#1 Dave Clark


Posted 21 April 2010 - 08:17 AM

Hello,
I'm running XP Pro and recently I downloaded a trial of CA AntiVirus. I ran the program but it seemed to interfere with programs, and in particular Firefox, so I removed the program. I've now got AVG 9 Free edition but on installation it said I must remove CA AntiVirus. I looked in Add/Remove Programs but no mention, also no mention in Program Files, so then did a search for CA AntiVirus but again nothing. I then checked Windows Firewall and it's disabled and I can't enable it. Now a program has appeared with a shortcut on my desktop called Browser Choice. Did a right click on the shortcut and the properties put the target at: c:\Windows\system32\browserchoice.exe/launch.

I'm a bit scared of even running the computer. Please help, even if it's to say there's nothing to worry about.


Dave

#2 quietman7


Posted 21 April 2010 - 10:24 AM

Most vendors have removal tools for when a complete uninstallation fails when removing via Add/Remove Programs. Moderators at the CA Support forums are referring members to this link with instructions for using their tool provided on the same page.

If you still encounter problems afterwards, then contact CA Anti-Virus Technical Support or ask in the CA Anti-Virus Forum.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Dave Clark


Posted 21 April 2010 - 11:26 AM

Thanks for that, Quietman, but what about the program which installed itself on my computer, and the fact that the Firewall is disabled and I can't get it to enable?

#4 quietman7


Posted 21 April 2010 - 11:49 AM

You need to address your anti-virus issue and get the AVG replacement installed ASAP.

However, an anti-virus is not enough, so I recommend doing the following.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Malwarebytes Anti-Malware (v1.45) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#5 Dave Clark


Posted 21 April 2010 - 12:21 PM

Enclosed is the log from MBAM. I already had the program on my computer and had run it yesterday. The log shows no infections, but I ran the Windows "Rootkit Revealer" and it showed lots of possible infections, although most showed 0 bytes. Is it possible to have infections with 0 bytes?
Next question: this program "Browser Choice", which has installed itself on my computer in C:\Windows\system32\browserchoice.exe/launch and put a shortcut on my desktop, can I just go and delete it?
Sorry to go on, Quietman, but what can I do about my Firewall?

Regards,

Dave


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4012

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

21/04/2010 06:10:39 PM
mbam-log-2010-04-21 (18-10-39).txt

Scan type: Quick scan
Objects scanned: 114207
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

#6 quietman7


Posted 21 April 2010 - 01:03 PM

Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\browserchoice.exe <- this file
Click "Open", then click the "Submit" button.
-- Post back with the results of the file analysis in your next reply.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

I don't know if it's related to the file on your system, but when researching for information I came across this article: Windows Browser Choice Screen Will Cause Confusion In Europe. Since it was released to European customers and I have not encountered anyone else asking about it, I was not aware of the update.

As for your firewall, have you tried to re-enable it? Some security programs will take control and disable the Windows Firewall when they are installed. To enable the Firewall do this:
  • Press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: firewall.cpl
  • Click OK or press Enter.
  • On the General tab, click On (recommended), and then click OK.
To reset the Windows Firewall to the factory default state:
  • Press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: firewall.cpl
  • Click OK or press Enter.
  • Click the Advanced tab > Restore Defaults button.
  • Click Yes to continue when you see "Restoring the default settings will delete all settings of Windows Firewall that you have made since Windows was installed. This may cause some programs to stop working. Do you want to continue?"
Alternately, you can click on Start > Run..., and in the Open dialog box, type: NETSH FIREWALL RESET
Click OK or press Enter.
Reboot when you're done.
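The check quietman7 describes above, judging a system-named file by the folder it runs from and by the hashes an online scanner reports, as an added Python example that is not part of this thread and not any tool the thread names. The folder tree, the table of file names with their expected folders, and the file contents are all constructed inside the script; nothing is read from a real Windows installation.

```python
"""Added example (not from the thread): classify a file by location and hash it.

The folder tree below is built in a temporary directory, and EXPECTED_FOLDER is
a hypothetical starting table, not an authoritative list of Windows binaries.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed table: file names malware likes to borrow, mapped to the folder
# (relative to the Windows root) where the genuine copy is expected to live.
EXPECTED_FOLDER = {
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "browserchoice.exe": "system32",
    "explorer.exe": "",  # the genuine one sits directly in the Windows root
}


def file_hashes(path):
    """MD5, SHA1 and size of a file: the values Jotti/VirusTotal show for a sample."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": os.path.getsize(path)}


def classify_location(path, windows_root):
    """Return 'ok', 'suspicious' or 'unknown-name'.

    Only the location is judged here: a file carrying a system binary's name
    that sits outside that binary's normal folder is flagged, whatever its bytes.
    """
    p = Path(path).resolve()
    name = p.name.lower()
    if name not in EXPECTED_FOLDER:
        return "unknown-name"
    expected_dir = (Path(windows_root) / EXPECTED_FOLDER[name]).resolve()
    # Compare case-insensitively, as NTFS path lookups are.
    if str(p.parent).lower() == str(expected_dir).lower():
        return "ok"
    return "suspicious"


def demo():
    """Build a constructed tree with a genuine svchost.exe, an impostor copy in
    Temp and an unrelated file, then classify and hash them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"
        (root / "system32").mkdir(parents=True)
        (root / "Temp").mkdir()
        genuine = root / "system32" / "svchost.exe"
        impostor = root / "Temp" / "svchost.exe"
        other = root / "Temp" / "notes.txt"
        genuine.write_bytes(b"abc")
        impostor.write_bytes(b"abc")  # identical bytes, wrong folder: still suspicious
        other.write_bytes(b"")
        return {
            "genuine": classify_location(genuine, root),
            "impostor": classify_location(impostor, root),
            "other": classify_location(other, root),
            "genuine_md5": file_hashes(genuine)["md5"],
            "other_sha1": file_hashes(other)["sha1"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine you would point `classify_location` at the file in question with the actual Windows root, and compare the MD5/SHA1 from `file_hashes` against the values in the scanner's report before trusting that the report refers to the same file.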

#7 Dave Clark


Posted 21 April 2010 - 01:27 PM

Here is the readout from Jotti's virus scan.
I looked for the file in Explorer and it is sitting amongst "browser.dll" files etc.
Did as you said and the properties of the file are:
Created: 20/04/2010
Modified: 12/02/2010
Accessed: 21/04/2010
Version: 6.1.7600.16526
Copyright: Microsoft
Product Name: Microsoft Windows Operating System
Original File Name: Browserchoice.exe

Will get back to you ASAP but here in UK it's dinnertime.

Will be back in about 1Hr

Many thanks for your help,

Dave


This file has been scanned before. The results for this previous scan are listed below.

Filename: browserchoice.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Fri 16 Apr 2010 12:04:40 (CET)

Additional info
File size: 293376 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: da1919d896dbd5895e138932ae9e398b
SHA1: 361bee6e2535d9fc10a01ac6686be55d854fc5ba

#8 quietman7


Posted 21 April 2010 - 01:36 PM

Those results indicate the file was from the MS update that was released in your area.

#9 Dave Clark


Posted 21 April 2010 - 03:00 PM

Hi Quietman,
I think you're right about the Browserchoice but I'm still struggling with my Windows Firewall. Why has it been disabled? I've tried all of the suggestions in your post and none work. I keep getting the message "Windows cannot start the Firewall/Internet Connection Sharing (ICS) service."

I still think something sinister is going on behind the scenes.
Why have these changes suddenly occurred on their own?
Also Firefox seems much more unstable, and sometimes when I drag an open window on my desktop the whole computer freezes and I have to manually reboot (not a software reboot).

Is there no other indication of malware?

Dave

#10 quietman7


Posted 22 April 2010 - 07:14 AM

Try resetting the Winsock. The Winsock reset will only work if you have Windows XP SP2 installed.
  • Press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: cmd
  • Click OK or press Enter.
  • At the command prompt C:\>_, type: Netsh winsock reset
  • Press Enter.
  • Exit the command prompt and reboot.

If this does not resolve the issue, try starting the Windows Firewall/ICS service:
  • Press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: services.msc
  • Click OK or press Enter.
  • Click the "Extended" tab at the bottom to view all the info on your services.
  • Scroll down the list and find the service called Windows Firewall/Internet Connection Sharing (ICS).
  • When you find the service, double-click on it or right-click and choose "Properties".
  • In the Properties window > General tab that opens, click the "Start" button.
  • From the drop-down menu next to "Startup Type", click on "Automatic".
Repeat the above instructions and ensure that the following are set to Automatic and Started:
  • Remote Procedure Call (RPC)
  • Network Connections
  • Windows Management Instrumentation
  • Event Log
Related links:

#11 Dave Clark


Posted 23 April 2010 - 06:55 AM

Hi Quietman,
Tried your suggestions but the first returned an "Error 1068-Dependancy Services or Group failed to start". All of the other items are running.
I then tried the other suggestions but none of the 3 worked. One of the suggestions returned a message: "Missingendr:install hinfSection"

So I'm no further forward

Dave

#12 quietman7


Posted 23 April 2010 - 08:42 AM

Error 1068-Dependancy Services or Group failed to start <- the fourth and fifth links reference Microsoft Articles.

If that does not help, then start a new topic in the appropriate Windows Operating System subforum, as this does not appear to be a malware-related issue.
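Error 1068 means the service you asked for did not start because something it depends on is not running, which is why the replies above say to check RPC, Network Connections, WMI and Event Log. The following Python script, added here and not part of the thread or of any Microsoft tool, walks that dependency chain to find the service that must be started first. The short names SharedAccess, Netman, WinMgmt, RpcSs and Eventlog are the XP service names for the services named in the thread; the dependency edges, the running/stopped states and the sample `sc qc` output are constructed for the example, not captured from the poster's machine.

```python
"""Added example (not from the thread): find the root cause of Error 1068.

`sc qc <service>` prints a service's configuration including its DEPENDENCIES;
SAMPLE_SC_QC below is a constructed approximation of that output.  DEPENDS_ON
and STATE are constructed too, standing in for what `sc qc` and `sc query`
would report on a real machine.
"""
import re

# Constructed sample of `sc qc SharedAccess` output (layout approximated).
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Firewall/Internet Connection Sharing (ICS)
        DEPENDENCIES       : Netman
                           : WinMgmt
                           : RpcSs
        SERVICE_START_NAME : LocalSystem
"""

# Constructed dependency table and service states for the walk below.
DEPENDS_ON = {
    "Netman": ["RpcSs"],
    "WinMgmt": ["RpcSs", "Eventlog"],
    "RpcSs": [],
    "Eventlog": [],
}
STATE = {
    "SharedAccess": "STOPPED",
    "Netman": "RUNNING",
    "WinMgmt": "STOPPED",
    "RpcSs": "RUNNING",
    "Eventlog": "STOPPED",
}


def parse_sc_qc(text):
    """Return (service_name, [dependencies]) from `sc qc` output.

    The first dependency shares the 'DEPENDENCIES : value' line; the rest are
    continuation lines carrying only ': value'.
    """
    name, deps, collecting = None, [], False
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            collecting = key == "DEPENDENCIES"
            if collecting and value:
                deps.append(value)
            continue
        m = re.match(r"\s*:\s*(\S.*)$", line)
        if collecting and m:
            deps.append(m.group(1).strip())
    return name, deps


def root_causes(service, depends_on, state):
    """Stopped services in the dependency tree of `service` whose own
    dependencies are all running: these are the ones to start first.
    A dependency with no entry in the tables is treated as a cause too."""
    causes, seen = [], set()

    def walk(name):
        if name in seen:
            return
        seen.add(name)
        for dep in depends_on.get(name, []):
            if state.get(dep) == "RUNNING":
                continue
            walk(dep)  # look below this stopped dependency first
            if all(state.get(d) == "RUNNING" for d in depends_on.get(dep, [])) \
                    and dep not in causes:
                causes.append(dep)

    walk(service)
    return causes


def diagnose(sc_qc_text, depends_on, state):
    """Parse a service's `sc qc` output, add its dependency list to the table
    and return (service_name, services_to_start_first)."""
    name, deps = parse_sc_qc(sc_qc_text)
    table = dict(depends_on)
    table[name] = deps
    return name, root_causes(name, table, state)


if __name__ == "__main__":
    service, first = diagnose(SAMPLE_SC_QC, DEPENDS_ON, STATE)
    print(f"{service} cannot start until these are running: {first}")
```

With the constructed states, WinMgmt is stopped but is not the root cause, because it cannot start until Eventlog runs; the walk therefore reports Eventlog alone. On a real machine the inputs come from `sc qc <name>` for each service in the chain and `sc query <name>` for its state.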

#13 Dave Clark


Posted 24 April 2010 - 10:31 AM

Hi Quietman,
Since the last post I've had all sorts of problems. I have definitely GOT a virus. A program I use a lot and have had for about 10 years, Nero 7, has stopped functioning. My AVG 9 Free has suddenly disarmed itself and I have no working components. I downloaded another copy but again I got the CA running message, even after using the tools from the link you provided. I ignored the message but then got a message saying that installation was unsuccessful. Here is the message:
Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.

I then tried to uninstall AVG and got the failed message again, and again the same reason. I ran an online scan by ESET and it threw up a lot of problems. It quarantined a lot of them, but about a dozen it said it could not quarantine and suggested I contact a specialist A/V removal forum.
Can someone please help me.

Dave

#14 certifiedgeek


Posted 24 April 2010 - 10:55 AM

It's hard to say for sure if you have a virus or not, but if your new antivirus reported viruses, you probably do. The issue with the firewall might be related to viruses, or not.

Have you tried running Malwarebytes Anti-Malware or SUPERAntiSpyware? They might fix your problems without the need for further help.

Edited by certifiedgeek, 24 April 2010 - 02:16 PM.


#15 quietman7


Posted 24 April 2010 - 03:43 PM

The Eset scan should have saved a log file (log.txt) in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
